From 3cca3367e6e0ffeccb8e39cb2c739d1dcb086701 Mon Sep 17 00:00:00 2001 From: Frank Lichtenheld Date: Mon, 4 Aug 2025 17:18:47 +0200 Subject: [PATCH] Reformat the whole project with clang-format Done with pre-commit run -a, so the version defined in pre-commit config is used. This also changes the Github workflow so that there is no commit that fails GHA. Change-Id: I2566ad493629e1f5fdfa6f6483b8973463404e3e Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20250804151853.10565-1-gert@greenie.muc.de> URL: https://gerrit.openvpn.net/c/openvpn/+/791 
Signed-off-by: Gert Doering --- .github/workflows/build.yaml | 33 +- include/openvpn-msg.h | 63 +- .../client-connect/sample-client-connect.c | 111 +- sample/sample-plugins/defer/multi-auth.c | 74 +- .../keyingmaterialexporter.c | 51 +- sample/sample-plugins/log/log.c | 40 +- sample/sample-plugins/log/log_v3.c | 51 +- sample/sample-plugins/simple/base64.c | 32 +- sample/sample-plugins/simple/simple.c | 18 +- src/compat/compat-basename.c | 2 +- src/compat/compat-dirname.c | 4 +- src/compat/compat-gettimeofday.c | 4 +- src/openvpn/argv.c | 11 +- src/openvpn/argv.h | 15 +- src/openvpn/auth_token.c | 91 +- src/openvpn/auth_token.h | 22 +- src/openvpn/base64.c | 11 +- src/openvpn/base64.h | 6 +- src/openvpn/basic.h | 2 +- src/openvpn/buffer.c | 102 +- src/openvpn/buffer.h | 220 ++- src/openvpn/circ_list.h | 55 +- src/openvpn/clinat.c | 23 +- src/openvpn/clinat.h | 24 +- src/openvpn/common.h | 13 +- src/openvpn/comp-lz4.c | 43 +- src/openvpn/comp.c | 10 +- src/openvpn/comp.h | 45 +- src/openvpn/compstub.c | 34 +- src/openvpn/console.c | 10 +- src/openvpn/console.h | 25 +- src/openvpn/console_builtin.c | 23 +- src/openvpn/console_systemd.c | 10 +- src/openvpn/crypto.c | 290 ++- src/openvpn/crypto.h | 190 +- src/openvpn/crypto_backend.h | 34 +- src/openvpn/crypto_epoch.c | 70 +- src/openvpn/crypto_epoch.h | 46 +- src/openvpn/crypto_mbedtls.c | 148 +- src/openvpn/crypto_mbedtls.h | 31 +- src/openvpn/crypto_openssl.c | 182 +- src/openvpn/crypto_openssl.h | 26 +- src/openvpn/cryptoapi.c | 109 +- src/openvpn/dco.c | 116 +- src/openvpn/dco.h | 27 +- src/openvpn/dco_freebsd.c | 39 +- src/openvpn/dco_freebsd.h | 11 +- src/openvpn/dco_internal.h | 13 +- src/openvpn/dco_linux.c | 169 +- src/openvpn/dco_linux.h | 10 +- src/openvpn/dco_win.c | 119 +- src/openvpn/dco_win.h | 43 +- src/openvpn/dhcp.c | 56 +- src/openvpn/dhcp.h | 40 +- src/openvpn/dns.c | 74 +- src/openvpn/dns.h | 33 +- src/openvpn/env_set.c | 21 +- src/openvpn/env_set.h | 22 +- src/openvpn/errlevel.h | 262 +-- 
src/openvpn/error.c | 137 +- src/openvpn/error.h | 120 +- src/openvpn/event.c | 178 +- src/openvpn/event.h | 65 +- src/openvpn/fdmisc.c | 2 +- src/openvpn/fdmisc.h | 2 +- src/openvpn/forward.c | 272 ++- src/openvpn/forward.h | 71 +- src/openvpn/fragment.c | 94 +- src/openvpn/fragment.h | 78 +- src/openvpn/gremlin.c | 25 +- src/openvpn/gremlin.h | 32 +- src/openvpn/helper.c | 88 +- src/openvpn/httpdigest.c | 89 +- src/openvpn/httpdigest.h | 34 +- src/openvpn/init.c | 785 +++----- src/openvpn/init.h | 34 +- src/openvpn/integer.h | 17 +- src/openvpn/interval.c | 11 +- src/openvpn/interval.h | 20 +- src/openvpn/list.c | 116 +- src/openvpn/list.h | 27 +- src/openvpn/lladdr.c | 26 +- src/openvpn/lzo.c | 27 +- src/openvpn/lzo.h | 38 +- src/openvpn/manage.c | 633 +++---- src/openvpn/manage.h | 261 ++- src/openvpn/mbedtls_compat.h | 16 +- src/openvpn/mbuf.c | 6 +- src/openvpn/mbuf.h | 6 +- src/openvpn/memdbg.h | 8 +- src/openvpn/misc.c | 253 +-- src/openvpn/misc.h | 77 +- src/openvpn/mroute.c | 77 +- src/openvpn/mroute.h | 131 +- src/openvpn/mss.c | 80 +- src/openvpn/mss.h | 3 +- src/openvpn/mstats.c | 2 +- src/openvpn/mstats.h | 3 +- src/openvpn/mtcp.c | 16 +- src/openvpn/mtcp.h | 6 +- src/openvpn/mtu.c | 49 +- src/openvpn/mtu.h | 147 +- src/openvpn/mudp.c | 69 +- src/openvpn/multi.c | 841 ++++----- src/openvpn/multi.h | 134 +- src/openvpn/multi_io.c | 136 +- src/openvpn/networking.h | 61 +- src/openvpn/networking_freebsd.c | 54 +- src/openvpn/networking_iproute2.c | 94 +- src/openvpn/networking_sitnl.c | 320 ++-- src/openvpn/ntlm.c | 105 +- src/openvpn/occ.c | 229 ++- src/openvpn/occ.h | 31 +- src/openvpn/openssl_compat.h | 35 +- src/openvpn/openvpn.c | 21 +- src/openvpn/openvpn.h | 132 +- src/openvpn/options.c | 1652 ++++++++--------- src/openvpn/options.h | 233 ++- src/openvpn/options_util.c | 35 +- src/openvpn/options_util.h | 19 +- src/openvpn/otime.c | 18 +- src/openvpn/otime.h | 4 +- src/openvpn/ovpn_dco_freebsd.h | 52 +- src/openvpn/packet_id.c | 113 +- 
src/openvpn/packet_id.h | 62 +- src/openvpn/perf.c | 74 +- src/openvpn/perf.h | 44 +- src/openvpn/ping.c | 9 +- src/openvpn/ping.h | 11 +- src/openvpn/pkcs11.c | 558 ++---- src/openvpn/pkcs11.h | 49 +- src/openvpn/pkcs11_backend.h | 6 +- src/openvpn/pkcs11_mbedtls.c | 19 +- src/openvpn/pkcs11_openssl.c | 81 +- src/openvpn/platform.c | 74 +- src/openvpn/platform.h | 14 +- src/openvpn/plugin.c | 201 +- src/openvpn/plugin.h | 61 +- src/openvpn/pool.c | 124 +- src/openvpn/pool.h | 18 +- src/openvpn/proto.c | 38 +- src/openvpn/proto.h | 174 +- src/openvpn/proxy.c | 200 +- src/openvpn/proxy.h | 27 +- src/openvpn/ps.c | 122 +- src/openvpn/ps.h | 7 +- src/openvpn/push.c | 202 +- src/openvpn/push.h | 36 +- src/openvpn/push_util.c | 13 +- src/openvpn/pushlist.h | 6 +- src/openvpn/reflect_filter.c | 14 +- src/openvpn/reflect_filter.h | 12 +- src/openvpn/reliable.c | 63 +- src/openvpn/reliable.h | 58 +- src/openvpn/ring_buffer.h | 124 ++ src/openvpn/route.c | 1117 +++++------ src/openvpn/route.h | 243 ++- src/openvpn/run_command.c | 28 +- src/openvpn/run_command.h | 41 +- src/openvpn/schedule.c | 51 +- src/openvpn/schedule.h | 13 +- src/openvpn/session_id.h | 3 +- src/openvpn/shaper.c | 3 +- src/openvpn/shaper.h | 19 +- src/openvpn/sig.c | 59 +- src/openvpn/sig.h | 4 +- src/openvpn/socket.c | 899 ++++----- src/openvpn/socket.h | 397 ++-- src/openvpn/socks.c | 116 +- src/openvpn/socks.h | 20 +- src/openvpn/ssl.c | 694 +++---- src/openvpn/ssl.h | 118 +- src/openvpn/ssl_backend.h | 65 +- src/openvpn/ssl_common.h | 179 +- src/openvpn/ssl_mbedtls.c | 303 ++- src/openvpn/ssl_mbedtls.h | 69 +- src/openvpn/ssl_ncp.c | 101 +- src/openvpn/ssl_ncp.h | 31 +- src/openvpn/ssl_openssl.c | 322 ++-- src/openvpn/ssl_openssl.h | 14 +- src/openvpn/ssl_pkt.c | 108 +- src/openvpn/ssl_pkt.h | 106 +- src/openvpn/ssl_util.c | 293 +-- src/openvpn/ssl_util.h | 12 +- src/openvpn/ssl_verify.c | 331 ++-- src/openvpn/ssl_verify.h | 51 +- src/openvpn/ssl_verify_backend.h | 30 +- 
src/openvpn/ssl_verify_mbedtls.c | 122 +- src/openvpn/ssl_verify_mbedtls.h | 3 +- src/openvpn/ssl_verify_openssl.c | 98 +- src/openvpn/status.c | 30 +- src/openvpn/status.h | 22 +- src/openvpn/syshead.h | 48 +- src/openvpn/tls_crypt.c | 227 +-- src/openvpn/tls_crypt.h | 51 +- src/openvpn/tun.c | 1568 +++++++--------- src/openvpn/tun.h | 123 +- src/openvpn/tun_afunix.c | 17 +- src/openvpn/tun_afunix.h | 15 +- src/openvpn/vlan.c | 24 +- src/openvpn/vlan.h | 9 +- src/openvpn/wfp_block.c | 97 +- src/openvpn/wfp_block.h | 8 +- src/openvpn/win32-util.c | 2 +- src/openvpn/win32.c | 187 +- src/openvpn/win32.h | 63 +- src/openvpn/xkey_common.h | 34 +- src/openvpn/xkey_helper.c | 99 +- src/openvpn/xkey_provider.c | 300 +-- src/openvpnmsica/dllmain.c | 31 +- src/openvpnmsica/msica_arg.c | 21 +- src/openvpnmsica/msica_arg.h | 18 +- src/openvpnmsica/msiex.c | 34 +- src/openvpnmsica/msiex.h | 27 +- src/openvpnmsica/openvpnmsica.c | 349 ++-- src/openvpnmsica/openvpnmsica.h | 174 +- src/openvpnserv/common.c | 49 +- src/openvpnserv/interactive.c | 407 ++-- src/openvpnserv/service.c | 46 +- src/openvpnserv/service.h | 23 +- src/openvpnserv/validate.c | 33 +- src/openvpnserv/validate.h | 13 +- src/plugins/auth-pam/auth-pam.c | 142 +- src/plugins/auth-pam/pamdl.c | 66 +- src/plugins/auth-pam/utils.c | 9 +- src/plugins/auth-pam/utils.h | 16 +- src/plugins/down-root/down-root.c | 37 +- src/tapctl/basic.h | 16 +- src/tapctl/error.h | 68 +- src/tapctl/main.c | 132 +- src/tapctl/tap.c | 419 ++--- src/tapctl/tap.h | 42 +- tests/ntlm_support.c | 2 +- tests/unit_tests/example_test/test.c | 9 +- tests/unit_tests/example_test/test2.c | 2 +- tests/unit_tests/openvpn/cert_data.h | 70 +- tests/unit_tests/openvpn/mock_management.c | 3 +- tests/unit_tests/openvpn/mock_msg.c | 5 +- tests/unit_tests/openvpn/mock_msg.h | 9 +- .../openvpn/mock_ssl_dependencies.c | 4 +- tests/unit_tests/openvpn/pkey_test_utils.c | 11 +- tests/unit_tests/openvpn/test_argv.c | 18 +- 
tests/unit_tests/openvpn/test_auth_token.c | 127 +- tests/unit_tests/openvpn/test_buffer.c | 65 +- tests/unit_tests/openvpn/test_crypto.c | 224 +-- tests/unit_tests/openvpn/test_cryptoapi.c | 83 +- tests/unit_tests/openvpn/test_misc.c | 73 +- tests/unit_tests/openvpn/test_ncp.c | 80 +- tests/unit_tests/openvpn/test_networking.c | 14 +- tests/unit_tests/openvpn/test_packet_id.c | 57 +- tests/unit_tests/openvpn/test_pkcs11.c | 93 +- tests/unit_tests/openvpn/test_pkt.c | 218 +-- tests/unit_tests/openvpn/test_provider.c | 53 +- .../unit_tests/openvpn/test_push_update_msg.c | 92 +- tests/unit_tests/openvpn/test_ssl.c | 55 +- tests/unit_tests/openvpn/test_tls_crypt.c | 261 ++- tests/unit_tests/openvpn/test_user_pass.c | 31 +- .../auth-pam/test_search_and_replace.c | 2 - 258 files changed, 12052 insertions(+), 15278 deletions(-) create mode 100644 src/openvpn/ring_buffer.h
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index a499e1c7c..b2bfd21c4 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -5,35 +5,26 @@ on: pull_request: jobs: - checkuncrustify: - name: "Check code style with Uncrustify" - # Ubuntu 22.04 has uncrustify 0.72_f - runs-on: ubuntu-22.04 + clang-format: + name: Check code style with clang-format + runs-on: ubuntu-24.04 steps: - name: Install dependencies - run: sudo apt update && sudo apt install -y uncrustify + run: | + sudo apt update && sudo apt install -y python3-pip + pip3 install pre-commit - name: Checkout OpenVPN uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - path: openvpn - - name: Show uncrustify version - run: uncrustify --version - - name: Run uncrustify - run: ./dev-tools/reformat-all.sh - working-directory: openvpn + - name: Run clang-format + run: pre-commit run -a --show-diff-on-failure || true - name: Check for changes - run: git diff --output=uncrustify-changes.patch - working-directory: openvpn - - name: Show changes on standard output - run: git diff - working-directory: openvpn + run: git diff --output=format-changes.patch - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: - name: uncrustify-changes.patch - path: 'openvpn/uncrustify-changes.patch' + name: format-changes.patch + path: format-changes.patch - name: Set job status - run: test ! -s uncrustify-changes.patch - working-directory: openvpn + run: test ! -s format-changes.patch android: strategy: diff --git a/include/openvpn-msg.h b/include/openvpn-msg.h index 106a27462..a69213796 100644 --- a/include/openvpn-msg.h +++ b/include/openvpn-msg.h @@ -26,7 +26,8 @@ #include #include -typedef enum { +typedef enum +{ msg_acknowledgement, msg_add_address, msg_del_address, 
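Review bot: The `|| true` on `run: pre-commit run -a --show-diff-on-failure || true` discards pre-commit's exit status, so the only gate left in the job is `run: test ! -s format-changes.patch`; if pre-commit fails before the clang-format hook runs (hook environment setup error, unreadable config), nothing is rewritten, `git diff` is empty and the job passes a tree that was never checked. Since the `|| true` exists only so that a hook rewriting files does not abort the step before the patch is uploaded, separate the two failure modes: add `pre-commit install-hooks` to the 'Install dependencies' step so setup errors fail the job, and keep the `|| true` on the run step for the modified-files case only. Separately, `pip3 install pre-commit` installs whatever version PyPI serves at run time; the commit message notes that the clang-format version is pinned via the pre-commit config, but pre-commit itself is not, so pinning it (`pip3 install pre-commit==<VERSION>`, placeholder) would make the format check reproducible across runs.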
@@ -50,28 +51,33 @@ typedef enum { msg_create_adapter } message_type_t; -typedef struct { +typedef struct +{ message_type_t type; size_t size; int message_id; } message_header_t; -typedef union { +typedef union +{ struct in_addr ipv4; struct in6_addr ipv6; } inet_address_t; -typedef struct { +typedef struct +{ int index; char name[256]; } interface_t; -typedef enum { - wfp_block_local = 1<<0, - wfp_block_dns = 1<<1 +typedef enum +{ + wfp_block_local = 1 << 0, + wfp_block_dns = 1 << 1 } wfp_block_flags_t; -typedef struct { +typedef struct +{ message_header_t header; short family; inet_address_t address; @@ -79,7 +85,8 @@ typedef struct { interface_t iface; } address_message_t; -typedef struct { +typedef struct +{ message_header_t header; short family; inet_address_t prefix; @@ -89,7 +96,8 @@ typedef struct { int metric; } route_message_t; -typedef struct { +typedef struct +{ message_header_t header; interface_t iface; char domains[512]; @@ -99,14 +107,16 @@ typedef struct { } dns_cfg_message_t; -typedef enum { +typedef enum +{ nrpt_dnssec } nrpt_flags_t; -#define NRPT_ADDR_NUM 8 /* Max. number of addresses */ +#define NRPT_ADDR_NUM 8 /* Max. number of addresses */ #define NRPT_ADDR_SIZE 48 /* Max. address strlen + some */ typedef char nrpt_address_t[NRPT_ADDR_SIZE]; -typedef struct { +typedef struct +{ message_header_t header; interface_t iface; nrpt_address_t addresses[NRPT_ADDR_NUM]; @@ -115,14 +125,16 @@ typedef struct { nrpt_flags_t flags; } nrpt_dns_cfg_message_t; -typedef struct { +typedef struct +{ message_header_t header; interface_t iface; int addr_len; inet_address_t addr[4]; /* support up to 4 dns addresses */ } wins_cfg_message_t; -typedef struct { +typedef struct +{ message_header_t header; interface_t iface; int disable_nbt; 
@@ -134,41 +146,48 @@ typedef struct { /* TODO: NTP */ -typedef struct { +typedef struct +{ message_header_t header; short family; interface_t iface; } flush_neighbors_message_t; -typedef struct { +typedef struct +{ message_header_t header; int error_number; } ack_message_t; -typedef struct { +typedef struct +{ message_header_t header; wfp_block_flags_t flags; interface_t iface; } wfp_block_message_t; -typedef struct { +typedef struct +{ message_header_t header; interface_t iface; } enable_dhcp_message_t; -typedef struct { +typedef struct +{ message_header_t header; interface_t iface; short family; int mtu; } set_mtu_message_t; -typedef enum { +typedef enum +{ ADAPTER_TYPE_DCO, ADAPTER_TYPE_TAP, } adapter_type_t; -typedef struct { +typedef struct +{ message_header_t header; adapter_type_t adapter_type; } create_adapter_message_t; diff --git a/sample/sample-plugins/client-connect/sample-client-connect.c b/sample/sample-plugins/client-connect/sample-client-connect.c index 3dda7825b..7e3b5a903 100644 --- a/sample/sample-plugins/client-connect/sample-client-connect.c +++ b/sample/sample-plugins/client-connect/sample-client-connect.c @@ -58,8 +58,9 @@ static char *MODULE = "sample-cc"; * Our context, where we keep our state. */ -struct plugin_context { - int verb; /* logging verbosity */ +struct plugin_context +{ + int verb; /* logging verbosity */ }; /* this is used for the CLIENT_CONNECT_V2 async/deferred handler @@ -68,8 +69,9 @@ struct plugin_context { * this, and the "CLIENT_CONNECT_DEFER_V2" handler looks at it to see * if it's time yet to succeed/fail */ -struct plugin_per_client_context { - time_t sleep_until; /* wakeup time (time() + sleep) */ +struct plugin_per_client_context +{ + time_t sleep_until; /* wakeup time (time() + sleep) */ bool want_fail; bool want_disable; const char *client_config; 
@@ -117,8 +119,7 @@ atoi_null0(const char *str) /* use v3 functions so we can use openvpn's logging and base64 etc. */ OPENVPN_EXPORT int -openvpn_plugin_open_v3(const int v3structver, - struct openvpn_plugin_args_open_in const *args, +openvpn_plugin_open_v3(const int v3structver, struct openvpn_plugin_args_open_in const *args, struct openvpn_plugin_args_open_return *ret) { /* const char **argv = args->argv; */ /* command line arguments (unused) */ @@ -127,7 +128,9 @@ openvpn_plugin_open_v3(const int v3structver, /* Check API compatibility -- struct version 5 or higher needed */ if (v3structver < 5) { - fprintf(stderr, "sample-client-connect: this plugin is incompatible with the running version of OpenVPN\n"); + fprintf( + stderr, + "sample-client-connect: this plugin is incompatible with the running version of OpenVPN\n"); return OPENVPN_PLUGIN_FUNC_ERROR; } 
@@ -143,18 +146,17 @@ openvpn_plugin_open_v3(const int v3structver, /* * Intercept just about everything... */ - ret->type_mask = - OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_IPCHANGE) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL); + ret->type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_IPCHANGE) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL); /* Save global pointers to functions exported from openvpn */ plugin_log = args->callbacks->plugin_log; @@ -166,7 +168,7 @@ openvpn_plugin_open_v3(const int v3structver, */ context->verb = atoi_null0(get_env("verb", envp)); - ret->handle = (openvpn_plugin_handle_t *) context; + ret->handle = (openvpn_plugin_handle_t *)context; plugin_log(PLOG_NOTE, MODULE, "initialization succeeded"); return OPENVPN_PLUGIN_FUNC_SUCCESS; 
@@ -242,8 +244,10 @@ cc_handle_deferred_v1(int seconds, const char *name, const char **envp) const char *ccd_file = get_env("client_connect_deferred_file", envp); if (!ccd_file) { - plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC_ASYNC=%d, but " - "'client_connect_deferred_file' not set -> fail", seconds); + plugin_log(PLOG_NOTE, MODULE, + "env has UV_WANT_CC_ASYNC=%d, but " + "'client_connect_deferred_file' not set -> fail", + seconds); return OPENVPN_PLUGIN_FUNC_ERROR; } @@ -257,13 +261,13 @@ cc_handle_deferred_v1(int seconds, const char *name, const char **envp) int fd = open(ccd_file, O_WRONLY); if (fd < 0) { - plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "open('%s') failed", ccd_file); + plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "open('%s') failed", ccd_file); return OPENVPN_PLUGIN_FUNC_ERROR; } if (write(fd, "2", 1) != 1) { - plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "write to '%s' failed", ccd_file ); + plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "write to '%s' failed", ccd_file); close(fd); return OPENVPN_PLUGIN_FUNC_ERROR; } @@ -277,11 +281,11 @@ cc_handle_deferred_v1(int seconds, const char *name, const char **envp) /* fork, sleep, succeed/fail according to env vars */ pid_t p1 = fork(); - if (p1 < 0) /* Fork failed */ + if (p1 < 0) /* Fork failed */ { return OPENVPN_PLUGIN_FUNC_ERROR; } - if (p1 > 0) /* parent process */ + if (p1 > 0) /* parent process */ { waitpid(p1, NULL, 0); return OPENVPN_PLUGIN_FUNC_DEFERRED; @@ -291,10 +295,10 @@ cc_handle_deferred_v1(int seconds, const char *name, const char **envp) pid_t p2 = fork(); if (p2 < 0) { - plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: fork(2) failed"); + plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "BACKGROUND: fork(2) failed"); exit(1); } - if (p2 > 0) /* new parent: exit right away */ + if (p2 > 0) /* new parent: exit right away */ { exit(0); } 
@@ -324,16 +328,16 @@ cc_handle_deferred_v1(int seconds, const char *name, const char **envp) fd = open(ccd_file, O_WRONLY); if (fd < 0) { - plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "open('%s') failed", ccd_file); + plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "open('%s') failed", ccd_file); exit(1); } plugin_log(PLOG_NOTE, MODULE, "cc_handle_deferred_v1: done, signalling %s", - (ret == OPENVPN_PLUGIN_FUNC_SUCCESS) ? "success" : "fail" ); + (ret == OPENVPN_PLUGIN_FUNC_SUCCESS) ? "success" : "fail"); if (write(fd, (ret == OPENVPN_PLUGIN_FUNC_SUCCESS) ? "1" : "0", 1) != 1) { - plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "write to '%s' failed", ccd_file ); + plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "write to '%s' failed", ccd_file); } close(fd); @@ -341,14 +345,12 @@ cc_handle_deferred_v1(int seconds, const char *name, const char **envp) } int -openvpn_plugin_client_connect(struct plugin_context *context, - const char **argv, - const char **envp) +openvpn_plugin_client_connect(struct plugin_context *context, const char **argv, const char **envp) { /* log environment variables handed to us by OpenVPN, but * only if "setenv verb" is 3 or higher (arbitrary number) */ - if (context->verb>=3) + if (context->verb >= 3) { for (int i = 0; argv[i]; i++) { @@ -389,8 +391,7 @@ openvpn_plugin_client_connect(struct plugin_context *context, int openvpn_plugin_client_connect_v2(struct plugin_context *context, - struct plugin_per_client_context *pcc, - const char **envp, + struct plugin_per_client_context *pcc, const char **envp, struct openvpn_plugin_string_list **return_list) { /* by setting "UV_WANT_CC2_ASYNC" we go to async/deferred mode */ 
@@ -420,7 +421,8 @@ openvpn_plugin_client_connect_v2(struct plugin_context *context, pcc->want_fail = (want_fail != NULL); pcc->want_disable = (want_disable != NULL); pcc->client_config = client_config; - plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC2_ASYNC=%s -> set up deferred handler", want_async); + plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC2_ASYNC=%s -> set up deferred handler", + want_async); return OPENVPN_PLUGIN_FUNC_DEFERRED; } @@ -431,8 +433,7 @@ openvpn_plugin_client_connect_v2(struct plugin_context *context, return OPENVPN_PLUGIN_FUNC_ERROR; } - struct openvpn_plugin_string_list *rl = - calloc(1, sizeof(struct openvpn_plugin_string_list)); + struct openvpn_plugin_string_list *rl = calloc(1, sizeof(struct openvpn_plugin_string_list)); if (!rl) { plugin_log(PLOG_ERR, MODULE, "malloc(return_list) failed"); @@ -466,12 +467,10 @@ openvpn_plugin_client_connect_v2(struct plugin_context *context, int openvpn_plugin_client_connect_defer_v2(struct plugin_context *context, struct plugin_per_client_context *pcc, - struct openvpn_plugin_string_list - **return_list) + struct openvpn_plugin_string_list **return_list) { time_t time_left = pcc->sleep_until - time(NULL); - plugin_log(PLOG_NOTE, MODULE, "defer_v2: seconds left=%d", - (int) time_left); + plugin_log(PLOG_NOTE, MODULE, "defer_v2: seconds left=%d", (int)time_left); /* not yet due? */ if (time_left > 0) 
@@ -482,15 +481,14 @@ openvpn_plugin_client_connect_defer_v2(struct plugin_context *context, /* client wants fail? */ if (pcc->want_fail) { - plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC2_FAIL -> fail" ); + plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC2_FAIL -> fail"); return OPENVPN_PLUGIN_FUNC_ERROR; } /* fill in RL according to with-disable / without-disable */ /* TODO: unify this with non-deferred case */ - struct openvpn_plugin_string_list *rl = - calloc(1, sizeof(struct openvpn_plugin_string_list)); + struct openvpn_plugin_string_list *rl = calloc(1, sizeof(struct openvpn_plugin_string_list)); if (!rl) { plugin_log(PLOG_ERR, MODULE, "malloc(return_list) failed"); @@ -522,15 +520,12 @@ openvpn_plugin_client_connect_defer_v2(struct plugin_context *context, } OPENVPN_EXPORT int -openvpn_plugin_func_v2(openvpn_plugin_handle_t handle, - const int type, - const char *argv[], - const char *envp[], - void *per_client_context, +openvpn_plugin_func_v2(openvpn_plugin_handle_t handle, const int type, const char *argv[], + const char *envp[], void *per_client_context, struct openvpn_plugin_string_list **return_list) { - struct plugin_context *context = (struct plugin_context *) handle; - struct plugin_per_client_context *pcc = (struct plugin_per_client_context *) per_client_context; + struct plugin_context *context = (struct plugin_context *)handle; + struct plugin_per_client_context *pcc = (struct plugin_per_client_context *)per_client_context; /* for most functions, we just "don't do anything" but log the * event received (so one can follow it in the log and understand 
@@ -564,13 +559,11 @@ openvpn_plugin_func_v2(openvpn_plugin_handle_t handle, case OPENVPN_PLUGIN_CLIENT_CONNECT_V2: plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_CLIENT_CONNECT_V2"); - return openvpn_plugin_client_connect_v2(context, pcc, envp, - return_list); + return openvpn_plugin_client_connect_v2(context, pcc, envp, return_list); case OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2: plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2"); - return openvpn_plugin_client_connect_defer_v2(context, pcc, - return_list); + return openvpn_plugin_client_connect_defer_v2(context, pcc, return_list); case OPENVPN_PLUGIN_CLIENT_DISCONNECT: plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_CLIENT_DISCONNECT"); @@ -607,7 +600,7 @@ openvpn_plugin_client_destructor_v1(openvpn_plugin_handle_t handle, void *per_cl OPENVPN_EXPORT void openvpn_plugin_close_v1(openvpn_plugin_handle_t handle) { - struct plugin_context *context = (struct plugin_context *) handle; + struct plugin_context *context = (struct plugin_context *)handle; printf("FUNC: openvpn_plugin_close_v1\n"); free(context); } diff --git a/sample/sample-plugins/defer/multi-auth.c b/sample/sample-plugins/defer/multi-auth.c index 9a2cb137c..3c9c9c6f2 100644 --- a/sample/sample-plugins/defer/multi-auth.c +++ b/sample/sample-plugins/defer/multi-auth.c @@ -62,7 +62,8 @@ static char *MODULE = "multi-auth"; * Our context, where we keep our state. */ -struct plugin_context { +struct plugin_context +{ int test_deferred_auth; char *authid; char *test_valid_user; @@ -103,11 +104,12 @@ plog(const struct plugin_context *ctx, int flags, char *fmt, ...) * structver '5' here to indicate a desire for modern openvpn, rather * than a need for any particular feature found in structver beyond '1'. */ -#define OPENVPN_PLUGIN_VERSION_MIN 3 +#define OPENVPN_PLUGIN_VERSION_MIN 3 #define OPENVPN_PLUGIN_STRUCTVER_MIN 5 -struct plugin_per_client_context { +struct plugin_per_client_context +{ int n_calls; bool generated_pf_file; }; 
@@ -175,13 +177,13 @@ openvpn_plugin_min_version_required_v1(void) /* use v3 functions so we can use openvpn's logging and base64 etc. */ OPENVPN_EXPORT int -openvpn_plugin_open_v3(const int v3structver, - struct openvpn_plugin_args_open_in const *args, +openvpn_plugin_open_v3(const int v3structver, struct openvpn_plugin_args_open_in const *args, struct openvpn_plugin_args_open_return *ret) { if (v3structver < OPENVPN_PLUGIN_STRUCTVER_MIN) { - fprintf(stderr, "%s: this plugin is incompatible with the running version of OpenVPN\n", MODULE); + fprintf(stderr, "%s: this plugin is incompatible with the running version of OpenVPN\n", + MODULE); return OPENVPN_PLUGIN_FUNC_ERROR; } @@ -194,7 +196,7 @@ openvpn_plugin_open_v3(const int v3structver, * Allocate our context */ struct plugin_context *context = NULL; - context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context)); + context = (struct plugin_context *)calloc(1, sizeof(struct plugin_context)); if (!context) { goto error; @@ -238,7 +240,7 @@ openvpn_plugin_open_v3(const int v3structver, * Which callbacks to intercept. */ ret->type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY); - ret->handle = (openvpn_plugin_handle_t *) context; + ret->handle = (openvpn_plugin_handle_t *)context; plog(context, PLOG_NOTE, "initialization succeeded"); return OPENVPN_PLUGIN_FUNC_SUCCESS; 
@@ -253,29 +255,22 @@ error: } static bool -do_auth_user_pass(struct plugin_context *context, - const char *username, const char *password) +do_auth_user_pass(struct plugin_context *context, const char *username, const char *password) { - plog(context, PLOG_NOTE, - "expect_user=%s, received_user=%s, expect_passw=%s, received_passw=%s", - np(context->test_valid_user), - np(username), - np(context->test_valid_pass), - np(password)); + plog(context, PLOG_NOTE, "expect_user=%s, received_user=%s, expect_passw=%s, received_passw=%s", + np(context->test_valid_user), np(username), np(context->test_valid_pass), np(password)); if (context->test_valid_user && context->test_valid_pass) { if ((strcmp(context->test_valid_user, username) != 0) || (strcmp(context->test_valid_pass, password) != 0)) { - plog(context, PLOG_ERR, - "User/Password auth result: FAIL"); + plog(context, PLOG_ERR, "User/Password auth result: FAIL"); return false; } else { - plog(context, PLOG_NOTE, - "User/Password auth result: PASS"); + plog(context, PLOG_NOTE, "User/Password auth result: PASS"); return true; } } @@ -284,8 +279,7 @@ do_auth_user_pass(struct plugin_context *context, static int -auth_user_pass_verify(struct plugin_context *context, - struct plugin_per_client_context *pcc, +auth_user_pass_verify(struct plugin_context *context, struct plugin_per_client_context *pcc, const char *argv[], const char *envp[]) { /* get username/password from envp string array */ @@ -295,8 +289,8 @@ auth_user_pass_verify(struct plugin_context *context, if (!context->test_deferred_auth) { plog(context, PLOG_NOTE, "Direct authentication"); - return do_auth_user_pass(context, username, password) ? - OPENVPN_PLUGIN_FUNC_SUCCESS : OPENVPN_PLUGIN_FUNC_ERROR; + return do_auth_user_pass(context, username, password) ? OPENVPN_PLUGIN_FUNC_SUCCESS + : OPENVPN_PLUGIN_FUNC_ERROR; } /* get auth_control_file filename from envp string array*/ 
@@ -317,11 +311,11 @@ auth_user_pass_verify(struct plugin_context *context, /* fork, sleep, succeed (no "real" auth done = always succeed) */ pid_t p1 = fork(); - if (p1 < 0) /* Fork failed */ + if (p1 < 0) /* Fork failed */ { return OPENVPN_PLUGIN_FUNC_ERROR; } - if (p1 > 0) /* parent process */ + if (p1 > 0) /* parent process */ { waitpid(p1, NULL, 0); return OPENVPN_PLUGIN_FUNC_DEFERRED; @@ -331,11 +325,11 @@ auth_user_pass_verify(struct plugin_context *context, pid_t p2 = fork(); if (p2 < 0) { - plog(context, PLOG_ERR|PLOG_ERRNO, "BACKGROUND: fork(2) failed"); + plog(context, PLOG_ERR | PLOG_ERRNO, "BACKGROUND: fork(2) failed"); exit(1); } - if (p2 != 0) /* new parent: exit right away */ + if (p2 != 0) /* new parent: exit right away */ { exit(0); } @@ -347,7 +341,7 @@ auth_user_pass_verify(struct plugin_context *context, */ /* do mighty complicated work that will really take time here... */ - useconds_t wait_time = (useconds_t)context->test_deferred_auth*1000; + useconds_t wait_time = (useconds_t)context->test_deferred_auth * 1000; plog(context, PLOG_NOTE, "in async/deferred handler, usleep(%u)", wait_time); usleep(wait_time); @@ -355,8 +349,7 @@ auth_user_pass_verify(struct plugin_context *context, int fd = open(auth_control_file, O_WRONLY); if (fd < 0) { - plog(context, PLOG_ERR|PLOG_ERRNO, - "open('%s') failed", auth_control_file); + plog(context, PLOG_ERR | PLOG_ERRNO, "open('%s') failed", auth_control_file); exit(1); } @@ -368,7 +361,7 @@ auth_user_pass_verify(struct plugin_context *context, if (write(fd, result, 1) != 1) { - plog(context, PLOG_ERR|PLOG_ERRNO, "write to '%s' failed", auth_control_file ); + plog(context, PLOG_ERR | PLOG_ERRNO, "write to '%s' failed", auth_control_file); } close(fd); 
@@ -377,19 +370,20 @@ auth_user_pass_verify(struct plugin_context *context, OPENVPN_EXPORT int -openvpn_plugin_func_v3(const int v3structver, - struct openvpn_plugin_args_func_in const *args, +openvpn_plugin_func_v3(const int v3structver, struct openvpn_plugin_args_func_in const *args, struct openvpn_plugin_args_func_return *ret) { if (v3structver < OPENVPN_PLUGIN_STRUCTVER_MIN) { - fprintf(stderr, "%s: this plugin is incompatible with the running version of OpenVPN\n", MODULE); + fprintf(stderr, "%s: this plugin is incompatible with the running version of OpenVPN\n", + MODULE); return OPENVPN_PLUGIN_FUNC_ERROR; } const char **argv = args->argv; const char **envp = args->envp; - struct plugin_context *context = (struct plugin_context *) args->handle; - struct plugin_per_client_context *pcc = (struct plugin_per_client_context *) args->per_client_context; + struct plugin_context *context = (struct plugin_context *)args->handle; + struct plugin_per_client_context *pcc = + (struct plugin_per_client_context *)args->per_client_context; switch (args->type) { case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY: @@ -405,7 +399,7 @@ openvpn_plugin_func_v3(const int v3structver, OPENVPN_EXPORT void * openvpn_plugin_client_constructor_v1(openvpn_plugin_handle_t handle) { - struct plugin_context *context = (struct plugin_context *) handle; + struct plugin_context *context = (struct plugin_context *)handle; plog(context, PLOG_NOTE, "FUNC: openvpn_plugin_client_constructor_v1"); return calloc(1, sizeof(struct plugin_per_client_context)); } @@ -413,7 +407,7 @@ openvpn_plugin_client_constructor_v1(openvpn_plugin_handle_t handle) OPENVPN_EXPORT void openvpn_plugin_client_destructor_v1(openvpn_plugin_handle_t handle, void *per_client_context) { - struct plugin_context *context = (struct plugin_context *) handle; + struct plugin_context *context = (struct plugin_context *)handle; plog(context, PLOG_NOTE, "FUNC: openvpn_plugin_client_destructor_v1"); free(per_client_context); } 
@@ -421,7 +415,7 @@ openvpn_plugin_client_destructor_v1(openvpn_plugin_handle_t handle, void *per_cl
 OPENVPN_EXPORT void
 openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)
 {
- struct plugin_context *context = (struct plugin_context *) handle;
+ struct plugin_context *context = (struct plugin_context *)handle;
 plog(context, PLOG_NOTE, "FUNC: openvpn_plugin_close_v1");
 free(context);
 }
diff --git a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
index b73144fdc..e7556a1fc 100644
--- a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
+++ b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
@@ -37,22 +37,25 @@
 #define MAXPATH 1024
 #endif
-#define ovpn_err(fmt, ...) \
- plugin->log(PLOG_ERR, "SSO", fmt, ## __VA_ARGS__)
-#define ovpn_dbg(fmt, ...) \
- plugin->log(PLOG_DEBUG, "SSO", fmt, ## __VA_ARGS__)
-#define ovpn_note(fmt, ...) \
- plugin->log(PLOG_NOTE, "SSO", fmt, ## __VA_ARGS__)
+#define ovpn_err(fmt, ...) plugin->log(PLOG_ERR, "SSO", fmt, ##__VA_ARGS__)
+#define ovpn_dbg(fmt, ...) plugin->log(PLOG_DEBUG, "SSO", fmt, ##__VA_ARGS__)
+#define ovpn_note(fmt, ...) plugin->log(PLOG_NOTE, "SSO", fmt, ##__VA_ARGS__)
-enum endpoint { CLIENT = 1, SERVER = 2 };
+enum endpoint
+{
+ CLIENT = 1,
+ SERVER = 2
+};
-struct plugin {
+struct plugin
+{
 plugin_log_t log;
 enum endpoint type;
 int mask;
 };
-struct session {
+struct session
+{
 char user[48];
 char key[48];
 };
@@ -85,8 +88,7 @@ get_env(const char *name, const char *envp[])
 }
 OPENVPN_EXPORT int
-openvpn_plugin_open_v3(const int version,
- struct openvpn_plugin_args_open_in const *args,
+openvpn_plugin_open_v3(const int version, struct openvpn_plugin_args_open_in const *args,
 struct openvpn_plugin_args_open_return *rv)
 {
 struct plugin *plugin = calloc(1, sizeof(*plugin));
@@ -98,9 +100,9 @@ openvpn_plugin_open_v3(const int version,
 }
 plugin->type = get_env("remote_1", args->envp) ? CLIENT : SERVER;
- plugin->log = args->callbacks->plugin_log;
+ plugin->log = args->callbacks->plugin_log;
- plugin->mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL);
+ plugin->mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL);
 plugin->mask |= OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY);
 ovpn_note("vpn endpoint type=%s", plugin->type == CLIENT ? "client" : "server");
@@ -163,8 +165,8 @@ session_user_set(struct session *sess, X509 *x509)
 static int
 tls_verify(struct openvpn_plugin_args_func_in const *args)
 {
- struct plugin *plugin = (struct plugin *)args->handle;
- struct session *sess = (struct session *)args->per_client_context;
+ struct plugin *plugin = (struct plugin *)args->handle;
+ struct session *sess = (struct session *)args->per_client_context;
 /* we store cert subject for the server end point only */
 if (plugin->type != SERVER)
@@ -199,8 +201,8 @@ file_store(char *file, char *content)
 static void
 server_store(struct openvpn_plugin_args_func_in const *args)
 {
- struct plugin *plugin = (struct plugin *)args->handle;
- struct session *sess = (struct session *)args->per_client_context;
+ struct plugin *plugin = (struct plugin *)args->handle;
+ struct session *sess = (struct session *)args->per_client_context;
 char file[MAXPATH];
 snprintf(file, sizeof(file) - 1, "/tmp/openvpn_sso_%s", sess->key);
@@ -211,8 +213,8 @@ server_store(struct openvpn_plugin_args_func_in const *args)
 static void
 client_store(struct openvpn_plugin_args_func_in const *args)
 {
- struct plugin *plugin = (struct plugin *)args->handle;
- struct session *sess = (struct session *)args->per_client_context;
+ struct plugin *plugin = (struct plugin *)args->handle;
+ struct session *sess = (struct session *)args->per_client_context;
 char *file = "/tmp/openvpn_sso_user";
 ovpn_note("app session file: %s", file);
@@ -223,8 +225,8 @@ static int
 tls_final(struct openvpn_plugin_args_func_in const *args,
 struct openvpn_plugin_args_func_return *rv)
 {
- struct plugin *plugin = (struct plugin *)args->handle;
- struct session *sess = (struct session *)args->per_client_context;
+ struct plugin *plugin = (struct plugin *)args->handle;
+ struct session *sess = (struct session *)args->per_client_context;
 const char *key;
 if (!(key = get_env("exported_keying_material", args->envp)))
@@ -251,8 +253,7 @@ tls_final(struct openvpn_plugin_args_func_in const *args,
 }
 OPENVPN_EXPORT int
-openvpn_plugin_func_v3(const int version,
- struct openvpn_plugin_args_func_in const *args,
+openvpn_plugin_func_v3(const int version, struct openvpn_plugin_args_func_in const *args,
 struct openvpn_plugin_args_func_return *rv)
 {
 switch (args->type)
@@ -270,7 +271,7 @@ OPENVPN_EXPORT void *
 openvpn_plugin_client_constructor_v1(openvpn_plugin_handle_t handle)
 {
 struct plugin *plugin = (struct plugin *)handle;
- struct session *sess = calloc(1, sizeof(*sess));
+ struct session *sess = calloc(1, sizeof(*sess));
 ovpn_note("app session created");
@@ -281,7 +282,7 @@ OPENVPN_EXPORT void
 openvpn_plugin_client_destructor_v1(openvpn_plugin_handle_t handle, void *ctx)
 {
 struct plugin *plugin = (struct plugin *)handle;
- struct session *sess = (struct session *)ctx;
+ struct session *sess = (struct session *)ctx;
 ovpn_note("app session key: %s", sess->key);
 ovpn_note("app session destroyed");
diff --git a/sample/sample-plugins/log/log.c b/sample/sample-plugins/log/log.c
index 63d714fc8..70fa60d93 100644
--- a/sample/sample-plugins/log/log.c
+++ b/sample/sample-plugins/log/log.c
@@ -36,7 +36,8 @@
 /*
 * Our context, where we keep our state.
 */
-struct plugin_context {
+struct plugin_context
+{
 const char *username;
 const char *password;
 };
@@ -75,7 +76,7 @@ openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char *
 /*
 * Allocate our context
 */
- context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context));
+ context = (struct plugin_context *)calloc(1, sizeof(struct plugin_context));
 if (context == NULL)
 {
 printf("PLUGIN: allocating memory for context failed\n");
@@ -91,19 +92,17 @@ openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char *
 /*
 * Which callbacks to intercept.
 */
- *type_mask =
- OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_IPCHANGE)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL);
-
- return (openvpn_plugin_handle_t) context;
+ *type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP) | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_IPCHANGE)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL);
+
+ return (openvpn_plugin_handle_t)context;
 }
 void
@@ -171,9 +170,10 @@ show(const int type, const char *argv[], const char *envp[])
 }
 OPENVPN_EXPORT int
-openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
+openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[],
+ const char *envp[])
 {
- struct plugin_context *context = (struct plugin_context *) handle;
+ struct plugin_context *context = (struct plugin_context *)handle;
 show(type, argv, envp);
@@ -184,8 +184,8 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const cha
 const char *username = get_env("username", envp);
 const char *password = get_env("password", envp);
- if (username && !strcmp(username, context->username)
- && password && !strcmp(password, context->password))
+ if (username && !strcmp(username, context->username) && password
+ && !strcmp(password, context->password))
 {
 return OPENVPN_PLUGIN_FUNC_SUCCESS;
 }
@@ -203,6 +203,6 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const cha
 OPENVPN_EXPORT void
 openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)
 {
- struct plugin_context *context = (struct plugin_context *) handle;
+ struct plugin_context *context = (struct plugin_context *)handle;
 free(context);
 }
diff --git a/sample/sample-plugins/log/log_v3.c b/sample/sample-plugins/log/log_v3.c
index 02cdda883..cef22cf36 100644
--- a/sample/sample-plugins/log/log_v3.c
+++ b/sample/sample-plugins/log/log_v3.c
@@ -39,7 +39,8 @@
 /*
 * Our context, where we keep our state.
 */
-struct plugin_context {
+struct plugin_context
+{
 const char *username;
 const char *password;
 };
@@ -71,8 +72,7 @@ get_env(const char *name, const char *envp[])
 }
 OPENVPN_EXPORT int
-openvpn_plugin_open_v3(const int v3structver,
- struct openvpn_plugin_args_open_in const *args,
+openvpn_plugin_open_v3(const int v3structver, struct openvpn_plugin_args_open_in const *args,
 struct openvpn_plugin_args_open_return *ret)
 {
 struct plugin_context *context = NULL;
@@ -80,7 +80,8 @@ openvpn_plugin_open_v3(const int v3structver,
 /* Check that we are API compatible */
 if (v3structver != OPENVPN_PLUGINv3_STRUCTVER)
 {
- printf("log_v3: ** ERROR ** Incompatible plug-in interface between this plug-in and OpenVPN\n");
+ printf(
+ "log_v3: ** ERROR ** Incompatible plug-in interface between this plug-in and OpenVPN\n");
 return OPENVPN_PLUGIN_FUNC_ERROR;
 }
@@ -91,26 +92,24 @@ openvpn_plugin_open_v3(const int v3structver,
 }
 /* Print some version information about the OpenVPN process using this plug-in */
- printf("log_v3: OpenVPN %s (Major: %i, Minor: %i, Patch: %s)\n",
- args->ovpn_version, args->ovpn_version_major,
- args->ovpn_version_minor, args->ovpn_version_patch);
+ printf("log_v3: OpenVPN %s (Major: %i, Minor: %i, Patch: %s)\n", args->ovpn_version,
+ args->ovpn_version_major, args->ovpn_version_minor, args->ovpn_version_patch);
 /* Which callbacks to intercept. */
- ret->type_mask =
- OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_IPCHANGE)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL);
+ ret->type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_IPCHANGE)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL);
 /* Allocate our context */
- context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context));
+ context = (struct plugin_context *)calloc(1, sizeof(struct plugin_context));
 if (context == NULL)
 {
 printf("PLUGIN: allocating memory for context failed\n");
@@ -122,7 +121,7 @@ openvpn_plugin_open_v3(const int v3structver,
 context->password = "bar";
 /* Point the global context handle to our newly created context */
- ret->handle = (void *) context;
+ ret->handle = (void *)context;
 return OPENVPN_PLUGIN_FUNC_SUCCESS;
 }
@@ -243,13 +242,11 @@ x509_print_info(X509 *x509crt)
 }
-
 OPENVPN_EXPORT int
-openvpn_plugin_func_v3(const int version,
- struct openvpn_plugin_args_func_in const *args,
+openvpn_plugin_func_v3(const int version, struct openvpn_plugin_args_func_in const *args,
 struct openvpn_plugin_args_func_return *retptr)
 {
- struct plugin_context *context = (struct plugin_context *) args->handle;
+ struct plugin_context *context = (struct plugin_context *)args->handle;
 printf("\nopenvpn_plugin_func_v3() :::::>> ");
 show(args->type, args->argv, args->envp);
@@ -270,8 +267,8 @@ openvpn_plugin_func_v3(const int version,
 const char *username = get_env("username", args->envp);
 const char *password = get_env("password", args->envp);
- if (username && !strcmp(username, context->username)
- && password && !strcmp(password, context->password))
+ if (username && !strcmp(username, context->username) && password
+ && !strcmp(password, context->password))
 {
 return OPENVPN_PLUGIN_FUNC_SUCCESS;
 }
@@ -289,6 +286,6 @@ openvpn_plugin_func_v3(const int version,
 OPENVPN_EXPORT void
 openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)
 {
- struct plugin_context *context = (struct plugin_context *) handle;
+ struct plugin_context *context = (struct plugin_context *)handle;
 free(context);
 }
diff --git a/sample/sample-plugins/simple/base64.c b/sample/sample-plugins/simple/base64.c
index b6c0c97df..8a1dedd2e 100644
--- a/sample/sample-plugins/simple/base64.c
+++ b/sample/sample-plugins/simple/base64.c
@@ -98,21 +98,20 @@ get_env(const char *name, const char *envp[])
 *
 */
 OPENVPN_EXPORT int
-openvpn_plugin_open_v3(const int v3structver,
- struct openvpn_plugin_args_open_in const *args,
+openvpn_plugin_open_v3(const int v3structver, struct openvpn_plugin_args_open_in const *args,
 struct openvpn_plugin_args_open_return *ret)
 {
 /* Check that we are API compatible */
 if (v3structver != OPENVPN_PLUGINv3_STRUCTVER)
 {
- printf("base64.c: ** ERROR ** Incompatible plug-in interface between this plug-in and OpenVPN\n");
+ printf(
+ "base64.c: ** ERROR ** Incompatible plug-in interface between this plug-in and OpenVPN\n");
 return OPENVPN_PLUGIN_FUNC_ERROR;
 }
 /* Which callbacks to intercept. */
- ret->type_mask =
- OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2);
+ ret->type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2);
 /* we don't need a plug-in context in this example, but OpenVPN expects "something" */
 ret->handle = calloc(1, 1);
@@ -125,8 +124,8 @@ openvpn_plugin_open_v3(const int v3structver,
 /* Print some version information about the OpenVPN process using this plug-in */
 ovpn_log(PLOG_NOTE, PLUGIN_NAME, "OpenVPN %s (Major: %i, Minor: %i, Patch: %s)\n",
- args->ovpn_version, args->ovpn_version_major,
- args->ovpn_version_minor, args->ovpn_version_patch);
+ args->ovpn_version, args->ovpn_version_major, args->ovpn_version_minor,
+ args->ovpn_version_patch);
 return OPENVPN_PLUGIN_FUNC_SUCCESS;
 }
@@ -154,10 +153,10 @@ openvpn_plugin_open_v3(const int v3structver,
 */
 OPENVPN_EXPORT int
-openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
+openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[],
+ const char *envp[])
 {
- if (type != OPENVPN_PLUGIN_TLS_VERIFY
- && type != OPENVPN_PLUGIN_CLIENT_CONNECT_V2)
+ if (type != OPENVPN_PLUGIN_TLS_VERIFY && type != OPENVPN_PLUGIN_CLIENT_CONNECT_V2)
 {
 ovpn_log(PLOG_ERR, PLUGIN_NAME, "Unsupported plug-in hook call attempted");
 return OPENVPN_PLUGIN_FUNC_ERROR;
@@ -174,14 +173,13 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const cha
 /* test the BASE64 encode function */
 char *buf = NULL;
 int r = ovpn_base64_encode(clcert_cn, (int)strlen(clcert_cn), &buf);
- ovpn_log(PLOG_NOTE, PLUGIN_NAME, "BASE64 encoded '%s' (return value %i): '%s'",
- clcert_cn, r, buf);
+ ovpn_log(PLOG_NOTE, PLUGIN_NAME, "BASE64 encoded '%s' (return value %i): '%s'", clcert_cn, r,
+ buf);
 /* test the BASE64 decode function */
- char buf2[256] = {0};
+ char buf2[256] = { 0 };
 r = ovpn_base64_decode(buf, &buf2, 255);
- ovpn_log(PLOG_NOTE, PLUGIN_NAME, "BASE64 decoded '%s' (return value %i): '%s'",
- buf, r, buf2);
+ ovpn_log(PLOG_NOTE, PLUGIN_NAME, "BASE64 decoded '%s' (return value %i): '%s'", buf, r, buf2);
 /* Verify the result, and free the buffer allocated by ovpn_base64_encode() */
 r = strcmp(clcert_cn, buf2);
@@ -201,6 +199,6 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const cha
 OPENVPN_EXPORT void
 openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)
 {
- struct plugin_context *context = (struct plugin_context *) handle;
+ struct plugin_context *context = (struct plugin_context *)handle;
 free(context);
 }
diff --git a/sample/sample-plugins/simple/simple.c b/sample/sample-plugins/simple/simple.c
index ed5bce57b..8b2b793fa 100644
--- a/sample/sample-plugins/simple/simple.c
+++ b/sample/sample-plugins/simple/simple.c
@@ -38,7 +38,8 @@
 /*
 * Our context, where we keep our state.
 */
-struct plugin_context {
+struct plugin_context
+{
 const char *username;
 const char *password;
 };
@@ -77,7 +78,7 @@ openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char *
 /*
 * Allocate our context
 */
- context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context));
+ context = (struct plugin_context *)calloc(1, sizeof(struct plugin_context));
 if (context == NULL)
 {
 printf("PLUGIN: allocating memory for context failed\n");
@@ -96,21 +97,22 @@ openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char *
 */
 *type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY);
- return (openvpn_plugin_handle_t) context;
+ return (openvpn_plugin_handle_t)context;
 }
 OPENVPN_EXPORT int
-openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
+openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[],
+ const char *envp[])
 {
- struct plugin_context *context = (struct plugin_context *) handle;
+ struct plugin_context *context = (struct plugin_context *)handle;
 /* get username/password from envp string array */
 const char *username = get_env("username", envp);
 const char *password = get_env("password", envp);
 /* check entered username/password against what we require */
- if (username && !strcmp(username, context->username)
- && password && !strcmp(password, context->password))
+ if (username && !strcmp(username, context->username) && password
+ && !strcmp(password, context->password))
 {
 return OPENVPN_PLUGIN_FUNC_SUCCESS;
 }
@@ -123,6 +125,6 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const cha
 OPENVPN_EXPORT void
 openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)
 {
- struct plugin_context *context = (struct plugin_context *) handle;
+ struct plugin_context *context = (struct plugin_context *)handle;
 free(context);
 }
diff --git a/src/compat/compat-basename.c b/src/compat/compat-basename.c
index 18944f69d..24f5af727 100644
--- a/src/compat/compat-basename.c
+++ b/src/compat/compat-basename.c
@@ -41,7 +41,7 @@ basename(char *filename)
 /* If NULL, check for \ instead ... might be Windows a path */
 p = strrchr(filename, '\\');
 }
- return p ? p + 1 : (char *) filename;
+ return p ? p + 1 : (char *)filename;
 }
 #endif /* HAVE_BASENAME */
diff --git a/src/compat/compat-dirname.c b/src/compat/compat-dirname.c
index 17de8adb3..a432baece 100644
--- a/src/compat/compat-dirname.c
+++ b/src/compat/compat-dirname.c
@@ -89,7 +89,7 @@ dirname(char *path)
 /* The '/' is the last character, we have to look further. */
 if (runp != path)
 {
- last_slash = (char *) __memrchr(path, separator, runp - path);
+ last_slash = (char *)__memrchr(path, separator, runp - path);
 }
 }
@@ -134,7 +134,7 @@ dirname(char *path)
 /* This assignment is ill-designed but the XPG specs require to
 * return a string containing "." in any case no directory part is
 * found and so a static and constant string is required. */
- path = (char *) dot;
+ path = (char *)dot;
 }
 return path;
diff --git a/src/compat/compat-gettimeofday.c b/src/compat/compat-gettimeofday.c
index de53cb56d..29ded6c52 100644
--- a/src/compat/compat-gettimeofday.c
+++ b/src/compat/compat-gettimeofday.c
@@ -48,7 +48,7 @@ gettimeofday_calibrate(void)
 {
 const time_t t = time(NULL);
 const DWORD gtc = GetTickCount();
- gtc_base = t - gtc/1000;
+ gtc_base = t - gtc / 1000;
 gtc_last = gtc;
 }
@@ -112,7 +112,7 @@ gettimeofday(struct timeval *tv, void *tz)
 return 0;
 }
-#else /* ifdef _WIN32 */
+#else /* ifdef _WIN32 */
 #include
diff --git a/src/openvpn/argv.c b/src/openvpn/argv.c
index 34266d40d..903fc0a57 100644
--- a/src/openvpn/argv.c
+++ b/src/openvpn/argv.c
@@ -284,8 +284,7 @@ argv_msg_prefix(const int msglev, const struct argv *a, const char *prefix)
 * free()d to avoid memory leaks.
 */
 static char *
-argv_prep_format(const char *format, const char delim, size_t *count,
- struct gc_arena *gc)
+argv_prep_format(const char *format, const char delim, size_t *count, struct gc_arena *gc)
 {
 if (format == NULL)
 {
@@ -311,7 +310,7 @@ argv_prep_format(const char *format, const char delim, size_t *count,
 * the string is empty; the resulting format string
 * will never start with a delimiter.
 */
- if (j > 0) /* Has anything been written to the output string? */
+ if (j > 0) /* Has anything been written to the output string? */
 {
 f[j++] = delim;
 }
@@ -347,7 +346,7 @@ argv_prep_format(const char *format, const char delim, size_t *count,
 static bool
 argv_printf_arglist(struct argv *argres, const char *format, va_list arglist)
 {
- const char delim = 0x1D; /* ASCII Group Separator (GS) */
+ const char delim = 0x1D; /* ASCII Group Separator (GS) */
 bool res = false;
 /*
@@ -484,8 +483,8 @@ argv_parse_cmd(struct argv *argres, const char *cmdstr)
 argv_reset(argres);
 char *parms[MAX_PARMS + 1] = { 0 };
- int nparms = parse_line(cmdstr, parms, MAX_PARMS, "SCRIPT-ARGV", 0,
- D_ARGV_PARSE_CMD, &argres->gc);
+ int nparms =
+ parse_line(cmdstr, parms, MAX_PARMS, "SCRIPT-ARGV", 0, D_ARGV_PARSE_CMD, &argres->gc);
 if (nparms)
 {
 int i;
diff --git a/src/openvpn/argv.h b/src/openvpn/argv.h
index f69476090..056fe31ca 100644
--- a/src/openvpn/argv.h
+++ b/src/openvpn/argv.h
@@ -31,7 +31,8 @@
 #include "buffer.h"
-struct argv {
+struct argv
+{
 struct gc_arena gc;
 size_t capacity;
 size_t argc;
@@ -55,21 +56,21 @@ void argv_parse_cmd(struct argv *a, const char *s);
 bool argv_printf(struct argv *a, const char *format, ...)
 #ifdef __GNUC__
 #if __USE_MINGW_ANSI_STDIO
-__attribute__ ((format(gnu_printf, 2, 3)))
+ __attribute__((format(gnu_printf, 2, 3)))
 #else
-__attribute__ ((format(__printf__, 2, 3)))
+ __attribute__((format(__printf__, 2, 3)))
 #endif
 #endif
-;
+ ;
 bool argv_printf_cat(struct argv *a, const char *format, ...)
 #ifdef __GNUC__
 #if __USE_MINGW_ANSI_STDIO
-__attribute__ ((format(gnu_printf, 2, 3)))
+ __attribute__((format(gnu_printf, 2, 3)))
 #else
-__attribute__ ((format(__printf__, 2, 3)))
+ __attribute__((format(__printf__, 2, 3)))
 #endif
 #endif
-;
+ ;
 #endif /* ifndef ARGV_H */
diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c
index 3cf55e876..a694e81cf 100644
--- a/src/openvpn/auth_token.c
+++ b/src/openvpn/auth_token.c
@@ -18,7 +18,7 @@
 const char *auth_token_pem_name = "OpenVPN auth-token server key";
-#define AUTH_TOKEN_SESSION_ID_LEN 12
+#define AUTH_TOKEN_SESSION_ID_LEN 12
 #define AUTH_TOKEN_SESSION_ID_BASE64_LEN (AUTH_TOKEN_SESSION_ID_LEN * 8 / 6)
 #if AUTH_TOKEN_SESSION_ID_LEN % 3
@@ -53,7 +53,7 @@ add_session_token_env(struct tls_session *session, struct tls_multi *multi,
 }
 else if (auth_token_state_flags & AUTH_TOKEN_HMAC_OK)
 {
- switch (auth_token_state_flags & (AUTH_TOKEN_VALID_EMPTYUSER|AUTH_TOKEN_EXPIRED))
+ switch (auth_token_state_flags & (AUTH_TOKEN_VALID_EMPTYUSER | AUTH_TOKEN_EXPIRED))
 {
 case 0:
 state = "Authenticated";
@@ -107,9 +107,9 @@ add_session_token_env(struct tls_session *session, struct tls_multi *multi,
 * in the encoding
 */
- char session_id[AUTH_TOKEN_SESSION_ID_LEN*2] = {0};
+ char session_id[AUTH_TOKEN_SESSION_ID_LEN * 2] = { 0 };
 memcpy(session_id, session_id_source + strlen(SESSION_ID_PREFIX),
- AUTH_TOKEN_SESSION_ID_LEN*8/6);
+ AUTH_TOKEN_SESSION_ID_LEN * 8 / 6);
 setenv_str(session->opt->es, "session_id", session_id);
 }
@@ -121,8 +121,7 @@ auth_token_write_server_key_file(const char *filename)
 }
 void
-auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file,
- bool key_inline)
+auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file, bool key_inline)
 {
 struct key_type kt = auth_token_kt();
@@ -131,14 +130,12 @@ auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file,
 bool key_loaded = false;
 if (key_file)
 {
- key_loaded = read_pem_key_file(&server_secret_key,
- auth_token_pem_name,
- key_file, key_inline);
+ key_loaded =
+ read_pem_key_file(&server_secret_key, auth_token_pem_name, key_file, key_inline);
 }
 else
 {
- key_loaded = generate_ephemeral_key(&server_secret_key,
- auth_token_pem_name);
+ key_loaded = generate_ephemeral_key(&server_secret_key, auth_token_pem_name);
 }
 if (!key_loaded)
@@ -169,7 +166,7 @@ generate_auth_token(const struct user_pass *up, struct tls_multi *multi)
 int64_t initial_timestamp = timestamp;
 hmac_ctx_t *ctx = multi->opt.auth_token_key.hmac;
- ASSERT(hmac_ctx_size(ctx) == 256/8);
+ ASSERT(hmac_ctx_size(ctx) == 256 / 8);
 uint8_t sessid[AUTH_TOKEN_SESSION_ID_LEN];
@@ -185,7 +182,7 @@ generate_auth_token(const struct user_pass *up, struct tls_multi *multi)
 char *initial_token_copy = string_alloc(multi->auth_token_initial, &gc);
 char *old_sessid = initial_token_copy + strlen(SESSION_ID_PREFIX);
- char *old_tstamp_initial = old_sessid + AUTH_TOKEN_SESSION_ID_LEN*8/6;
+ char *old_tstamp_initial = old_sessid + AUTH_TOKEN_SESSION_ID_LEN * 8 / 6;
 /*
 * We null terminate the old token just after the session ID to let
@@ -197,12 +194,13 @@ generate_auth_token(const struct user_pass *up, struct tls_multi *multi)
 memcpy(&initial_timestamp, &old_tstamp_decode, sizeof(initial_timestamp));
 old_tstamp_initial[0] = '\0';
- ASSERT(openvpn_base64_decode(old_sessid, sessid, AUTH_TOKEN_SESSION_ID_LEN) == AUTH_TOKEN_SESSION_ID_LEN);
+ ASSERT(openvpn_base64_decode(old_sessid, sessid, AUTH_TOKEN_SESSION_ID_LEN)
+ == AUTH_TOKEN_SESSION_ID_LEN);
 }
 else if (!rand_bytes(sessid, AUTH_TOKEN_SESSION_ID_LEN))
 {
- msg( M_FATAL, "Failed to get enough randomness for "
- "authentication token");
+ msg(M_FATAL, "Failed to get enough randomness for "
+ "authentication token");
 }
 /* Calculate the HMAC */
@@ -210,7 +208,7 @@ generate_auth_token(const struct user_pass *up, struct tls_multi *multi)
 * with \0 in them is asking for troubles in so many ways anyway that we
 * ignore that corner case here */
- uint8_t hmac_output[256/8];
+ uint8_t hmac_output[256 / 8];
 hmac_ctx_reset(ctx);
@@ -222,20 +220,20 @@ generate_auth_token(const struct user_pass *up, struct tls_multi *multi)
 struct key_state *ks = &multi->session[TM_ACTIVE].key[KS_PRIMARY];
 if (ks->auth_token_state_flags & AUTH_TOKEN_VALID_EMPTYUSER)
 {
- hmac_ctx_update(ctx, (const uint8_t *) "", 0);
+ hmac_ctx_update(ctx, (const uint8_t *)"", 0);
 }
 else
 {
- hmac_ctx_update(ctx, (uint8_t *) up->username, (int) strlen(up->username));
+ hmac_ctx_update(ctx, (uint8_t *)up->username, (int)strlen(up->username));
 }
 hmac_ctx_update(ctx, sessid, AUTH_TOKEN_SESSION_ID_LEN);
- hmac_ctx_update(ctx, (uint8_t *) &initial_timestamp, sizeof(initial_timestamp));
- hmac_ctx_update(ctx, (uint8_t *) ×tamp, sizeof(timestamp));
+ hmac_ctx_update(ctx, (uint8_t *)&initial_timestamp, sizeof(initial_timestamp));
+ hmac_ctx_update(ctx, (uint8_t *)×tamp, sizeof(timestamp));
 hmac_ctx_final(ctx, hmac_output);
 /* Construct the unencoded session token */
- struct buffer token = alloc_buf_gc(
- 2*sizeof(uint64_t) + AUTH_TOKEN_SESSION_ID_LEN + 256/8, &gc);
+ struct buffer token =
+ alloc_buf_gc(2 * sizeof(uint64_t) + AUTH_TOKEN_SESSION_ID_LEN + 256 / 8, &gc);
 ASSERT(buf_write(&token, sessid, sizeof(sessid)));
 ASSERT(buf_write(&token, &initial_timestamp, sizeof(initial_timestamp)));
@@ -245,8 +243,8 @@ generate_auth_token(const struct user_pass *up, struct tls_multi *multi)
 char *b64output = NULL;
 openvpn_base64_encode(BPTR(&token), BLEN(&token), &b64output);
- struct buffer session_token = alloc_buf_gc(
- strlen(SESSION_ID_PREFIX) + strlen(b64output) + 1, &gc);
+ struct buffer session_token =
+ alloc_buf_gc(strlen(SESSION_ID_PREFIX) + strlen(b64output) + 1, &gc);
 ASSERT(buf_write(&session_token, SESSION_ID_PREFIX, strlen(SESSION_ID_PREFIX)));
 ASSERT(buf_write(&session_token, b64output, (int)strlen(b64output)));
@@ -258,8 +256,7 @@ generate_auth_token(const struct user_pass *up, struct tls_multi *multi)
 free(multi->auth_token);
 multi->auth_token = strdup((char *)BPTR(&session_token));
- dmsg(D_SHOW_KEYS, "Generated token for client: %s (%s)",
- multi->auth_token, up->username);
+ dmsg(D_SHOW_KEYS, "Generated token for client: %s (%s)", multi->auth_token, up->username);
 if (!multi->auth_token_initial)
 {
@@ -277,22 +274,21 @@ generate_auth_token(const struct user_pass *up, struct tls_multi *multi)
 static bool
 check_hmac_token(hmac_ctx_t *ctx, const uint8_t *b64decoded, const char *username)
 {
- ASSERT(hmac_ctx_size(ctx) == 256/8);
+ ASSERT(hmac_ctx_size(ctx) == 256 / 8);
- uint8_t hmac_output[256/8];
+ uint8_t hmac_output[256 / 8];
 hmac_ctx_reset(ctx);
- hmac_ctx_update(ctx, (uint8_t *) username, (int)strlen(username));
- hmac_ctx_update(ctx, b64decoded, TOKEN_DATA_LEN - 256/8);
+ hmac_ctx_update(ctx, (uint8_t *)username, (int)strlen(username));
+ hmac_ctx_update(ctx, b64decoded, TOKEN_DATA_LEN - 256 / 8);
 hmac_ctx_final(ctx, hmac_output);
- const uint8_t *hmac = b64decoded + TOKEN_DATA_LEN - 256/8;
+ const uint8_t *hmac = b64decoded + TOKEN_DATA_LEN - 256 / 8;
 return memcmp_constant_time(&hmac_output, hmac, 32) == 0;
 }
 unsigned int
-verify_auth_token(struct user_pass *up, struct tls_multi *multi,
- struct tls_session *session)
+verify_auth_token(struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
 {
 /*
 * Base64 is <= input and input is < USER_PASS_LEN, so using USER_PASS_LEN
@@ -300,8 +296,8 @@ verify_auth_token(struct user_pass *up, struct tls_multi *multi,
 */
 ASSERT(up && !up->protected);
 uint8_t b64decoded[USER_PASS_LEN];
- int decoded_len = openvpn_base64_decode(up->password + strlen(SESSION_ID_PREFIX),
- b64decoded, USER_PASS_LEN);
+ int decoded_len =
+ openvpn_base64_decode(up->password + strlen(SESSION_ID_PREFIX), b64decoded, USER_PASS_LEN);
 /*
 * Ensure that the decoded data is the size of the
@@ -309,8 +305,7 @@ verify_auth_token(struct user_pass *up, struct tls_multi *multi,
 */
 if (decoded_len != TOKEN_DATA_LEN)
 {
- msg(M_WARN, "ERROR: --auth-token wrong size (%d!=%d)",
- decoded_len, (int) TOKEN_DATA_LEN);
+ msg(M_WARN, "ERROR: --auth-token wrong size (%d!=%d)", decoded_len, (int)TOKEN_DATA_LEN);
 return 0;
 }
@@ -343,15 +338,14 @@ verify_auth_token(struct user_pass *up, struct tls_multi *multi,
 }
 else
 {
- msg(M_WARN, "--auth-gen-token: HMAC on token from client failed (%s)",
- up->username);
+ msg(M_WARN, "--auth-gen-token: HMAC on token from client failed (%s)", up->username);
 return 0;
 }
 /* Accept session tokens only if their timestamp is in the acceptable range
 * for renegotiations */
- bool in_renegotiation_time = now >= timestamp
- && now < timestamp + 2 * session->opt->auth_token_renewal;
+ bool in_renegotiation_time =
+ now >= timestamp && now < timestamp + 2 * session->opt->auth_token_renewal;
 if (!in_renegotiation_time)
 {
@@ -363,14 +357,14 @@ verify_auth_token(struct user_pass *up, struct tls_multi *multi,
 /* Sanity check the initial timestamp */
 if (timestamp < timestamp_initial)
 {
- msg(M_WARN, "Initial timestamp (%" PRIu64 ") in token from client earlier than "
+ msg(M_WARN,
+ "Initial timestamp (%" PRIu64 ") in token from client earlier than "
 "current timestamp %" PRIu64 ". Broken/unsynchronised clock?",
 timestamp_initial, timestamp);
 ret |= AUTH_TOKEN_EXPIRED;
 }
- if (multi->opt.auth_token_lifetime
- && now > timestamp_initial + multi->opt.auth_token_lifetime)
+ if (multi->opt.auth_token_lifetime && now > timestamp_initial + multi->opt.auth_token_lifetime)
 {
 ret |= AUTH_TOKEN_EXPIRED;
 }
@@ -391,7 +385,7 @@ verify_auth_token(struct user_pass *up, struct tls_multi *multi,
 strlen(SESSION_ID_PREFIX) + AUTH_TOKEN_SESSION_ID_BASE64_LEN))
 {
 msg(M_WARN, "--auth-gen-token: session id in token changed (Rejecting "
- "token.");
+ "token.");
 ret = 0;
 }
 return ret;
@@ -409,8 +403,7 @@ wipe_auth_token(struct tls_multi *multi) } if (multi->auth_token_initial) { - secure_memzero(multi->auth_token_initial, - strlen(multi->auth_token_initial)); + secure_memzero(multi->auth_token_initial, strlen(multi->auth_token_initial)); free(multi->auth_token_initial); } multi->auth_token = NULL; @@ -438,7 +431,7 @@ check_send_auth_token(struct context *c) if (!multi->auth_token_initial) { msg(D_SHOW_KEYS, "initial auth-token not generated yet, skipping " - "auth-token renewal."); + "auth-token renewal."); return; } diff --git a/src/openvpn/auth_token.h b/src/openvpn/auth_token.h index 3d56ee639..1e4a4135c 100644 --- a/src/openvpn/auth_token.h +++ b/src/openvpn/auth_token.h @@ -58,27 +58,22 @@ * This function will free() an existing multi->auth_token and keep the * existing initial timestamp and session id contained in that token. */ -void -generate_auth_token(const struct user_pass *up, struct tls_multi *multi); +void generate_auth_token(const struct user_pass *up, struct tls_multi *multi); /** * Verifies the auth token to be in the format that generate_auth_token * create and checks if the token is valid. * */ -unsigned -verify_auth_token(struct user_pass *up, struct tls_multi *multi, - struct tls_session *session); - +unsigned verify_auth_token(struct user_pass *up, struct tls_multi *multi, + struct tls_session *session); /** * Loads an HMAC secret from a file or if no file is present generates a * epheremal secret for the run time of the server and stores it into ctx */ -void -auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file, - bool key_inline); +void auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file, bool key_inline); /** 
@@ -125,8 +120,7 @@ void wipe_auth_token(struct tls_multi *multi); static inline bool is_auth_token(const char *password) { - return (memcmp_constant_time(SESSION_ID_PREFIX, password, - strlen(SESSION_ID_PREFIX)) == 0); + return (memcmp_constant_time(SESSION_ID_PREFIX, password, strlen(SESSION_ID_PREFIX)) == 0); } /** * Checks if a client should be sent a new auth token to update its @@ -134,15 +128,13 @@ is_auth_token(const char *password) * @param multi Pointer the multi object of the TLS session * @param session Pointer to the TLS session itself */ -void -resend_auth_token_renegotiation(struct tls_multi *multi, struct tls_session *session); +void resend_auth_token_renegotiation(struct tls_multi *multi, struct tls_session *session); /** * Checks if the timer to resend the auth-token has expired and if a new * auth-token should be send to the client and triggers the resending */ -void -check_send_auth_token(struct context *c); +void check_send_auth_token(struct context *c); #endif /* AUTH_TOKEN_H */ diff --git a/src/openvpn/base64.c b/src/openvpn/base64.c index a9c2f4c66..54d5b7953 100644 --- a/src/openvpn/base64.c +++ b/src/openvpn/base64.c @@ -41,8 +41,7 @@ #include "memdbg.h" -static char base64_chars[] = - "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; +static char base64_chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; /* * base64 encode input data of length size to malloced * buffer which is returned as *str. Returns string @@ -60,14 +59,14 @@ openvpn_base64_encode(const void *data, int size, char **str) { return -1; } - p = s = (char *) malloc(size * 4 / 3 + 4); + p = s = (char *)malloc(size * 4 / 3 + 4); if (p == NULL) { return -1; } - q = (const unsigned char *) data; + q = (const unsigned char *)data; i = 0; - for (i = 0; i < size; ) + for (i = 0; i < size;) { c = q[i++]; c *= 256; 
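Review bot: The allocation `malloc(size * 4 / 3 + 4)` in openvpn_base64_encode computes `size * 4` in `int`, so a `size` above INT_MAX / 4 overflows (undefined behaviour) and in practice yields an undersized buffer that the encoding loop then writes past; the guard whose closing brace opens this hunk is outside it, so I cannot tell whether it already bounds size from above. If it does not, `if (size < 0 || size > INT_MAX / 4) { return -1; }` before the malloc, or computing the length as `(size_t)size * 4 / 3 + 4`, closes the gap. Whether any caller can reach such a size is not visible from here, so this is hardening rather than a known crash. The function starts before this hunk and its loop continues past it.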
@@ -196,5 +195,5 @@ openvpn_base64_decode(const char *str, void *data, int size) *q++ = val & 0xff; } } - return q - (unsigned char *) data; + return q - (unsigned char *)data; } diff --git a/src/openvpn/base64.h b/src/openvpn/base64.h index 7b4224a51..be7aa6466 100644 --- a/src/openvpn/base64.h +++ b/src/openvpn/base64.h @@ -35,12 +35,10 @@ #define _BASE64_H_ /** Compute resulting base64 length. 6 bits per byte, padded to 4 bytes. */ -#define OPENVPN_BASE64_LENGTH(binary_length) \ - ((((8 * binary_length) / 6) + 3) & ~3) +#define OPENVPN_BASE64_LENGTH(binary_length) ((((8 * binary_length) / 6) + 3) & ~3) /** Compute the maximal number of bytes encoded in a base64 string. */ -#define OPENVPN_BASE64_DECODED_LENGTH(base64_length) \ - ((base64_length / 4) * 3) +#define OPENVPN_BASE64_DECODED_LENGTH(base64_length) ((base64_length / 4) * 3) int openvpn_base64_encode(const void *data, int size, char **str); diff --git a/src/openvpn/basic.h b/src/openvpn/basic.h index 47a86d90a..aae84f59e 100644 --- a/src/openvpn/basic.h +++ b/src/openvpn/basic.h @@ -26,7 +26,7 @@ #define BOOL_CAST(x) ((x) ? (true) : (false)) /* size of an array */ -#define SIZE(x) (sizeof(x)/sizeof(x[0])) +#define SIZE(x) (sizeof(x) / sizeof(x[0])) /* clear an object (may be optimized away, use secure_memzero() to erase secrets) */ #define CLEAR(x) memset(&(x), 0, sizeof(x)) diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c index 5940ad972..0f0d17e0f 100644 --- a/src/openvpn/buffer.c +++ b/src/openvpn/buffer.c 
@@ -40,12 +40,14 @@ size_t array_mult_safe(const size_t m1, const size_t m2, const size_t extra) { const size_t limit = 0xFFFFFFFF; - unsigned long long res = (unsigned long long)m1 * (unsigned long long)m2 + (unsigned long long)extra; - if (unlikely(m1 > limit) || unlikely(m2 > limit) || unlikely(extra > limit) || unlikely(res > (unsigned long long)limit)) + unsigned long long res = + (unsigned long long)m1 * (unsigned long long)m2 + (unsigned long long)extra; + if (unlikely(m1 > limit) || unlikely(m2 > limit) || unlikely(extra > limit) + || unlikely(res > (unsigned long long)limit)) { msg(M_FATAL, "attempted allocation of excessively large array"); } - return (size_t) res; + return (size_t)res; } void @@ -96,9 +98,9 @@ alloc_buf_gc(size_t size, struct gc_arena *gc) buf.offset = 0; buf.len = 0; #ifdef DMALLOC - buf.data = (uint8_t *) gc_malloc_debug(size, false, gc, file, line); + buf.data = (uint8_t *)gc_malloc_debug(size, false, gc, file, line); #else - buf.data = (uint8_t *) gc_malloc(size, false, gc); + buf.data = (uint8_t *)gc_malloc(size, false, gc); #endif if (size) { @@ -119,9 +121,9 @@ clone_buf(const struct buffer *buf) ret.offset = buf->offset; ret.len = buf->len; #ifdef DMALLOC - ret.data = (uint8_t *) openvpn_dmalloc(file, line, buf->capacity); + ret.data = (uint8_t *)openvpn_dmalloc(file, line, buf->capacity); #else - ret.data = (uint8_t *) malloc(buf->capacity); + ret.data = (uint8_t *)malloc(buf->capacity); #endif check_malloc_return(ret.data); memcpy(BPTR(&ret), BPTR(buf), BLEN(buf)); @@ -150,7 +152,7 @@ buf_debug_file(const struct buffer *buf) return buf->debug_file; } -#else /* ifdef BUF_INIT_TRACKING */ +#else /* ifdef BUF_INIT_TRACKING */ #define buf_debug_line(buf) 0 #define buf_debug_file(buf) "[UNDEF]" 
@@ -252,7 +254,7 @@ buf_printf(struct buffer *buf, const char *format, ...) stat = vsnprintf((char *)ptr, cap, format, arglist); va_end(arglist); *(buf->data + buf->capacity - 1) = 0; /* windows vsnprintf needs this */ - buf->len += (int) strlen((char *)ptr); + buf->len += (int)strlen((char *)ptr); if (stat >= 0 && stat < cap) { ret = true; @@ -272,7 +274,7 @@ buf_puts(struct buffer *buf, const char *str) { strncpynt((char *)ptr, str, cap); *(buf->data + buf->capacity - 1) = 0; /* windows vsnprintf needs this */ - buf->len += (int) strlen((char *)ptr); + buf->len += (int)strlen((char *)ptr); ret = true; } return ret; @@ -299,8 +301,7 @@ bool buffer_write_file(const char *filename, const struct buffer *buf) { bool ret = false; - int fd = platform_open(filename, O_CREAT | O_TRUNC | O_WRONLY, - S_IRUSR | S_IWUSR); + int fd = platform_open(filename, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR); if (fd == -1) { msg(M_ERRNO, "Cannot open file '%s' for write", filename); @@ -340,12 +341,12 @@ gc_malloc(size_t size, bool clear, struct gc_arena *a) { struct gc_entry *e; #ifdef DMALLOC - e = (struct gc_entry *) openvpn_dmalloc(file, line, size + sizeof(struct gc_entry)); + e = (struct gc_entry *)openvpn_dmalloc(file, line, size + sizeof(struct gc_entry)); #else - e = (struct gc_entry *) malloc(size + sizeof(struct gc_entry)); + e = (struct gc_entry *)malloc(size + sizeof(struct gc_entry)); #endif check_malloc_return(e); - ret = (char *) e + sizeof(struct gc_entry); + ret = (char *)e + sizeof(struct gc_entry); e->next = a->list; a->list = e; } @@ -361,7 +362,7 @@ gc_malloc(size_t size, bool clear, struct gc_arena *a) #ifndef ZERO_BUFFER_ON_ALLOC if (clear) #endif - memset(ret, 0, size); + memset(ret, 0, size); return ret; } 
@@ -439,9 +440,9 @@ gc_addspecial(void *addr, void (*free_function)(void *), struct gc_arena *a) ASSERT(a); struct gc_entry_special *e; #ifdef DMALLOC - e = (struct gc_entry_special *) openvpn_dmalloc(file, line, sizeof(struct gc_entry_special)); + e = (struct gc_entry_special *)openvpn_dmalloc(file, line, sizeof(struct gc_entry_special)); #else - e = (struct gc_entry_special *) malloc(sizeof(struct gc_entry_special)); + e = (struct gc_entry_special *)malloc(sizeof(struct gc_entry_special)); #endif check_malloc_return(e); e->free_fnc = free_function; @@ -479,15 +480,15 @@ gc_transfer(struct gc_arena *dest, struct gc_arena *src) */ char * -format_hex_ex(const uint8_t *data, int size, int maxoutput, - unsigned int space_break_flags, const char *separator, - struct gc_arena *gc) +format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, + const char *separator, struct gc_arena *gc) { const size_t bytes_per_hexblock = space_break_flags & FHE_SPACE_BREAK_MASK; const size_t separator_len = separator ? strlen(separator) : 0; static_assert(INT_MAX <= SIZE_MAX, "Code assumes INT_MAX <= SIZE_MAX"); - const size_t out_len = maxoutput > 0 ? maxoutput : - ((size * 2) + ((size / bytes_per_hexblock) * separator_len) + 2); + const size_t out_len = maxoutput > 0 + ? maxoutput + : ((size * 2) + ((size / bytes_per_hexblock) * separator_len) + 2); struct buffer out = alloc_buf_gc(out_len, gc); for (int i = 0; i < size; ++i) @@ -531,13 +532,13 @@ buf_rmtail(struct buffer *buf, uint8_t remove) void buf_null_terminate(struct buffer *buf) { - char *last = (char *) BLAST(buf); + char *last = (char *)BLAST(buf); if (last && *last == '\0') /* already terminated? */ { return; } - if (!buf_safe(buf, 1)) /* make space for trailing null */ + if (!buf_safe(buf, 1)) /* make space for trailing null */ { buf_inc_len(buf, -1); } 
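Review bot: format_hex_ex divides by `bytes_per_hexblock` when computing `out_len`, and that value is just the low eight bits of `space_break_flags`, so a caller passing 0 there together with `maxoutput <= 0` hits a division by zero; nothing in the hunk rejects that combination. A cheap guard is to treat zero as "no separators", e.g. `const size_t sep_blocks = bytes_per_hexblock ? size / bytes_per_hexblock : 0;` and use `sep_blocks * separator_len` inside the `out_len` expression. Whether any current caller passes 0 is not visible from this hunk, so this is defensive rather than a reproduced crash. The function's loop body continues past the hunk.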
@@ -554,12 +555,12 @@ buf_chomp(struct buffer *buf) { while (true) { - char *last = (char *) BLAST(buf); + char *last = (char *)BLAST(buf); if (!last) { break; } - if (char_class(*last, CC_CRLF|CC_NULL)) + if (char_class(*last, CC_CRLF | CC_NULL)) { if (!buf_inc_len(buf, -1)) { @@ -656,9 +657,9 @@ string_alloc(const char *str, struct gc_arena *gc) if (gc) { #ifdef DMALLOC - ret = (char *) gc_malloc_debug(n, false, gc, file, line); + ret = (char *)gc_malloc_debug(n, false, gc, file, line); #else - ret = (char *) gc_malloc(n, false, gc); + ret = (char *)gc_malloc(n, false, gc); #endif } else @@ -717,7 +718,7 @@ print_argv(const char **p, struct gc_arena *gc, const unsigned int flags) { struct buffer out = alloc_buf_gc(256, gc); int i = 0; - for (;; ) + for (;;) { const char *cp = *p++; if (!cp) @@ -756,9 +757,9 @@ string_alloc_buf(const char *str, struct gc_arena *gc) ASSERT(str); #ifdef DMALLOC - buf_set_read(&buf, (uint8_t *) string_alloc_debug(str, gc, file, line), strlen(str) + 1); + buf_set_read(&buf, (uint8_t *)string_alloc_debug(str, gc, file, line), strlen(str) + 1); #else - buf_set_read(&buf, (uint8_t *) string_alloc(str, gc), strlen(str) + 1); + buf_set_read(&buf, (uint8_t *)string_alloc(str, gc), strlen(str) + 1); #endif if (buf.len > 0) /* Don't count trailing '\0' as part of length */ @@ -845,10 +846,9 @@ buf_parse(struct buffer *buf, const int delim, char *line, const int size) break; } line[n++] = (char)c; - } - while (c); + } while (c); - line[size-1] = '\0'; + line[size - 1] = '\0'; return !(eol && !strlen(line)); } @@ -1038,7 +1038,8 @@ string_class(const char *str, const unsigned int inclusive, const unsigned int e * Guaranteed to not increase string length. */ bool -string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive, const char replace) +string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive, + const char replace) { const char *in = str; bool ret = true; 
@@ -1087,11 +1088,8 @@ string_check_buf(struct buffer *buf, const unsigned int inclusive, const unsigne } const char * -string_mod_const(const char *str, - const unsigned int inclusive, - const unsigned int exclusive, - const char replace, - struct gc_arena *gc) +string_mod_const(const char *str, const unsigned int inclusive, const unsigned int exclusive, + const char replace, struct gc_arena *gc) { if (str) { @@ -1130,23 +1128,16 @@ valign4(const struct buffer *buf, const char *file, const int line) if (buf && buf->len) { int msglevel = D_ALIGN_DEBUG; - const unsigned int u = (unsigned int) BPTR(buf); + const unsigned int u = (unsigned int)BPTR(buf); - if (u & (PAYLOAD_ALIGN-1)) + if (u & (PAYLOAD_ALIGN - 1)) { msglevel = D_ALIGN_ERRORS; } msg(msglevel, "%sAlignment at %s/%d ptr=" ptr_format " OLC=%d/%d/%d I=%s/%d", - (msglevel == D_ALIGN_ERRORS) ? "ERROR: " : "", - file, - line, - (ptr_type)buf->data, - buf->offset, - buf->len, - buf->capacity, - buf_debug_file(buf), - buf_debug_line(buf)); + (msglevel == D_ALIGN_ERRORS) ? "ERROR: " : "", file, line, (ptr_type)buf->data, + buf->offset, buf->len, buf->capacity, buf_debug_file(buf), buf_debug_line(buf)); } } #endif /* ifdef VERIFY_ALIGNMENT */ @@ -1200,7 +1191,7 @@ buffer_list_push(struct buffer_list *ol, const char *str) if (str) { const size_t len = strlen((const char *)str); - struct buffer_entry *e = buffer_list_push_data(ol, str, len+1); + struct buffer_entry *e = buffer_list_push_data(ol, str, len + 1); if (e) { e->buf.len = (int)len; /* Don't count trailing '\0' as part of length */ @@ -1249,8 +1240,7 @@ buffer_list_peek(struct buffer_list *ol) } void -buffer_list_aggregate_separator(struct buffer_list *bl, const size_t max_len, - const char *sep) +buffer_list_aggregate_separator(struct buffer_list *bl, const size_t max_len, const char *sep) { const size_t sep_len = strlen(sep); struct buffer_entry *more = bl->head; 
@@ -1339,7 +1329,7 @@ buffer_list_file(const char *fn, int max_line_len) if (fp) { - char *line = (char *) malloc(max_line_len); + char *line = (char *)malloc(max_line_len); if (line) { bl = buffer_list_new(); diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h index 0d5c30dfb..ae783c614 100644 --- a/src/openvpn/buffer.h +++ b/src/openvpn/buffer.h @@ -58,13 +58,13 @@ */ struct buffer { - int capacity; /**< Size in bytes of memory allocated by - * \c malloc(). */ - int offset; /**< Offset in bytes of the actual content - * within the allocated memory. */ - int len; /**< Length in bytes of the actual content - * within the allocated memory. */ - uint8_t *data; /**< Pointer to the allocated memory. */ + int capacity; /**< Size in bytes of memory allocated by + * \c malloc(). */ + int offset; /**< Offset in bytes of the actual content + * within the allocated memory. */ + int len; /**< Length in bytes of the actual content + * within the allocated memory. */ + uint8_t *data; /**< Pointer to the allocated memory. */ #ifdef BUF_INIT_TRACKING const char *debug_file; @@ -85,8 +85,8 @@ struct buffer */ struct gc_entry { - struct gc_entry *next; /**< Pointer to the next item in the - * linked list. */ + struct gc_entry *next; /**< Pointer to the next item in the + * linked list. */ }; /** @@ -114,8 +114,8 @@ struct gc_entry_special */ struct gc_arena { - struct gc_entry *list; /**< First element of the linked list of - * \c gc_entry structures. */ + struct gc_entry *list; /**< First element of the linked list of + * \c gc_entry structures. */ struct gc_entry_special *list_special; }; @@ -140,7 +140,7 @@ int string_array_len(const char **array); size_t array_mult_safe(const size_t m1, const size_t m2, const size_t extra); -#define PA_BRACKET (1<<0) +#define PA_BRACKET (1 << 0) char *print_argv(const char **p, struct gc_arena *gc, const unsigned int flags); void buf_size_error(const size_t size); 
@@ -166,13 +166,15 @@ void *gc_malloc_debug(size_t size, bool clear, struct gc_arena *a, const char *f char *string_alloc_debug(const char *str, struct gc_arena *gc, const char *file, int line); -struct buffer string_alloc_buf_debug(const char *str, struct gc_arena *gc, const char *file, int line); +struct buffer string_alloc_buf_debug(const char *str, struct gc_arena *gc, const char *file, + int line); #else /* ifdef DMALLOC */ struct buffer alloc_buf(size_t size); -struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc); /* allocate buffer with garbage collection */ +struct buffer alloc_buf_gc(size_t size, + struct gc_arena *gc); /* allocate buffer with garbage collection */ struct buffer clone_buf(const struct buffer *buf); @@ -197,8 +199,7 @@ void gc_addspecial(void *addr, void (*free_function)(void *), struct gc_arena *a * @param a gc_arena to use * @return new pointer */ -void * -gc_realloc(void *ptr, size_t size, struct gc_arena *a); +void *gc_realloc(void *ptr, size_t size, struct gc_arena *a); #ifdef BUF_INIT_TRACKING #define buf_init(buf, offset) buf_init_debug(buf, offset, __FILE__, __LINE__) @@ -213,14 +214,14 @@ bool buf_init_debug(struct buffer *buf, int offset, const char *file, int line); static inline void gc_freeaddrinfo_callback(void *addr) { - freeaddrinfo((struct addrinfo *) addr); + freeaddrinfo((struct addrinfo *)addr); } /** Return an empty struct buffer */ static inline struct buffer clear_buf(void) { - return (struct buffer) { 0 }; + return (struct buffer){ 0 }; } static inline bool @@ -361,7 +362,7 @@ strncpynt(char *dest, const char *src, size_t maxlen) { if (maxlen > 0) { - strncpy(dest, src, maxlen-1); + strncpy(dest, src, maxlen - 1); dest[maxlen - 1] = 0; } } 
@@ -416,9 +417,9 @@ secure_memzero(void *data, size_t len) SecureZeroMemory(data, len); #elif defined(__GNUC__) || defined(__clang__) memset(data, 0, len); - __asm__ __volatile__ ("" : : "r" (data) : "memory"); + __asm__ __volatile__("" : : "r"(data) : "memory"); #else - volatile char *p = (volatile char *) data; + volatile char *p = (volatile char *)data; while (len--) { *p++ = 0; @@ -435,12 +436,12 @@ secure_memzero(void *data, size_t len) bool buf_printf(struct buffer *buf, const char *format, ...) #ifdef __GNUC__ #if __USE_MINGW_ANSI_STDIO -__attribute__ ((format(gnu_printf, 2, 3))) + __attribute__((format(gnu_printf, 2, 3))) #else -__attribute__ ((format(__printf__, 2, 3))) + __attribute__((format(__printf__, 2, 3))) #endif #endif -; + ; /* * puts append to a buffer with overflow check @@ -493,12 +494,10 @@ bool buf_parse(struct buffer *buf, const int delim, char *line, const int size); /* * Hex dump -- Output a binary buffer to a hex string and return it. */ -#define FHE_SPACE_BREAK_MASK 0xFF /* space_break parameter in lower 8 bits */ -#define FHE_CAPS 0x100 /* output hex in caps */ -char * -format_hex_ex(const uint8_t *data, int size, int maxoutput, - unsigned int space_break_flags, const char *separator, - struct gc_arena *gc); +#define FHE_SPACE_BREAK_MASK 0xFF /* space_break parameter in lower 8 bits */ +#define FHE_CAPS 0x100 /* output hex in caps */ +char *format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, + const char *separator, struct gc_arena *gc); static inline char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc) 
@@ -725,16 +724,10 @@ buf_copy_n(struct buffer *dest, struct buffer *src, int n) } static inline bool -buf_copy_range(struct buffer *dest, - int dest_index, - const struct buffer *src, - int src_index, +buf_copy_range(struct buffer *dest, int dest_index, const struct buffer *src, int src_index, int src_len) { - if (src_index < 0 - || src_len < 0 - || src_index + src_len > src->len - || dest_index < 0 + if (src_index < 0 || src_len < 0 || src_index + src_len > src->len || dest_index < 0 || dest->offset + dest_index + src_len > dest->capacity) { return false; @@ -749,9 +742,7 @@ buf_copy_range(struct buffer *dest, /* truncate src to len, copy excess data beyond len to dest */ static inline bool -buf_copy_excess(struct buffer *dest, - struct buffer *src, - int len) +buf_copy_excess(struct buffer *dest, struct buffer *src, int len) { if (len < 0) { 
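Review bot: The bounds check in buf_copy_range forms `src_index + src_len` and `dest->offset + dest_index + src_len` as `int` sums before comparing, so two individually valid but large values can overflow (signed overflow is undefined behaviour) and let a copy through that does not fit. Rewriting the two comparisons as subtractions avoids the overflow without changing which inputs are accepted: `|| src_len > src->len - src_index` and `|| src_len > dest->capacity - dest->offset - dest_index`, where the preceding `< 0` tests keep the right-hand sides well-defined. Whether callers can actually drive these values near INT_MAX is not visible from the hunk. The function's copy body continues past the hunk.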
@@ -879,44 +870,44 @@ const char *np(const char *str); /* character classes */ -#define CC_ANY (1<<0) /**< any character */ -#define CC_NULL (1<<1) /**< null character \0 */ - -#define CC_ALNUM (1<<2) /**< alphanumeric isalnum() */ -#define CC_ALPHA (1<<3) /**< alphabetic isalpha() */ -#define CC_ASCII (1<<4) /**< ASCII character */ -#define CC_CNTRL (1<<5) /**< control character iscntrl() */ -#define CC_DIGIT (1<<6) /**< digit isdigit() */ -#define CC_PRINT (1<<7) /**< printable (>= 32, != 127) */ -#define CC_PUNCT (1<<8) /**< punctuation ispunct() */ -#define CC_SPACE (1<<9) /**< whitespace isspace() */ -#define CC_XDIGIT (1<<10) /**< hex digit isxdigit() */ - -#define CC_BLANK (1<<11) /**< space or tab */ -#define CC_NEWLINE (1<<12) /**< newline */ -#define CC_CR (1<<13) /**< carriage return */ - -#define CC_BACKSLASH (1<<14) /**< backslash */ -#define CC_UNDERBAR (1<<15) /**< underscore */ -#define CC_DASH (1<<16) /**< dash */ -#define CC_DOT (1<<17) /**< dot */ -#define CC_COMMA (1<<18) /**< comma */ -#define CC_COLON (1<<19) /**< colon */ -#define CC_SLASH (1<<20) /**< slash */ -#define CC_SINGLE_QUOTE (1<<21) /**< single quote */ -#define CC_DOUBLE_QUOTE (1<<22) /**< double quote */ -#define CC_REVERSE_QUOTE (1<<23) /**< reverse quote */ -#define CC_AT (1<<24) /**< at sign */ -#define CC_EQUAL (1<<25) /**< equal sign */ -#define CC_LESS_THAN (1<<26) /**< less than sign */ -#define CC_GREATER_THAN (1<<27) /**< greater than sign */ -#define CC_PIPE (1<<28) /**< pipe */ -#define CC_QUESTION_MARK (1<<29) /**< question mark */ -#define CC_ASTERISK (1<<30) /**< asterisk */ +#define CC_ANY (1 << 0) /**< any character */ +#define CC_NULL (1 << 1) /**< null character \0 */ + +#define CC_ALNUM (1 << 2) /**< alphanumeric isalnum() */ +#define CC_ALPHA (1 << 3) /**< alphabetic isalpha() */ +#define CC_ASCII (1 << 4) /**< ASCII character */ +#define CC_CNTRL (1 << 5) /**< control character iscntrl() */ +#define CC_DIGIT (1 << 6) /**< digit isdigit() */ +#define CC_PRINT 
(1 << 7) /**< printable (>= 32, != 127) */ +#define CC_PUNCT (1 << 8) /**< punctuation ispunct() */ +#define CC_SPACE (1 << 9) /**< whitespace isspace() */ +#define CC_XDIGIT (1 << 10) /**< hex digit isxdigit() */ + +#define CC_BLANK (1 << 11) /**< space or tab */ +#define CC_NEWLINE (1 << 12) /**< newline */ +#define CC_CR (1 << 13) /**< carriage return */ + +#define CC_BACKSLASH (1 << 14) /**< backslash */ +#define CC_UNDERBAR (1 << 15) /**< underscore */ +#define CC_DASH (1 << 16) /**< dash */ +#define CC_DOT (1 << 17) /**< dot */ +#define CC_COMMA (1 << 18) /**< comma */ +#define CC_COLON (1 << 19) /**< colon */ +#define CC_SLASH (1 << 20) /**< slash */ +#define CC_SINGLE_QUOTE (1 << 21) /**< single quote */ +#define CC_DOUBLE_QUOTE (1 << 22) /**< double quote */ +#define CC_REVERSE_QUOTE (1 << 23) /**< reverse quote */ +#define CC_AT (1 << 24) /**< at sign */ +#define CC_EQUAL (1 << 25) /**< equal sign */ +#define CC_LESS_THAN (1 << 26) /**< less than sign */ +#define CC_GREATER_THAN (1 << 27) /**< greater than sign */ +#define CC_PIPE (1 << 28) /**< pipe */ +#define CC_QUESTION_MARK (1 << 29) /**< question mark */ +#define CC_ASTERISK (1 << 30) /**< asterisk */ /* macro classes */ -#define CC_NAME (CC_ALNUM|CC_UNDERBAR) /**< alphanumeric plus underscore */ -#define CC_CRLF (CC_CR|CC_NEWLINE) /**< carriage return or newline */ +#define CC_NAME (CC_ALNUM | CC_UNDERBAR) /**< alphanumeric plus underscore */ +#define CC_CRLF (CC_CR | CC_NEWLINE) /**< carriage return or newline */ bool char_class(const unsigned char c, const unsigned int flags); 
@@ -935,7 +926,8 @@ bool string_class(const char *str, const unsigned int inclusive, const unsigned * @param replace The character to replace the specified character classes with. * @return True if the string was not modified, false otherwise. */ -bool string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive, const char replace); +bool string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive, + const char replace); /** @@ -946,8 +938,8 @@ bool string_mod(char *str, const unsigned int inclusive, const unsigned int excl * @param exclusive Character classes that are not allowed even if they are also in inclusive. * @return True if the string consists only of allowed characters, false otherwise. */ -bool -string_check_buf(struct buffer *buf, const unsigned int inclusive, const unsigned int exclusive); +bool string_check_buf(struct buffer *buf, const unsigned int inclusive, + const unsigned int exclusive); /** * Returns a copy of a string with certain classes of characters of it replaced with a specified @@ -963,11 +955,8 @@ string_check_buf(struct buffer *buf, const unsigned int inclusive, const unsigne * * @return The modified string with characters replaced within the specified range. */ -const char *string_mod_const(const char *str, - const unsigned int inclusive, - const unsigned int exclusive, - const char replace, - struct gc_arena *gc); +const char *string_mod_const(const char *str, const unsigned int inclusive, + const unsigned int exclusive, const char replace, struct gc_arena *gc); void string_replace_leading(char *str, const char match, const char replace); 
@@ -1051,51 +1040,51 @@ gc_reset(struct gc_arena *a) * Allocate memory to hold a structure */ -#define ALLOC_OBJ(dptr, type) \ - { \ - check_malloc_return((dptr) = (type *) malloc(sizeof(type))); \ +#define ALLOC_OBJ(dptr, type) \ + { \ + check_malloc_return((dptr) = (type *)malloc(sizeof(type))); \ } -#define ALLOC_OBJ_CLEAR(dptr, type) \ - { \ - ALLOC_OBJ(dptr, type); \ +#define ALLOC_OBJ_CLEAR(dptr, type) \ + { \ + ALLOC_OBJ(dptr, type); \ memset((dptr), 0, sizeof(type)); \ } -#define ALLOC_ARRAY(dptr, type, n) \ - { \ - check_malloc_return((dptr) = (type *) malloc(array_mult_safe(sizeof(type), (n), 0))); \ +#define ALLOC_ARRAY(dptr, type, n) \ + { \ + check_malloc_return((dptr) = (type *)malloc(array_mult_safe(sizeof(type), (n), 0))); \ } -#define ALLOC_ARRAY_GC(dptr, type, n, gc) \ - { \ - (dptr) = (type *) gc_malloc(array_mult_safe(sizeof(type), (n), 0), false, (gc)); \ +#define ALLOC_ARRAY_GC(dptr, type, n, gc) \ + { \ + (dptr) = (type *)gc_malloc(array_mult_safe(sizeof(type), (n), 0), false, (gc)); \ } -#define ALLOC_ARRAY_CLEAR(dptr, type, n) \ - { \ - ALLOC_ARRAY(dptr, type, n); \ +#define ALLOC_ARRAY_CLEAR(dptr, type, n) \ + { \ + ALLOC_ARRAY(dptr, type, n); \ memset((dptr), 0, (array_mult_safe(sizeof(type), (n), 0))); \ } -#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc) \ - { \ - (dptr) = (type *) gc_malloc(array_mult_safe(sizeof(type), (n), 0), true, (gc)); \ +#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc) \ + { \ + (dptr) = (type *)gc_malloc(array_mult_safe(sizeof(type), (n), 0), true, (gc)); \ } -#define ALLOC_VAR_ARRAY_CLEAR_GC(dptr, type, atype, n, gc) \ - { \ - (dptr) = (type *) gc_malloc(array_mult_safe(sizeof(atype), (n), sizeof(type)), true, (gc)); \ +#define ALLOC_VAR_ARRAY_CLEAR_GC(dptr, type, atype, n, gc) \ + { \ + (dptr) = (type *)gc_malloc(array_mult_safe(sizeof(atype), (n), sizeof(type)), true, (gc)); \ } -#define ALLOC_OBJ_GC(dptr, type, gc) \ - { \ - (dptr) = (type *) gc_malloc(sizeof(type), false, (gc)); \ +#define ALLOC_OBJ_GC(dptr, 
type, gc) \ + { \ + (dptr) = (type *)gc_malloc(sizeof(type), false, (gc)); \ } -#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc) \ - { \ - (dptr) = (type *) gc_malloc(sizeof(type), true, (gc)); \ +#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc) \ + { \ + (dptr) = (type *)gc_malloc(sizeof(type), true, (gc)); \ } static inline void @@ -1120,8 +1109,8 @@ struct buffer_list { struct buffer_entry *head; /* next item to pop/peek */ struct buffer_entry *tail; /* last item pushed */ - int size; /* current number of entries */ - int max_size; /* maximum size list should grow to */ + int size; /* current number of entries */ + int max_size; /* maximum size list should grow to */ }; /** @@ -1209,8 +1198,7 @@ void buffer_list_aggregate(struct buffer_list *bl, const size_t max); * @param max_len the maximum length of the aggregated buffer * @param sep the separator to put between buffers during aggregation */ -void buffer_list_aggregate_separator(struct buffer_list *bl, - const size_t max_len, const char *sep); +void buffer_list_aggregate_separator(struct buffer_list *bl, const size_t max_len, const char *sep); struct buffer_list *buffer_list_file(const char *fn, int max_line_len); diff --git a/src/openvpn/circ_list.h b/src/openvpn/circ_list.h index cdbc8ef89..eebf08748 100644 --- a/src/openvpn/circ_list.h +++ b/src/openvpn/circ_list.h 
@@ -28,49 +28,46 @@ #include "error.h" #define CIRC_LIST(name, type) \ - struct name { \ - int x_head; \ - int x_size; \ - int x_cap; \ - int x_sizeof; \ - type x_list[]; \ + struct name \ + { \ + int x_head; \ + int x_size; \ + int x_cap; \ + int x_sizeof; \ + type x_list[]; \ } -#define CIRC_LIST_PUSH(obj, item) \ - { \ +#define CIRC_LIST_PUSH(obj, item) \ + { \ (obj)->x_head = modulo_add((obj)->x_head, -1, (obj)->x_cap); \ - (obj)->x_list[(obj)->x_head] = (item); \ - (obj)->x_size = min_int((obj)->x_size + 1, (obj)->x_cap); \ + (obj)->x_list[(obj)->x_head] = (item); \ + (obj)->x_size = min_int((obj)->x_size + 1, (obj)->x_cap); \ } -#define CIRC_LIST_SIZE(obj) \ - ((obj)->x_size) +#define CIRC_LIST_SIZE(obj) ((obj)->x_size) -#define CIRC_LIST_INDEX(obj, index) \ - modulo_add((obj)->x_head, \ - index_verify((index), (obj)->x_size, __FILE__, __LINE__), \ +#define CIRC_LIST_INDEX(obj, index) \ + modulo_add((obj)->x_head, index_verify((index), (obj)->x_size, __FILE__, __LINE__), \ (obj)->x_cap) -#define CIRC_LIST_ITEM(obj, index) \ - ((obj)->x_list[CIRC_LIST_INDEX((obj), (index))]) +#define CIRC_LIST_ITEM(obj, index) ((obj)->x_list[CIRC_LIST_INDEX((obj), (index))]) #define CIRC_LIST_RESET(obj) \ - { \ - (obj)->x_head = 0; \ - (obj)->x_size = 0; \ + { \ + (obj)->x_head = 0; \ + (obj)->x_size = 0; \ } -#define CIRC_LIST_ALLOC(dest, list_type, size) \ - { \ +#define CIRC_LIST_ALLOC(dest, list_type, size) \ + { \ const int so = sizeof(list_type) + sizeof((dest)->x_list[0]) * (size); \ - (dest) = (list_type *) malloc(so); \ - check_malloc_return(dest); \ - memset((dest), 0, so); \ - (dest)->x_cap = size; \ - (dest)->x_sizeof = so; \ + (dest) = (list_type *)malloc(so); \ + check_malloc_return(dest); \ + memset((dest), 0, so); \ + (dest)->x_cap = size; \ + (dest)->x_sizeof = so; \ } -#define CIRC_LIST_FREE(dest) \ - free(dest) +#define CIRC_LIST_FREE(dest) free(dest) #endif /* ifndef CIRC_LIST_H */ 
diff --git a/src/openvpn/clinat.c b/src/openvpn/clinat.c index f120a5497..a3032855f 100644 --- a/src/openvpn/clinat.c +++ b/src/openvpn/clinat.c @@ -32,8 +32,7 @@ #include "memdbg.h" static bool -add_entry(struct client_nat_option_list *dest, - const struct client_nat_entry *e) +add_entry(struct client_nat_option_list *dest, const struct client_nat_entry *e) { if (dest->n >= MAX_CLIENT_NAT) { @@ -59,9 +58,7 @@ print_client_nat_list(const struct client_nat_option_list *list, int msglevel) for (i = 0; i < list->n; ++i) { const struct client_nat_entry *e = &list->entries[i]; - msg(msglevel, " CNAT[%d] t=%d %s/%s/%s", - i, - e->type, + msg(msglevel, " CNAT[%d] t=%d %s/%s/%s", i, e->type, print_in_addr_t(e->network, IA_NET_ORDER, &gc), print_in_addr_t(e->netmask, IA_NET_ORDER, &gc), print_in_addr_t(e->foreign_network, IA_NET_ORDER, &gc)); @@ -102,11 +99,8 @@ copy_client_nat_option_list(struct client_nat_option_list *dest, } void -add_client_nat_to_option_list(struct client_nat_option_list *dest, - const char *type, - const char *network, - const char *netmask, - const char *foreign_network, +add_client_nat_to_option_list(struct client_nat_option_list *dest, const char *type, + const char *network, const char *netmask, const char *foreign_network, int msglevel) { struct client_nat_entry e; @@ -179,9 +173,7 @@ print_pkt(struct openvpn_iphdr *iph, const char *prefix, const int direction, co dirstr = "IN"; } - msg(msglevel, "** CNAT %s %s %s -> %s", - dirstr, - prefix, + msg(msglevel, "** CNAT %s %s %s -> %s", dirstr, prefix, print_in_addr_t(iph->saddr, IA_NET_ORDER, &gc), print_in_addr_t(iph->daddr, IA_NET_ORDER, &gc)); 
@@ -189,11 +181,10 @@ print_pkt(struct openvpn_iphdr *iph, const char *prefix, const int direction, co } void -client_nat_transform(const struct client_nat_option_list *list, - struct buffer *ipbuf, +client_nat_transform(const struct client_nat_option_list *list, struct buffer *ipbuf, const int direction) { - struct ip_tcp_udp_hdr *h = (struct ip_tcp_udp_hdr *) BPTR(ipbuf); + struct ip_tcp_udp_hdr *h = (struct ip_tcp_udp_hdr *)BPTR(ipbuf); int i; uint32_t addr, *addr_ptr; const uint32_t *from, *to; diff --git a/src/openvpn/clinat.h b/src/openvpn/clinat.h index d565a4936..abfa0b732 100644 --- a/src/openvpn/clinat.h +++ b/src/openvpn/clinat.h @@ -30,7 +30,8 @@ #define CN_OUTGOING 0 #define CN_INCOMING 1 -struct client_nat_entry { +struct client_nat_entry +{ #define CN_SNAT 0 #define CN_DNAT 1 int type; 
@@ -39,28 +40,27 @@ struct client_nat_entry { in_addr_t foreign_network; }; -struct client_nat_option_list { +struct client_nat_option_list +{ int n; struct client_nat_entry entries[MAX_CLIENT_NAT]; }; struct client_nat_option_list *new_client_nat_list(struct gc_arena *gc); -struct client_nat_option_list *clone_client_nat_option_list(const struct client_nat_option_list *src, struct gc_arena *gc); +struct client_nat_option_list *clone_client_nat_option_list( + const struct client_nat_option_list *src, struct gc_arena *gc); -void copy_client_nat_option_list(struct client_nat_option_list *dest, const struct client_nat_option_list *src); +void copy_client_nat_option_list(struct client_nat_option_list *dest, + const struct client_nat_option_list *src); void print_client_nat_list(const struct client_nat_option_list *list, int msglevel); -void add_client_nat_to_option_list(struct client_nat_option_list *dest, - const char *type, - const char *network, - const char *netmask, - const char *foreign_network, - int msglevel); +void add_client_nat_to_option_list(struct client_nat_option_list *dest, const char *type, + const char *network, const char *netmask, + const char *foreign_network, int msglevel); -void client_nat_transform(const struct client_nat_option_list *list, - struct buffer *ipbuf, +void client_nat_transform(const struct client_nat_option_list *list, struct buffer *ipbuf, const int direction); #endif /* if !defined(CLINAT_H) */ diff --git a/src/openvpn/common.h b/src/openvpn/common.h index d7f5d9596..c0947daae 100644 --- a/src/openvpn/common.h +++ b/src/openvpn/common.h @@ -27,7 +27,7 @@ * Statistics counters and associated printf format. */ typedef uint64_t counter_type; -#define counter_format "%" PRIu64 +#define counter_format "%" PRIu64 /* * Time intervals 
@@ -37,17 +37,17 @@ typedef int interval_t; /* * Used as an upper bound for timeouts. */ -#define BIG_TIMEOUT (60*60*24*7) /* one week (in seconds) */ +#define BIG_TIMEOUT (60 * 60 * 24 * 7) /* one week (in seconds) */ /* * Printf formats for special types */ #ifdef _WIN64 -#define ptr_format "0x%016" PRIx64 +#define ptr_format "0x%016" PRIx64 #else -#define ptr_format "0x%08lx" +#define ptr_format "0x%08lx" #endif -#define fragment_header_format "0x%08x" +#define fragment_header_format "0x%08x" /* these are used to cast the arguments * and MUST match the formats above */ @@ -94,6 +94,7 @@ typedef unsigned long ptr_type; /* * Script security warning */ -#define SCRIPT_SECURITY_WARNING "WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info." +#define SCRIPT_SECURITY_WARNING \ + "WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info." #endif /* ifndef COMMON_H */ diff --git a/src/openvpn/comp-lz4.c b/src/openvpn/comp-lz4.c index 425b1d984..673646924 100644 --- a/src/openvpn/comp-lz4.c +++ b/src/openvpn/comp-lz4.c @@ -56,8 +56,7 @@ lz4_compress_uninit(struct compress_context *compctx) /* Doesn't do any actual compression anymore */ static void -lz4_compress(struct buffer *buf, struct buffer work, - struct compress_context *compctx, +lz4_compress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { if (buf->len <= 0) @@ -78,8 +77,7 @@ lz4_compress(struct buffer *buf, struct buffer work, /* Doesn't do any actual compression anymore */ static void -lz4v2_compress(struct buffer *buf, struct buffer work, - struct compress_context *compctx, +lz4v2_compress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { if (buf->len <= 0) 
@@ -91,14 +89,13 @@ lz4v2_compress(struct buffer *buf, struct buffer work, } static void -do_lz4_decompress(size_t zlen_max, - struct buffer *work, - struct buffer *buf, +do_lz4_decompress(size_t zlen_max, struct buffer *work, struct buffer *buf, struct compress_context *compctx) { int uncomp_len; ASSERT(buf_safe(work, zlen_max)); - uncomp_len = LZ4_decompress_safe((const char *)BPTR(buf), (char *)BPTR(work), (size_t)BLEN(buf), zlen_max); + uncomp_len = LZ4_decompress_safe((const char *)BPTR(buf), (char *)BPTR(work), (size_t)BLEN(buf), + zlen_max); if (uncomp_len <= 0) { dmsg(D_COMP_ERRORS, "LZ4 decompression error: %d", uncomp_len); @@ -117,12 +114,11 @@ do_lz4_decompress(size_t zlen_max, } static void -lz4_decompress(struct buffer *buf, struct buffer work, - struct compress_context *compctx, +lz4_decompress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { size_t zlen_max = frame->buf.payload_size; - uint8_t c; /* flag indicating whether or not our peer compressed */ + uint8_t c; /* flag indicating whether or not our peer compressed */ if (buf->len <= 0) { @@ -155,12 +151,11 @@ lz4_decompress(struct buffer *buf, struct buffer work, } static void -lz4v2_decompress(struct buffer *buf, struct buffer work, - struct compress_context *compctx, +lz4v2_decompress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { size_t zlen_max = frame->buf.payload_size; - uint8_t c; /* flag indicating whether or not our peer compressed */ + uint8_t c; /* flag indicating whether or not our peer compressed */ if (buf->len <= 0) { 
@@ -203,19 +198,9 @@ lz4v2_decompress(struct buffer *buf, struct buffer work, } } -const struct compress_alg lz4_alg = { - "lz4", - lz4_compress_init, - lz4_compress_uninit, - lz4_compress, - lz4_decompress -}; - -const struct compress_alg lz4v2_alg = { - "lz4v2", - lz4v2_compress_init, - lz4_compress_uninit, - lz4v2_compress, - lz4v2_decompress -}; +const struct compress_alg lz4_alg = { "lz4", lz4_compress_init, lz4_compress_uninit, lz4_compress, + lz4_decompress }; + +const struct compress_alg lz4v2_alg = { "lz4v2", lz4v2_compress_init, lz4_compress_uninit, + lz4v2_compress, lz4v2_decompress }; #endif /* ENABLE_LZ4 */ diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index afea94862..1a2e775c4 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c @@ -171,10 +171,10 @@ check_compression_settings_valid(struct compress_options *info, int msglevel) { #ifdef USE_COMP msg(msglevel, "Compression or compression stub framing is not allowed " - "since data-channel offloading is enabled."); + "since data-channel offloading is enabled."); #else msg(msglevel, "Compression or compression stub framing is not allowed " - "since OpenVPN was built without compression support."); + "since OpenVPN was built without compression support."); #endif return false; } @@ -182,14 +182,14 @@ check_compression_settings_valid(struct compress_options *info, int msglevel) if ((info->flags & COMP_F_ALLOW_STUB_ONLY) && comp_non_stub_enabled(info)) { msg(msglevel, "Compression is not allowed since allow-compression is " - "set to 'stub-only'"); + "set to 'stub-only'"); return false; } #ifndef ENABLE_LZ4 if (info->alg == COMP_ALGV2_LZ4 || info->alg == COMP_ALG_LZ4) { msg(msglevel, "OpenVPN is compiled without LZ4 support. Requested " - "compression cannot be enabled."); + "compression cannot be enabled."); return false; } #endif 
@@ -197,7 +197,7 @@ check_compression_settings_valid(struct compress_options *info, int msglevel) if (info->alg == COMP_ALG_LZO) { msg(msglevel, "OpenVPN is compiled without LZO support. Requested " - "compression cannot be enabled."); + "compression cannot be enabled."); return false; } #endif diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h index a1c885b8c..265e15ddd 100644 --- a/src/openvpn/comp.h +++ b/src/openvpn/comp.h @@ -33,21 +33,22 @@ /* Compression flags */ /* Removed #define COMP_F_ADAPTIVE (1<<0) / * COMP_ALG_LZO only * / - #define COMP_F_ALLOW_COMPRESS (1<<1) / * not only incoming is compressed but also outgoing * / + #define COMP_F_ALLOW_COMPRESS (1<<1) / * not only incoming is compressed but also outgoing * + / */ /** initial command byte is swapped with last byte in buffer to preserve payload alignment */ -#define COMP_F_SWAP (1<<2) +#define COMP_F_SWAP (1 << 2) /** tell server that we only support compression stubs */ -#define COMP_F_ADVERTISE_STUBS_ONLY (1<<3) +#define COMP_F_ADVERTISE_STUBS_ONLY (1 << 3) /** Only accept stub compression, even with COMP_F_ADVERTISE_STUBS_ONLY * we still accept other compressions to be pushed */ -#define COMP_F_ALLOW_STUB_ONLY (1<<4) +#define COMP_F_ALLOW_STUB_ONLY (1 << 4) /** push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ */ -#define COMP_F_MIGRATE (1<<5) +#define COMP_F_MIGRATE (1 << 5) /** Compression was explicitly set to allow asymetric compression */ -#define COMP_F_ALLOW_ASYM (1<<6) +#define COMP_F_ALLOW_ASYM (1 << 6) /** Do not allow compression framing (breaks DCO) */ -#define COMP_F_ALLOW_NOCOMP_ONLY (1<<7) +#define COMP_F_ALLOW_NOCOMP_ONLY (1 << 7) /* algorithms */ #define COMP_ALG_UNDEF 0 @@ -60,7 +61,7 @@ /* algorithm v2 */ #define COMP_ALGV2_UNCOMPRESSED 10 -#define COMP_ALGV2_LZ4 11 +#define COMP_ALGV2_LZ4 11 /* #define COMP_ALGV2_LZO 12 #define COMP_ALGV2_SNAPPY 13 
@@ -79,8 +80,7 @@ struct compress_options static inline bool comp_non_stub_enabled(const struct compress_options *info) { - return info->alg != COMP_ALGV2_UNCOMPRESSED - && info->alg != COMP_ALG_STUB + return info->alg != COMP_ALGV2_UNCOMPRESSED && info->alg != COMP_ALG_STUB && info->alg != COMP_ALG_UNDEF; } @@ -89,8 +89,7 @@ comp_non_stub_enabled(const struct compress_options *info) * flags of allow-compression and also the whether algorithms are compiled * in */ -bool -check_compression_settings_valid(struct compress_options *info, int msglevel); +bool check_compression_settings_valid(struct compress_options *info, int msglevel); #ifdef USE_COMP #include "buffer.h" @@ -109,18 +108,18 @@ check_compression_settings_valid(struct compress_options *info, int msglevel); /* V1 on wire codes */ /* Initial command byte to tell our peer if we compressed */ -#define LZO_COMPRESS_BYTE 0x66 -#define LZ4_COMPRESS_BYTE 0x69 +#define LZO_COMPRESS_BYTE 0x66 +#define LZ4_COMPRESS_BYTE 0x69 #define NO_COMPRESS_BYTE 0xFA /** to maintain payload alignment, replace this byte with last byte of packet */ #define NO_COMPRESS_BYTE_SWAP 0xFB /* V2 on wire code */ -#define COMP_ALGV2_INDICATOR_BYTE 0x50 -#define COMP_ALGV2_UNCOMPRESSED_BYTE 0 -#define COMP_ALGV2_LZ4_BYTE 1 -#define COMP_ALGV2_LZO_BYTE 2 -#define COMP_ALGV2_SNAPPY_BYTE 3 +#define COMP_ALGV2_INDICATOR_BYTE 0x50 +#define COMP_ALGV2_UNCOMPRESSED_BYTE 0 +#define COMP_ALGV2_LZ4_BYTE 1 +#define COMP_ALGV2_LZO_BYTE 2 +#define COMP_ALGV2_SNAPPY_BYTE 3 /* * Compress worst case size expansion (for any algorithm) @@ -129,7 +128,7 @@ check_compression_settings_valid(struct compress_options *info, int msglevel); * Snappy: len + len/6 + 32 * LZ4: len + len/255 + 16 (LZ4_COMPRESSBOUND(len)) */ -#define COMP_EXTRA_BUFFER(len) ((len)/6 + 128 + 3 + COMP_PREFIX_LEN) +#define COMP_EXTRA_BUFFER(len) ((len) / 6 + 128 + 3 + COMP_PREFIX_LEN) /* * Don't try to compress any packet smaller than this. 
@@ -147,12 +146,10 @@ struct compress_alg const char *name; void (*compress_init)(struct compress_context *compctx); void (*compress_uninit)(struct compress_context *compctx); - void (*compress)(struct buffer *buf, struct buffer work, - struct compress_context *compctx, + void (*compress)(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame); - void (*decompress)(struct buffer *buf, struct buffer work, - struct compress_context *compctx, + void (*decompress)(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame); }; diff --git a/src/openvpn/compstub.c b/src/openvpn/compstub.c index 853e9ee94..bf709dff2 100644 --- a/src/openvpn/compstub.c +++ b/src/openvpn/compstub.c @@ -45,8 +45,7 @@ stub_compress_uninit(struct compress_context *compctx) } static void -stub_compress(struct buffer *buf, struct buffer work, - struct compress_context *compctx, +stub_compress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { if (buf->len <= 0) @@ -56,7 +55,7 @@ stub_compress(struct buffer *buf, struct buffer work, if (compctx->flags & COMP_F_SWAP) { uint8_t *head = BPTR(buf); - uint8_t *tail = BEND(buf); + uint8_t *tail = BEND(buf); ASSERT(buf_safe(buf, 1)); ++buf->len; @@ -72,8 +71,7 @@ stub_compress(struct buffer *buf, struct buffer work, } static void -stub_decompress(struct buffer *buf, struct buffer work, - struct compress_context *compctx, +stub_decompress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { uint8_t c; @@ -107,8 +105,7 @@ stub_decompress(struct buffer *buf, struct buffer work, static void -stubv2_compress(struct buffer *buf, struct buffer work, - struct compress_context *compctx, +stubv2_compress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { if (buf->len <= 0) 
@@ -120,8 +117,7 @@ stubv2_compress(struct buffer *buf, struct buffer work, } static void -stubv2_decompress(struct buffer *buf, struct buffer work, - struct compress_context *compctx, +stubv2_decompress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { if (buf->len <= 0) @@ -157,19 +153,9 @@ stubv2_decompress(struct buffer *buf, struct buffer work, } } -const struct compress_alg compv2_stub_alg = { - "stubv2", - stub_compress_init, - stub_compress_uninit, - stubv2_compress, - stubv2_decompress -}; - -const struct compress_alg comp_stub_alg = { - "stub", - stub_compress_init, - stub_compress_uninit, - stub_compress, - stub_decompress -}; +const struct compress_alg compv2_stub_alg = { "stubv2", stub_compress_init, stub_compress_uninit, + stubv2_compress, stubv2_decompress }; + +const struct compress_alg comp_stub_alg = { "stub", stub_compress_init, stub_compress_uninit, + stub_compress, stub_decompress }; #endif /* USE_STUB */ diff --git a/src/openvpn/console.c b/src/openvpn/console.c index 7cc4fff1c..bdceaf212 100644 --- a/src/openvpn/console.c +++ b/src/openvpn/console.c @@ -37,7 +37,7 @@ #endif -struct _query_user query_user[QUERY_USER_NUMSLOTS]; /* GLOBAL */ +struct _query_user query_user[QUERY_USER_NUMSLOTS]; /* GLOBAL */ void @@ -53,16 +53,14 @@ query_user_clear(void) void -query_user_add(char *prompt, size_t prompt_len, - char *resp, size_t resp_len, - bool echo) +query_user_add(char *prompt, size_t prompt_len, char *resp, size_t resp_len, bool echo) { int i; /* Ensure input is sane. All these must be present otherwise it is * a programming error. */ - ASSERT( prompt_len > 0 && prompt != NULL && resp_len > 0 && resp != NULL ); + ASSERT(prompt_len > 0 && prompt != NULL && resp_len > 0 && resp != NULL); /* Seek to the last unused slot */ for (i = 0; i < QUERY_USER_NUMSLOTS; i++) 
@@ -72,7 +70,7 @@ query_user_add(char *prompt, size_t prompt_len, break; } } - ASSERT( i < QUERY_USER_NUMSLOTS ); /* Unlikely, but we want to panic if it happens */ + ASSERT(i < QUERY_USER_NUMSLOTS); /* Unlikely, but we want to panic if it happens */ /* Save the information needed for the user interaction */ query_user[i].prompt = prompt; diff --git a/src/openvpn/console.h b/src/openvpn/console.h index 3e9977640..14b611699 100644 --- a/src/openvpn/console.h +++ b/src/openvpn/console.h @@ -30,16 +30,17 @@ /** * Configuration setup for declaring what kind of information to ask a user for */ -struct _query_user { - char *prompt; /**< Prompt to present to the user */ - size_t prompt_len; /**< Length of the prompt string */ - char *response; /**< The user's response */ - size_t response_len; /**< Length the of the user response */ - bool echo; /**< True: The user should see what is being typed, otherwise mask it */ +struct _query_user +{ + char *prompt; /**< Prompt to present to the user */ + size_t prompt_len; /**< Length of the prompt string */ + char *response; /**< The user's response */ + size_t response_len; /**< Length the of the user response */ + bool echo; /**< True: The user should see what is being typed, otherwise mask it */ }; #define QUERY_USER_NUMSLOTS 10 -extern struct _query_user query_user[]; /**< Global variable, declared in console.c */ +extern struct _query_user query_user[]; /**< Global variable, declared in console.c */ /** * Wipes all data put into all of the query_user structs @@ -58,9 +59,7 @@ void query_user_clear(void); * @param echo Should the user input be echoed to the user? If False, input will be masked * */ -void query_user_add(char *prompt, size_t prompt_len, - char *resp, size_t resp_len, - bool echo); +void query_user_add(char *prompt, size_t prompt_len, char *resp, size_t resp_len, bool echo); /** 
@@ -107,7 +106,7 @@ query_user_exec(void) { return query_user_exec_builtin(); } -#endif /* defined(ENABLE_SYSTEMD) */ +#endif /* defined(ENABLE_SYSTEMD) */ /** @@ -118,9 +117,7 @@ query_user_exec(void) * */ static inline bool -query_user_SINGLE(char *prompt, size_t prompt_len, - char *resp, size_t resp_len, - bool echo) +query_user_SINGLE(char *prompt, size_t prompt_len, char *resp, size_t resp_len, bool echo) { query_user_clear(); query_user_add(prompt, prompt_len, resp, resp_len, echo); diff --git a/src/openvpn/console_builtin.c b/src/openvpn/console_builtin.c index b6db7014a..b0228dd57 100644 --- a/src/openvpn/console_builtin.c +++ b/src/openvpn/console_builtin.c @@ -67,11 +67,10 @@ get_console_input_win32(const char *prompt, const bool echo, char *input, const HANDLE in = GetStdHandle(STD_INPUT_HANDLE); int orig_stderr = get_orig_stderr(); /* guaranteed to be always valid */ - if ((in == INVALID_HANDLE_VALUE) - || win32_service_interrupt(&win32_signal) + if ((in == INVALID_HANDLE_VALUE) || win32_service_interrupt(&win32_signal) || (_write(orig_stderr, prompt, strlen(prompt)) == -1)) { - msg(M_WARN|M_ERRNO, "get_console_input_win32(): unexpected error"); + msg(M_WARN | M_ERRNO, "get_console_input_win32(): unexpected error"); return false; } @@ -135,7 +134,7 @@ get_console_input_win32(const char *prompt, const bool echo, char *input, const return false; } -#endif /* _WIN32 */ +#endif /* _WIN32 */ #ifdef HAVE_TERMIOS_H @@ -177,7 +176,7 @@ close_tty(FILE *fp) } } -#endif /* HAVE_TERMIOS_H */ +#endif /* HAVE_TERMIOS_H */ /** 
@@ -209,15 +208,17 @@ get_console_input(const char *prompt, const bool echo, char *input, const int ca * (in which case neither stdin or stderr are connected to a tty and * /dev/tty can not be open()ed anymore) */ - if (!isatty(0) && !isatty(2) ) + if (!isatty(0) && !isatty(2)) { - int fd = open( "/dev/tty", O_RDWR ); + int fd = open("/dev/tty", O_RDWR); if (fd < 0) { - msg(M_FATAL, "neither stdin nor stderr are a tty device and you have neither a " + msg(M_FATAL, + "neither stdin nor stderr are a tty device and you have neither a " "controlling tty nor systemd - can't ask for '%s'. If you used --daemon, " "you need to use --askpass to make passphrase-protected keys work, and you " - "can not use --auth-nocache.", prompt ); + "can not use --auth-nocache.", + prompt); } close(fd); } @@ -285,8 +286,8 @@ query_user_exec_builtin(void) /* Loop through configured query_user slots */ for (i = 0; i < QUERY_USER_NUMSLOTS && query_user[i].response != NULL; i++) { - if (!get_console_input(query_user[i].prompt, query_user[i].echo, - query_user[i].response, query_user[i].response_len) ) + if (!get_console_input(query_user[i].prompt, query_user[i].echo, query_user[i].response, + query_user[i].response_len)) { /* Force the final result state to failed on failure */ ret = false; diff --git a/src/openvpn/console_systemd.c b/src/openvpn/console_systemd.c index 36103b2b5..d277bd4f4 100644 --- a/src/openvpn/console_systemd.c +++ b/src/openvpn/console_systemd.c @@ -50,9 +50,7 @@ check_systemd_running(void) * mounted, as well as the systemd-ask-password executable * being available */ - return (sd_booted() > 0) - && (stat(SYSTEMD_ASK_PASSWORD_PATH, &c) == 0); - + return (sd_booted() > 0) && (stat(SYSTEMD_ASK_PASSWORD_PATH, &c) == 0); } static bool 
@@ -79,7 +77,7 @@ get_console_input_systemd(const char *prompt, const bool echo, char *input, cons return false; } memset(input, 0, capacity); - if (read(std_out, input, capacity-1) != 0) + if (read(std_out, input, capacity - 1) != 0) { chomp(input); ret = true; @@ -99,7 +97,7 @@ get_console_input_systemd(const char *prompt, const bool echo, char *input, cons bool query_user_exec_systemd(void) { - bool ret = true; /* Presume everything goes okay */ + bool ret = true; /* Presume everything goes okay */ int i; /* If systemd is not available, use the default built-in mechanism */ @@ -112,7 +110,7 @@ query_user_exec_systemd(void) for (i = 0; i < QUERY_USER_NUMSLOTS && query_user[i].response != NULL; i++) { if (!get_console_input_systemd(query_user[i].prompt, query_user[i].echo, - query_user[i].response, query_user[i].response_len) ) + query_user[i].response, query_user[i].response_len)) { /* Force the final result state to failed on failure */ ret = false; diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 1c1be466a..af7583aef 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -63,8 +63,7 @@ */ static void -openvpn_encrypt_aead(struct buffer *buf, struct buffer work, - struct crypto_options *opt) +openvpn_encrypt_aead(struct buffer *buf, struct buffer work, struct crypto_options *opt) { struct gc_arena gc; int outlen = 0; @@ -88,7 +87,7 @@ openvpn_encrypt_aead(struct buffer *buf, struct buffer work, /* Prepare IV */ { struct buffer iv_buffer; - uint8_t iv[OPENVPN_MAX_IV_LENGTH] = {0}; + uint8_t iv[OPENVPN_MAX_IV_LENGTH] = { 0 }; const int iv_len = cipher_ctx_iv_length(ctx->cipher); ASSERT(iv_len >= OPENVPN_AEAD_MIN_IV_LEN && iv_len <= OPENVPN_MAX_IV_LENGTH); 
@@ -133,17 +132,14 @@ openvpn_encrypt_aead(struct buffer *buf, struct buffer work, /* Buffer overflow check */ if (!buf_safe(&work, buf->len + mac_len + cipher_ctx_block_size(ctx->cipher))) { - msg(D_CRYPT_ERRORS, - "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d", - buf->capacity, buf->offset, buf->len, work.capacity, work.offset, - work.len); + msg(D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d", + buf->capacity, buf->offset, buf->len, work.capacity, work.offset, work.len); goto err; } /* For AEAD ciphers, authenticate Additional Data, including opcode */ ASSERT(cipher_ctx_update_ad(ctx->cipher, BPTR(&work), BLEN(&work))); - dmsg(D_PACKET_CONTENT, "ENCRYPT AD: %s", - format_hex(BPTR(&work), BLEN(&work), 0, &gc)); + dmsg(D_PACKET_CONTENT, "ENCRYPT AD: %s", format_hex(BPTR(&work), BLEN(&work), 0, &gc)); if (!use_epoch_data_format) { @@ -159,7 +155,7 @@ openvpn_encrypt_aead(struct buffer *buf, struct buffer work, /* update number of plaintext blocks encrypted. Use the (x + (n-1))/n trick * to round up the result to the number of blocks used */ const int blocksize = AEAD_LIMIT_BLOCKSIZE; - opt->key_ctx_bi.encrypt.plaintext_blocks += (outlen + (blocksize - 1))/blocksize; + opt->key_ctx_bi.encrypt.plaintext_blocks += (outlen + (blocksize - 1)) / blocksize; /* Flush the encryption buffer */ ASSERT(cipher_ctx_final(ctx->cipher, BEND(&work), &outlen)); @@ -191,8 +187,7 @@ err: } static void -openvpn_encrypt_v1(struct buffer *buf, struct buffer work, - struct crypto_options *opt) +openvpn_encrypt_v1(struct buffer *buf, struct buffer work, struct crypto_options *opt) { struct gc_arena gc; gc_init(&gc); @@ -206,7 +201,7 @@ openvpn_encrypt_v1(struct buffer *buf, struct buffer work, /* Do Encrypt from buf -> work */ if (ctx->cipher) { - uint8_t iv_buf[OPENVPN_MAX_IV_LENGTH] = {0}; + uint8_t iv_buf[OPENVPN_MAX_IV_LENGTH] = { 0 }; const int iv_size = cipher_ctx_iv_length(ctx->cipher); int outlen; 
@@ -226,8 +221,7 @@ openvpn_encrypt_v1(struct buffer *buf, struct buffer work, /* Put packet ID in plaintext buffer */ if (packet_id_initialized(&opt->packet_id) && !packet_id_write(&opt->packet_id.send, buf, - opt->flags & CO_PACKET_ID_LONG_FORM, - true)) + opt->flags & CO_PACKET_ID_LONG_FORM, true)) { msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over"); goto err; @@ -252,8 +246,7 @@ openvpn_encrypt_v1(struct buffer *buf, struct buffer work, ASSERT(buf_write(&work, iv_buf, iv_size)); dmsg(D_PACKET_CONTENT, "ENCRYPT IV: %s", format_hex(iv_buf, iv_size, 0, &gc)); - dmsg(D_PACKET_CONTENT, "ENCRYPT FROM: %s", - format_hex(BPTR(buf), BLEN(buf), 80, &gc)); + dmsg(D_PACKET_CONTENT, "ENCRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 80, &gc)); /* cipher_ctx was already initialized with key & keylen */ ASSERT(cipher_ctx_reset(ctx->cipher, iv_buf)); @@ -261,13 +254,9 @@ openvpn_encrypt_v1(struct buffer *buf, struct buffer work, /* Buffer overflow check */ if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher))) { - msg(D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d cbs=%d", - buf->capacity, - buf->offset, - buf->len, - work.capacity, - work.offset, - work.len, + msg(D_CRYPT_ERRORS, + "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d cbs=%d", + buf->capacity, buf->offset, buf->len, work.capacity, work.offset, work.len, cipher_ctx_block_size(ctx->cipher)); goto err; } 
@@ -281,14 +270,13 @@ openvpn_encrypt_v1(struct buffer *buf, struct buffer work, ASSERT(buf_inc_len(&work, outlen)); /* For all CBC mode ciphers, check the last block is complete */ - ASSERT(cipher_ctx_mode(ctx->cipher) != OPENVPN_MODE_CBC - || outlen == iv_size); + ASSERT(cipher_ctx_mode(ctx->cipher) != OPENVPN_MODE_CBC || outlen == iv_size); } - else /* No Encryption */ + else /* No Encryption */ { if (packet_id_initialized(&opt->packet_id) - && !packet_id_write(&opt->packet_id.send, buf, - opt->flags & CO_PACKET_ID_LONG_FORM, true)) + && !packet_id_write(&opt->packet_id.send, buf, opt->flags & CO_PACKET_ID_LONG_FORM, + true)) { msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over"); goto err; @@ -317,8 +305,7 @@ openvpn_encrypt_v1(struct buffer *buf, struct buffer work, *buf = work; - dmsg(D_PACKET_CONTENT, "ENCRYPT TO: %s", - format_hex(BPTR(&work), BLEN(&work), 80, &gc)); + dmsg(D_PACKET_CONTENT, "ENCRYPT TO: %s", format_hex(BPTR(&work), BLEN(&work), 80, &gc)); } gc_free(&gc); @@ -332,8 +319,7 @@ err: } void -openvpn_encrypt(struct buffer *buf, struct buffer work, - struct crypto_options *opt) +openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt) { if (buf->len > 0 && opt) { @@ -380,10 +366,8 @@ cipher_get_aead_limits(const char *ciphername) } bool -crypto_check_replay(struct crypto_options *opt, - const struct packet_id_net *pin, uint16_t epoch, - const char *error_prefix, - struct gc_arena *gc) +crypto_check_replay(struct crypto_options *opt, const struct packet_id_net *pin, uint16_t epoch, + const char *error_prefix, struct gc_arena *gc) { bool ret = false; struct packet_id_rec *recv; 
@@ -400,8 +384,10 @@ crypto_check_replay(struct crypto_options *opt, { /* We have an epoch that is neither current or old recv key but * is authenticated, ie we need to move to a new current recv key */ - msg(D_GENKEY, "Received data packet with new epoch %d. Updating " - "receive key", epoch); + msg(D_GENKEY, + "Received data packet with new epoch %d. Updating " + "receive key", + epoch); epoch_replace_update_recv_key(opt, epoch); recv = &opt->packet_id.rec; } @@ -420,7 +406,8 @@ crypto_check_replay(struct crypto_options *opt, { if (!(opt->flags & CO_MUTE_REPLAY_WARNINGS)) { - msg(D_REPLAY_ERRORS, "%s: bad packet ID (may be a replay): %s -- " + msg(D_REPLAY_ERRORS, + "%s: bad packet ID (may be a replay): %s -- " "see the man page entry for --replay-window for " "more info or silence this warning with --mute-replay-warnings", error_prefix, packet_id_net_print(pin, true, gc)); @@ -438,9 +425,8 @@ crypto_check_replay(struct crypto_options *opt, * On success, buf is set to point to plaintext, true is returned. */ static bool -openvpn_decrypt_aead(struct buffer *buf, struct buffer work, - struct crypto_options *opt, const struct frame *frame, - const uint8_t *ad_start) +openvpn_decrypt_aead(struct buffer *buf, struct buffer work, struct crypto_options *opt, + const struct frame *frame, const uint8_t *ad_start) { static const char error_prefix[] = "AEAD Decrypt error"; struct packet_id_net pin = { 0 }; @@ -462,8 +448,7 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work, ASSERT(buf->len > 0); ASSERT(ctx->cipher); - dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s", - format_hex(BPTR(buf), BLEN(buf), 80, &gc)); + dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 80, &gc)); ASSERT(ad_start >= buf->data && ad_start <= BPTR(buf)); 
@@ -571,28 +556,24 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work, /* feed in tag and the authenticated data */ ASSERT(cipher_ctx_update_ad(ctx->cipher, ad_start, ad_size)); - dmsg(D_PACKET_CONTENT, "DECRYPT AD: %s", - format_hex(ad_start, ad_size, 0, &gc)); + dmsg(D_PACKET_CONTENT, "DECRYPT AD: %s", format_hex(ad_start, ad_size, 0, &gc)); /* Decrypt and authenticate packet */ int outlen; - if (!cipher_ctx_update(ctx->cipher, BPTR(&work), &outlen, BPTR(buf), - data_len)) + if (!cipher_ctx_update(ctx->cipher, BPTR(&work), &outlen, BPTR(buf), data_len)) { CRYPT_ERROR("packet decryption failed"); } ASSERT(buf_inc_len(&work, outlen)); - if (!cipher_ctx_final_check_tag(ctx->cipher, BPTR(&work) + outlen, - &outlen, tag_ptr, tag_size)) + if (!cipher_ctx_final_check_tag(ctx->cipher, BPTR(&work) + outlen, &outlen, tag_ptr, tag_size)) { ctx->failed_verifications++; CRYPT_DROP("packet tag authentication failed"); } ASSERT(buf_inc_len(&work, outlen)); - dmsg(D_PACKET_CONTENT, "DECRYPT TO: %s", - format_hex(BPTR(&work), BLEN(&work), 80, &gc)); + dmsg(D_PACKET_CONTENT, "DECRYPT TO: %s", format_hex(BPTR(&work), BLEN(&work), 80, &gc)); if (!crypto_check_replay(opt, &pin, epoch, error_prefix, &gc)) { @@ -603,7 +584,7 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work, /* update number of plaintext blocks decrypted. Use the (x + (n-1))/n trick * to round up the result to the number of blocks used. */ const int blocksize = AEAD_LIMIT_BLOCKSIZE; - opt->key_ctx_bi.decrypt.plaintext_blocks += (outlen + (blocksize - 1))/blocksize; + opt->key_ctx_bi.decrypt.plaintext_blocks += (outlen + (blocksize - 1)) / blocksize; *buf = work; 
@@ -626,8 +607,8 @@ error_exit: * On success, buf is set to point to plaintext, true is returned. */ static bool -openvpn_decrypt_v1(struct buffer *buf, struct buffer work, - struct crypto_options *opt, const struct frame *frame) +openvpn_decrypt_v1(struct buffer *buf, struct buffer work, struct crypto_options *opt, + const struct frame *frame) { static const char error_prefix[] = "Authenticate/Decrypt packet error"; struct gc_arena gc; @@ -639,8 +620,7 @@ openvpn_decrypt_v1(struct buffer *buf, struct buffer work, struct packet_id_net pin; bool have_pin = false; - dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s", - format_hex(BPTR(buf), BLEN(buf), 80, &gc)); + dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 80, &gc)); /* Verify the HMAC */ if (ctx->hmac) @@ -722,8 +702,7 @@ openvpn_decrypt_v1(struct buffer *buf, struct buffer work, } ASSERT(buf_inc_len(&work, outlen)); - dmsg(D_PACKET_CONTENT, "DECRYPT TO: %s", - format_hex(BPTR(&work), BLEN(&work), 80, &gc)); + dmsg(D_PACKET_CONTENT, "DECRYPT TO: %s", format_hex(BPTR(&work), BLEN(&work), 80, &gc)); /* Get packet ID from plaintext buffer or IV, depending on cipher mode */ { @@ -731,7 +710,8 @@ openvpn_decrypt_v1(struct buffer *buf, struct buffer work, { if (packet_id_initialized(&opt->packet_id)) { - if (!packet_id_read(&pin, &work, BOOL_CAST(opt->flags & CO_PACKET_ID_LONG_FORM))) + if (!packet_id_read(&pin, &work, + BOOL_CAST(opt->flags & CO_PACKET_ID_LONG_FORM))) { CRYPT_ERROR("error reading CBC packet-id"); } @@ -790,9 +770,8 @@ error_exit: bool -openvpn_decrypt(struct buffer *buf, struct buffer work, - struct crypto_options *opt, const struct frame *frame, - const uint8_t *ad_start) +openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, + const struct frame *frame, const uint8_t *ad_start) { bool ret = false; 
@@ -815,9 +794,7 @@ openvpn_decrypt(struct buffer *buf, struct buffer work, } unsigned int -calculate_crypto_overhead(const struct key_type *kt, - unsigned int pkt_id_size, - bool occ) +calculate_crypto_overhead(const struct key_type *kt, unsigned int pkt_id_size, bool occ) { unsigned int crypto_overhead = 0;
@@ -866,9 +843,8 @@ calculate_crypto_overhead(const struct key_type *kt, unsigned int crypto_max_overhead(void) { - return packet_id_size(true) + OPENVPN_MAX_IV_LENGTH - +OPENVPN_MAX_CIPHER_BLOCK_SIZE - +max_int(OPENVPN_MAX_HMAC_SIZE, OPENVPN_AEAD_TAG_LENGTH); + return packet_id_size(true) + OPENVPN_MAX_IV_LENGTH + OPENVPN_MAX_CIPHER_BLOCK_SIZE + + max_int(OPENVPN_MAX_HMAC_SIZE, OPENVPN_AEAD_TAG_LENGTH); } static void
@@ -876,12 +852,13 @@ warn_insecure_key_type(const char *ciphername) { if (cipher_kt_insecure(ciphername)) { - msg(M_WARN, "WARNING: INSECURE cipher (%s) with block size less than 128" + msg(M_WARN, + "WARNING: INSECURE cipher (%s) with block size less than 128" " bit (%d bit). This allows attacks like SWEET32. Mitigate by " "using a --cipher with a larger block size (e.g. AES-256-CBC). " "Support for these insecure ciphers will be removed in " "OpenVPN 2.7.", - ciphername, cipher_kt_block_size(ciphername)*8); + ciphername, cipher_kt_block_size(ciphername) * 8); } }
@@ -889,8 +866,8 @@ warn_insecure_key_type(const char *ciphername) * Build a struct key_type. */ void -init_key_type(struct key_type *kt, const char *ciphername, - const char *authname, bool tls_mode, bool warn) +init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, + bool warn) { bool aead_cipher = false; 
@@ -908,12 +885,11 @@ init_key_type(struct key_type *kt, const char *ciphername, /* check legal cipher mode */ aead_cipher = cipher_kt_mode_aead(kt->cipher); - if (!(cipher_kt_mode_cbc(kt->cipher) - || (tls_mode && aead_cipher) + if (!(cipher_kt_mode_cbc(kt->cipher) || (tls_mode && aead_cipher) #ifdef ENABLE_OFB_CFB_MODE || (tls_mode && cipher_kt_mode_ofb_cfb(kt->cipher)) #endif - )) + )) { msg(M_FATAL, "Cipher '%s' mode not supported", ciphername); }
@@ -932,9 +908,9 @@ init_key_type(struct key_type *kt, const char *ciphername, if (warn) { msg(M_WARN, "******* WARNING *******: '--cipher none' was specified. " - "This means NO encryption will be performed and tunnelled " - "data WILL be transmitted in clear text over the network! " - "PLEASE DO RECONSIDER THIS SETTING!"); + "This means NO encryption will be performed and tunnelled " + "data WILL be transmitted in clear text over the network! " + "PLEASE DO RECONSIDER THIS SETTING!"); } } kt->digest = authname;
@@ -959,10 +935,10 @@ init_key_type(struct key_type *kt, const char *ciphername, if (warn) { msg(M_WARN, "******* WARNING *******: '--auth none' was specified. " - "This means no authentication will be performed on received " - "packets, meaning you CANNOT trust that the data received by " - "the remote side have NOT been manipulated. " - "PLEASE DO RECONSIDER THIS SETTING!"); + "This means no authentication will be performed on received " + "packets, meaning you CANNOT trust that the data received by " + "the remote side have NOT been manipulated. " + "PLEASE DO RECONSIDER THIS SETTING!"); } } } 
@@ -1011,9 +987,8 @@ key_ctx_update_implicit_iv(struct key_ctx *ctx, const struct key_parameters *key /* given a key and key_type, build a key_ctx */ void -init_key_ctx(struct key_ctx *ctx, const struct key_parameters *key, - const struct key_type *kt, int enc, - const char *prefix) +init_key_ctx(struct key_ctx *ctx, const struct key_parameters *key, const struct key_type *kt, + int enc, const char *prefix) { struct gc_arena gc = gc_new(); CLEAR(*ctx);
@@ -1024,14 +999,13 @@ init_key_ctx(struct key_ctx *ctx, const struct key_parameters *key, cipher_ctx_init(ctx->cipher, key->cipher, kt->cipher, enc); const char *ciphername = cipher_kt_name(kt->cipher); - msg(D_CIPHER_INIT, "%s: Cipher '%s' initialized with %d bit key", - prefix, ciphername, cipher_kt_key_size(kt->cipher) * 8); + msg(D_CIPHER_INIT, "%s: Cipher '%s' initialized with %d bit key", prefix, ciphername, + cipher_kt_key_size(kt->cipher) * 8); dmsg(D_SHOW_KEYS, "%s: CIPHER KEY: %s", prefix, format_hex(key->cipher, cipher_kt_key_size(kt->cipher), 0, &gc)); - dmsg(D_CRYPTO_DEBUG, "%s: CIPHER block_size=%d iv_size=%d", - prefix, cipher_kt_block_size(kt->cipher), - cipher_kt_iv_size(kt->cipher)); + dmsg(D_CRYPTO_DEBUG, "%s: CIPHER block_size=%d iv_size=%d", prefix, + cipher_kt_block_size(kt->cipher), cipher_kt_iv_size(kt->cipher)); warn_insecure_key_type(ciphername); } 
@@ -1041,18 +1015,14 @@ init_key_ctx(struct key_ctx *ctx, const struct key_parameters *key, ctx->hmac = hmac_ctx_new(); hmac_ctx_init(ctx->hmac, key->hmac, kt->digest); - msg(D_CIPHER_INIT, - "%s: Using %d bit message hash '%s' for HMAC authentication", - prefix, md_kt_size(kt->digest) * 8, md_kt_name(kt->digest)); + msg(D_CIPHER_INIT, "%s: Using %d bit message hash '%s' for HMAC authentication", prefix, + md_kt_size(kt->digest) * 8, md_kt_name(kt->digest)); dmsg(D_SHOW_KEYS, "%s: HMAC KEY: %s", prefix, format_hex(key->hmac, md_kt_size(kt->digest), 0, &gc)); - dmsg(D_CRYPTO_DEBUG, "%s: HMAC size=%d block_size=%d", - prefix, - md_kt_size(kt->digest), + dmsg(D_CRYPTO_DEBUG, "%s: HMAC size=%d block_size=%d", prefix, md_kt_size(kt->digest), hmac_ctx_size(ctx->hmac)); - } ctx->epoch = key->epoch; gc_free(&gc);
@@ -1083,8 +1053,8 @@ init_key_bi_ctx_recv(struct key_ctx *ctx, const struct key_parameters *key_param } void -init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, - int key_direction, const struct key_type *kt, const char *name) +init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, + const struct key_type *kt, const char *name) { struct key_direction_state kds; 
@@ -1174,39 +1144,34 @@ generate_key_random(struct key *key) struct gc_arena gc = gc_new(); CLEAR(*key); - if (!rand_bytes(key->cipher, cipher_len) - || !rand_bytes(key->hmac, hmac_len)) + if (!rand_bytes(key->cipher, cipher_len) || !rand_bytes(key->hmac, hmac_len)) { msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation"); } - dmsg(D_SHOW_KEY_SOURCE, "Cipher source entropy: %s", format_hex(key->cipher, cipher_len, 0, &gc)); + dmsg(D_SHOW_KEY_SOURCE, "Cipher source entropy: %s", + format_hex(key->cipher, cipher_len, 0, &gc)); dmsg(D_SHOW_KEY_SOURCE, "HMAC source entropy: %s", format_hex(key->hmac, hmac_len, 0, &gc)); gc_free(&gc); } static void -key_print(const struct key *key, - const struct key_type *kt, - const char *prefix) +key_print(const struct key *key, const struct key_type *kt, const char *prefix) { struct gc_arena gc = gc_new(); - dmsg(D_SHOW_KEY_SOURCE, "%s (cipher, %s, %d bits): %s", - prefix, cipher_kt_name(kt->cipher), cipher_kt_key_size(kt->cipher) * 8, + dmsg(D_SHOW_KEY_SOURCE, "%s (cipher, %s, %d bits): %s", prefix, cipher_kt_name(kt->cipher), + cipher_kt_key_size(kt->cipher) * 8, format_hex(key->cipher, cipher_kt_key_size(kt->cipher), 0, &gc)); - dmsg(D_SHOW_KEY_SOURCE, "%s (hmac, %s, %d bits): %s", - prefix, md_kt_name(kt->digest), md_kt_size(kt->digest) * 8, - format_hex(key->hmac, md_kt_size(kt->digest), 0, &gc)); + dmsg(D_SHOW_KEY_SOURCE, "%s (hmac, %s, %d bits): %s", prefix, md_kt_name(kt->digest), + md_kt_size(kt->digest) * 8, format_hex(key->hmac, md_kt_size(kt->digest), 0, &gc)); gc_free(&gc); } /** * Prints the keys in a key2 structure. */ void -key2_print(const struct key2 *k, - const struct key_type *kt, - const char *prefix0, +key2_print(const struct key2 *k, const struct key_type *kt, const char *prefix0, const char *prefix1) { ASSERT(k->n == 2); 
@@ -1248,11 +1213,10 @@ test_crypto(struct crypto_options *co, struct frame *frame) ASSERT(cipher_ctx_iv_length(cipher) >= OPENVPN_AEAD_MIN_IV_LEN); /* Generate dummy implicit IV */ - ASSERT(rand_bytes(co->key_ctx_bi.encrypt.implicit_iv, - OPENVPN_MAX_IV_LENGTH)); + ASSERT(rand_bytes(co->key_ctx_bi.encrypt.implicit_iv, OPENVPN_MAX_IV_LENGTH)); - memcpy(co->key_ctx_bi.decrypt.implicit_iv, - co->key_ctx_bi.encrypt.implicit_iv, OPENVPN_MAX_IV_LENGTH); + memcpy(co->key_ctx_bi.decrypt.implicit_iv, co->key_ctx_bi.encrypt.implicit_iv, + OPENVPN_MAX_IV_LENGTH); } }
@@ -1317,11 +1281,9 @@ print_key_filename(const char *str, bool is_inline) } void -crypto_read_openvpn_key(const struct key_type *key_type, - struct key_ctx_bi *ctx, const char *key_file, - bool key_inline, const int key_direction, - const char *key_name, const char *opt_name, - struct key2 *keydata) +crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, + const char *key_file, bool key_inline, const int key_direction, + const char *key_name, const char *opt_name, struct key2 *keydata) { struct key2 key2; struct key_direction_state kds;
@@ -1335,7 +1297,8 @@ crypto_read_openvpn_key(const struct key_type *key_type, if (key2.n != 2) { - msg(M_ERR, "File '%s' does not have OpenVPN Static Key format. Using " + msg(M_ERR, + "File '%s' does not have OpenVPN Static Key format. Using " "free-form passphrase file is not supported anymore.", print_key_filename(key_file, key_inline)); }
@@ -1374,7 +1337,7 @@ read_key_file(struct key2 *key2, const char *file, const unsigned int flags) struct gc_arena gc = gc_new(); struct buffer in; int size; - uint8_t hex_byte[3] = {0, 0, 0}; + uint8_t hex_byte[3] = { 0, 0, 0 }; /* parse info */ const unsigned char *cp; 
@@ -1384,17 +1347,17 @@ read_key_file(struct key2 *key2, const char *file, const unsigned int flags) int match = 0; /* output */ - uint8_t *out = (uint8_t *) &key2->keys; + uint8_t *out = (uint8_t *)&key2->keys; const int keylen = sizeof(key2->keys); int count = 0; /* parse states */ -#define PARSE_INITIAL 0 -#define PARSE_HEAD 1 -#define PARSE_DATA 2 -#define PARSE_DATA_COMPLETE 3 -#define PARSE_FOOT 4 -#define PARSE_FINISHED 5 +#define PARSE_INITIAL 0 +#define PARSE_HEAD 1 +#define PARSE_DATA 2 +#define PARSE_DATA_COMPLETE 3 +#define PARSE_FOOT 4 +#define PARSE_FINISHED 5 int state = PARSE_INITIAL; /* constants */
@@ -1506,11 +1469,9 @@ read_key_file(struct key2 *key2, const char *file, const unsigned int flags) } else { - msg(M_FATAL, - (isprint(c) ? printable_char_fmt : unprintable_char_fmt), - c, line_num, - print_key_filename(file, flags & RKF_INLINE), count, - onekeylen, keylen); + msg(M_FATAL, (isprint(c) ? printable_char_fmt : unprintable_char_fmt), c, + line_num, print_key_filename(file, flags & RKF_INLINE), count, onekeylen, + keylen); } } ++line_index; 
@@ -1524,22 +1485,21 @@ read_key_file(struct key2 *key2, const char *file, const unsigned int flags) */ key2->n = count / onekeylen; - ASSERT(key2->n >= 0 && key2->n <= (int) SIZE(key2->keys)); + ASSERT(key2->n >= 0 && key2->n <= (int)SIZE(key2->keys)); if (flags & RKF_MUST_SUCCEED) { if (!key2->n) { - msg(M_FATAL, "Insufficient key material or header text not found in file '%s' (%d/%d/%d bytes found/min/max)", - print_key_filename(file, flags & RKF_INLINE), count, onekeylen, - keylen); + msg(M_FATAL, + "Insufficient key material or header text not found in file '%s' (%d/%d/%d bytes found/min/max)", + print_key_filename(file, flags & RKF_INLINE), count, onekeylen, keylen); } if (state != PARSE_FINISHED) { msg(M_FATAL, "Footer text not found in file '%s' (%d/%d/%d bytes found/min/max)", - print_key_filename(file, flags & RKF_INLINE), count, onekeylen, - keylen); + print_key_filename(file, flags & RKF_INLINE), count, onekeylen, keylen); } }
@@ -1598,12 +1558,7 @@ write_key_file(const int nkeys, const char *filename) generate_key_random(&key); /* format key as ascii */ - fmt = format_hex_ex((const uint8_t *)&key, - sizeof(key), - 0, - bytes_per_line, - "\n", - &gc); + fmt = format_hex_ex((const uint8_t *)&key, sizeof(key), 0, bytes_per_line, "\n", &gc); /* write to holding buffer */ buf_printf(&out, "%s\n", fmt);
@@ -1616,7 +1571,7 @@ write_key_file(const int nkeys, const char *filename) buf_printf(&out, "%s\n", static_key_foot); /* write key file to stdout if no filename given */ - if (!filename || strcmp(filename, "")==0) + if (!filename || strcmp(filename, "") == 0) { printf("%.*s\n", BLEN(&out), BPTR(&out)); } 
@@ -1641,9 +1596,14 @@ must_have_n_keys(const char *filename, const char *option, const struct key2 *ke if (key2->n < n) { #ifdef ENABLE_SMALL - msg(M_FATAL, "Key file '%s' used in --%s contains insufficient key material [keys found=%d required=%d]", filename, option, key2->n, n); + msg(M_FATAL, + "Key file '%s' used in --%s contains insufficient key material [keys found=%d required=%d]", + filename, option, key2->n, n); #else - msg(M_FATAL, "Key file '%s' used in --%s contains insufficient key material [keys found=%d required=%d] -- try generating a new key file with '" PACKAGE " --genkey secret [file]', or use the existing key file in bidirectional mode by specifying --%s without a key direction parameter", filename, option, key2->n, n, option); + msg(M_FATAL, + "Key file '%s' used in --%s contains insufficient key material [keys found=%d required=%d] -- try generating a new key file with '" PACKAGE + " --genkey secret [file]', or use the existing key file in bidirectional mode by specifying --%s without a key direction parameter", + filename, option, key2->n, n, option); #endif } }
@@ -1739,8 +1699,8 @@ verify_fix_key2(struct key2 *key2, const struct key_type *kt, const char *shared /* This should be a very improbable failure */ if (!check_key(&key2->keys[i], kt)) { - msg(M_FATAL, "Key #%d in '%s' is bad. Try making a new key with --genkey.", - i+1, shared_secret_file); + msg(M_FATAL, "Key #%d in '%s' is bad. Try making a new key with --genkey.", i + 1, + shared_secret_file); } } }
@@ -1767,9 +1727,7 @@ get_random(void) void print_cipher(const char *ciphername) { - printf("%s (%d bit key, ", - cipher_kt_name(ciphername), - cipher_kt_key_size(ciphername) * 8); + printf("%s (%d bit key, ", cipher_kt_name(ciphername), cipher_kt_key_size(ciphername) * 8); if (cipher_kt_block_size(ciphername) == 1) { 
@@ -1855,14 +1813,13 @@ write_pem_key_file(const char *filename, const char *pem_name) goto cleanup; } buf_set_read(&server_key_buf, (void *)&server_key, sizeof(server_key)); - if (!crypto_pem_encode(pem_name, &server_key_pem, - &server_key_buf, &gc)) + if (!crypto_pem_encode(pem_name, &server_key_pem, &server_key_buf, &gc)) { msg(M_WARN, "ERROR: could not PEM-encode key"); goto cleanup; } - if (!filename || strcmp(filename, "")==0) + if (!filename || strcmp(filename, "") == 0) { printf("%.*s", BLEN(&server_key_pem), BPTR(&server_key_pem)); }
@@ -1898,8 +1855,7 @@ generate_ephemeral_key(struct buffer *key, const char *key_name) } bool -read_pem_key_file(struct buffer *key, const char *pem_name, - const char *key_file, bool key_inline) +read_pem_key_file(struct buffer *key, const char *pem_name, const char *key_file, bool key_inline) { bool ret = false; struct buffer key_pem = { 0 };
@@ -1910,8 +1866,7 @@ read_pem_key_file(struct buffer *key, const char *pem_name, key_pem = buffer_read_from_file(key_file, &gc); if (!buf_valid(&key_pem)) { - msg(M_WARN, "ERROR: failed to read %s file (%s)", - pem_name, key_file); + msg(M_WARN, "ERROR: failed to read %s file (%s)", pem_name, key_file); goto cleanup; } }
@@ -1948,9 +1903,8 @@ check_tls_prf_working(void) uint8_t out[8]; uint8_t expected_out[] = { 'q', 'D', '\xfe', '%', '@', 's', 'u', '\x95' }; - int ret = ssl_tls1_PRF((uint8_t *)seed, (int) strlen(seed), - (uint8_t *)secret, (int) strlen(secret), - out, sizeof(out)); + int ret = ssl_tls1_PRF((uint8_t *)seed, (int)strlen(seed), (uint8_t *)secret, + (int)strlen(secret), out, sizeof(out)); return (ret && memcmp(out, expected_out, sizeof(out)) == 0); }
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index b6f3549d8..cee414582 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -129,7 +129,8 @@ #include "mtu.h" /** Wrapper struct to pass around SHA256 digests */ -struct sha256_digest { +struct sha256_digest +{ uint8_t digest[SHA256_DIGEST_LENGTH]; }; 
@@ -138,8 +139,8 @@ struct sha256_digest { */ struct key_type { - const char *cipher; /**< const name of the cipher */ - const char *digest; /**< Message digest static parameters */ + const char *cipher; /**< const name of the cipher */ + const char *digest; /**< Message digest static parameters */ }; /**
@@ -158,7 +159,8 @@ struct key /** internal structure similar to struct key that holds key information * but is not represented on wire and can be changed/extended */ -struct key_parameters { +struct key_parameters +{ /** %Key material for cipher operations. */ uint8_t cipher[MAX_CIPHER_KEY_LENGTH];
@@ -184,10 +186,10 @@ struct key_parameters { * @param key_params destination for the converted struct * @param key source of the conversion */ -void -key_parameters_from_key(struct key_parameters *key_params, const struct key *key); +void key_parameters_from_key(struct key_parameters *key_params, const struct key *key); -struct epoch_key { +struct epoch_key +{ uint8_t epoch_key[SHA256_DIGEST_LENGTH]; uint16_t epoch; };
@@ -198,8 +200,8 @@ struct epoch_key { */ struct key_ctx { - cipher_ctx_t *cipher; /**< Generic cipher %context. */ - hmac_ctx_t *hmac; /**< Generic HMAC %context. */ + cipher_ctx_t *cipher; /**< Generic cipher %context. */ + hmac_ctx_t *hmac; /**< Generic HMAC %context. */ /** * This implicit IV will be always XORed with the packet id that is sent on * the wire to get the IV. For the common AEAD ciphers of AES-GCM and
@@ -213,7 +215,7 @@ struct key_ctx */ uint8_t implicit_iv[OPENVPN_MAX_IV_LENGTH]; /**< The implicit part of the IV */ - size_t implicit_iv_len; /**< The length of implicit_iv */ + size_t implicit_iv_len; /**< The length of implicit_iv */ /** Counter for the number of plaintext block encrypted using this cipher * with the current key in number of 128 bit blocks (only used for * AEAD ciphers) */ 
@@ -236,12 +238,12 @@ struct key_ctx */ struct key2 { - int n; /**< The number of \c key objects stored - * in the \c key2.keys array. */ - struct key keys[2]; /**< Two unidirectional sets of %key - * material. The first key is the client - * (encrypts) to server (decrypts), the - * second the server to client key. */ + int n; /**< The number of \c key objects stored + * in the \c key2.keys array. */ + struct key keys[2]; /**< Two unidirectional sets of %key + * material. The first key is the client + * (encrypts) to server (decrypts), the + * second the server to client key. */ }; /**
@@ -255,18 +257,18 @@ struct key2 */ struct key_direction_state { - int out_key; /**< Index into the \c key2.keys array for - * the sending direction. */ - int in_key; /**< Index into the \c key2.keys array for - * the receiving direction. */ - int need_keys; /**< The number of key objects necessary - * to support both sending and - * receiving. - * - * This will be 1 if the same keys are - * used in both directions, or 2 if - * there are two sets of unidirectional - * keys. */ + int out_key; /**< Index into the \c key2.keys array for + * the sending direction. */ + int in_key; /**< Index into the \c key2.keys array for + * the receiving direction. */ + int need_keys; /**< The number of key objects necessary + * to support both sending and + * receiving. + * + * This will be 1 if the same keys are + * used in both directions, or 2 if + * there are two sets of unidirectional + * keys. */ }; /**
@@ -276,10 +278,10 @@ struct key_direction_state */ struct key_ctx_bi { - struct key_ctx encrypt; /**< Cipher and/or HMAC contexts for sending - * direction. */ - struct key_ctx decrypt; /**< cipher and/or HMAC contexts for - * receiving direction. */ + struct key_ctx encrypt; /**< Cipher and/or HMAC contexts for sending + * direction. */ + struct key_ctx decrypt; /**< cipher and/or HMAC contexts for + * receiving direction. */ bool initialized; }; 
@@ -340,54 +342,58 @@ struct crypto_options * keeping state between successive * OpenVPN process startups. */ -#define CO_PACKET_ID_LONG_FORM (1<<0) +#define CO_PACKET_ID_LONG_FORM (1 << 0) /**< Bit-flag indicating whether to use - * OpenVPN's long packet ID format. */ -#define CO_IGNORE_PACKET_ID (1<<1) + * OpenVPN's long packet ID format. */ +#define CO_IGNORE_PACKET_ID (1 << 1) /**< Bit-flag indicating whether to ignore * the packet ID of a received packet. * This flag is used during processing * of the first packet received from a * client. */ -#define CO_MUTE_REPLAY_WARNINGS (1<<2) +#define CO_MUTE_REPLAY_WARNINGS (1 << 2) /**< Bit-flag indicating not to display * replay warnings. */ -#define CO_USE_TLS_KEY_MATERIAL_EXPORT (1<<3) +#define CO_USE_TLS_KEY_MATERIAL_EXPORT (1 << 3) /**< Bit-flag indicating that data channel key derivation * is done using TLS keying material export [RFC5705] */ -#define CO_RESEND_WKC (1<<4) +#define CO_RESEND_WKC (1 << 4) /**< Bit-flag indicating that the client is expected to * resend the wrapped client key with the 2nd packet (packet-id 1) * like with the HARD_RESET_CLIENT_V3 packet */ -#define CO_FORCE_TLSCRYPTV2_COOKIE (1<<5) +#define CO_FORCE_TLSCRYPTV2_COOKIE (1 << 5) /**< Bit-flag indicating that we do not allow clients that do * not support resending the wrapped client key (WKc) with the * third packet of the three-way handshake */ -#define CO_USE_CC_EXIT_NOTIFY (1<<6) +#define CO_USE_CC_EXIT_NOTIFY (1 << 6) /**< Bit-flag indicating that explicit exit notifies should be * sent via the control channel instead of using an OCC message */ -#define CO_USE_DYNAMIC_TLS_CRYPT (1<<7) +#define CO_USE_DYNAMIC_TLS_CRYPT (1 << 7) /**< Bit-flag indicating that renegotiations are using tls-crypt * with a TLS-EKM derived key. */ -#define CO_EPOCH_DATA_KEY_FORMAT (1<<8) +#define CO_EPOCH_DATA_KEY_FORMAT (1 << 8) /**< Bit-flag indicating the epoch the data format. 
This format * has the AEAD tag at the end of the packet and is using a longer * 64-bit packet id that is split into a 16 bit epoch and 48 bit * epoch counter */ - unsigned int flags; /**< Bit-flags determining behavior of - * security operation functions. */ + unsigned int flags; /**< Bit-flags determining behavior of + * security operation functions. */ }; -#define CRYPT_ERROR_EXIT(flags, format) \ - do { msg(flags, "%s: " format, error_prefix); goto error_exit; } while (false) +#define CRYPT_ERROR_EXIT(flags, format) \ + do \ + { \ + msg(flags, "%s: " format, error_prefix); \ + goto error_exit; \ + } while (false) #define CRYPT_ERROR(format) CRYPT_ERROR_EXIT(D_CRYPT_ERRORS, format) -#define CRYPT_DROP(format) CRYPT_ERROR_EXIT(D_MULTI_DROPPED, format) +#define CRYPT_DROP(format) CRYPT_ERROR_EXIT(D_MULTI_DROPPED, format) /** * Minimal IV length for AEAD mode ciphers (in bytes):
@@ -395,8 +401,8 @@ struct crypto_options */ #define OPENVPN_AEAD_MIN_IV_LEN (sizeof(packet_id_type) + 8) -#define RKF_MUST_SUCCEED (1<<0) -#define RKF_INLINE (1<<1) +#define RKF_MUST_SUCCEED (1 << 0) +#define RKF_INLINE (1 << 1) void read_key_file(struct key2 *key2, const char *file, const unsigned int flags); /** 
@@ -418,30 +424,26 @@ bool check_key(struct key *key, const struct key_type *kt); * more ciphers than static key mode. * @param warn Print warnings when null cipher / auth is used. */ -void init_key_type(struct key_type *kt, const char *ciphername, - const char *authname, bool tls_mode, bool warn); +void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, + bool warn); /* * Key context functions */ -void init_key_ctx(struct key_ctx *ctx, const struct key_parameters *key, - const struct key_type *kt, int enc, - const char *prefix); +void init_key_ctx(struct key_ctx *ctx, const struct key_parameters *key, const struct key_type *kt, + int enc, const char *prefix); -void -init_key_bi_ctx_send(struct key_ctx *ctx, const struct key_parameters *key, - const struct key_type *kt, const char *name); +void init_key_bi_ctx_send(struct key_ctx *ctx, const struct key_parameters *key, + const struct key_type *kt, const char *name); -void -init_key_bi_ctx_recv(struct key_ctx *ctx, const struct key_parameters *key, - const struct key_type *kt, const char *name); +void init_key_bi_ctx_recv(struct key_ctx *ctx, const struct key_parameters *key, + const struct key_type *kt, const char *name); void free_key_ctx(struct key_ctx *ctx); -void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, - int key_direction, const struct key_type *kt, - const char *name); +void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, + const struct key_type *kt, const char *name); void free_key_ctx_bi(struct key_ctx_bi *ctx);
@@ -476,8 +478,7 @@ void free_key_ctx_bi(struct key_ctx_bi *ctx); * contain the processed packet ready for sending, or be empty if an * error occurred. */ -void openvpn_encrypt(struct buffer *buf, struct buffer work, - struct crypto_options *opt); +void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt); /** 
@@ -513,9 +514,8 @@ void openvpn_encrypt(struct buffer *buf, struct buffer work, * the plaintext packet ready for further processing, or be empty if * an error occurred. */ -bool openvpn_decrypt(struct buffer *buf, struct buffer work, - struct crypto_options *opt, const struct frame *frame, - const uint8_t *ad_start); +bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, + const struct frame *frame, const uint8_t *ad_start); /** @} name Functions for performing security operations on data channel packets */
@@ -530,11 +530,8 @@ bool openvpn_decrypt(struct buffer *buf, struct buffer work, * * @return true if packet ID is validated to be not a replay, false otherwise. */ -bool crypto_check_replay(struct crypto_options *opt, - const struct packet_id_net *pin, - uint16_t epoch, - const char *error_prefix, - struct gc_arena *gc); +bool crypto_check_replay(struct crypto_options *opt, const struct packet_id_net *pin, + uint16_t epoch, const char *error_prefix, struct gc_arena *gc); /** Calculate the maximum overhead that our encryption has
@@ -550,10 +547,8 @@ bool crypto_check_replay(struct crypto_options *opt, * incorrect way as all previous OpenVPN versions did, to * end up with identical numbers for OCC compatibility */ -unsigned int -calculate_crypto_overhead(const struct key_type *kt, - unsigned int pkt_id_size, - bool occ); +unsigned int calculate_crypto_overhead(const struct key_type *kt, unsigned int pkt_id_size, + bool occ); /** Return the worst-case OpenVPN crypto overhead (in bytes) */ unsigned int crypto_max_overhead(void);
@@ -565,8 +560,7 @@ unsigned int crypto_max_overhead(void); * @param filename Filename of the server key file to create. * @param key_name The name to use in the PEM header/footer. */ -void -write_pem_key_file(const char *filename, const char *key_name); +void write_pem_key_file(const char *filename, const char *key_name); /** * Generate ephermal key material into the key structure 
@@ -575,8 +569,7 @@ write_pem_key_file(const char *filename, const char *key_name); * @param pem_name the name used for logging * @return true if key generation was successful */ -bool -generate_ephemeral_key(struct buffer *key, const char *pem_name); +bool generate_ephemeral_key(struct buffer *key, const char *pem_name); /** * Read key material from a PEM encoded files into the key structure
@@ -588,9 +581,8 @@ generate_ephemeral_key(struct buffer *key, const char *pem_name); * otherwise. * @return true if reading into key was successful */ -bool -read_pem_key_file(struct buffer *key, const char *pem_name, - const char *key_file, bool key_inline); +bool read_pem_key_file(struct buffer *key, const char *pem_name, const char *key_file, + bool key_inline); /* * Message digest-based pseudo random number generator.
@@ -631,16 +623,12 @@ int ascii2keydirection(int msglevel, const char *str); const char *keydirection2ascii(int kd, bool remote, bool humanreadable); /* print keys */ -void key2_print(const struct key2 *k, - const struct key_type *kt, - const char *prefix0, +void key2_print(const struct key2 *k, const struct key_type *kt, const char *prefix0, const char *prefix1); -void crypto_read_openvpn_key(const struct key_type *key_type, - struct key_ctx_bi *ctx, const char *key_file, - bool key_inline, const int key_direction, - const char *key_name, const char *opt_name, - struct key2 *keydata); +void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, + const char *key_file, bool key_inline, const int key_direction, + const char *key_name, const char *opt_name, struct key2 *keydata); /* * Inline functions 
@@ -690,12 +678,12 @@ create_kt(const char *cipher, const char *md, const char *optname) if (cipher_defined(kt.cipher) && !cipher_valid(kt.cipher)) { msg(M_WARN, "ERROR: --%s requires %s support.", optname, kt.cipher); - return (struct key_type) { 0 }; + return (struct key_type){ 0 }; } if (md_defined(kt.digest) && !md_valid(kt.digest)) { msg(M_WARN, "ERROR: --%s requires %s support.", optname, kt.digest); - return (struct key_type) { 0 }; + return (struct key_type){ 0 }; } return kt;
@@ -710,8 +698,7 @@ create_kt(const char *cipher, const char *md, const char *optname) * For reference see the OpenVPN RFC draft and * https://www.ietf.org/archive/id/draft-irtf-cfrg-aead-limits-08.html */ -uint64_t -cipher_get_aead_limits(const char *ciphername); +uint64_t cipher_get_aead_limits(const char *ciphername); /** * Check if the number of failed decryption is over the acceptable limit.
@@ -724,7 +711,7 @@ cipher_decrypt_verify_fail_exceeded(const struct key_ctx *ctx) * but we accept slightly lower security bound for the edge * of Chacha20-Poly1305 and packets over 16k as MTUs over 16k are * extremely rarely used */ - return ctx->failed_verifications > (1ull << 36); + return ctx->failed_verifications > (1ull << 36); } /**
@@ -735,7 +722,7 @@ static inline bool cipher_decrypt_verify_fail_warn(const struct key_ctx *ctx) { /* Use 2**35, half the amount after which we refuse to decrypt */ - return ctx->failed_verifications > (1ull << 35); + return ctx->failed_verifications > (1ull << 35); }
@@ -744,7 +731,7 @@ cipher_decrypt_verify_fail_warn(const struct key_ctx *ctx) * * Since cipher_ctx_block_size() is not reliable and will return 1 in many * cases use a hardcoded blocksize instead */ -#define AEAD_LIMIT_BLOCKSIZE 16 +#define AEAD_LIMIT_BLOCKSIZE 16 /** * Checks if the current TLS library supports the TLS 1.0 PRF with MD5+SHA1 
@@ -761,13 +748,12 @@ bool check_tls_prf_working(void); * to read. */ static inline bool -aead_usage_limit_reached(const uint64_t limit, const struct key_ctx *key_ctx, - int64_t higest_pid) +aead_usage_limit_reached(const uint64_t limit, const struct key_ctx *key_ctx, int64_t higest_pid) { /* This is the q + s <= p^(1/2) * 2^(129/2) - 1 calculation where * q is the number of protected messages (highest_pid) * s Total plaintext length in all messages (in blocks) */ - return (limit > 0 && key_ctx->plaintext_blocks + (uint64_t) higest_pid > limit); + return (limit > 0 && key_ctx->plaintext_blocks + (uint64_t)higest_pid > limit); } #endif /* CRYPTO_H */
diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index df5bc4d8a..59418f630 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -45,18 +45,20 @@ #define OPENVPN_MAX_CIPHER_BLOCK_SIZE 32 /* Maximum HMAC digest size (bytes) */ -#define OPENVPN_MAX_HMAC_SIZE 64 +#define OPENVPN_MAX_HMAC_SIZE 64 /** Types referencing specific message digest hashing algorithms */ -typedef enum { +typedef enum +{ MD_SHA1, MD_SHA256 } hash_algo_type; /** Struct used in cipher name translation table */ -typedef struct { - const char *openvpn_name; /**< Cipher name used by OpenVPN */ - const char *lib_name; /**< Cipher name used by crypto library */ +typedef struct +{ + const char *openvpn_name; /**< Cipher name used by OpenVPN */ + const char *lib_name; /**< Cipher name used by crypto library */ } cipher_name_pair; /** Cipher name translation table */
@@ -122,8 +124,8 @@ void show_available_engines(void); * * @return true iff PEM encode succeeded. */ -bool crypto_pem_encode(const char *name, struct buffer *dst, - const struct buffer *src, struct gc_arena *gc); +bool crypto_pem_encode(const char *name, struct buffer *dst, const struct buffer *src, + struct gc_arena *gc); /** * Decode a PEM buffer to binary data. 
@@ -134,8 +136,7 @@ bool crypto_pem_encode(const char *name, struct buffer *dst, * * @return true iff PEM decode succeeded. */ -bool crypto_pem_decode(const char *name, struct buffer *dst, - const struct buffer *src); +bool crypto_pem_decode(const char *name, struct buffer *dst, const struct buffer *src); /* * @@ -338,8 +339,8 @@ void cipher_ctx_free(cipher_ctx_t *ctx); * @param enc Whether to encrypt or decrypt (either * \c OPENVPN_OP_ENCRYPT or \c OPENVPN_OP_DECRYPT). */ -void cipher_ctx_init(cipher_ctx_t *ctx, const uint8_t *key, - const char *ciphername, crypto_operation_t enc); +void cipher_ctx_init(cipher_ctx_t *ctx, const uint8_t *key, const char *ciphername, + crypto_operation_t enc); /** * Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is @@ -447,8 +448,7 @@ int cipher_ctx_update_ad(cipher_ctx_t *ctx, const uint8_t *src, int src_len); * * @return \c 0 on failure, \c 1 on success. */ -int cipher_ctx_update(cipher_ctx_t *ctx, uint8_t *dst, int *dst_len, - uint8_t *src, int src_len); +int cipher_ctx_update(cipher_ctx_t *ctx, uint8_t *dst, int *dst_len, uint8_t *src, int src_len); /** * Pads the final cipher block using PKCS padding, and output to the destination @@ -475,8 +475,8 @@ int cipher_ctx_final(cipher_ctx_t *ctx, uint8_t *dst, int *dst_len); * * @return \c 0 on failure, \c 1 on success. */ -int cipher_ctx_final_check_tag(cipher_ctx_t *ctx, uint8_t *dst, int *dst_len, - uint8_t *tag, size_t tag_len); +int cipher_ctx_final_check_tag(cipher_ctx_t *ctx, uint8_t *dst, int *dst_len, uint8_t *tag, + size_t tag_len); /* 
@@ -716,7 +716,7 @@ const char *translate_cipher_name_to_openvpn(const char *cipher_name); * * @return true if successful, false on any error */ -bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, - int secret_len, uint8_t *output, int output_len); +bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, + uint8_t *output, int output_len); #endif /* CRYPTO_BACKEND_H_ */ diff --git a/src/openvpn/crypto_epoch.c b/src/openvpn/crypto_epoch.c index 741ad233e..b5cbc8db8 100644 --- a/src/openvpn/crypto_epoch.c +++ b/src/openvpn/crypto_epoch.c @@ -39,9 +39,8 @@ #include "integer.h" void -ovpn_hkdf_expand(const uint8_t *secret, - const uint8_t *info, int info_len, - uint8_t *out, int out_len) +ovpn_hkdf_expand(const uint8_t *secret, const uint8_t *info, int info_len, uint8_t *out, + int out_len) { hmac_ctx_t *hmac_ctx = hmac_ctx_new(); hmac_ctx_init(hmac_ctx, secret, "SHA256"); @@ -74,13 +73,10 @@ ovpn_hkdf_expand(const uint8_t *secret, } bool -ovpn_expand_label(const uint8_t *secret, size_t secret_len, - const uint8_t *label, size_t label_len, - const uint8_t *context, size_t context_len, - uint8_t *out, uint16_t out_len) +ovpn_expand_label(const uint8_t *secret, size_t secret_len, const uint8_t *label, size_t label_len, + const uint8_t *context, size_t context_len, uint8_t *out, uint16_t out_len) { - if (secret_len != 32 || label_len > 250 || context_len > 255 - || label_len < 1) + if (secret_len != 32 || label_len > 250 || context_len > 255 || label_len < 1) { /* Our current implementation is not a general purpose one * and assumes that the secret size matches the size of the 
@@ -92,7 +88,7 @@ ovpn_expand_label(const uint8_t *secret, size_t secret_len, struct gc_arena gc = gc_new(); /* 2 byte for the outlen encoded as uint16, 5 bytes for "ovpn ", * 1 byte for context len byte and 1 byte for label len byte */ - const uint8_t *label_prefix = (const uint8_t *) ("ovpn "); + const uint8_t *label_prefix = (const uint8_t *)("ovpn "); int prefix_len = 5; int hkdf_label_len = 2 + prefix_len + 1 + label_len + 1 + context_len; @@ -111,8 +107,7 @@ ovpn_expand_label(const uint8_t *secret, size_t secret_len, ASSERT(buf_len(&hkdf_label) == hkdf_label_len); - ovpn_hkdf_expand(secret, buf_bptr(&hkdf_label), - buf_len(&hkdf_label), out, out_len); + ovpn_hkdf_expand(secret, buf_bptr(&hkdf_label), buf_len(&hkdf_label), out, out_len); gc_free(&gc); return true; @@ -133,16 +128,14 @@ epoch_key_iterate(struct epoch_key *epoch_key) const size_t epoch_update_label_len = sizeof(epoch_update_label) - 1; /* E_N+1 = OVPN-Expand-Label(E_N, "datakey upd", "", 32) */ - ovpn_expand_label(epoch_key->epoch_key, sizeof(epoch_key->epoch_key), - epoch_update_label, epoch_update_label_len, - NULL, 0, - new_epoch_key.epoch_key, sizeof(new_epoch_key.epoch_key)); + ovpn_expand_label(epoch_key->epoch_key, sizeof(epoch_key->epoch_key), epoch_update_label, + epoch_update_label_len, NULL, 0, new_epoch_key.epoch_key, + sizeof(new_epoch_key.epoch_key)); *epoch_key = new_epoch_key; } void -epoch_data_key_derive(struct key_parameters *key, - const struct epoch_key *epoch_key, +epoch_data_key_derive(struct key_parameters *key, const struct epoch_key *epoch_key, const struct key_type *kt) { key->hmac_size = cipher_kt_iv_size(kt->cipher); 
@@ -157,19 +150,16 @@ epoch_data_key_derive(struct key_parameters *key, /* length of the array without extra \0 byte from the string */ const size_t epoch_data_key_label_len = sizeof(epoch_data_key_label) - 1; - ovpn_expand_label(epoch_key->epoch_key, sizeof(epoch_key->epoch_key), - epoch_data_key_label, epoch_data_key_label_len, - NULL, 0, - (uint8_t *)(&key->cipher), key->cipher_size); + ovpn_expand_label(epoch_key->epoch_key, sizeof(epoch_key->epoch_key), epoch_data_key_label, + epoch_data_key_label_len, NULL, 0, (uint8_t *)(&key->cipher), + key->cipher_size); const uint8_t epoch_data_iv_label[] = "data_iv"; /* length of the array without extra \0 byte from the string */ const size_t epoch_data_iv_label_len = sizeof(epoch_data_iv_label) - 1; - ovpn_expand_label(epoch_key->epoch_key, sizeof(epoch_key->epoch_key), - epoch_data_iv_label, epoch_data_iv_label_len, - NULL, 0, - (uint8_t *)(&key->hmac), key->hmac_size); + ovpn_expand_label(epoch_key->epoch_key, sizeof(epoch_key->epoch_key), epoch_data_iv_label, + epoch_data_iv_label_len, NULL, 0, (uint8_t *)(&key->hmac), key->hmac_size); key->epoch = epoch_key->epoch; } @@ -187,8 +177,7 @@ epoch_init_send_key_ctx(struct crypto_options *co) epoch_data_key_derive(&send_key, &co->epoch_key_send, &co->epoch_key_type); - init_key_bi_ctx_send(&co->key_ctx_bi.encrypt, &send_key, - &co->epoch_key_type, name); + init_key_bi_ctx_send(&co->key_ctx_bi.encrypt, &send_key, &co->epoch_key_type, name); reset_packet_id_send(&co->packet_id.send); CLEAR(send_key); } 
@@ -219,10 +208,10 @@ epoch_generate_future_receive_keys(struct crypto_options *co) /* Either we have not generated any future keys yet (first initialisation) * or the last index is the same as our current epoch key * (last generated receive epoch key should match the epoch key) */ - struct key_ctx *highest_future_key = &co->epoch_data_keys_future[co->epoch_data_keys_future_count - 1]; + struct key_ctx *highest_future_key = + &co->epoch_data_keys_future[co->epoch_data_keys_future_count - 1]; - ASSERT(co->epoch_key_recv.epoch == 1 - || highest_future_key->epoch == co->epoch_key_recv.epoch); + ASSERT(co->epoch_key_recv.epoch == 1 || highest_future_key->epoch == co->epoch_key_recv.epoch); /* free the keys that are not used anymore */ for (uint16_t i = 0; i < co->epoch_data_keys_future_count; i++) @@ -250,12 +239,12 @@ epoch_generate_future_receive_keys(struct crypto_options *co) { ASSERT(co->epoch_data_keys_future[i].epoch == 0); } - memmove(co->epoch_data_keys_future, - co->epoch_data_keys_future + num_keys_generate, + memmove(co->epoch_data_keys_future, co->epoch_data_keys_future + num_keys_generate, (co->epoch_data_keys_future_count - num_keys_generate) * sizeof(struct key_ctx)); /* Clear and regenerate the array elements at the end */ - for (uint16_t i = co->epoch_data_keys_future_count - num_keys_generate; i < co->epoch_data_keys_future_count; i++) + for (uint16_t i = co->epoch_data_keys_future_count - num_keys_generate; + i < co->epoch_data_keys_future_count; i++) { CLEAR(co->epoch_data_keys_future[i]); epoch_key_iterate(&co->epoch_key_recv); @@ -280,8 +269,7 @@ epoch_iterate_send_key(struct crypto_options *co) } void -epoch_replace_update_recv_key(struct crypto_options *co, - uint16_t new_epoch) +epoch_replace_update_recv_key(struct crypto_options *co, uint16_t new_epoch) { /* Find the key of the new epoch in future keys */ uint16_t fki; 
@@ -350,8 +338,7 @@ free_epoch_key_ctx(struct crypto_options *co) void epoch_init_key_ctx(struct crypto_options *co, const struct key_type *key_type, - const struct epoch_key *e1_send, - const struct epoch_key *e1_recv, + const struct epoch_key *e1_send, const struct epoch_key *e1_recv, uint16_t future_key_count) { ASSERT(e1_send->epoch == 1 && e1_recv->epoch == 1); @@ -441,11 +428,9 @@ epoch_check_send_iterate(struct crypto_options *opt) * decryption fail warn limit. * */ else if (opt->key_ctx_bi.encrypt.epoch == opt->key_ctx_bi.decrypt.epoch - && (aead_usage_limit_reached(opt->aead_usage_limit, - &opt->key_ctx_bi.decrypt, + && (aead_usage_limit_reached(opt->aead_usage_limit, &opt->key_ctx_bi.decrypt, opt->packet_id.rec.id) - || cipher_decrypt_verify_fail_warn(&opt->key_ctx_bi.decrypt) - )) + || cipher_decrypt_verify_fail_warn(&opt->key_ctx_bi.decrypt))) { /* Receive key limit reached. Increase our own send key to signal * that we want to use a new epoch. Peer should then also move its @@ -458,5 +443,4 @@ epoch_check_send_iterate(struct crypto_options *opt) { epoch_iterate_send_key(opt); } - } diff --git a/src/openvpn/crypto_epoch.h b/src/openvpn/crypto_epoch.h index ff5974ea2..33ca74149 100644 --- a/src/openvpn/crypto_epoch.h +++ b/src/openvpn/crypto_epoch.h @@ -38,10 +38,8 @@ * @param out output keying material * @param out_len length of output keying material */ -void -ovpn_hkdf_expand(const uint8_t *secret, - const uint8_t *info, int info_len, - uint8_t *out, int out_len); +void ovpn_hkdf_expand(const uint8_t *secret, const uint8_t *info, int info_len, uint8_t *out, + int out_len); /** * Variant of the RFC 8446 TLS 1.3 HKDF-Expand-Label function with the 
@@ -60,11 +58,9 @@ ovpn_hkdf_expand(const uint8_t *secret, * @param out_len length of output keying material * @return */ -bool -ovpn_expand_label(const uint8_t *secret, size_t secret_len, - const uint8_t *label, size_t label_len, - const uint8_t *context, size_t context_len, - uint8_t *out, uint16_t out_len); +bool ovpn_expand_label(const uint8_t *secret, size_t secret_len, const uint8_t *label, + size_t label_len, const uint8_t *context, size_t context_len, uint8_t *out, + uint16_t out_len); /** * Generate a data channel key pair from the epoch key @@ -72,10 +68,8 @@ ovpn_expand_label(const uint8_t *secret, size_t secret_len, * @param epoch_key Epoch key to be used * @param kt Cipher information to generate the data channel key for */ -void -epoch_data_key_derive(struct key_parameters *key, - const struct epoch_key *epoch_key, - const struct key_type *kt); +void epoch_data_key_derive(struct key_parameters *key, const struct epoch_key *epoch_key, + const struct key_type *kt); /** * Generates and fills the epoch_data_keys_future with next valid @@ -90,8 +84,7 @@ epoch_data_key_derive(struct key_parameters *key, * free the ones that are older than the crypto_options.key_ctx_bi.decrypt and * generate the keys from the newer epoch. */ -void -epoch_generate_future_receive_keys(struct crypto_options *co); +void epoch_generate_future_receive_keys(struct crypto_options *co); /** This is called when the peer uses a new send key that is not the default 
@@ -102,21 +95,17 @@ epoch_generate_future_receive_keys(struct crypto_options *co); * @param co crypto_options to update * @param new_epoch the new epoch to use for the receive key */ -void -epoch_replace_update_recv_key(struct crypto_options *co, - uint16_t new_epoch); +void epoch_replace_update_recv_key(struct crypto_options *co, uint16_t new_epoch); /** * Updates the send key and send_epoch_key in cryptio_options->key_ctx_bi to * use the next epoch */ -void -epoch_iterate_send_key(struct crypto_options *co); +void epoch_iterate_send_key(struct crypto_options *co); /** * Frees the extra data structures used by epoch keys in \c crypto_options */ -void -free_epoch_key_ctx(struct crypto_options *co); +void free_epoch_key_ctx(struct crypto_options *co); /** * Initialises data channel keys and internal structures for epoch data keys @@ -131,10 +120,9 @@ free_epoch_key_ctx(struct crypto_options *co); * @param future_key_count the number of future epoch keys that should be * considered valid when receiving data from the peer */ -void -epoch_init_key_ctx(struct crypto_options *co, const struct key_type *key_type, - const struct epoch_key *e1_send, const struct epoch_key *e1_recv, - uint16_t future_key_count); +void epoch_init_key_ctx(struct crypto_options *co, const struct key_type *key_type, + const struct epoch_key *e1_send, const struct epoch_key *e1_recv, + uint16_t future_key_count); /** * Using an epoch, this function will try to retrieve a decryption @@ -143,8 +131,7 @@ epoch_init_key_ctx(struct crypto_options *co, const struct key_type *key_type, * @param epoch epoch of the key to lookup * @return the key context with */ -struct key_ctx * -epoch_lookup_decrypt_key(struct crypto_options *opt, uint16_t epoch); +struct key_ctx *epoch_lookup_decrypt_key(struct crypto_options *opt, uint16_t epoch); /** * Checks if we need to iterate the send epoch key. This needs to be in one 
@@ -153,8 +140,7 @@ epoch_lookup_decrypt_key(struct crypto_options *opt, uint16_t epoch); * - send key aead usage limit reached (for AES-GCM and similar ciphers) * - recv key usage limit reached */ -void -epoch_check_send_iterate(struct crypto_options *opt); +void epoch_check_send_iterate(struct crypto_options *opt); #endif /* ifndef CRYPTO_EPOCH_H */ diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index 0950f6b5c..86317dd75 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -65,7 +65,7 @@ void crypto_init_lib_engine(const char *engine_name) { msg(M_WARN, "Note: mbed TLS hardware crypto engine functionality is not " - "available"); + "available"); } provider_t * @@ -123,8 +123,7 @@ mbed_log_err(unsigned int flags, int errval, const char *prefix) } bool -mbed_log_func_line(unsigned int flags, int errval, const char *func, - int line) +mbed_log_func_line(unsigned int flags, int errval, const char *func, int line) { char prefix[256]; @@ -203,8 +202,8 @@ show_available_digests(void) const int *digests = mbedtls_md_list(); #ifndef ENABLE_SMALL - printf("The following message digests are available for use with\n" - PACKAGE_NAME ". A message digest is used in conjunction with\n" + printf("The following message digests are available for use with\n" PACKAGE_NAME + ". A message digest is used in conjunction with\n" "the HMAC function, to authenticate received packets.\n" "You can specify a message digest as parameter to\n" "the --auth option.\n\n"); 
@@ -232,12 +231,12 @@ show_available_engines(void) } bool -crypto_pem_encode(const char *name, struct buffer *dst, - const struct buffer *src, struct gc_arena *gc) +crypto_pem_encode(const char *name, struct buffer *dst, const struct buffer *src, + struct gc_arena *gc) { /* 1000 chars is the PEM line length limit (+1 for tailing NUL) */ - char header[1000+1] = { 0 }; - char footer[1000+1] = { 0 }; + char header[1000 + 1] = { 0 }; + char footer[1000 + 1] = { 0 }; if (!snprintf(header, sizeof(header), "-----BEGIN %s-----\n", name)) { @@ -249,9 +248,8 @@ crypto_pem_encode(const char *name, struct buffer *dst, } size_t out_len = 0; - if (MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL != - mbedtls_pem_write_buffer(header, footer, BPTR(src), BLEN(src), - NULL, 0, &out_len)) + if (MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL + != mbedtls_pem_write_buffer(header, footer, BPTR(src), BLEN(src), NULL, 0, &out_len)) { return false; } @@ -259,9 +257,9 @@ crypto_pem_encode(const char *name, struct buffer *dst, /* We set the size buf to out_len-1 to NOT include the 0 byte that * mbedtls_pem_write_buffer in its length calculation */ *dst = alloc_buf_gc(out_len, gc); - if (!mbed_ok(mbedtls_pem_write_buffer(header, footer, BPTR(src), BLEN(src), - BPTR(dst), BCAP(dst), &out_len)) - || !buf_inc_len(dst, out_len-1)) + if (!mbed_ok(mbedtls_pem_write_buffer(header, footer, BPTR(src), BLEN(src), BPTR(dst), + BCAP(dst), &out_len)) + || !buf_inc_len(dst, out_len - 1)) { CLEAR(*dst); return false; @@ -271,12 +269,11 @@ crypto_pem_encode(const char *name, struct buffer *dst, } bool -crypto_pem_decode(const char *name, struct buffer *dst, - const struct buffer *src) +crypto_pem_decode(const char *name, struct buffer *dst, const struct buffer *src) { /* 1000 chars is the PEM line length limit (+1 for tailing NUL) */ - char header[1000+1] = { 0 }; - char footer[1000+1] = { 0 }; + char header[1000 + 1] = { 0 }; + char footer[1000 + 1] = { 0 }; if (!snprintf(header, sizeof(header), "-----BEGIN %s-----", name)) { 
@@ -296,8 +293,8 @@ crypto_pem_decode(const char *name, struct buffer *dst, size_t use_len = 0; mbedtls_pem_context ctx = { 0 }; - bool ret = mbed_ok(mbedtls_pem_read_buffer(&ctx, header, footer, BPTR(&input), - NULL, 0, &use_len)); + bool ret = + mbed_ok(mbedtls_pem_read_buffer(&ctx, header, footer, BPTR(&input), NULL, 0, &use_len)); size_t buf_size = 0; const unsigned char *buf = mbedtls_pem_get_buffer(&ctx, &buf_size); if (ret && !buf_write(dst, buf, buf_size)) @@ -327,8 +324,8 @@ crypto_pem_decode(const char *name, struct buffer *dst, mbedtls_ctr_drbg_context * rand_ctx_get(void) { - static mbedtls_entropy_context ec = {0}; - static mbedtls_ctr_drbg_context cd_ctx = {0}; + static mbedtls_entropy_context ec = { 0 }; + static mbedtls_ctr_drbg_context cd_ctx = { 0 }; static bool rand_initialised = false; if (!rand_initialised) @@ -341,14 +338,15 @@ rand_ctx_get(void) * 800-90 section 8.7.1). We have very little information at this stage. * Include Program Name, memory address of the context and PID. */ - buf_printf(&pers_string, "OpenVPN %0u %p %s", platform_getpid(), &cd_ctx, time_string(0, 0, 0, &gc)); + buf_printf(&pers_string, "OpenVPN %0u %p %s", platform_getpid(), &cd_ctx, + time_string(0, 0, 0, &gc)); /* Initialise mbed TLS RNG, and built-in entropy sources */ mbedtls_entropy_init(&ec); mbedtls_ctr_drbg_init(&cd_ctx); - if (!mbed_ok(mbedtls_ctr_drbg_seed(&cd_ctx, mbedtls_entropy_func, &ec, - BPTR(&pers_string), BLEN(&pers_string)))) + if (!mbed_ok(mbedtls_ctr_drbg_seed(&cd_ctx, mbedtls_entropy_func, &ec, BPTR(&pers_string), + BLEN(&pers_string)))) { msg(M_FATAL, "Failed to initialize random generator"); } 
@@ -421,12 +419,14 @@ cipher_valid_reason(const char *ciphername, const char **reason) return false; } - const size_t key_bytelen = mbedtls_cipher_info_get_key_bitlen(cipher)/8; + const size_t key_bytelen = mbedtls_cipher_info_get_key_bitlen(cipher) / 8; if (key_bytelen > MAX_CIPHER_KEY_LENGTH) { - msg(D_LOW, "Cipher algorithm '%s' uses a default key size (%zu bytes) " + msg(D_LOW, + "Cipher algorithm '%s' uses a default key size (%zu bytes) " "which is larger than " PACKAGE_NAME "'s current maximum key size " - "(%d bytes)", ciphername, key_bytelen, MAX_CIPHER_KEY_LENGTH); + "(%d bytes)", + ciphername, key_bytelen, MAX_CIPHER_KEY_LENGTH); *reason = "disabled due to key size too large"; return false; } @@ -457,7 +457,7 @@ cipher_kt_key_size(const char *ciphername) return 0; } - return (int)mbedtls_cipher_info_get_key_bitlen(cipher_kt)/8; + return (int)mbedtls_cipher_info_get_key_bitlen(cipher_kt) / 8; } int @@ -506,7 +506,7 @@ cipher_kt_insecure(const char *ciphername) #ifdef MBEDTLS_CHACHAPOLY_C || mbedtls_cipher_info_get_type(cipher_kt) == MBEDTLS_CIPHER_CHACHA20_POLY1305 #endif - ); + ); } static mbedtls_cipher_mode_t @@ -527,19 +527,21 @@ bool cipher_kt_mode_ofb_cfb(const char *ciphername) { const mbedtls_cipher_info_t *cipher = cipher_get(ciphername); - return cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB - || cipher_kt_mode(cipher) == OPENVPN_MODE_CFB); + return cipher + && (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB + || cipher_kt_mode(cipher) == OPENVPN_MODE_CFB); } bool cipher_kt_mode_aead(const char *ciphername) { const mbedtls_cipher_info_t *cipher = cipher_get(ciphername); - return cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_GCM + return cipher + && (cipher_kt_mode(cipher) == OPENVPN_MODE_GCM #ifdef MBEDTLS_CHACHAPOLY_C - || cipher_kt_mode(cipher) == MBEDTLS_MODE_CHACHAPOLY + || cipher_kt_mode(cipher) == MBEDTLS_MODE_CHACHAPOLY #endif - ); + ); } 
@@ -565,8 +567,8 @@ cipher_ctx_free(mbedtls_cipher_context_t *ctx) } void -cipher_ctx_init(mbedtls_cipher_context_t *ctx, const uint8_t *key, - const char *ciphername, crypto_operation_t enc) +cipher_ctx_init(mbedtls_cipher_context_t *ctx, const uint8_t *key, const char *ciphername, + crypto_operation_t enc) { ASSERT(NULL != ciphername && NULL != ctx); CLEAR(*ctx); @@ -611,7 +613,7 @@ cipher_ctx_get_tag(cipher_ctx_t *ctx, uint8_t *tag, int tag_len) return 0; } - if (!mbed_ok(mbedtls_cipher_write_tag(ctx, (unsigned char *) tag, tag_len))) + if (!mbed_ok(mbedtls_cipher_write_tag(ctx, (unsigned char *)tag, tag_len))) { return 0; } @@ -643,18 +645,20 @@ cipher_ctx_mode_cbc(const cipher_ctx_t *ctx) bool cipher_ctx_mode_ofb_cfb(const cipher_ctx_t *ctx) { - return ctx && (cipher_ctx_mode(ctx) == OPENVPN_MODE_OFB - || cipher_ctx_mode(ctx) == OPENVPN_MODE_CFB); + return ctx + && (cipher_ctx_mode(ctx) == OPENVPN_MODE_OFB + || cipher_ctx_mode(ctx) == OPENVPN_MODE_CFB); } bool cipher_ctx_mode_aead(const cipher_ctx_t *ctx) { - return ctx && (cipher_ctx_mode(ctx) == OPENVPN_MODE_GCM + return ctx + && (cipher_ctx_mode(ctx) == OPENVPN_MODE_GCM #ifdef MBEDTLS_CHACHAPOLY_C - || cipher_ctx_mode(ctx) == MBEDTLS_MODE_CHACHAPOLY + || cipher_ctx_mode(ctx) == MBEDTLS_MODE_CHACHAPOLY #endif - ); + ); } int @@ -690,13 +694,12 @@ cipher_ctx_update_ad(cipher_ctx_t *ctx, const uint8_t *src, int src_len) } int -cipher_ctx_update(mbedtls_cipher_context_t *ctx, uint8_t *dst, - int *dst_len, uint8_t *src, int src_len) +cipher_ctx_update(mbedtls_cipher_context_t *ctx, uint8_t *dst, int *dst_len, uint8_t *src, + int src_len) { size_t s_dst_len = *dst_len; - if (!mbed_ok(mbedtls_cipher_update(ctx, src, (size_t) src_len, dst, - &s_dst_len))) + if (!mbed_ok(mbedtls_cipher_update(ctx, src, (size_t)src_len, dst, &s_dst_len))) { return 0; } 
@@ -722,8 +725,8 @@ cipher_ctx_final(mbedtls_cipher_context_t *ctx, uint8_t *dst, int *dst_len) } int -cipher_ctx_final_check_tag(mbedtls_cipher_context_t *ctx, uint8_t *dst, - int *dst_len, uint8_t *tag, size_t tag_len) +cipher_ctx_final_check_tag(mbedtls_cipher_context_t *ctx, uint8_t *dst, int *dst_len, uint8_t *tag, + size_t tag_len) { size_t olen = 0; @@ -749,8 +752,7 @@ cipher_ctx_final_check_tag(mbedtls_cipher_context_t *ctx, uint8_t *dst, } *dst_len = olen; - if (!mbed_ok(mbedtls_cipher_check_tag(ctx, (const unsigned char *) tag, - tag_len))) + if (!mbed_ok(mbedtls_cipher_check_tag(ctx, (const unsigned char *)tag, tag_len))) { return 0; } @@ -759,7 +761,6 @@ cipher_ctx_final_check_tag(mbedtls_cipher_context_t *ctx, uint8_t *dst, } - /* * * Generic message digest information functions @@ -780,10 +781,10 @@ md_get(const char *digest) } if (mbedtls_md_get_size(md) > MAX_HMAC_KEY_LENGTH) { - msg(M_FATAL, "Message hash algorithm '%s' uses a default hash size (%d bytes) which is larger than " PACKAGE_NAME "'s current maximum hash size (%d bytes)", - digest, - mbedtls_md_get_size(md), - MAX_HMAC_KEY_LENGTH); + msg(M_FATAL, + "Message hash algorithm '%s' uses a default hash size (%d bytes) which is larger than " PACKAGE_NAME + "'s current maximum hash size (%d bytes)", + digest, mbedtls_md_get_size(md), MAX_HMAC_KEY_LENGTH); } return md; } @@ -791,7 +792,7 @@ md_get(const char *digest) bool md_valid(const char *digest) { - const mbedtls_md_info_t *md = mbedtls_md_info_from_string(digest); + const mbedtls_md_info_t *md = mbedtls_md_info_from_string(digest); return md != NULL; } 
@@ -966,8 +967,8 @@ memcmp_constant_time(const void *a, const void *b, size_t size) * via its APIs like OpenSSL does with CRYPTO_memcmp * Adapt the function that mbedtls itself uses in * mbedtls_safer_memcmp as it considers that to be safe */ - volatile const unsigned char *A = (volatile const unsigned char *) a; - volatile const unsigned char *B = (volatile const unsigned char *) b; + volatile const unsigned char *A = (volatile const unsigned char *)a; + volatile const unsigned char *B = (volatile const unsigned char *)b; volatile unsigned char diff = 0; for (size_t i = 0; i < size; i++) @@ -982,12 +983,11 @@ memcmp_constant_time(const void *a, const void *b, size_t size) * from recent versions, so we use our own implementation if necessary. */ #if defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1) bool -ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, - int secret_len, uint8_t *output, int output_len) +ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, + uint8_t *output, int output_len) { - return mbed_ok(mbedtls_ssl_tls_prf(MBEDTLS_SSL_TLS_PRF_TLS1, secret, - secret_len, "", seed, seed_len, output, - output_len)); + return mbed_ok(mbedtls_ssl_tls_prf(MBEDTLS_SSL_TLS_PRF_TLS1, secret, secret_len, "", seed, + seed_len, output, output_len)); } #else /* defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */ /* @@ -1002,8 +1002,8 @@ ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, * @param olen Length of the output buffer */ static void -tls1_P_hash(const mbedtls_md_info_t *md_kt, const uint8_t *sec, int sec_len, - const uint8_t *seed, int seed_len, uint8_t *out, int olen) +tls1_P_hash(const mbedtls_md_info_t *md_kt, const uint8_t *sec, int sec_len, const uint8_t *seed, + int seed_len, uint8_t *out, int olen) { struct gc_arena gc = gc_new(); uint8_t A1[MAX_HMAC_KEY_LENGTH]; 
@@ -1037,7 +1037,7 @@ tls1_P_hash(const mbedtls_md_info_t *md_kt, const uint8_t *sec, int sec_len, hmac_ctx_update(ctx, seed, seed_len); hmac_ctx_final(ctx, A1); - for (;; ) + for (;;) { hmac_ctx_reset(ctx); hmac_ctx_reset(ctx_tmp); @@ -1052,7 +1052,7 @@ tls1_P_hash(const mbedtls_md_info_t *md_kt, const uint8_t *sec, int sec_len, olen -= chunk; hmac_ctx_final(ctx_tmp, A1); /* calc the next A1 value */ } - else /* last one */ + else /* last one */ { hmac_ctx_final(ctx, A1); memcpy(out, A1, olen); @@ -1089,8 +1089,8 @@ tls1_P_hash(const mbedtls_md_info_t *md_kt, const uint8_t *sec, int sec_len, * (2) The pre-master secret is generated by the client. */ bool -ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, - int slen, uint8_t *out1, int olen) +ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, int slen, uint8_t *out1, + int olen) { struct gc_arena gc = gc_new(); const md_kt_t *md5 = md_get("MD5"); @@ -1098,15 +1098,15 @@ ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, uint8_t *out2 = (uint8_t *)gc_malloc(olen, false, &gc); - int len = slen/2; + int len = slen / 2; const uint8_t *S1 = sec; const uint8_t *S2 = &(sec[len]); - len += (slen&1); /* add for odd, make longer */ + len += (slen & 1); /* add for odd, make longer */ tls1_P_hash(md5, S1, len, label, label_len, out1, olen); tls1_P_hash(sha1, S2, len, label, label_len, out2, olen); - for (int i = 0; i= 0x30000000L */ +#else /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ msg(M_WARN, "Note: OpenSSL provider functionality is not available"); return NULL; #endif 
@@ -249,12 +244,13 @@ crypto_print_openssl_errors(const unsigned int flags) if (ERR_GET_REASON(err) == SSL_R_NO_SHARED_CIPHER) { msg(D_CRYPT_ERRORS, "TLS error: The server has no TLS ciphersuites " - "in common with the client. Your --tls-cipher setting might be " - "too restrictive."); + "in common with the client. Your --tls-cipher setting might be " + "too restrictive."); } else if (ERR_GET_REASON(err) == SSL_R_UNSUPPORTED_PROTOCOL) { - msg(D_CRYPT_ERRORS, "TLS error: Unsupported protocol. This typically " + msg(D_CRYPT_ERRORS, + "TLS error: Unsupported protocol. This typically " "indicates that client and server have no common TLS version enabled. " "This can be caused by mismatched tls-version-min and tls-version-max " "options on client and server. " @@ -270,8 +266,8 @@ crypto_print_openssl_errors(const unsigned int flags) } else { - msg(flags, "OpenSSL: %s:%s:%s:%d:%s", ERR_error_string(err, NULL), - data, file, line, func); + msg(flags, "OpenSSL: %s:%s:%s:%d:%s", ERR_error_string(err, NULL), data, file, line, + func); } } } @@ -307,9 +303,7 @@ crypto_free(void *ptr) void crypto_init_dmalloc(void) { - CRYPTO_set_mem_ex_functions(crypto_malloc, - crypto_realloc, - crypto_free); + CRYPTO_set_mem_ex_functions(crypto_malloc, crypto_realloc, crypto_free); } #endif /* DMALLOC */ @@ -332,7 +326,8 @@ cipher_name_cmp(const void *a, const void *b) return strcmp(EVP_CIPHER_get0_name(*cipher_a), EVP_CIPHER_get0_name(*cipher_b)); } -struct collect_ciphers { +struct collect_ciphers +{ /* If we ever exceed this, we must be more selective */ const EVP_CIPHER *list[1000]; size_t num; 
@@ -354,12 +349,12 @@ collect_ciphers(EVP_CIPHER *cipher, void *list) const char *ciphername = EVP_CIPHER_get0_name(cipher); - if (ciphername && (cipher_kt_mode_cbc(ciphername) + if (ciphername + && (cipher_kt_mode_cbc(ciphername) #ifdef ENABLE_OFB_CFB_MODE - || cipher_kt_mode_ofb_cfb(ciphername) + || cipher_kt_mode_ofb_cfb(ciphername) #endif - || cipher_kt_mode_aead(ciphername) - )) + || cipher_kt_mode_aead(ciphername))) { cipher_list->list[cipher_list->num++] = cipher; } @@ -393,17 +388,18 @@ show_available_ciphers(void) { cipher = EVP_get_cipherbyname(name); } -#else /* if defined(LIBRESSL_VERSION_NUMBER) */ +#else /* if defined(LIBRESSL_VERSION_NUMBER) */ const EVP_CIPHER *cipher = EVP_get_cipherbynid(nid); #endif /* We cast the const away so we can keep the function prototype * compatible with EVP_CIPHER_do_all_provided */ - collect_ciphers((EVP_CIPHER *) cipher, &cipher_list); + collect_ciphers((EVP_CIPHER *)cipher, &cipher_list); } #endif /* cast to non-const to prevent warning */ - qsort((EVP_CIPHER *)cipher_list.list, cipher_list.num, sizeof(*cipher_list.list), cipher_name_cmp); + qsort((EVP_CIPHER *)cipher_list.list, cipher_list.num, sizeof(*cipher_list.list), + cipher_name_cmp); for (size_t i = 0; i < cipher_list.num; i++) { @@ -436,8 +432,8 @@ void show_available_digests(void) { #ifndef ENABLE_SMALL - printf("The following message digests are available for use with\n" - PACKAGE_NAME ". A message digest is used in conjunction with\n" + printf("The following message digests are available for use with\n" PACKAGE_NAME + ". A message digest is used in conjunction with\n" "the HMAC function, to authenticate received packets.\n" "You can specify a message digest as parameter to\n" "the --auth option.\n"); 
@@ -486,21 +482,19 @@ show_available_engines(void) e = ENGINE_get_first(); while (e) { - printf("%s [%s]\n", - ENGINE_get_name(e), - ENGINE_get_id(e)); + printf("%s [%s]\n", ENGINE_get_name(e), ENGINE_get_id(e)); e = ENGINE_get_next(e); } ENGINE_cleanup(); -#else /* if HAVE_OPENSSL_ENGINE */ +#else /* if HAVE_OPENSSL_ENGINE */ printf("Sorry, OpenSSL hardware crypto engine functionality is not available.\n"); #endif } bool -crypto_pem_encode(const char *name, struct buffer *dst, - const struct buffer *src, struct gc_arena *gc) +crypto_pem_encode(const char *name, struct buffer *dst, const struct buffer *src, + struct gc_arena *gc) { bool ret = false; BIO *bio = BIO_new(BIO_s_mem()); @@ -527,8 +521,7 @@ cleanup: } bool -crypto_pem_decode(const char *name, struct buffer *dst, - const struct buffer *src) +crypto_pem_decode(const char *name, struct buffer *dst, const struct buffer *src) { bool ret = false; @@ -542,8 +535,7 @@ crypto_pem_decode(const char *name, struct buffer *dst, char *header_read = NULL; uint8_t *data_read = NULL; long data_read_len = 0; - if (!PEM_read_bio(bio, &name_read, &header_read, &data_read, - &data_read_len)) + if (!PEM_read_bio(bio, &name_read, &header_read, &data_read, &data_read_len)) { dmsg(D_CRYPT_ERRORS, "%s: PEM decode failed", __func__); goto cleanup; @@ -551,17 +543,16 @@ crypto_pem_decode(const char *name, struct buffer *dst, if (strcmp(name, name_read)) { - dmsg(D_CRYPT_ERRORS, - "%s: unexpected PEM name (got '%s', expected '%s')", - __func__, name_read, name); + dmsg(D_CRYPT_ERRORS, "%s: unexpected PEM name (got '%s', expected '%s')", __func__, + name_read, name); goto cleanup; } uint8_t *dst_data = buf_write_alloc(dst, data_read_len); if (!dst_data) { - dmsg(D_CRYPT_ERRORS, "%s: dst too small (%i, needs %li)", __func__, - BCAP(dst), data_read_len); + dmsg(D_CRYPT_ERRORS, "%s: dst too small (%i, needs %li)", __func__, BCAP(dst), + data_read_len); goto cleanup; } memcpy(dst_data, data_read, data_read_len); 
@@ -632,18 +623,21 @@ cipher_valid_reason(const char *ciphername, const char **reason) if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) { - msg(D_LOW, "Cipher algorithm '%s' is known by OpenSSL library but " - "currently disabled by running in FIPS mode.", ciphername); + msg(D_LOW, + "Cipher algorithm '%s' is known by OpenSSL library but " + "currently disabled by running in FIPS mode.", + ciphername); *reason = "disabled by FIPS mode"; goto out; } #endif if (EVP_CIPHER_key_length(cipher) > MAX_CIPHER_KEY_LENGTH) { - msg(D_LOW, "Cipher algorithm '%s' uses a default key size (%d bytes) " + msg(D_LOW, + "Cipher algorithm '%s' uses a default key size (%d bytes) " "which is larger than " PACKAGE_NAME "'s current maximum key size " - "(%d bytes)", ciphername, EVP_CIPHER_key_length(cipher), - MAX_CIPHER_KEY_LENGTH); + "(%d bytes)", + ciphername, EVP_CIPHER_key_length(cipher), MAX_CIPHER_KEY_LENGTH); *reason = "disabled due to key size too large"; goto out; } @@ -758,7 +752,6 @@ cipher_kt_tag_size(const char *ciphername) bool cipher_kt_insecure(const char *ciphername) { - if (cipher_kt_block_size(ciphername) >= 128 / 8) { return false; @@ -790,12 +783,13 @@ cipher_kt_mode_cbc(const char *ciphername) { evp_cipher_type *cipher = cipher_get(ciphername); - bool ret = cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_CBC - /* Exclude AEAD cipher modes, they require a different API */ + bool ret = cipher + && (cipher_kt_mode(cipher) == OPENVPN_MODE_CBC + /* Exclude AEAD cipher modes, they require a different API */ #ifdef EVP_CIPH_FLAG_CTS - && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS) + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS) #endif - && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)); + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)); EVP_CIPHER_free(cipher); return ret; } 
@@ -804,8 +798,9 @@ bool cipher_kt_mode_ofb_cfb(const char *ciphername) { evp_cipher_type *cipher = cipher_get(ciphername); - bool ofb_cfb = cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB - || cipher_kt_mode(cipher) == OPENVPN_MODE_CFB) + bool ofb_cfb = cipher + && (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB + || cipher_kt_mode(cipher) == OPENVPN_MODE_CFB) /* Exclude AEAD cipher modes, they require a different API */ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER); EVP_CIPHER_free(cipher); @@ -828,7 +823,7 @@ cipher_kt_mode_aead(const char *ciphername) #ifdef NID_chacha20_poly1305 if (EVP_CIPHER_nid(cipher) == NID_chacha20_poly1305) { - isaead = true; + isaead = true; } #endif } @@ -859,8 +854,8 @@ cipher_ctx_free(EVP_CIPHER_CTX *ctx) } void -cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, - const char *ciphername, crypto_operation_t enc) +cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, const char *ciphername, + crypto_operation_t enc) { ASSERT(NULL != ciphername && NULL != ctx); evp_cipher_type *kt = cipher_get(ciphername); @@ -913,7 +908,7 @@ cipher_ctx_mode_cbc(const cipher_ctx_t *ctx) int mode = EVP_CIPHER_CTX_mode(ctx); return mode == EVP_CIPH_CBC_MODE - /* Exclude AEAD cipher modes, they require a different API */ + /* Exclude AEAD cipher modes, they require a different API */ #ifdef EVP_CIPH_FLAG_CTS && !(flags & EVP_CIPH_FLAG_CTS) #endif @@ -976,8 +971,7 @@ cipher_ctx_update_ad(EVP_CIPHER_CTX *ctx, const uint8_t *src, int src_len) } int -cipher_ctx_update(EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len, - uint8_t *src, int src_len) +cipher_ctx_update(EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len, uint8_t *src, int src_len) { if (!EVP_CipherUpdate(ctx, dst, dst_len, src, src_len)) { 
@@ -993,8 +987,8 @@ cipher_ctx_final(EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len) } int -cipher_ctx_final_check_tag(EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len, - uint8_t *tag, size_t tag_len) +cipher_ctx_final_check_tag(EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len, uint8_t *tag, + size_t tag_len) { ASSERT(tag_len < SIZE_MAX); if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, tag)) @@ -1025,7 +1019,8 @@ md_get(const char *digest) } if (EVP_MD_size(md) > MAX_HMAC_KEY_LENGTH) { - crypto_msg(M_FATAL, "Message hash algorithm '%s' uses a default hash " + crypto_msg(M_FATAL, + "Message hash algorithm '%s' uses a default hash " "size (%d bytes) which is larger than " PACKAGE_NAME "'s current " "maximum hash size (%d bytes)", digest, EVP_MD_size(md), MAX_HMAC_KEY_LENGTH); @@ -1051,17 +1046,12 @@ md_valid(const char *digest) * this translation table for forward lookup, only for returning the name * with md_kt_name() */ const cipher_name_pair digest_name_translation_table[] = { - { "BLAKE2s256", "BLAKE2S-256"}, - { "BLAKE2b512", "BLAKE2B-512"}, - { "RIPEMD160", "RIPEMD-160" }, - { "SHA224", "SHA2-224"}, - { "SHA256", "SHA2-256"}, - { "SHA384", "SHA2-384"}, - { "SHA512", "SHA2-512"}, - { "SHA512-224", "SHA2-512/224"}, - { "SHA512-256", "SHA2-512/256"}, - { "SHAKE128", "SHAKE-128"}, - { "SHAKE256", "SHAKE-256"}, + { "BLAKE2s256", "BLAKE2S-256" }, { "BLAKE2b512", "BLAKE2B-512" }, + { "RIPEMD160", "RIPEMD-160" }, { "SHA224", "SHA2-224" }, + { "SHA256", "SHA2-256" }, { "SHA384", "SHA2-384" }, + { "SHA512", "SHA2-512" }, { "SHA512-224", "SHA2-512/224" }, + { "SHA512-256", "SHA2-512/256" }, { "SHAKE128", "SHAKE-128" }, + { "SHAKE256", "SHAKE-256" }, }; const size_t digest_name_translation_table_count = sizeof(digest_name_translation_table) / sizeof(*digest_name_translation_table); 
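Review bot: `ASSERT(tag_len < SIZE_MAX)` in cipher_ctx_final_check_tag does not bound the value that is actually narrowed on the next line: tag_len is a size_t handed to EVP_CIPHER_CTX_ctrl as its int `arg`, so a value above INT_MAX would be reinterpreted before the library ever sees it, while the assertion as written is true for every size_t except one. Checking the range that matters, `ASSERT(tag_len <= INT_MAX);`, states the intent and costs nothing. The rest of cipher_ctx_final_check_tag lies outside the hunk.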
@@ -1098,7 +1088,7 @@ md_kt_size(const char *mdname) return 0; } evp_md_type *kt = md_get(mdname); - unsigned char size = (unsigned char)EVP_MD_size(kt); + unsigned char size = (unsigned char)EVP_MD_size(kt); EVP_MD_free(kt); return size; } @@ -1286,10 +1276,8 @@ hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, const char *mdname) * only used for lookup so we cast (as OpenSSL also does internally) * the constness away here. */ - ctx->params[0] = OSSL_PARAM_construct_utf8_string("digest", - (char *) EVP_MD_get0_name(kt), 0); - ctx->params[1] = OSSL_PARAM_construct_octet_string("key", - ctx->key, EVP_MD_size(kt)); + ctx->params[0] = OSSL_PARAM_construct_utf8_string("digest", (char *)EVP_MD_get0_name(kt), 0); + ctx->params[1] = OSSL_PARAM_construct_octet_string("key", ctx->key, EVP_MD_size(kt)); ctx->params[2] = OSSL_PARAM_construct_end(); if (!EVP_MAC_init(ctx->ctx, NULL, 0, ctx->params)) @@ -1348,8 +1336,8 @@ memcmp_constant_time(const void *a, const void *b, size_t size) } #if (OPENSSL_VERSION_NUMBER >= 0x30000000L) && !defined(LIBRESSL_VERSION_NUMBER) bool -ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, - int secret_len, uint8_t *output, int output_len) +ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, + uint8_t *output, int output_len) { bool ret = true; EVP_KDF_CTX *kctx = NULL; 
@@ -1372,18 +1360,18 @@ ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, /* The OpenSSL APIs require us to cast the const aways even though the * strings are never changed and only read */ - params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, - SN_md5_sha1, strlen(SN_md5_sha1)); - params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, - (uint8_t *) secret, (size_t) secret_len); - params[2] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, - (uint8_t *) seed, (size_t) seed_len); + params[0] = + OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, SN_md5_sha1, strlen(SN_md5_sha1)); + params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, (uint8_t *)secret, + (size_t)secret_len); + params[2] = + OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, (uint8_t *)seed, (size_t)seed_len); params[3] = OSSL_PARAM_construct_end(); if (EVP_KDF_derive(kctx, output, output_len, params) <= 0) { crypto_msg(D_TLS_DEBUG_LOW, "Generating TLS 1.0 PRF using " - "EVP_KDF_derive failed"); + "EVP_KDF_derive failed"); goto err; } @@ -1399,15 +1387,15 @@ out: } #elif defined(OPENSSL_IS_AWSLC) bool -ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, - int slen, uint8_t *out1, int olen) +ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, int slen, uint8_t *out1, + int olen) { CRYPTO_tls1_prf(EVP_md5_sha1(), out1, olen, sec, slen, label, label_len, NULL, 0, NULL, 0); } #elif !defined(LIBRESSL_VERSION_NUMBER) && !defined(ENABLE_CRYPTO_WOLFSSL) bool -ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, - int secret_len, uint8_t *output, int output_len) +ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, + uint8_t *output, int output_len) { EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL); if (!pctx) 
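Review bot: The `#elif defined(OPENSSL_IS_AWSLC)` variant of ssl_tls1_PRF is declared `bool` but its body only calls CRYPTO_tls1_prf and falls off the end without a return statement, so a caller that checks the PRF result reads an indeterminate value (and a failed derivation is never reported). Returning the library status, `return CRYPTO_tls1_prf(EVP_md5_sha1(), out1, olen, sec, slen, label, label_len, NULL, 0, NULL, 0) == 1;`, would match the OpenSSL 3 variant above, which sets `ret` to false on `EVP_KDF_derive` failure; the success value of CRYPTO_tls1_prf should be confirmed against the AWS-LC header before relying on the comparison. Building with `-Wreturn-type` as an error would catch this class of defect; a reformat-only commit is not the place to fix it, but it deserves a follow-up.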
@@ -1455,8 +1443,8 @@ out: * OpenSSL does. As result they will only be able to support * peers that support TLS EKM like when running with OpenSSL 3.x FIPS */ bool -ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, - int slen, uint8_t *out1, int olen) +ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, int slen, uint8_t *out1, + int olen) { return false; } diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h index 9680c18ee..6218b39de 100644 --- a/src/openvpn/crypto_openssl.h +++ b/src/openvpn/crypto_openssl.h @@ -50,7 +50,8 @@ typedef HMAC_CTX hmac_ctx_t; /* Use a dummy type for the provider */ typedef void provider_t; #else -typedef struct { +typedef struct +{ OSSL_PARAM params[3]; uint8_t key[EVP_MAX_KEY_LENGTH]; EVP_MAC_CTX *ctx; @@ -71,29 +72,29 @@ typedef EVP_MD evp_md_type; #endif /** Maximum length of an IV */ -#define OPENVPN_MAX_IV_LENGTH EVP_MAX_IV_LENGTH +#define OPENVPN_MAX_IV_LENGTH EVP_MAX_IV_LENGTH /** Cipher is in CBC mode */ -#define OPENVPN_MODE_CBC EVP_CIPH_CBC_MODE +#define OPENVPN_MODE_CBC EVP_CIPH_CBC_MODE /** Cipher is in OFB mode */ -#define OPENVPN_MODE_OFB EVP_CIPH_OFB_MODE +#define OPENVPN_MODE_OFB EVP_CIPH_OFB_MODE /** Cipher is in CFB mode */ -#define OPENVPN_MODE_CFB EVP_CIPH_CFB_MODE +#define OPENVPN_MODE_CFB EVP_CIPH_CFB_MODE /** Cipher is in GCM mode */ -#define OPENVPN_MODE_GCM EVP_CIPH_GCM_MODE +#define OPENVPN_MODE_GCM EVP_CIPH_GCM_MODE typedef int crypto_operation_t; /** Cipher should encrypt */ -#define OPENVPN_OP_ENCRYPT 1 +#define OPENVPN_OP_ENCRYPT 1 /** Cipher should decrypt */ -#define OPENVPN_OP_DECRYPT 0 +#define OPENVPN_OP_DECRYPT 0 -#define MD4_DIGEST_LENGTH 16 +#define MD4_DIGEST_LENGTH 16 /** * Retrieve any occurred OpenSSL errors and print those errors. 
@@ -112,10 +113,11 @@ void crypto_print_openssl_errors(const unsigned int flags); * @param flags Flags to indicate error type and priority. * @param ... Format string and optional format arguments */ -#define crypto_msg(flags, ...) \ - do { \ +#define crypto_msg(flags, ...) \ + do \ + { \ crypto_print_openssl_errors(nonfatal(flags)); \ - msg((flags), __VA_ARGS__); \ + msg((flags), __VA_ARGS__); \ } while (false) #endif /* CRYPTO_OPENSSL_H_ */ diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index 67dc382dc..d91d9a1c2 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -62,11 +62,12 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) return 0; } -#else /* HAVE_XKEY_PROVIDER */ +#else /* HAVE_XKEY_PROVIDER */ static XKEY_EXTERNAL_SIGN_fn xkey_cng_sign; -typedef struct _CAPI_DATA { +typedef struct _CAPI_DATA +{ const CERT_CONTEXT *cert_context; HCRYPTPROV_OR_NCRYPT_KEY_HANDLE crypt_prov; EVP_PKEY *pubkey; @@ -112,7 +113,7 @@ cng_hash_algo(int md_type) break; default: - msg(M_WARN|M_INFO, "cryptoapicert: Unknown hash type NID=0x%x", md_type); + msg(M_WARN | M_INFO, "cryptoapicert: Unknown hash type NID=0x%x", md_type); break; } return alg; @@ -157,7 +158,7 @@ int parse_hexstring(const char *p, unsigned char *arr, size_t capacity) { int i = 0; - for ( ; *p && i < capacity; p += 2) + for (; *p && i < capacity; p += 2) { /* skip spaces */ while (*p == ' ') @@ -169,8 +170,7 @@ parse_hexstring(const char *p, unsigned char *arr, size_t capacity) break; } - if (!isxdigit(p[0]) || !isxdigit(p[1]) - || sscanf(p, "%2hhx", &arr[i++]) != 1) + if (!isxdigit(p[0]) || !isxdigit(p[1]) || sscanf(p, "%2hhx", &arr[i++]) != 1) { return 0; } 
@@ -179,21 +179,21 @@ parse_hexstring(const char *p, unsigned char *arr, size_t capacity) } static void * -decode_object(struct gc_arena *gc, LPCSTR struct_type, - const CRYPT_OBJID_BLOB *val, DWORD flags, DWORD *cb) +decode_object(struct gc_arena *gc, LPCSTR struct_type, const CRYPT_OBJID_BLOB *val, DWORD flags, + DWORD *cb) { /* get byte count for decoding */ BYTE *buf; - if (!CryptDecodeObject(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, struct_type, - val->pbData, val->cbData, flags, NULL, cb)) + if (!CryptDecodeObject(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, struct_type, val->pbData, + val->cbData, flags, NULL, cb)) { return NULL; } /* do the actual decode */ buf = gc_malloc(*cb, false, gc); - if (!CryptDecodeObject(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, struct_type, - val->pbData, val->cbData, flags, buf, cb)) + if (!CryptDecodeObject(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, struct_type, val->pbData, + val->cbData, flags, buf, cb)) { return NULL; } @@ -243,8 +243,8 @@ test_certificate_template(const char *cert_prop, const CERT_CONTEXT *cert_ctx) return true; } - const CRYPT_OID_INFO *tmpl_oid = find_oid(CRYPT_OID_INFO_NAME_KEY, tmpl_name, - CRYPT_TEMPLATE_OID_GROUP_ID); + const CRYPT_OID_INFO *tmpl_oid = + find_oid(CRYPT_OID_INFO_NAME_KEY, tmpl_name, CRYPT_TEMPLATE_OID_GROUP_ID); if (tmpl_oid && !stricmp(tmpl_oid->pszOID, cte->pszObjId)) { /* found OID match in extension against resolved key */ @@ -274,7 +274,7 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) DWORD find_type; const void *find_param; unsigned char hash[255]; - CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash}; + CRYPT_HASH_BLOB blob = { .cbData = 0, .pbData = hash }; struct gc_arena gc = gc_new(); if (!strncmp(cert_prop, "SUBJ:", 5)) 
@@ -296,7 +296,7 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) blob.cbData = parse_hexstring(cert_prop + 6, hash, sizeof(hash)); if (blob.cbData == 0) { - msg(M_WARN|M_INFO, "WARNING: cryptoapicert: error parsing <%s>.", cert_prop); + msg(M_WARN | M_INFO, "WARNING: cryptoapicert: error parsing <%s>.", cert_prop); goto out; } } @@ -308,7 +308,8 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) } else { - msg(M_NONFATAL, "Error in cryptoapicert: unsupported certificate specification <%s>", cert_prop); + msg(M_NONFATAL, "Error in cryptoapicert: unsupported certificate specification <%s>", + cert_prop); goto out; } @@ -316,15 +317,14 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) { int validity = 1; /* this frees previous rv, if not NULL */ - rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, - 0, find_type, find_param, rv); + rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, + find_type, find_param, rv); if (!rv) { break; } /* if searching by template name, check now if it matches */ - if (find_type == CERT_FIND_HAS_PRIVATE_KEY - && !test_certificate_template(cert_prop, rv)) + if (find_type == CERT_FIND_HAS_PRIVATE_KEY && !test_certificate_template(cert_prop, rv)) { continue; } @@ -333,7 +333,7 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) { break; } - msg(M_WARN|M_INFO, "WARNING: cryptoapicert: ignoring certificate in store %s.", + msg(M_WARN | M_INFO, "WARNING: cryptoapicert: ignoring certificate in store %s.", validity < 0 ? "not yet valid" : "that has expired"); } 
@@ -356,12 +356,12 @@ xkey_cng_ec_sign(CAPI_DATA *cd, unsigned char *sig, size_t *siglen, const unsign if (status != ERROR_SUCCESS) { SetLastError(status); - msg(M_NONFATAL|M_ERRNO, "Error in cryptoapicert: ECDSA signature using CNG failed."); + msg(M_NONFATAL | M_ERRNO, "Error in cryptoapicert: ECDSA signature using CNG failed."); return 0; } /* NCryptSignHash returns r|s -- convert to DER encoded buffer expected by OpenSSL */ - int derlen = ecdsa_bin2der(sig, (int) len, *siglen); + int derlen = ecdsa_bin2der(sig, (int)len, *siglen); if (derlen <= 0) { return 0; @@ -396,9 +396,9 @@ xkey_cng_rsa_sign(CAPI_DATA *cd, unsigned char *sig, size_t *siglen, const unsig { msg(D_LOW, "Signing using NCryptSignHash with PKCS1 padding: hashalg <%s>", sigalg.mdname); - BCRYPT_PKCS1_PADDING_INFO padinfo = {hashalg}; - status = NCryptSignHash(cd->crypt_prov, &padinfo, (BYTE *)tbs, (DWORD)tbslen, - sig, (DWORD)*siglen, &len, BCRYPT_PAD_PKCS1); + BCRYPT_PKCS1_PADDING_INFO padinfo = { hashalg }; + status = NCryptSignHash(cd->crypt_prov, &padinfo, (BYTE *)tbs, (DWORD)tbslen, sig, + (DWORD)*siglen, &len, BCRYPT_PAD_PKCS1); } else if (!strcmp(sigalg.padmode, "pss")) { @@ -416,9 +416,10 @@ xkey_cng_rsa_sign(CAPI_DATA *cd, unsigned char *sig, size_t *siglen, const unsig msg(D_LOW, "Signing using NCryptSignHash with PSS padding: hashalg <%s>, saltlen <%d>", sigalg.mdname, saltlen); - BCRYPT_PSS_PADDING_INFO padinfo = {hashalg, (DWORD) saltlen}; /* cast is safe as saltlen >= 0 */ - status = NCryptSignHash(cd->crypt_prov, &padinfo, (BYTE *)tbs, (DWORD) tbslen, - sig, (DWORD)*siglen, &len, BCRYPT_PAD_PSS); + BCRYPT_PSS_PADDING_INFO padinfo = { hashalg, + (DWORD)saltlen }; /* cast is safe as saltlen >= 0 */ + status = NCryptSignHash(cd->crypt_prov, &padinfo, (BYTE *)tbs, (DWORD)tbslen, sig, + (DWORD)*siglen, &len, BCRYPT_PAD_PSS); } else { 
@@ -429,7 +430,7 @@ xkey_cng_rsa_sign(CAPI_DATA *cd, unsigned char *sig, size_t *siglen, const unsig if (status != ERROR_SUCCESS) { SetLastError(status); - msg(M_NONFATAL|M_ERRNO, "Error in cryptoapicert: RSA signature using CNG failed."); + msg(M_NONFATAL | M_ERRNO, "Error in cryptoapicert: RSA signature using CNG failed."); return 0; } @@ -484,7 +485,7 @@ get_cert_name(const CERT_CONTEXT *cc, struct gc_arena *gc) char *name = NULL; if (len) { - wchar_t *wname = gc_malloc(len*sizeof(wchar_t), false, gc); + wchar_t *wname = gc_malloc(len * sizeof(wchar_t), false, gc); if (!wname || CertGetNameStringW(cc, CERT_NAME_FRIENDLY_DISPLAY_TYPE, 0, NULL, wname, len) == 0) { @@ -504,7 +505,6 @@ get_cert_name(const CERT_CONTEXT *cc, struct gc_arena *gc) static int Load_CryptoAPI_certificate(const char *cert_prop, X509 **cert, EVP_PKEY **privkey) { - HCERTSTORE cs; CAPI_DATA *cd = calloc(1, sizeof(*cd)); struct gc_arena gc = gc_new(); 
@@ -515,29 +515,35 @@ Load_CryptoAPI_certificate(const char *cert_prop, X509 **cert, EVP_PKEY **privke goto err; } /* search CURRENT_USER first, then LOCAL_MACHINE */ - cs = CertOpenStore((LPCSTR) CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_CURRENT_USER - |CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG, L"MY"); + cs = CertOpenStore((LPCSTR)CERT_STORE_PROV_SYSTEM, 0, 0, + CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_OPEN_EXISTING_FLAG + | CERT_STORE_READONLY_FLAG, + L"MY"); if (cs == NULL) { - msg(M_NONFATAL|M_ERRNO, "Error in cryptoapicert: failed to open user certficate store"); + msg(M_NONFATAL | M_ERRNO, "Error in cryptoapicert: failed to open user certficate store"); goto err; } cd->cert_context = find_certificate_in_store(cert_prop, cs); CertCloseStore(cs, 0); if (!cd->cert_context) { - cs = CertOpenStore((LPCSTR) CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_LOCAL_MACHINE - |CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG, L"MY"); + cs = CertOpenStore((LPCSTR)CERT_STORE_PROV_SYSTEM, 0, 0, + CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_OPEN_EXISTING_FLAG + | CERT_STORE_READONLY_FLAG, + L"MY"); if (cs == NULL) { - msg(M_NONFATAL|M_ERRNO, "Error in cryptoapicert: failed to open machine certficate store"); + msg(M_NONFATAL | M_ERRNO, + "Error in cryptoapicert: failed to open machine certficate store"); goto err; } cd->cert_context = find_certificate_in_store(cert_prop, cs); CertCloseStore(cs, 0); if (cd->cert_context == NULL) { - msg(M_NONFATAL, "Error in cryptoapicert: certificate matching <%s> not found", cert_prop); + msg(M_NONFATAL, "Error in cryptoapicert: certificate matching <%s> not found", + cert_prop); goto err; } } 
@@ -550,7 +556,7 @@ Load_CryptoAPI_certificate(const char *cert_prop, X509 **cert, EVP_PKEY **privke } /* cert_context->pbCertEncoded is the cert X509 DER encoded. */ - *cert = d2i_X509(NULL, (const unsigned char **) &cd->cert_context->pbCertEncoded, + *cert = d2i_X509(NULL, (const unsigned char **)&cd->cert_context->pbCertEncoded, cd->cert_context->cbCertEncoded); if (*cert == NULL) { @@ -560,13 +566,13 @@ Load_CryptoAPI_certificate(const char *cert_prop, X509 **cert, EVP_PKEY **privke /* set up stuff to use the private key */ /* We support NCRYPT key handles only */ - DWORD flags = CRYPT_ACQUIRE_COMPARE_KEY_FLAG - | CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG; - if (!CryptAcquireCertificatePrivateKey(cd->cert_context, flags, NULL, - &cd->crypt_prov, &cd->key_spec, &cd->free_crypt_prov)) + DWORD flags = CRYPT_ACQUIRE_COMPARE_KEY_FLAG | CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG; + if (!CryptAcquireCertificatePrivateKey(cd->cert_context, flags, NULL, &cd->crypt_prov, + &cd->key_spec, &cd->free_crypt_prov)) { /* private key may be in a token not available, or incompatible with CNG */ - msg(M_NONFATAL|M_ERRNO, "Error in cryptoapicert: failed to acquire key. Key not present or " + msg(M_NONFATAL | M_ERRNO, + "Error in cryptoapicert: failed to acquire key. Key not present or " "is in a legacy token not supported by Windows CNG API"); X509_free(*cert); goto err; @@ -576,8 +582,8 @@ Load_CryptoAPI_certificate(const char *cert_prop, X509 **cert, EVP_PKEY **privke EVP_PKEY *pkey = X509_get_pubkey(*cert); cd->pubkey = pkey; /* will be freed with cd */ - *privkey = xkey_load_generic_key(tls_libctx, cd, pkey, - xkey_cng_sign, (XKEY_PRIVKEY_FREE_fn *) CAPI_DATA_free); + *privkey = xkey_load_generic_key(tls_libctx, cd, pkey, xkey_cng_sign, + (XKEY_PRIVKEY_FREE_fn *)CAPI_DATA_free); gc_free(&gc); return 1; /* do not free cd -- its kept by xkey provider */ 
@@ -598,8 +604,7 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) { return ret; } - if (SSL_CTX_use_certificate(ssl_ctx, cert) - && SSL_CTX_use_PrivateKey(ssl_ctx, privkey)) + if (SSL_CTX_use_certificate(ssl_ctx, cert) && SSL_CTX_use_PrivateKey(ssl_ctx, privkey)) { crypto_print_openssl_errors(M_WARN); ret = 1; @@ -612,5 +617,5 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) return ret; } -#endif /* HAVE_XKEY_PROVIDER */ -#endif /* _WIN32 */ +#endif /* HAVE_XKEY_PROVIDER */ +#endif /* _WIN32 */ diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index df70e8713..1abebbbcf 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -51,14 +51,13 @@ #endif static int -dco_install_key(struct tls_multi *multi, struct key_state *ks, - const uint8_t *encrypt_key, const uint8_t *encrypt_iv, - const uint8_t *decrypt_key, const uint8_t *decrypt_iv, +dco_install_key(struct tls_multi *multi, struct key_state *ks, const uint8_t *encrypt_key, + const uint8_t *encrypt_iv, const uint8_t *decrypt_key, const uint8_t *decrypt_iv, const char *ciphername) { - msg(D_DCO_DEBUG, "%s: peer_id=%d keyid=%d, currently %d keys installed", - __func__, multi->dco_peer_id, ks->key_id, multi->dco_keys_installed); + msg(D_DCO_DEBUG, "%s: peer_id=%d keyid=%d, currently %d keys installed", __func__, + multi->dco_peer_id, ks->key_id, multi->dco_keys_installed); /* Install a key in the PRIMARY slot only when no other key exist. * From that moment on, any new key will be installed in the SECONDARY 
@@ -71,33 +70,27 @@ dco_install_key(struct tls_multi *multi, struct key_state *ks, slot = OVPN_KEY_SLOT_SECONDARY; } - int ret = dco_new_key(multi->dco, multi->dco_peer_id, ks->key_id, slot, - encrypt_key, encrypt_iv, - decrypt_key, decrypt_iv, - ciphername); + int ret = dco_new_key(multi->dco, multi->dco_peer_id, ks->key_id, slot, encrypt_key, encrypt_iv, + decrypt_key, decrypt_iv, ciphername); if ((ret == 0) && (multi->dco_keys_installed < 2)) { multi->dco_keys_installed++; - ks->dco_status = (slot == OVPN_KEY_SLOT_PRIMARY) ? DCO_INSTALLED_PRIMARY : - DCO_INSTALLED_SECONDARY; + ks->dco_status = + (slot == OVPN_KEY_SLOT_PRIMARY) ? DCO_INSTALLED_PRIMARY : DCO_INSTALLED_SECONDARY; } return ret; } int -init_key_dco_bi(struct tls_multi *multi, struct key_state *ks, - const struct key2 *key2, int key_direction, - const char *ciphername, bool server) +init_key_dco_bi(struct tls_multi *multi, struct key_state *ks, const struct key2 *key2, + int key_direction, const char *ciphername, bool server) { struct key_direction_state kds; key_direction_state_init(&kds, key_direction); - return dco_install_key(multi, ks, - key2->keys[kds.out_key].cipher, - key2->keys[(int)server].hmac, - key2->keys[kds.in_key].cipher, - key2->keys[1 - (int)server].hmac, + return dco_install_key(multi, ks, key2->keys[kds.out_key].cipher, key2->keys[(int)server].hmac, + key2->keys[kds.in_key].cipher, key2->keys[1 - (int)server].hmac, ciphername); } @@ -183,13 +176,15 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) { if (secondary) { - msg(D_DCO_DEBUG, "Swapping primary and secondary keys to " + msg(D_DCO_DEBUG, + "Swapping primary and secondary keys to " "primary-id=%d secondary-id=%d", primary->key_id, secondary->key_id); } else { - msg(D_DCO_DEBUG, "Swapping primary and secondary keys to " + msg(D_DCO_DEBUG, + "Swapping primary and secondary keys to " "primary-id=%d secondary-id=(to be deleted)", primary->key_id); } 
@@ -275,13 +270,15 @@ dco_check_option_ce(const struct connection_entry *ce, int msglevel, int mode) #if defined(_WIN32) if (!proto_is_udp(ce->proto) && mode == MODE_SERVER) { - msg(msglevel, "NOTE: TCP transport disables data channel offload on Windows in server mode."); + msg(msglevel, + "NOTE: TCP transport disables data channel offload on Windows in server mode."); return false; } if (!ce->remote && !dco_win_supports_multipeer()) { - msg(msglevel, "NOTE: --remote is not defined. This DCO version doesn't support multipeer. Disabling Data Channel Offload"); + msg(msglevel, + "NOTE: --remote is not defined. This DCO version doesn't support multipeer. Disabling Data Channel Offload"); return false; } @@ -310,7 +307,7 @@ dco_check_startup_option(int msglevel, const struct options *o) if (!o->tls_client && !o->tls_server) { msg(msglevel, "No tls-client or tls-server option in configuration " - "detected. Disabling data channel offload."); + "detected. Disabling data channel offload."); return false; } @@ -354,7 +351,8 @@ dco_check_startup_option(int msglevel, const struct options *o) #if defined(_WIN32) if ((o->mode == MODE_SERVER) && !dco_win_supports_multipeer()) { - msg(msglevel, "--mode server is set. This DCO version doesn't support multipeer. Disabling Data Channel Offload"); + msg(msglevel, + "--mode server is set. This DCO version doesn't support multipeer. Disabling Data Channel Offload"); return false; } @@ -385,8 +383,8 @@ dco_check_startup_option(int msglevel, const struct options *o) } else if ((ret < 0) && (ret != -ENODEV)) { - msg(msglevel, "Cannot retrieve type of device %s: %s (%d)", o->dev, - strerror(-ret), ret); + msg(msglevel, "Cannot retrieve type of device %s: %s (%d)", o->dev, strerror(-ret), + ret); } } #endif /* if defined(_WIN32) */ 
@@ -401,13 +399,13 @@ dco_check_startup_option(int msglevel, const struct options *o) if (!capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) { msg(msglevel, "--user specified but lacking CAP_SETPCAP. " - "Cannot retain CAP_NET_ADMIN. Disabling data channel offload"); + "Cannot retain CAP_NET_ADMIN. Disabling data channel offload"); return false; } if (!capng_have_capability(CAPNG_PERMITTED, CAP_NET_ADMIN)) { msg(msglevel, "--user specified but not permitted to retain CAP_NET_ADMIN. " - "Disabling data channel offload"); + "Disabling data channel offload"); return false; } } @@ -438,16 +436,18 @@ dco_check_option(int msglevel, const struct options *o) if (o->enable_ncp_fallback && !tls_item_in_cipher_list(o->ciphername, dco_get_supported_ciphers())) { - msg(msglevel, "Note: --data-ciphers-fallback with cipher '%s' " - "disables data channel offload.", o->ciphername); + msg(msglevel, + "Note: --data-ciphers-fallback with cipher '%s' " + "disables data channel offload.", + o->ciphername); return false; } #if defined(USE_COMP) - if (o->comp.alg != COMP_ALG_UNDEF - || o->comp.flags & COMP_F_ALLOW_ASYM) + if (o->comp.alg != COMP_ALG_UNDEF || o->comp.flags & COMP_F_ALLOW_ASYM) { - msg(msglevel, "Note: '--allow-compression' is not set to 'no', disabling data channel offload."); + msg(msglevel, + "Note: '--allow-compression' is not set to 'no', disabling data channel offload."); if (o->mode == MODE_SERVER && !(o->comp.flags & COMP_F_MIGRATE)) { @@ -466,8 +466,10 @@ dco_check_option(int msglevel, const struct options *o) { if (!tls_item_in_cipher_list(token, dco_get_supported_ciphers())) { - msg(msglevel, "Note: cipher '%s' in --data-ciphers is not supported " - "by ovpn-dco, disabling data channel offload.", token); + msg(msglevel, + "Note: cipher '%s' in --data-ciphers is not supported " + "by ovpn-dco, disabling data channel offload.", + token); gc_free(&gc); return false; } 
@@ -483,7 +485,7 @@ dco_check_pull_options(int msglevel, const struct options *o) if (!o->use_peer_id) { msg(msglevel, "OPTIONS IMPORT: Server did not request DATA_V2 packet " - "format required for data channel offload"); + "format required for data channel offload"); return false; } return true; @@ -513,8 +515,7 @@ dco_p2p_add_new_peer(struct context *c) } #endif int ret = dco_new_peer(&c->c1.tuntap->dco, multi->peer_id, sock->sd, NULL, - proto_is_dgram(sock->info.proto) ? remoteaddr : NULL, - NULL, NULL); + proto_is_dgram(sock->info.proto) ? remoteaddr : NULL, NULL, NULL); if (ret < 0) { return ret; @@ -547,7 +548,8 @@ dco_multi_get_localaddr(struct multi_context *m, struct multi_instance *mi, #if ENABLE_IP_PKTINFO struct context *c = &mi->context; - if (!proto_is_udp(c->c2.link_sockets[0]->info.proto) || !(c->options.sockflags & SF_USE_IP_PKTINFO)) + if (!proto_is_udp(c->c2.link_sockets[0]->info.proto) + || !(c->options.sockflags & SF_USE_IP_PKTINFO)) { return false; } @@ -631,8 +633,8 @@ dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi) localaddr = (struct sockaddr *)&local; } - int ret = dco_new_peer(&c->c1.tuntap->dco, peer_id, sd, localaddr, - remoteaddr, vpn_addr4, vpn_addr6); + int ret = + dco_new_peer(&c->c1.tuntap->dco, peer_id, sd, localaddr, remoteaddr, vpn_addr4, vpn_addr6); if (ret < 0) { return ret; @@ -644,8 +646,7 @@ dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi) } void -dco_install_iroute(struct multi_context *m, struct multi_instance *mi, - struct mroute_addr *addr) +dco_install_iroute(struct multi_context *m, struct multi_instance *mi, struct mroute_addr *addr) { #if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) || defined(_WIN32) if (!dco_enabled(&m->top.options)) 
@@ -666,7 +667,8 @@ dco_install_iroute(struct multi_context *m, struct multi_instance *mi, if (addrtype == MR_ADDR_IPV6) { #if defined(_WIN32) - dco_win_add_iroute_ipv6(&c->c1.tuntap->dco, addr->v6.addr, addr->netbits, c->c2.tls_multi->peer_id); + dco_win_add_iroute_ipv6(&c->c1.tuntap->dco, addr->v6.addr, addr->netbits, + c->c2.tls_multi->peer_id); #else net_route_v6_add(&m->top.net_ctx, &addr->v6.addr, addr->netbits, &mi->context.c2.push_ifconfig_ipv6_local, c->c1.tuntap->actual_name, 0, @@ -676,12 +678,12 @@ dco_install_iroute(struct multi_context *m, struct multi_instance *mi, else if (addrtype == MR_ADDR_IPV4) { #if defined(_WIN32) - dco_win_add_iroute_ipv4(&c->c1.tuntap->dco, addr->v4.addr, addr->netbits, c->c2.tls_multi->peer_id); + dco_win_add_iroute_ipv4(&c->c1.tuntap->dco, addr->v4.addr, addr->netbits, + c->c2.tls_multi->peer_id); #else in_addr_t dest = htonl(addr->v4.addr); - net_route_v4_add(&m->top.net_ctx, &dest, addr->netbits, - &mi->context.c2.push_ifconfig_local, c->c1.tuntap->actual_name, 0, - DCO_IROUTE_METRIC); + net_route_v4_add(&m->top.net_ctx, &dest, addr->netbits, &mi->context.c2.push_ifconfig_local, + c->c1.tuntap->actual_name, 0, DCO_IROUTE_METRIC); #endif } #endif /* if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) || defined(_WIN32) */ 
@@ -701,32 +703,28 @@ dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi) if (mi->context.c2.push_ifconfig_defined) { - for (const struct iroute *ir = c->options.iroutes; - ir; - ir = ir->next) + for (const struct iroute *ir = c->options.iroutes; ir; ir = ir->next) { #if defined(_WIN32) dco_win_del_iroute_ipv4(&c->c1.tuntap->dco, htonl(ir->network), ir->netbits); #else net_route_v4_del(&m->top.net_ctx, &ir->network, ir->netbits, - &mi->context.c2.push_ifconfig_local, c->c1.tuntap->actual_name, - 0, DCO_IROUTE_METRIC); + &mi->context.c2.push_ifconfig_local, c->c1.tuntap->actual_name, 0, + DCO_IROUTE_METRIC); #endif } } if (mi->context.c2.push_ifconfig_ipv6_defined) { - for (const struct iroute_ipv6 *ir6 = c->options.iroutes_ipv6; - ir6; - ir6 = ir6->next) + for (const struct iroute_ipv6 *ir6 = c->options.iroutes_ipv6; ir6; ir6 = ir6->next) { #if defined(_WIN32) dco_win_del_iroute_ipv6(&c->c1.tuntap->dco, ir6->network, ir6->netbits); #else net_route_v6_del(&m->top.net_ctx, &ir6->network, ir6->netbits, - &mi->context.c2.push_ifconfig_ipv6_local, c->c1.tuntap->actual_name, - 0, DCO_IROUTE_METRIC); + &mi->context.c2.push_ifconfig_ipv6_local, c->c1.tuntap->actual_name, 0, + DCO_IROUTE_METRIC); #endif } } diff --git a/src/openvpn/dco.h b/src/openvpn/dco.h index 95abf7100..59acb188c 100644 --- a/src/openvpn/dco.h +++ b/src/openvpn/dco.h @@ -43,8 +43,8 @@ struct options; struct tls_multi; struct tuntap; -#define DCO_IROUTE_METRIC 100 -#define DCO_DEFAULT_METRIC 200 +#define DCO_IROUTE_METRIC 100 +#define DCO_DEFAULT_METRIC 200 #if defined(ENABLE_DCO) 
@@ -153,9 +153,8 @@ void dco_event_set(dco_context_t *dco, struct event_set *es, void *arg); * * @return 0 on success or a negative error code otherwise */ -int init_key_dco_bi(struct tls_multi *multi, struct key_state *ks, - const struct key2 *key2, int key_direction, - const char *ciphername, bool server); +int init_key_dco_bi(struct tls_multi *multi, struct key_state *ks, const struct key2 *key2, + int key_direction, const char *ciphername, bool server); /** * Possibly swap or wipe keys from DCO @@ -187,8 +186,8 @@ int dco_p2p_add_new_peer(struct context *c); * * @return 0 on success or a negative error code otherwise */ -int dco_set_peer(dco_context_t *dco, unsigned int peerid, - int keepalive_interval, int keepalive_timeout, int mss); +int dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, + int keepalive_timeout, int mss); /** * Remove a peer from DCO @@ -257,7 +256,7 @@ dco_supports_epoch_data(struct context *c) { return false; } -#else /* if defined(ENABLE_DCO) */ +#else /* if defined(ENABLE_DCO) */ typedef void *dco_context_t; @@ -321,9 +320,8 @@ dco_event_set(dco_context_t *dco, struct event_set *es, void *arg) } static inline int -init_key_dco_bi(struct tls_multi *multi, struct key_state *ks, - const struct key2 *key2, int key_direction, - const char *ciphername, bool server) +init_key_dco_bi(struct tls_multi *multi, struct key_state *ks, const struct key2 *key2, + int key_direction, const char *ciphername, bool server) { return 0; } @@ -342,8 +340,8 @@ dco_p2p_add_new_peer(struct context *c) } static inline int -dco_set_peer(dco_context_t *dco, unsigned int peerid, - int keepalive_interval, int keepalive_timeout, int mss) +dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout, + int mss) { return 0; } 
@@ -360,8 +358,7 @@ dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi) } static inline void -dco_install_iroute(struct multi_context *m, struct multi_instance *mi, - struct mroute_addr *addr) +dco_install_iroute(struct multi_context *m, struct multi_instance *mi, struct mroute_addr *addr) { } diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c index 04c1e3d18..931f9f681 100644 --- a/src/openvpn/dco_freebsd.c +++ b/src/openvpn/dco_freebsd.c @@ -133,9 +133,8 @@ nvlist_to_sockaddr(const nvlist_t *nvl, struct sockaddr_storage *ss) } int -dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, - struct sockaddr *localaddr, struct sockaddr *remoteaddr, - struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6) +dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, struct sockaddr *localaddr, + struct sockaddr *remoteaddr, struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6) { struct ifdrv drv; nvlist_t *nvl, *local_nvl, *remote_nvl; @@ -159,8 +158,7 @@ dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, if (vpn_ipv4) { - nvlist_add_binary(nvl, "vpn_ipv4", &vpn_ipv4->s_addr, - sizeof(vpn_ipv4->s_addr)); + nvlist_add_binary(nvl, "vpn_ipv4", &vpn_ipv4->s_addr, sizeof(vpn_ipv4->s_addr)); } if (vpn_ipv6) @@ -278,7 +276,7 @@ create_interface(struct tuntap *tt, const char *dev) if (ret) { ret = -errno; - msg(M_WARN|M_ERRNO, "Failed to create interface %s (SIOCIFCREATE2)", ifr.ifr_name); + msg(M_WARN | M_ERRNO, "Failed to create interface %s (SIOCIFCREATE2)", ifr.ifr_name); return ret; } @@ -300,7 +298,7 @@ create_interface(struct tuntap *tt, const char *dev) ret = -errno; /* Delete the created interface again. */ (void)ioctl(tt->dco.fd, SIOCIFDESTROY, &ifr); - msg(M_WARN|M_ERRNO, "Failed to create interface %s (SIOCSIFNAME)", ifr.ifr_data); + msg(M_WARN | M_ERRNO, "Failed to create interface %s (SIOCSIFNAME)", ifr.ifr_data); return ret; } 
@@ -412,8 +410,7 @@ dco_del_peer(dco_context_t *dco, unsigned int peerid) } int -dco_del_key(dco_context_t *dco, unsigned int peerid, - dco_key_slot_t slot) +dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot) { struct ifdrv drv; nvlist_t *nvl; @@ -483,18 +480,16 @@ start_tun(dco_context_t *dco) } int -dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, - dco_key_slot_t slot, - const uint8_t *encrypt_key, const uint8_t *encrypt_iv, - const uint8_t *decrypt_key, const uint8_t *decrypt_iv, - const char *ciphername) +dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, dco_key_slot_t slot, + const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key, + const uint8_t *decrypt_iv, const char *ciphername) { struct ifdrv drv; nvlist_t *nvl, *encrypt_nvl, *decrypt_nvl; int ret; - msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s", - __func__, slot, keyid, peerid, ciphername); + msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s", __func__, slot, keyid, peerid, + ciphername); nvl = nvlist_create(0); @@ -532,16 +527,15 @@ dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, } int -dco_set_peer(dco_context_t *dco, unsigned int peerid, - int keepalive_interval, int keepalive_timeout, +dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout, int mss) { struct ifdrv drv; nvlist_t *nvl; int ret; - msg(D_DCO_DEBUG, "%s: peer-id %d, ping interval %d, ping timeout %d", - __func__, peerid, keepalive_interval, keepalive_timeout); + msg(D_DCO_DEBUG, "%s: peer-id %d, ping interval %d, ping timeout %d", __func__, peerid, + keepalive_interval, keepalive_timeout); nvl = nvlist_create(0); nvlist_add_number(nvl, "peerid", peerid); 
@@ -633,7 +627,8 @@ dco_do_read(dco_context_t *dco) dco->dco_message_type = OVPN_CMD_SWAP_KEYS; break; - case OVPN_NOTIF_FLOAT: { + case OVPN_NOTIF_FLOAT: + { const nvlist_t *address; if (!nvlist_exists_nvlist(nvl, "address")) @@ -780,7 +775,6 @@ dco_event_set(dco_context_t *dco, struct event_set *es, void *arg) static void dco_update_peer_stat(struct multi_context *m, uint32_t peerid, const nvlist_t *nvl) { - if (peerid >= m->max_clients || !m->instances[peerid]) { msg(M_WARN, "dco_update_peer_stat: invalid peer ID %d returned by kernel", peerid); @@ -796,7 +790,6 @@ dco_update_peer_stat(struct multi_context *m, uint32_t peerid, const nvlist_t *n int dco_get_peer_stats_multi(dco_context_t *dco, const bool raise_sigusr1_on_err) { - struct ifdrv drv; uint8_t *buf = NULL; size_t buf_size = 4096; diff --git a/src/openvpn/dco_freebsd.h b/src/openvpn/dco_freebsd.h index cbb1dda27..2f486f022 100644 --- a/src/openvpn/dco_freebsd.h +++ b/src/openvpn/dco_freebsd.h @@ -26,26 +26,29 @@ #include "ovpn_dco_freebsd.h" -#define DCO_IROUTE_METRIC 100 +#define DCO_IROUTE_METRIC 100 typedef enum ovpn_key_slot dco_key_slot_t; typedef enum ovpn_key_cipher dco_cipher_t; -enum ovpn_message_type_t { +enum ovpn_message_type_t +{ OVPN_CMD_DEL_PEER, OVPN_CMD_PACKET, OVPN_CMD_SWAP_KEYS, OVPN_CMD_FLOAT_PEER, }; -enum ovpn_del_reason_t { +enum ovpn_del_reason_t +{ OVPN_DEL_PEER_REASON_EXPIRED, OVPN_DEL_PEER_REASON_TRANSPORT_ERROR, OVPN_DEL_PEER_REASON_USERSPACE, OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT, }; -typedef struct dco_context { +typedef struct dco_context +{ bool open; int fd; int pipefd[2]; diff --git a/src/openvpn/dco_internal.h b/src/openvpn/dco_internal.h index 96aa28128..83013ef7d 100644 --- a/src/openvpn/dco_internal.h +++ b/src/openvpn/dco_internal.h 
@@ -59,17 +59,14 @@ dco_get_cipher(const char *cipher) * They are implemented by dco_linux.c */ -int dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, - struct sockaddr *localaddr, struct sockaddr *remoteaddr, - struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6); +int dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, struct sockaddr *localaddr, + struct sockaddr *remoteaddr, struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6); int dco_del_peer(dco_context_t *dco, unsigned int peerid); -int dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, - dco_key_slot_t slot, - const uint8_t *encrypt_key, const uint8_t *encrypt_iv, - const uint8_t *decrypt_key, const uint8_t *decrypt_iv, - const char *ciphername); +int dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, dco_key_slot_t slot, + const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key, + const uint8_t *decrypt_iv, const char *ciphername); int dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot); diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index ab59e3e40..a3907feed 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c @@ -54,8 +54,7 @@ * have to explicitly do it to prevent the kernel from failing upon * parsing of the message */ -#define nla_nest_start(_msg, _type) \ - nla_nest_start(_msg, (_type) | NLA_F_NESTED) +#define nla_nest_start(_msg, _type) nla_nest_start(_msg, (_type) | NLA_F_NESTED) static int ovpn_get_mcast_id(dco_context_t *dco); @@ -89,8 +88,7 @@ resolve_ovpn_netlink_id(int msglevel) ret = genl_connect(nl_sock); if (ret) { - msg(msglevel, "Cannot connect to generic netlink: %s", - nl_geterror(ret)); + msg(msglevel, "Cannot connect to generic netlink: %s", nl_geterror(ret)); goto err_sock; } set_cloexec(nl_socket_get_fd(nl_sock)); 
@@ -98,8 +96,7 @@ resolve_ovpn_netlink_id(int msglevel) ret = genl_ctrl_resolve(nl_sock, OVPN_FAMILY_NAME); if (ret < 0) { - msg(msglevel, "Cannot find ovpn_dco netlink component: %s", - nl_geterror(ret)); + msg(msglevel, "Cannot find ovpn_dco netlink component: %s", nl_geterror(ret)); } err_sock: @@ -157,7 +154,8 @@ ovpn_nl_recvmsgs(dco_context_t *dco, const char *prefix) default: if (ret) { - msg(M_NONFATAL, "%s: netlink reports error (%d): %s", prefix, ret, nl_geterror(-ret)); + msg(M_NONFATAL, "%s: netlink reports error (%d): %s", prefix, ret, + nl_geterror(-ret)); } break; } @@ -188,8 +186,8 @@ ovpn_nl_msg_send(dco_context_t *dco, struct nl_msg *nl_msg, const char *prefix) if (dco->status < 0) { - msg(M_INFO, "%s: failed to send netlink message: %s (%d)", - prefix, strerror(-dco->status), dco->status); + msg(M_INFO, "%s: failed to send netlink message: %s (%d)", prefix, strerror(-dco->status), + dco->status); } return dco->status; @@ -201,7 +199,6 @@ mapped_v4_to_v6(struct sockaddr *sock, struct gc_arena *gc) struct sockaddr_in6 *sock6 = (struct sockaddr_in6 *)sock; if (sock->sa_family == AF_INET6 && IN6_IS_ADDR_V4MAPPED(&sock6->sin6_addr)) { - struct sockaddr_in *sock4; ALLOC_OBJ_CLEAR_GC(sock4, struct sockaddr_in, gc); memcpy(&sock4->sin_addr, sock6->sin6_addr.s6_addr + 12, 4); @@ -213,9 +210,8 @@ mapped_v4_to_v6(struct sockaddr *sock, struct gc_arena *gc) } int -dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, - struct sockaddr *localaddr, struct sockaddr *remoteaddr, - struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6) +dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, struct sockaddr *localaddr, + struct sockaddr *remoteaddr, struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6) { struct gc_arena gc = gc_new(); const char *remotestr = "[undefined]"; 
@@ -223,8 +219,7 @@ dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, { remotestr = print_sockaddr(remoteaddr, &gc); } - msg(D_DCO_DEBUG, "%s: peer-id %d, fd %d, remote addr: %s", __func__, - peerid, sd, remotestr); + msg(D_DCO_DEBUG, "%s: peer-id %d, fd %d, remote addr: %s", __func__, peerid, sd, remotestr); struct nl_msg *nl_msg = ovpn_dco_nlmsg_create(dco, OVPN_CMD_PEER_NEW); struct nlattr *attr = nla_nest_start(nl_msg, OVPN_A_PEER); @@ -242,14 +237,17 @@ dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, { NLA_PUT(nl_msg, OVPN_A_PEER_REMOTE_IPV4, sizeof(struct in_addr), &((struct sockaddr_in *)remoteaddr)->sin_addr); - NLA_PUT_U16(nl_msg, OVPN_A_PEER_REMOTE_PORT, ((struct sockaddr_in *)remoteaddr)->sin_port); + NLA_PUT_U16(nl_msg, OVPN_A_PEER_REMOTE_PORT, + ((struct sockaddr_in *)remoteaddr)->sin_port); } else if (remoteaddr->sa_family == AF_INET6) { NLA_PUT(nl_msg, OVPN_A_PEER_REMOTE_IPV6, sizeof(struct in6_addr), &((struct sockaddr_in6 *)remoteaddr)->sin6_addr); - NLA_PUT_U16(nl_msg, OVPN_A_PEER_REMOTE_PORT, ((struct sockaddr_in6 *)remoteaddr)->sin6_port); - NLA_PUT_U32(nl_msg, OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID, ((struct sockaddr_in6 *)remoteaddr)->sin6_scope_id); + NLA_PUT_U16(nl_msg, OVPN_A_PEER_REMOTE_PORT, + ((struct sockaddr_in6 *)remoteaddr)->sin6_port); + NLA_PUT_U32(nl_msg, OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID, + ((struct sockaddr_in6 *)remoteaddr)->sin6_scope_id); } } @@ -275,8 +273,7 @@ dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, } if (vpn_ipv6) { - NLA_PUT(nl_msg, OVPN_A_PEER_VPN_IPV6, sizeof(struct in6_addr), - vpn_ipv6); + NLA_PUT(nl_msg, OVPN_A_PEER_VPN_IPV6, sizeof(struct in6_addr), vpn_ipv6); } nla_nest_end(nl_msg, attr); @@ -289,7 +286,7 @@ nla_put_failure: } static int -ovpn_nl_cb_finish(struct nl_msg (*msg) __attribute__ ((unused)), void *arg) +ovpn_nl_cb_finish(struct nl_msg(*msg) __attribute__((unused)), void *arg) { int *status = arg; 
@@ -310,7 +307,8 @@ ovpn_nl_cb_finish(struct nl_msg (*msg) __attribute__ ((unused)), void *arg) * missing at the message level * @NLMSGERR_ATTR_MISS_NEST: offset of the nest where attribute was missing */ -enum ovpn_nlmsgerr_attrs { +enum ovpn_nlmsgerr_attrs +{ OVPN_NLMSGERR_ATTR_MISS_TYPE = 5, OVPN_NLMSGERR_ATTR_MISS_NEST = 6, OVPN_NLMSGERR_ATTR_MAX = 6, @@ -325,8 +323,7 @@ enum ovpn_nlmsgerr_attrs { * reply to see if it contains a human-readable error. If found, it is printed. */ static int -ovpn_nl_cb_error(struct sockaddr_nl (*nla) __attribute__ ((unused)), - struct nlmsgerr *err, void *arg) +ovpn_nl_cb_error(struct sockaddr_nl(*nla) __attribute__((unused)), struct nlmsgerr *err, void *arg) { struct nlmsghdr *nlh = (struct nlmsghdr *)err - 1; struct nlattr *tb_msg[OVPN_NLMSGERR_ATTR_MAX + 1]; @@ -360,8 +357,7 @@ ovpn_nl_cb_error(struct sockaddr_nl (*nla) __attribute__ ((unused)), { len = strnlen((char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]), nla_len(tb_msg[NLMSGERR_ATTR_MSG])); - msg(M_WARN, "kernel error: %*s", len, - (char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG])); + msg(M_WARN, "kernel error: %*s", len, (char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG])); } if (tb_msg[OVPN_NLMSGERR_ATTR_MISS_NEST]) @@ -387,7 +383,7 @@ ovpn_dco_register(dco_context_t *dco) if (dco->ovpn_dco_mcast_id < 0) { - msg(M_FATAL, "cannot get mcast group: %s", nl_geterror(dco->ovpn_dco_mcast_id)); + msg(M_FATAL, "cannot get mcast group: %s", nl_geterror(dco->ovpn_dco_mcast_id)); } /* Register for ovpn-dco specific multicast messages that the kernel may 
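Review bot: In the hunk at `@@ -360,8 +357,7 @@`, the reformatted `msg(M_WARN, "kernel error: %*s", len, ...)` still uses `%*s`, where `len` is a minimum field width, so printf keeps reading the attribute until a NUL terminator and the `strnlen(..., nla_len(...))` bound computed just above is never applied to the output. A precision conversion is what the bound calls for: `msg(M_WARN, "kernel error: %.*s", (int)len, (char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]));`. The declaration of `len` is outside the hunk, so the cast can be dropped if it is already an `int`; the reformat does not change this pre-existing behaviour, and ovpn_nl_cb_error continues past the hunk.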
@@ -417,14 +413,12 @@ ovpn_dco_init_netlink(dco_context_t *dco) int ret = genl_connect(dco->nl_sock); if (ret) { - msg(M_FATAL, "Cannot connect to generic netlink: %s", - nl_geterror(ret)); + msg(M_FATAL, "Cannot connect to generic netlink: %s", nl_geterror(ret)); } /* enable Extended ACK for detailed error reporting */ ret = 1; - setsockopt(nl_socket_get_fd(dco->nl_sock), SOL_NETLINK, NETLINK_EXT_ACK, - &ret, sizeof(ret)); + setsockopt(nl_socket_get_fd(dco->nl_sock), SOL_NETLINK, NETLINK_EXT_ACK, &ret, sizeof(ret)); /* set close on exec and non-block on the netlink socket */ set_cloexec(nl_socket_get_fd(dco->nl_sock)); @@ -440,10 +434,8 @@ ovpn_dco_init_netlink(dco_context_t *dco) dco->dco_message_peer_id = -1; nl_cb_err(dco->nl_cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &dco->status); - nl_cb_set(dco->nl_cb, NL_CB_FINISH, NL_CB_CUSTOM, ovpn_nl_cb_finish, - &dco->status); - nl_cb_set(dco->nl_cb, NL_CB_ACK, NL_CB_CUSTOM, ovpn_nl_cb_finish, - &dco->status); + nl_cb_set(dco->nl_cb, NL_CB_FINISH, NL_CB_CUSTOM, ovpn_nl_cb_finish, &dco->status); + nl_cb_set(dco->nl_cb, NL_CB_ACK, NL_CB_CUSTOM, ovpn_nl_cb_finish, &dco->status); nl_cb_set(dco->nl_cb, NL_CB_VALID, NL_CB_CUSTOM, ovpn_handle_msg, dco); ovpn_dco_register(dco); @@ -456,7 +448,7 @@ ovpn_dco_init_netlink(dco_context_t *dco) /* nl library sets the buffer size to 32k/32k by default which is sometimes * overrun with very fast connecting/disconnecting clients. * TODO: fix this in a better and more reliable way */ - ASSERT(!nl_socket_set_buffer_size(dco->nl_sock, 1024*1024, 1024*1024)); + ASSERT(!nl_socket_set_buffer_size(dco->nl_sock, 1024 * 1024, 1024 * 1024)); } bool @@ -578,8 +570,7 @@ nla_put_failure: int -dco_del_key(dco_context_t *dco, unsigned int peerid, - dco_key_slot_t slot) +dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot) { int ret = -EMSGSIZE; msg(D_DCO_DEBUG, "%s: peer-id %d, slot %d", __func__, peerid, slot); 
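Review bot: The reformatted `setsockopt(nl_socket_get_fd(dco->nl_sock), SOL_NETLINK, NETLINK_EXT_ACK, &ret, sizeof(ret));` in the hunk at `@@ -417,14 +413,12 @@` still discards its return value. If the running kernel does not support extended ACKs the option presumably fails and the detailed error reporting that ovpn_nl_cb_error relies on silently degrades to the bare error code, which is hard to diagnose from the logs. Making the failure visible is a one-line change: `if (setsockopt(nl_socket_get_fd(dco->nl_sock), SOL_NETLINK, NETLINK_EXT_ACK, &ret, sizeof(ret)) < 0) { msg(D_DCO_DEBUG | M_ERRNO, "Cannot enable NETLINK_EXT_ACK, kernel error details unavailable"); }`. ovpn_dco_init_netlink begins before the hunk.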
@@ -603,14 +594,12 @@ nla_put_failure: } int -dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, - dco_key_slot_t slot, - const uint8_t *encrypt_key, const uint8_t *encrypt_iv, - const uint8_t *decrypt_key, const uint8_t *decrypt_iv, - const char *ciphername) +dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, dco_key_slot_t slot, + const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key, + const uint8_t *decrypt_iv, const char *ciphername) { - msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s", - __func__, slot, keyid, peerid, ciphername); + msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s", __func__, slot, keyid, peerid, + ciphername); const size_t key_len = cipher_kt_key_size(ciphername); const int nonce_tail_len = 8; @@ -631,23 +620,19 @@ dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, NLA_PUT_U32(nl_msg, OVPN_A_KEYCONF_KEY_ID, keyid); NLA_PUT_U32(nl_msg, OVPN_A_KEYCONF_CIPHER_ALG, dco_cipher); - struct nlattr *key_enc = nla_nest_start(nl_msg, - OVPN_A_KEYCONF_ENCRYPT_DIR); + struct nlattr *key_enc = nla_nest_start(nl_msg, OVPN_A_KEYCONF_ENCRYPT_DIR); if (dco_cipher != OVPN_CIPHER_ALG_NONE) { NLA_PUT(nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, key_len, encrypt_key); - NLA_PUT(nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, nonce_tail_len, - encrypt_iv); + NLA_PUT(nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, nonce_tail_len, encrypt_iv); } nla_nest_end(nl_msg, key_enc); - struct nlattr *key_dec = nla_nest_start(nl_msg, - OVPN_A_KEYCONF_DECRYPT_DIR); + struct nlattr *key_dec = nla_nest_start(nl_msg, OVPN_A_KEYCONF_DECRYPT_DIR); if (dco_cipher != OVPN_CIPHER_ALG_NONE) { NLA_PUT(nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, key_len, decrypt_key); - NLA_PUT(nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, nonce_tail_len, - decrypt_iv); + NLA_PUT(nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, nonce_tail_len, decrypt_iv); } nla_nest_end(nl_msg, key_dec); 
@@ -662,11 +647,11 @@ nla_put_failure: } int -dco_set_peer(dco_context_t *dco, unsigned int peerid, - int keepalive_interval, int keepalive_timeout, int mss) +dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout, + int mss) { - msg(D_DCO_DEBUG, "%s: peer-id %d, keepalive %d/%d, mss %d", __func__, - peerid, keepalive_interval, keepalive_timeout, mss); + msg(D_DCO_DEBUG, "%s: peer-id %d, keepalive %d/%d, mss %d", __func__, peerid, + keepalive_interval, keepalive_timeout, mss); struct nl_msg *nl_msg = ovpn_dco_nlmsg_create(dco, OVPN_CMD_PEER_SET); if (!nl_msg) @@ -677,10 +662,8 @@ dco_set_peer(dco_context_t *dco, unsigned int peerid, struct nlattr *attr = nla_nest_start(nl_msg, OVPN_A_PEER); int ret = -EMSGSIZE; NLA_PUT_U32(nl_msg, OVPN_A_PEER_ID, peerid); - NLA_PUT_U32(nl_msg, OVPN_A_PEER_KEEPALIVE_INTERVAL, - keepalive_interval); - NLA_PUT_U32(nl_msg, OVPN_A_PEER_KEEPALIVE_TIMEOUT, - keepalive_timeout); + NLA_PUT_U32(nl_msg, OVPN_A_PEER_KEEPALIVE_INTERVAL, keepalive_interval); + NLA_PUT_U32(nl_msg, OVPN_A_PEER_KEEPALIVE_TIMEOUT, keepalive_timeout); nla_nest_end(nl_msg, attr); ret = ovpn_nl_msg_send(dco, nl_msg, __func__); @@ -704,8 +687,7 @@ mcast_family_handler(struct nl_msg *msg, void *arg) struct nlattr *tb[CTRL_ATTR_MAX + 1]; struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); - nla_parse(tb, CTRL_ATTR_MAX, genlmsg_attrdata(gnlh, 0), - genlmsg_attrlen(gnlh, 0), NULL); + nla_parse(tb, CTRL_ATTR_MAX, genlmsg_attrdata(gnlh, 0), genlmsg_attrlen(gnlh, 0), NULL); if (!tb[CTRL_ATTR_MCAST_GROUPS]) { 
@@ -718,18 +700,16 @@ mcast_family_handler(struct nl_msg *msg, void *arg) { struct nlattr *tb_mcgrp[CTRL_ATTR_MCAST_GRP_MAX + 1]; - nla_parse(tb_mcgrp, CTRL_ATTR_MCAST_GRP_MAX, - nla_data(mcgrp), nla_len(mcgrp), NULL); + nla_parse(tb_mcgrp, CTRL_ATTR_MCAST_GRP_MAX, nla_data(mcgrp), nla_len(mcgrp), NULL); - if (!tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME] - || !tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID]) + if (!tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME] || !tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID]) { continue; } - if (strncmp(nla_data(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]), - OVPN_MCGRP_PEERS, - nla_len(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME])) != 0) + if (strncmp(nla_data(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]), OVPN_MCGRP_PEERS, + nla_len(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME])) + != 0) { continue; } 
@@ -829,49 +809,41 @@ dco_update_peer_stat(struct context_2 *c2, struct nlattr *tb[], uint32_t id) if (tb[OVPN_A_PEER_LINK_RX_BYTES]) { c2->dco_read_bytes = ovpn_nla_get_uint(tb[OVPN_A_PEER_LINK_RX_BYTES]); - msg(D_DCO_DEBUG, "%s / dco_read_bytes: " counter_format, __func__, - c2->dco_read_bytes); + msg(D_DCO_DEBUG, "%s / dco_read_bytes: " counter_format, __func__, c2->dco_read_bytes); } else { - msg(M_WARN, "%s: no link RX bytes provided in reply for peer %u", - __func__, id); + msg(M_WARN, "%s: no link RX bytes provided in reply for peer %u", __func__, id); } if (tb[OVPN_A_PEER_LINK_TX_BYTES]) { c2->dco_write_bytes = ovpn_nla_get_uint(tb[OVPN_A_PEER_LINK_TX_BYTES]); - msg(D_DCO_DEBUG, "%s / dco_write_bytes: " counter_format, __func__, - c2->dco_write_bytes); + msg(D_DCO_DEBUG, "%s / dco_write_bytes: " counter_format, __func__, c2->dco_write_bytes); } else { - msg(M_WARN, "%s: no link TX bytes provided in reply for peer %u", - __func__, id); + msg(M_WARN, "%s: no link TX bytes provided in reply for peer %u", __func__, id); } if (tb[OVPN_A_PEER_VPN_RX_BYTES]) { c2->tun_read_bytes = ovpn_nla_get_uint(tb[OVPN_A_PEER_VPN_RX_BYTES]); - msg(D_DCO_DEBUG, "%s / tun_read_bytes: " counter_format, __func__, - c2->tun_read_bytes); + msg(D_DCO_DEBUG, "%s / tun_read_bytes: " counter_format, __func__, c2->tun_read_bytes); } else { - msg(M_WARN, "%s: no VPN RX bytes provided in reply for peer %u", - __func__, id); + msg(M_WARN, "%s: no VPN RX bytes provided in reply for peer %u", __func__, id); } if (tb[OVPN_A_PEER_VPN_TX_BYTES]) { c2->tun_write_bytes = ovpn_nla_get_uint(tb[OVPN_A_PEER_VPN_TX_BYTES]); - msg(D_DCO_DEBUG, "%s / tun_write_bytes: " counter_format, __func__, - c2->tun_write_bytes); + msg(D_DCO_DEBUG, "%s / tun_write_bytes: " counter_format, __func__, c2->tun_write_bytes); } else { - msg(M_WARN, "%s: no VPN TX bytes provided in reply for peer %u", - __func__, id); + msg(M_WARN, "%s: no VPN TX bytes provided in reply for peer %u", __func__, id); } } 
@@ -945,8 +917,7 @@ ovpn_iface_check(dco_context_t *dco, struct nlattr *attrs[]) uint32_t ifindex = nla_get_u32(attrs[OVPN_A_IFINDEX]); if (ifindex != dco->ifindex) { - msg(D_DCO_DEBUG, - "ovpn-dco: ignoring message for foreign ifindex %d", ifindex); + msg(D_DCO_DEBUG, "ovpn-dco: ignoring message for foreign ifindex %d", ifindex); return false; } @@ -968,8 +939,7 @@ ovpn_handle_peer_del_ntf(dco_context_t *dco, struct nlattr *attrs[]) } struct nlattr *dp_attrs[OVPN_A_PEER_MAX + 1]; - if (nla_parse_nested(dp_attrs, OVPN_A_PEER_MAX, attrs[OVPN_A_PEER], - NULL)) + if (nla_parse_nested(dp_attrs, OVPN_A_PEER_MAX, attrs[OVPN_A_PEER], NULL)) { msg(D_DCO, "ovpn-dco: can't parse peer in PEER_DEL_NTF messsage"); return NL_STOP; @@ -1013,8 +983,7 @@ ovpn_handle_peer_float_ntf(dco_context_t *dco, struct nlattr *attrs[]) } struct nlattr *fp_attrs[OVPN_A_PEER_MAX + 1]; - if (nla_parse_nested(fp_attrs, OVPN_A_PEER_MAX, attrs[OVPN_A_PEER], - NULL)) + if (nla_parse_nested(fp_attrs, OVPN_A_PEER_MAX, attrs[OVPN_A_PEER], NULL)) { msg(D_DCO, "ovpn-dco: can't parse peer in PEER_FLOAT_NTF messsage"); return NL_STOP; @@ -1033,8 +1002,7 @@ ovpn_handle_peer_float_ntf(dco_context_t *dco, struct nlattr *attrs[]) } struct gc_arena gc = gc_new(); - msg(D_DCO_DEBUG, - "ovpn-dco: received CMD_PEER_FLOAT_NTF, ifindex: %u, peer-id %u, address: %s", + msg(D_DCO_DEBUG, "ovpn-dco: received CMD_PEER_FLOAT_NTF, ifindex: %u, peer-id %u, address: %s", dco->ifindex, peerid, print_sockaddr((struct sockaddr *)&dco->dco_float_peer_ss, &gc)); dco->dco_message_peer_id = (int)peerid; dco->dco_message_type = OVPN_CMD_PEER_FLOAT_NTF; 
@@ -1059,8 +1027,7 @@ ovpn_handle_key_swap_ntf(dco_context_t *dco, struct nlattr *attrs[]) } struct nlattr *dp_attrs[OVPN_A_KEYCONF_MAX + 1]; - if (nla_parse_nested(dp_attrs, OVPN_A_KEYCONF_MAX, - attrs[OVPN_A_KEYCONF], NULL)) + if (nla_parse_nested(dp_attrs, OVPN_A_KEYCONF_MAX, attrs[OVPN_A_KEYCONF], NULL)) { msg(D_DCO, "ovpn-dco: can't parse keyconf in KEY_SWAP_NTF message"); return NL_STOP; @@ -1117,8 +1084,7 @@ ovpn_handle_msg(struct nl_msg *msg, void *arg) return NL_STOP; } - if (nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), - genlmsg_attrlen(gnlh, 0), NULL)) + if (nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), genlmsg_attrlen(gnlh, 0), NULL)) { msg(D_DCO, "received bogus data from ovpn-dco"); return NL_STOP; @@ -1206,8 +1172,8 @@ nla_put_failure: if (raise_sigusr1_on_err && ret < 0) { msg(M_WARN, "Error retrieving DCO peer stats: the underlying DCO peer" - "may have been deleted from the kernel without notifying " - "userspace. Restarting the session"); + "may have been deleted from the kernel without notifying " + "userspace. Restarting the session"); register_signal(dco->c->sig, SIGUSR1, "dco peer stats error"); } return ret; @@ -1230,8 +1196,7 @@ dco_available(int msglevel) { if (resolve_ovpn_netlink_id(D_DCO_DEBUG) < 0) { - msg(msglevel, - "Note: Kernel support for ovpn-dco missing, disabling data channel offload."); + msg(msglevel, "Note: Kernel support for ovpn-dco missing, disabling data channel offload."); return false; } diff --git a/src/openvpn/dco_linux.h b/src/openvpn/dco_linux.h index 9f15199e5..310d43355 100644 --- a/src/openvpn/dco_linux.h +++ b/src/openvpn/dco_linux.h 
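Review bot: In the hunk at `@@ -1206,8 +1172,8 @@`, the re-indented continuation literals are joined to a first literal that lacks a trailing space, so the warning is logged as "the underlying DCO peermay have been deleted from the kernel without notifying userspace". The reformat preserved the pre-existing defect; the fix is to change the first literal to `"Error retrieving DCO peer stats: the underlying DCO peer "`. The enclosing function starts outside the hunk (only its `nla_put_failure:` tail is visible), so the message's other callers cannot be checked from here.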
@@ -31,8 +31,8 @@ #include /* Defines to avoid mismatching with other platforms */ -#define OVPN_CMD_DEL_PEER OVPN_CMD_PEER_DEL_NTF -#define OVPN_CMD_SWAP_KEYS OVPN_CMD_KEY_SWAP_NTF +#define OVPN_CMD_DEL_PEER OVPN_CMD_PEER_DEL_NTF +#define OVPN_CMD_SWAP_KEYS OVPN_CMD_KEY_SWAP_NTF #define OVPN_CMD_FLOAT_PEER OVPN_CMD_PEER_FLOAT_NTF typedef enum ovpn_key_slot dco_key_slot_t; @@ -42,12 +42,14 @@ typedef enum ovpn_cipher_alg dco_cipher_t; #ifndef IFLA_OVPN_MAX -enum ovpn_mode { +enum ovpn_mode +{ OVPN_MODE_P2P, OVPN_MODE_MP, }; -enum ovpn_ifla_attrs { +enum ovpn_ifla_attrs +{ IFLA_OVPN_UNSPEC = 0, IFLA_OVPN_MODE, diff --git a/src/openvpn/dco_win.c b/src/openvpn/dco_win.c index d2279654a..5317ac10b 100644 --- a/src/openvpn/dco_win.c +++ b/src/openvpn/dco_win.c @@ -75,14 +75,12 @@ dco_get_version(OVPN_VERSION *version) bool res = false; - HANDLE h = CreateFile("\\\\.\\ovpn-dco-ver", GENERIC_READ, - 0, NULL, OPEN_EXISTING, 0, NULL); + HANDLE h = CreateFile("\\\\.\\ovpn-dco-ver", GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL); if (h == INVALID_HANDLE_VALUE) { /* fallback to a "normal" device, this will fail if device is already in use */ - h = CreateFile("\\\\.\\ovpn-dco", GENERIC_READ, - 0, NULL, OPEN_EXISTING, 0, NULL); + h = CreateFile("\\\\.\\ovpn-dco", GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL); } if (h == INVALID_HANDLE_VALUE) @@ -91,8 +89,8 @@ dco_get_version(OVPN_VERSION *version) } DWORD bytes_returned = 0; - if (!DeviceIoControl(h, OVPN_IOCTL_GET_VERSION, NULL, 0, - version, sizeof(*version), &bytes_returned, NULL)) + if (!DeviceIoControl(h, OVPN_IOCTL_GET_VERSION, NULL, 0, version, sizeof(*version), + &bytes_returned, NULL)) { goto done; } 
@@ -145,7 +143,8 @@ ovpn_dco_init_mp(dco_context_t *dco, const char *dev_node) /* set mp mode */ OVPN_MODE m = OVPN_MODE_MP; DWORD bytes_returned = 0; - if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_SET_MODE, &m, sizeof(m), NULL, 0, &bytes_returned, NULL)) + if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_SET_MODE, &m, sizeof(m), NULL, 0, + &bytes_returned, NULL)) { msg(M_ERR, "DeviceIoControl(OVPN_IOCTL_SET_MODE) failed"); } @@ -221,7 +220,7 @@ dco_connect_wait(HANDLE handle, OVERLAPPED *ov, int timeout, struct signal_info { volatile int *signal_received = &sig_info->signal_received; /* GetOverlappedResultEx is available starting from Windows 8 */ - typedef BOOL (WINAPI *get_overlapped_result_ex_t)(HANDLE, LPOVERLAPPED, LPDWORD, DWORD, BOOL); + typedef BOOL(WINAPI * get_overlapped_result_ex_t)(HANDLE, LPOVERLAPPED, LPDWORD, DWORD, BOOL); get_overlapped_result_ex_t get_overlapped_result_ex = (get_overlapped_result_ex_t)GetProcAddress(GetModuleHandle("Kernel32.dll"), "GetOverlappedResultEx"); @@ -295,8 +294,8 @@ dco_mp_start_vpn(HANDLE handle, struct link_socket *sock) } if (!cur) { - msg(M_FATAL, "%s: Socket bind failed: Addr to bind has no %s record", - __func__, addr_family_name(ai_family)); + msg(M_FATAL, "%s: Socket bind failed: Addr to bind has no %s record", __func__, + addr_family_name(ai_family)); } OVPN_MP_START_VPN in, out; @@ -322,7 +321,8 @@ dco_mp_start_vpn(HANDLE handle, struct link_socket *sock) } void -dco_p2p_new_peer(HANDLE handle, OVERLAPPED *ov, struct link_socket *sock, struct signal_info *sig_info) +dco_p2p_new_peer(HANDLE handle, OVERLAPPED *ov, struct link_socket *sock, + struct signal_info *sig_info) { msg(D_DCO_DEBUG, "%s", __func__); 
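Review bot: The hunk at `@@ -221,7 +220,7 @@` now reads `typedef BOOL(WINAPI * get_overlapped_result_ex_t)(HANDLE, LPOVERLAPPED, LPDWORD, DWORD, BOOL);`, a purely stylistic regression: the formatter does not recognise the `WINAPI` calling-convention macro and spaces the declarator as if `WINAPI * name` were a multiplication. If the project's clang-format configuration has no entry for it, listing `WINAPI` under clang-format's `AttributeMacros` option should restore the readable `BOOL (WINAPI *get_overlapped_result_ex_t)(...)` form on the next run. Behaviour is unaffected either way; dco_connect_wait begins before the hunk.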
@@ -333,8 +333,7 @@ dco_p2p_new_peer(HANDLE handle, OVERLAPPED *ov, struct link_socket *sock, struct struct sockaddr *local = NULL; struct sockaddr *remote = remoteaddr->ai_addr; - if (remoteaddr->ai_protocol == IPPROTO_TCP - || remoteaddr->ai_socktype == SOCK_STREAM) + if (remoteaddr->ai_protocol == IPPROTO_TCP || remoteaddr->ai_socktype == SOCK_STREAM) { peer.Proto = OVPN_PROTO_TCP; } @@ -406,15 +405,15 @@ dco_p2p_new_peer(HANDLE handle, OVERLAPPED *ov, struct link_socket *sock, struct } else { - dco_connect_wait(handle, ov, get_server_poll_remaining_time(sock->server_poll_timeout), sig_info); + dco_connect_wait(handle, ov, get_server_poll_remaining_time(sock->server_poll_timeout), + sig_info); } } } int -dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, - struct sockaddr *localaddr, struct sockaddr *remoteaddr, - struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6) +dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, struct sockaddr *localaddr, + struct sockaddr *remoteaddr, struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6) { msg(D_DCO_DEBUG, "%s: peer-id %d, fd %d", __func__, peerid, sd); @@ -424,7 +423,7 @@ dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, return 0; } - OVPN_MP_NEW_PEER newPeer = {0}; + OVPN_MP_NEW_PEER newPeer = { 0 }; if (remoteaddr) { @@ -454,7 +453,8 @@ dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, newPeer.PeerId = peerid; DWORD bytesReturned; - if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_NEW_PEER, &newPeer, sizeof(newPeer), NULL, 0, &bytesReturned, NULL)) + if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_NEW_PEER, &newPeer, sizeof(newPeer), NULL, 0, + &bytesReturned, NULL)) { msg(M_ERR, "DeviceIoControl(OVPN_IOCTL_MP_NEW_PEER) failed"); } 
@@ -489,11 +489,11 @@ dco_del_peer(dco_context_t *dco, unsigned int peerid) } int -dco_set_peer(dco_context_t *dco, unsigned int peerid, - int keepalive_interval, int keepalive_timeout, int mss) +dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout, + int mss) { - msg(D_DCO_DEBUG, "%s: peer-id %d, keepalive %d/%d, mss %d", __func__, - peerid, keepalive_interval, keepalive_timeout, mss); + msg(D_DCO_DEBUG, "%s: peer-id %d, keepalive %d/%d, mss %d", __func__, peerid, + keepalive_interval, keepalive_timeout, mss); OVPN_MP_SET_PEER mp_peer = { peerid, keepalive_interval, keepalive_timeout, mss }; OVPN_SET_PEER peer = { keepalive_interval, keepalive_timeout, mss }; @@ -523,14 +523,12 @@ dco_set_peer(dco_context_t *dco, unsigned int peerid, } int -dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, - dco_key_slot_t slot, - const uint8_t *encrypt_key, const uint8_t *encrypt_iv, - const uint8_t *decrypt_key, const uint8_t *decrypt_iv, - const char *ciphername) +dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, dco_key_slot_t slot, + const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key, + const uint8_t *decrypt_iv, const char *ciphername) { - msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s", - __func__, slot, keyid, peerid, ciphername); + msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s", __func__, slot, keyid, peerid, + ciphername); const int nonce_len = 8; size_t key_len = cipher_kt_key_size(ciphername); @@ -555,8 +553,8 @@ dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, DWORD bytes_returned = 0; - if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_NEW_KEY, &crypto_data, - sizeof(crypto_data), NULL, 0, &bytes_returned, NULL)) + if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_NEW_KEY, &crypto_data, sizeof(crypto_data), NULL, + 0, &bytes_returned, NULL)) { msg(M_ERR, "DeviceIoControl(OVPN_IOCTL_NEW_KEY) failed"); return -1; 
@@ -566,8 +564,7 @@ dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, int dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot) { - msg(D_DCO, "%s: peer-id %d, slot %d called but ignored", __func__, peerid, - slot); + msg(D_DCO, "%s: peer-id %d, slot %d called but ignored", __func__, peerid, slot); /* FIXME: Implement in driver first */ return 0; } @@ -577,7 +574,7 @@ dco_swap_keys(dco_context_t *dco, unsigned int peer_id) { msg(D_DCO_DEBUG, "%s: peer-id %d", __func__, peer_id); - OVPN_MP_SWAP_KEYS swap = {peer_id}; + OVPN_MP_SWAP_KEYS swap = { peer_id }; DWORD ioctl = OVPN_IOCTL_SWAP_KEYS; VOID *buf = NULL; DWORD len = 0; @@ -602,8 +599,8 @@ bool dco_available(int msglevel) { /* try to open device by symbolic name */ - HANDLE h = CreateFile("\\\\.\\ovpn-dco", GENERIC_READ | GENERIC_WRITE, - 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, NULL); + HANDLE h = CreateFile("\\\\.\\ovpn-dco", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, + FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, NULL); if (h != INVALID_HANDLE_VALUE) { @@ -628,7 +625,7 @@ dco_available(int msglevel) const char * dco_version_string(struct gc_arena *gc) { - OVPN_VERSION version = {0}; + OVPN_VERSION version = { 0 }; if (dco_get_version(&version)) { struct buffer out = alloc_buf_gc(256, gc); @@ -659,7 +656,8 @@ dco_handle_overlapped_success(dco_context_t *dco, bool queued) BOOL res = GetOverlappedResult(dco->tt->hand, &dco->ov, &bytes_read, FALSE); if (res) { - msg(D_DCO_DEBUG, "%s: completion%s success [%ld]", __func__, queued ? "" : " non-queued", bytes_read); + msg(D_DCO_DEBUG, "%s: completion%s success [%ld]", __func__, queued ? "" : " non-queued", + bytes_read); dco->dco_message_peer_id = dco->notif_buf.PeerId; dco->dco_message_type = dco->notif_buf.Cmd; 
@@ -734,8 +732,8 @@ dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err) ZeroMemory(&stats, sizeof(OVPN_STATS)); DWORD bytes_returned = 0; - if (!DeviceIoControl(tt->hand, OVPN_IOCTL_GET_STATS, NULL, 0, - &stats, sizeof(stats), &bytes_returned, NULL)) + if (!DeviceIoControl(tt->hand, OVPN_IOCTL_GET_STATS, NULL, 0, &stats, sizeof(stats), + &bytes_returned, NULL)) { msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_GET_STATS) failed"); return -1; @@ -765,7 +763,8 @@ dco_event_set(dco_context_t *dco, struct event_set *es, void *arg) /* the overlapped IOCTL will signal this event on I/O completion */ ASSERT(ResetEvent(dco->ov.hEvent)); - if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_NOTIFY_EVENT, NULL, 0, &dco->notif_buf, sizeof(dco->notif_buf), NULL, &dco->ov)) + if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_NOTIFY_EVENT, NULL, 0, &dco->notif_buf, + sizeof(dco->notif_buf), NULL, &dco->ov)) { DWORD err = GetLastError(); if (err == ERROR_IO_PENDING) /* operation queued? */ 
@@ -826,17 +825,21 @@ dco_win_supports_multipeer(void) } void -dco_win_add_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits, unsigned int peer_id) +dco_win_add_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits, + unsigned int peer_id) { struct gc_arena gc = gc_new(); - OVPN_MP_IROUTE route = {.Addr.Addr4.S_un.S_addr = dst, .Netbits = netbits, .PeerId = peer_id, .IPv6 = 0}; + OVPN_MP_IROUTE route = { + .Addr.Addr4.S_un.S_addr = dst, .Netbits = netbits, .PeerId = peer_id, .IPv6 = 0 + }; - msg(D_DCO_DEBUG, "%s: %s/%d -> peer %d", __func__, print_in_addr_t(dst, IA_NET_ORDER, &gc), netbits, peer_id); + msg(D_DCO_DEBUG, "%s: %s/%d -> peer %d", __func__, print_in_addr_t(dst, IA_NET_ORDER, &gc), + netbits, peer_id); DWORD bytes_returned = 0; - if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_ADD_IROUTE, &route, - sizeof(route), NULL, 0, &bytes_returned, NULL)) + if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_ADD_IROUTE, &route, sizeof(route), NULL, 0, + &bytes_returned, NULL)) { msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_MP_ADD_IROUTE) failed"); } 
@@ -845,17 +848,19 @@ dco_win_add_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits, } void -dco_win_add_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits, unsigned int peer_id) +dco_win_add_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits, + unsigned int peer_id) { struct gc_arena gc = gc_new(); OVPN_MP_IROUTE route = { .Addr.Addr6 = dst, .Netbits = netbits, .PeerId = peer_id, .IPv6 = 1 }; - msg(D_DCO_DEBUG, "%s: %s/%d -> peer %d", __func__, print_in6_addr(dst, IA_NET_ORDER, &gc), netbits, peer_id); + msg(D_DCO_DEBUG, "%s: %s/%d -> peer %d", __func__, print_in6_addr(dst, IA_NET_ORDER, &gc), + netbits, peer_id); DWORD bytes_returned = 0; - if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_ADD_IROUTE, &route, - sizeof(route), NULL, 0, &bytes_returned, NULL)) + if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_ADD_IROUTE, &route, sizeof(route), NULL, 0, + &bytes_returned, NULL)) { msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_MP_ADD_IROUTE) failed"); } @@ -868,13 +873,15 @@ dco_win_del_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits) { struct gc_arena gc = gc_new(); - OVPN_MP_IROUTE route = { .Addr.Addr4.S_un.S_addr = dst, .Netbits = netbits, .PeerId = -1, .IPv6 = 0 }; + OVPN_MP_IROUTE route = { + .Addr.Addr4.S_un.S_addr = dst, .Netbits = netbits, .PeerId = -1, .IPv6 = 0 + }; msg(D_DCO_DEBUG, "%s: %s/%d", __func__, print_in_addr_t(dst, IA_NET_ORDER, &gc), netbits); DWORD bytes_returned = 0; - if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_DEL_IROUTE, &route, - sizeof(route), NULL, 0, &bytes_returned, NULL)) + if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_DEL_IROUTE, &route, sizeof(route), NULL, 0, + &bytes_returned, NULL)) { msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_MP_DEL_IROUTE) failed"); } 
@@ -892,8 +899,8 @@ dco_win_del_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int ne msg(D_DCO_DEBUG, "%s: %s/%d", __func__, print_in6_addr(dst, IA_NET_ORDER, &gc), netbits); DWORD bytes_returned = 0; - if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_DEL_IROUTE, &route, - sizeof(route), NULL, 0, &bytes_returned, NULL)) + if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_DEL_IROUTE, &route, sizeof(route), NULL, 0, + &bytes_returned, NULL)) { msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_MP_DEL_IROUTE) failed"); } diff --git a/src/openvpn/dco_win.h b/src/openvpn/dco_win.h index 7311de844..a7f4865a5 100644 --- a/src/openvpn/dco_win.h +++ b/src/openvpn/dco_win.h @@ -32,21 +32,23 @@ typedef OVPN_KEY_SLOT dco_key_slot_t; typedef OVPN_CIPHER_ALG dco_cipher_t; -typedef enum { +typedef enum +{ DCO_MODE_UNINIT, DCO_MODE_P2P, DCO_MODE_MP } dco_mode_type; -struct dco_context { +struct dco_context +{ struct tuntap *tt; dco_mode_type ifmode; OVPN_NOTIFY_EVENT notif_buf; /**< Buffer for incoming notifications. */ - OVERLAPPED ov; /**< Used by overlapped I/O for async IOCTL. */ - int iostate; /**< State of overlapped I/O; see definitions in win32.h. */ - struct rw_handle rwhandle; /**< Used to hook async I/O to the OpenVPN event loop. */ - int ov_ret; /**< Win32 error code for overlapped operation, 0 for success */ + OVERLAPPED ov; /**< Used by overlapped I/O for async IOCTL. */ + int iostate; /**< State of overlapped I/O; see definitions in win32.h. */ + struct rw_handle rwhandle; /**< Used to hook async I/O to the OpenVPN event loop. */ + int ov_ret; /**< Win32 error code for overlapped operation, 0 for success */ int dco_message_peer_id; int dco_message_type; 
@@ -59,31 +61,26 @@ struct dco_context {
 typedef struct dco_context dco_context_t;
-void
-dco_mp_start_vpn(HANDLE handle, struct link_socket *sock);
+void dco_mp_start_vpn(HANDLE handle, struct link_socket *sock);
-void
-dco_p2p_new_peer(HANDLE handle, OVERLAPPED *ov, struct link_socket *sock, struct signal_info *sig_info);
+void dco_p2p_new_peer(HANDLE handle, OVERLAPPED *ov, struct link_socket *sock,
+ struct signal_info *sig_info);
-void
-dco_start_tun(struct tuntap *tt);
+void dco_start_tun(struct tuntap *tt);
-bool
-dco_win_supports_multipeer(void);
+bool dco_win_supports_multipeer(void);
-void
-dco_win_add_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits, unsigned int peer_id);
+void dco_win_add_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits,
+ unsigned int peer_id);
-void
-dco_win_add_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits, unsigned int peer_id);
+void dco_win_add_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits,
+ unsigned int peer_id);
-void
-dco_win_del_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits);
+void dco_win_del_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits);
-void
-dco_win_del_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits);
+void dco_win_del_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits);
-#else /* if defined(ENABLE_DCO) && defined(_WIN32) */
+#else /* if defined(ENABLE_DCO) && defined(_WIN32) */
 static inline void
 dco_start_tun(struct tuntap *tt)
diff --git a/src/openvpn/dhcp.c b/src/openvpn/dhcp.c
index df014120c..0a7689f78 100644
--- a/src/openvpn/dhcp.c
+++ b/src/openvpn/dhcp.c
@@ -35,37 +35,37 @@ static int get_dhcp_message_type(const struct dhcp *dhcp, const int optlen) { - const uint8_t *p = (uint8_t *) (dhcp + 1); + const uint8_t *p = (uint8_t *)(dhcp + 1); int i; for (i = 0; i < optlen; ++i) { const uint8_t type = p[i]; const int room = optlen - i; - if (type == DHCP_END) /* didn't find what we were looking for */ + if (type == DHCP_END) /* didn't find what we were looking for */ { return -1; } - else if (type == DHCP_PAD) /* no-operation */ + else if (type == DHCP_PAD) /* no-operation */ { } else if (type == DHCP_MSG_TYPE) /* what we are looking for */ { if (room >= 3) { - if (p[i+1] == 1) /* option length should be 1 */ + if (p[i + 1] == 1) /* option length should be 1 */ { - return p[i+2]; /* return message type */ + return p[i + 2]; /* return message type */ } } return -1; } - else /* some other option */ + else /* some other option */ { if (room >= 2) { - const int len = p[i+1]; /* get option length */ - i += (len + 1); /* advance to next option */ + const int len = p[i + 1]; /* get option length */ + i += (len + 1); /* advance to next option */ } } } @@ -75,11 +75,11 @@ get_dhcp_message_type(const struct dhcp *dhcp, const int optlen) static in_addr_t do_extract(struct dhcp *dhcp, int optlen) { - uint8_t *p = (uint8_t *) (dhcp + 1); + uint8_t *p = (uint8_t *)(dhcp + 1); int i; in_addr_t ret = 0; - for (i = 0; i < optlen; ) + for (i = 0; i < optlen;) { const uint8_t type = p[i]; const int room = optlen - i; 
@@ -95,25 +95,25 @@ do_extract(struct dhcp *dhcp, int optlen) { if (room >= 2) { - const int len = p[i+1]; /* get option length */ - if (len <= (room-2)) + const int len = p[i + 1]; /* get option length */ + if (len <= (room - 2)) { /* get router IP address */ if (!ret && len >= 4 && (len & 3) == 0) { - memcpy(&ret, p+i+2, 4); + memcpy(&ret, p + i + 2, 4); ret = ntohl(ret); } { /* delete the router option */ uint8_t *dest = p + i; - const int owlen = len + 2; /* len of data to overwrite */ + const int owlen = len + 2; /* len of data to overwrite */ uint8_t *src = dest + owlen; uint8_t *end = p + optlen; const int movlen = end - src; if (movlen > 0) { - memmove(dest, src, movlen); /* overwrite router option */ + memmove(dest, src, movlen); /* overwrite router option */ } memset(end - owlen, DHCP_PAD, owlen); /* pad tail */ } @@ -128,12 +128,12 @@ do_extract(struct dhcp *dhcp, int optlen) break; } } - else /* some other option */ + else /* some other option */ { if (room >= 2) { - const int len = p[i+1]; /* get option length */ - i += (len + 2); /* advance to next option */ + const int len = p[i + 1]; /* get option length */ + i += (len + 2); /* advance to next option */ } else { 
@@ -147,13 +147,13 @@ do_extract(struct dhcp *dhcp, int optlen) in_addr_t dhcp_extract_router_msg(struct buffer *ipbuf) { - struct dhcp_full *df = (struct dhcp_full *) BPTR(ipbuf); - const int optlen = BLEN(ipbuf) - (sizeof(struct openvpn_iphdr) + sizeof(struct openvpn_udphdr) + sizeof(struct dhcp)); + struct dhcp_full *df = (struct dhcp_full *)BPTR(ipbuf); + const int optlen = + BLEN(ipbuf) + - (sizeof(struct openvpn_iphdr) + sizeof(struct openvpn_udphdr) + sizeof(struct dhcp)); - if (optlen >= 0 - && df->ip.protocol == OPENVPN_IPPROTO_UDP - && df->udp.source == htons(BOOTPS_PORT) - && df->udp.dest == htons(BOOTPC_PORT) + if (optlen >= 0 && df->ip.protocol == OPENVPN_IPPROTO_UDP + && df->udp.source == htons(BOOTPS_PORT) && df->udp.dest == htons(BOOTPC_PORT) && df->dhcp.op == BOOTREPLY) { const int message_type = get_dhcp_message_type(&df->dhcp, optlen); @@ -164,10 +164,10 @@ dhcp_extract_router_msg(struct buffer *ipbuf) /* recompute the UDP checksum */ df->udp.check = 0; - df->udp.check = htons(ip_checksum(AF_INET, (uint8_t *)&df->udp, - sizeof(struct openvpn_udphdr) + sizeof(struct dhcp) + optlen, - (uint8_t *)&df->ip.saddr, (uint8_t *)&df->ip.daddr, - OPENVPN_IPPROTO_UDP)); + df->udp.check = htons(ip_checksum( + AF_INET, (uint8_t *)&df->udp, + sizeof(struct openvpn_udphdr) + sizeof(struct dhcp) + optlen, + (uint8_t *)&df->ip.saddr, (uint8_t *)&df->ip.daddr, OPENVPN_IPPROTO_UDP)); /* only return the extracted Router address if DHCPACK */ if (message_type == DHCPACK) diff --git a/src/openvpn/dhcp.h b/src/openvpn/dhcp.h index 34f451300..af5c2c45e 100644 --- a/src/openvpn/dhcp.h +++ b/src/openvpn/dhcp.h @@ -30,10 +30,10 @@ #pragma pack(1) /* DHCP Option types */ -#define DHCP_PAD 0 -#define DHCP_ROUTER 3 -#define DHCP_MSG_TYPE 53 /* message type (u8) */ -#define DHCP_END 255 +#define DHCP_PAD 0 +#define DHCP_ROUTER 3 +#define DHCP_MSG_TYPE 53 /* message type (u8) */ +#define DHCP_END 255 /* DHCP Messages types */ #define DHCPDISCOVER 1 
@@ -49,28 +49,30 @@
 #define BOOTPS_PORT 67
 #define BOOTPC_PORT 68
-struct dhcp {
+struct dhcp
+{
 #define BOOTREQUEST 1
 #define BOOTREPLY 2
- uint8_t op; /* message op */
+ uint8_t op; /* message op */
- uint8_t htype; /* hardware address type (e.g. '1' = 10Mb Ethernet) */
- uint8_t hlen; /* hardware address length (e.g. '6' for 10Mb Ethernet) */
- uint8_t hops; /* client sets to 0, may be used by relay agents */
- uint32_t xid; /* transaction ID, chosen by client */
- uint16_t secs; /* seconds since request process began, set by client */
+ uint8_t htype; /* hardware address type (e.g. '1' = 10Mb Ethernet) */
+ uint8_t hlen; /* hardware address length (e.g. '6' for 10Mb Ethernet) */
+ uint8_t hops; /* client sets to 0, may be used by relay agents */
+ uint32_t xid; /* transaction ID, chosen by client */
+ uint16_t secs; /* seconds since request process began, set by client */
 uint16_t flags;
- uint32_t ciaddr; /* client IP address, client sets if known */
- uint32_t yiaddr; /* 'your' IP address -- server's response to client */
- uint32_t siaddr; /* server IP address */
- uint32_t giaddr; /* relay agent IP address */
+ uint32_t ciaddr; /* client IP address, client sets if known */
+ uint32_t yiaddr; /* 'your' IP address -- server's response to client */
+ uint32_t siaddr; /* server IP address */
+ uint32_t giaddr; /* relay agent IP address */
 uint8_t chaddr[16]; /* client hardware address */
- uint8_t sname[64]; /* optional server host name */
- uint8_t file[128]; /* boot file name */
- uint32_t magic; /* must be 0x63825363 (network order) */
+ uint8_t sname[64]; /* optional server host name */
+ uint8_t file[128]; /* boot file name */
+ uint32_t magic; /* must be 0x63825363 (network order) */
 };
-struct dhcp_full {
+struct dhcp_full
+{
 struct openvpn_iphdr ip;
 struct openvpn_udphdr udp;
 struct dhcp dhcp;
diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c
index 22f4cece5..8e28c2b77 100644
--- a/src/openvpn/dns.c
+++ b/src/openvpn/dns.c
@@ -65,7 +65,7 @@ dns_server_addr_parse(struct dns_server *server, const char *addr) return false; } - char addrcopy[INET6_ADDRSTRLEN] = {0}; + char addrcopy[INET6_ADDRSTRLEN] = { 0 }; size_t copylen = 0; in_port_t port = 0; sa_family_t af; @@ -202,13 +202,13 @@ dns_server_get(struct dns_server **entry, long priority, struct gc_arena *gc) bool dns_options_verify(int msglevel, const struct dns_options *o) { - const struct dns_server *server = - o->servers ? o->servers : o->servers_prepull; + const struct dns_server *server = o->servers ? o->servers : o->servers_prepull; while (server) { if (server->addr_count == 0) { - msg(msglevel, "ERROR: dns server %ld does not have an address assigned", server->priority); + msg(msglevel, "ERROR: dns server %ld does not have an address assigned", + server->priority); return false; } server = server->next; @@ -352,8 +352,8 @@ transport_value(const enum dns_server_transport transport) #ifdef _WIN32 static void -make_domain_list(const char *what, const struct dns_domain *src, - bool nrpt_domains, char *dst, size_t dst_size) +make_domain_list(const char *what, const struct dns_domain *src, bool nrpt_domains, char *dst, + size_t dst_size) { /* NRPT domains need two \0 at the end for REG_MULTI_SZ * and a leading '.' added in front of the domain name */ @@ -429,11 +429,8 @@ run_up_down_service(bool add, const struct options *o, const struct tuntap *tt) ack_message_t ack; nrpt_dns_cfg_message_t nrpt = { - .header = { - (add ? msg_add_nrpt_cfg : msg_del_nrpt_cfg), - sizeof(nrpt_dns_cfg_message_t), - 0 - }, + .header = { (add ? msg_add_nrpt_cfg : msg_del_nrpt_cfg), sizeof(nrpt_dns_cfg_message_t), + 0 }, .iface = { .index = tt->adapter_index, .name = "" }, .flags = server->dnssec == DNS_SECURITY_NO ? 0 : nrpt_dnssec, }; 
@@ -447,33 +444,31 @@ run_up_down_service(bool add, const struct options *o, const struct tuntap *tt) break; } - if (inet_ntop(server->addr[i].family, &server->addr[i].in, - nrpt.addresses[i], NRPT_ADDR_SIZE) == NULL) + if (inet_ntop(server->addr[i].family, &server->addr[i].in, nrpt.addresses[i], + NRPT_ADDR_SIZE) + == NULL) { msg(M_WARN, "WARNING: could not convert dns server address"); } } - make_domain_list("dns server resolve domains", server->domains, true, - nrpt.resolve_domains, sizeof(nrpt.resolve_domains)); + make_domain_list("dns server resolve domains", server->domains, true, nrpt.resolve_domains, + sizeof(nrpt.resolve_domains)); - make_domain_list("dns search domains", search_domains, false, - nrpt.search_domains, sizeof(nrpt.search_domains)); + make_domain_list("dns search domains", search_domains, false, nrpt.search_domains, + sizeof(nrpt.search_domains)); msg(D_LOW, "%s NRPT DNS%s%s on '%s' (if_index = %d) using service", (add ? "Setting" : "Deleting"), nrpt.resolve_domains[0] != 0 ? ", resolve domains" : "", - nrpt.search_domains[0] != 0 ? ", search domains" : "", - nrpt.iface.name, nrpt.iface.index); + nrpt.search_domains[0] != 0 ? ", search domains" : "", nrpt.iface.name, nrpt.iface.index); send_msg_iservice(o->msg_channel, &nrpt, sizeof(nrpt), &ack, "DNS"); } -#else /* ifdef _WIN32 */ +#else /* ifdef _WIN32 */ static void -setenv_dns_option(struct env_set *es, - const char *format, int i, int j, - const char *value) +setenv_dns_option(struct env_set *es, const char *format, int i, int j, const char *value) { char name[64]; bool name_ok = false; 
@@ -539,14 +534,12 @@ setenv_dns_options(const struct dns_options *o, struct env_set *es) if (s->dnssec) { - setenv_dns_option(es, "dns_server_%d_dnssec", i, -1, - dnssec_value(s->dnssec)); + setenv_dns_option(es, "dns_server_%d_dnssec", i, -1, dnssec_value(s->dnssec)); } if (s->transport) { - setenv_dns_option(es, "dns_server_%d_transport", i, -1, - transport_value(s->transport)); + setenv_dns_option(es, "dns_server_%d_transport", i, -1, transport_value(s->transport)); } if (s->sni) { @@ -566,7 +559,8 @@ updown_env_set(bool up, const struct dns_options *o, const struct tuntap *tt, st } static int -do_run_up_down_command(bool up, const char *vars_file, const struct dns_options *o, const struct tuntap *tt) +do_run_up_down_command(bool up, const char *vars_file, const struct dns_options *o, + const struct tuntap *tt) { struct gc_arena gc = gc_new(); struct argv argv = argv_new(); @@ -598,12 +592,12 @@ do_run_up_down_command(bool up, const char *vars_file, const struct dns_options } static bool -run_updown_runner(bool up, struct options *o, const struct tuntap *tt, struct dns_updown_runner_info *updown_runner) +run_updown_runner(bool up, struct options *o, const struct tuntap *tt, + struct dns_updown_runner_info *updown_runner) { int dns_pipe_fd[2]; int ack_pipe_fd[2]; - if (pipe(dns_pipe_fd) != 0 - || pipe(ack_pipe_fd) != 0) + if (pipe(dns_pipe_fd) != 0 || pipe(ack_pipe_fd) != 0) { msg(M_ERR | M_ERRNO, "run_dns_up_down: unable to create pipes"); return false; @@ -631,8 +625,7 @@ run_updown_runner(bool up, struct options *o, const struct tuntap *tt, struct dn /* Script runner process, close unused FDs */ for (int fd = 3; fd < 100; ++fd) { - if (fd != dns_pipe_fd[0] - && fd != ack_pipe_fd[1]) + if (fd != dns_pipe_fd[0] && fd != ack_pipe_fd[1]) { close(fd); } 
@@ -693,7 +686,8 @@ run_updown_runner(bool up, struct options *o, const struct tuntap *tt, struct dn } static void -run_up_down_command(bool up, struct options *o, const struct tuntap *tt, struct dns_updown_runner_info *updown_runner) +run_up_down_command(bool up, struct options *o, const struct tuntap *tt, + struct dns_updown_runner_info *updown_runner) { struct dns_options *dns = &o->dns_options; if (!dns->updown || (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns))) @@ -851,7 +845,8 @@ show_dns_options(const struct dns_options *o) } void -run_dns_up_down(bool up, struct options *o, const struct tuntap *tt, struct dns_updown_runner_info *duri) +run_dns_up_down(bool up, struct options *o, const struct tuntap *tt, + struct dns_updown_runner_info *duri) { if (!o->dns_options.servers) { @@ -881,14 +876,17 @@ run_dns_up_down(bool up, struct options *o, const struct tuntap *tt, struct dns_ } if (bad_count == s->addr_count) { - msg(M_WARN, "DNS server %ld only has address(es) from a family " + msg(M_WARN, + "DNS server %ld only has address(es) from a family " "the tunnel is not configured for - it will not be reachable", s->priority); } else if (bad_count) { - msg(M_WARN, "DNS server %ld has address(es) from a family " - "the tunnel is not configured for", s->priority); + msg(M_WARN, + "DNS server %ld has address(es) from a family " + "the tunnel is not configured for", + s->priority); } s = s->next; } diff --git a/src/openvpn/dns.h b/src/openvpn/dns.h index 94c76e522..6d97b40b5 100644 --- a/src/openvpn/dns.h +++ b/src/openvpn/dns.h 
@@ -27,33 +27,39 @@ #include "env_set.h" #include "tun.h" -enum dns_security { +enum dns_security +{ DNS_SECURITY_UNSET, DNS_SECURITY_NO, DNS_SECURITY_YES, DNS_SECURITY_OPTIONAL }; -enum dns_server_transport { +enum dns_server_transport +{ DNS_TRANSPORT_UNSET, DNS_TRANSPORT_PLAIN, DNS_TRANSPORT_HTTPS, DNS_TRANSPORT_TLS }; -enum dns_updown_flags { +enum dns_updown_flags +{ DNS_UPDOWN_NO_FLAGS, DNS_UPDOWN_USER_SET, DNS_UPDOWN_FORCED }; -struct dns_domain { +struct dns_domain +{ struct dns_domain *next; const char *name; }; -struct dns_server_addr { - union { +struct dns_server_addr +{ + union + { struct in_addr a4; struct in6_addr a6; } in; @@ -61,7 +67,8 @@ struct dns_server_addr { in_port_t port; }; -struct dns_server { +struct dns_server +{ struct dns_server *next; long priority; size_t addr_count; @@ -72,7 +79,8 @@ struct dns_server { const char *sni; }; -struct dns_updown_runner_info { +struct dns_updown_runner_info +{ bool required; int fds[2]; #if !defined(_WIN32) @@ -88,7 +96,8 @@ struct dns_updown_runner_info { #define N_SEARCH_LIST_LEN 10 #endif -struct dhcp_options { +struct dhcp_options +{ in_addr_t dns[N_DHCP_ADDR]; int dns_len; @@ -100,7 +109,8 @@ struct dhcp_options { int domain_search_list_len; }; -struct dns_options { +struct dns_options +{ struct dhcp_options from_dhcp; struct dns_domain *search_domains; struct dns_server *servers_prepull; @@ -165,8 +175,7 @@ bool dns_options_verify(int msglevel, const struct dns_options *o); * @param gc Pointer to the gc_arena to use for the clone * @return The dns_options clone */ -struct dns_options clone_dns_options(const struct dns_options *o, - struct gc_arena *gc); +struct dns_options clone_dns_options(const struct dns_options *o, struct gc_arena *gc); /** * Saves and resets the server options, so that pulled ones don't mix in. diff --git a/src/openvpn/env_set.c b/src/openvpn/env_set.c index 7809237e9..6c7df8ebd 100644 --- a/src/openvpn/env_set.c +++ b/src/openvpn/env_set.c 
@@ -246,7 +246,7 @@ env_set_write_file(const char *path, const struct env_set *es) if (es) { - const struct env_item *item = es->list; + const struct env_item *item = es->list; while (item) { fputs(item->string, fp); @@ -356,15 +356,10 @@ setenv_del(struct env_set *es, const char *name) } void -setenv_str_ex(struct env_set *es, - const char *name, - const char *value, - const unsigned int name_include, - const unsigned int name_exclude, - const char name_replace, - const unsigned int value_include, - const unsigned int value_exclude, - const char value_replace) +setenv_str_ex(struct env_set *es, const char *name, const char *value, + const unsigned int name_include, const unsigned int name_exclude, + const char name_replace, const unsigned int value_include, + const unsigned int value_exclude, const char value_replace) { struct gc_arena gc = gc_new(); const char *name_tmp; @@ -442,9 +437,7 @@ env_allowed(const char *str) /* Make arrays of strings */ const char ** -make_env_array(const struct env_set *es, - const bool check_allowed, - struct gc_arena *gc) +make_env_array(const struct env_set *es, const bool check_allowed, struct gc_arena *gc) { char **ret = NULL; struct env_item *e = NULL; @@ -460,7 +453,7 @@ make_env_array(const struct env_set *es, } /* alloc return array */ - ALLOC_ARRAY_CLEAR_GC(ret, char *, n+1, gc); + ALLOC_ARRAY_CLEAR_GC(ret, char *, n + 1, gc); /* fill return array */ if (es) diff --git a/src/openvpn/env_set.h b/src/openvpn/env_set.h index 63237a7da..3973a4ee2 100644 --- a/src/openvpn/env_set.h +++ b/src/openvpn/env_set.h 
@@ -33,26 +33,23 @@
 * Handle environmental variable lists */
-struct env_item {
+struct env_item
+{
 char *string;
 struct env_item *next;
 };
-struct env_set {
+struct env_set
+{
 struct gc_arena *gc;
 struct env_item *list;
 };
 /* set/delete environmental variable */
-void setenv_str_ex(struct env_set *es,
- const char *name,
- const char *value,
- const unsigned int name_include,
- const unsigned int name_exclude,
- const char name_replace,
- const unsigned int value_include,
- const unsigned int value_exclude,
- const char value_replace);
+void setenv_str_ex(struct env_set *es, const char *name, const char *value,
+ const unsigned int name_include, const unsigned int name_exclude,
+ const char name_replace, const unsigned int value_include,
+ const unsigned int value_exclude, const char value_replace);
 void setenv_counter(struct env_set *es, const char *name, counter_type value);
@@ -123,8 +120,7 @@ env_safe_to_print(const char *str)
 /* returns true if environmental variable may be passed to an external program */
 bool env_allowed(const char *str);
-const char **make_env_array(const struct env_set *es,
- const bool check_allowed,
+const char **make_env_array(const struct env_set *es, const bool check_allowed,
 struct gc_arena *gc);
 #endif /* ifndef ENV_SET_H */
diff --git a/src/openvpn/errlevel.h b/src/openvpn/errlevel.h
index e5e5b4898..2d33d5582 100644
--- a/src/openvpn/errlevel.h
+++ b/src/openvpn/errlevel.h
@@ -49,134 +49,134 @@
 * of output.
 */
-#define M_VERB0 LOGLEV(0, 0, 0) /* Messages displayed even at --verb 0 (fatal errors only) */
-
-#define M_INFO LOGLEV(1, 0, 0) /* default informational messages */
-
-#define D_LINK_ERRORS LOGLEV(1, 1, M_NONFATAL) /* show link errors from main event loop */
-#define D_CRYPT_ERRORS LOGLEV(1, 2, M_NONFATAL) /* show errors from encrypt/decrypt */
-#define D_TLS_ERRORS LOGLEV(1, 3, M_NONFATAL) /* show TLS control channel errors */
-#define D_RESOLVE_ERRORS LOGLEV(1, 4, M_NONFATAL) /* show hostname resolve errors */
-#define D_COMP_ERRORS LOGLEV(1, 5, M_NONFATAL) /* show compression errors */
-#define D_REPLAY_ERRORS LOGLEV(1, 6, M_NONFATAL) /* show packet replay errors */
-#define D_STREAM_ERRORS LOGLEV(1, 7, M_NONFATAL) /* TCP stream error requiring restart */
-#define D_IMPORT_ERRORS LOGLEV(1, 8, M_NONFATAL) /* show server import option errors */
-#define D_MULTI_ERRORS LOGLEV(1, 9, M_NONFATAL) /* show multi-client server errors */
-#define D_EVENT_ERRORS LOGLEV(1, 10, M_NONFATAL) /* show event.[ch] errors */
-#define D_PUSH_ERRORS LOGLEV(1, 11, M_NONFATAL) /* show push/pull errors */
-#define D_PID_PERSIST LOGLEV(1, 12, M_NONFATAL) /* show packet_id persist errors */
-#define D_FRAG_ERRORS LOGLEV(1, 13, M_NONFATAL) /* show fragmentation errors */
-#define D_ALIGN_ERRORS LOGLEV(1, 14, M_NONFATAL) /* show bad struct alignments */
-
-#define D_HANDSHAKE LOGLEV(2, 20, 0) /* show data & control channel handshakes */
-#define D_CLOSE LOGLEV(2, 22, 0) /* show socket and TUN/TAP close */
-#define D_PROXY LOGLEV(2, 24, 0) /* show http proxy control packets */
-#define D_ARGV LOGLEV(2, 25, 0) /* show struct argv errors */
-
-#define D_TLS_DEBUG_LOW LOGLEV(3, 20, 0) /* low frequency info from tls_session routines */
-#define D_GREMLIN LOGLEV(3, 30, 0) /* show simulated outage info from gremlin module */
-#define D_GENKEY LOGLEV(3, 31, 0) /* print message after key generation */
-#define D_ROUTE LOGLEV(3, 0, 0) /* show routes added and deleted (don't mute) */
-#define D_TUNTAP_INFO LOGLEV(3, 32, 0) /* show debugging info from TUN/TAP driver */
-#define D_RESTART LOGLEV(3, 33, 0) /* show certain restart messages */
-#define D_PUSH LOGLEV(3, 34, 0) /* show push/pull info */
-#define D_IFCONFIG_POOL LOGLEV(3, 35, 0) /* show ifconfig pool info */
-#define D_AUTH LOGLEV(3, 37, 0) /* show user/pass auth info */
-#define D_MULTI_LOW LOGLEV(3, 38, 0) /* show point-to-multipoint low-freq debug info */
-#define D_PLUGIN LOGLEV(3, 39, 0) /* show plugin calls */
-#define D_MANAGEMENT LOGLEV(3, 40, 0) /* show --management info */
-#define D_SCHED_EXIT LOGLEV(3, 41, 0) /* show arming of scheduled exit */
-#define D_ROUTE_QUOTA LOGLEV(3, 42, 0) /* show route quota exceeded messages */
-#define D_OSBUF LOGLEV(3, 43, 0) /* show socket/tun/tap buffer sizes */
-#define D_PS_PROXY LOGLEV(3, 44, 0) /* messages related to --port-share option */
-#define D_IFCONFIG LOGLEV(3, 0, 0) /* show ifconfig info (don't mute) */
-#define D_DCO LOGLEV(3, 0, 0) /* show DCO related messages */
-
-#define D_SHOW_PARMS LOGLEV(4, 50, 0) /* show all parameters on program initiation */
-#define D_LOW LOGLEV(4, 52, 0) /* miscellaneous low-frequency debug info */
-#define D_DHCP_OPT LOGLEV(4, 53, 0) /* show DHCP options binary string */
-#define D_MBUF LOGLEV(4, 54, 0) /* mbuf.[ch] routines */
-#define D_PACKET_TRUNC_ERR LOGLEV(4, 55, 0) /* PACKET_TRUNCATION_CHECK */
-#define D_MULTI_DROPPED LOGLEV(4, 57, 0) /* show point-to-multipoint packet drops */
-#define D_MULTI_MEDIUM LOGLEV(4, 58, 0) /* show medium frequency multi messages */
-#define D_X509_ATTR LOGLEV(4, 59, 0) /* show x509-track attributes on connection */
-#define D_INIT_MEDIUM LOGLEV(4, 60, 0) /* show medium frequency init messages */
-#define D_MTU_INFO LOGLEV(4, 61, 0) /* show terse MTU info */
-#define D_PID_DEBUG_LOW LOGLEV(4, 63, 0) /* show low-freq packet-id debugging info */
-#define D_PID_DEBUG_MEDIUM LOGLEV(4, 64, 0) /* show medium-freq packet-id debugging info */
-#define D_CIPHER_INIT LOGLEV(4, 65, 0) /* show messages about cipher init */
-
-#define D_LOG_RW LOGLEV(5, 0, 0) /* Print 'R' or 'W' to stdout for read/write */
-
-#define D_RTNL LOGLEV(6, 68, M_DEBUG) /* show RTNL low level operations */
-#define D_LINK_RW LOGLEV(6, 69, M_DEBUG) /* show TCP/UDP reads/writes (terse) */
-#define D_TUN_RW LOGLEV(6, 69, M_DEBUG) /* show TUN/TAP reads/writes */
-#define D_TAP_WIN_DEBUG LOGLEV(6, 69, M_DEBUG) /* show TAP-Windows driver debug info */
-#define D_CLIENT_NAT LOGLEV(6, 69, M_DEBUG) /* show client NAT debug info */
-#define D_XKEY LOGLEV(6, 69, M_DEBUG) /* show xkey-provider debug info */
-#define D_DCO_DEBUG LOGLEV(6, 69, M_DEBUG) /* show DCO related lowlevel debug messages */
-#define D_SIGNAL_DEBUG LOGLEV(6, 69, M_DEBUG) /* show signal related debug messages */
-
-#define D_SHOW_KEYS LOGLEV(7, 70, M_DEBUG) /* show data channel encryption keys */
-#define D_SHOW_KEY_SOURCE LOGLEV(7, 70, M_DEBUG) /* show data channel key source entropy */
-#define D_REL_LOW LOGLEV(7, 70, M_DEBUG) /* show low frequency info from reliable layer */
-#define D_FRAG_DEBUG LOGLEV(7, 70, M_DEBUG) /* show fragment debugging info */
-#define D_WIN32_IO_LOW LOGLEV(7, 70, M_DEBUG) /* low freq win32 I/O debugging info */
-#define D_MTU_DEBUG LOGLEV(7, 70, M_DEBUG) /* show MTU debugging info */
-#define D_MULTI_DEBUG LOGLEV(7, 70, M_DEBUG) /* show medium-freq multi debugging info */
-#define D_MSS LOGLEV(7, 70, M_DEBUG) /* show MSS adjustments */
-#define D_COMP_LOW LOGLEV(7, 70, M_DEBUG) /* show adaptive compression state changes */
-#define D_CONNECTION_LIST LOGLEV(7, 70, M_DEBUG) /* show list info */
-#define D_SCRIPT LOGLEV(7, 70, M_DEBUG) /* show parms & env vars passed to scripts */
-#define D_SHOW_NET LOGLEV(7, 70, M_DEBUG) /* show routing table and adapter list */
-#define D_ROUTE_DEBUG LOGLEV(7, 70, M_DEBUG) /* show verbose route.[ch] output */
-#define D_TLS_STATE_ERRORS LOGLEV(7, 70, M_DEBUG) /* no TLS state for client */
-#define D_SEMAPHORE_LOW LOGLEV(7, 70, M_DEBUG) /* show Win32 semaphore waits (low freq) */
-#define D_SEMAPHORE LOGLEV(7, 70, M_DEBUG) /* show Win32 semaphore waits */
-#define D_TEST_FILE LOGLEV(7, 70, M_DEBUG) /* show test_file() calls */
-#define D_MANAGEMENT_DEBUG LOGLEV(3, 70, M_DEBUG) /* show --management debug info */
-#define D_PLUGIN_DEBUG LOGLEV(7, 70, M_DEBUG) /* show verbose plugin calls */
-#define D_SOCKET_DEBUG LOGLEV(7, 70, M_DEBUG) /* show socket.[ch] debugging info */
-#define D_SHOW_PKCS11 LOGLEV(7, 70, M_DEBUG) /* show PKCS#11 actions */
-#define D_ALIGN_DEBUG LOGLEV(7, 70, M_DEBUG) /* show verbose struct alignment info */
-#define D_PACKET_TRUNC_DEBUG LOGLEV(7, 70, M_DEBUG) /* PACKET_TRUNCATION_CHECK verbose */
-#define D_PING LOGLEV(7, 70, M_DEBUG) /* PING send/receive messages */
-#define D_PS_PROXY_DEBUG LOGLEV(7, 70, M_DEBUG) /* port share proxy debug */
-#define D_TLS_KEYSELECT LOGLEV(7, 70, M_DEBUG) /* show key selection for data channel */
-#define D_ARGV_PARSE_CMD LOGLEV(7, 70, M_DEBUG) /* show parse_line() errors in argv_parse_cmd */
-#define D_CRYPTO_DEBUG LOGLEV(7, 70, M_DEBUG) /* show detailed info from crypto.c routines */
-#define D_PID_DEBUG LOGLEV(7, 70, M_DEBUG) /* show packet-id debugging info */
-#define D_PUSH_DEBUG LOGLEV(7, 73, M_DEBUG) /* show push/pull debugging info */
-#define D_SHOW_OCC LOGLEV(7, 74, M_DEBUG) /* show options compatibility string */
-
-
-#define D_VLAN_DEBUG LOGLEV(7, 74, M_DEBUG) /* show VLAN tagging/untagging debug info */
-
-#define D_HANDSHAKE_VERBOSE LOGLEV(8, 70, M_DEBUG) /* show detailed description of handshake */
-#define D_TLS_DEBUG_MED LOGLEV(8, 70, M_DEBUG) /* limited info from tls_session routines */
-#define D_INTERVAL LOGLEV(8, 70, M_DEBUG) /* show interval.h debugging info */
-#define D_SCHEDULER LOGLEV(8, 70, M_DEBUG) /* show scheduler debugging info */
-#define D_GREMLIN_VERBOSE LOGLEV(8, 70, M_DEBUG) /* show verbose info from gremlin module */
-#define D_REL_DEBUG LOGLEV(8, 70, M_DEBUG) /* show detailed info from reliable routines */
-#define D_EVENT_WAIT LOGLEV(8, 70, M_DEBUG) /* show detailed info from event waits */
-#define D_MULTI_TCP LOGLEV(8, 70, M_DEBUG) /* show debug info from mtcp.c */
-
-#define D_TLS_DEBUG LOGLEV(9, 70, M_DEBUG) /* show detailed info from TLS routines */
-#define D_COMP LOGLEV(9, 70, M_DEBUG) /* show compression info */
-#define D_READ_WRITE LOGLEV(9, 70, M_DEBUG) /* show all tun/tcp/udp reads/writes/opens */
-#define D_PACKET_CONTENT LOGLEV(9, 70, M_DEBUG) /* show before/after encryption packet content */
-#define D_TLS_NO_SEND_KEY LOGLEV(9, 70, M_DEBUG) /* show when no data channel send-key exists */
-#define D_PID_PERSIST_DEBUG LOGLEV(9, 70, M_DEBUG) /* show packet-id persist debugging info */
-#define D_LINK_RW_VERBOSE LOGLEV(9, 70, M_DEBUG) /* increase link reads/writes verbosity */
-#define D_STREAM_DEBUG LOGLEV(9, 70, M_DEBUG) /* show TCP stream debug info */
-#define D_WIN32_IO LOGLEV(9, 70, M_DEBUG) /* win32 I/O debugging info */
-#define D_PKCS11_DEBUG LOGLEV(9, 70, M_DEBUG) /* show PKCS#11 debugging */
-
-#define D_SHAPER_DEBUG LOGLEV(10, 70, M_DEBUG) /* show traffic shaper info */
-
-#define D_REGISTRY LOGLEV(11, 70, M_DEBUG) /* win32 registry debugging info */
-#define D_OPENSSL_LOCK LOGLEV(11, 70, M_DEBUG) /* show OpenSSL locks */
-
-/*#define D_THREAD_DEBUG LOGLEV(4, 70, M_DEBUG)*/ /* show pthread debug information */
-
-#endif /* ifndef ERRLEVEL_H */
+#define M_VERB0 LOGLEV(0, 0, 0) /* Messages displayed even at --verb 0 (fatal errors only) */
+
+#define M_INFO LOGLEV(1, 0, 0) /* default informational messages */
+
+#define D_LINK_ERRORS LOGLEV(1, 1, M_NONFATAL) /* show link errors from main event loop */
+#define D_CRYPT_ERRORS LOGLEV(1, 2, M_NONFATAL) /* show errors from encrypt/decrypt */
+#define D_TLS_ERRORS LOGLEV(1, 3, M_NONFATAL) /* show TLS control channel errors */
+#define D_RESOLVE_ERRORS LOGLEV(1, 4, M_NONFATAL) /* show hostname resolve errors */
+#define D_COMP_ERRORS LOGLEV(1, 5, M_NONFATAL) /* show compression errors */
+#define D_REPLAY_ERRORS LOGLEV(1, 6, M_NONFATAL) /* show packet replay errors */
+#define D_STREAM_ERRORS LOGLEV(1, 7, M_NONFATAL) /* TCP stream error requiring restart */
+#define D_IMPORT_ERRORS LOGLEV(1, 8, M_NONFATAL) /* show server import option errors */
+#define D_MULTI_ERRORS LOGLEV(1, 9, M_NONFATAL) /* show multi-client server errors */
+#define D_EVENT_ERRORS LOGLEV(1, 10, M_NONFATAL) /* show event.[ch] errors */
+#define D_PUSH_ERRORS LOGLEV(1, 11, M_NONFATAL) /* show push/pull errors */
+#define D_PID_PERSIST LOGLEV(1, 12, M_NONFATAL) /* show packet_id persist errors */
+#define D_FRAG_ERRORS LOGLEV(1, 13, M_NONFATAL) /* show fragmentation errors */
+#define D_ALIGN_ERRORS LOGLEV(1, 14, M_NONFATAL) /* show bad struct alignments */
+
+#define D_HANDSHAKE LOGLEV(2, 20, 0) /* show data & control channel handshakes */
+#define D_CLOSE LOGLEV(2, 22, 0) /* show socket and TUN/TAP close */
+#define D_PROXY LOGLEV(2, 24, 0) /* show http proxy control packets */
+#define D_ARGV LOGLEV(2, 25, 0) /* show struct argv errors */
+
+#define D_TLS_DEBUG_LOW LOGLEV(3, 20, 0) /* low frequency info from tls_session routines */
+#define D_GREMLIN LOGLEV(3, 30, 0) /* show simulated outage info from gremlin module */
+#define D_GENKEY LOGLEV(3, 31, 0) /* print message after key generation */
+#define D_ROUTE LOGLEV(3, 0, 0) /* show routes added and deleted (don't mute) */
+#define D_TUNTAP_INFO LOGLEV(3, 32, 0) /* show debugging info from TUN/TAP driver */
+#define D_RESTART LOGLEV(3, 33, 0) /* show certain restart messages */
+#define D_PUSH LOGLEV(3, 34, 0) /* show push/pull info */
+#define D_IFCONFIG_POOL LOGLEV(3, 35, 0) /* show ifconfig pool info */
+#define D_AUTH LOGLEV(3, 37, 0) /* show user/pass auth info */
+#define D_MULTI_LOW LOGLEV(3, 38, 0) /* show point-to-multipoint low-freq debug info */
+#define D_PLUGIN LOGLEV(3, 39, 0) /* show plugin calls */
+#define D_MANAGEMENT LOGLEV(3, 40, 0) /* show --management info */
+#define D_SCHED_EXIT LOGLEV(3, 41, 0) /* show arming of scheduled exit */
+#define D_ROUTE_QUOTA LOGLEV(3, 42, 0) /* show route quota exceeded messages */
+#define D_OSBUF LOGLEV(3, 43, 0) /* show socket/tun/tap buffer sizes */
+#define D_PS_PROXY LOGLEV(3, 44, 0) /* messages related to --port-share option */
+#define D_IFCONFIG LOGLEV(3, 0, 0) /* show ifconfig info (don't mute) */
+#define D_DCO LOGLEV(3, 0, 0) /* show DCO related messages */
+
+#define D_SHOW_PARMS LOGLEV(4, 50, 0) /* show all parameters on program initiation */
+#define D_LOW LOGLEV(4, 52, 0) /* miscellaneous low-frequency debug info */
+#define D_DHCP_OPT LOGLEV(4, 53, 0) /* show DHCP options binary string */
+#define D_MBUF LOGLEV(4, 54, 0) /* mbuf.[ch] routines */
+#define D_PACKET_TRUNC_ERR LOGLEV(4, 55, 0) /* PACKET_TRUNCATION_CHECK */
+#define D_MULTI_DROPPED LOGLEV(4, 57, 0) /* show point-to-multipoint packet drops */
+#define D_MULTI_MEDIUM LOGLEV(4, 58, 0) /* show medium frequency multi messages */
+#define D_X509_ATTR LOGLEV(4, 59, 0) /* show x509-track attributes on connection */
+#define D_INIT_MEDIUM LOGLEV(4, 60, 0) /* show medium frequency init messages */
+#define D_MTU_INFO LOGLEV(4, 61, 0) /* show terse MTU info */
+#define D_PID_DEBUG_LOW LOGLEV(4, 63, 0) /* show low-freq packet-id debugging info */
+#define D_PID_DEBUG_MEDIUM LOGLEV(4, 64, 0) /* show medium-freq packet-id debugging info */
+#define D_CIPHER_INIT LOGLEV(4, 65, 0) /* show messages about cipher init */
+
+#define D_LOG_RW LOGLEV(5, 0, 0) /* Print 'R' or 'W' to stdout for read/write */
+
+#define D_RTNL LOGLEV(6, 68, M_DEBUG) /* show RTNL low level operations */
+#define D_LINK_RW LOGLEV(6, 69, M_DEBUG) /* show TCP/UDP reads/writes (terse) */
+#define D_TUN_RW LOGLEV(6, 69, M_DEBUG) /* show TUN/TAP reads/writes */
+#define D_TAP_WIN_DEBUG LOGLEV(6, 69, M_DEBUG) /* show TAP-Windows driver debug info */
+#define D_CLIENT_NAT LOGLEV(6, 69, M_DEBUG) /* show client NAT debug info */
+#define D_XKEY LOGLEV(6, 69, M_DEBUG) /* show xkey-provider debug info */
+#define D_DCO_DEBUG LOGLEV(6, 69, M_DEBUG) /* show DCO related lowlevel debug messages */
+#define D_SIGNAL_DEBUG LOGLEV(6, 69, M_DEBUG) /* show signal related debug messages */
+
+#define D_SHOW_KEYS LOGLEV(7, 70, M_DEBUG) /* show data channel encryption keys */
+#define D_SHOW_KEY_SOURCE LOGLEV(7, 70, M_DEBUG) /* show data channel key source entropy */
+#define D_REL_LOW LOGLEV(7, 70, M_DEBUG) /* show low frequency info from reliable layer */
+#define D_FRAG_DEBUG LOGLEV(7, 70, M_DEBUG) /* show fragment debugging info */
+#define D_WIN32_IO_LOW LOGLEV(7, 70, M_DEBUG) /* low freq win32 I/O debugging info */
+#define D_MTU_DEBUG LOGLEV(7, 70, M_DEBUG) /* show MTU debugging info */
+#define D_MULTI_DEBUG LOGLEV(7, 70, M_DEBUG) /* show medium-freq multi debugging info */
+#define D_MSS LOGLEV(7, 70, M_DEBUG) /* show MSS adjustments */
+#define D_COMP_LOW LOGLEV(7, 70, M_DEBUG) /* show adaptive compression state changes */
+#define D_CONNECTION_LIST LOGLEV(7, 70, M_DEBUG) /* show list info */
+#define D_SCRIPT LOGLEV(7, 70, M_DEBUG) /* show parms & env vars passed to scripts */
+#define D_SHOW_NET LOGLEV(7, 70, M_DEBUG) /* show routing table and adapter list */
+#define D_ROUTE_DEBUG LOGLEV(7, 70, M_DEBUG) /* show verbose route.[ch] output */
+#define D_TLS_STATE_ERRORS LOGLEV(7, 70, M_DEBUG) /* no TLS state for client */
+#define D_SEMAPHORE_LOW LOGLEV(7, 70, M_DEBUG) /* show Win32 semaphore waits (low freq) */
+#define D_SEMAPHORE LOGLEV(7, 70, M_DEBUG) /* show Win32 semaphore waits */
+#define D_TEST_FILE LOGLEV(7, 70, M_DEBUG) /* show test_file() calls */
+#define D_MANAGEMENT_DEBUG LOGLEV(3, 70, M_DEBUG) /* show --management debug info */
+#define D_PLUGIN_DEBUG LOGLEV(7, 70, M_DEBUG) /* show verbose plugin calls */
+#define D_SOCKET_DEBUG LOGLEV(7, 70, M_DEBUG) /* show socket.[ch] debugging info */
+#define D_SHOW_PKCS11 LOGLEV(7, 70, M_DEBUG) /* show PKCS#11 actions */
+#define D_ALIGN_DEBUG LOGLEV(7, 70, M_DEBUG) /* show verbose struct alignment info */
+#define D_PACKET_TRUNC_DEBUG LOGLEV(7, 70, M_DEBUG) /* PACKET_TRUNCATION_CHECK verbose */
+#define D_PING LOGLEV(7, 70, M_DEBUG) /* PING send/receive messages */
+#define D_PS_PROXY_DEBUG LOGLEV(7, 70, M_DEBUG) /* port share proxy debug */
+#define D_TLS_KEYSELECT LOGLEV(7, 70, M_DEBUG) /* show key selection for data channel */
+#define D_ARGV_PARSE_CMD LOGLEV(7, 70, M_DEBUG) /* show parse_line() errors in argv_parse_cmd */
+#define D_CRYPTO_DEBUG LOGLEV(7, 70, M_DEBUG) /* show detailed info from crypto.c routines */
+#define D_PID_DEBUG LOGLEV(7, 70, M_DEBUG) /* show packet-id debugging info */
+#define D_PUSH_DEBUG LOGLEV(7, 73, M_DEBUG) /* show push/pull debugging info */
+#define D_SHOW_OCC LOGLEV(7, 74, M_DEBUG) /* show options compatibility string */
+
+
+#define D_VLAN_DEBUG LOGLEV(7, 74, M_DEBUG) /* show VLAN tagging/untagging debug info */
+
+#define D_HANDSHAKE_VERBOSE LOGLEV(8, 70, M_DEBUG) /* show detailed description of handshake */
+#define D_TLS_DEBUG_MED LOGLEV(8, 70, M_DEBUG) /* limited info from tls_session routines */
+#define D_INTERVAL LOGLEV(8, 70, M_DEBUG) /* show interval.h debugging info */
+#define D_SCHEDULER LOGLEV(8, 70, M_DEBUG) /* show scheduler debugging info */
+#define D_GREMLIN_VERBOSE LOGLEV(8, 70, M_DEBUG) /* show verbose info from gremlin module */
+#define D_REL_DEBUG LOGLEV(8, 70, M_DEBUG) /* show detailed info from reliable routines */
+#define D_EVENT_WAIT LOGLEV(8, 70, M_DEBUG) /* show detailed info from event waits */
+#define D_MULTI_TCP LOGLEV(8, 70, M_DEBUG) /* show debug info from mtcp.c */
+
+#define D_TLS_DEBUG LOGLEV(9, 70, M_DEBUG) /* show detailed info from TLS routines */
+#define D_COMP LOGLEV(9, 70, M_DEBUG) /* show compression info */
+#define D_READ_WRITE LOGLEV(9, 70, M_DEBUG) /* show all tun/tcp/udp reads/writes/opens */
+#define D_PACKET_CONTENT LOGLEV(9, 70, M_DEBUG) /* show before/after encryption packet content */
+#define D_TLS_NO_SEND_KEY LOGLEV(9, 70, M_DEBUG) /* show when no data channel send-key exists */
+#define D_PID_PERSIST_DEBUG LOGLEV(9, 70, M_DEBUG) /* show packet-id persist debugging info */
+#define D_LINK_RW_VERBOSE LOGLEV(9, 70, M_DEBUG) /* increase link reads/writes verbosity */
+#define D_STREAM_DEBUG LOGLEV(9, 70, M_DEBUG) /* show TCP stream debug info */
+#define D_WIN32_IO LOGLEV(9, 70, M_DEBUG) /* win32 I/O debugging info */
+#define D_PKCS11_DEBUG LOGLEV(9, 70, M_DEBUG) /* show PKCS#11 debugging */
+
+#define D_SHAPER_DEBUG LOGLEV(10, 70, M_DEBUG) /* show traffic shaper info */
+
+#define D_REGISTRY LOGLEV(11, 70, M_DEBUG) /* win32 registry debugging info */
+#define D_OPENSSL_LOCK LOGLEV(11, 70, M_DEBUG) /* show OpenSSL locks */
+
+/*#define D_THREAD_DEBUG LOGLEV(4, 70, M_DEBUG)*/ /* show pthread debug information */
+
+#endif /* ifndef ERRLEVEL_H */
diff --git a/src/openvpn/error.c b/src/openvpn/error.c
index 22c339f61..dacfa8f63 100644
--- a/src/openvpn/error.c
+++ b/src/openvpn/error.c
@@ -51,9 +51,9 @@ unsigned int x_debug_level; /* GLOBAL */
 /* Mute state */
-static int mute_cutoff; /* GLOBAL */
-static int mute_count; /* GLOBAL */
-static int mute_category; /* GLOBAL */
+static int mute_cutoff; /* GLOBAL */
+static int mute_count; /* GLOBAL */
+static int mute_category; /* GLOBAL */
 /*
 * Output mode priorities are as follows:
@@ -67,28 +67,28 @@ static int mute_category; /* GLOBAL */ /* If true, indicates that stdin/stdout/stderr * have been redirected due to --log */ -static bool std_redir; /* GLOBAL */ +static bool std_redir; /* GLOBAL */ /* Should messages be written to the syslog? */ -static bool use_syslog; /* GLOBAL */ +static bool use_syslog; /* GLOBAL */ /* Should stdout/stderr be be parsable and always be prefixed with time * and message flags */ -static bool machine_readable_output; /* GLOBAL */ +static bool machine_readable_output; /* GLOBAL */ /* Should timestamps be included on messages to stdout/stderr? */ static bool suppress_timestamps; /* GLOBAL */ /* The program name passed to syslog */ #if SYSLOG_CAPABILITY -static char *pgmname_syslog; /* GLOBAL */ +static char *pgmname_syslog; /* GLOBAL */ #endif /* If non-null, messages should be written here (used for debugging only) */ -static FILE *msgfp; /* GLOBAL */ +static FILE *msgfp; /* GLOBAL */ /* If true, we forked from main OpenVPN process */ -static bool forked; /* GLOBAL */ +static bool forked; /* GLOBAL */ /* our default output targets */ static FILE *default_out; /* GLOBAL */ @@ -175,7 +175,7 @@ error_reset(void) { openvpn_exit(OPENVPN_EXIT_STATUS_CANNOT_OPEN_DEBUG_FILE); /* exit point */ } -#else /* ifdef OPENVPN_DEBUG_COMMAND_LINE */ +#else /* ifdef OPENVPN_DEBUG_COMMAND_LINE */ msgfp = NULL; #endif } @@ -195,7 +195,7 @@ msg_fp(const unsigned int flags) FILE *fp = msgfp; if (!fp) { - fp = (flags & (M_FATAL|M_USAGE_SMALL)) ? default_err : default_out; + fp = (flags & (M_FATAL | M_USAGE_SMALL)) ? default_err : default_out; } if (!fp) { @@ -204,7 +204,12 @@ msg_fp(const unsigned int flags) return fp; } -#define SWAP { tmp = m1; m1 = m2; m2 = tmp; } +#define SWAP \ + { \ + tmp = m1; \ + m1 = m2; \ + m2 = tmp; \ + } int x_msg_line_num; /* GLOBAL */ 
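Review bot: The re-laid-out `SWAP` macro in the `@@ -204,7 +204,12 @@` hunk is still a bare brace block rather than a `do { … } while (0)` statement, so `SWAP;` expands to a block followed by an empty statement and would break an `if (…) SWAP; else …` form; it also silently depends on `tmp`, `m1` and `m2` existing in the caller's scope, which nothing at the definition says. Since the hunk already rewrites the macro across several lines, this is the moment to make it a proper statement macro, `#define SWAP do { tmp = m1; m1 = m2; m2 = tmp; } while (0)`, or at least to add a comment above it such as `/* swaps x_msg_va's scratch buffers m1/m2 through the local tmp; not a general-purpose macro */`. The only use visible in this patch is the `SWAP;` inside x_msg_va's M_ERRNO branch, which behaves the same either way.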
@@ -265,16 +270,15 @@ x_msg_va(const unsigned int flags, const char *format, va_list arglist) gc_init(&gc); - m1 = (char *) gc_malloc(ERR_BUF_SIZE, false, &gc); - m2 = (char *) gc_malloc(ERR_BUF_SIZE, false, &gc); + m1 = (char *)gc_malloc(ERR_BUF_SIZE, false, &gc); + m2 = (char *)gc_malloc(ERR_BUF_SIZE, false, &gc); vsnprintf(m1, ERR_BUF_SIZE, format, arglist); m1[ERR_BUF_SIZE - 1] = 0; /* windows vsnprintf needs this */ if ((flags & M_ERRNO) && e) { - snprintf(m2, ERR_BUF_SIZE, "%s: %s (errno=%d)", - m1, openvpn_strerror(e, crt_error, &gc), e); + snprintf(m2, ERR_BUF_SIZE, "%s: %s (errno=%d)", m1, openvpn_strerror(e, crt_error, &gc), e); SWAP; } @@ -285,7 +289,7 @@ x_msg_va(const unsigned int flags, const char *format, va_list arglist) } #if SYSLOG_CAPABILITY - if (flags & (M_FATAL|M_NONFATAL|M_USAGE_SMALL)) + if (flags & (M_FATAL | M_NONFATAL | M_USAGE_SMALL)) { level = LOG_ERR; } @@ -320,10 +324,7 @@ x_msg_va(const unsigned int flags, const char *format, va_list arglist) const struct virtual_output *vo = msg_get_virtual_output(); if (vo) { - snprintf(m2, ERR_BUF_SIZE, "%s%s%s", - prefix, - prefix_sep, - m1); + snprintf(m2, ERR_BUF_SIZE, "%s%s%s", prefix, prefix_sep, m1); virtual_output_print(vo, flags, m2); } } @@ -333,10 +334,7 @@ x_msg_va(const unsigned int flags, const char *format, va_list arglist) if (use_syslog && !std_redir && !forked) { #if SYSLOG_CAPABILITY - syslog(level, "%s%s%s", - prefix, - prefix_sep, - m1); + syslog(level, "%s%s%s", prefix, prefix_sep, m1); #endif } else 
@@ -349,32 +347,17 @@ x_msg_va(const unsigned int flags, const char *format, va_list arglist) struct timeval tv; gettimeofday(&tv, NULL); - fprintf(fp, "%" PRIi64 ".%06ld %x %s%s%s%s", - (int64_t)tv.tv_sec, - (long)tv.tv_usec, - flags, - prefix, - prefix_sep, - m1, - "\n"); - + fprintf(fp, "%" PRIi64 ".%06ld %x %s%s%s%s", (int64_t)tv.tv_sec, (long)tv.tv_usec, + flags, prefix, prefix_sep, m1, "\n"); } else if ((flags & M_NOPREFIX) || suppress_timestamps) { - fprintf(fp, "%s%s%s%s", - prefix, - prefix_sep, - m1, - (flags&M_NOLF) ? "" : "\n"); + fprintf(fp, "%s%s%s%s", prefix, prefix_sep, m1, (flags & M_NOLF) ? "" : "\n"); } else { - fprintf(fp, "%s %s%s%s%s", - time_string(0, 0, show_usec, &gc), - prefix, - prefix_sep, - m1, - (flags&M_NOLF) ? "" : "\n"); + fprintf(fp, "%s %s%s%s%s", time_string(0, 0, show_usec, &gc), prefix, prefix_sep, + m1, (flags & M_NOLF) ? "" : "\n"); } fflush(fp); ++x_msg_line_num; @@ -389,7 +372,6 @@ x_msg_va(const unsigned int flags, const char *format, va_list arglist) if (flags & M_FATAL) { openvpn_exit(OPENVPN_EXIT_STATUS_ERROR); /* exit point */ - } if (flags & M_USAGE_SMALL) { @@ -426,8 +408,7 @@ dont_mute(unsigned int flags) if (suppressed > 0) { msg(M_INFO | M_NOMUTE, - "%d variation(s) on previous %d message(s) suppressed by --mute", - suppressed, + "%d variation(s) on previous %d message(s) suppressed by --mute", suppressed, mute_cutoff); } mute_count = 1; @@ -481,8 +462,9 @@ open_syslog(const char *pgmname, bool stdio_to_null) } } } -#else /* if SYSLOG_CAPABILITY */ - msg(M_WARN, "Warning on use of --daemon: this operating system lacks daemon logging features, therefore when I become a daemon, I won't be able to log status or error messages"); +#else /* if SYSLOG_CAPABILITY */ + msg(M_WARN, + "Warning on use of --daemon: this operating system lacks daemon logging features, therefore when I become a daemon, I won't be able to log status or error messages"); #endif } 
@@ -525,19 +507,14 @@ redirect_stdout_stderr(const char *file, bool append) saAttr.bInheritHandle = TRUE; saAttr.lpSecurityDescriptor = NULL; - log_handle = CreateFileW(wide_string(file, &gc), - GENERIC_WRITE, - FILE_SHARE_READ, - &saAttr, - append ? OPEN_ALWAYS : CREATE_ALWAYS, - FILE_ATTRIBUTE_NORMAL, - NULL); + log_handle = CreateFileW(wide_string(file, &gc), GENERIC_WRITE, FILE_SHARE_READ, &saAttr, + append ? OPEN_ALWAYS : CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); gc_free(&gc); if (log_handle == INVALID_HANDLE_VALUE) { - msg(M_WARN|M_ERRNO, "Warning: cannot open --log file: %s", file); + msg(M_WARN | M_ERRNO, "Warning: cannot open --log file: %s", file); return; } @@ -554,7 +531,8 @@ redirect_stdout_stderr(const char *file, bool append) orig_stderr = _dup(_fileno(stderr)); if (orig_stderr == -1) { - msg(M_WARN | M_ERRNO, "Warning: cannot duplicate stderr, password prompts will appear in log file instead of console."); + msg(M_WARN | M_ERRNO, + "Warning: cannot duplicate stderr, password prompts will appear in log file instead of console."); orig_stderr = _fileno(stderr); } @@ -584,13 +562,12 @@ redirect_stdout_stderr(const char *file, bool append) #elif defined(HAVE_DUP2) if (!std_redir) { - int out = open(file, - O_CREAT | O_WRONLY | (append ? O_APPEND : O_TRUNC), - S_IRUSR | S_IWUSR); + int out = open(file, O_CREAT | O_WRONLY | (append ? O_APPEND : O_TRUNC), S_IRUSR | S_IWUSR); if (out < 0) { - msg(M_WARN|M_ERRNO, "Warning: Error redirecting stdout/stderr to --log file: %s", file); + msg(M_WARN | M_ERRNO, "Warning: Error redirecting stdout/stderr to --log file: %s", + file); return; } @@ -612,7 +589,8 @@ redirect_stdout_stderr(const char *file, bool append) } #else /* if defined(_WIN32) */ - msg(M_WARN, "WARNING: The --log option is not supported on this OS because it lacks the dup2 function"); + msg(M_WARN, + "WARNING: The --log option is not supported on this OS because it lacks the dup2 function"); #endif /* if defined(_WIN32) */ } 
@@ -648,10 +626,7 @@ set_check_status(unsigned int info_level, unsigned int verbose_level) * from the OS. */ void -x_check_status(int status, - const char *description, - struct link_socket *sock, - struct tuntap *tt) +x_check_status(int status, const char *description, struct link_socket *sock, struct tuntap *tt) { const char *extended_msg = NULL; @@ -659,9 +634,7 @@ x_check_status(int status, int my_errno = openvpn_errno_maybe_crt(&crt_error); msg(x_cs_verbose_level, "%s %s returned %d", - sock ? proto2ascii(sock->info.proto, sock->info.af, true) : "", - description, - status); + sock ? proto2ascii(sock->info.proto, sock->info.af, true) : "", description, status); if (status < 0) { @@ -693,16 +666,14 @@ x_check_status(int status, if (extended_msg) { msg(x_cs_info_level, "%s %s [%s]: %s (fd=" SOCKET_PRINTF ",code=%d)", description, - sock ? proto2ascii(sock->info.proto, sock->info.af, true) : "", - extended_msg, openvpn_strerror(my_errno, crt_error, &gc), - sock ? sock->sd : -1, my_errno); + sock ? proto2ascii(sock->info.proto, sock->info.af, true) : "", extended_msg, + openvpn_strerror(my_errno, crt_error, &gc), sock ? sock->sd : -1, my_errno); } else { msg(x_cs_info_level, "%s %s: %s (fd=" SOCKET_PRINTF ",code=%d)", description, sock ? proto2ascii(sock->info.proto, sock->info.af, true) : "", - openvpn_strerror(my_errno, crt_error, &gc), - sock ? sock->sd : -1, my_errno); + openvpn_strerror(my_errno, crt_error, &gc), sock ? sock->sd : -1, my_errno); } if (x_cs_err_delay_ms) 
@@ -970,16 +941,10 @@ strerror_win32(DWORD errnum, struct gc_arena *gc) wchar_t wmessage[256]; char *message = NULL; struct buffer out = alloc_buf_gc(256, gc); - const DWORD status = FormatMessageW( - FORMAT_MESSAGE_IGNORE_INSERTS - | FORMAT_MESSAGE_FROM_SYSTEM - | FORMAT_MESSAGE_ARGUMENT_ARRAY, - NULL, - errnum, - 0, - wmessage, - SIZE(wmessage), - NULL); + const DWORD status = + FormatMessageW(FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_FROM_SYSTEM + | FORMAT_MESSAGE_ARGUMENT_ARRAY, + NULL, errnum, 0, wmessage, SIZE(wmessage), NULL); if (status) { message = utf16to8(wmessage, gc); diff --git a/src/openvpn/error.h b/src/openvpn/error.h index cd0cac399..8388f82c9 100644 --- a/src/openvpn/error.h +++ b/src/openvpn/error.h @@ -49,10 +49,10 @@ struct gc_arena; * Exit status codes */ -#define OPENVPN_EXIT_STATUS_GOOD 0 -#define OPENVPN_EXIT_STATUS_ERROR 1 -#define OPENVPN_EXIT_STATUS_USAGE 1 -#define OPENVPN_EXIT_STATUS_CANNOT_OPEN_DEBUG_FILE 1 +#define OPENVPN_EXIT_STATUS_GOOD 0 +#define OPENVPN_EXIT_STATUS_ERROR 1 +#define OPENVPN_EXIT_STATUS_USAGE 1 +#define OPENVPN_EXIT_STATUS_CANNOT_OPEN_DEBUG_FILE 1 /* * Special command line debugging mode. 
@@ -83,27 +83,27 @@ extern int x_msg_line_num; /* msg() flags */ -#define M_DEBUG_LEVEL (0x0F) /* debug level mask */ +#define M_DEBUG_LEVEL (0x0F) /* debug level mask */ -#define M_FATAL (1<<4) /* exit program */ -#define M_NONFATAL (1<<5) /* non-fatal error */ -#define M_WARN (1<<6) /* call syslog with LOG_WARNING */ -#define M_DEBUG (1<<7) +#define M_FATAL (1 << 4) /* exit program */ +#define M_NONFATAL (1 << 5) /* non-fatal error */ +#define M_WARN (1 << 6) /* call syslog with LOG_WARNING */ +#define M_DEBUG (1 << 7) -#define M_ERRNO (1<<8) /* show errno description */ +#define M_ERRNO (1 << 8) /* show errno description */ -#define M_NOMUTE (1<<11) /* don't do mute processing */ -#define M_NOPREFIX (1<<12) /* don't show date/time prefix */ -#define M_USAGE_SMALL (1<<13) /* fatal options error, call usage_small */ -#define M_MSG_VIRT_OUT (1<<14) /* output message through msg_status_output callback */ -#define M_OPTERR (1<<15) /* print "Options error:" prefix */ -#define M_NOLF (1<<16) /* don't print new line */ -#define M_NOIPREFIX (1<<17) /* don't print instance prefix */ +#define M_NOMUTE (1 << 11) /* don't do mute processing */ +#define M_NOPREFIX (1 << 12) /* don't show date/time prefix */ +#define M_USAGE_SMALL (1 << 13) /* fatal options error, call usage_small */ +#define M_MSG_VIRT_OUT (1 << 14) /* output message through msg_status_output callback */ +#define M_OPTERR (1 << 15) /* print "Options error:" prefix */ +#define M_NOLF (1 << 16) /* don't print new line */ +#define M_NOIPREFIX (1 << 17) /* don't print instance prefix */ /* flag combinations which are frequently used */ -#define M_ERR (M_FATAL | M_ERRNO) -#define M_USAGE (M_USAGE_SMALL | M_NOPREFIX | M_OPTERR) -#define M_CLIENT (M_MSG_VIRT_OUT | M_NOMUTE | M_NOIPREFIX) +#define M_ERR (M_FATAL | M_ERRNO) +#define M_USAGE (M_USAGE_SMALL | M_NOPREFIX | M_OPTERR) +#define M_CLIENT (M_MSG_VIRT_OUT | M_NOMUTE | M_NOIPREFIX) /* * Mute levels are designed to avoid large numbers of 
@@ -112,10 +112,10 @@ extern int x_msg_line_num; * A mute level of 0 is always printed. */ #define MUTE_LEVEL_SHIFT 24 -#define MUTE_LEVEL_MASK 0xFF +#define MUTE_LEVEL_MASK 0xFF #define ENCODE_MUTE_LEVEL(mute_level) (((mute_level) & MUTE_LEVEL_MASK) << MUTE_LEVEL_SHIFT) -#define DECODE_MUTE_LEVEL(flags) (((flags) >> MUTE_LEVEL_SHIFT) & MUTE_LEVEL_MASK) +#define DECODE_MUTE_LEVEL(flags) (((flags) >> MUTE_LEVEL_SHIFT) & MUTE_LEVEL_MASK) /* * log_level: verbosity level n (--verb n) must be >= log_level to print. @@ -138,11 +138,34 @@ extern int x_msg_line_num; bool dont_mute(unsigned int flags); /* Macro to ensure (and teach static analysis tools) we exit on fatal errors */ -#define EXIT_FATAL(flags) do { if ((flags) & M_FATAL) {_exit(1);}} while (false) - -#define msg(flags, ...) do { if (msg_test(flags)) {x_msg((flags), __VA_ARGS__);} EXIT_FATAL(flags); } while (false) +#define EXIT_FATAL(flags) \ + do \ + { \ + if ((flags) & M_FATAL) \ + { \ + _exit(1); \ + } \ + } while (false) + +#define msg(flags, ...) \ + do \ + { \ + if (msg_test(flags)) \ + { \ + x_msg((flags), __VA_ARGS__); \ + } \ + EXIT_FATAL(flags); \ + } while (false) #ifdef ENABLE_DEBUG -#define dmsg(flags, ...) do { if (msg_test(flags)) {x_msg((flags), __VA_ARGS__);} EXIT_FATAL(flags); } while (false) +#define dmsg(flags, ...) \ + do \ + { \ + if (msg_test(flags)) \ + { \ + x_msg((flags), __VA_ARGS__); \ + } \ + EXIT_FATAL(flags); \ + } while (false) #else #define dmsg(flags, ...) #endif @@ -150,12 +173,12 @@ bool dont_mute(unsigned int flags); void x_msg(const unsigned int flags, const char *format, ...) #ifdef __GNUC__ #if __USE_MINGW_ANSI_STDIO -__attribute__ ((format(gnu_printf, 2, 3))) + __attribute__((format(gnu_printf, 2, 3))) #else -__attribute__ ((format(__printf__, 2, 3))) + __attribute__((format(__printf__, 2, 3))) #endif #endif -; /* should be called via msg above */ + ; /* should be called via msg above */ void x_msg_va(const unsigned int flags, const char *format, va_list arglist); 
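Review bot: In the `@@ -138,11 +138,34 @@` hunk the `ENABLE_DEBUG` definition of `dmsg` is now a nine-line byte-for-byte copy of `msg`, so any later change to `msg` (its `EXIT_FATAL` handling, for instance) has to be made in two places. Since both macros expand to exactly the same statements, the debug branch can forward instead, `#define dmsg(flags, ...) msg((flags), __VA_ARGS__)`, leaving the `#else` no-op definition untouched. Both macros also evaluate `flags` up to three times (`msg_test`, `x_msg`, `EXIT_FATAL`); that is harmless for the constant flag expressions used throughout this patch but deserves a one-line note above `msg`, e.g. `/* flags is evaluated more than once; pass a side-effect-free expression */`.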
@@ -173,7 +196,7 @@ void set_suppress_timestamps(bool suppressed); void set_machine_readable_output(bool parsable); -#define SDL_CONSTRAIN (1<<0) +#define SDL_CONSTRAIN (1 << 0) bool set_debug_level(const int level, const unsigned int flags); bool set_mute_cutoff(const int cutoff); @@ -191,26 +214,41 @@ FILE *msg_fp(const unsigned int flags); /* Fatal logic errors */ #ifndef ENABLE_SMALL -#define ASSERT(x) do { if (!(x)) {assert_failed(__FILE__, __LINE__, #x);}} while (false) +#define ASSERT(x) \ + do \ + { \ + if (!(x)) \ + { \ + assert_failed(__FILE__, __LINE__, #x); \ + } \ + } while (false) #else -#define ASSERT(x) do { if (!(x)) {assert_failed(__FILE__, __LINE__, NULL);}} while (false) +#define ASSERT(x) \ + do \ + { \ + if (!(x)) \ + { \ + assert_failed(__FILE__, __LINE__, NULL); \ + } \ + } while (false) #endif #ifdef _MSC_VER __declspec(noreturn) #endif -void assert_failed(const char *filename, int line, const char *condition) +void +assert_failed(const char *filename, int line, const char *condition) #ifndef _MSC_VER -__attribute__((__noreturn__)) + __attribute__((__noreturn__)) #endif -; + ; /* Poor-man's static_assert() for when not supplied by assert.h, taken from * Linux's sys/cdefs.h under GPLv2 */ #ifndef static_assert -#define static_assert(expr, diagnostic) \ - extern int (*__OpenVPN_static_assert_function(void)) \ - [!!sizeof(struct { int __error_if_negative : (expr) ? 2 : -1; })] +#define static_assert(expr, diagnostic) \ + extern int (*__OpenVPN_static_assert_function( \ + void))[!!sizeof(struct { int __error_if_negative : (expr) ? 2 : -1; })] #endif /* Inline functions */ @@ -267,9 +305,7 @@ void reset_check_status(void); void set_check_status(unsigned int info_level, unsigned int verbose_level); -void x_check_status(int status, - const char *description, - struct link_socket *sock, +void x_check_status(int status, const char *description, struct link_socket *sock, struct tuntap *tt); static inline void 
@@ -383,7 +419,7 @@ openvpn_errno_maybe_crt(bool *crt_error) *crt_error = true; err = errno; } -#else /* ifdef _WIN32 */ +#else /* ifdef _WIN32 */ *crt_error = true; err = errno; #endif diff --git a/src/openvpn/event.c b/src/openvpn/event.c index c773783f1..581bdbba9 100644 --- a/src/openvpn/event.c +++ b/src/openvpn/event.c @@ -176,8 +176,8 @@ we_del_index(struct we_set *wes, int index) ASSERT(index >= 0 && index < wes->n_events); for (i = index; i < wes->n_events - 1; ++i) { - wes->events[i] = wes->events[i+1]; - wes->esr[i] = wes->esr[i+1]; + wes->events[i] = wes->events[i + 1]; + wes->esr[i] = wes->esr[i + 1]; } --wes->n_events; } @@ -206,7 +206,7 @@ we_get_rw_indices(struct we_set *wes, event_t event, int *ri, int *wi) static void we_free(struct event_set *es) { - struct we_set *wes = (struct we_set *) es; + struct we_set *wes = (struct we_set *)es; free(wes->events); free(wes->esr); free(wes); @@ -215,7 +215,7 @@ we_free(struct event_set *es) static void we_reset(struct event_set *es) { - struct we_set *wes = (struct we_set *) es; + struct we_set *wes = (struct we_set *)es; ASSERT(wes->fast); wes->n_events = 0; } @@ -223,7 +223,7 @@ we_reset(struct event_set *es) static void we_del(struct event_set *es, event_t event) { - struct we_set *wes = (struct we_set *) es; + struct we_set *wes = (struct we_set *)es; ASSERT(!wes->fast); we_del_event(wes, event); } @@ -231,13 +231,10 @@ we_del(struct event_set *es, event_t event) static void we_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg) { - struct we_set *wes = (struct we_set *) es; + struct we_set *wes = (struct we_set *)es; - dmsg(D_EVENT_WAIT, "WE_CTL n=%d ev=%p rwflags=0x%04x arg=" ptr_format, - wes->n_events, - event, - rwflags, - (ptr_type)arg); + dmsg(D_EVENT_WAIT, "WE_CTL n=%d ev=%p rwflags=0x%04x arg=" ptr_format, wes->n_events, event, + rwflags, (ptr_type)arg); if (wes->fast) { 
@@ -330,11 +327,11 @@ we_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg) } break; - case EVENT_READ|EVENT_WRITE: + case EVENT_READ | EVENT_WRITE: switch (n) { case 0: - if (!we_append_event(wes, event, EVENT_READ|EVENT_WRITE, arg)) + if (!we_append_event(wes, event, EVENT_READ | EVENT_WRITE, arg)) { goto err; } @@ -377,13 +374,15 @@ we_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg) return; err: - msg(D_EVENT_ERRORS, "Error: Windows resource limit WSA_MAXIMUM_WAIT_EVENTS (%d) has been exceeded", WSA_MAXIMUM_WAIT_EVENTS); + msg(D_EVENT_ERRORS, + "Error: Windows resource limit WSA_MAXIMUM_WAIT_EVENTS (%d) has been exceeded", + WSA_MAXIMUM_WAIT_EVENTS); } static int we_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen) { - struct we_set *wes = (struct we_set *) es; + struct we_set *wes = (struct we_set *)es; const int timeout = tv_to_ms_timeout(tv); DWORD status; @@ -395,11 +394,8 @@ we_wait(struct event_set *es, const struct timeval *tv, struct event_set_return int i; for (i = 0; i < wes->n_events; ++i) { - dmsg(D_EVENT_WAIT, "[%d] ev=%p rwflags=0x%04x arg=" ptr_format, - i, - wes->events[i], - wes->esr[i].rwflags, - (ptr_type)wes->esr[i].arg); + dmsg(D_EVENT_WAIT, "[%d] ev=%p rwflags=0x%04x arg=" ptr_format, i, wes->events[i], + wes->esr[i].rwflags, (ptr_type)wes->esr[i].arg); } } #endif 
@@ -407,18 +403,13 @@ we_wait(struct event_set *es, const struct timeval *tv, struct event_set_return /* * First poll our event list with 0 timeout */ - status = WSAWaitForMultipleEvents( - (DWORD) wes->n_events, - wes->events, - FALSE, - (DWORD) 0, - FALSE); + status = WSAWaitForMultipleEvents((DWORD)wes->n_events, wes->events, FALSE, (DWORD)0, FALSE); /* * If at least one event is already set, we must * individually poll the whole list. */ - if (status >= WSA_WAIT_EVENT_0 && status < WSA_WAIT_EVENT_0 + (DWORD) wes->n_events) + if (status >= WSA_WAIT_EVENT_0 && status < WSA_WAIT_EVENT_0 + (DWORD)wes->n_events) { int i; int j = 0; @@ -431,8 +422,8 @@ we_wait(struct event_set *es, const struct timeval *tv, struct event_set_return if (WaitForSingleObject(wes->events[i], 0) == WAIT_OBJECT_0) { *out = wes->esr[i]; - dmsg(D_EVENT_WAIT, "WE_WAIT leave [%d,%d] rwflags=0x%04x arg=" ptr_format, - i, j, out->rwflags, (ptr_type)out->arg); + dmsg(D_EVENT_WAIT, "WE_WAIT leave [%d,%d] rwflags=0x%04x arg=" ptr_format, i, j, + out->rwflags, (ptr_type)out->arg); ++j; ++out; } @@ -452,19 +443,16 @@ we_wait(struct event_set *es, const struct timeval *tv, struct event_set_return */ if (timeout > 0) { - status = WSAWaitForMultipleEvents( - (DWORD) wes->n_events, - wes->events, - FALSE, - (DWORD) timeout, - FALSE); + status = WSAWaitForMultipleEvents((DWORD)wes->n_events, wes->events, FALSE, + (DWORD)timeout, FALSE); } - if (outlen >= 1 && status >= WSA_WAIT_EVENT_0 && status < WSA_WAIT_EVENT_0 + (DWORD) wes->n_events) + if (outlen >= 1 && status >= WSA_WAIT_EVENT_0 + && status < WSA_WAIT_EVENT_0 + (DWORD)wes->n_events) { *out = wes->esr[status - WSA_WAIT_EVENT_0]; - dmsg(D_EVENT_WAIT, "WE_WAIT leave rwflags=0x%04x arg=" ptr_format, - out->rwflags, (ptr_type)out->arg); + dmsg(D_EVENT_WAIT, "WE_WAIT leave rwflags=0x%04x arg=" ptr_format, out->rwflags, + (ptr_type)out->arg); return 1; } else if (status == WSA_WAIT_TIMEOUT) 
@@ -511,10 +499,9 @@ we_init(int *maxevents, unsigned int flags) /* Allocate space for event_set_return objects */ ALLOC_ARRAY_CLEAR(wes->esr, struct event_set_return, wes->capacity); - dmsg(D_EVENT_WAIT, "WE_INIT maxevents=%d capacity=%d", - *maxevents, wes->capacity); + dmsg(D_EVENT_WAIT, "WE_INIT maxevents=%d capacity=%d", *maxevents, wes->capacity); - return (struct event_set *) wes; + return (struct event_set *)wes; } #endif /* _WIN32 */ @@ -533,7 +520,7 @@ struct ep_set static void ep_free(struct event_set *es) { - struct ep_set *eps = (struct ep_set *) es; + struct ep_set *eps = (struct ep_set *)es; close(eps->epfd); free(eps->events); free(eps); @@ -542,7 +529,7 @@ ep_free(struct event_set *es) static void ep_reset(struct event_set *es) { - const struct ep_set *eps = (struct ep_set *) es; + const struct ep_set *eps = (struct ep_set *)es; ASSERT(eps->fast); } @@ -550,7 +537,7 @@ static void ep_del(struct event_set *es, event_t event) { struct epoll_event ev; - struct ep_set *eps = (struct ep_set *) es; + struct ep_set *eps = (struct ep_set *)es; dmsg(D_EVENT_WAIT, "EP_DEL ev=%d", (int)event); @@ -558,14 +545,14 @@ ep_del(struct event_set *es, event_t event) CLEAR(ev); if (epoll_ctl(eps->epfd, EPOLL_CTL_DEL, event, &ev) < 0) { - msg(M_WARN|M_ERRNO, "EVENT: epoll_ctl EPOLL_CTL_DEL failed, sd=%d", (int)event); + msg(M_WARN | M_ERRNO, "EVENT: epoll_ctl EPOLL_CTL_DEL failed, sd=%d", (int)event); } } static void ep_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg) { - struct ep_set *eps = (struct ep_set *) es; + struct ep_set *eps = (struct ep_set *)es; struct epoll_event ev; CLEAR(ev); 
@@ -580,11 +567,8 @@ ep_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg) ev.events |= EPOLLOUT; } - dmsg(D_EVENT_WAIT, "EP_CTL fd=%d rwflags=0x%04x ev=0x%08x arg=" ptr_format, - (int)event, - rwflags, - (unsigned int)ev.events, - (ptr_type)ev.data.ptr); + dmsg(D_EVENT_WAIT, "EP_CTL fd=%d rwflags=0x%04x ev=0x%08x arg=" ptr_format, (int)event, rwflags, + (unsigned int)ev.events, (ptr_type)ev.data.ptr); if (epoll_ctl(eps->epfd, EPOLL_CTL_MOD, event, &ev) < 0) { @@ -605,7 +589,7 @@ ep_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg) static int ep_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen) { - struct ep_set *eps = (struct ep_set *) es; + struct ep_set *eps = (struct ep_set *)es; int stat; if (outlen > eps->maxevents) @@ -624,7 +608,7 @@ ep_wait(struct event_set *es, const struct timeval *tv, struct event_set_return for (i = 0; i < stat; ++i) { esr->rwflags = 0; - if (ev->events & (EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP)) + if (ev->events & (EPOLLIN | EPOLLPRI | EPOLLERR | EPOLLHUP)) { esr->rwflags |= EVENT_READ; } @@ -633,8 +617,8 @@ ep_wait(struct event_set *es, const struct timeval *tv, struct event_set_return esr->rwflags |= EVENT_WRITE; } esr->arg = ev->data.ptr; - dmsg(D_EVENT_WAIT, "EP_WAIT[%d] rwflags=0x%04x ev=0x%08x arg=" ptr_format, - i, esr->rwflags, ev->events, (ptr_type)ev->data.ptr); + dmsg(D_EVENT_WAIT, "EP_WAIT[%d] rwflags=0x%04x ev=0x%08x arg=" ptr_format, i, + esr->rwflags, ev->events, (ptr_type)ev->data.ptr); ++ev; ++esr; } @@ -682,7 +666,7 @@ ep_init(int *maxevents, unsigned int flags) /* set epoll control fd */ eps->epfd = fd; - return (struct event_set *) eps; + return (struct event_set *)eps; } #endif /* EPOLL */ @@ -701,7 +685,7 @@ struct po_set static void po_free(struct event_set *es) { - struct po_set *pos = (struct po_set *) es; + struct po_set *pos = (struct po_set *)es; free(pos->events); free(pos->args); free(pos); 
@@ -710,7 +694,7 @@ po_free(struct event_set *es) static void po_reset(struct event_set *es) { - struct po_set *pos = (struct po_set *) es; + struct po_set *pos = (struct po_set *)es; ASSERT(pos->fast); pos->n_events = 0; } @@ -718,7 +702,7 @@ po_reset(struct event_set *es) static void po_del(struct event_set *es, event_t event) { - struct po_set *pos = (struct po_set *) es; + struct po_set *pos = (struct po_set *)es; int i; dmsg(D_EVENT_WAIT, "PO_DEL ev=%d", (int)event); @@ -731,8 +715,8 @@ po_del(struct event_set *es, event_t event) int j; for (j = i; j < pos->n_events - 1; ++j) { - pos->events[j] = pos->events[j+1]; - pos->args[j] = pos->args[j+1]; + pos->events[j] = pos->events[j + 1]; + pos->args[j] = pos->args[j + 1]; } --pos->n_events; break; @@ -750,7 +734,7 @@ po_set_pollfd_events(struct pollfd *pfdp, unsigned int rwflags) } if (rwflags & EVENT_READ) { - pfdp->events |= (POLLIN|POLLPRI); + pfdp->events |= (POLLIN | POLLPRI); } } @@ -775,10 +759,10 @@ po_append_event(struct po_set *pos, event_t event, unsigned int rwflags, void *a static void po_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg) { - struct po_set *pos = (struct po_set *) es; + struct po_set *pos = (struct po_set *)es; - dmsg(D_EVENT_WAIT, "PO_CTL rwflags=0x%04x ev=%d arg=" ptr_format, - rwflags, (int)event, (ptr_type)arg); + dmsg(D_EVENT_WAIT, "PO_CTL rwflags=0x%04x ev=%d arg=" ptr_format, rwflags, (int)event, + (ptr_type)arg); if (pos->fast) { @@ -816,7 +800,7 @@ err: static int po_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen) { - struct po_set *pos = (struct po_set *) es; + struct po_set *pos = (struct po_set *)es; int stat; stat = poll(pos->events, pos->n_events, tv_to_ms_timeout(tv)); 
@@ -829,10 +813,10 @@ po_wait(struct event_set *es, const struct timeval *tv, struct event_set_return const struct pollfd *pfdp = pos->events; for (i = 0; i < pos->n_events && j < outlen; ++i) { - if (pfdp->revents & (POLLIN|POLLPRI|POLLERR|POLLHUP|POLLOUT)) + if (pfdp->revents & (POLLIN | POLLPRI | POLLERR | POLLHUP | POLLOUT)) { out->rwflags = 0; - if (pfdp->revents & (POLLIN|POLLPRI|POLLERR|POLLHUP)) + if (pfdp->revents & (POLLIN | POLLPRI | POLLERR | POLLHUP)) { out->rwflags |= EVENT_READ; } @@ -841,8 +825,10 @@ po_wait(struct event_set *es, const struct timeval *tv, struct event_set_return out->rwflags |= EVENT_WRITE; } out->arg = pos->args[i]; - dmsg(D_EVENT_WAIT, "PO_WAIT[%d,%d] fd=%d rev=0x%08x rwflags=0x%04x arg=" ptr_format " %s", - i, j, pfdp->fd, pfdp->revents, out->rwflags, (ptr_type)out->arg, pos->fast ? "" : "[scalable]"); + dmsg(D_EVENT_WAIT, + "PO_WAIT[%d,%d] fd=%d rev=0x%08x rwflags=0x%04x arg=" ptr_format " %s", i, j, + pfdp->fd, pfdp->revents, out->rwflags, (ptr_type)out->arg, + pos->fast ? "" : "[scalable]"); ++out; ++j; } @@ -891,7 +877,7 @@ po_init(int *maxevents, unsigned int flags) /* Allocate space for event_set_return objects */ ALLOC_ARRAY_CLEAR(pos->args, void *, pos->capacity); - return (struct event_set *) pos; + return (struct event_set *)pos; } #endif /* POLL */ @@ -903,15 +889,15 @@ struct se_set bool fast; fd_set readfds; fd_set writefds; - void **args; /* allocated to capacity size */ - int maxfd; /* largest fd seen so far, always < capacity */ + void **args; /* allocated to capacity size */ + int maxfd; /* largest fd seen so far, always < capacity */ int capacity; /* fixed largest fd + 1 */ }; static void se_free(struct event_set *es) { - struct se_set *ses = (struct se_set *) es; + struct se_set *ses = (struct se_set *)es; free(ses->args); free(ses); } 
@@ -919,7 +905,7 @@ se_free(struct event_set *es) static void se_reset(struct event_set *es) { - struct se_set *ses = (struct se_set *) es; + struct se_set *ses = (struct se_set *)es; int i; ASSERT(ses->fast); @@ -937,7 +923,7 @@ se_reset(struct event_set *es) static void se_del(struct event_set *es, event_t event) { - struct se_set *ses = (struct se_set *) es; + struct se_set *ses = (struct se_set *)es; ASSERT(!ses->fast); dmsg(D_EVENT_WAIT, "SE_DEL ev=%d", (int)event); @@ -958,7 +944,7 @@ se_del(struct event_set *es, event_t event) static void se_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg) { - struct se_set *ses = (struct se_set *) es; + struct se_set *ses = (struct se_set *)es; dmsg(D_EVENT_WAIT, "SE_CTL rwflags=0x%04x ev=%d fast=%d cap=%d maxfd=%d arg=" ptr_format, rwflags, (int)event, (int)ses->fast, ses->capacity, ses->maxfd, (ptr_type)arg); @@ -1000,17 +986,13 @@ se_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg) } else { - msg(D_EVENT_ERRORS, "Error: select: too many I/O wait events, fd=%d cap=%d", - (int) event, + msg(D_EVENT_ERRORS, "Error: select: too many I/O wait events, fd=%d cap=%d", (int)event, ses->capacity); } } static int -se_wait_return(struct se_set *ses, - fd_set *read, - fd_set *write, - struct event_set_return *out, +se_wait_return(struct se_set *ses, fd_set *read, fd_set *write, struct event_set_return *out, int outlen) { int i, j = 0; @@ -1030,8 +1012,8 @@ se_wait_return(struct se_set *ses, out->rwflags |= EVENT_WRITE; } out->arg = ses->args[i]; - dmsg(D_EVENT_WAIT, "SE_WAIT[%d,%d] rwflags=0x%04x arg=" ptr_format, - i, j, out->rwflags, (ptr_type)out->arg); + dmsg(D_EVENT_WAIT, "SE_WAIT[%d,%d] rwflags=0x%04x arg=" ptr_format, i, j, out->rwflags, + (ptr_type)out->arg); ++out; ++j; } 
@@ -1040,16 +1022,15 @@ se_wait_return(struct se_set *ses, } static int -se_wait_fast(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen) +se_wait_fast(struct event_set *es, const struct timeval *tv, struct event_set_return *out, + int outlen) { - struct se_set *ses = (struct se_set *) es; + struct se_set *ses = (struct se_set *)es; struct timeval tv_tmp = *tv; int stat; - dmsg(D_EVENT_WAIT, "SE_WAIT_FAST maxfd=%d tv=%" PRIi64 "/%ld", - ses->maxfd, - (int64_t)tv_tmp.tv_sec, - (long)tv_tmp.tv_usec); + dmsg(D_EVENT_WAIT, "SE_WAIT_FAST maxfd=%d tv=%" PRIi64 "/%ld", ses->maxfd, + (int64_t)tv_tmp.tv_sec, (long)tv_tmp.tv_usec); stat = select(ses->maxfd + 1, &ses->readfds, &ses->writefds, NULL, &tv_tmp); @@ -1062,16 +1043,17 @@ se_wait_fast(struct event_set *es, const struct timeval *tv, struct event_set_re } static int -se_wait_scalable(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen) +se_wait_scalable(struct event_set *es, const struct timeval *tv, struct event_set_return *out, + int outlen) { - struct se_set *ses = (struct se_set *) es; + struct se_set *ses = (struct se_set *)es; struct timeval tv_tmp = *tv; fd_set read = ses->readfds; fd_set write = ses->writefds; int stat; - dmsg(D_EVENT_WAIT, "SE_WAIT_SCALEABLE maxfd=%d tv=%" PRIi64 "/%ld", - ses->maxfd, (int64_t)tv_tmp.tv_sec, (long)tv_tmp.tv_usec); + dmsg(D_EVENT_WAIT, "SE_WAIT_SCALEABLE maxfd=%d tv=%" PRIi64 "/%ld", ses->maxfd, + (int64_t)tv_tmp.tv_sec, (long)tv_tmp.tv_usec); stat = select(ses->maxfd + 1, &read, &write, NULL, &tv_tmp); @@ -1116,7 +1098,7 @@ se_init(int *maxevents, unsigned int flags) /* Allocate space for event_set_return void * args */ ALLOC_ARRAY_CLEAR(ses->args, void *, ses->capacity); - return (struct event_set *) ses; + return (struct event_set *)ses; } #endif /* SELECT */ 
@@ -1142,7 +1124,7 @@ event_set_init_simple(int *maxevents, unsigned int flags) { ret = po_init(maxevents, flags); } -#else /* ifdef SELECT_PREFERRED_OVER_POLL */ +#else /* ifdef SELECT_PREFERRED_OVER_POLL */ if (!ret) { ret = po_init(maxevents, flags); @@ -1174,7 +1156,7 @@ event_set_init_scalable(int *maxevents, unsigned int flags) msg(M_WARN, "Note: sys_epoll API is unavailable, falling back to poll/select API"); ret = event_set_init_simple(maxevents, flags); } -#else /* if EPOLL */ +#else /* if EPOLL */ ret = event_set_init_simple(maxevents, flags); #endif ASSERT(ret); diff --git a/src/openvpn/event.h b/src/openvpn/event.h index 38178fcc3..84229967c 100644 --- a/src/openvpn/event.h +++ b/src/openvpn/event.h @@ -31,12 +31,12 @@ * rwflags passed to event_ctl and returned by * struct event_set_return. */ -#define READ_SHIFT 0 -#define WRITE_SHIFT 1 +#define READ_SHIFT 0 +#define WRITE_SHIFT 1 -#define EVENT_UNDEF 4 -#define EVENT_READ (1 << READ_SHIFT) -#define EVENT_WRITE (1 << WRITE_SHIFT) +#define EVENT_UNDEF 4 +#define EVENT_READ (1 << READ_SHIFT) +#define EVENT_WRITE (1 << WRITE_SHIFT) /* event flags returned by io_wait. * 
@@ -57,35 +57,35 @@ * signals. */ -#define SOCKET_SHIFT 0 -#define SOCKET_READ (1 << (SOCKET_SHIFT + READ_SHIFT)) -#define SOCKET_WRITE (1 << (SOCKET_SHIFT + WRITE_SHIFT)) -#define TUN_SHIFT 2 -#define TUN_READ (1 << (TUN_SHIFT + READ_SHIFT)) -#define TUN_WRITE (1 << (TUN_SHIFT + WRITE_SHIFT)) -#define ERR_SHIFT 4 -#define ES_ERROR (1 << (ERR_SHIFT + READ_SHIFT)) -#define ES_TIMEOUT (1 << (ERR_SHIFT + WRITE_SHIFT)) -#define MANAGEMENT_SHIFT 6 -#define MANAGEMENT_READ (1 << (MANAGEMENT_SHIFT + READ_SHIFT)) -#define MANAGEMENT_WRITE (1 << (MANAGEMENT_SHIFT + WRITE_SHIFT)) -#define FILE_SHIFT 8 -#define FILE_CLOSED (1 << (FILE_SHIFT + READ_SHIFT)) -#define DCO_SHIFT 10 -#define DCO_READ (1 << (DCO_SHIFT + READ_SHIFT)) -#define DCO_WRITE (1 << (DCO_SHIFT + WRITE_SHIFT)) +#define SOCKET_SHIFT 0 +#define SOCKET_READ (1 << (SOCKET_SHIFT + READ_SHIFT)) +#define SOCKET_WRITE (1 << (SOCKET_SHIFT + WRITE_SHIFT)) +#define TUN_SHIFT 2 +#define TUN_READ (1 << (TUN_SHIFT + READ_SHIFT)) +#define TUN_WRITE (1 << (TUN_SHIFT + WRITE_SHIFT)) +#define ERR_SHIFT 4 +#define ES_ERROR (1 << (ERR_SHIFT + READ_SHIFT)) +#define ES_TIMEOUT (1 << (ERR_SHIFT + WRITE_SHIFT)) +#define MANAGEMENT_SHIFT 6 +#define MANAGEMENT_READ (1 << (MANAGEMENT_SHIFT + READ_SHIFT)) +#define MANAGEMENT_WRITE (1 << (MANAGEMENT_SHIFT + WRITE_SHIFT)) +#define FILE_SHIFT 8 +#define FILE_CLOSED (1 << (FILE_SHIFT + READ_SHIFT)) +#define DCO_SHIFT 10 +#define DCO_READ (1 << (DCO_SHIFT + READ_SHIFT)) +#define DCO_WRITE (1 << (DCO_SHIFT + WRITE_SHIFT)) /* * Initialization flags passed to event_set_init */ -#define EVENT_METHOD_US_TIMEOUT (1<<0) -#define EVENT_METHOD_FAST (1<<1) +#define EVENT_METHOD_US_TIMEOUT (1 << 0) +#define EVENT_METHOD_FAST (1 << 1) /* * The following constant is used as boundary between integer value * and real addresses when passing arguments to event handlers as (void *) */ -#define MULTI_N ((void *)16) /* upper bound on MTCP_x */ +#define MULTI_N ((void *)16) /* upper bound on MTCP_x */ #ifdef 
_WIN32 @@ -93,7 +93,7 @@ typedef const struct rw_handle *event_t; #define UNDEFINED_EVENT (NULL) -#else /* ifdef _WIN32 */ +#else /* ifdef _WIN32 */ typedef int event_t; @@ -117,7 +117,8 @@ struct event_set_functions * 0 on timeout * length of event_set_return if at least 1 event is returned */ - int (*wait)(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen); + int (*wait)(struct event_set *es, const struct timeval *tv, struct event_set_return *out, + int outlen); }; struct event_set_return @@ -131,7 +132,8 @@ struct event_set struct event_set_functions func; }; -typedef enum { +typedef enum +{ EVENT_ARG_MULTI_INSTANCE = 0, EVENT_ARG_LINK_SOCKET, } event_arg_t; @@ -140,9 +142,10 @@ typedef enum { struct event_arg { event_arg_t type; - union { + union + { struct multi_instance *mi; /* if type = EVENT_ARG_MULTI_INSTANCE */ - struct link_socket *sock; /* if type = EVENT_ARG_LINK_SOCKET */ + struct link_socket *sock; /* if type = EVENT_ARG_LINK_SOCKET */ } u; }; @@ -210,7 +213,7 @@ wait_signal(struct event_set *es, void *arg) } } -#else /* ifdef _WIN32 */ +#else /* ifdef _WIN32 */ static inline void wait_signal(struct event_set *es, void *arg) diff --git a/src/openvpn/fdmisc.c b/src/openvpn/fdmisc.c index b8d9334e2..2c6525bb7 100644 --- a/src/openvpn/fdmisc.c +++ b/src/openvpn/fdmisc.c @@ -41,7 +41,7 @@ set_nonblock_action(socket_descriptor_t fd) { return false; } -#else /* ifdef _WIN32 */ +#else /* ifdef _WIN32 */ if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0) { return false; diff --git a/src/openvpn/fdmisc.h b/src/openvpn/fdmisc.h index de0007add..4c0ab65d5 100644 --- a/src/openvpn/fdmisc.h +++ b/src/openvpn/fdmisc.h @@ -45,4 +45,4 @@ openvpn_fd_set(socket_descriptor_t fd, fd_set *setp) } #undef FD_SET /* prevent direct use of FD_SET() */ -#endif /* FD_MISC_H */ +#endif /* FD_MISC_H */ diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index d750ebf35..75ca9d5c5 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c 
@@ -58,14 +58,11 @@ wait_status_string(struct context *c, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(64, gc); - buf_printf(&out, "I/O WAIT %s|%s| %s", - tun_stat(c->c1.tuntap, EVENT_READ, gc), - tun_stat(c->c1.tuntap, EVENT_WRITE, gc), - tv_string(&c->c2.timeval, gc)); + buf_printf(&out, "I/O WAIT %s|%s| %s", tun_stat(c->c1.tuntap, EVENT_READ, gc), + tun_stat(c->c1.tuntap, EVENT_WRITE, gc), tv_string(&c->c2.timeval, gc)); for (int i = 0; i < c->c1.link_sockets_num; i++) { - buf_printf(&out, "\n %s|%s", - socket_stat(c->c2.link_sockets[i], EVENT_READ, gc), + buf_printf(&out, "\n %s|%s", socket_stat(c->c2.link_sockets[i], EVENT_READ, gc), socket_stat(c->c2.link_sockets[i], EVENT_WRITE, gc)); } return BSTR(&out); @@ -127,7 +124,7 @@ check_tls_errors(struct context *c) static inline void context_immediate_reschedule(struct context *c) { - c->c2.timeval.tv_sec = 0; /* ZERO-TIMEOUT */ + c->c2.timeval.tv_sec = 0; /* ZERO-TIMEOUT */ c->c2.timeval.tv_usec = 0; } @@ -185,9 +182,8 @@ check_tls(struct context *c) if (interval_test(&c->c2.tmp_int)) { - const int tmp_status = tls_multi_process - (c->c2.tls_multi, &c->c2.to_link, &c->c2.to_link_addr, - get_link_socket_info(c), &wakeup); + const int tmp_status = tls_multi_process( + c->c2.tls_multi, &c->c2.to_link, &c->c2.to_link_addr, get_link_socket_info(c), &wakeup); if (tmp_status == TLSMP_RECONNECT) { @@ -345,12 +341,7 @@ check_connection_established(struct context *c) #ifdef ENABLE_MANAGEMENT if (management) { - management_set_state(management, - OPENVPN_STATE_GET_CONFIG, - NULL, - NULL, - NULL, - NULL, + management_set_state(management, OPENVPN_STATE_GET_CONFIG, NULL, NULL, NULL, NULL, NULL); } #endif @@ -377,8 +368,7 @@ check_connection_established(struct context *c) } bool -send_control_channel_string_dowork(struct tls_session *session, - const char *str, int msglevel) +send_control_channel_string_dowork(struct tls_session *session, const char *str, int msglevel) { struct gc_arena gc = gc_new(); bool stat; 
@@ -387,12 +377,11 @@ send_control_channel_string_dowork(struct tls_session *session, struct key_state *ks = &session->key[KS_PRIMARY]; /* buffered cleartext write onto TLS control channel */ - stat = tls_send_payload(ks, (uint8_t *) str, strlen(str) + 1); + stat = tls_send_payload(ks, (uint8_t *)str, strlen(str) + 1); msg(msglevel, "SENT CONTROL [%s]: '%s' (status=%d)", - session->common_name ? session->common_name : "UNDEF", - sanitize_control_message(str, &gc), - (int) stat); + session->common_name ? session->common_name : "UNDEF", sanitize_control_message(str, &gc), + (int)stat); gc_free(&gc); return stat; @@ -425,8 +414,8 @@ send_control_channel_string(struct context *c, const char *str, int msglevel) static void check_add_routes_action(struct context *c, const bool errors) { - bool route_status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list, - c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx); + bool route_status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list, c->c1.tuntap, + c->plugins, c->c2.es, &c->net_ctx); int flags = (errors ? ISC_ERRORS : 0); flags |= (!route_status ? ISC_ROUTE_ERRORS : 0); @@ -458,8 +447,8 @@ check_add_routes(struct context *c) register_signal(c->sig, SIGHUP, "ip-fail"); c->persist.restart_sleep_seconds = 10; #ifdef _WIN32 - show_routes(M_INFO|M_NOPREFIX); - show_adapters(M_INFO|M_NOPREFIX); + show_routes(M_INFO | M_NOPREFIX); + show_adapters(M_INFO | M_NOPREFIX); #endif } } @@ -602,7 +591,8 @@ check_fragment(struct context *c) * Buffer reallocation, for use with null encryption. */ static inline void -buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage) +buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, + struct buffer *storage) { if (orig_buf == src_stub->data && src_stub->data != storage->data) { 
@@ -630,7 +620,7 @@ encrypt_sign(struct context *c, bool comp_frag) if (dco_enabled(&c->options)) { msg(M_WARN, "Attempting to send data packet while data channel offload is in use. " - "Dropping packet"); + "Dropping packet"); c->c2.buf.len = 0; } @@ -650,7 +640,8 @@ encrypt_sign(struct context *c, bool comp_frag) /* Compress the packet. */ if (c->c2.comp_context) { - (*c->c2.comp_context->alg.compress)(&c->c2.buf, b->compress_buf, c->c2.comp_context, &c->c2.frame); + (*c->c2.comp_context->alg.compress)(&c->c2.buf, b->compress_buf, c->c2.comp_context, + &c->c2.frame); } #endif #ifdef ENABLE_FRAGMENT @@ -697,8 +688,7 @@ encrypt_sign(struct context *c, bool comp_frag) /* * Get the address we will be sending the packet to. */ - link_socket_get_outgoing_addr(&c->c2.buf, get_link_socket_info(c), - &c->c2.to_link_addr); + link_socket_get_outgoing_addr(&c->c2.buf, get_link_socket_info(c), &c->c2.to_link_addr); /* if null encryption, copy result to read_tun_buf */ buffer_turnover(orig_buf, &c->c2.to_link, &c->c2.buf, &b->read_tun_buf); @@ -711,8 +701,7 @@ static void check_session_timeout(struct context *c) { if (c->options.session_timeout - && event_timeout_trigger(&c->c2.session_interval, &c->c2.timeval, - ETT_DEFAULT)) + && event_timeout_trigger(&c->c2.session_interval, &c->c2.timeval, ETT_DEFAULT)) { msg(M_INFO, "Session timeout, exiting"); register_signal(c->sig, SIGTERM, "session-timeout"); @@ -726,7 +715,7 @@ static void process_coarse_timers(struct context *c) { /* flush current packet-id to file once per 60 - * seconds if --replay-persist was specified */ + * seconds if --replay-persist was specified */ if (packet_id_persist_enabled(&c->c1.pid_persist) && event_timeout_trigger(&c->c2.packet_id_persist_interval, &c->c2.timeval, ETT_DEFAULT)) { 
@@ -849,7 +838,8 @@ check_coarse_timers(struct context *c) process_coarse_timers(c); c->c2.coarse_timer_wakeup = now + c->c2.timeval.tv_sec; - dmsg(D_INTERVAL, "TIMER: coarse timer wakeup %" PRIi64 " seconds", (int64_t)c->c2.timeval.tv_sec); + dmsg(D_INTERVAL, "TIMER: coarse timer wakeup %" PRIi64 " seconds", + (int64_t)c->c2.timeval.tv_sec); /* Is the coarse timeout NOT the earliest one? */ if (c->c2.timeval.tv_sec > save.tv_sec) @@ -863,10 +853,10 @@ check_timeout_random_component_dowork(struct context *c) { const int update_interval = 10; /* seconds */ c->c2.update_timeout_random_component = now + update_interval; - c->c2.timeout_random_component.tv_usec = (time_t) get_random() & 0x0003FFFF; + c->c2.timeout_random_component.tv_usec = (time_t)get_random() & 0x0003FFFF; c->c2.timeout_random_component.tv_sec = 0; - dmsg(D_INTERVAL, "RANDOM USEC=%ld", (long) c->c2.timeout_random_component.tv_usec); + dmsg(D_INTERVAL, "RANDOM USEC=%ld", (long)c->c2.timeout_random_component.tv_usec); } static inline void @@ -897,10 +887,8 @@ socks_postprocess_incoming_link(struct context *c, struct link_socket *sock) } static inline void -socks_preprocess_outgoing_link(struct context *c, - struct link_socket *sock, - struct link_socket_actual **to_addr, - int *size_delta) +socks_preprocess_outgoing_link(struct context *c, struct link_socket *sock, + struct link_socket_actual **to_addr, int *size_delta) { if (sock->socks_proxy && sock->info.proto == PROTO_UDP) { @@ -911,9 +899,7 @@ socks_preprocess_outgoing_link(struct context *c, /* undo effect of socks_preprocess_outgoing_link */ static inline void -link_socket_write_post_size_adjust(int *size, - int size_delta, - struct buffer *buf) +link_socket_write_post_size_adjust(int *size, int size_delta, struct buffer *buf) { if (size_delta > 0 && *size > size_delta) { 
@@ -945,9 +931,7 @@ read_incoming_link(struct context *c, struct link_socket *sock) c->c2.buf = c->c2.buffers->read_link_buf; ASSERT(buf_init(&c->c2.buf, c->c2.frame.buf.headroom)); - status = link_socket_read(sock, - &c->c2.buf, - &c->c2.from); + status = link_socket_read(sock, &c->c2.buf, &c->c2.from); if (socket_connection_reset(sock, status)) { @@ -965,12 +949,14 @@ read_incoming_link(struct context *c, struct link_socket *sock) /* received a disconnect from a connection-oriented protocol */ if (event_timeout_defined(&c->c2.explicit_exit_notification_interval)) { - msg(D_STREAM_ERRORS, "Connection reset during exit notification period, ignoring [%d]", status); + msg(D_STREAM_ERRORS, + "Connection reset during exit notification period, ignoring [%d]", status); management_sleep(1); } else { - register_signal(c->sig, SIGUSR1, "connection-reset"); /* SOFT-SIGUSR1 -- TCP connection reset */ + register_signal(c->sig, SIGUSR1, + "connection-reset"); /* SOFT-SIGUSR1 -- TCP connection reset */ msg(D_STREAM_ERRORS, "Connection reset, restarting [%d]", status); } } @@ -1016,7 +1002,8 @@ process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, boo if (management) { management_bytes_client(management, c->c2.buf.len, 0); - management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context); + management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, + &c->c2.mda_context); } #endif } 
@@ -1044,11 +1031,8 @@ process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, boo
 fprintf(stderr, "R");
 }
 #endif
- msg(D_LINK_RW, "%s READ [%d] from %s: %s",
- proto2ascii(lsi->proto, lsi->af, true),
- BLEN(&c->c2.buf),
- print_link_socket_actual(&c->c2.from, &gc),
- PROTO_DUMP(&c->c2.buf, &gc));
+ msg(D_LINK_RW, "%s READ [%d] from %s: %s", proto2ascii(lsi->proto, lsi->af, true),
+ BLEN(&c->c2.buf), print_link_socket_actual(&c->c2.from, &gc), PROTO_DUMP(&c->c2.buf, &gc));
 /*
 * Good, non-zero length packet received.
@@ -1080,9 +1064,8 @@ process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, boo
 */
 if ((opcode == P_DATA_V1) && dco_enabled(&c->options))
 {
- msg(D_LINK_ERRORS,
- "Data Channel Offload doesn't support DATA_V1 packets. "
- "Upgrade your server to 2.4.5 or newer.");
+ msg(D_LINK_ERRORS, "Data Channel Offload doesn't support DATA_V1 packets. "
+ "Upgrade your server to 2.4.5 or newer.");
 c->c2.buf.len = 0;
 }
@@ -1096,8 +1079,7 @@ process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, boo
 * will load crypto_options with the correct encryption key
 * and return false.
 */
- if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co,
- floated, &ad_start))
+ if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co, floated, &ad_start))
 {
 interval_action(&c->c2.tmp_int);
@@ -1124,15 +1106,16 @@ process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, boo
 }
 /* authenticate and decrypt the incoming packet */
- decrypt_status = openvpn_decrypt(&c->c2.buf, c->c2.buffers->decrypt_buf,
- co, &c->c2.frame, ad_start);
+ decrypt_status =
+ openvpn_decrypt(&c->c2.buf, c->c2.buffers->decrypt_buf, co, &c->c2.frame, ad_start);
 if (!decrypt_status
 /* on the instance context we have only one socket, so just check the first one */
 && link_socket_connection_oriented(c->c2.link_sockets[0]))
 {
 /* decryption errors are fatal in TCP mode */
- register_signal(c->sig, SIGUSR1, "decryption-error"); /* SOFT-SIGUSR1 -- decryption error in TCP mode */
+ register_signal(c->sig, SIGUSR1,
+ "decryption-error"); /* SOFT-SIGUSR1 -- decryption error in TCP mode */
 msg(D_STREAM_ERRORS, "Fatal decryption error (process_incoming_link), restarting");
 }
 }
@@ -1146,7 +1129,8 @@ process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, boo
 }
 void
-process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
+process_incoming_link_part2(struct context *c, struct link_socket_info *lsi,
+ const uint8_t *orig_buf)
 {
 if (c->c2.buf.len > 0)
 {
@@ -1161,17 +1145,15 @@ process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, con
 /* decompress the incoming packet */
 if (c->c2.comp_context)
 {
- (*c->c2.comp_context->alg.decompress)(&c->c2.buf, c->c2.buffers->decompress_buf, c->c2.comp_context, &c->c2.frame);
+ (*c->c2.comp_context->alg.decompress)(&c->c2.buf, c->c2.buffers->decompress_buf,
+ c->c2.comp_context, &c->c2.frame);
 }
 #endif
 #ifdef PACKET_TRUNCATION_CHECK
 /* if (c->c2.buf.len > 1) --c->c2.buf.len; */
- ipv4_packet_size_verify(BPTR(&c->c2.buf),
- BLEN(&c->c2.buf),
- TUNNEL_TYPE(c->c1.tuntap),
- "POST_DECRYPT",
- &c->c2.n_trunc_post_decrypt);
+ ipv4_packet_size_verify(BPTR(&c->c2.buf), BLEN(&c->c2.buf), TUNNEL_TYPE(c->c1.tuntap),
+ "POST_DECRYPT", &c->c2.n_trunc_post_decrypt);
 #endif
 /*
@@ -1198,7 +1180,8 @@ process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, con
 if (c->c2.buf.len > 0)
 {
 c->c2.link_read_bytes_auth += c->c2.buf.len;
- c->c2.max_recv_size_local = max_int(c->c2.original_recv_size, c->c2.max_recv_size_local);
+ c->c2.max_recv_size_local =
+ max_int(c->c2.original_recv_size, c->c2.max_recv_size_local);
 }
 /* Did we just receive an openvpn ping packet? */
@@ -1243,8 +1226,7 @@ process_incoming_link(struct context *c, struct link_socket *sock)
 }
 void
-extract_dco_float_peer_addr(const sa_family_t socket_family,
- struct openvpn_sockaddr *out_osaddr,
+extract_dco_float_peer_addr(const sa_family_t socket_family, struct openvpn_sockaddr *out_osaddr,
 const struct sockaddr *float_sa)
 {
 if (float_sa->sa_family == AF_INET)
@@ -1262,8 +1244,8 @@ extract_dco_float_peer_addr(const sa_family_t socket_family,
 memset(&out_osaddr->addr.in6.sin6_addr.s6_addr, 0, 10);
 out_osaddr->addr.in6.sin6_addr.s6_addr[10] = 0xff;
 out_osaddr->addr.in6.sin6_addr.s6_addr[11] = 0xff;
- memcpy(&out_osaddr->addr.in6.sin6_addr.s6_addr[12],
- &float4->sin_addr.s_addr, sizeof(in_addr_t));
+ memcpy(&out_osaddr->addr.in6.sin6_addr.s6_addr[12], &float4->sin_addr.s_addr,
+ sizeof(in_addr_t));
 }
 else
 {
@@ -1296,9 +1278,10 @@ process_incoming_dco(struct context *c)
 * ourselves in the foot and removing the just established session */
 if (dco->dco_message_peer_id != c->c2.tls_multi->dco_peer_id)
 {
- msg(D_DCO_DEBUG, "%s: received message for mismatching peer-id %d, "
- "expected %d", __func__, dco->dco_message_peer_id,
- c->c2.tls_multi->dco_peer_id);
+ msg(D_DCO_DEBUG,
+ "%s: received message for mismatching peer-id %d, "
+ "expected %d",
+ __func__, dco->dco_message_peer_id, c->c2.tls_multi->dco_peer_id);
 return;
 }
@@ -1309,16 +1292,18 @@ process_incoming_dco(struct context *c)
 c->c2.tls_multi->dco_peer_id = -1;
 if (dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_EXPIRED)
 {
- msg(D_DCO_DEBUG, "%s: received peer expired notification of for peer-id "
- "%d", __func__, dco->dco_message_peer_id);
+ msg(D_DCO_DEBUG,
+ "%s: received peer expired notification of for peer-id "
+ "%d",
+ __func__, dco->dco_message_peer_id);
 trigger_ping_timeout_signal(c);
 return;
 }
 break;
 case OVPN_CMD_SWAP_KEYS:
- msg(D_DCO_DEBUG, "%s: received key rotation notification for peer-id %d",
- __func__, dco->dco_message_peer_id);
+ msg(D_DCO_DEBUG, "%s: received key rotation notification for peer-id %d", __func__,
+ dco->dco_message_peer_id);
 tls_session_soft_reset(c->c2.tls_multi);
 break;
@@ -1358,7 +1343,8 @@ read_incoming_tun(struct context *c)
 ASSERT(buf_safe(&c->c2.buf, c->c2.frame.buf.payload_size));
 if (c->c1.tuntap->backend_driver == DRIVER_AFUNIX)
 {
- c->c2.buf.len = read_tun_afunix(c->c1.tuntap, BPTR(&c->c2.buf), c->c2.frame.buf.payload_size);
+ c->c2.buf.len =
+ read_tun_afunix(c->c1.tuntap, BPTR(&c->c2.buf), c->c2.frame.buf.payload_size);
 }
 else
 {
@@ -1367,11 +1353,8 @@ read_incoming_tun(struct context *c)
 #endif /* ifdef _WIN32 */
 #ifdef PACKET_TRUNCATION_CHECK
- ipv4_packet_size_verify(BPTR(&c->c2.buf),
- BLEN(&c->c2.buf),
- TUNNEL_TYPE(c->c1.tuntap),
- "READ_TUN",
- &c->c2.n_trunc_tun_read);
+ ipv4_packet_size_verify(BPTR(&c->c2.buf), BLEN(&c->c2.buf), TUNNEL_TYPE(c->c1.tuntap),
+ "READ_TUN", &c->c2.n_trunc_tun_read);
 #endif
 /* Was TUN/TAP interface stopped? */
@@ -1426,7 +1409,7 @@ drop_if_recursive_routing(struct context *c, struct buffer *buf)
 if (proto_ver == 4)
 {
 /* make sure we got whole IP header */
- if (BLEN(buf) < ((int) sizeof(struct openvpn_iphdr) + ip_hdr_offset))
+ if (BLEN(buf) < ((int)sizeof(struct openvpn_iphdr) + ip_hdr_offset))
 {
 return;
 }
@@ -1437,7 +1420,7 @@ drop_if_recursive_routing(struct context *c, struct buffer *buf)
 return;
 }
- struct openvpn_iphdr *pip = (struct openvpn_iphdr *) (BPTR(buf) + ip_hdr_offset);
+ struct openvpn_iphdr *pip = (struct openvpn_iphdr *)(BPTR(buf) + ip_hdr_offset);
 /* drop packets with same dest addr as gateway */
 if (memcmp(&tun_sa.addr.in4.sin_addr.s_addr, &pip->daddr, sizeof(pip->daddr)) == 0)
@@ -1448,7 +1431,7 @@ drop_if_recursive_routing(struct context *c, struct buffer *buf)
 else if (proto_ver == 6)
 {
 /* make sure we got whole IPv6 header */
- if (BLEN(buf) < ((int) sizeof(struct openvpn_ipv6hdr) + ip_hdr_offset))
+ if (BLEN(buf) < ((int)sizeof(struct openvpn_ipv6hdr) + ip_hdr_offset))
 {
 return;
 }
@@ -1459,7 +1442,7 @@ drop_if_recursive_routing(struct context *c, struct buffer *buf)
 return;
 }
- struct openvpn_ipv6hdr *pip6 = (struct openvpn_ipv6hdr *) (BPTR(buf) + ip_hdr_offset);
+ struct openvpn_ipv6hdr *pip6 = (struct openvpn_ipv6hdr *)(BPTR(buf) + ip_hdr_offset);
 /* drop packets with same dest addr as gateway */
 if (OPENVPN_IN6_ARE_ADDR_EQUAL(&tun_sa.addr.in6.sin6_addr, &pip6->daddr))
@@ -1517,19 +1500,15 @@ process_incoming_tun(struct context *c, struct link_socket *out_sock)
 * The --passtos and --mssfix options require
 * us to examine the IP header (IPv4 or IPv6).
 */
- unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT
- | PIPV6_ICMP_NOHOST_CLIENT;
+ unsigned int flags =
+ PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT | PIPV6_ICMP_NOHOST_CLIENT;
 process_ip_header(c, flags, &c->c2.buf, out_sock);
 #ifdef PACKET_TRUNCATION_CHECK
 /* if (c->c2.buf.len > 1) --c->c2.buf.len; */
- ipv4_packet_size_verify(BPTR(&c->c2.buf),
- BLEN(&c->c2.buf),
- TUNNEL_TYPE(c->c1.tuntap),
- "PRE_ENCRYPT",
- &c->c2.n_trunc_pre_encrypt);
+ ipv4_packet_size_verify(BPTR(&c->c2.buf), BLEN(&c->c2.buf), TUNNEL_TYPE(c->c1.tuntap),
+ "PRE_ENCRYPT", &c->c2.n_trunc_pre_encrypt);
 #endif
- }
 if (c->c2.buf.len > 0)
 {
@@ -1605,8 +1584,7 @@ ipv6_send_icmp_unreachable(struct context *c, struct buffer *buf, bool client)
 icmp6out.icmp6_type = OPENVPN_ICMP6_DESTINATION_UNREACHABLE;
 icmp6out.icmp6_code = OPENVPN_ICMP6_DU_NOROUTE;
- int icmpheader_len = sizeof(struct openvpn_ipv6hdr)
- + sizeof(struct openvpn_icmp6hdr);
+ int icmpheader_len = sizeof(struct openvpn_ipv6hdr) + sizeof(struct openvpn_icmp6hdr);
 int totalheader_len = icmpheader_len;
 if (TUNNEL_TYPE(c->c1.tuntap) == DEV_TYPE_TAP)
@@ -1619,8 +1597,7 @@ ipv6_send_icmp_unreachable(struct context *c, struct buffer *buf, bool client)
 * frame should be <= 1280 and have as much as possible of the original
 * packet */
- int max_payload_size = min_int(MAX_ICMPV6LEN,
- c->c2.frame.tun_mtu - icmpheader_len);
+ int max_payload_size = min_int(MAX_ICMPV6LEN, c->c2.frame.tun_mtu - icmpheader_len);
 int payload_len = min_int(max_payload_size, BLEN(&inputipbuf));
 pip6out.payload_len = htons(sizeof(struct openvpn_icmp6hdr) + payload_len);
@@ -1648,10 +1625,10 @@ ipv6_send_icmp_unreachable(struct context *c, struct buffer *buf, bool client)
 /* Calculate checksum over the packet and write to header */
- uint16_t new_csum = ip_checksum(AF_INET6, BPTR(outbuf), BLEN(outbuf),
- (const uint8_t *)&pip6out.saddr,
- (uint8_t *)&pip6out.daddr, OPENVPN_IPPROTO_ICMPV6);
- ((struct openvpn_icmp6hdr *) BPTR(outbuf))->icmp6_cksum = htons(new_csum);
+ uint16_t new_csum =
+ ip_checksum(AF_INET6, BPTR(outbuf), BLEN(outbuf), (const uint8_t *)&pip6out.saddr,
+ (uint8_t *)&pip6out.daddr, OPENVPN_IPPROTO_ICMPV6);
+ ((struct openvpn_icmp6hdr *)BPTR(outbuf))->icmp6_cksum = htons(new_csum);
 /* IPv6 Header */
@@ -1667,7 +1644,7 @@ ipv6_send_icmp_unreachable(struct context *c, struct buffer *buf, bool client)
 return;
 }
- const struct openvpn_ethhdr *orig_ethhdr = (struct openvpn_ethhdr *) BPTR(buf);
+ const struct openvpn_ethhdr *orig_ethhdr = (struct openvpn_ethhdr *)BPTR(buf);
 /* Copy frametype and reverse source/destination for the response */
 struct openvpn_ethhdr ethhdr;
@@ -1748,15 +1725,13 @@ process_ip_header(struct context *c, unsigned int flags, struct buffer *buf,
 {
 mss_fixup_ipv6(&ipbuf, c->c2.frame.mss_fix);
 }
- if (!(flags & PIP_OUTGOING) && (flags
- &(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER)))
+ if (!(flags & PIP_OUTGOING)
+ && (flags & (PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER)))
 {
- ipv6_send_icmp_unreachable(c, buf,
- (bool)(flags & PIPV6_ICMP_NOHOST_CLIENT));
+ ipv6_send_icmp_unreachable(c, buf, (bool)(flags & PIPV6_ICMP_NOHOST_CLIENT));
 /* Drop the IPv6 packet */
 buf->len = 0;
 }
- }
 }
 }
@@ -1793,10 +1768,9 @@ process_outgoing_link(struct context *c, struct link_socket *sock)
 */
 if (c->options.shaper)
 {
- int overhead = datagram_overhead(c->c2.to_link_addr->dest.addr.sa.sa_family,
- sock->info.proto);
- shaper_wrote_bytes(&c->c2.shaper,
- BLEN(&c->c2.to_link) + overhead);
+ int overhead =
+ datagram_overhead(c->c2.to_link_addr->dest.addr.sa.sa_family, sock->info.proto);
+ shaper_wrote_bytes(&c->c2.shaper, BLEN(&c->c2.to_link) + overhead);
 }
 /*
@@ -1820,10 +1794,8 @@ process_outgoing_link(struct context *c, struct link_socket *sock)
 }
 #endif
 msg(D_LINK_RW, "%s WRITE [%d] to %s: %s",
- proto2ascii(sock->info.proto, sock->info.af, true),
- BLEN(&c->c2.to_link),
- print_link_socket_actual(c->c2.to_link_addr, &gc),
- PROTO_DUMP(&c->c2.to_link, &gc));
+ proto2ascii(sock->info.proto, sock->info.af, true), BLEN(&c->c2.to_link),
+ print_link_socket_actual(c->c2.to_link_addr, &gc), PROTO_DUMP(&c->c2.to_link, &gc));
 /* Packet send complexified by possible Socks5 usage */
 {
@@ -1834,9 +1806,7 @@ process_outgoing_link(struct context *c, struct link_socket *sock)
 socks_preprocess_outgoing_link(c, sock, &to_addr, &size_delta);
 /* Send packet */
- size = (int)link_socket_write(sock,
- &c->c2.to_link,
- to_addr);
+ size = (int)link_socket_write(sock, &c->c2.to_link, to_addr);
 /* Undo effect of prepend */
 link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link);
@@ -1857,7 +1827,8 @@ process_outgoing_link(struct context *c, struct link_socket *sock)
 if (management)
 {
 management_bytes_client(management, 0, size);
- management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context);
+ management_bytes_server(management, &c->c2.link_read_bytes,
+ &c->c2.link_write_bytes, &c->c2.mda_context);
 }
 #endif
 }
@@ -1874,9 +1845,7 @@ process_outgoing_link(struct context *c, struct link_socket *sock)
 {
 msg(D_LINK_ERRORS,
 "TCP/UDP packet was truncated/expanded on write to %s (tried=%d,actual=%d)",
- print_link_socket_actual(c->c2.to_link_addr, &gc),
- BLEN(&c->c2.to_link),
- size);
+ print_link_socket_actual(c->c2.to_link_addr, &gc), BLEN(&c->c2.to_link), size);
 }
 }
@@ -1895,7 +1864,8 @@ process_outgoing_link(struct context *c, struct link_socket *sock)
 ENETUNREACH;
 #endif
 if (size < 0 && unreachable && c->c2.tls_multi
- && !tls_initial_packet_received(c->c2.tls_multi) && c->options.mode == MODE_POINT_TO_POINT)
+ && !tls_initial_packet_received(c->c2.tls_multi)
+ && c->options.mode == MODE_POINT_TO_POINT)
 {
 msg(M_INFO, "Network unreachable, restarting");
 register_signal(c->sig, SIGUSR1, "network-unreachable");
@@ -1906,8 +1876,7 @@ process_outgoing_link(struct context *c, struct link_socket *sock)
 if (c->c2.to_link.len > 0)
 {
 msg(D_LINK_ERRORS, "TCP/UDP packet too large on write to %s (tried=%d,max=%d)",
- print_link_socket_actual(c->c2.to_link_addr, &gc),
- c->c2.to_link.len,
+ print_link_socket_actual(c->c2.to_link_addr, &gc), c->c2.to_link.len,
 c->c2.frame.buf.payload_size);
 }
 }
@@ -1940,8 +1909,8 @@ process_outgoing_tun(struct context *c, struct link_socket *in_sock)
 * The --mssfix option requires
 * us to examine the IP header (IPv4 or IPv6).
 */
- process_ip_header(c, PIP_MSSFIX|PIPV4_EXTRACT_DHCP_ROUTER|PIPV4_CLIENT_NAT|PIP_OUTGOING, &c->c2.to_tun,
- in_sock);
+ process_ip_header(c, PIP_MSSFIX | PIPV4_EXTRACT_DHCP_ROUTER | PIPV4_CLIENT_NAT | PIP_OUTGOING,
+ &c->c2.to_tun, in_sock);
 if (c->c2.to_tun.len <= c->c2.frame.buf.payload_size)
 {
@@ -1959,11 +1928,8 @@ process_outgoing_tun(struct context *c, struct link_socket *in_sock)
 dmsg(D_TUN_RW, "TUN WRITE [%d]", BLEN(&c->c2.to_tun));
 #ifdef PACKET_TRUNCATION_CHECK
- ipv4_packet_size_verify(BPTR(&c->c2.to_tun),
- BLEN(&c->c2.to_tun),
- TUNNEL_TYPE(c->c1.tuntap),
- "WRITE_TUN",
- &c->c2.n_trunc_tun_write);
+ ipv4_packet_size_verify(BPTR(&c->c2.to_tun), BLEN(&c->c2.to_tun), TUNNEL_TYPE(c->c1.tuntap),
+ "WRITE_TUN", &c->c2.n_trunc_tun_write);
 #endif
 #ifdef _WIN32
@@ -1993,9 +1959,7 @@ process_outgoing_tun(struct context *c, struct link_socket *in_sock)
 {
 msg(D_LINK_ERRORS,
 "TUN/TAP packet was destructively fragmented on write to %s (tried=%d,actual=%d)",
- c->c1.tuntap->actual_name,
- BLEN(&c->c2.to_tun),
- size);
+ c->c1.tuntap->actual_name, BLEN(&c->c2.to_tun), size);
 }
 /* indicate activity regarding --inactive parameter */
@@ -2008,8 +1972,7 @@ process_outgoing_tun(struct context *c, struct link_socket *in_sock)
 * This should never happen, probably indicates some kind
 * of MTU mismatch.
 */
- msg(D_LINK_ERRORS, "tun packet too large on write (tried=%d,max=%d)",
- c->c2.to_tun.len,
+ msg(D_LINK_ERRORS, "tun packet too large on write (tried=%d,max=%d)", c->c2.to_tun.len,
 c->c2.frame.buf.payload_size);
 }
@@ -2085,9 +2048,8 @@ pre_select(struct context *c)
 }
 static void
-multi_io_process_flags(struct context *c, struct event_set *es,
- const unsigned int flags, unsigned int *out_socket,
- unsigned int *out_tuntap)
+multi_io_process_flags(struct context *c, struct event_set *es, const unsigned int flags,
+ unsigned int *out_socket, unsigned int *out_tuntap)
 {
 unsigned int socket = 0;
 unsigned int tuntap = 0;
@@ -2178,8 +2140,7 @@ multi_io_process_flags(struct context *c, struct event_set *es,
 */
 for (int i = 0; i < c->c1.link_sockets_num; i++)
 {
- socket_set(c->c2.link_sockets[i], es, socket,
- &c->c2.link_sockets[i]->ev_arg, NULL);
+ socket_set(c->c2.link_sockets[i], es, socket, &c->c2.link_sockets[i]->ev_arg, NULL);
 }
 tun_set(c->c1.tuntap, es, tuntap, (void *)tun_shift, NULL);
@@ -2193,7 +2154,6 @@ multi_io_process_flags(struct context *c, struct event_set *es,
 {
 *out_tuntap = tuntap;
 }
-
 }
 /*
@@ -2244,15 +2204,16 @@ io_wait_dowork(struct context *c, const unsigned int flags)
 struct event_set_return esr[4];
 /* These shifts all depend on EVENT_READ and EVENT_WRITE */
- static uintptr_t socket_shift = SOCKET_SHIFT; /* depends on SOCKET_READ and SOCKET_WRITE */
+ static uintptr_t socket_shift = SOCKET_SHIFT; /* depends on SOCKET_READ and SOCKET_WRITE */
 #ifdef ENABLE_MANAGEMENT
- static uintptr_t management_shift = MANAGEMENT_SHIFT; /* depends on MANAGEMENT_READ and MANAGEMENT_WRITE */
+ static uintptr_t management_shift =
+ MANAGEMENT_SHIFT; /* depends on MANAGEMENT_READ and MANAGEMENT_WRITE */
 #endif
 #ifdef ENABLE_ASYNC_PUSH
 static uintptr_t file_shift = FILE_SHIFT;
 #endif
 #if defined(TARGET_LINUX) || defined(TARGET_FREEBSD)
- static uintptr_t dco_shift = DCO_SHIFT; /* Event from DCO linux kernel module */
+ static uintptr_t dco_shift = DCO_SHIFT; /* Event from DCO linux kernel module */
 #endif
 /*
@@ -2331,8 +2292,7 @@ io_wait_dowork(struct context *c, const unsigned int flags)
 if (ev_arg->type != EVENT_ARG_LINK_SOCKET)
 {
 c->c2.event_set_status = ES_ERROR;
- msg(D_LINK_ERRORS,
- "io_work: non socket event delivered");
+ msg(D_LINK_ERRORS, "io_work: non socket event delivered");
 return;
 }
@@ -2375,7 +2335,7 @@ process_io(struct context *c, struct link_socket *sock)
 const unsigned int status = c->c2.event_set_status;
 #ifdef ENABLE_MANAGEMENT
- if (status & (MANAGEMENT_READ|MANAGEMENT_WRITE))
+ if (status & (MANAGEMENT_READ | MANAGEMENT_WRITE))
 {
 ASSERT(management);
 management_io(management);
diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h
index abb45c08c..d5641491d 100644
--- a/src/openvpn/forward.h
+++ b/src/openvpn/forward.h
@@ -34,9 +34,9 @@
 * file */
-#define TUN_OUT(c) (BLEN(&(c)->c2.to_tun) > 0)
-#define LINK_OUT(c) (BLEN(&(c)->c2.to_link) > 0)
-#define ANY_OUT(c) (TUN_OUT(c) || LINK_OUT(c))
+#define TUN_OUT(c) (BLEN(&(c)->c2.to_tun) > 0)
+#define LINK_OUT(c) (BLEN(&(c)->c2.to_link) > 0)
+#define ANY_OUT(c) (TUN_OUT(c) || LINK_OUT(c))
 #ifdef ENABLE_FRAGMENT
 #define TO_LINK_FRAG(c) ((c)->c2.fragment && fragment_outgoing_defined((c)->c2.fragment))
@@ -44,31 +44,32 @@
 #define TO_LINK_FRAG(c) (false)
 #endif
-#define TO_LINK_DEF(c) (LINK_OUT(c) || TO_LINK_FRAG(c))
+#define TO_LINK_DEF(c) (LINK_OUT(c) || TO_LINK_FRAG(c))
 #include "openvpn.h"
 #include "occ.h"
 #include "ping.h"
 #include "multi_io.h"
-#define IOW_TO_TUN (1<<0)
-#define IOW_TO_LINK (1<<1)
-#define IOW_READ_TUN (1<<2)
-#define IOW_READ_LINK (1<<3)
-#define IOW_SHAPER (1<<4)
-#define IOW_CHECK_RESIDUAL (1<<5)
-#define IOW_FRAG (1<<6)
-#define IOW_MBUF (1<<7)
-#define IOW_READ_TUN_FORCE (1<<8)
-#define IOW_WAIT_SIGNAL (1<<9)
+#define IOW_TO_TUN (1 << 0)
+#define IOW_TO_LINK (1 << 1)
+#define IOW_READ_TUN (1 << 2)
+#define IOW_READ_LINK (1 << 3)
+#define IOW_SHAPER (1 << 4)
+#define IOW_CHECK_RESIDUAL (1 << 5)
+#define IOW_FRAG (1 << 6)
+#define IOW_MBUF (1 << 7)
+#define IOW_READ_TUN_FORCE (1 << 8)
+#define IOW_WAIT_SIGNAL (1 << 9)
-#define IOW_READ (IOW_READ_TUN|IOW_READ_LINK)
+#define IOW_READ (IOW_READ_TUN | IOW_READ_LINK)
 extern counter_type link_read_bytes_global;
 extern counter_type link_write_bytes_global;
-void get_io_flags_dowork_udp(struct context *c, struct multi_io *multi_io, const unsigned int flags);
+void get_io_flags_dowork_udp(struct context *c, struct multi_io *multi_io,
+ const unsigned int flags);
 void get_io_flags_udp(struct context *c, struct multi_io *multi_io, const unsigned int flags);
@@ -192,7 +193,8 @@ bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi
 * @param orig_buf - Pointer to a buffer data.
 *
 */
-void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf);
+void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi,
+ const uint8_t *orig_buf);
 /**
 * Transfers \c float_sa data extracted from an incoming DCO
@@ -204,10 +206,8 @@ void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi
 * @param float_sa - The sockaddr struct containing the data received from the
 * DCO notification
 */
-void
-extract_dco_float_peer_addr(sa_family_t socket_family,
- struct openvpn_sockaddr *out_osaddr,
- const struct sockaddr *float_sa);
+void extract_dco_float_peer_addr(sa_family_t socket_family, struct openvpn_sockaddr *out_osaddr,
+ const struct sockaddr *float_sa);
 /**
 * Write a packet to the external network interface.
@@ -285,8 +285,7 @@ void process_outgoing_tun(struct context *c, struct link_socket *in_sock);
 * @param str - The message to be sent
 * @param msglevel - Message level to use for logging
 */
-bool
-send_control_channel_string(struct context *c, const char *str, int msglevel);
+bool send_control_channel_string(struct context *c, const char *str, int msglevel);
 /*
 * Send a string to remote over the TLS control channel.
@@ -304,9 +303,7 @@ send_control_channel_string(struct context *c, const char *str, int msglevel);
 * @param msglevel - Message level to use for logging
 */
-bool
-send_control_channel_string_dowork(struct tls_session *session,
- const char *str, int msglevel);
+bool send_control_channel_string_dowork(struct tls_session *session, const char *str, int msglevel);
 /**
@@ -317,13 +314,13 @@ send_control_channel_string_dowork(struct tls_session *session,
 */
 void reschedule_multi_process(struct context *c);
-#define PIPV4_PASSTOS (1<<0)
-#define PIP_MSSFIX (1<<1) /* v4 and v6 */
-#define PIP_OUTGOING (1<<2)
-#define PIPV4_EXTRACT_DHCP_ROUTER (1<<3)
-#define PIPV4_CLIENT_NAT (1<<4)
-#define PIPV6_ICMP_NOHOST_CLIENT (1<<5)
-#define PIPV6_ICMP_NOHOST_SERVER (1<<6)
+#define PIPV4_PASSTOS (1 << 0)
+#define PIP_MSSFIX (1 << 1) /* v4 and v6 */
+#define PIP_OUTGOING (1 << 2)
+#define PIPV4_EXTRACT_DHCP_ROUTER (1 << 3)
+#define PIPV4_CLIENT_NAT (1 << 4)
+#define PIPV6_ICMP_NOHOST_CLIENT (1 << 5)
+#define PIPV6_ICMP_NOHOST_SERVER (1 << 6)
 void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf,
@@ -365,7 +362,7 @@ register_activity(struct context *c, const int size)
 static inline unsigned int
 p2p_iow_flags(const struct context *c)
 {
- unsigned int flags = (IOW_SHAPER|IOW_CHECK_RESIDUAL|IOW_FRAG|IOW_READ|IOW_WAIT_SIGNAL);
+ unsigned int flags = (IOW_SHAPER | IOW_CHECK_RESIDUAL | IOW_FRAG | IOW_READ | IOW_WAIT_SIGNAL);
 if (c->c2.to_link.len > 0)
 {
 flags |= IOW_TO_LINK;
@@ -384,8 +381,8 @@ p2p_iow_flags(const struct context *c)
 static inline void
 io_wait(struct context *c, const unsigned int flags)
 {
- if (proto_is_dgram(c->c2.link_sockets[0]->info.proto)
- && c->c2.fast_io && (flags & (IOW_TO_TUN|IOW_TO_LINK|IOW_MBUF)))
+ if (proto_is_dgram(c->c2.link_sockets[0]->info.proto) && c->c2.fast_io
+ && (flags & (IOW_TO_TUN | IOW_TO_LINK | IOW_MBUF)))
 {
 /* fast path -- only for TUN/TAP/UDP writes */
 unsigned int ret = 0;
@@ -393,7 +390,7 @@ io_wait(struct context *c, const unsigned int flags)
 {
 ret |= TUN_WRITE;
 }
- if (flags & (IOW_TO_LINK|IOW_MBUF))
+ if (flags & (IOW_TO_LINK | IOW_MBUF))
 {
 ret |= SOCKET_WRITE;
 }
diff --git a/src/openvpn/fragment.c b/src/openvpn/fragment.c
index a7fbe09cc..7fc42e5c3 100644
--- a/src/openvpn/fragment.c
+++ b/src/openvpn/fragment.c
@@ -34,7 +34,11 @@
 #include "integer.h"
 #include "memdbg.h"
-#define FRAG_ERR(s) { errmsg = s; goto error; }
+#define FRAG_ERR(s) \
+ { \
+ errmsg = s; \
+ goto error; \
+ }
 static void
 fragment_list_buf_init(struct fragment_list *list, const struct frame *frame)
@@ -132,8 +136,7 @@ fragment_frame_init(struct fragment_master *f, const struct frame *frame)
 * If a fragment fully completes the datagram, return the datagram.
 */
 void
-fragment_incoming(struct fragment_master *f, struct buffer *buf,
- const struct frame *frame)
+fragment_incoming(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
 {
 const char *errmsg = NULL;
 fragment_header_type flags = 0;
@@ -164,11 +167,8 @@ fragment_incoming(struct fragment_master *f, struct buffer *buf,
 /* handle the fragment type */
 if (frag_type == FRAG_WHOLE)
 {
- dmsg(D_FRAG_DEBUG,
- "FRAG_IN buf->len=%d type=FRAG_WHOLE flags="
- fragment_header_format,
- buf->len,
- flags);
+ dmsg(D_FRAG_DEBUG, "FRAG_IN buf->len=%d type=FRAG_WHOLE flags=" fragment_header_format,
+ buf->len, flags);
 if (flags & (FRAG_SEQ_ID_MASK | FRAG_ID_MASK))
 {
@@ -179,22 +179,18 @@ fragment_incoming(struct fragment_master *f, struct buffer *buf,
 {
 const int seq_id = ((flags >> FRAG_SEQ_ID_SHIFT) & FRAG_SEQ_ID_MASK);
 const int n = ((flags >> FRAG_ID_SHIFT) & FRAG_ID_MASK);
- const int size = ((frag_type == FRAG_YES_LAST)
- ? (int)(((flags >> FRAG_SIZE_SHIFT) & FRAG_SIZE_MASK) << FRAG_SIZE_ROUND_SHIFT)
- : buf->len);
+ const int size =
+ ((frag_type == FRAG_YES_LAST)
+ ? (int)(((flags >> FRAG_SIZE_SHIFT) & FRAG_SIZE_MASK) << FRAG_SIZE_ROUND_SHIFT)
+ : buf->len);
 /* get the appropriate fragment buffer based on received seq_id */
 struct fragment *frag = fragment_list_get_buf(&f->incoming, seq_id);
- dmsg(D_FRAG_DEBUG,
- "FRAG_IN len=%d type=%d seq_id=%d frag_id=%d size=%d flags="
- fragment_header_format,
- buf->len,
- frag_type,
- seq_id,
- n,
- size,
- flags);
+ dmsg(
+ D_FRAG_DEBUG,
+ "FRAG_IN len=%d type=%d seq_id=%d frag_id=%d size=%d flags=" fragment_header_format,
+ buf->len, frag_type, seq_id, n, size, flags);
 /* make sure that size is an even multiple of 1<len, f->outgoing.len);
+ msg(D_FRAG_ERRORS, "FRAG: outgoing buffer is not empty, len=[%d,%d]", buf->len,
+ f->outgoing.len);
 }
 if (buf->len > frame->max_fragment_size) /* should we fragment? */
 {
@@ -351,11 +343,7 @@ fragment_outgoing(struct fragment_master *f, struct buffer *buf,
 /*
 * Send the datagram whole.
 */
- fragment_prepend_flags(buf,
- FRAG_WHOLE,
- 0,
- 0,
- 0);
+ fragment_prepend_flags(buf, FRAG_WHOLE, 0, 0, 0);
 }
 }
 return;
@@ -363,8 +351,8 @@ fragment_outgoing(struct fragment_master *f, struct buffer *buf,
 error:
 if (errmsg)
 {
- msg(D_FRAG_ERRORS, "FRAG_OUT error, len=%d frag_size=%d MAX_FRAGS=%d: %s",
- buf->len, f->outgoing_frag_size, MAX_FRAGS, errmsg);
+ msg(D_FRAG_ERRORS, "FRAG_OUT error, len=%d frag_size=%d MAX_FRAGS=%d: %s", buf->len,
+ f->outgoing_frag_size, MAX_FRAGS, errmsg);
 }
 buf->len = 0;
 return;
@@ -372,8 +360,7 @@ error:
 /* return true (and set buf) if we have an outgoing fragment which is ready to send */
 bool
-fragment_ready_to_send(struct fragment_master *f, struct buffer *buf,
- const struct frame *frame)
+fragment_ready_to_send(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
 {
 if (fragment_outgoing_defined(f))
 {
@@ -392,13 +379,12 @@ fragment_ready_to_send(struct fragment_master *f, struct buffer *buf,
 ASSERT(buf_copy_n(buf, &f->outgoing, size));
 /* fragment flags differ based on whether or not we are sending the last fragment */
- fragment_prepend_flags(buf,
- last ? FRAG_YES_LAST : FRAG_YES_NOTLAST,
- f->outgoing_seq_id,
- f->outgoing_frag_id++,
- f->outgoing_frag_size);
+ fragment_prepend_flags(buf, last ? FRAG_YES_LAST : FRAG_YES_NOTLAST, f->outgoing_seq_id,
+ f->outgoing_frag_id++, f->outgoing_frag_size);
- ASSERT(!last || !f->outgoing.len); /* outgoing buffer length should be zero after last fragment sent */
+ ASSERT(!last
+ || !f->outgoing
+ .len); /* outgoing buffer length should be zero after last fragment sent */
 return true;
 }
diff --git a/src/openvpn/fragment.h b/src/openvpn/fragment.h
index 6120079d4..9719bf528 100644
--- a/src/openvpn/fragment.h
+++ b/src/openvpn/fragment.h
@@ -45,15 +45,15 @@
 #include "error.h"
-#define N_FRAG_BUF 25
+#define N_FRAG_BUF 25
 /**< Number of packet buffers for
 * reassembling incoming fragmented
 * packets. */
-#define FRAG_TTL_SEC 10
+#define FRAG_TTL_SEC 10
 /**< Time-to-live in seconds for a %fragment. */
-#define FRAG_WAKEUP_INTERVAL 5
+#define FRAG_WAKEUP_INTERVAL 5
 /**< Interval in seconds between calls to
 * wakeup code. */
@@ -61,15 +61,16 @@
 /**
 * Structure for reassembling one incoming fragmented packet.
 */
-struct fragment {
- bool defined; /**< Whether reassembly is currently
- * taking place in this structure. */
+struct fragment
+{
+ bool defined; /**< Whether reassembly is currently
+ * taking place in this structure. */
- int max_frag_size; /**< Maximum size of each %fragment. */
+ int max_frag_size; /**< Maximum size of each %fragment. */
 #define FRAG_MAP_MASK 0xFFFFFFFF /**< Mask for reassembly map. */
-#define MAX_FRAGS 32 /**< Maximum number of fragments per packet. */
+#define MAX_FRAGS 32 /**< Maximum number of fragments per packet. */
 unsigned int map; /**< Reassembly map for recording which
 * fragments have been received.
@@ -80,10 +81,10 @@ struct fragment {
 * n has been received. Needs to have
 * at least \c MAX_FRAGS bits. */
- time_t timestamp; /**< Timestamp for time-to-live purposes. */
+ time_t timestamp; /**< Timestamp for time-to-live purposes. */
- struct buffer buf; /**< Buffer in which received datagrams
- * are reassembled. */
+ struct buffer buf; /**< Buffer in which received datagrams
+ * are reassembled. */
 };
@@ -135,11 +136,12 @@ struct fragment_list
 * fragment_incoming() function adds newly received parts into this array
 * and returns the whole packets once reassembly is complete.
 */
-struct fragment_master {
+struct fragment_master
+{
 struct event_timeout wakeup; /**< Timeout structure used by the main
 * event loop to know when to do
 * fragmentation housekeeping. */
-#define N_SEQ_ID 256
+#define N_SEQ_ID 256
 /**< One more than the maximum fragment
 * sequence ID, above which the IDs wrap
 * to zero. Should be a power of 2. */
@@ -195,24 +197,24 @@ typedef uint32_t fragment_header_type;
 #define ntoh_fragment_header_type(x) ntohl(x)
 /**< Convert a \c fragment_header_type from network to host order. */
-#define FRAG_TYPE_MASK 0x00000003 /**< Bit mask for %fragment type info. */
-#define FRAG_TYPE_SHIFT 0 /**< Bit shift for %fragment type info. */
+#define FRAG_TYPE_MASK 0x00000003 /**< Bit mask for %fragment type info. */
+#define FRAG_TYPE_SHIFT 0 /**< Bit shift for %fragment type info. */
-#define FRAG_WHOLE 0 /**< Fragment type indicating packet is whole. */
-#define FRAG_YES_NOTLAST 1
+#define FRAG_WHOLE 0 /**< Fragment type indicating packet is whole. */
+#define FRAG_YES_NOTLAST 1
 /**< Fragment type indicating packet is part of a fragmented packet, but not
 * the last part in the sequence. */
-#define FRAG_YES_LAST 2
+#define FRAG_YES_LAST 2
 /**< Fragment type indicating packet is the last part in the sequence of parts. */
-#define FRAG_TEST 3
+#define FRAG_TEST 3
 /**< Fragment type not implemented yet.
 * In the future might be used as a control packet for establishing MTU size. */
-#define FRAG_SEQ_ID_MASK 0x000000ff /**< Bit mask for %fragment sequence ID. */
-#define FRAG_SEQ_ID_SHIFT 2 /**< Bit shift for %fragment sequence ID. */
+#define FRAG_SEQ_ID_MASK 0x000000ff /**< Bit mask for %fragment sequence ID. */
+#define FRAG_SEQ_ID_SHIFT 2 /**< Bit shift for %fragment sequence ID. */
-#define FRAG_ID_MASK 0x0000001f /**< Bit mask for %fragment ID. */
-#define FRAG_ID_SHIFT 10 /**< Bit shift for %fragment ID. */
+#define FRAG_ID_MASK 0x0000001f /**< Bit mask for %fragment ID. */
+#define FRAG_ID_SHIFT 10 /**< Bit shift for %fragment ID. */
 /*
@@ -224,10 +226,10 @@ typedef uint32_t fragment_header_type;
 * max_frag_size is only sent over the wire if FRAG_LAST is set. Otherwise it is assumed
 * to be the actual %fragment size received.
 */
-#define FRAG_SIZE_MASK 0x00003fff /**< Bit mask for %fragment size. */
-#define FRAG_SIZE_SHIFT 15 /**< Bit shift for %fragment size. */
-#define FRAG_SIZE_ROUND_SHIFT 2 /**< Bit shift for %fragment size rounding. */
-#define FRAG_SIZE_ROUND_MASK ((1 << FRAG_SIZE_ROUND_SHIFT) - 1)
+#define FRAG_SIZE_MASK 0x00003fff /**< Bit mask for %fragment size. */
+#define FRAG_SIZE_SHIFT 15 /**< Bit shift for %fragment size. */
+#define FRAG_SIZE_ROUND_SHIFT 2 /**< Bit shift for %fragment size rounding. */
+#define FRAG_SIZE_ROUND_MASK ((1 << FRAG_SIZE_ROUND_SHIFT) - 1)
 /**< Bit mask for %fragment size rounding. */
 /*
@@ -235,14 +237,14 @@ typedef uint32_t fragment_header_type;
 *
 * IF FRAG_WHOLE or FRAG_YES_NOTLAST, these 16 bits are available (not currently used)
 */
-#define FRAG_EXTRA_MASK 0x0000ffff /**< Bit mask for extra bits. */
-#define FRAG_EXTRA_SHIFT 15 /**< Bit shift for extra bits. */
+#define FRAG_EXTRA_MASK 0x0000ffff /**< Bit mask for extra bits. */
+#define FRAG_EXTRA_SHIFT 15 /**< Bit shift for extra bits. */
-/** @} name Fragment header *//********************************************/
+/** @} name Fragment header */ /********************************************/
 /**************************************************************************/
-/** @name Functions for initialization and cleanup *//** @{ *//************/
+/** @name Functions for initialization and cleanup */ /** @{ */ /************/
 /**
 * Allocate and initialize a \c fragment_master structure.
@@ -278,7 +280,7 @@ void fragment_frame_init(struct fragment_master *f, const struct frame *frame);
 */
 void fragment_free(struct fragment_master *f);
-/** @} name Functions for initialization and cleanup *//*******************/
+/** @} name Functions for initialization and cleanup */ /*******************/
 /**************************************************************************/
@@ -326,8 +328,7 @@ void fragment_free(struct fragment_master *f);
 * complete. If an error occurs during processing, the buffer length
 * is also set to zero.
 */
-void fragment_incoming(struct fragment_master *f, struct buffer *buf,
- const struct frame *frame);
+void fragment_incoming(struct fragment_master *f, struct buffer *buf, const struct frame *frame);
 /** @} name Functions for processing packets received from a VPN tunnel */
@@ -378,8 +379,7 @@ void fragment_incoming(struct fragment_master *f, struct buffer *buf,
 * cases a fragmentation header will have been prepended to inform the
 * remote peer how to handle the packet.
 */
-void fragment_outgoing(struct fragment_master *f, struct buffer *buf,
- const struct frame *frame);
+void fragment_outgoing(struct fragment_master *f, struct buffer *buf, const struct frame *frame);
 /**
 * Check whether outgoing fragments are ready to be send, and if so make
@@ -435,7 +435,7 @@ void fragment_wakeup(struct fragment_master *f, struct frame *frame);
 /**************************************************************************/
-/** @name Functions for regular housekeeping *//** @{ *//******************/
+/** @name Functions for regular housekeeping */ /** @{ */ /******************/
 /**
 * Perform housekeeping of a \c fragment_master structure.
@@ -459,10 +459,10 @@ fragment_housekeeping(struct fragment_master *f, struct frame *frame, struct tim
 }
 }
-/** @} name Functions for regular housekeeping *//*************************/
+/** @} name Functions for regular housekeeping */ /*************************/
-/** @} addtogroup fragmentation *//****************************************/
+/** @} addtogroup fragmentation */ /****************************************/
 #endif /* ifdef ENABLE_FRAGMENT */
diff --git a/src/openvpn/gremlin.c b/src/openvpn/gremlin.c
index a3ecc8da5..e6ebbef67 100644
--- a/src/openvpn/gremlin.c
+++ b/src/openvpn/gremlin.c
@@ -64,28 +64,29 @@ static const int corrupt_freq[] = { 500, 100, 50 };
 * When network goes up, it will be up for between
 * UP_LOW and UP_HIGH seconds.
 */
-static const int up_low[] = { 60, 10, 5 };
+static const int up_low[] = { 60, 10, 5 };
 static const int up_high[] = { 600, 60, 10 };
 /*
 * When network goes down, it will be down for between
 * DOWN_LOW and DOWN_HIGH seconds.
 */
-static const int down_low[] = { 5, 10, 10 };
+static const int down_low[] = { 5, 10, 10 };
 static const int down_high[] = { 10, 60, 120 };
 /*
 * Packet flood levels:
 * { number of packets, packet size }
 */
-static const struct packet_flood_parms packet_flood_data[] =
-{{10, 100}, {10, 1500}, {100, 1500}};
+static const struct packet_flood_parms packet_flood_data[] = { { 10, 100 },
+ { 10, 1500 },
+ { 100, 1500 } };
 struct packet_flood_parms get_packet_flood_parms(int level)
 {
 ASSERT(level > 0 && level < 4);
- return packet_flood_data [level - 1];
+ return packet_flood_data[level - 1];
 }
 /*
@@ -147,18 +148,16 @@ ask_gremlin(int flags)
 int delta;
 if (up)
 {
- delta = roll(down_low[up_down_level-1], down_high[up_down_level-1]);
+ delta = roll(down_low[up_down_level - 1], down_high[up_down_level - 1]);
 up = false;
 }
 else
 {
- delta = roll(up_low[up_down_level-1], up_high[up_down_level-1]);
+ delta = roll(up_low[up_down_level - 1], up_high[up_down_level - 1]);
 up = true;
 }
- msg(D_GREMLIN,
- "GREMLIN: CONNECTION GOING %s FOR %d SECONDS",
- (up ? "UP" : "DOWN"),
+ msg(D_GREMLIN, "GREMLIN: CONNECTION GOING %s FOR %d SECONDS", (up ? "UP" : "DOWN"),
 delta);
 next = now + delta;
 }
@@ -166,7 +165,7 @@ ask_gremlin(int flags)
 if (drop_level)
 {
- if (up && flip(drop_freq[drop_level-1]))
+ if (up && flip(drop_freq[drop_level - 1]))
 {
 dmsg(D_GREMLIN_VERBOSE, "GREMLIN: Random packet drop");
 return false;
@@ -185,7 +184,7 @@ corrupt_gremlin(struct buffer *buf, int flags)
 const int corrupt_level = GREMLIN_CORRUPT_LEVEL(flags);
 if (corrupt_level)
 {
- if (flip(corrupt_freq[corrupt_level-1]))
+ if (flip(corrupt_freq[corrupt_level - 1]))
 {
 do
 {
@@ -226,7 +225,7 @@ corrupt_gremlin(struct buffer *buf, int flags)
 {
 break;
 }
- } while (flip(2)); /* a 50% chance we will corrupt again */
+ } while (flip(2)); /* a 50% chance we will corrupt again */
 }
 }
 }
diff --git a/src/openvpn/gremlin.h b/src/openvpn/gremlin.h
index 3cbfb773c..2422338d6 100644
--- a/src/openvpn/gremlin.h
+++ b/src/openvpn/gremlin.h
@@ -29,30 +29,32 @@
 * Gremlin options, presented as bitmask argument to --gremlin directive
 */
-#define GREMLIN_CONNECTION_FLOOD_SHIFT (0)
-#define GREMLIN_CONNECTION_FLOOD_MASK (0x07)
+#define GREMLIN_CONNECTION_FLOOD_SHIFT (0)
+#define GREMLIN_CONNECTION_FLOOD_MASK (0x07)
-#define GREMLIN_PACKET_FLOOD_SHIFT (3)
-#define GREMLIN_PACKET_FLOOD_MASK (0x03)
+#define GREMLIN_PACKET_FLOOD_SHIFT (3)
+#define GREMLIN_PACKET_FLOOD_MASK (0x03)
-#define GREMLIN_CORRUPT_SHIFT (5)
-#define GREMLIN_CORRUPT_MASK (0x03)
+#define GREMLIN_CORRUPT_SHIFT (5)
+#define GREMLIN_CORRUPT_MASK (0x03)
-#define GREMLIN_UP_DOWN_SHIFT (7)
-#define GREMLIN_UP_DOWN_MASK (0x03)
+#define GREMLIN_UP_DOWN_SHIFT (7)
+#define GREMLIN_UP_DOWN_MASK (0x03)
 /* 512:1/500 1024:1/100 1536:1/50 */
-#define GREMLIN_DROP_SHIFT (9)
-#define GREMLIN_DROP_MASK (0x03)
+#define GREMLIN_DROP_SHIFT (9)
+#define GREMLIN_DROP_MASK (0x03)
 /* extract gremlin parms */
-#define GREMLIN_CONNECTION_FLOOD_LEVEL(x) (((x)>>GREMLIN_CONNECTION_FLOOD_SHIFT) & GREMLIN_CONNECTION_FLOOD_MASK)
-#define GREMLIN_PACKET_FLOOD_LEVEL(x) (((x)>>GREMLIN_PACKET_FLOOD_SHIFT) & GREMLIN_PACKET_FLOOD_MASK)
-#define GREMLIN_CORRUPT_LEVEL(x) (((x)>>GREMLIN_CORRUPT_SHIFT) & GREMLIN_CORRUPT_MASK)
-#define GREMLIN_UP_DOWN_LEVEL(x) (((x)>>GREMLIN_UP_DOWN_SHIFT) & GREMLIN_UP_DOWN_MASK)
-#define GREMLIN_DROP_LEVEL(x) (((x)>>GREMLIN_DROP_SHIFT) & GREMLIN_DROP_MASK)
+#define GREMLIN_CONNECTION_FLOOD_LEVEL(x) \
+ (((x) >> GREMLIN_CONNECTION_FLOOD_SHIFT) & GREMLIN_CONNECTION_FLOOD_MASK)
+#define GREMLIN_PACKET_FLOOD_LEVEL(x) \
+ (((x) >> GREMLIN_PACKET_FLOOD_SHIFT) & GREMLIN_PACKET_FLOOD_MASK)
+#define GREMLIN_CORRUPT_LEVEL(x) (((x) >> GREMLIN_CORRUPT_SHIFT) & GREMLIN_CORRUPT_MASK)
+#define GREMLIN_UP_DOWN_LEVEL(x) (((x) >> GREMLIN_UP_DOWN_SHIFT) & GREMLIN_UP_DOWN_MASK)
+#define GREMLIN_DROP_LEVEL(x) (((x) >> GREMLIN_DROP_SHIFT) & GREMLIN_DROP_MASK)
 #include "buffer.h"
diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index 36b88f550..b2ecb1e94 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
@@ -70,14 +70,12 @@ print_opt_route(const in_addr_t network, const in_addr_t netmask, struct gc_aren
 if (netmask)
 {
- buf_printf(&out, "route %s %s",
- print_in_addr_t(network, 0, gc),
+ buf_printf(&out, "route %s %s", print_in_addr_t(network, 0, gc),
 print_in_addr_t(netmask, 0, gc));
 }
 else
 {
- buf_printf(&out, "route %s",
- print_in_addr_t(network, 0, gc));
+ buf_printf(&out, "route %s", print_in_addr_t(network, 0, gc));
 }
 return BSTR(&out);
@@ -113,11 +111,8 @@ static void
 helper_add_route(const in_addr_t network, const in_addr_t netmask, struct options *o)
 {
 rol_check_alloc(o);
- add_route_to_option_list(o->routes,
- print_in_addr_t(network, 0, &o->gc),
- print_in_addr_t(netmask, 0, &o->gc),
- NULL,
- NULL,
+ add_route_to_option_list(o->routes, print_in_addr_t(network, 0, &o->gc),
+ print_in_addr_t(netmask, 0, &o->gc), NULL, NULL,
 o->route_default_table_id);
 }
@@ -127,10 +122,8 @@ verify_common_subnet(const char *opt, const in_addr_t a, const in_addr_t b, cons
 struct gc_arena gc = gc_new();
 if ((a & subnet) != (b & subnet))
 {
- msg(M_USAGE, "%s IP addresses %s and %s are not in the same %s subnet",
- opt,
- print_in_addr_t(a, 0, &gc),
- print_in_addr_t(b, 0, &gc),
+ msg(M_USAGE, "%s IP addresses %s and %s are not in the same %s subnet", opt,
+ print_in_addr_t(a, 0, &gc), print_in_addr_t(b, 0, &gc),
 print_in_addr_t(subnet, 0, &gc));
 }
 gc_free(&gc);
@@ -206,17 +199,17 @@ helper_client_server(struct options *o)
 }
 if (o->ifconfig_ipv6_pool_defined)
 {
- msg(M_USAGE, "--server-ipv6 already defines an ifconfig-ipv6-pool, so you can't also specify --ifconfig-pool explicitly");
+ msg(M_USAGE,
+ "--server-ipv6 already defines an ifconfig-ipv6-pool, so you can't also specify --ifconfig-pool explicitly");
 }
 o->mode = MODE_SERVER;
 o->tls_server = true;
 /* local ifconfig is "base address + 1" and "+2" */
- o->ifconfig_ipv6_local =
- print_in6_addr( add_in6_addr( o->server_network_ipv6, 1), 0, &o->gc );
+ o->ifconfig_ipv6_local = print_in6_addr(add_in6_addr(o->server_network_ipv6, 1), 0, &o->gc);
 o->ifconfig_ipv6_remote =
- print_in6_addr( add_in6_addr( o->server_network_ipv6, 2), 0, &o->gc );
+ print_in6_addr(add_in6_addr(o->server_network_ipv6, 2), 0, &o->gc);
 o->ifconfig_ipv6_netbits = o->server_netbits_ipv6;
 /* basic sanity check */
@@ -228,8 +221,8 @@ helper_client_server(struct options *o)
 *
 * Smaller pools can't get that far, therefore we just increase by 2
 */
- o->ifconfig_ipv6_pool_base = add_in6_addr(o->server_network_ipv6,
- o->server_netbits_ipv6 < 112 ? 0x1000 : 2);
+ o->ifconfig_ipv6_pool_base =
+ add_in6_addr(o->server_network_ipv6, o->server_netbits_ipv6 < 112 ? 0x1000 : 2);
 o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6;
 push_option(o, "tun-ipv6", M_USAGE);
@@ -283,12 +276,14 @@ helper_client_server(struct options *o)
 if (o->shared_secret_file)
 {
- msg(M_USAGE, "--server and --secret cannot be used together (you must use SSL/TLS keys)");
+ msg(M_USAGE,
+ "--server and --secret cannot be used together (you must use SSL/TLS keys)");
 }
 if (!(o->server_flags & SF_NOPOOL) && o->ifconfig_pool_defined)
 {
- msg(M_USAGE, "--server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly");
+ msg(M_USAGE,
+ "--server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly");
 }
 if (!(dev == DEV_TYPE_TAP || dev == DEV_TYPE_TUN))
@@ -309,7 +304,8 @@ helper_client_server(struct options *o)
 if (netbits < IFCONFIG_POOL_MIN_NETBITS)
 {
- msg(M_USAGE, "--server directive netmask allows for too many host addresses (subnet must be %s or higher)",
+ msg(M_USAGE,
+ "--server directive netmask allows for too many host addresses (subnet must be %s or higher)",
 print_netmask(IFCONFIG_POOL_MIN_NETBITS, &gc));
 }
@@ -319,7 +315,8 @@ helper_client_server(struct options *o)
 if (netbits > 29)
 {
- msg(M_USAGE, "--server directive when used with --dev tun must define a subnet of %s or lower",
+ msg(M_USAGE,
+ "--server directive when used with --dev tun must define a subnet of %s or lower",
 print_netmask(29, &gc));
 }
@@ -342,14 +339,17 @@ helper_client_server(struct options *o)
 {
 o->ifconfig_pool_defined = true;
 o->ifconfig_pool_start = o->server_network + 4;
- o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - pool_end_reserve;
- ifconfig_pool_verify_range(M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
+ o->ifconfig_pool_end =
+ (o->server_network | ~o->server_netmask) - pool_end_reserve;
+ ifconfig_pool_verify_range(M_USAGE, o->ifconfig_pool_start,
+ o->ifconfig_pool_end);
 }
 helper_add_route(o->server_network, o->server_netmask, o);
 if (o->enable_c2c)
 {
- push_option(o, print_opt_route(o->server_network, o->server_netmask, &o->gc), M_USAGE);
+ push_option(o, print_opt_route(o->server_network, o->server_netmask, &o->gc),
+ M_USAGE);
 }
 else if (o->topology == TOP_NET30)
 {
@@ -366,7 +366,8 @@ helper_client_server(struct options *o)
 o->ifconfig_pool_defined = true;
 o->ifconfig_pool_start = o->server_network + 2;
 o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 1;
- ifconfig_pool_verify_range(M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
+ ifconfig_pool_verify_range(M_USAGE, o->ifconfig_pool_start,
+ o->ifconfig_pool_end);
 }
 o->ifconfig_pool_netmask = o->server_netmask;
@@ -386,16 +387,17 @@ helper_client_server(struct options *o)
 if (o->topology == TOP_NET30 && !(o->server_flags & SF_NOPOOL))
 {
 msg(M_WARN, "WARNING: --topology net30 support for server "
- "configs with IPv4 pools will be removed in a future "
- "release. Please migrate to --topology subnet as soon "
- "as possible.");
+ "configs with IPv4 pools will be removed in a future "
+ "release. Please migrate to --topology subnet as soon "
+ "as possible.");
 }
 }
 else if (dev == DEV_TYPE_TAP)
 {
 if (netbits > 30)
 {
- msg(M_USAGE, "--server directive when used with --dev tap must define a subnet of %s or lower",
+ msg(M_USAGE,
+ "--server directive when used with --dev tap must define a subnet of %s or lower",
 print_netmask(30, &gc));
 }
@@ -463,12 +465,14 @@ helper_client_server(struct options *o)
 if (!(o->server_flags & SF_NOPOOL) && o->ifconfig_pool_defined)
 {
- msg(M_USAGE, "--server-bridge already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly");
+ msg(M_USAGE,
+ "--server-bridge already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly");
 }
 if (o->shared_secret_file)
 {
- msg(M_USAGE, "--server-bridge and --secret cannot be used together (you must use SSL/TLS keys)");
+ msg(M_USAGE,
+ "--server-bridge and --secret cannot be used together (you must use SSL/TLS keys)");
 }
 if (dev != DEV_TYPE_TAP)
@@ -478,9 +482,12 @@ helper_client_server(struct options *o)
 if (o->server_bridge_defined)
 {
- verify_common_subnet("--server-bridge", o->server_bridge_ip, o->server_bridge_pool_start, o->server_bridge_netmask);
- verify_common_subnet("--server-bridge", o->server_bridge_pool_start, o->server_bridge_pool_end, o->server_bridge_netmask);
- verify_common_subnet("--server-bridge", o->server_bridge_ip, o->server_bridge_pool_end, o->server_bridge_netmask);
+ verify_common_subnet("--server-bridge", o->server_bridge_ip,
+ o->server_bridge_pool_start, o->server_bridge_netmask);
+ verify_common_subnet("--server-bridge", o->server_bridge_pool_start,
+ o->server_bridge_pool_end, o->server_bridge_netmask);
+ verify_common_subnet("--server-bridge", o->server_bridge_ip, o->server_bridge_pool_end,
+ o->server_bridge_netmask);
 }
 o->mode = MODE_SERVER;
@@ -551,13 +558,14 @@ helper_keepalive(struct options *o)
 }
 if (o->keepalive_ping * 2 > o->keepalive_timeout)
 {
- msg(M_USAGE, "the second parameter to --keepalive (restart timeout=%d) must be at least twice the value of the first parameter (ping interval=%d). A ratio of 1:5 or 1:6 would be even better. Recommended setting is --keepalive 10 60.",
- o->keepalive_timeout,
- o->keepalive_ping);
+ msg(M_USAGE,
+ "the second parameter to --keepalive (restart timeout=%d) must be at least twice the value of the first parameter (ping interval=%d). A ratio of 1:5 or 1:6 would be even better. Recommended setting is --keepalive 10 60.",
+ o->keepalive_timeout, o->keepalive_ping);
 }
 if (o->ping_send_timeout || o->ping_rec_timeout)
 {
- msg(M_USAGE, "--keepalive conflicts with --ping, --ping-exit, or --ping-restart. If you use --keepalive, you don't need any of the other --ping directives.");
+ msg(M_USAGE,
+ "--keepalive conflicts with --ping, --ping-exit, or --ping-restart. If you use --keepalive, you don't need any of the other --ping directives.");
 }
 /*
diff --git a/src/openvpn/httpdigest.c b/src/openvpn/httpdigest.c
index be700b27d..be2063853 100644
--- a/src/openvpn/httpdigest.c
+++ b/src/openvpn/httpdigest.c
@@ -32,10 +32,7 @@
 #include "httpdigest.h"
 static void
-CvtHex(
- IN HASH Bin,
- OUT HASHHEX Hex
- )
+CvtHex(IN HASH Bin, OUT HASHHEX Hex)
 {
 unsigned short i;
 unsigned char j;
@@ -45,20 +42,20 @@ CvtHex(
 j = (Bin[i] >> 4) & 0xf;
 if (j <= 9)
 {
- Hex[i*2] = (j + '0');
+ Hex[i * 2] = (j + '0');
 }
 else
 {
- Hex[i*2] = (j + 'a' - 10);
+ Hex[i * 2] = (j + 'a' - 10);
 }
 j = Bin[i] & 0xf;
 if (j <= 9)
 {
- Hex[i*2+1] = (j + '0');
+ Hex[i * 2 + 1] = (j + '0');
 }
 else
 {
- Hex[i*2+1] = (j + 'a' - 10);
+ Hex[i * 2 + 1] = (j + 'a' - 10);
 }
 }
 Hex[HASHHEXLEN] = '\0';
@@ -66,34 +63,27 @@ CvtHex(
 /* calculate H(A1) as per spec */
 void
-DigestCalcHA1(
- IN char *pszAlg,
- IN char *pszUserName,
- IN char *pszRealm,
- IN char *pszPassword,
- IN char *pszNonce,
- IN char *pszCNonce,
- OUT HASHHEX SessionKey
- )
+DigestCalcHA1(IN char *pszAlg, IN char *pszUserName, IN char *pszRealm, IN char *pszPassword,
+ IN char *pszNonce, IN char *pszCNonce, OUT HASHHEX SessionKey)
 {
 HASH HA1;
 md_ctx_t *md5_ctx = md_ctx_new();
 md_ctx_init(md5_ctx, "MD5");
- md_ctx_update(md5_ctx, (const uint8_t *) pszUserName, strlen(pszUserName));
- md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(md5_ctx, (const uint8_t *) pszRealm, strlen(pszRealm));
- md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(md5_ctx, (const uint8_t *) pszPassword, strlen(pszPassword));
+ md_ctx_update(md5_ctx, (const uint8_t *)pszUserName, strlen(pszUserName));
+ md_ctx_update(md5_ctx, (const uint8_t *)":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *)pszRealm, strlen(pszRealm));
+ md_ctx_update(md5_ctx, (const uint8_t *)":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *)pszPassword, strlen(pszPassword));
 md_ctx_final(md5_ctx, HA1);
 if (pszAlg && strcasecmp(pszAlg, "md5-sess") == 0)
 {
 md_ctx_init(md5_ctx, "MD5");
 md_ctx_update(md5_ctx, HA1, HASHLEN);
- md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(md5_ctx, (const uint8_t *) pszNonce, strlen(pszNonce));
- md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(md5_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce));
+ md_ctx_update(md5_ctx, (const uint8_t *)":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *)pszNonce, strlen(pszNonce));
+ md_ctx_update(md5_ctx, (const uint8_t *)":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *)pszCNonce, strlen(pszCNonce));
 md_ctx_final(md5_ctx, HA1);
 }
 md_ctx_cleanup(md5_ctx);
@@ -103,17 +93,16 @@ DigestCalcHA1(
 /* calculate request-digest/response-digest as per HTTP Digest spec */
 void
-DigestCalcResponse(
- IN HASHHEX HA1, /* H(A1) */
- IN char *pszNonce, /* nonce from server */
- IN char *pszNonceCount, /* 8 hex digits */
- IN char *pszCNonce, /* client nonce */
- IN char *pszQop, /* qop-value: "", "auth", "auth-int" */
- IN char *pszMethod, /* method from the request */
- IN char *pszDigestUri, /* requested URL */
- IN HASHHEX HEntity, /* H(entity body) if qop="auth-int" */
- OUT HASHHEX Response /* request-digest or response-digest */
- )
+DigestCalcResponse(IN HASHHEX HA1, /* H(A1) */
+ IN char *pszNonce, /* nonce from server */
+ IN char *pszNonceCount, /* 8 hex digits */
+ IN char *pszCNonce, /* client nonce */
+ IN char *pszQop, /* qop-value: "", "auth", "auth-int" */
+ IN char *pszMethod, /* method from the request */
+ IN char *pszDigestUri, /* requested URL */
+ IN HASHHEX HEntity, /* H(entity body) if qop="auth-int" */
+ OUT HASHHEX Response /* request-digest or response-digest */
+)
 {
 HASH HA2;
 HASH RespHash;
@@ -123,12 +112,12 @@ DigestCalcResponse(
 /* calculate H(A2) */
 md_ctx_init(md5_ctx, "MD5");
- md_ctx_update(md5_ctx, (const uint8_t *) pszMethod, strlen(pszMethod));
- md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(md5_ctx, (const uint8_t *) pszDigestUri, strlen(pszDigestUri));
+ md_ctx_update(md5_ctx, (const uint8_t *)pszMethod, strlen(pszMethod));
+ md_ctx_update(md5_ctx, (const uint8_t *)":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *)pszDigestUri, strlen(pszDigestUri));
 if (strcasecmp(pszQop, "auth-int") == 0)
 {
- md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *)":", 1);
 md_ctx_update(md5_ctx, HEntity, HASHHEXLEN);
 }
 md_ctx_final(md5_ctx, HA2);
@@ -137,17 +126,17 @@ DigestCalcResponse(
 /* calculate response */
 md_ctx_init(md5_ctx, "MD5");
 md_ctx_update(md5_ctx, HA1, HASHHEXLEN);
- md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(md5_ctx, (const uint8_t *) pszNonce, strlen(pszNonce));
- md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *)":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *)pszNonce, strlen(pszNonce));
+ md_ctx_update(md5_ctx, (const uint8_t *)":", 1);
 if (*pszQop)
 {
- md_ctx_update(md5_ctx, (const uint8_t *) pszNonceCount, strlen(pszNonceCount));
- md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(md5_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce));
- md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(md5_ctx, (const uint8_t *) pszQop, strlen(pszQop));
- md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *)pszNonceCount, strlen(pszNonceCount));
+ md_ctx_update(md5_ctx, (const uint8_t *)":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *)pszCNonce, strlen(pszCNonce));
+ md_ctx_update(md5_ctx, (const uint8_t *)":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *)pszQop, strlen(pszQop));
+ md_ctx_update(md5_ctx, (const uint8_t *)":", 1);
 }
 md_ctx_update(md5_ctx, HA2Hex, HASHHEXLEN);
 md_ctx_final(md5_ctx, RespHash);
diff --git a/src/openvpn/httpdigest.h b/src/openvpn/httpdigest.h
index ecdd6d3fe..1b51a6285 100644
--- a/src/openvpn/httpdigest.h
+++ b/src/openvpn/httpdigest.h
@@ -25,34 +25,26 @@
 #define HASHLEN 16
 typedef unsigned char HASH[HASHLEN];
 #define HASHHEXLEN 32
-typedef unsigned char HASHHEX[HASHHEXLEN+1];
+typedef unsigned char HASHHEX[HASHHEXLEN + 1];
 #undef IN
 #undef OUT
 #define IN const
 #define OUT
 /* calculate H(A1) as per HTTP Digest spec */
-void DigestCalcHA1(
- IN char *pszAlg,
- IN char *pszUserName,
- IN char *pszRealm,
- IN char *pszPassword,
- IN char *pszNonce,
- IN char *pszCNonce,
- OUT HASHHEX SessionKey
- );
+void DigestCalcHA1(IN char *pszAlg, IN char *pszUserName, IN char *pszRealm, IN char *pszPassword,
+ IN char *pszNonce, IN char *pszCNonce, OUT HASHHEX SessionKey);
 /* calculate request-digest/response-digest as per HTTP Digest spec */
-void DigestCalcResponse(
- IN HASHHEX HA1, /* H(A1) */
- IN char *pszNonce, /* nonce from server */
- IN char *pszNonceCount, /* 8 hex digits */
- IN char *pszCNonce, /* client nonce */
- IN char *pszQop, /* qop-value: "", "auth", "auth-int" */
- IN char *pszMethod, /* method from the request */
- IN char *pszDigestUri, /* requested URL */
- IN HASHHEX HEntity, /* H(entity body) if qop="auth-int" */
- OUT HASHHEX Response /* request-digest or response-digest */
- );
+void DigestCalcResponse(IN HASHHEX HA1, /* H(A1) */
+ IN char *pszNonce, /* nonce from server */
+ IN char *pszNonceCount, /* 8 hex digits */
+ IN char *pszCNonce, /* client nonce */
+ IN char *pszQop, /* qop-value: "", "auth", "auth-int" */
+ IN char *pszMethod, /* method from the request */
+ IN char *pszDigestUri, /* requested URL */
+ IN HASHHEX HEntity, /* H(entity body) if qop="auth-int" */
+ OUT HASHHEX Response /* request-digest or response-digest */
+);
 #endif /* if PROXY_DIGEST_AUTH */
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 32f20e117..40ae2c8c0 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -58,15 +58,15 @@
 #include "memdbg.h"
-static struct context *static_context; /* GLOBAL */
+static struct context *static_context; /* GLOBAL */
 static const char *saved_pid_file_name; /* GLOBAL */
 /*
 * Crypto initialization flags
 */
-#define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
-#define CF_INIT_TLS_MULTI (1<<1)
-#define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
+#define CF_LOAD_PERSISTED_PACKET_ID (1 << 0)
+#define CF_INIT_TLS_MULTI (1 << 1)
+#define CF_INIT_TLS_AUTH_STANDALONE (1 << 2)
 static void do_init_first_time(struct context *c);
@@ -105,21 +105,14 @@ context_clear_all_except_first_time(struct context *c)
 * Used to execute the up/down script/plugins.
 */
 static void
-run_up_down(const char *command,
- const struct plugin_list *plugins,
- int plugin_type,
+run_up_down(const char *command, const struct plugin_list *plugins, int plugin_type,
 const char *arg,
 #ifdef _WIN32
 DWORD adapter_index,
 #endif
- const char *dev_type,
- int tun_mtu,
- const char *ifconfig_local,
- const char *ifconfig_remote,
- const char *context,
- const char *signal_text,
- const char *script_type,
- struct env_set *es)
+ const char *dev_type, int tun_mtu, const char *ifconfig_local,
+ const char *ifconfig_remote, const char *context, const char *signal_text,
+ const char *script_type, struct env_set *es)
 {
 struct gc_arena gc = gc_new();
@@ -155,9 +148,8 @@ run_up_down(const char *command,
 {
 struct argv argv = argv_new();
 ASSERT(arg);
- argv_printf(&argv,
- "%s %d 0 %s %s %s",
- arg, tun_mtu, ifconfig_local, ifconfig_remote, context);
+ argv_printf(&argv, "%s %d 0 %s %s %s", arg, tun_mtu, ifconfig_local, ifconfig_remote,
+ context);
 if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
 {
@@ -173,8 +165,8 @@ run_up_down(const char *command,
 ASSERT(arg);
 setenv_str(es, "script_type", script_type);
 argv_parse_cmd(&argv, command);
- argv_printf_cat(&argv, "%s %d 0 %s %s %s", arg, tun_mtu,
- ifconfig_local, ifconfig_remote, context);
+ argv_printf_cat(&argv, "%s %d 0 %s %s %s", arg, tun_mtu, ifconfig_local, ifconfig_remote,
+ context);
 argv_msg(M_INFO, &argv);
 openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
 argv_free(&argv);
@@ -196,8 +188,7 @@ update_options_ce_post(struct options *options)
 * for the period of time before we pull the --ping-restart parameter
 * from the server.
 */
- if (options->pull
- && options->ping_rec_timeout_action == PING_UNDEF
+ if (options->pull && options->ping_rec_timeout_action == PING_UNDEF
 && proto_is_dgram(options->ce.proto))
 {
 options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
@@ -303,11 +294,9 @@ ce_management_query_proxy(struct context *c)
 * @return if sending was successful
 */
 static bool
-management_callback_send_cc_message(void *arg,
- const char *command,
- const char *parameters)
+management_callback_send_cc_message(void *arg, const char *command, const char *parameters)
 {
- struct context *c = (struct context *) arg;
+ struct context *c = (struct context *)arg;
 size_t len = strlen(command) + 1 + strlen(parameters) + 1;
 if (len > PUSH_BUNDLE_SIZE)
 {
@@ -331,7 +320,7 @@ static unsigned int
 management_callback_remote_entry_count(void *arg)
 {
 assert(arg);
- struct context *c = (struct context *) arg;
+ struct context *c = (struct context *)arg;
 struct connection_list *l = c->options.connection_list;
 return l->len;
@@ -343,7 +332,7 @@ management_callback_remote_entry_get(void *arg, unsigned int index, char **remot
 assert(arg);
 assert(remote);
- struct context *c = (struct context *) arg;
+ struct context *c = (struct context *)arg;
 struct connection_list *l = c->options.connection_list;
 bool ret = true;
@@ -354,8 +343,8 @@ management_callback_remote_entry_get(void *arg, unsigned int index, char **remot
 const char *status = (ce->flags & CE_DISABLED) ? "disabled" : "enabled";
 /* space for output including 3 commas and a nul */
- int len = strlen(ce->remote) + strlen(ce->remote_port) + strlen(proto)
- + strlen(status) + 3 + 1;
+ int len =
+ strlen(ce->remote) + strlen(ce->remote_port) + strlen(proto) + strlen(status) + 3 + 1;
 char *out = malloc(len);
 check_malloc_return(out);
@@ -374,10 +363,12 @@ management_callback_remote_entry_get(void *arg, unsigned int index, char **remot
 static bool
 management_callback_remote_cmd(void *arg, const char **p)
 {
- struct context *c = (struct context *) arg;
+ struct context *c = (struct context *)arg;
 struct connection_entry *ce = &c->options.ce;
 int ret = false;
- if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
+ if (p[1]
+ && ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK)
+ == CE_MAN_QUERY_REMOTE_QUERY)
 {
 int flags = 0;
 if (!strcmp(p[1], "ACCEPT"))
@@ -412,8 +403,8 @@ management_callback_remote_cmd(void *arg, const char **p)
 }
 if (ret)
 {
- ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
+ ce->flags |= ((flags & CE_MAN_QUERY_REMOTE_MASK) << CE_MAN_QUERY_REMOTE_SHIFT);
 }
 }
 return ret;
@@ -438,8 +429,8 @@ ce_management_query_remote(struct context *c)
 ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
 ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
- while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
- & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
+ while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK)
+ == CE_MAN_QUERY_REMOTE_QUERY)
 {
 management_event_loop_n_seconds(management, 1);
 if (IS_SIG(c))
@@ -457,8 +448,7 @@ ce_management_query_remote(struct context *c)
 /* If it is likely a connection entry was modified,
 * check what changed in the flags and that it was not skipped */
- const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
- & CE_MAN_QUERY_REMOTE_MASK);
+ const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK);
 ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
 }
 return ce_changed;
@@ -635,7 +625,7 @@ next_connection_entry(struct context *c)
 /* Check if this connection attempt would bring us over the limit */
 if (c->options.connect_retry_max > 0
- && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
+ && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
 {
 msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
 c->options.connect_retry_max);
@@ -660,12 +650,11 @@ init_query_passwords(const struct context *c)
 {
 enable_auth_user_pass();
 #ifdef ENABLE_MANAGEMENT
- auth_user_pass_setup(c->options.auth_user_pass_file,
- c->options.auth_user_pass_file_inline,
+ auth_user_pass_setup(c->options.auth_user_pass_file, c->options.auth_user_pass_file_inline,
 &c->options.sc_info);
 #else
- auth_user_pass_setup(c->options.auth_user_pass_file,
- c->options.auth_user_pass_file_inline, NULL);
+ auth_user_pass_setup(c->options.auth_user_pass_file, c->options.auth_user_pass_file_inline,
+ NULL);
 #endif
 }
 }
@@ -713,9 +702,9 @@ init_proxy_dowork(struct context *c)
 if (!did_http && c->options.ce.socks_proxy_server)
 {
- c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server,
- c->options.ce.socks_proxy_port,
- c->options.ce.socks_proxy_authfile);
+ c->c1.socks_proxy =
+ socks_proxy_new(c->options.ce.socks_proxy_server, c->options.ce.socks_proxy_port,
+ c->options.ce.socks_proxy_authfile);
 if (c->c1.socks_proxy)
 {
 c->c1.socks_proxy_owned = true;
@@ -738,8 +727,8 @@ uninit_proxy(struct context *c) static void do_link_socket_addr_new(struct context *c) { - ALLOC_ARRAY_CLEAR_GC(c->c1.link_socket_addrs, struct link_socket_addr, - c->c1.link_sockets_num, &c->gc); + ALLOC_ARRAY_CLEAR_GC(c->c1.link_socket_addrs, struct link_socket_addr, c->c1.link_sockets_num, + &c->gc); } void @@ -760,10 +749,11 @@ context_init_1(struct context *c) { int i; pkcs11_initialize(true, c->options.pkcs11_pin_cache_period); - for (i = 0; ioptions.pkcs11_providers[i] != NULL; i++) + for (i = 0; i < MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++) { - pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i], - c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]); + pkcs11_addProvider( + c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i], + c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]); } } #endif @@ -788,9 +778,8 @@ context_init_1(struct context *c) * See possibly_become_daemon() [init.c] for more details. */ sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu", - (unsigned long) getpid()); + (unsigned long)getpid()); #endif - } void @@ -818,10 +807,9 @@ init_port_share(struct context *c) { if (!port_share && (c->options.port_share_host && c->options.port_share_port)) { - port_share = port_share_open(c->options.port_share_host, - c->options.port_share_port, - c->c2.frame.buf.payload_size, - c->options.port_share_journal_dir); + port_share = + port_share_open(c->options.port_share_host, c->options.port_share_port, + c->c2.frame.buf.payload_size, c->options.port_share_journal_dir); if (port_share == NULL) { msg(M_FATAL, "Fatal error: Port sharing failed"); 
@@ -849,12 +837,12 @@ init_static(void) struct timeval tv; if (!gettimeofday(&tv, NULL)) { - const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec; + const unsigned int seed = (unsigned int)tv.tv_sec ^ tv.tv_usec; srandom(seed); } - error_reset(); /* initialize error.c */ - reset_check_status(); /* initialize status check code in socket.c */ + error_reset(); /* initialize error.c */ + reset_check_status(); /* initialize status check code in socket.c */ #ifdef _WIN32 init_win32(); @@ -892,9 +880,7 @@ init_static(void) #ifdef GEN_PATH_TEST { struct gc_arena gc = gc_new(); - const char *fn = gen_path("foo", - "bar", - &gc); + const char *fn = gen_path("foo", "bar", &gc); printf("%s\n", fn); gc_free(&gc); } @@ -1011,8 +997,7 @@ print_openssl_info(const struct options *options) } if (options->show_tls_ciphers) { - show_available_tls_ciphers(options->cipher_list, - options->cipher_list_tls13, + show_available_tls_ciphers(options->cipher_list, options->cipher_list_tls13, options->tls_cert_profile); } if (options->show_curves) @@ -1040,11 +1025,10 @@ do_genkey(const struct options *options) * We do not want user to use --genkey with --secret. In the transistion * phase we for secret. */ - if (options->genkey && options->genkey_type != GENKEY_SECRET - && options->shared_secret_file) + if (options->genkey && options->genkey_type != GENKEY_SECRET && options->shared_secret_file) { msg(M_USAGE, "Using --genkey type with --secret filename is " - "not supported. Use --genkey type filename instead."); + "not supported. Use --genkey type filename instead."); } if (options->genkey && options->genkey_type == GENKEY_SECRET) { @@ -1053,7 +1037,7 @@ do_genkey(const struct options *options) if (options->shared_secret_file && options->genkey_filename) { msg(M_USAGE, "You must provide a filename to either --genkey " - "or --secret, not both"); + "or --secret, not both"); } /* 
@@ -1063,7 +1047,7 @@ do_genkey(const struct options *options) if (options->shared_secret_file) { msg(M_WARN, "WARNING: Using --genkey --secret filename is " - "DEPRECATED. Use --genkey secret filename instead."); + "DEPRECATED. Use --genkey secret filename instead."); genkey_filename = options->shared_secret_file; } @@ -1073,8 +1057,7 @@ do_genkey(const struct options *options) msg(M_FATAL, "Failed to write key file"); } - msg(D_GENKEY | M_NOPREFIX, - "Randomly generated %d bit key written to %s", nbits_written, + msg(D_GENKEY | M_NOPREFIX, "Randomly generated %d bit key written to %s", nbits_written, options->shared_secret_file); return true; } @@ -1091,8 +1074,8 @@ do_genkey(const struct options *options) "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key"); } - tls_crypt_v2_write_client_key_file(options->genkey_filename, - options->genkey_extra_data, options->tls_crypt_v2_file, + tls_crypt_v2_write_client_key_file(options->genkey_filename, options->genkey_extra_data, + options->tls_crypt_v2_file, options->tls_crypt_v2_file_inline); return true; } @@ -1120,13 +1103,10 @@ do_persist_tuntap(struct options *options, openvpn_net_ctx_t *ctx) /* sanity check on options for --mktun or --rmtun */ notnull(options->dev, "TUN/TAP device (--dev)"); - if (options->ce.remote || options->ifconfig_local - || options->ifconfig_remote_netmask - || options->shared_secret_file - || options->tls_server || options->tls_client - ) + if (options->ce.remote || options->ifconfig_local || options->ifconfig_remote_netmask + || options->shared_secret_file || options->tls_server || options->tls_client) { - msg(M_FATAL|M_OPTERR, + msg(M_FATAL | M_OPTERR, "options --mktun or --rmtun should only be used together with --dev"); } 
@@ -1150,21 +1130,20 @@ do_persist_tuntap(struct options *options, openvpn_net_ctx_t *ctx) #endif #ifdef ENABLE_FEATURE_TUN_PERSIST - tuncfg(options->dev, options->dev_type, options->dev_node, - options->persist_mode, - options->username, options->groupname, &options->tuntap_options, - ctx); + tuncfg(options->dev, options->dev_type, options->dev_node, options->persist_mode, + options->username, options->groupname, &options->tuntap_options, ctx); if (options->persist_mode && options->lladdr) { set_lladdr(ctx, options->dev, options->lladdr, NULL); } return true; -#else /* ifdef ENABLE_FEATURE_TUN_PERSIST */ - msg(M_FATAL|M_OPTERR, +#else /* ifdef ENABLE_FEATURE_TUN_PERSIST */ + msg(M_FATAL | M_OPTERR, "options --mktun and --rmtun are not available on your operating " "system. Please check 'man tun' (or 'tap'), whether your system " "supports using 'ifconfig %s create' / 'destroy' to create/remove " - "persistent tunnel interfaces.", options->dev ); + "persistent tunnel interfaces.", + options->dev); #endif return false; } @@ -1241,9 +1220,7 @@ do_uid_gid_chroot(struct context *c, bool no_delay) { if (no_delay) { - platform_user_group_set(&c0->platform_state_user, - &c0->platform_state_group, - c); + platform_user_group_set(&c0->platform_state_user, &c0->platform_state_group, c); } else if (c->first_time) { @@ -1271,7 +1248,8 @@ do_uid_gid_chroot(struct context *c, bool no_delay) { if (-1 == setcon(c->options.selinux_context)) { - msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context); + msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", + c->options.selinux_context); } else { 
@@ -1316,17 +1294,12 @@ pre_setup(const struct options *options) #ifdef _WIN32 if (options->exit_event_name) { - win32_signal_open(&win32_signal, - WSO_FORCE_SERVICE, - options->exit_event_name, + win32_signal_open(&win32_signal, WSO_FORCE_SERVICE, options->exit_event_name, options->exit_event_initial_state); } else { - win32_signal_open(&win32_signal, - WSO_FORCE_CONSOLE, - NULL, - false); + win32_signal_open(&win32_signal, WSO_FORCE_CONSOLE, NULL, false); /* put a title on the top window bar */ if (win32_signal.mode == WSO_MODE_CONSOLE) @@ -1377,8 +1350,7 @@ do_init_timers(struct context *c, bool deferred) /* initialize inactivity timeout */ if (c->options.session_timeout) { - event_timeout_init(&c->c2.session_interval, c->options.session_timeout, - now); + event_timeout_init(&c->c2.session_interval, c->options.session_timeout, now); } /* initialize pings */ @@ -1409,8 +1381,7 @@ do_init_timers(struct context *c, bool deferred) if (c->options.auth_token_generate && c->options.auth_token_renewal < c->options.renegotiate_seconds) { - event_timeout_init(&c->c2.auth_token_renewal_interval, - c->options.auth_token_renewal, now); + event_timeout_init(&c->c2.auth_token_renewal_interval, c->options.auth_token_renewal, now); } if (!deferred) @@ -1420,16 +1391,16 @@ do_init_timers(struct context *c, bool deferred) /* initialize occ timers */ - if (c->options.occ - && !TLS_MODE(c) - && c->c2.options_string_local && c->c2.options_string_remote) + if (c->options.occ && !TLS_MODE(c) && c->c2.options_string_local + && c->c2.options_string_remote) { event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now); } if (c->options.mtu_test) { - event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now); + event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, + now); } /* initialize packet_id persistence timer */ 
@@ -1482,10 +1453,8 @@ do_alloc_route_list(struct context *c) * options and saving routes in the environment. */ static void -do_init_route_list(const struct options *options, - struct route_list *route_list, - const struct link_socket_info *link_socket_info, - struct env_set *es, +do_init_route_list(const struct options *options, struct route_list *route_list, + const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx) { const char *gw = NULL; @@ -1514,13 +1483,8 @@ do_init_route_list(const struct options *options, metric = options->route_default_metric; } - if (init_route_list(route_list, - options->routes, - gw, - metric, - link_socket_current_remote(link_socket_info), - es, - ctx)) + if (init_route_list(route_list, options->routes, gw, metric, + link_socket_current_remote(link_socket_info), es, ctx)) { /* copy routes to environment */ setenv_routes(es, route_list); @@ -1528,14 +1492,12 @@ do_init_route_list(const struct options *options, } static void -do_init_route_ipv6_list(const struct options *options, - struct route_ipv6_list *route_ipv6_list, - const struct link_socket_info *link_socket_info, - struct env_set *es, +do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, + const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx) { const char *gw = NULL; - int metric = -1; /* no metric set */ + int metric = -1; /* no metric set */ /* see explanation in do_init_route_list() */ if (dco_enabled(options)) @@ -1543,7 +1505,7 @@ do_init_route_ipv6_list(const struct options *options, metric = DCO_DEFAULT_METRIC; } - gw = options->ifconfig_ipv6_remote; /* default GW = remote end */ + gw = options->ifconfig_ipv6_remote; /* default GW = remote end */ if (options->route_ipv6_default_gateway) { gw = options->route_ipv6_default_gateway; 
@@ -1563,19 +1525,14 @@ do_init_route_ipv6_list(const struct options *options, for (i = 0; opt_list[i]; i++) { - add_route_ipv6_to_option_list( options->routes_ipv6, - string_alloc(opt_list[i], options->routes_ipv6->gc), - NULL, NULL, options->route_default_table_id); + add_route_ipv6_to_option_list(options->routes_ipv6, + string_alloc(opt_list[i], options->routes_ipv6->gc), NULL, + NULL, options->route_default_table_id); } } - if (init_route_ipv6_list(route_ipv6_list, - options->routes_ipv6, - gw, - metric, - link_socket_current_remote_ipv6(link_socket_info), - es, - ctx)) + if (init_route_ipv6_list(route_ipv6_list, options->routes_ipv6, gw, metric, + link_socket_current_remote_ipv6(link_socket_info), es, ctx)) { /* copy routes to environment */ setenv_routes_ipv6(es, route_ipv6_list); @@ -1601,8 +1558,8 @@ initialization_sequence_completed(struct context *c, const unsigned int flags) if (flags & ISC_ERRORS) { #ifdef _WIN32 - show_routes(M_INFO|M_NOPREFIX); - show_adapters(M_INFO|M_NOPREFIX); + show_routes(M_INFO | M_NOPREFIX); + show_adapters(M_INFO | M_NOPREFIX); msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message); #else #ifdef ENABLE_SYSTEMD @@ -1620,7 +1577,7 @@ initialization_sequence_completed(struct context *c, const unsigned int flags) } /* Flag that we initialized */ - if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0) + if ((flags & (ISC_ERRORS | ISC_SERVER)) == 0) { c->options.no_advance = true; } @@ -1682,13 +1639,8 @@ initialization_sequence_completed(struct context *c, const unsigned int flags) tun_local = &c->c1.tuntap->local; tun_local6 = &c->c1.tuntap->local_ipv6; } - management_set_state(management, - OPENVPN_STATE_CONNECTED, - detail, - tun_local, - tun_local6, - &local, - &remote); + management_set_state(management, OPENVPN_STATE_CONNECTED, detail, tun_local, tun_local6, + &local, &remote); if (tun_local) { management_post_tunnel_open(management, *tun_local); 
@@ -1704,8 +1656,7 @@ initialization_sequence_completed(struct context *c, const unsigned int flags) static bool route_noexec_enabled(const struct options *o, const struct tuntap *tt) { - return o->route_noexec - || (tt && tt->backend_driver == DRIVER_AFUNIX) + return o->route_noexec || (tt && tt->backend_driver == DRIVER_AFUNIX) || (tt && tt->backend_driver == DRIVER_NULL); } @@ -1714,19 +1665,14 @@ route_noexec_enabled(const struct options *o, const struct tuntap *tt) * based on options. */ bool -do_route(const struct options *options, - struct route_list *route_list, - struct route_ipv6_list *route_ipv6_list, - const struct tuntap *tt, - const struct plugin_list *plugins, - struct env_set *es, - openvpn_net_ctx_t *ctx) +do_route(const struct options *options, struct route_list *route_list, + struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, + const struct plugin_list *plugins, struct env_set *es, openvpn_net_ctx_t *ctx) { bool ret = true; - if (!route_noexec_enabled(options, tt) && ( route_list || route_ipv6_list ) ) + if (!route_noexec_enabled(options, tt) && (route_list || route_ipv6_list)) { - ret = add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options), - es, ctx); + ret = add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options), es, ctx); setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list)); } #ifdef ENABLE_MANAGEMENT @@ -1738,7 +1684,8 @@ do_route(const struct options *options, if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP)) { - if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS) + if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) + != OPENVPN_PLUGIN_FUNC_SUCCESS) { msg(M_WARN, "WARNING: route-up plugin call failed"); } 
@@ -1756,13 +1703,13 @@ do_route(const struct options *options, #ifdef _WIN32 if (options->show_net_up) { - show_routes(M_INFO|M_NOPREFIX); - show_adapters(M_INFO|M_NOPREFIX); + show_routes(M_INFO | M_NOPREFIX); + show_adapters(M_INFO | M_NOPREFIX); } else if (check_debug_level(D_SHOW_NET)) { - show_routes(D_SHOW_NET|M_NOPREFIX); - show_adapters(D_SHOW_NET|M_NOPREFIX); + show_routes(D_SHOW_NET | M_NOPREFIX); + show_adapters(D_SHOW_NET | M_NOPREFIX); } #endif return ret; @@ -1774,27 +1721,19 @@ do_route(const struct options *options, static void do_init_tun(struct context *c) { - c->c1.tuntap = init_tun(c->options.dev, - c->options.dev_type, - c->options.topology, - c->options.ifconfig_local, - c->options.ifconfig_remote_netmask, - c->options.ifconfig_ipv6_local, - c->options.ifconfig_ipv6_netbits, - c->options.ifconfig_ipv6_remote, - c->c1.link_socket_addrs[0].bind_local, - c->c1.link_socket_addrs[0].remote_list, - !c->options.ifconfig_nowarn, - c->c2.es, - &c->net_ctx, - c->c1.tuntap); + c->c1.tuntap = init_tun(c->options.dev, c->options.dev_type, c->options.topology, + c->options.ifconfig_local, c->options.ifconfig_remote_netmask, + c->options.ifconfig_ipv6_local, c->options.ifconfig_ipv6_netbits, + c->options.ifconfig_ipv6_remote, c->c1.link_socket_addrs[0].bind_local, + c->c1.link_socket_addrs[0].remote_list, !c->options.ifconfig_nowarn, + c->c2.es, &c->net_ctx, c->c1.tuntap); if (is_tun_afunix(c->options.dev_node)) { /* Using AF_UNIX trumps using DCO */ c->c1.tuntap->backend_driver = DRIVER_AFUNIX; } - else if (is_dev_type(c->options.dev, c->options.dev_type, "null")) + else if (is_dev_type(c->options.dev, c->options.dev_type, "null")) { c->c1.tuntap->backend_driver = DRIVER_NULL; } @@ -1814,9 +1753,7 @@ do_init_tun(struct context *c) } #endif - init_tun_post(c->c1.tuntap, - &c->c2.frame, - &c->options.tuntap_options); + init_tun_post(c->c1.tuntap, &c->c2.frame, &c->options.tuntap_options); c->c1.tuntap_owned = true; } 
@@ -1916,10 +1853,10 @@ open_tun_backend(struct context *c) } else { - open_tun(c->options.dev, c->options.dev_type, c->options.dev_node, - tt, &c->net_ctx); + open_tun(c->options.dev, c->options.dev_type, c->options.dev_node, tt, &c->net_ctx); } - msg(M_INFO, "%s device [%s] opened", print_tun_backend_driver(tt->backend_driver), tt->actual_name); + msg(M_INFO, "%s device [%s] opened", print_tun_backend_driver(tt->backend_driver), + tt->actual_name); } @@ -1958,8 +1895,7 @@ do_open_tun(struct context *c, int *error_flags) #ifdef _WIN32 /* store (hide) interactive service handle in tuntap_options */ c->c1.tuntap->options.msg_channel = c->options.msg_channel; - msg(D_ROUTE, "interactive service msg_channel=%" PRIuPTR, - (intptr_t) c->options.msg_channel); + msg(D_ROUTE, "interactive service msg_channel=%" PRIuPTR, (intptr_t)c->options.msg_channel); #endif /* allocate route list structure */ @@ -1969,8 +1905,8 @@ do_open_tun(struct context *c, int *error_flags) ASSERT(c->c2.link_sockets[0]); if (c->options.routes && c->c1.route_list) { - do_init_route_list(&c->options, c->c1.route_list, - &c->c2.link_sockets[0]->info, c->c2.es, &c->net_ctx); + do_init_route_list(&c->options, c->c1.route_list, &c->c2.link_sockets[0]->info, + c->c2.es, &c->net_ctx); } if (c->options.routes_ipv6 && c->c1.route_ipv6_list) { @@ -1979,15 +1915,12 @@ do_open_tun(struct context *c, int *error_flags) } /* do ifconfig */ - if (!ifconfig_noexec_enabled(c) - && ifconfig_order(c->c1.tuntap) == IFCONFIG_BEFORE_TUN_OPEN) + if (!ifconfig_noexec_enabled(c) && ifconfig_order(c->c1.tuntap) == IFCONFIG_BEFORE_TUN_OPEN) { /* guess actual tun/tap unit number that will be returned * by open_tun */ - const char *guess = guess_tuntap_dev(c->options.dev, - c->options.dev_type, - c->options.dev_node, - &gc); + const char *guess = + guess_tuntap_dev(c->options.dev, c->options.dev_type, c->options.dev_node, &gc); do_ifconfig(c->c1.tuntap, guess, c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx); } 
@@ -2019,31 +1952,23 @@ do_open_tun(struct context *c, int *error_flags) } /* do ifconfig */ - if (!ifconfig_noexec_enabled(c) - && ifconfig_order(c->c1.tuntap) == IFCONFIG_AFTER_TUN_OPEN) + if (!ifconfig_noexec_enabled(c) && ifconfig_order(c->c1.tuntap) == IFCONFIG_AFTER_TUN_OPEN) { - do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name, - c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx); + do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name, c->c2.frame.tun_mtu, c->c2.es, + &c->net_ctx); } run_dns_up_down(true, &c->options, c->c1.tuntap, &c->persist.duri); /* run the up script */ - run_up_down(c->options.up_script, - c->plugins, - OPENVPN_PLUGIN_UP, - c->c1.tuntap->actual_name, + run_up_down(c->options.up_script, c->plugins, OPENVPN_PLUGIN_UP, c->c1.tuntap->actual_name, #ifdef _WIN32 c->c1.tuntap->adapter_index, #endif - dev_type_string(c->options.dev, c->options.dev_type), - c->c2.frame.tun_mtu, + dev_type_string(c->options.dev, c->options.dev_type), c->c2.frame.tun_mtu, print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), - print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), - "init", - NULL, - "up", - c->c2.es); + print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init", + NULL, "up", c->c2.es); add_wfp_block(c); @@ -2060,8 +1985,7 @@ do_open_tun(struct context *c, int *error_flags) } else { - msg(M_INFO, "Preserving previous TUN/TAP instance: %s", - c->c1.tuntap->actual_name); + msg(M_INFO, "Preserving previous TUN/TAP instance: %s", c->c1.tuntap->actual_name); /* explicitly set the ifconfig_* env vars */ do_ifconfig_setenv(c->c1.tuntap, c->c2.es); 
@@ -2071,21 +1995,15 @@ do_open_tun(struct context *c, int *error_flags) /* run the up script if user specified --up-restart */ if (c->options.up_restart) { - run_up_down(c->options.up_script, - c->plugins, - OPENVPN_PLUGIN_UP, + run_up_down(c->options.up_script, c->plugins, OPENVPN_PLUGIN_UP, c->c1.tuntap->actual_name, #ifdef _WIN32 c->c1.tuntap->adapter_index, #endif - dev_type_string(c->options.dev, c->options.dev_type), - c->c2.frame.tun_mtu, + dev_type_string(c->options.dev, c->options.dev_type), c->c2.frame.tun_mtu, print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), - "restart", - NULL, - "up", - c->c2.es); + "restart", NULL, "up", c->c2.es); } add_wfp_block(c); @@ -2101,8 +2019,7 @@ do_open_tun(struct context *c, int *error_flags) static void do_close_tun_simple(struct context *c) { - msg(D_CLOSE, "Closing %s interface", - print_tun_backend_driver(c->c1.tuntap->backend_driver)); + msg(D_CLOSE, "Closing %s interface", print_tun_backend_driver(c->c1.tuntap->backend_driver)); if (c->c1.tuntap) { 
@@ -2174,26 +2091,18 @@ do_close_tun(struct context *c, bool force) /* delete any routes we added */ if (c->c1.route_list || c->c1.route_ipv6_list) { - run_up_down(c->options.route_predown_script, - c->plugins, - OPENVPN_PLUGIN_ROUTE_PREDOWN, + run_up_down(c->options.route_predown_script, c->plugins, OPENVPN_PLUGIN_ROUTE_PREDOWN, tuntap_actual, #ifdef _WIN32 adapter_index, #endif - NULL, - c->c2.frame.tun_mtu, - print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), - print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), - "init", - signal_description(c->sig->signal_received, - c->sig->signal_text), - "route-pre-down", - c->c2.es); + NULL, c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), + print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init", + signal_description(c->sig->signal_received, c->sig->signal_text), + "route-pre-down", c->c2.es); - delete_routes(c->c1.route_list, c->c1.route_ipv6_list, - c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options), - c->c2.es, &c->net_ctx); + delete_routes(c->c1.route_list, c->c1.route_ipv6_list, c->c1.tuntap, + ROUTE_OPTION_FLAGS(&c->options), c->c2.es, &c->net_ctx); } /* actually close tun/tap device based on --down-pre flag */ 
@@ -2204,21 +2113,13 @@ do_close_tun(struct context *c, bool force) /* Run the down script -- note that it will run at reduced * privilege if, for example, "--user" was used. */ - run_up_down(c->options.down_script, - c->plugins, - OPENVPN_PLUGIN_DOWN, - tuntap_actual, + run_up_down(c->options.down_script, c->plugins, OPENVPN_PLUGIN_DOWN, tuntap_actual, #ifdef _WIN32 adapter_index, #endif - NULL, - c->c2.frame.tun_mtu, - print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), - print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), - "init", - signal_description(c->sig->signal_received, - c->sig->signal_text), - "down", + NULL, c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), + print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init", + signal_description(c->sig->signal_received, c->sig->signal_text), "down", c->c2.es); del_wfp_block(c, adapter_index); @@ -2234,21 +2135,13 @@ do_close_tun(struct context *c, bool force) /* run the down script on this restart if --up-restart was specified */ if (c->options.up_restart) { - run_up_down(c->options.down_script, - c->plugins, - OPENVPN_PLUGIN_DOWN, - tuntap_actual, + run_up_down(c->options.down_script, c->plugins, OPENVPN_PLUGIN_DOWN, tuntap_actual, #ifdef _WIN32 adapter_index, #endif - NULL, - c->c2.frame.tun_mtu, - print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), - print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), - "restart", - signal_description(c->sig->signal_received, - c->sig->signal_text), - "down", + NULL, c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), + print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "restart", + signal_description(c->sig->signal_received, c->sig->signal_text), "down", c->c2.es); } 
@@ -2277,10 +2170,9 @@ tun_abort(void) * equal, or either one is all-zeroes. */ static bool -options_hash_changed_or_zero(const struct sha256_digest *a, - const struct sha256_digest *b) +options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b) { - const struct sha256_digest zero = {{0}}; + const struct sha256_digest zero = { { 0 } }; return memcmp(a, b, sizeof(struct sha256_digest)) || !memcmp(a, &zero, sizeof(struct sha256_digest)); } @@ -2316,13 +2208,12 @@ tls_print_deferred_options_results(struct context *c) if (cipher_kt_mode_aead(o->ciphername)) { - buf_printf(&out, "Data Channel: cipher '%s'", - cipher_kt_name(o->ciphername)); + buf_printf(&out, "Data Channel: cipher '%s'", cipher_kt_name(o->ciphername)); } else { - buf_printf(&out, "Data Channel: cipher '%s', auth '%s'", - cipher_kt_name(o->ciphername), md_kt_name(o->authname)); + buf_printf(&out, "Data Channel: cipher '%s', auth '%s'", cipher_kt_name(o->ciphername), + md_kt_name(o->authname)); } if (o->use_peer_id) @@ -2393,8 +2284,7 @@ tls_print_deferred_options_results(struct context *c) if (c->options.ce.explicit_exit_notification) { - buf_printf(&out, "explicit-exit-notify %d", - c->options.ce.explicit_exit_notification); + buf_printf(&out, "explicit-exit-notify %d", c->options.ce.explicit_exit_notification); } if (c->options.imported_protocol_flags) { @@ -2446,10 +2336,8 @@ do_deferred_options_part2(struct context *c) #endif struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; - if (!tls_session_update_crypto_params(c->c2.tls_multi, session, - &c->options, &c->c2.frame, - frame_fragment, - get_link_socket_info(c), + if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame, + frame_fragment, get_link_socket_info(c), &c->c1.tuntap->dco)) { msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options"); 
@@ -2486,14 +2374,13 @@ do_up(struct context *c, bool pulled_options, unsigned int option_types_found) * Was tun interface object persisted from previous restart iteration, * and if so did pulled options string change from previous iteration? */ - if (!c->c2.did_open_tun - && PULL_DEFINED(&c->options) - && c->c1.tuntap + if (!c->c2.did_open_tun && PULL_DEFINED(&c->options) && c->c1.tuntap && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save, &c->c2.pulled_options_digest)) { /* if so, close tun, delete routes, then reinitialize tun and add routes */ - msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device."); + msg(M_INFO, + "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device."); bool tt_dco_win = tuntap_is_dco_win(c->c1.tuntap); do_close_tun(c, true); @@ -2519,7 +2406,8 @@ do_up(struct context *c, bool pulled_options, unsigned int option_types_found) * reconnects to setup various things (like DCO and NCP cipher) that * might have changed from the previous connection. */ - if (!c->c2.do_up_ran || (c->c2.tls_multi && c->c2.tls_multi->multi_state == CAS_RECONNECT_PENDING)) + if (!c->c2.do_up_ran + || (c->c2.tls_multi && c->c2.tls_multi->multi_state == CAS_RECONNECT_PENDING)) { if (c->mode == MODE_POINT_TO_POINT) { @@ -2567,7 +2455,8 @@ do_up(struct context *c, bool pulled_options, unsigned int option_types_found) if ((route_order(c->c1.tuntap) == ROUTE_AFTER_TUN) && c->options.route_delay_defined) { event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now); - event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now); + event_timeout_init(&c->c2.route_wakeup_expire, + c->options.route_delay + c->options.route_delay_window, now); tun_standby_init(c->c1.tuntap); } else 
@@ -2630,7 +2519,8 @@ do_update(struct context *c, unsigned int option_types_found) if ((route_order(c->c1.tuntap) == ROUTE_AFTER_TUN) && c->options.route_delay_defined) { event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now); - event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now); + event_timeout_init(&c->c2.route_wakeup_expire, + c->options.route_delay + c->options.route_delay_window, now); tun_standby_init(c->c1.tuntap); } @@ -2648,23 +2538,10 @@ do_update(struct context *c, unsigned int option_types_found) unsigned int pull_permission_mask(const struct context *c) { - unsigned int flags = - OPT_P_UP - | OPT_P_ROUTE_EXTRAS - | OPT_P_SOCKBUF - | OPT_P_SOCKFLAGS - | OPT_P_SETENV - | OPT_P_SHAPER - | OPT_P_TIMER - | OPT_P_COMP - | OPT_P_PERSIST - | OPT_P_MESSAGES - | OPT_P_EXPLICIT_NOTIFY - | OPT_P_ECHO - | OPT_P_PULL_MODE - | OPT_P_PEER_ID - | OPT_P_NCP - | OPT_P_PUSH_MTU; + unsigned int flags = OPT_P_UP | OPT_P_ROUTE_EXTRAS | OPT_P_SOCKBUF | OPT_P_SOCKFLAGS + | OPT_P_SETENV | OPT_P_SHAPER | OPT_P_TIMER | OPT_P_COMP | OPT_P_PERSIST + | OPT_P_MESSAGES | OPT_P_EXPLICIT_NOTIFY | OPT_P_ECHO | OPT_P_PULL_MODE + | OPT_P_PEER_ID | OPT_P_NCP | OPT_P_PUSH_MTU; if (!c->options.route_nopull) { @@ -2686,8 +2563,8 @@ do_deferred_p2p_ncp(struct context *c) struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; - const char *ncp_cipher = get_p2p_ncp_cipher(session, c->c2.tls_multi->peer_info, - &c->options.gc); + const char *ncp_cipher = + get_p2p_ncp_cipher(session, c->c2.tls_multi->peer_info, &c->options.gc); if (ncp_cipher) { @@ -2696,8 +2573,8 @@ do_deferred_p2p_ncp(struct context *c) else if (!c->options.enable_ncp_fallback) { msg(D_TLS_ERRORS, "ERROR: failed to negotiate cipher with peer and " - "--data-ciphers-fallback not enabled. No usable " - "data channel cipher"); + "--data-ciphers-fallback not enabled. No usable " + "data channel cipher"); return false; } 
@@ -2709,9 +2586,8 @@ do_deferred_p2p_ncp(struct context *c) } #endif - if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, - &c->c2.frame, frame_fragment, - get_link_socket_info(c), + if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame, + frame_fragment, get_link_socket_info(c), &c->c1.tuntap->dco)) { msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher"); @@ -2725,7 +2601,7 @@ do_deferred_options(struct context *c, const unsigned int found, const bool is_u { if (found & OPT_P_MESSAGES) { - init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2); + init_verb_mute(c, IVM_LEVEL_1 | IVM_LEVEL_2); msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed"); } if (found & OPT_P_TIMER) @@ -2754,9 +2630,9 @@ do_deferred_options(struct context *c, const unsigned int found, const bool is_u if (!check_compression_settings_valid(&c->options.comp, D_PUSH_ERRORS)) { msg(D_PUSH_ERRORS, "OPTIONS ERROR: server pushed compression " - "settings that are not allowed and will result " - "in a non-working connection. " - "See also allow-compression in the manual."); + "settings that are not allowed and will result " + "in a non-working connection. " + "See also allow-compression in the manual."); return false; } #ifdef USE_COMP @@ -2778,8 +2654,7 @@ do_deferred_options(struct context *c, const unsigned int found, const bool is_u for (int i = 0; i < c->c1.link_sockets_num; i++) { - link_socket_update_buffer_sizes(c->c2.link_sockets[i], - c->options.rcvbuf, + link_socket_update_buffer_sizes(c->c2.link_sockets[i], c->options.rcvbuf, c->options.sndbuf); } } @@ -2789,8 +2664,7 @@ do_deferred_options(struct context *c, const unsigned int found, const bool is_u msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified"); for (int i = 0; i < c->c1.link_sockets_num; i++) { - link_socket_update_flags(c->c2.link_sockets[i], - c->options.sockflags); + link_socket_update_flags(c->c2.link_sockets[i], c->options.sockflags); } } 
@@ -2838,12 +2712,11 @@ do_deferred_options(struct context *c, const unsigned int found, const bool is_u } /* Check if pushed options are compatible with DCO, if enabled */ - if (dco_enabled(&c->options) - && !dco_check_pull_options(D_PUSH_ERRORS, &c->options)) + if (dco_enabled(&c->options) && !dco_check_pull_options(D_PUSH_ERRORS, &c->options)) { msg(D_PUSH_ERRORS, "OPTIONS ERROR: pushed options are incompatible " - "with data channel offload. Use --disable-dco to connect to " - "this server"); + "with data channel offload. Use --disable-dco to connect to " + "this server"); return false; } } @@ -2856,7 +2729,7 @@ do_deferred_options(struct context *c, const unsigned int found, const bool is_u if (epoch_data && !datav2_enabled) { msg(D_PUSH_ERRORS, "OPTIONS ERROR: Epoch key data format tag requires " - "data v2 (peer-id) to be enabled."); + "data v2 (peer-id) to be enabled."); return false; } @@ -2871,7 +2744,8 @@ do_deferred_options(struct context *c, const unsigned int found, const bool is_u if (c->options.ce.tun_mtu > frame->tun_max_mtu) { - msg(D_PUSH_ERRORS, "Server-pushed tun-mtu is too large, please add " + msg(D_PUSH_ERRORS, + "Server-pushed tun-mtu is too large, please add " "tun-mtu-max %d in the client configuration", c->options.ce.tun_mtu); } @@ -2935,8 +2809,7 @@ socket_restart_pause(struct context *c) } /* Slow down reconnection after 5 retries per remote -- for TCP client or UDP tls-client only */ - if (c->mode == CM_CHILD_TCP - || (c->options.ce.proto == PROTO_UDP && c->options.tls_client)) + if (c->mode == CM_CHILD_TCP || (c->options.ce.proto == PROTO_UDP && c->options.tls_client)) { backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4; if (backoff > 0) 
@@ -3005,10 +2878,8 @@ get_frame_mtu(struct context *c, const struct options *o) ASSERT(o->ce.link_mtu_defined); /* if we have a link mtu defined we calculate what the old code * would have come up with as tun-mtu */ - size_t overhead = frame_calculate_protocol_header_size(&c->c1.ks.key_type, - o, true); + size_t overhead = frame_calculate_protocol_header_size(&c->c1.ks.key_type, o, true); mtu = o->ce.link_mtu - overhead; - } else { @@ -3093,7 +2964,8 @@ frame_finalize_options(struct context *c, const struct options *o) size_t tailroom = headroom; #ifdef USE_COMP - msg(D_MTU_DEBUG, "MTU: adding %zu buffer tailroom for compression for %zu " + msg(D_MTU_DEBUG, + "MTU: adding %zu buffer tailroom for compression for %zu " "bytes of payload", COMP_EXTRA_BUFFER(payload_size), payload_size); tailroom += COMP_EXTRA_BUFFER(payload_size); @@ -3162,14 +3034,11 @@ do_init_crypto_static(struct context *c, const unsigned int flags) } /* Initialize packet ID tracking */ - packet_id_init(&c->c2.crypto_options.packet_id, - options->replay_window, - options->replay_time, + packet_id_init(&c->c2.crypto_options.packet_id, options->replay_window, options->replay_time, "STATIC", 0); c->c2.crypto_options.pid_persist = &c->c1.pid_persist; c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM; - packet_id_persist_load_obj(&c->c1.pid_persist, - &c->c2.crypto_options.packet_id); + packet_id_persist_load_obj(&c->c1.pid_persist, &c->c2.crypto_options.packet_id); if (!key_ctx_bi_defined(&c->c1.ks.static_key)) { 
@@ -3179,10 +3048,8 @@ do_init_crypto_static(struct context *c, const unsigned int flags) /* Read cipher and hmac keys from shared secret file */ crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key, - options->shared_secret_file, - options->shared_secret_file_inline, - options->key_direction, "Static Key Encryption", - "secret", NULL); + options->shared_secret_file, options->shared_secret_file_inline, + options->key_direction, "Static Key Encryption", "secret", NULL); } else { @@ -3210,26 +3077,23 @@ do_init_tls_wrap_key(struct context *c) c->c1.ks.tls_auth_key_type.digest = options->authname; if (!md_valid(options->authname)) { - msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth " - "algorithm specified ('%s')", options->authname); + msg(M_FATAL, + "ERROR: tls-auth enabled, but no valid --auth " + "algorithm specified ('%s')", + options->authname); } - crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type, - &c->c1.ks.tls_wrap_key, - options->ce.tls_auth_file, - options->ce.tls_auth_file_inline, - options->ce.key_direction, - "Control Channel Authentication", "tls-auth", - &c->c1.ks.original_wrap_keydata); + crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type, &c->c1.ks.tls_wrap_key, + options->ce.tls_auth_file, options->ce.tls_auth_file_inline, + options->ce.key_direction, "Control Channel Authentication", + "tls-auth", &c->c1.ks.original_wrap_keydata); } /* TLS handshake encryption+authentication (--tls-crypt) */ if (options->ce.tls_crypt_file) { - tls_crypt_init_key(&c->c1.ks.tls_wrap_key, - &c->c1.ks.original_wrap_keydata, - options->ce.tls_crypt_file, - options->ce.tls_crypt_file_inline, + tls_crypt_init_key(&c->c1.ks.tls_wrap_key, &c->c1.ks.original_wrap_keydata, + options->ce.tls_crypt_file, options->ce.tls_crypt_file_inline, options->tls_server); } 
@@ -3238,16 +3102,14 @@ do_init_tls_wrap_key(struct context *c) { if (options->tls_server) { - tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key, - true, options->ce.tls_crypt_v2_file, + tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key, true, + options->ce.tls_crypt_v2_file, options->ce.tls_crypt_v2_file_inline); } else { - tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key, - &c->c1.ks.original_wrap_keydata, - &c->c1.ks.tls_crypt_v2_wkc, - options->ce.tls_crypt_v2_file, + tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key, &c->c1.ks.original_wrap_keydata, + &c->c1.ks.tls_crypt_v2_wkc, options->ce.tls_crypt_v2_file, options->ce.tls_crypt_v2_file_inline); } /* We have to ensure that the loaded tls-crypt key is small enough @@ -3259,15 +3121,14 @@ do_init_tls_wrap_key(struct context *c) if (required_size > c->options.ce.tls_mtu) { - msg(M_WARN, "ERROR: tls-crypt-v2 client key too large to work with " + msg(M_WARN, + "ERROR: tls-crypt-v2 client key too large to work with " "requested --max-packet-size %d, requires at least " "--max-packet-size %d. Packets will ignore requested " - "maximum packet size", c->options.ce.tls_mtu, - required_size); + "maximum packet size", + c->options.ce.tls_mtu, required_size); } } - - } /* @@ -3296,7 +3157,7 @@ do_init_crypto_tls_c1(struct context *c) case AR_INTERACT: ssl_purge_auth(false); - /* Intentional [[fallthrough]]; */ + /* Intentional [[fallthrough]]; */ case AR_NOINTERACT: /* SOFT-SIGUSR1 -- Password failure error */ @@ -3337,8 +3198,7 @@ do_init_crypto_tls_c1(struct context *c) /* Do not warn if the cipher is used only in OCC */ bool warn = options->enable_ncp_fallback; - init_key_type(&c->c1.ks.key_type, ciphername, options->authname, - true, warn); + init_key_type(&c->c1.ks.key_type, ciphername, options->authname, true, warn); /* initialize tls-auth/crypt/crypt-v2 key */ do_init_tls_wrap_key(c); 
@@ -3346,8 +3206,7 @@ do_init_crypto_tls_c1(struct context *c) /* initialise auth-token crypto support */ if (c->options.auth_token_generate) { - auth_token_init_secret(&c->c1.ks.auth_token_key, - c->options.auth_token_secret_file, + auth_token_init_secret(&c->c1.ks.auth_token_key, c->options.auth_token_secret_file, c->options.auth_token_secret_file_inline); } @@ -3425,25 +3284,27 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) if (options->renegotiate_seconds_min < 0) { /* Add 10% jitter to reneg-sec by default (server side only) */ - int auto_jitter = options->mode != MODE_SERVER ? 0 : - get_random() % max_int(options->renegotiate_seconds / 10, 1); + int auto_jitter = options->mode != MODE_SERVER + ? 0 + : get_random() % max_int(options->renegotiate_seconds / 10, 1); to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter; } else { /* Add user-specified jitter to reneg-sec */ - to.renegotiate_seconds = options->renegotiate_seconds - -(get_random() % max_int(options->renegotiate_seconds - - options->renegotiate_seconds_min, 1)); + to.renegotiate_seconds = + options->renegotiate_seconds + - (get_random() + % max_int(options->renegotiate_seconds - options->renegotiate_seconds_min, 1)); } to.single_session = options->single_session; to.mode = options->mode; to.pull = options->pull; - if (options->push_peer_info) /* all there is */ + if (options->push_peer_info) /* all there is */ { to.push_peer_info_detail = 3; } - else if (options->pull) /* pull clients send some details */ + else if (options->pull) /* pull clients send some details */ { to.push_peer_info_detail = 2; } @@ -3451,7 +3312,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) { to.push_peer_info_detail = 0; } - else /* default: minimal info to allow NCP in P2P mode */ + else /* default: minimal info to allow NCP in P2P mode */ { to.push_peer_info_detail = 1; } 
@@ -3554,8 +3415,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) } /* TLS handshake encryption (--tls-crypt) */ - if (options->ce.tls_crypt_file - || (options->ce.tls_crypt_v2_file && options->tls_client)) + if (options->ce.tls_crypt_file || (options->ce.tls_crypt_v2_file && options->tls_client)) { to.tls_wrap.mode = TLS_WRAP_CRYPT; } @@ -3613,10 +3473,8 @@ do_init_frame_tls(struct context *c) if (c->c2.tls_multi) { tls_multi_init_finalize(c->c2.tls_multi, c->options.ce.tls_mtu); - ASSERT(c->c2.tls_multi->opt.frame.buf.payload_size <= - c->c2.frame.buf.payload_size); - frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO, - "Control Channel MTU parms"); + ASSERT(c->c2.tls_multi->opt.frame.buf.payload_size <= c->c2.frame.buf.payload_size); + frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO, "Control Channel MTU parms"); /* Keep the max mtu also in the frame of tls multi so it can access * it in push_peer_info */ @@ -3624,9 +3482,9 @@ do_init_frame_tls(struct context *c) } if (c->c2.tls_auth_standalone) { - tls_init_control_channel_frame_parameters(&c->c2.tls_auth_standalone->frame, c->options.ce.tls_mtu); - frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO, - "TLS-Auth MTU parms"); + tls_init_control_channel_frame_parameters(&c->c2.tls_auth_standalone->frame, + c->options.ce.tls_mtu); + frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO, "TLS-Auth MTU parms"); c->c2.tls_auth_standalone->tls_wrap.work = alloc_buf_gc(BUF_SIZE(&c->c2.frame), &c->c2.gc); c->c2.tls_auth_standalone->workbuf = alloc_buf_gc(BUF_SIZE(&c->c2.frame), &c->c2.gc); } 
@@ -3642,14 +3500,12 @@ do_init_crypto_none(struct context *c) /* Initialise key_type with auth/cipher "none", so the key_type struct is * valid */ - init_key_type(&c->c1.ks.key_type, "none", "none", - c->options.test_crypto, true); + init_key_type(&c->c1.ks.key_type, "none", "none", c->options.test_crypto, true); - msg(M_WARN, - "******* WARNING *******: All encryption and authentication features " - "disabled -- All data will be tunnelled as clear text and will not be " - "protected against man-in-the-middle changes. " - "PLEASE DO RECONSIDER THIS CONFIGURATION!"); + msg(M_WARN, "******* WARNING *******: All encryption and authentication features " + "disabled -- All data will be tunnelled as clear text and will not be " + "protected against man-in-the-middle changes. " + "PLEASE DO RECONSIDER THIS CONFIGURATION!"); } static void @@ -3663,7 +3519,7 @@ do_init_crypto(struct context *c, const unsigned int flags) { do_init_crypto_tls(c, flags); } - else /* no encryption or authentication. */ + else /* no encryption or authentication. */ { do_init_crypto_none(c); } @@ -3701,7 +3557,8 @@ do_init_frame(struct context *c) #ifdef ENABLE_FRAGMENT if (c->options.ce.fragment > 0 && c->options.ce.mssfix > c->options.ce.fragment) { - msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should " + msg(M_WARN, + "WARNING: if you use --mssfix and --fragment, you should " "set --fragment (%d) larger or equal than --mssfix (%d)", c->options.ce.fragment, c->options.ce.mssfix); } @@ -3709,7 +3566,7 @@ do_init_frame(struct context *c) && c->options.ce.fragment_encap != c->options.ce.mssfix_encap) { msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should " - "use the \"mtu\" flag for both or none of of them."); + "use the \"mtu\" flag for both or none of of them."); } #endif } 
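Review bot: The re-indented continuation line in the last hunk of this block (do_init_frame, `@@ -3709,7 +3566,7 @@`) carries a duplicated word in the user-facing warning, `"... for both or none of of them."`, and the reformat preserves it verbatim. Since clang-format already rewrites this line, it is the natural place to drop the extra word: `"use the \"mtu\" flag for both or none of them."`. The string is only emitted through msg(M_WARN), so the change has no effect beyond the log text. do_init_frame's body begins and ends outside the hunk.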
@@ -3728,34 +3585,39 @@ do_option_warnings(struct context *c) #ifdef ENABLE_SELINUX || o->selinux_context #endif - ) + ) { if (!o->persist_tun) { - msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail"); + msg(M_WARN, + "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail"); } } if (o->chroot_dir && !(o->username && o->groupname)) { - msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure"); + msg(M_WARN, + "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure"); } if (o->pull && o->ifconfig_local && c->first_time) { - msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want"); + msg(M_WARN, + "WARNING: using --pull/--client and --ifconfig together is probably not what you want"); } if (o->server_bridge_defined || o->server_bridge_proxy_dhcp) { - msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to"); + msg(M_WARN, + "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to"); } if (o->mode == MODE_SERVER) { if (o->duplicate_cn && o->client_config_dir) { - msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want"); + msg(M_WARN, + "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want"); } if (o->duplicate_cn && o->ifconfig_pool_persist_filename) { 
@@ -3771,14 +3633,12 @@ do_option_warnings(struct context *c) { warn_on_use_of_common_subnets(&c->net_ctx); } - if (o->tls_client - && !o->tls_verify - && o->verify_x509_type == VERIFY_X509_NONE - && !(o->ns_cert_type & NS_CERT_CHECK_SERVER) - && !o->remote_cert_eku + if (o->tls_client && !o->tls_verify && o->verify_x509_type == VERIFY_X509_NONE + && !(o->ns_cert_type & NS_CERT_CHECK_SERVER) && !o->remote_cert_eku && !(o->verify_hash_depth == 0 && o->verify_hash)) { - msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."); + msg(M_WARN, + "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."); } if (o->ns_cert_type) { @@ -3790,15 +3650,19 @@ do_option_warnings(struct context *c) { if (script_security() >= SSEC_SCRIPTS) { - msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts"); + msg(M_WARN, + "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts"); } else if (script_security() >= SSEC_PW_ENV) { - msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables"); + msg(M_WARN, + "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables"); } else { - msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables"); + msg(M_WARN, + "NOTE: starting with " PACKAGE_NAME + " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables"); } } } 
@@ -3877,8 +3741,8 @@ do_init_fragment(struct context *c) */ c->c2.frame_fragment = c->c2.frame; - frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type, - &c->options, get_link_socket_info(c)); + frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type, &c->options, + get_link_socket_info(c)); fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment); } #endif @@ -3891,8 +3755,7 @@ do_link_socket_new(struct context *c) { ASSERT(!c->c2.link_sockets); - ALLOC_ARRAY_GC(c->c2.link_sockets, struct link_socket *, - c->c1.link_sockets_num, &c->c2.gc); + ALLOC_ARRAY_GC(c->c2.link_sockets, struct link_socket *, c->c1.link_sockets_num, &c->c2.gc); for (int i = 0; i < c->c1.link_sockets_num; i++) { @@ -3955,8 +3818,7 @@ do_print_data_channel_mtu_parms(struct context *c) #ifdef ENABLE_FRAGMENT if (c->c2.fragment) { - frame_print(&c->c2.frame_fragment, D_MTU_INFO, - "Fragmentation MTU parms"); + frame_print(&c->c2.frame_fragment, D_MTU_INFO, "Fragmentation MTU parms"); } #endif } 
@@ -3970,23 +3832,18 @@ do_compute_occ_strings(struct context *c) struct gc_arena gc = gc_new(); c->c2.options_string_local = - options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx, - false, &gc); + options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx, false, &gc); c->c2.options_string_remote = - options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx, - true, &gc); + options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx, true, &gc); msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'", - options_string_version(c->c2.options_string_local, &gc), - c->c2.options_string_local); + options_string_version(c->c2.options_string_local, &gc), c->c2.options_string_local); msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'", - options_string_version(c->c2.options_string_remote, &gc), - c->c2.options_string_remote); + options_string_version(c->c2.options_string_remote, &gc), c->c2.options_string_remote); if (c->c2.tls_multi) { - tls_multi_init_set_options(c->c2.tls_multi, - c->c2.options_string_local, + tls_multi_init_set_options(c->c2.tls_multi, c->c2.options_string_local, c->c2.options_string_remote); } @@ -4010,10 +3867,8 @@ do_init_first_time(struct context *c) /* get user and/or group that we want to setuid/setgid to, * sets also platform_x_state */ - bool group_defined = platform_group_get(c->options.groupname, - &c0->platform_state_group); - bool user_defined = platform_user_get(c->options.username, - &c0->platform_state_user); + bool group_defined = platform_group_get(c->options.groupname, &c0->platform_state_group); + bool user_defined = platform_user_get(c->options.username, &c0->platform_state_user); c0->uid_gid_specified = user_defined || group_defined; 
@@ -4122,16 +3977,13 @@ do_close_link_socket(struct context *c)
 * reconnect to the same host again or there are still addresses that need
 * to be tried */
 if (!(c->sig->signal_received == SIGUSR1
- && ( (c->options.persist_remote_ip)
- ||
- ( c->sig->source != SIG_SOURCE_HARD
- && ((c->c1.link_socket_addrs[0].current_remote
- && c->c1.link_socket_addrs[0].current_remote->ai_next)
- || c->options.no_advance))
- )))
+ && ((c->options.persist_remote_ip)
+ || (c->sig->source != SIG_SOURCE_HARD
+ && ((c->c1.link_socket_addrs[0].current_remote
+ && c->c1.link_socket_addrs[0].current_remote->ai_next)
+ || c->options.no_advance)))))
 {
- clear_remote_addrlist(&c->c1.link_socket_addrs[0],
- !c->options.resolve_in_advance);
+ clear_remote_addrlist(&c->c1.link_socket_addrs[0], !c->options.resolve_in_advance);
 }
 /* Clear the remote actual address when persist_remote_ip is not in use */
@@ -4147,8 +3999,7 @@ do_close_link_socket(struct context *c)
 {
 for (int i = 0; i < c->c1.link_sockets_num; i++)
 {
- if (c->c1.link_socket_addrs[i].bind_local
- && !c->options.resolve_in_advance)
+ if (c->c1.link_socket_addrs[i].bind_local && !c->options.resolve_in_advance)
 {
 freeaddrinfo(c->c1.link_socket_addrs[i].bind_local);
 }
@@ -4192,8 +4043,7 @@ do_close_fragment(struct context *c)
 */
 static void
-do_event_set_init(struct context *c,
- bool need_us_timeout)
+do_event_set_init(struct context *c, bool need_us_timeout)
 {
 unsigned int flags = 0;
@@ -4230,11 +4080,9 @@ do_open_status_output(struct context *c)
 {
 if (!c->c1.status_output)
 {
- c->c1.status_output = status_open(c->options.status_file,
- c->options.status_file_update_freq,
- -1,
- NULL,
- STATUS_OUTPUT_WRITE);
+ c->c1.status_output =
+ status_open(c->options.status_file, c->options.status_file_update_freq, -1, NULL,
+ STATUS_OUTPUT_WRITE);
 c->c1.status_output_owned = true;
 }
 }
@@ -4261,8 +4109,9 @@ do_open_ifconfig_pool_persist(struct context *c)
 {
 if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
 {
- c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
- c->options.ifconfig_pool_persist_refresh_freq);
+ c->c1.ifconfig_pool_persist =
+ ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
+ c->options.ifconfig_pool_persist_refresh_freq);
 c->c1.ifconfig_pool_persist_owned = true;
 }
 }
@@ -4376,12 +4225,9 @@ open_plugins(struct context *c, const bool import_options, int init_point)
 unsigned int option_types_found = 0;
 if (config.list[i] && config.list[i]->value)
 {
- options_string_import(&c->options,
- config.list[i]->value,
- D_IMPORT_ERRORS|M_OPTERR,
- OPT_P_DEFAULT & ~OPT_P_PLUGIN,
- &option_types_found,
- c->es);
+ options_string_import(
+ &c->options, config.list[i]->value, D_IMPORT_ERRORS | M_OPTERR,
+ OPT_P_DEFAULT & ~OPT_P_PLUGIN, &option_types_found, c->es);
 }
 }
 }
@@ -4422,7 +4268,7 @@ do_inherit_plugins(struct context *c, const struct context *src)
 static void
 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
 {
- struct context *c = (struct context *) arg;
+ struct context *c = (struct context *)arg;
 print_status(c, so);
 }
@@ -4455,7 +4301,7 @@ management_callback_network_change(void *arg, bool samenetwork)
 */
 int socketfd = -1;
- struct context *c = (struct context *) arg;
+ struct context *c = (struct context *)arg;
 if (!c->c2.link_sockets || !c->c2.link_sockets[0])
 {
 return -1;
@@ -4536,24 +4382,14 @@ open_management(struct context *c)
 {
 flags |= MF_SERVER;
 }
- if (management_open(management,
- c->options.management_addr,
- c->options.management_port,
- c->options.management_user_pass,
- c->options.management_client_user,
- c->options.management_client_group,
- c->options.management_log_history_cache,
- c->options.management_echo_buffer_size,
- c->options.management_state_buffer_size,
- c->options.remap_sigusr1,
- flags))
+ if (management_open(
+ management, c->options.management_addr, c->options.management_port,
+ c->options.management_user_pass, c->options.management_client_user,
+ c->options.management_client_group, c->options.management_log_history_cache,
+ c->options.management_echo_buffer_size, c->options.management_state_buffer_size,
+ c->options.remap_sigusr1, flags))
 {
- management_set_state(management,
- OPENVPN_STATE_CONNECTING,
- NULL,
- NULL,
- NULL,
- NULL,
+ management_set_state(management, OPENVPN_STATE_CONNECTING, NULL, NULL, NULL, NULL,
 NULL);
 }
@@ -4932,9 +4768,7 @@ close_instance(struct context *c)
 /* close event objects */
 do_close_event_set(c);
- if (c->mode == CM_P2P
- || c->mode == CM_CHILD_TCP
- || c->mode == CM_CHILD_UDP
+ if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP
 || c->mode == CM_TOP)
 {
 #ifdef USE_COMP
@@ -5002,9 +4836,7 @@ close_instance(struct context *c)
 }
 void
-inherit_context_child(struct context *dest,
- const struct context *src,
- struct link_socket *sock)
+inherit_context_child(struct context *dest, const struct context *src, struct link_socket *sock)
 {
 CLEAR(*dest);
@@ -5092,8 +4924,7 @@ inherit_context_child(struct context *dest,
 }
 void
-inherit_context_top(struct context *dest,
- const struct context *src)
+inherit_context_top(struct context *dest, const struct context *src)
 {
 /* copy parent */
 *dest = *src;
@@ -5221,7 +5052,7 @@ remove_pid_file(void)
 static void *
 test_crypto_thread(void *arg)
 {
- struct context *c = (struct context *) arg;
+ struct context *c = (struct context *)arg;
 const struct options *options = &c->options;
 ASSERT(options->test_crypto);
@@ -5255,7 +5086,7 @@ do_test_crypto(const struct options *o)
 c.options = *o;
 options_detach(&c.options);
 c.first_time = true;
- test_crypto_thread((void *) &c);
+ test_crypto_thread((void *)&c);
 return true;
 }
 return false;
diff --git a/src/openvpn/init.h b/src/openvpn/init.h
index 081a295ab..a807874c1 100644
--- a/src/openvpn/init.h
+++ b/src/openvpn/init.h
@@ -45,8 +45,8 @@ bool init_static(void);
 void uninit_static(void);
-#define IVM_LEVEL_1 (1<<0)
-#define IVM_LEVEL_2 (1<<1)
+#define IVM_LEVEL_1 (1 << 0)
+#define IVM_LEVEL_2 (1 << 1)
 void init_verb_mute(struct context *c, unsigned int flags);
 void init_options_dev(struct options *options);
@@ -61,7 +61,8 @@ bool possibly_become_daemon(const struct options *options);
 void pre_setup(const struct options *options);
-void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags);
+void init_instance_handle_signals(struct context *c, const struct env_set *env,
+ const unsigned int flags);
 void init_instance(struct context *c, const struct env_set *env, const unsigned int flags);
@@ -72,8 +73,7 @@ void init_query_passwords(const struct context *c);
 bool do_route(const struct options *options, struct route_list *route_list,
 struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt,
- const struct plugin_list *plugins, struct env_set *es,
- openvpn_net_ctx_t *ctx);
+ const struct plugin_list *plugins, struct env_set *es, openvpn_net_ctx_t *ctx);
 void close_instance(struct context *c);
@@ -81,9 +81,7 @@ bool do_test_crypto(const struct options *o);
 void context_gc_free(struct context *c);
-bool do_up(struct context *c,
- bool pulled_options,
- unsigned int option_types_found);
+bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found);
 /**
 * @brief A simplified version of the do_up() function. This function is called
@@ -109,17 +107,15 @@ void reset_coarse_timers(struct context *c);
 */
 bool do_deferred_options(struct context *c, const unsigned int found, const bool is_update);
-void inherit_context_child(struct context *dest,
- const struct context *src,
+void inherit_context_child(struct context *dest, const struct context *src,
 struct link_socket *sock);
-void inherit_context_top(struct context *dest,
- const struct context *src);
+void inherit_context_top(struct context *dest, const struct context *src);
-#define CC_GC_FREE (1<<0)
-#define CC_USR1_TO_HUP (1<<1)
-#define CC_HARD_USR1_TO_HUP (1<<2)
-#define CC_NO_CLOSE (1<<3)
+#define CC_GC_FREE (1 << 0)
+#define CC_USR1_TO_HUP (1 << 1)
+#define CC_HARD_USR1_TO_HUP (1 << 2)
+#define CC_NO_CLOSE (1 << 3)
 void close_context(struct context *c, int sig, unsigned int flags);
@@ -127,9 +123,9 @@ struct context_buffers *init_context_buffers(const struct frame *frame);
 void free_context_buffers(struct context_buffers *b);
-#define ISC_ERRORS (1<<0)
-#define ISC_SERVER (1<<1)
-#define ISC_ROUTE_ERRORS (1<<2)
+#define ISC_ERRORS (1 << 0)
+#define ISC_SERVER (1 << 1)
+#define ISC_ROUTE_ERRORS (1 << 2)
 void initialization_sequence_completed(struct context *c, const unsigned int flags);
 #ifdef ENABLE_MANAGEMENT
diff --git a/src/openvpn/integer.h b/src/openvpn/integer.h
index 4a95f4e29..b82379ec1 100644
--- a/src/openvpn/integer.h
+++ b/src/openvpn/integer.h
@@ -26,13 +26,17 @@
 #include "error.h"
 #ifndef htonll
-#define htonll(x) ((1==htonl(1)) ? (x) : \
- ((uint64_t)htonl((uint32_t)((x) & 0xFFFFFFFF)) << 32) | htonl((uint32_t)((x) >> 32)))
+#define htonll(x) \
+ ((1 == htonl(1)) \
+ ? (x) \
+ : ((uint64_t)htonl((uint32_t)((x) & 0xFFFFFFFF)) << 32) | htonl((uint32_t)((x) >> 32)))
 #endif
 #ifndef ntohll
-#define ntohll(x) ((1==ntohl(1)) ? (x) : \
- ((uint64_t)ntohl((uint32_t)((x) & 0xFFFFFFFF)) << 32) | ntohl((uint32_t)((x) >> 32)))
+#define ntohll(x) \
+ ((1 == ntohl(1)) \
+ ? (x) \
+ : ((uint64_t)ntohl((uint32_t)((x) & 0xFFFFFFFF)) << 32) | ntohl((uint32_t)((x) >> 32)))
 #endif
 static inline int
@@ -196,10 +200,7 @@ index_verify(int index, int size, const char *file, int line)
 if (index < 0 || index >= size)
 {
 msg(M_FATAL, "Assertion Failed: Array index=%d out of bounds for array size=%d in %s:%d",
- index,
- size,
- file,
- line);
+ index, size, file, line);
 }
 return index;
 }
diff --git a/src/openvpn/interval.c b/src/openvpn/interval.c
index a2ac4f73f..2b3531402 100644
--- a/src/openvpn/interval.c
+++ b/src/openvpn/interval.c
@@ -39,9 +39,7 @@ interval_init(struct interval *top, int horizon, int refresh)
 }
 bool
-event_timeout_trigger(struct event_timeout *et,
- struct timeval *tv,
- const int et_const_retry)
+event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
 {
 if (!et->defined)
 {
@@ -54,8 +52,7 @@ event_timeout_trigger(struct event_timeout *et,
 if (wakeup <= 0)
 {
 #if INTERVAL_DEBUG
- dmsg(D_INTERVAL, "EVENT event_timeout_trigger (%d) etcr=%d", et->n,
- et_const_retry);
+ dmsg(D_INTERVAL, "EVENT event_timeout_trigger (%d) etcr=%d", et->n, et_const_retry);
 #endif
 if (et_const_retry < 0)
 {
@@ -72,8 +69,8 @@ event_timeout_trigger(struct event_timeout *et,
 if (tv && wakeup < tv->tv_sec)
 {
 #if INTERVAL_DEBUG
- dmsg(D_INTERVAL, "EVENT event_timeout_wakeup (%d/%d) etcr=%d",
- (int) wakeup, et->n, et_const_retry);
+ dmsg(D_INTERVAL, "EVENT event_timeout_wakeup (%d/%d) etcr=%d", (int)wakeup, et->n,
+ et_const_retry);
 #endif
 tv->tv_sec = wakeup;
 tv->tv_usec = 0;
diff --git a/src/openvpn/interval.h b/src/openvpn/interval.h
index 420a1be85..b133c44ca 100644
--- a/src/openvpn/interval.h
+++ b/src/openvpn/interval.h
@@ -74,8 +74,7 @@ interval_test(struct interval *top)
 }
 if (top->last_action + top->horizon > local_now
- || top->last_test_true + top->refresh <= local_now
- || trigger)
+ || top->last_test_true + top->refresh <= local_now || trigger)
 {
 top->last_test_true = local_now;
 #if INTERVAL_DEBUG
@@ -134,9 +133,9 @@ interval_action(struct interval *top)
 struct event_timeout
 {
- bool defined; /**< This timeout is active */
- interval_t n; /**< periodic interval for periodic timeouts */
- time_t last; /**< time of last event */
+ bool defined; /**< This timeout is active */
+ interval_t n; /**< periodic interval for periodic timeouts */
+ time_t last; /**< time of last event */
 };
 static inline bool
@@ -217,7 +216,7 @@ event_timeout_modify_wakeup(struct event_timeout *et, interval_t n)
 static inline interval_t
 event_timeout_remaining(struct event_timeout *et)
 {
- return (interval_t) ((et->last + et->n) - now);
+ return (interval_t)((et->last + et->n) - now);
 }
 #define ETT_DEFAULT (-1)
@@ -254,19 +253,18 @@ event_timeout_remaining(struct event_timeout *et)
 * @param et_const_retry see above
 * @return if the timeout has triggered and event has been reset
 */
-bool event_timeout_trigger(struct event_timeout *et,
- struct timeval *tv,
- int et_const_retry);
+bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, int et_const_retry);
 /*
 * Measure time intervals in microseconds
 */
-#define USEC_TIMER_MAX 60 /* maximum interval size in seconds */
+#define USEC_TIMER_MAX 60 /* maximum interval size in seconds */
 #define USEC_TIMER_MAX_USEC (USEC_TIMER_MAX * 1000000)
-struct usec_timer {
+struct usec_timer
+{
 struct timeval start;
 struct timeval end;
 };
diff --git a/src/openvpn/list.c b/src/openvpn/list.c
index 48e549fc9..f30d54023 100644
--- a/src/openvpn/list.c
+++ b/src/openvpn/list.c
@@ -34,8 +34,7 @@
 #include "memdbg.h"
 struct hash *
-hash_init(const int n_buckets,
- const uint32_t iv,
+hash_init(const int n_buckets, const uint32_t iv,
 uint32_t (*hash_function)(const void *key, uint32_t iv),
 bool (*compare_function)(const void *key1, const void *key2))
 {
@@ -44,7 +43,7 @@ hash_init(const int n_buckets,
 ASSERT(n_buckets > 0);
 ALLOC_OBJ_CLEAR(h, struct hash);
- h->n_buckets = (int) adjust_power_of_2(n_buckets);
+ h->n_buckets = (int)adjust_power_of_2(n_buckets);
 h->mask = h->n_buckets - 1;
 h->hash_function = hash_function;
 h->compare_function = compare_function;
@@ -79,10 +78,7 @@ hash_free(struct hash *hash)
 }
 struct hash_element *
-hash_lookup_fast(struct hash *hash,
- struct hash_bucket *bucket,
- const void *key,
- uint32_t hv)
+hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
 {
 struct hash_element *he;
 struct hash_element *prev = NULL;
@@ -110,10 +106,7 @@ hash_lookup_fast(struct hash *hash,
 }
 bool
-hash_remove_fast(struct hash *hash,
- struct hash_bucket *bucket,
- const void *key,
- uint32_t hv)
+hash_remove_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
 {
 struct hash_element *he;
 struct hash_element *prev = NULL;
@@ -219,9 +212,7 @@ hash_remove_marked(struct hash *hash, struct hash_bucket *bucket)
 }
 void
-hash_iterator_init_range(struct hash *hash,
- struct hash_iterator *hi,
- int start_bucket,
+hash_iterator_init_range(struct hash *hash, struct hash_iterator *hi, int start_bucket,
 int end_bucket)
 {
 if (end_bucket > hash->n_buckets)
@@ -242,8 +233,7 @@ hash_iterator_init_range(struct hash *hash,
 }
 void
-hash_iterator_init(struct hash *hash,
- struct hash_iterator *hi)
+hash_iterator_init(struct hash *hash, struct hash_iterator *hi)
 {
 hash_iterator_init_range(hash, hi, 0, hash->n_buckets);
 }
@@ -390,17 +380,35 @@ hash_iterator_delete_element(struct hash_iterator *hi)
 * -------------------------------------------------------------------- */
-#define mix(a, b, c) \
- { \
- a -= b; a -= c; a ^= (c>>13); \
- b -= c; b -= a; b ^= (a<<8); \
- c -= a; c -= b; c ^= (b>>13); \
- a -= b; a -= c; a ^= (c>>12); \
- b -= c; b -= a; b ^= (a<<16); \
- c -= a; c -= b; c ^= (b>>5); \
- a -= b; a -= c; a ^= (c>>3); \
- b -= c; b -= a; b ^= (a<<10); \
- c -= a; c -= b; c ^= (b>>15); \
+#define mix(a, b, c) \
+ { \
+ a -= b; \
+ a -= c; \
+ a ^= (c >> 13); \
+ b -= c; \
+ b -= a; \
+ b ^= (a << 8); \
+ c -= a; \
+ c -= b; \
+ c ^= (b >> 13); \
+ a -= b; \
+ a -= c; \
+ a ^= (c >> 12); \
+ b -= c; \
+ b -= a; \
+ b ^= (a << 16); \
+ c -= a; \
+ c -= b; \
+ c ^= (b >> 5); \
+ a -= b; \
+ a -= c; \
+ a ^= (c >> 3); \
+ b -= c; \
+ b -= a; \
+ b ^= (a << 10); \
+ c -= a; \
+ c -= b; \
+ c ^= (b >> 15); \
 }
 uint32_t
@@ -410,21 +418,15 @@ hash_func(const uint8_t *k, uint32_t length, uint32_t initval)
 /* Set up the internal state */
 len = length;
- a = b = 0x9e3779b9; /* the golden ratio; an arbitrary value */
- c = initval; /* the previous hash value */
+ a = b = 0x9e3779b9; /* the golden ratio; an arbitrary value */
+ c = initval; /* the previous hash value */
 /*---------------------------------------- handle most of the key */
 while (len >= 12)
 {
- a += (k[0] + ((uint32_t) k[1] << 8)
- + ((uint32_t) k[2] << 16)
- + ((uint32_t) k[3] << 24));
- b += (k[4] + ((uint32_t) k[5] << 8)
- + ((uint32_t) k[6] << 16)
- + ((uint32_t) k[7] << 24));
- c += (k[8] + ((uint32_t) k[9] << 8)
- + ((uint32_t) k[10] << 16)
- + ((uint32_t) k[11] << 24));
+ a += (k[0] + ((uint32_t)k[1] << 8) + ((uint32_t)k[2] << 16) + ((uint32_t)k[3] << 24));
+ b += (k[4] + ((uint32_t)k[5] << 8) + ((uint32_t)k[6] << 16) + ((uint32_t)k[7] << 24));
+ c += (k[8] + ((uint32_t)k[9] << 8) + ((uint32_t)k[10] << 16) + ((uint32_t)k[11] << 24));
 mix(a, b, c);
 k += 12;
 len -= 12;
@@ -432,48 +434,48 @@ hash_func(const uint8_t *k, uint32_t length, uint32_t initval)
 /*------------------------------------- handle the last 11 bytes */
 c += length;
- switch (len) /* all the case statements fall through */
+ switch (len) /* all the case statements fall through */
 {
 case 11:
- c += ((uint32_t) k[10] << 24);
- /* Intentional [[fallthrough]]; */
+ c += ((uint32_t)k[10] << 24);
+ /* Intentional [[fallthrough]]; */
 case 10:
- c += ((uint32_t) k[9] << 16);
- /* Intentional [[fallthrough]]; */
+ c += ((uint32_t)k[9] << 16);
+ /* Intentional [[fallthrough]]; */
 case 9:
- c += ((uint32_t) k[8] << 8);
+ c += ((uint32_t)k[8] << 8);
 /* Intentional [[fallthrough]]; */
 /* the first byte of c is reserved for the length */
 case 8:
- b += ((uint32_t) k[7] << 24);
- /* Intentional [[fallthrough]]; */
+ b += ((uint32_t)k[7] << 24);
+ /* Intentional [[fallthrough]]; */
 case 7:
- b += ((uint32_t) k[6] << 16);
- /* Intentional [[fallthrough]]; */
+ b += ((uint32_t)k[6] << 16);
+ /* Intentional [[fallthrough]]; */
 case 6:
- b += ((uint32_t) k[5] << 8);
- /* Intentional [[fallthrough]]; */
+ b += ((uint32_t)k[5] << 8);
+ /* Intentional [[fallthrough]]; */
 case 5:
 b += k[4];
- /* Intentional [[fallthrough]]; */
+ /* Intentional [[fallthrough]]; */
 case 4:
- a += ((uint32_t) k[3] << 24);
- /* Intentional [[fallthrough]]; */
+ a += ((uint32_t)k[3] << 24);
+ /* Intentional [[fallthrough]]; */
 case 3:
- a += ((uint32_t) k[2] << 16);
- /* Intentional [[fallthrough]]; */
+ a += ((uint32_t)k[2] << 16);
+ /* Intentional [[fallthrough]]; */
 case 2:
- a += ((uint32_t) k[1] << 8);
- /* Intentional [[fallthrough]]; */
+ a += ((uint32_t)k[1] << 8);
+ /* Intentional [[fallthrough]]; */
 case 1:
 a += k[0];
diff --git a/src/openvpn/list.h b/src/openvpn/list.h
index 77807c7b7..fb3302dce 100644
--- a/src/openvpn/list.h
+++ b/src/openvpn/list.h
@@ -36,8 +36,8 @@
 #include "basic.h"
 #include "buffer.h"
-#define hashsize(n) ((uint32_t)1<<(n))
-#define hashmask(n) (hashsize(n)-1)
+#define hashsize(n) ((uint32_t)1 << (n))
+#define hashmask(n) (hashsize(n) - 1)
 struct hash_element
 {
@@ -63,8 +63,7 @@ struct hash
 struct hash_bucket *buckets;
 };
-struct hash *hash_init(const int n_buckets,
- const uint32_t iv,
+struct hash *hash_init(const int n_buckets, const uint32_t iv,
 uint32_t (*hash_function)(const void *key, uint32_t iv),
 bool (*compare_function)(const void *key1, const void *key2));
@@ -72,15 +71,10 @@ void hash_free(struct hash *hash);
 bool hash_add(struct hash *hash, const void *key, void *value, bool replace);
-struct hash_element *hash_lookup_fast(struct hash *hash,
- struct hash_bucket *bucket,
- const void *key,
- uint32_t hv);
+struct hash_element *hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket,
+ const void *key, uint32_t hv);
-bool hash_remove_fast(struct hash *hash,
- struct hash_bucket *bucket,
- const void *key,
- uint32_t hv);
+bool hash_remove_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv);
 void hash_remove_by_value(struct hash *hash, void *value);
@@ -96,9 +90,7 @@ struct hash_iterator
 int bucket_index_end;
 };
-void hash_iterator_init_range(struct hash *hash,
- struct hash_iterator *hi,
- int start_bucket,
+void hash_iterator_init_range(struct hash *hash, struct hash_iterator *hi, int start_bucket,
 int end_bucket);
 void hash_iterator_init(struct hash *hash, struct hash_iterator *iter);
@@ -154,10 +146,7 @@ hash_lookup(struct hash *hash, const void *key)
 /* NOTE: assumes that key is not a duplicate */
 static inline void
-hash_add_fast(struct hash *hash,
- struct hash_bucket *bucket,
- const void *key,
- uint32_t hv,
+hash_add_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv,
 void *value)
 {
 struct hash_element *he;
diff --git a/src/openvpn/lladdr.c b/src/openvpn/lladdr.c
index cc677b4b2..d8bcad95f 100644
--- a/src/openvpn/lladdr.c
+++ b/src/openvpn/lladdr.c
@@ -14,8 +14,7 @@
 #include "proto.h"
 int
-set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr,
- const struct env_set *es)
+set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr, const struct env_set *es)
 {
 int r;
@@ -32,27 +31,16 @@ set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr,
 #else /* if defined(TARGET_LINUX) */
 struct argv argv = argv_new();
 #if defined(TARGET_SOLARIS)
- argv_printf(&argv,
- "%s %s ether %s",
- IFCONFIG_PATH,
- ifname, lladdr);
+ argv_printf(&argv, "%s %s ether %s", IFCONFIG_PATH, ifname, lladdr);
 #elif defined(TARGET_OPENBSD)
- argv_printf(&argv,
- "%s %s lladdr %s",
- IFCONFIG_PATH,
- ifname, lladdr);
+ argv_printf(&argv, "%s %s lladdr %s", IFCONFIG_PATH, ifname, lladdr);
 #elif defined(TARGET_DARWIN)
- argv_printf(&argv,
- "%s %s lladdr %s",
- IFCONFIG_PATH,
- ifname, lladdr);
+ argv_printf(&argv, "%s %s lladdr %s", IFCONFIG_PATH, ifname, lladdr);
 #elif defined(TARGET_FREEBSD)
- argv_printf(&argv,
- "%s %s ether %s",
- IFCONFIG_PATH,
- ifname, lladdr);
+ argv_printf(&argv, "%s %s ether %s", IFCONFIG_PATH, ifname, lladdr);
 #else /* if defined(TARGET_SOLARIS) */
- msg(M_WARN, "Sorry, but I don't know how to configure link layer addresses on this operating system.");
+ msg(M_WARN,
+ "Sorry, but I don't know how to configure link layer addresses on this operating system.");
 return -1;
 #endif /* if defined(TARGET_SOLARIS) */
 argv_msg(M_INFO, &argv);
diff --git a/src/openvpn/lzo.c b/src/openvpn/lzo.c
index d5f60cae8..3a73d5f29 100644
--- a/src/openvpn/lzo.c
+++ b/src/openvpn/lzo.c
@@ -50,9 +50,10 @@ lzo_compress_init(struct compress_context *compctx)
 int lzo_status = lzo_init();
 if (lzo_status != LZO_E_OK)
 {
- msg(M_FATAL, "Cannot initialize LZO compression library (lzo_init() returns %d)", lzo_status);
+ msg(M_FATAL, "Cannot initialize LZO compression library (lzo_init() returns %d)",
+ lzo_status);
 }
- compctx->wu.lzo.wmem = (lzo_voidp) malloc(compctx->wu.lzo.wmem_size);
+ compctx->wu.lzo.wmem = (lzo_voidp)malloc(compctx->wu.lzo.wmem_size);
 check_malloc_return(compctx->wu.lzo.wmem);
 }
@@ -64,8 +65,7 @@ lzo_compress_uninit(struct compress_context *compctx)
 }
 static void
-lzo_compress(struct buffer *buf, struct buffer work,
- struct compress_context *compctx,
+lzo_compress(struct buffer *buf, struct buffer work, struct compress_context *compctx,
 const struct frame *frame)
 {
 uint8_t *header = buf_prepend(buf, 1);
@@ -73,13 +73,12 @@ lzo_compress(struct buffer *buf, struct buffer work,
 }
 static void
-lzo_decompress(struct buffer *buf, struct buffer work,
- struct compress_context *compctx,
+lzo_decompress(struct buffer *buf, struct buffer work, struct compress_context *compctx,
 const struct frame *frame)
 {
 lzo_uint zlen = frame->buf.payload_size;
 int err;
- uint8_t c; /* flag indicating whether or not our peer compressed */
+ uint8_t c; /* flag indicating whether or not our peer compressed */
 if (buf->len <= 0)
 {
@@ -94,8 +93,7 @@ lzo_decompress(struct buffer *buf, struct buffer work,
 if (c == LZO_COMPRESS_BYTE) /* packet was compressed */
 {
 ASSERT(buf_safe(&work, zlen));
- err = LZO_DECOMPRESS(BPTR(buf), BLEN(buf), BPTR(&work), &zlen,
- compctx->wu.lzo.wmem);
+ err = LZO_DECOMPRESS(BPTR(buf), BLEN(buf), BPTR(&work), &zlen, compctx->wu.lzo.wmem);
 if (err != LZO_E_OK)
 {
 dmsg(D_COMP_ERRORS, "LZO decompression error: %d", err);
@@ -112,7 +110,7 @@ lzo_decompress(struct buffer *buf, struct buffer work,
 *buf = work;
 }
- else if (c == NO_COMPRESS_BYTE) /* packet was not compressed */
+ else if (c == NO_COMPRESS_BYTE) /* packet was not compressed */
 {
 /* nothing to do */
 }
@@ -123,11 +121,6 @@ lzo_decompress(struct buffer *buf, struct buffer work,
 }
 }
-const struct compress_alg lzo_alg = {
- "lzo",
- lzo_compress_init,
- lzo_compress_uninit,
- lzo_compress,
- lzo_decompress
-};
+const struct compress_alg lzo_alg = { "lzo", lzo_compress_init, lzo_compress_uninit, lzo_compress,
+ lzo_decompress };
 #endif /* ENABLE_LZO */
diff --git a/src/openvpn/lzo.h b/src/openvpn/lzo.h
index c47db8324..9d4fa302a 100644
--- a/src/openvpn/lzo.h
+++ b/src/openvpn/lzo.h
@@ -56,19 +56,19 @@ extern const struct compress_alg lzo_alg;
 /**************************************************************************/
-/** @name LZO library interface defines *//** @{ *//***********************/
-#define LZO_COMPRESS lzo1x_1_15_compress
+/** @name LZO library interface defines */ /** @{ */ /***********************/
+#define LZO_COMPRESS lzo1x_1_15_compress
 /**< LZO library compression function.
 *
 * Use \c lzo1x_1_15_compress because it
 * is described as faster than the
 * standard routine, although it does
 * need a bit more memory. */
-#define LZO_WORKSPACE LZO1X_1_15_MEM_COMPRESS
+#define LZO_WORKSPACE LZO1X_1_15_MEM_COMPRESS
 /**< The size in bytes of the memory
 * %buffer required by the LZO library
 * compression algorithm. */
-#define LZO_DECOMPRESS lzo1x_decompress_safe
+#define LZO_DECOMPRESS lzo1x_decompress_safe
 /**< LZO library decompression function.
 *
 * Use safe decompress because it
@@ -78,26 +78,30 @@ extern const struct compress_alg lzo_alg;
 * verify the integrity of incoming
 * packets, you might want to consider
 * using the non-safe version. */
-/** @} name LZO library interface *//**************************************/
+/** @} name LZO library interface */ /**************************************/
 /**************************************************************************/
-/** @name Adaptive compression defines *//** @{ *//************************/
-#define AC_SAMP_SEC 2 /**< Number of seconds in a sample period. */
-#define AC_MIN_BYTES 1000 /**< Minimum number of bytes a sample
- * period must contain for it to be
- * evaluated. */
-#define AC_SAVE_PCT 5 /**< Minimum size reduction percentage
- * below which compression will be
- * turned off. */
-#define AC_OFF_SEC 60 /**< Seconds to wait after compression has
- * been turned off before retesting. */
-/** @} name Adaptive compression defines *//*******************************/
+/** @name Adaptive compression defines */ /** @{ */ /************************/
+#define AC_SAMP_SEC 2 /**< Number of seconds in a sample period. */
+#define AC_MIN_BYTES \
+ 1000 /**< Minimum number of bytes a sample \
+ * period must contain for it to be \
+ * evaluated. */
+#define AC_SAVE_PCT \
+ 5 /**< Minimum size reduction percentage \
+ * below which compression will be \
+ * turned off. */
+#define AC_OFF_SEC \
+ 60 /**< Seconds to wait after compression has \
+ * been turned off before retesting. */
+/** @} name Adaptive compression defines */ /*******************************/
 /**
 * Adaptive compression state.
 */
-struct lzo_adaptive_compress {
+struct lzo_adaptive_compress
+{
 bool compress_state;
 time_t next;
 int n_total;
diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
index c7bdd5ad2..aed04f54b 100644
--- a/src/openvpn/manage.c
+++ b/src/openvpn/manage.c
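Review bot: The new layout of the adaptive-compression defines (`#define AC_MIN_BYTES \` followed by `1000 /**< Minimum number of bytes a sample \`) moves each value onto a continuation line and threads backslashes through the middle of the Doxygen comment, which reads worse than the single-line form it replaces and is easy to break on the next edit. This appears to be clang-format wrapping trailing comments that overflow the column limit, so the cleaner fix is to move each `/**< ... */` description onto a `/** ... */` comment on the line(s) above its `#define`, leaving the macro body on one line with no continuations. The same applies to `AC_SAVE_PCT` and `AC_OFF_SEC` in this hunk.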
@@ -74,7 +74,8 @@ man_help(void)
 msg(M_CLIENT, "auth-retry t : Auth failure retry mode (none,interact,nointeract).");
 msg(M_CLIENT, "bytecount n : Show bytes in/out, update every n secs (0=off).");
 msg(M_CLIENT, "echo [on|off] [N|all] : Like log, but only show messages in echo buffer.");
- msg(M_CLIENT, "cr-response response : Send a challenge response answer via CR_RESPONSE to server");
+ msg(M_CLIENT,
+ "cr-response response : Send a challenge response answer via CR_RESPONSE to server");
 msg(M_CLIENT, "exit|quit : Close management session.");
 msg(M_CLIENT, "forget-passwords : Forget passwords entered so far.");
 msg(M_CLIENT, "help : Print this message.");
@@ -85,7 +86,8 @@ man_help(void)
 msg(M_CLIENT, "load-stats : Show global server load stats.");
 msg(M_CLIENT, "log [on|off] [N|all] : Turn on/off realtime log display");
 msg(M_CLIENT, " + show last N lines or 'all' for entire history.");
- msg(M_CLIENT, "mute [n] : Set log mute level to n, or show level if n is absent.");
+ msg(M_CLIENT,
+ "mute [n] : Set log mute level to n, or show level if n is absent.");
 msg(M_CLIENT, "needok type action : Enter confirmation for NEED-OK request of 'type',");
 msg(M_CLIENT, " where action = 'ok' or 'cancel'.");
 msg(M_CLIENT, "needstr type action : Enter confirmation for NEED-STR request of 'type',");
@@ -103,18 +105,25 @@ man_help(void)
 #endif
 msg(M_CLIENT, "client-auth CID KID : Authenticate client-id/key-id CID/KID (MULTILINE)");
 msg(M_CLIENT, "client-auth-nt CID KID : Authenticate client-id/key-id CID/KID");
- msg(M_CLIENT, "client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason");
+ msg(M_CLIENT,
+ "client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason");
 msg(M_CLIENT, " text R and optional client reason text CR");
- msg(M_CLIENT, "client-pending-auth CID KID MSG timeout : Instruct OpenVPN to send AUTH_PENDING and INFO_PRE msg");
- msg(M_CLIENT, " to the client and wait for a final client-auth/client-deny");
+ msg(M_CLIENT,
+ "client-pending-auth CID KID MSG timeout : Instruct OpenVPN to send AUTH_PENDING and INFO_PRE msg");
+ msg(M_CLIENT,
+ " to the client and wait for a final client-auth/client-deny");
 msg(M_CLIENT, "client-kill CID [M] : Kill client instance CID with message M (def=RESTART)");
 msg(M_CLIENT, "env-filter [level] : Set env-var filter level");
 msg(M_CLIENT, "rsa-sig : Enter a signature in response to >RSA_SIGN challenge");
- msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END");
+ msg(M_CLIENT,
+ " Enter signature base64 on subsequent lines followed by END");
 msg(M_CLIENT, "pk-sig : Enter a signature in response to >PK_SIGN challenge");
- msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END");
- msg(M_CLIENT, "certificate : Enter a client certificate in response to >NEED-CERT challenge");
- msg(M_CLIENT, " Enter certificate base64 on subsequent lines followed by END");
+ msg(M_CLIENT,
+ " Enter signature base64 on subsequent lines followed by END");
+ msg(M_CLIENT,
+ "certificate : Enter a client certificate in response to >NEED-CERT challenge");
+ msg(M_CLIENT,
+ " Enter certificate base64 on subsequent lines followed by END");
 msg(M_CLIENT, "signal s : Send signal s to daemon,");
 msg(M_CLIENT, " s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.");
 msg(M_CLIENT, "state [on|off] [N|all] : Like log, but show state history.");
@@ -122,7 +131,8 @@ man_help(void)
 msg(M_CLIENT, "test n : Produce n lines of output for testing/debugging.");
 msg(M_CLIENT, "username type u : Enter username u for a queried OpenVPN username.");
 msg(M_CLIENT, "verb [n] : Set log verbosity level to n, or show if n is absent.");
- msg(M_CLIENT, "version [n] : Set client's version to n or show current version of daemon.");
+ msg(M_CLIENT,
+ "version [n] : Set client's version to n or show current version of daemon.");
 msg(M_CLIENT, "END");
 }
@@ -305,7 +315,7 @@ static void
 man_delete_unix_socket(struct management *man)
 {
 #if UNIX_SOCK_SUPPORT
- if ((man->settings.flags & (MF_UNIX_SOCK|MF_CONNECT_AS_CLIENT)) == MF_UNIX_SOCK)
+ if ((man->settings.flags & (MF_UNIX_SOCK | MF_CONNECT_AS_CLIENT)) == MF_UNIX_SOCK)
 {
 socket_delete_unix(&man->settings.local_unix);
 }
@@ -331,11 +341,11 @@ man_close_socket(struct management *man, const socket_descriptor_t sd)
 static void
 virtual_output_callback_func(void *arg, const unsigned int flags, const char *str)
 {
- struct management *man = (struct management *) arg;
+ struct management *man = (struct management *)arg;
 static int recursive_level = 0; /* GLOBAL */
-#define AF_DID_PUSH (1<<0)
-#define AF_DID_RESET (1<<1)
+#define AF_DID_PUSH (1 << 0)
+#define AF_DID_RESET (1 << 1)
 if (recursive_level < 5) /* limit recursion */
 {
 struct gc_arena gc = gc_new();
@@ -369,10 +379,10 @@ virtual_output_callback_func(void *arg, const unsigned int flags, const char *st
 }
 else if (man->connection.log_realtime)
 {
- out = log_entry_print(&e, LOG_PRINT_INT_DATE
- | LOG_PRINT_MSG_FLAGS
- | LOG_PRINT_LOG_PREFIX
- | LOG_PRINT_CRLF, &gc);
+ out = log_entry_print(&e,
+ LOG_PRINT_INT_DATE | LOG_PRINT_MSG_FLAGS
+ | LOG_PRINT_LOG_PREFIX | LOG_PRINT_CRLF,
+ &gc);
 }
 if (out)
 {
@@ -381,11 +391,11 @@ virtual_output_callback_func(void *arg, const unsigned int flags, const char *st
 }
 if (flags & M_FATAL)
 {
- out = log_entry_print(&e, LOG_FATAL_NOTIFY|LOG_PRINT_CRLF, &gc);
+ out = log_entry_print(&e, LOG_FATAL_NOTIFY | LOG_PRINT_CRLF, &gc);
 if (out)
 {
 man_output_list_push_str(man, out);
- action_flags |= (AF_DID_PUSH|AF_DID_RESET);
+ action_flags |= (AF_DID_PUSH | AF_DID_RESET);
 }
 }
 }
@@ -407,7 +417,8 @@ virtual_output_callback_func(void *arg, const unsigned int flags, const char *st
 {
 /* cannot use msg here */
 printf("virtual_output: message to management interface "
- "dropped due to recursion: <%s>\n", str);
+ "dropped due to recursion: <%s>\n",
+ str);
 }
 }
@@ -471,7 +482,8 @@ man_signal(struct management *man, const char *name)
 static void
 man_command_unsupported(const char *command_name)
 {
- msg(M_CLIENT, "ERROR: The '%s' command is not supported by the current daemon mode", command_name);
+ msg(M_CLIENT, "ERROR: The '%s' command is not supported by the current daemon mode",
+ command_name);
 }
 static void
@@ -494,8 +506,7 @@ man_bytecount(struct management *man, const int update_seconds)
 {
 man->connection.bytecount_update_seconds = update_seconds;
 event_timeout_init(&man->connection.bytecount_update_interval,
- man->connection.bytecount_update_seconds,
- now);
+ man->connection.bytecount_update_seconds, now);
 }
 else
 {
@@ -506,8 +517,7 @@ man_bytecount(struct management *man, const int update_seconds)
 }
 static void
-man_bytecount_output_client(struct management *man,
- counter_type dco_read_bytes,
+man_bytecount_output_client(struct management *man, counter_type dco_read_bytes,
 counter_type dco_write_bytes)
 {
 char in[32];
@@ -520,8 +530,7 @@ man_bytecount_output_client(struct management *man,
 }
 void
-man_bytecount_output_server(const counter_type *bytes_in_total,
- const counter_type *bytes_out_total,
+man_bytecount_output_server(const counter_type *bytes_in_total, const counter_type *bytes_out_total,
 struct man_def_auth_context *mdac)
 {
 char in[32];
@@ -546,7 +555,7 @@ man_kill(struct management *man, const char *victim)
 char p3[128];
 int n_killed;
- buf_set_read(&buf, (uint8_t *) victim, strlen(victim) + 1);
+ buf_set_read(&buf, (uint8_t *)victim, strlen(victim) + 1);
 buf_parse(&buf, ':', p1, sizeof(p1));
 buf_parse(&buf, ':', p2, sizeof(p2));
 buf_parse(&buf, ':', p3, sizeof(p3));
@@ -555,29 +564,29 @@ man_kill(struct management *man, const char *victim)
 {
 /* IP:port specified */
 bool status;
- const in_addr_t addr = getaddr(GETADDR_HOST_ORDER|GETADDR_MSG_VIRT_OUT, p2, 0, &status, NULL);
+ const in_addr_t addr =
+ getaddr(GETADDR_HOST_ORDER | GETADDR_MSG_VIRT_OUT, p2, 0, &status, NULL);
 if (status)
 {
 const int port = atoi(p3);
- const int proto = (streq(p1, "tcp")) ? PROTO_TCP_SERVER :
- (streq(p1, "udp")) ? PROTO_UDP : PROTO_NONE;
+ const int proto = (streq(p1, "tcp")) ? PROTO_TCP_SERVER
+ : (streq(p1, "udp")) ? PROTO_UDP
+ : PROTO_NONE;
 if ((port > 0 && port < 65536) && (proto != PROTO_NONE))
 {
- n_killed = (*man->persist.callback.kill_by_addr)(man->persist.callback.arg, addr, port, proto);
+ n_killed = (*man->persist.callback.kill_by_addr)(man->persist.callback.arg,
+ addr, port, proto);
 if (n_killed > 0)
 {
- msg(M_CLIENT, "SUCCESS: %d client(s) at address %s:%s:%d killed",
- n_killed,
- proto2ascii(proto, AF_UNSPEC, false),
- print_in_addr_t(addr, 0, &gc),
+ msg(M_CLIENT, "SUCCESS: %d client(s) at address %s:%s:%d killed", n_killed,
+ proto2ascii(proto, AF_UNSPEC, false), print_in_addr_t(addr, 0, &gc),
 port);
 }
 else
 {
 msg(M_CLIENT, "ERROR: client at address %s:%s:%d not found",
- proto2ascii(proto, AF_UNSPEC, false),
- print_in_addr_t(addr, 0, &gc),
+ proto2ascii(proto, AF_UNSPEC, false), print_in_addr_t(addr, 0, &gc),
 port);
 }
 }
@@ -622,12 +631,8 @@ man_kill(struct management *man, const char *victim)
 * for the log and echo commands. */
 static void
-man_history(struct management *man,
- const char *parm,
- const char *type,
- struct log_history *log,
- bool *realtime,
- const unsigned int lep_flags)
+man_history(struct management *man, const char *parm, const char *type, struct log_history *log,
+ bool *realtime, const unsigned int lep_flags)
 {
 struct gc_arena gc = gc_new();
 int n = 0;
@@ -670,35 +675,22 @@ man_history(struct management *man,
 static void
 man_log(struct management *man, const char *parm)
 {
- man_history(man,
- parm,
- "log",
- man->persist.log,
- &man->connection.log_realtime,
- LOG_PRINT_INT_DATE|LOG_PRINT_MSG_FLAGS);
+ man_history(man, parm, "log", man->persist.log, &man->connection.log_realtime,
+ LOG_PRINT_INT_DATE | LOG_PRINT_MSG_FLAGS);
 }
 static void
 man_echo(struct management *man, const char *parm)
 {
- man_history(man,
- parm,
- "echo",
- man->persist.echo,
- &man->connection.echo_realtime,
- LOG_PRINT_INT_DATE|MANAGEMENT_ECHO_FLAGS);
+ man_history(man, parm, "echo", man->persist.echo, &man->connection.echo_realtime,
+ LOG_PRINT_INT_DATE | MANAGEMENT_ECHO_FLAGS);
 }
 static void
 man_state(struct management *man, const char *parm)
 {
- man_history(man,
- parm,
- "state",
- man->persist.state,
- &man->connection.state_realtime,
- LOG_PRINT_INT_DATE|LOG_PRINT_STATE
- |LOG_PRINT_LOCAL_IP|LOG_PRINT_REMOTE_IP);
+ man_history(man, parm, "state", man->persist.state, &man->connection.state_realtime,
+ LOG_PRINT_INT_DATE | LOG_PRINT_STATE | LOG_PRINT_LOCAL_IP | LOG_PRINT_REMOTE_IP);
 }
 static void
@@ -732,13 +724,8 @@ man_up_finalize(struct management *man)
 }
 static void
-man_query_user_pass(struct management *man,
- const char *type,
- const char *string,
- const bool needed,
- const char *prompt,
- char *dest,
- int len)
+man_query_user_pass(struct management *man, const char *type, const char *string, const bool needed,
+ const char *prompt, char *dest, int len)
 {
 if (needed)
 {
@@ -747,16 +734,12 @@ man_query_user_pass(struct management *man,
 {
 strncpynt(dest, string, len);
 man_up_finalize(man);
- msg(M_CLIENT, "SUCCESS: '%s' %s entered, but not yet verified",
- type,
- prompt);
+ msg(M_CLIENT, "SUCCESS: '%s' %s entered, but not yet verified", type, prompt);
 }
 else
 {
- msg(M_CLIENT, "ERROR: %s of type '%s' entered, but we need one of type '%s'",
- prompt,
- type,
- man->connection.up_query_type);
+ msg(M_CLIENT, "ERROR: %s of type '%s' entered, but we need one of type '%s'", prompt,
+ type, man->connection.up_query_type);
 }
 }
 else
@@ -768,36 +751,42 @@ man_query_user_pass(struct management *man,
 static void
 man_query_username(struct management *man, const char *type, const char *string)
 {
- const bool needed = ((man->connection.up_query_mode == UP_QUERY_USER_PASS
- ) && man->connection.up_query_type);
- man_query_user_pass(man, type, string, needed, "username", man->connection.up_query.username, USER_PASS_LEN);
+ const bool needed =
+ ((man->connection.up_query_mode == UP_QUERY_USER_PASS) && man->connection.up_query_type);
+ man_query_user_pass(man, type, string, needed, "username", man->connection.up_query.username,
+ USER_PASS_LEN);
 }
 static void
 man_query_password(struct management *man, const char *type, const char *string)
 {
 const bool needed = ((man->connection.up_query_mode == UP_QUERY_PASS
- || man->connection.up_query_mode == UP_QUERY_USER_PASS
- ) && man->connection.up_query_type);
+ || man->connection.up_query_mode == UP_QUERY_USER_PASS)
+ && man->connection.up_query_type);
 if (!string[0]) /* allow blank passwords to be passed through using the blank_up tag */
 {
 string = blank_up;
 }
- man_query_user_pass(man, type, string, needed, "password", man->connection.up_query.password, USER_PASS_LEN);
+ man_query_user_pass(man, type, string, needed, "password", man->connection.up_query.password,
+ USER_PASS_LEN);
 }
 static void
 man_query_need_ok(struct management *man, const char *type, const char *action)
 {
- const bool needed = ((man->connection.up_query_mode == UP_QUERY_NEED_OK) && man->connection.up_query_type);
- man_query_user_pass(man, type, action, needed, "needok-confirmation", man->connection.up_query.password, USER_PASS_LEN);
+ const bool needed =
+ ((man->connection.up_query_mode == UP_QUERY_NEED_OK) && man->connection.up_query_type);
+ man_query_user_pass(man, type, action, needed, "needok-confirmation",
+ man->connection.up_query.password, USER_PASS_LEN);
 }
 static void
 man_query_need_str(struct management *man, const char *type, const char *action)
 {
- const bool needed = 
((man->connection.up_query_mode == UP_QUERY_NEED_STR) && man->connection.up_query_type);
- man_query_user_pass(man, type, action, needed, "needstr-string", man->connection.up_query.password, USER_PASS_LEN);
+ const bool needed =
+ ((man->connection.up_query_mode == UP_QUERY_NEED_STR) && man->connection.up_query_type);
+ man_query_user_pass(man, type, action, needed, "needstr-string",
+ man->connection.up_query.password, USER_PASS_LEN);
 }
 static void
@@ -826,8 +815,8 @@ man_send_cc_message(struct management *man, const char *message, const char *par
 {
 if (man->persist.callback.send_cc_message)
 {
- const bool status = (*man->persist.callback.send_cc_message)
- (man->persist.callback.arg, message, parameters);
+ const bool status = (*man->persist.callback.send_cc_message)(man->persist.callback.arg,
+ message, parameters);
 if (status)
 {
 msg(M_CLIENT, "SUCCESS: command succeeded");
@@ -892,13 +881,12 @@ man_remote_entry_get(struct management *man, const char *p1, const char *p2)
 {
 ASSERT(p1);
- if (man->persist.callback.remote_entry_get
- && man->persist.callback.remote_entry_count)
+ if (man->persist.callback.remote_entry_get && man->persist.callback.remote_entry_count)
 {
 unsigned int count = (*man->persist.callback.remote_entry_count)(man->persist.callback.arg);
- unsigned int from = (unsigned int) atoi(p1);
- unsigned int to = p2 ? (unsigned int) atoi(p2) : from + 1;
+ unsigned int from = (unsigned int)atoi(p1);
+ unsigned int to = p2 ? (unsigned int)atoi(p2) : from + 1;
 if (!strcmp(p1, "all"))
 {
@@ -909,7 +897,8 @@ man_remote_entry_get(struct management *man, const char *p1, const char *p2)
 for (unsigned int i = from; i < min_uint(to, count); i++)
 {
 char *remote = NULL;
- bool res = (*man->persist.callback.remote_entry_get)(man->persist.callback.arg, i, &remote);
+ bool res =
+ (*man->persist.callback.remote_entry_get)(man->persist.callback.arg, i, &remote);
 if (res && remote)
 {
 msg(M_CLIENT, "%u,%s", i, remote);
@@ -955,8 +944,8 @@ man_hold(struct management *man, const char *cmd)
 }
 }
-#define IER_RESET 0
-#define IER_NEW 1
+#define IER_RESET 0
+#define IER_NEW 1
 static void
 in_extra_reset(struct man_connection *mc, const int mode)
@@ -989,14 +978,9 @@ in_extra_dispatch(struct management *man)
 case IEC_CLIENT_AUTH:
 if (man->persist.callback.client_auth)
 {
- const bool status = (*man->persist.callback.client_auth)
- (man->persist.callback.arg,
- man->connection.in_extra_cid,
- man->connection.in_extra_kid,
- true,
- NULL,
- NULL,
- man->connection.in_extra);
+ const bool status = (*man->persist.callback.client_auth)(
+ man->persist.callback.arg, man->connection.in_extra_cid,
+ man->connection.in_extra_kid, true, NULL, NULL, man->connection.in_extra);
 man->connection.in_extra = NULL;
 report_command_status(status, "client-auth");
 }
@@ -1063,9 +1047,8 @@ parse_uint(const char *str, const char *what, unsigned int *uint)
 * @param timeout_str The timeout value in string form
 */
 static void
-man_client_pending_auth(struct management *man, const char *cid_str,
- const char *kid_str, const char *extra,
- const char *timeout_str)
+man_client_pending_auth(struct management *man, const char *cid_str, const char *kid_str,
+ const char *extra, const char *timeout_str)
 {
 unsigned long cid = 0;
 unsigned int kid = 0;
@@ -1075,8 +1058,8 @@ man_client_pending_auth(struct management *man, const char *cid_str,
 {
 if (man->persist.callback.client_pending_auth)
 {
- bool ret = (*man->persist.callback.client_pending_auth)
- (man->persist.callback.arg, cid, kid, extra, timeout);
+ bool ret = (*man->persist.callback.client_pending_auth)(man->persist.callback.arg, cid,
+ kid, extra, timeout);
 if (ret)
 {
@@ -1085,7 +1068,7 @@ man_client_pending_auth(struct management *man, const char *cid_str,
 else
 {
 msg(M_CLIENT, "ERROR: client-pending-auth command failed."
- " Extra parameter might be too long");
+ " Extra parameter might be too long");
 }
 }
 else
@@ -1101,8 +1084,7 @@ man_client_auth(struct management *man, const char *cid_str, const char *kid_str
 struct man_connection *mc = &man->connection;
 mc->in_extra_cid = 0;
 mc->in_extra_kid = 0;
- if (parse_cid(cid_str, &mc->in_extra_cid)
- && parse_uint(kid_str, "KID", &mc->in_extra_kid))
+ if (parse_cid(cid_str, &mc->in_extra_cid) && parse_uint(kid_str, "KID", &mc->in_extra_kid))
 {
 mc->in_extra_cmd = IEC_CLIENT_AUTH;
 in_extra_reset(mc, IER_NEW);
@@ -1114,7 +1096,8 @@ man_client_auth(struct management *man, const char *cid_str, const char *kid_str
 }
 static void
-man_client_deny(struct management *man, const char *cid_str, const char *kid_str, const char *reason, const char *client_reason)
+man_client_deny(struct management *man, const char *cid_str, const char *kid_str,
+ const char *reason, const char *client_reason)
 {
 unsigned long cid = 0;
 unsigned int kid = 0;
@@ -1122,14 +1105,8 @@ man_client_deny(struct management *man, const char *cid_str, const char *kid_str
 {
 if (man->persist.callback.client_auth)
 {
- const bool status = (*man->persist.callback.client_auth)
- (man->persist.callback.arg,
- cid,
- kid,
- false,
- reason,
- client_reason,
- NULL);
+ const bool status = (*man->persist.callback.client_auth)(
+ man->persist.callback.arg, cid, kid, false, reason, client_reason, NULL);
 if (status)
 {
 msg(M_CLIENT, "SUCCESS: client-deny command succeeded");
@@ -1154,7 +1131,8 @@ man_client_kill(struct management *man, const char *cid_str, const char *kill_ms
 {
 if (man->persist.callback.kill_by_cid)
 {
- const bool status = (*man->persist.callback.kill_by_cid)(man->persist.callback.arg, cid, kill_msg);
+ const bool status =
+ (*man->persist.callback.kill_by_cid)(man->persist.callback.arg, cid, kill_msg);
 if (status)
 {
 msg(M_CLIENT, "SUCCESS: client-kill command succeeded");
@@ -1237,12 +1215,10 @@ man_load_stats(struct management *man)
 nclients = (*man->persist.callback.n_clients)(man->persist.callback.arg);
 }
 msg(M_CLIENT, "SUCCESS: nclients=%d,bytesin=" counter_format ",bytesout=" counter_format,
- nclients,
- link_read_bytes_global,
- link_write_bytes_global);
+ nclients, link_read_bytes_global, link_write_bytes_global);
 }
-#define MN_AT_LEAST (1<<0)
+#define MN_AT_LEAST (1 << 0)
 /**
 * Checks if the correct number of arguments to a management command are present
 * and otherwise prints an error and returns false.
@@ -1262,11 +1238,8 @@ man_need(struct management *man, const char **p, const int n, unsigned int flags
 {
 if (!p[i])
 {
- msg(M_CLIENT, "ERROR: the '%s' command requires %s%d parameter%s",
- p[0],
- (flags & MN_AT_LEAST) ? "at least " : "",
- n,
- n > 1 ? "s" : "");
+ msg(M_CLIENT, "ERROR: the '%s' command requires %s%d parameter%s", p[0],
+ (flags & MN_AT_LEAST) ? "at least " : "", n, n > 1 ? "s" : "");
 return false;
 }
 }
@@ -1312,8 +1285,7 @@ man_network_change(struct management *man, bool samenetwork)
 */
 if (man->persist.callback.network_change)
 {
- int fd = (*man->persist.callback.network_change)
- (man->persist.callback.arg, samenetwork);
+ int fd = (*man->persist.callback.network_change)(man->persist.callback.arg, samenetwork);
 man->connection.fdtosend = fd;
 msg(M_CLIENT, "PROTECTFD: fd '%d' sent to be protected", fd);
 if (fd == -2)
@@ -1334,7 +1306,8 @@ set_client_version(struct management *man, const char *version)
 }
 static void
-man_dispatch_command(struct management *man, struct status_output *so, const char **p, const int nparms)
+man_dispatch_command(struct management *man, struct status_output *so, const char **p,
+ const int nparms)
 {
 struct gc_arena gc = gc_new();
@@ -1664,7 +1637,8 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha const int n = atoi(p[1]); for (i = 0; i < n; ++i) { - msg(M_CLIENT, "[%d] The purpose of this command is to generate large amounts of output.", i); + msg(M_CLIENT, + "[%d] The purpose of this command is to generate large amounts of output.", i); } } } @@ -1691,7 +1665,8 @@ man_start_ne32(struct management *man) case MS_CC_WAIT_READ: case MS_CC_WAIT_WRITE: - net_event_win32_start(&man->connection.ne32, FD_READ|FD_WRITE|FD_CLOSE, man->connection.sd_cli); + net_event_win32_start(&man->connection.ne32, FD_READ | FD_WRITE | FD_CLOSE, + man->connection.sd_cli); break; default: @@ -1736,27 +1711,24 @@ man_new_connection_post(struct management *man, const char *description) #if UNIX_SOCK_SUPPORT if (man->settings.flags & MF_UNIX_SOCK) { - msg(D_MANAGEMENT, "MANAGEMENT: %s %s", - description, + msg(D_MANAGEMENT, "MANAGEMENT: %s %s", description, sockaddr_unix_name(&man->settings.local_unix, "NULL")); } else #endif - if (man->settings.flags & MF_CONNECT_AS_CLIENT) + if (man->settings.flags & MF_CONNECT_AS_CLIENT) { - msg(D_MANAGEMENT, "MANAGEMENT: %s %s", - description, + msg(D_MANAGEMENT, "MANAGEMENT: %s %s", description, print_sockaddr(man->settings.local->ai_addr, &gc)); } else { struct sockaddr_storage addr; socklen_t addrlen = sizeof(addr); - if (!getpeername(man->connection.sd_cli, (struct sockaddr *) &addr, - &addrlen)) + if (!getpeername(man->connection.sd_cli, (struct sockaddr *)&addr, &addrlen)) { msg(D_MANAGEMENT, "MANAGEMENT: %s %s", description, - print_sockaddr((struct sockaddr *) &addr, &gc)); + print_sockaddr((struct sockaddr *)&addr, &gc)); } else { 
@@ -1782,19 +1754,22 @@ man_verify_unix_peer_uid_gid(struct management *man, const socket_descriptor_t s { if (socket_defined(sd) && (man->settings.client_uid != -1 || man->settings.client_gid != -1)) { - static const char err_prefix[] = "MANAGEMENT: unix domain socket client connection rejected --"; + static const char err_prefix[] = + "MANAGEMENT: unix domain socket client connection rejected --"; int uid, gid; if (unix_socket_get_peer_uid_gid(man->connection.sd_cli, &uid, &gid)) { if (man->settings.client_uid != -1 && man->settings.client_uid != uid) { - msg(D_MANAGEMENT, "%s UID of socket peer (%d) doesn't match required value (%d) as given by --management-client-user", + msg(D_MANAGEMENT, + "%s UID of socket peer (%d) doesn't match required value (%d) as given by --management-client-user", err_prefix, uid, man->settings.client_uid); return false; } if (man->settings.client_gid != -1 && man->settings.client_gid != gid) { - msg(D_MANAGEMENT, "%s GID of socket peer (%d) doesn't match required value (%d) as given by --management-client-group", + msg(D_MANAGEMENT, + "%s GID of socket peer (%d) doesn't match required value (%d) as given by --management-client-group", err_prefix, gid, man->settings.client_gid); return false; } @@ -1876,8 +1851,8 @@ man_listen(struct management *man) #endif { man->connection.sd_top = create_socket_tcp(man->settings.local); - socket_bind(man->connection.sd_top, man->settings.local, - man->settings.local->ai_family, "MANAGEMENT", false); + socket_bind(man->connection.sd_top, man->settings.local, man->settings.local->ai_family, + "MANAGEMENT", false); } /* 
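Review bot: man_verify_unix_peer_uid_gid guards on `socket_defined(sd)` but then queries the peer credentials on `man->connection.sd_cli` rather than on `sd`, so the UID/GID comparison is made against a descriptor other than the one that was validated. If a caller ever passes a different descriptor, the --management-client-user/-group check would be evaluated on the wrong socket; `if (unix_socket_get_peer_uid_gid(sd, &uid, &gid))` ties the check to the parameter. The two are presumably the same at the call site, but that is not visible here, and the function's body continues outside the hunk.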
@@ -1905,14 +1880,13 @@ man_listen(struct management *man) const struct sockaddr *man_addr = man->settings.local->ai_addr; struct sockaddr_storage addr; socklen_t addrlen = sizeof(addr); - if (!getsockname(man->connection.sd_top, (struct sockaddr *) &addr, &addrlen)) + if (!getsockname(man->connection.sd_top, (struct sockaddr *)&addr, &addrlen)) { - man_addr = (struct sockaddr *) &addr; + man_addr = (struct sockaddr *)&addr; } else { - msg(M_WARN|M_ERRNO, - "Failed to get the management socket address"); + msg(M_WARN | M_ERRNO, "Failed to get the management socket address"); } msg(D_MANAGEMENT, "MANAGEMENT: TCP Socket listening on %s", print_sockaddr(man_addr, &gc)); @@ -1958,9 +1932,7 @@ man_connect(struct management *man) #endif { man->connection.sd_cli = create_socket_tcp(man->settings.local); - status = openvpn_connect(man->connection.sd_cli, - man->settings.local->ai_addr, - 5, + status = openvpn_connect(man->connection.sd_cli, man->settings.local->ai_addr, 5, &signal_received); } @@ -1975,15 +1947,13 @@ man_connect(struct management *man) #if UNIX_SOCK_SUPPORT if (man->settings.flags & MF_UNIX_SOCK) { - msg(D_LINK_ERRORS | M_ERRNO, - "MANAGEMENT: connect to unix socket %s failed", + msg(D_LINK_ERRORS | M_ERRNO, "MANAGEMENT: connect to unix socket %s failed", sockaddr_unix_name(&man->settings.local_unix, "NULL")); } else #endif { - msg(D_LINK_ERRORS | M_ERRNO, - "MANAGEMENT: connect to %s failed", + msg(D_LINK_ERRORS | M_ERRNO, "MANAGEMENT: connect to %s failed", print_sockaddr(man->settings.local->ai_addr, &gc)); } throw_signal_soft(SIGTERM, "management-connect-failed"); @@ -2048,7 +2018,7 @@ man_process_command(struct management *man, const char *line) struct gc_arena gc = gc_new(); struct status_output *so; int nparms; - char *parms[MAX_PARMS+1]; + char *parms[MAX_PARMS + 1]; CLEAR(parms); so = status_open(NULL, 0, -1, &man->persist.vout, 0); 
@@ -2101,8 +2071,7 @@ man_io_error(struct management *man, const char *prefix) if (!ignore_sys_error(err, crt_error)) { struct gc_arena gc = gc_new(); - msg(D_MANAGEMENT, "MANAGEMENT: TCP %s error: %s", prefix, - strerror(err)); + msg(D_MANAGEMENT, "MANAGEMENT: TCP %s error: %s", prefix, strerror(err)); gc_free(&gc); return true; } @@ -2119,7 +2088,8 @@ man_send_with_fd(int fd, void *ptr, size_t nbytes, int flags, int sendfd) struct msghdr msg = { 0 }; struct iovec iov[1]; - union { + union + { struct cmsghdr cm; char control[CMSG_SPACE(sizeof(int))]; } control_un; @@ -2132,7 +2102,7 @@ man_send_with_fd(int fd, void *ptr, size_t nbytes, int flags, int sendfd) cmptr->cmsg_len = CMSG_LEN(sizeof(int)); cmptr->cmsg_level = SOL_SOCKET; cmptr->cmsg_type = SCM_RIGHTS; - *((int *) CMSG_DATA(cmptr)) = sendfd; + *((int *)CMSG_DATA(cmptr)) = sendfd; msg.msg_name = NULL; msg.msg_namelen = 0; @@ -2152,13 +2122,14 @@ man_recv_with_fd(int fd, void *ptr, size_t nbytes, int flags, int *recvfd) struct iovec iov[1]; ssize_t n; - union { + union + { struct cmsghdr cm; char control[CMSG_SPACE(sizeof(int))]; } control_un; - struct cmsghdr *cmptr; + struct cmsghdr *cmptr; - msghdr.msg_control = control_un.control; + msghdr.msg_control = control_un.control; msghdr.msg_controllen = sizeof(control_un.control); msghdr.msg_name = NULL; @@ -2169,13 +2140,12 @@ man_recv_with_fd(int fd, void *ptr, size_t nbytes, int flags, int *recvfd) msghdr.msg_iov = iov; msghdr.msg_iovlen = 1; - if ( (n = recvmsg(fd, &msghdr, flags)) <= 0) + if ((n = recvmsg(fd, &msghdr, flags)) <= 0) { return (n); } - if ( (cmptr = CMSG_FIRSTHDR(&msghdr)) != NULL - && cmptr->cmsg_len == CMSG_LEN(sizeof(int))) + if ((cmptr = CMSG_FIRSTHDR(&msghdr)) != NULL && cmptr->cmsg_len == CMSG_LEN(sizeof(int))) { if (cmptr->cmsg_level != SOL_SOCKET) { 
@@ -2185,12 +2155,11 @@ man_recv_with_fd(int fd, void *ptr, size_t nbytes, int flags, int *recvfd) { msg(M_ERR, "control type != SCM_RIGHTS"); } - *recvfd = *((int *) CMSG_DATA(cmptr)); + *recvfd = *((int *)CMSG_DATA(cmptr)); } else { - *recvfd = -1; /* descriptor was not passed */ - + *recvfd = -1; /* descriptor was not passed */ } return (n); } @@ -2208,10 +2177,10 @@ management_android_control(struct management *man, const char *command, const ch } struct user_pass up; CLEAR(up); - strncpy(up.username, msg, sizeof(up.username)-1); + strncpy(up.username, msg, sizeof(up.username) - 1); - management_query_user_pass(management, &up, command, GET_USER_PASS_NEED_OK, (void *) 0); - return strcmp("ok", up.password)==0; + management_query_user_pass(management, &up, command, GET_USER_PASS_NEED_OK, (void *)0); + return strcmp("ok", up.password) == 0; } /* @@ -2226,8 +2195,8 @@ managment_android_persisttun_action(struct management *man) struct user_pass up; CLEAR(up); strcpy(up.username, "tunmethod"); - management_query_user_pass(management, &up, "PERSIST_TUN_ACTION", - GET_USER_PASS_NEED_OK, (void *) 0); + management_query_user_pass(management, &up, "PERSIST_TUN_ACTION", GET_USER_PASS_NEED_OK, + (void *)0); if (!strcmp("NOACTION", up.password)) { return ANDROID_KEEP_OLD_TUN; @@ -2238,7 +2207,8 @@ managment_android_persisttun_action(struct management *man) } else { - msg(M_ERR, "Got unrecognised '%s' from management for PERSIST_TUN_ACTION query", up.password); + msg(M_ERR, "Got unrecognised '%s' from management for PERSIST_TUN_ACTION query", + up.password); } ASSERT(0); @@ -2264,7 +2234,7 @@ man_read(struct management *man) { man->connection.lastfdreceived = fd; } -#else /* ifdef TARGET_ANDROID */ +#else /* ifdef TARGET_ANDROID */ len = recv(man->connection.sd_cli, (void *)buf, sizeof(buf), MSG_NOSIGNAL); #endif 
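Review bot: management_android_control takes `man` but passes the file-scope `management` to management_query_user_pass, and managment_android_persisttun_action in the next hunk does the same, leaving the parameter effectively unused. management_query_cert in a later hunk mixes the two in a single call (`management` as the first argument, `&man->connection.ext_cert_state` and `&man->connection.ext_cert_input` for the state), so if the two pointers ever differed the state would belong to a different object. Passing `man` consistently, e.g. `management_query_user_pass(man, &up, command, GET_USER_PASS_NEED_OK, (void *)0);`, matches the signatures. The `strncpy(up.username, msg, sizeof(up.username) - 1)` copy relies on the preceding `CLEAR(up)` for its terminating NUL and silently truncates a long `msg`; a short comment saying so would help the next reader. Both android functions begin before their hunks.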
@@ -2276,7 +2246,7 @@ man_read(struct management *man) { bool processed_command = false; - ASSERT(len <= (int) sizeof(buf)); + ASSERT(len <= (int)sizeof(buf)); command_line_add(man->connection.in, buf, len); /* @@ -2304,7 +2274,7 @@ man_read(struct management *man) } else { - man_process_command(man, (char *) line); + man_process_command(man, (char *)line); } if (man->connection.halt) { @@ -2357,12 +2327,13 @@ man_write(struct management *man) #ifdef TARGET_ANDROID if (man->connection.fdtosend > 0) { - sent = man_send_with_fd(man->connection.sd_cli, BPTR(buf), len, MSG_NOSIGNAL, man->connection.fdtosend); + sent = man_send_with_fd(man->connection.sd_cli, BPTR(buf), len, MSG_NOSIGNAL, + man->connection.fdtosend); man->connection.fdtosend = -1; } else #endif - sent = send(man->connection.sd_cli, (const void *)BPTR(buf), len, MSG_NOSIGNAL); + sent = send(man->connection.sd_cli, (const void *)BPTR(buf), len, MSG_NOSIGNAL); if (sent >= 0) { buffer_list_advance(man->connection.out, sent); @@ -2398,9 +2369,7 @@ man_connection_clear(struct man_connection *mc) } static void -man_persist_init(struct management *man, - const int log_history_cache, - const int echo_buffer_size, +man_persist_init(struct management *man, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size) { struct man_persist *mp = &man->persist; 
@@ -2458,17 +2427,10 @@ man_persist_close(struct man_persist *mp) } static void -man_settings_init(struct man_settings *ms, - const char *addr, - const char *port, - const char *pass_file, - const char *client_user, - const char *client_group, - const int log_history_cache, - const int echo_buffer_size, - const int state_buffer_size, - const int remap_sigusr1, - const unsigned int flags) +man_settings_init(struct man_settings *ms, const char *addr, const char *port, + const char *pass_file, const char *client_user, const char *client_group, + const int log_history_cache, const int echo_buffer_size, + const int state_buffer_size, const int remap_sigusr1, const unsigned int flags) { if (!ms->defined) { @@ -2514,7 +2476,6 @@ man_settings_init(struct man_settings *ms, else #endif { - /* * Run management over tunnel, or * separate channel? @@ -2526,16 +2487,16 @@ man_settings_init(struct man_settings *ms, else { int status; - int resolve_flags = GETADDR_RESOLVE|GETADDR_WARN_ON_SIGNAL|GETADDR_FATAL; + int resolve_flags = GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL | GETADDR_FATAL; if (!(flags & MF_CONNECT_AS_CLIENT)) { resolve_flags |= GETADDR_PASSIVE; } - status = openvpn_getaddrinfo(resolve_flags, addr, port, 0, - NULL, AF_UNSPEC, &ms->local); - ASSERT(status==0); + status = + openvpn_getaddrinfo(resolve_flags, addr, port, 0, NULL, AF_UNSPEC, &ms->local); + ASSERT(status == 0); } } @@ -2653,9 +2614,7 @@ management_init(void) struct management *man; ALLOC_OBJ_CLEAR(man, struct management); - man_persist_init(man, - MANAGEMENT_LOG_HISTORY_INITIAL_SIZE, - MANAGEMENT_ECHO_BUFFER_SIZE, + man_persist_init(man, MANAGEMENT_LOG_HISTORY_INITIAL_SIZE, MANAGEMENT_ECHO_BUFFER_SIZE, MANAGEMENT_STATE_BUFFER_SIZE); man_connection_clear(&man->connection); 
@@ -2664,16 +2623,9 @@ management_init(void) } bool -management_open(struct management *man, - const char *addr, - const char *port, - const char *pass_file, - const char *client_user, - const char *client_group, - const int log_history_cache, - const int echo_buffer_size, - const int state_buffer_size, - const int remap_sigusr1, +management_open(struct management *man, const char *addr, const char *port, const char *pass_file, + const char *client_user, const char *client_group, const int log_history_cache, + const int echo_buffer_size, const int state_buffer_size, const int remap_sigusr1, const unsigned int flags) { bool ret = false; @@ -2682,17 +2634,8 @@ management_open(struct management *man, * Save the settings only if they have not * been saved before. */ - man_settings_init(&man->settings, - addr, - port, - pass_file, - client_user, - client_group, - log_history_cache, - echo_buffer_size, - state_buffer_size, - remap_sigusr1, - flags); + man_settings_init(&man->settings, addr, port, pass_file, client_user, client_group, + log_history_cache, echo_buffer_size, state_buffer_size, remap_sigusr1, flags); /* * The log is initially sized to MANAGEMENT_LOG_HISTORY_INITIAL_SIZE, @@ -2729,8 +2672,7 @@ management_close(struct management *man) } void -management_set_callback(struct management *man, - const struct management_callback *cb) +management_set_callback(struct management *man, const struct management_callback *cb) { man->persist.standalone_disabled = true; man->persist.callback = *cb; 
@@ -2746,15 +2688,12 @@ management_clear_callback(struct management *man) } void -management_set_state(struct management *man, - const int state, - const char *detail, - const in_addr_t *tun_local_ip, - const struct in6_addr *tun_local_ip6, - const struct openvpn_sockaddr *local, - const struct openvpn_sockaddr *remote) +management_set_state(struct management *man, const int state, const char *detail, + const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, + const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote) { - if (man->persist.state && (!(man->settings.flags & MF_SERVER) || state < OPENVPN_STATE_CLIENT_BASE)) + if (man->persist.state + && (!(man->settings.flags & MF_SERVER) || state < OPENVPN_STATE_CLIENT_BASE)) { struct gc_arena gc = gc_new(); struct log_entry e; @@ -2786,13 +2725,11 @@ management_set_state(struct management *man, if (man->connection.state_realtime) { - out = log_entry_print(&e, LOG_PRINT_STATE_PREFIX - | LOG_PRINT_INT_DATE - | LOG_PRINT_STATE - | LOG_PRINT_LOCAL_IP - | LOG_PRINT_REMOTE_IP - | LOG_PRINT_CRLF - | LOG_ECHO_TO_LOG, &gc); + out = log_entry_print(&e, + LOG_PRINT_STATE_PREFIX | LOG_PRINT_INT_DATE | LOG_PRINT_STATE + | LOG_PRINT_LOCAL_IP | LOG_PRINT_REMOTE_IP | LOG_PRINT_CRLF + | LOG_ECHO_TO_LOG, + &gc); } if (out) 
@@ -2807,25 +2744,23 @@ management_set_state(struct management *man, static bool env_filter_match(const char *env_str, const int env_filter_level) { - static const char *env_names[] = { - "username=", - "password=", - "X509_0_CN=", - "tls_serial_", - "untrusted_ip=", - "ifconfig_local=", - "ifconfig_netmask=", - "daemon_start_time=", - "daemon_pid=", - "dev=", - "ifconfig_pool_remote_ip=", - "ifconfig_pool_netmask=", - "time_duration=", - "bytes_sent=", - "bytes_received=", - "session_id=", - "session_state=" - }; + static const char *env_names[] = { "username=", + "password=", + "X509_0_CN=", + "tls_serial_", + "untrusted_ip=", + "ifconfig_local=", + "ifconfig_netmask=", + "daemon_start_time=", + "daemon_pid=", + "dev=", + "ifconfig_pool_remote_ip=", + "ifconfig_pool_netmask=", + "time_duration=", + "bytes_sent=", + "bytes_received=", + "session_id=", + "session_state=" }; if (env_filter_level == 0) { @@ -2853,7 +2788,8 @@ env_filter_match(const char *env_str, const int env_filter_level) } static void -man_output_env(const struct env_set *es, const bool tail, const int env_filter_level, const char *prefix) +man_output_env(const struct env_set *es, const bool tail, const int env_filter_level, + const char *prefix) { if (es) { @@ -2914,11 +2850,12 @@ man_output_peer_info_env(struct management *man, const struct man_def_auth_conte char line[256]; if (man->persist.callback.get_peer_info) { - const char *peer_info = (*man->persist.callback.get_peer_info)(man->persist.callback.arg, mdac->cid); + const char *peer_info = + (*man->persist.callback.get_peer_info)(man->persist.callback.arg, mdac->cid); if (peer_info) { struct buffer buf; - buf_set_read(&buf, (const uint8_t *) peer_info, strlen(peer_info)); + buf_set_read(&buf, (const uint8_t *)peer_info, strlen(peer_info)); while (buf_parse(&buf, '\n', line, sizeof(line))) { chomp(line); 
@@ -2936,10 +2873,8 @@ man_output_peer_info_env(struct management *man, const struct man_def_auth_conte } void -management_notify_client_needing_auth(struct management *management, - const unsigned int mda_key_id, - struct man_def_auth_context *mdac, - const struct env_set *es) +management_notify_client_needing_auth(struct management *management, const unsigned int mda_key_id, + struct man_def_auth_context *mdac, const struct env_set *es) { if (!(mdac->flags & DAF_CONNECTION_CLOSED)) { @@ -2950,7 +2885,7 @@ management_notify_client_needing_auth(struct management *management, } msg(M_CLIENT, ">CLIENT:%s,%lu,%u", mode, mdac->cid, mda_key_id); man_output_extra_env(management, "CLIENT"); - if (management->connection.env_filter_level>0) + if (management->connection.env_filter_level > 0) { man_output_peer_info_env(management, mdac); } @@ -2960,18 +2895,15 @@ management_notify_client_needing_auth(struct management *management, } void -management_notify_client_cr_response(unsigned mda_key_id, - const struct man_def_auth_context *mdac, - const struct env_set *es, - const char *response) +management_notify_client_cr_response(unsigned mda_key_id, const struct man_def_auth_context *mdac, + const struct env_set *es, const char *response) { struct gc_arena gc; if (management) { gc = gc_new(); - msg(M_CLIENT, ">CLIENT:CR_RESPONSE,%lu,%u,%s", - mdac->cid, mda_key_id, response); + msg(M_CLIENT, ">CLIENT:CR_RESPONSE,%lu,%u,%s", mdac->cid, mda_key_id, response); man_output_extra_env(management, "CLIENT"); if (management->connection.env_filter_level > 0) { @@ -2983,8 +2915,7 @@ management_notify_client_cr_response(unsigned mda_key_id, } void -management_connection_established(struct management *management, - struct man_def_auth_context *mdac, +management_connection_established(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es) { mdac->flags |= DAF_CONNECTION_ESTABLISHED; 
@@ -2994,8 +2925,7 @@ management_connection_established(struct management *management, } void -management_notify_client_close(struct management *management, - struct man_def_auth_context *mdac, +management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es) { if ((mdac->flags & DAF_INITIAL_AUTH) && !(mdac->flags & DAF_CONNECTION_CLOSED)) @@ -3007,18 +2937,14 @@ management_notify_client_close(struct management *management, } void -management_learn_addr(struct management *management, - struct man_def_auth_context *mdac, - const struct mroute_addr *addr, - const bool primary) +management_learn_addr(struct management *management, struct man_def_auth_context *mdac, + const struct mroute_addr *addr, const bool primary) { struct gc_arena gc = gc_new(); if ((mdac->flags & DAF_INITIAL_AUTH) && !(mdac->flags & DAF_CONNECTION_CLOSED)) { - msg(M_CLIENT, ">CLIENT:ADDRESS,%lu,%s,%d", - mdac->cid, - mroute_addr_print_ex(addr, MAPF_SUBNET, &gc), - BOOL_CAST(primary)); + msg(M_CLIENT, ">CLIENT:ADDRESS,%lu,%s,%d", mdac->cid, + mroute_addr_print_ex(addr, MAPF_SUBNET, &gc), BOOL_CAST(primary)); } gc_free(&gc); } @@ -3042,7 +2968,10 @@ management_echo(struct management *man, const char *string, const bool pull) if (man->connection.echo_realtime) { - out = log_entry_print(&e, LOG_PRINT_INT_DATE|LOG_PRINT_ECHO_PREFIX|LOG_PRINT_CRLF|MANAGEMENT_ECHO_FLAGS, &gc); + out = log_entry_print(&e, + LOG_PRINT_INT_DATE | LOG_PRINT_ECHO_PREFIX | LOG_PRINT_CRLF + | MANAGEMENT_ECHO_FLAGS, + &gc); } if (out) @@ -3061,8 +2990,7 @@ management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip * If we are running management over the tunnel, * this is the place to initialize the connection. */ - if (man->settings.management_over_tunnel - && man->connection.state == MS_INITIAL) + if (man->settings.management_over_tunnel && man->connection.state == MS_INITIAL) { /* listen on our local TUN/TAP IP address */ struct in_addr ia; 
@@ -3071,12 +2999,11 @@ management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip ia.s_addr = htonl(tun_local_ip); inet_ntop(AF_INET, &ia, buf, sizeof(buf)); - ret = openvpn_getaddrinfo(GETADDR_PASSIVE, buf, NULL, 0, NULL, - AF_INET, &man->settings.local); - ASSERT(ret==0); + ret = + openvpn_getaddrinfo(GETADDR_PASSIVE, buf, NULL, 0, NULL, AF_INET, &man->settings.local); + ASSERT(ret == 0); man_connection_init(man); } - } void @@ -3124,9 +3051,7 @@ man_persist_state(unsigned int *persistent, const int n) #ifdef _WIN32 void -management_socket_set(struct management *man, - struct event_set *es, - void *arg, +management_socket_set(struct management *man, struct event_set *es, void *arg, unsigned int *persistent) { if (man->connection.state != MS_INITIAL) @@ -3153,7 +3078,7 @@ management_socket_set(struct management *man, case MS_CC_WAIT_WRITE: if (man_persist_state(persistent, 3)) { - event_ctl(es, ev, EVENT_READ|EVENT_WRITE, arg); + event_ctl(es, ev, EVENT_READ | EVENT_WRITE, arg); } break; @@ -3186,7 +3111,8 @@ management_io(struct management *man) net_event_win32_clear_selected_events(&man->connection.ne32, FD_ACCEPT); } } - else if (man->connection.state == MS_CC_WAIT_READ || man->connection.state == MS_CC_WAIT_WRITE) + else if (man->connection.state == MS_CC_WAIT_READ + || man->connection.state == MS_CC_WAIT_WRITE) { if (net_events & FD_READ) { @@ -3213,9 +3139,7 @@ management_io(struct management *man) #else /* ifdef _WIN32 */ void -management_socket_set(struct management *man, - struct event_set *es, - void *arg, +management_socket_set(struct management *man, struct event_set *es, void *arg, unsigned int *persistent) { switch (man->connection.state) 
@@ -3382,7 +3306,8 @@ man_output_standalone(struct management *man, volatile int *signal_received) * Process management event loop outside primary event loop */ static int -man_standalone_event_loop(struct management *man, volatile int *signal_received, const time_t expire) +man_standalone_event_loop(struct management *man, volatile int *signal_received, + const time_t expire) { int status = -1; if (man_standalone_ok(man)) @@ -3396,18 +3321,16 @@ man_standalone_event_loop(struct management *man, volatile int *signal_received, return status; } -#define MWCC_PASSWORD_WAIT (1<<0) -#define MWCC_HOLD_WAIT (1<<1) -#define MWCC_OTHER_WAIT (1<<2) +#define MWCC_PASSWORD_WAIT (1 << 0) +#define MWCC_HOLD_WAIT (1 << 1) +#define MWCC_OTHER_WAIT (1 << 2) /* * Block until client connects */ static void -man_wait_for_client_connection(struct management *man, - volatile int *signal_received, - const time_t expire, - unsigned int flags) +man_wait_for_client_connection(struct management *man, volatile int *signal_received, + const time_t expire, unsigned int flags) { ASSERT(man_standalone_ok(man)); if (man->connection.state == MS_LISTEN) @@ -3492,11 +3415,8 @@ management_event_loop_n_seconds(struct management *man, int sec) * Get a username/password from management channel in standalone mode. */ bool -management_query_user_pass(struct management *man, - struct user_pass *up, - const char *type, - const unsigned int flags, - const char *static_challenge) +management_query_user_pass(struct management *man, struct user_pass *up, const char *type, + const unsigned int flags, const char *static_challenge) { struct gc_arena gc = gc_new(); bool ret = false; @@ -3545,10 +3465,7 @@ management_query_user_pass(struct management *man, sc = static_challenge; } } - buf_printf(&alert_msg, ">%s:Need '%s' %s", - prefix, - type, - alert_type); + buf_printf(&alert_msg, ">%s:Need '%s' %s", prefix, type, alert_type); if (flags & (GET_USER_PASS_NEED_OK | GET_USER_PASS_NEED_STR)) { 
@@ -3559,7 +3476,7 @@ management_query_user_pass(struct management *man, { buf_printf(&alert_msg, " SC:%d,%s", BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO) - |(BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_CONCAT) << 1), + | (BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_CONCAT) << 1), sc); } @@ -3624,8 +3541,8 @@ management_query_user_pass(struct management *man, } static int -management_query_multiline(struct management *man, - const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input) +management_query_multiline(struct management *man, const char *b64_data, const char *prompt, + const char *cmd, int *state, struct buffer_list **input) { struct gc_arena gc = gc_new(); int ret = 0; @@ -3644,12 +3561,12 @@ management_query_multiline(struct management *man, if (b64_data) { - alert_msg = alloc_buf_gc(strlen(b64_data)+strlen(prompt)+3, &gc); + alert_msg = alloc_buf_gc(strlen(b64_data) + strlen(prompt) + 3, &gc); buf_printf(&alert_msg, ">%s:%s", prompt, b64_data); } else { - alert_msg = alloc_buf_gc(strlen(prompt)+3, &gc); + alert_msg = alloc_buf_gc(strlen(prompt) + 3, &gc); buf_printf(&alert_msg, ">%s", prompt); } @@ -3702,8 +3619,9 @@ done: static char * /* returns allocated base64 signature */ -management_query_multiline_flatten_newline(struct management *man, - const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input) +management_query_multiline_flatten_newline(struct management *man, const char *b64_data, + const char *prompt, const char *cmd, int *state, + struct buffer_list **input) { int ok; char *result = NULL; @@ -3716,7 +3634,7 @@ management_query_multiline_flatten_newline(struct management *man, buf = buffer_list_peek(*input); if (buf && BLEN(buf) > 0) { - result = (char *) malloc(BLEN(buf)+1); + result = (char *)malloc(BLEN(buf) + 1); check_malloc_return(result); memcpy(result, buf->data, BLEN(buf)); result[BLEN(buf)] = '\0'; 
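Review bot: management_query_multiline_flatten_newline casts the result of malloc, `result = (char *)malloc(BLEN(buf) + 1);`, which is unnecessary in C and can mask a missing prototype; `result = malloc(BLEN(buf) + 1);` is the idiomatic form, and the same cast appears in management_query_multiline_flatten in the next hunk. The visible parts of those two functions are identical line for line, so they look like candidates for a shared helper, though the parts that differ lie outside the hunks. Both function bodies continue outside the hunk.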
@@ -3731,8 +3649,8 @@ management_query_multiline_flatten_newline(struct management *man, static char * /* returns allocated base64 signature */ -management_query_multiline_flatten(struct management *man, - const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input) +management_query_multiline_flatten(struct management *man, const char *b64_data, const char *prompt, + const char *cmd, int *state, struct buffer_list **input) { int ok; char *result = NULL; @@ -3745,7 +3663,7 @@ management_query_multiline_flatten(struct management *man, buf = buffer_list_peek(*input); if (buf && BLEN(buf) > 0) { - result = (char *) malloc(BLEN(buf)+1); + result = (char *)malloc(BLEN(buf) + 1); check_malloc_return(result); memcpy(result, buf->data, BLEN(buf)); result[BLEN(buf)] = '\0'; @@ -3760,8 +3678,7 @@ management_query_multiline_flatten(struct management *man, char * /* returns allocated base64 signature */ -management_query_pk_sig(struct management *man, const char *b64_data, - const char *algorithm) +management_query_pk_sig(struct management *man, const char *b64_data, const char *algorithm) { const char *prompt = "PK_SIGN"; const char *desc = "pk-sign"; 
@@ -3773,15 +3690,15 @@ management_query_pk_sig(struct management *man, const char *b64_data, desc = "rsa-sign"; } - buf_write(&buf_data, b64_data, (int) strlen(b64_data)); + buf_write(&buf_data, b64_data, (int)strlen(b64_data)); if (man->connection.client_version > 2) { - buf_write(&buf_data, ",", (int) strlen(",")); - buf_write(&buf_data, algorithm, (int) strlen(algorithm)); + buf_write(&buf_data, ",", (int)strlen(",")); + buf_write(&buf_data, algorithm, (int)strlen(algorithm)); } - char *ret = management_query_multiline_flatten(man, - (char *)buf_bptr(&buf_data), prompt, desc, - &man->connection.ext_key_state, &man->connection.ext_key_input); + char *ret = management_query_multiline_flatten(man, (char *)buf_bptr(&buf_data), prompt, desc, + &man->connection.ext_key_state, + &man->connection.ext_key_input); free_buf(&buf_data); return ret; } @@ -3792,12 +3709,12 @@ management_query_cert(struct management *man, const char *cert_name) const char prompt_1[] = "NEED-CERTIFICATE:"; struct buffer buf_prompt = alloc_buf(strlen(cert_name) + 20); buf_write(&buf_prompt, prompt_1, strlen(prompt_1)); - buf_write(&buf_prompt, cert_name, strlen(cert_name)+1); /* +1 for \0 */ + buf_write(&buf_prompt, cert_name, strlen(cert_name) + 1); /* +1 for \0 */ char *result; - result = management_query_multiline_flatten_newline(management, - NULL, (char *)buf_bptr(&buf_prompt), "certificate", - &man->connection.ext_cert_state, &man->connection.ext_cert_input); + result = management_query_multiline_flatten_newline( + management, NULL, (char *)buf_bptr(&buf_prompt), "certificate", + &man->connection.ext_cert_state, &man->connection.ext_cert_input); free_buf(&buf_prompt); return result; } 
@@ -3824,7 +3741,8 @@ management_hold(struct management *man, int holdtime) const bool standalone_disabled_save = man->persist.standalone_disabled; struct gc_arena gc = gc_new(); - man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */ + man->persist.standalone_disabled = + false; /* This is so M_CLIENT messages will be correctly passed through msg() */ man->persist.special_state_msg = NULL; man->settings.mansig |= MANSIG_IGNORE_USR1_HUP; @@ -3903,7 +3821,7 @@ command_line_add(struct command_line *cl, const unsigned char *buf, const int le int i; for (i = 0; i < len; ++i) { - if (buf[i] && char_class(buf[i], (CC_PRINT|CC_NEWLINE))) + if (buf[i] && char_class(buf[i], (CC_PRINT | CC_NEWLINE))) { if (!buf_write_u8(&cl->buf, buf[i])) { @@ -3987,10 +3905,16 @@ log_entry_print(const struct log_entry *e, unsigned int flags, struct gc_arena * } if (flags & LOG_PRINT_REMOTE_IP) { - buf_printf(&out, ",%s", (!addr_defined(&e->remote_sock) ? "," : - print_sockaddr_ex(&e->remote_sock.addr.sa, ",", PS_DONT_SHOW_FAMILY|PS_SHOW_PORT, gc))); - buf_printf(&out, ",%s", (!addr_defined(&e->local_sock) ? "," : - print_sockaddr_ex(&e->local_sock.addr.sa, ",", PS_DONT_SHOW_FAMILY|PS_SHOW_PORT, gc))); + buf_printf(&out, ",%s", + (!addr_defined(&e->remote_sock) + ? "," + : print_sockaddr_ex(&e->remote_sock.addr.sa, ",", + PS_DONT_SHOW_FAMILY | PS_SHOW_PORT, gc))); + buf_printf(&out, ",%s", + (!addr_defined(&e->local_sock) + ? "," + : print_sockaddr_ex(&e->local_sock.addr.sa, ",", + PS_DONT_SHOW_FAMILY | PS_SHOW_PORT, gc))); } if (flags & LOG_PRINT_LOCAL_IP && !IN6_IS_ADDR_UNSPECIFIED(&e->local_ip6)) { 
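Review bot: In management_hold the trailing comment makes clang-format split the assignment as `man->persist.standalone_disabled =` followed by `false; /* ... */`, which reads as if `false` were a separate statement. Moving the comment onto its own line above the statement keeps the assignment intact: `/* This is so M_CLIENT messages will be correctly passed through msg() */` then `man->persist.standalone_disabled = false;`. management_hold's body continues outside the hunk.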
@@ -4143,8 +4067,7 @@ management_sleep(const int n)
 void
 management_check_bytecount(struct context *c, struct management *man, struct timeval *timeval)
 {
- if (event_timeout_trigger(&man->connection.bytecount_update_interval,
- timeval, ETT_DEFAULT))
+ if (event_timeout_trigger(&man->connection.bytecount_update_interval, timeval, ETT_DEFAULT))
 {
 counter_type dco_read_bytes = 0;
 counter_type dco_write_bytes = 0;
@@ -4181,7 +4104,7 @@ man_persist_client_stats(struct management *man, struct context *c)
 }
 }
-#else /* ifdef ENABLE_MANAGEMENT */
+#else /* ifdef ENABLE_MANAGEMENT */
 #include "win32.h"
 void
diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h
index 36a19056f..083caf5ce 100644
--- a/src/openvpn/manage.h
+++ b/src/openvpn/manage.h
@@ -24,24 +24,24 @@
 #define MANAGE_H
 /* management_open flags */
-#define MF_SERVER (1<<0)
-#define MF_QUERY_PASSWORDS (1<<1)
-#define MF_HOLD (1<<2)
-#define MF_SIGNAL (1<<3)
-#define MF_FORGET_DISCONNECT (1<<4)
-#define MF_CONNECT_AS_CLIENT (1<<5)
-#define MF_CLIENT_AUTH (1<<6)
+#define MF_SERVER (1 << 0)
+#define MF_QUERY_PASSWORDS (1 << 1)
+#define MF_HOLD (1 << 2)
+#define MF_SIGNAL (1 << 3)
+#define MF_FORGET_DISCONNECT (1 << 4)
+#define MF_CONNECT_AS_CLIENT (1 << 5)
+#define MF_CLIENT_AUTH (1 << 6)
 /* #define MF_CLIENT_PF (1<<7) *REMOVED FEATURE* */
-#define MF_UNIX_SOCK (1<<8)
-#define MF_EXTERNAL_KEY (1<<9)
-#define MF_EXTERNAL_KEY_NOPADDING (1<<10)
-#define MF_EXTERNAL_KEY_PKCS1PAD (1<<11)
-#define MF_UP_DOWN (1<<12)
-#define MF_QUERY_REMOTE (1<<13)
-#define MF_QUERY_PROXY (1<<14)
-#define MF_EXTERNAL_CERT (1<<15)
-#define MF_EXTERNAL_KEY_PSSPAD (1<<16)
-#define MF_EXTERNAL_KEY_DIGEST (1<<17)
+#define MF_UNIX_SOCK (1 << 8)
+#define MF_EXTERNAL_KEY (1 << 9)
+#define MF_EXTERNAL_KEY_NOPADDING (1 << 10)
+#define MF_EXTERNAL_KEY_PKCS1PAD (1 << 11)
+#define MF_UP_DOWN (1 << 12)
+#define MF_QUERY_REMOTE (1 << 13)
+#define MF_QUERY_PROXY (1 << 14)
+#define MF_EXTERNAL_CERT (1 << 15)
+#define MF_EXTERNAL_KEY_PSSPAD (1 << 16)
+#define MF_EXTERNAL_KEY_DIGEST (1 << 17)
 #ifdef ENABLE_MANAGEMENT
@@ -51,21 +51,22 @@
 #include "socket.h"
 #include "mroute.h"
-#define MANAGEMENT_VERSION 5
-#define MANAGEMENT_N_PASSWORD_RETRIES 3
-#define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE 100
-#define MANAGEMENT_ECHO_BUFFER_SIZE 100
-#define MANAGEMENT_STATE_BUFFER_SIZE 100
+#define MANAGEMENT_VERSION 5
+#define MANAGEMENT_N_PASSWORD_RETRIES 3
+#define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE 100
+#define MANAGEMENT_ECHO_BUFFER_SIZE 100
+#define MANAGEMENT_STATE_BUFFER_SIZE 100
 /*
 * Management-interface-based deferred authentication
 */
-struct man_def_auth_context {
+struct man_def_auth_context
+{
 unsigned long cid;
-#define DAF_CONNECTION_ESTABLISHED (1<<0)
-#define DAF_CONNECTION_CLOSED (1<<1)
-#define DAF_INITIAL_AUTH (1<<2)
+#define DAF_CONNECTION_ESTABLISHED (1 << 0)
+#define DAF_CONNECTION_CLOSED (1 << 1)
+#define DAF_INITIAL_AUTH (1 << 2)
 unsigned int flags;
 unsigned int mda_key_id_counter;
@@ -98,7 +99,8 @@ void command_line_next(struct command_line *cl);
 * Manage log file history
 */
-union log_entry_union {
+union log_entry_union
+{
 unsigned int msg_flags;
 int state;
 int intval;
@@ -115,23 +117,23 @@ struct log_entry
 union log_entry_union u;
 };
-#define LOG_PRINT_LOG_PREFIX (1<<0)
-#define LOG_PRINT_ECHO_PREFIX (1<<1)
-#define LOG_PRINT_STATE_PREFIX (1<<2)
+#define LOG_PRINT_LOG_PREFIX (1 << 0)
+#define LOG_PRINT_ECHO_PREFIX (1 << 1)
+#define LOG_PRINT_STATE_PREFIX (1 << 2)
-#define LOG_PRINT_INT_DATE (1<<3)
-#define LOG_PRINT_MSG_FLAGS (1<<4)
-#define LOG_PRINT_STATE (1<<5)
-#define LOG_PRINT_LOCAL_IP (1<<6)
+#define LOG_PRINT_INT_DATE (1 << 3)
+#define LOG_PRINT_MSG_FLAGS (1 << 4)
+#define LOG_PRINT_STATE (1 << 5)
+#define LOG_PRINT_LOCAL_IP (1 << 6)
-#define LOG_PRINT_CRLF (1<<7)
-#define LOG_FATAL_NOTIFY (1<<8)
+#define LOG_PRINT_CRLF (1 << 7)
+#define LOG_FATAL_NOTIFY (1 << 8)
-#define LOG_PRINT_INTVAL (1<<9)
+#define LOG_PRINT_INTVAL (1 << 9)
-#define LOG_PRINT_REMOTE_IP (1<<10)
+#define LOG_PRINT_REMOTE_IP (1 << 10)
-#define LOG_ECHO_TO_LOG (1<<11)
+#define LOG_ECHO_TO_LOG (1 << 11)
 const char *log_entry_print(const struct log_entry *e, unsigned int flags, struct gc_arena *gc);
@@ -173,32 +175,25 @@ struct management_callback
 {
 void *arg;
-#define MCF_SERVER (1<<0) /* is OpenVPN being run as a server? */
+#define MCF_SERVER (1 << 0) /* is OpenVPN being run as a server? */
 unsigned int flags;
- void (*status) (void *arg, const int version, struct status_output *so);
- void (*show_net) (void *arg, const int msglevel);
- int (*kill_by_cn) (void *arg, const char *common_name);
- int (*kill_by_addr) (void *arg, const in_addr_t addr, const int port, const int proto);
- void (*delete_event) (void *arg, event_t event);
- int (*n_clients) (void *arg);
- bool (*send_cc_message) (void *arg, const char *message, const char *parameter);
+ void (*status)(void *arg, const int version, struct status_output *so);
+ void (*show_net)(void *arg, const int msglevel);
+ int (*kill_by_cn)(void *arg, const char *common_name);
+ int (*kill_by_addr)(void *arg, const in_addr_t addr, const int port, const int proto);
+ void (*delete_event)(void *arg, event_t event);
+ int (*n_clients)(void *arg);
+ bool (*send_cc_message)(void *arg, const char *message, const char *parameter);
 bool (*kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg);
- bool (*client_auth) (void *arg,
- const unsigned long cid,
- const unsigned int mda_key_id,
- const bool auth,
- const char *reason,
- const char *client_reason,
- struct buffer_list *cc_config); /* ownership transferred */
- bool (*client_pending_auth) (void *arg,
- const unsigned long cid,
- const unsigned int kid,
- const char *extra,
- unsigned int timeout);
- char *(*get_peer_info) (void *arg, const unsigned long cid);
+ bool (*client_auth)(void *arg, const unsigned long cid, const unsigned int mda_key_id,
+ const bool auth, const char *reason, const char *client_reason,
+ struct buffer_list *cc_config); /* ownership transferred */
+ bool (*client_pending_auth)(void *arg, const unsigned long cid, const unsigned int kid,
+ const char *extra, unsigned int timeout);
+ char *(*get_peer_info)(void *arg, const unsigned long cid);
 bool (*proxy_cmd)(void *arg, const char **p);
- bool (*remote_cmd) (void *arg, const char **p);
+ bool (*remote_cmd)(void *arg, const char **p);
 #ifdef TARGET_ANDROID
 int (*network_change)(void *arg, bool samenetwork);
 #endif
@@ -220,7 +215,8 @@ struct management_callback
 * connections.
 */
-struct man_persist {
+struct man_persist
+{
 bool defined;
 struct log_history *log;
@@ -240,7 +236,8 @@ struct man_persist {
 counter_type bytes_out;
 };
-struct man_settings {
+struct man_settings
+{
 bool defined;
 unsigned int flags; /* MF_x flags */
 struct addrinfo *local;
@@ -256,9 +253,9 @@ struct man_settings {
 int client_gid;
 /* flags for handling the management interface "signal" command */
-#define MANSIG_IGNORE_USR1_HUP (1<<0)
-#define MANSIG_MAP_USR1_TO_HUP (1<<1)
-#define MANSIG_MAP_USR1_TO_TERM (1<<2)
+#define MANSIG_IGNORE_USR1_HUP (1 << 0)
+#define MANSIG_MAP_USR1_TO_HUP (1 << 1)
+#define MANSIG_MAP_USR1_TO_TERM (1 << 2)
 unsigned int mansig;
 };
@@ -270,12 +267,13 @@ struct man_settings {
 #define UP_QUERY_NEED_STR 4
 /* states */
-#define MS_INITIAL 0 /* all sockets are closed */
-#define MS_LISTEN 1 /* no client is connected */
-#define MS_CC_WAIT_READ 2 /* client is connected, waiting for read on socket */
-#define MS_CC_WAIT_WRITE 3 /* client is connected, waiting for ability to write to socket */
+#define MS_INITIAL 0 /* all sockets are closed */
+#define MS_LISTEN 1 /* no client is connected */
+#define MS_CC_WAIT_READ 2 /* client is connected, waiting for read on socket */
+#define MS_CC_WAIT_WRITE 3 /* client is connected, waiting for ability to write to socket */
-struct man_connection {
+struct man_connection
+{
 int state;
 socket_descriptor_t sd_top;
@@ -344,16 +342,10 @@ struct user_pass;
 struct management *management_init(void);
-bool management_open(struct management *man,
- const char *addr,
- const char *port,
- const char *pass_file,
- const char *client_user,
- const char *client_group,
- const int log_history_cache,
- const int echo_buffer_size,
- const int state_buffer_size,
- const int remap_sigusr1,
+bool management_open(struct management *man, const char *addr, const char *port,
+ const char *pass_file, const char *client_user, const char *client_group,
+ const int log_history_cache, const int echo_buffer_size,
+ const int state_buffer_size, const int remap_sigusr1,
 const unsigned int flags);
 void management_close(struct management *man);
@@ -362,28 +354,22 @@ void management_post_tunnel_open(struct management *man, const in_addr_t tun_loc
 void management_pre_tunnel_close(struct management *man);
-void management_socket_set(struct management *man,
- struct event_set *es,
- void *arg,
+void management_socket_set(struct management *man, struct event_set *es, void *arg,
 unsigned int *persistent);
 void management_io(struct management *man);
-void management_set_callback(struct management *man,
- const struct management_callback *cb);
+void management_set_callback(struct management *man, const struct management_callback *cb);
 void management_clear_callback(struct management *man);
-bool management_query_user_pass(struct management *man,
- struct user_pass *up,
- const char *type,
- const unsigned int flags,
- const char *static_challenge);
+bool management_query_user_pass(struct management *man, struct user_pass *up, const char *type,
+ const unsigned int flags, const char *static_challenge);
 #ifdef TARGET_ANDROID
 bool management_android_control(struct management *man, const char *command, const char *msg);
-#define ANDROID_KEEP_OLD_TUN 1
+#define ANDROID_KEEP_OLD_TUN 1
 #define ANDROID_OPEN_BEFORE_CLOSE 2
 int managment_android_persisttun_action(struct management *man);
@@ -397,7 +383,8 @@ void management_event_loop_n_seconds(struct management *man, int sec);
 void management_up_down(struct management *man, const char *updown, const struct env_set *es);
-void management_notify(struct management *man, const char *severity, const char *type, const char *text);
+void management_notify(struct management *man, const char *severity, const char *type,
+ const char *text);
 void management_notify_generic(struct management *man, const char *str);
@@ -407,25 +394,19 @@ void management_notify_client_needing_auth(struct management *management,
 const struct env_set *es);
 void management_connection_established(struct management *management,
- struct man_def_auth_context *mdac,
- const struct env_set *es);
+ struct man_def_auth_context *mdac, const struct env_set *es);
 void management_notify_client_close(struct management *management,
- struct man_def_auth_context *mdac,
- const struct env_set *es);
+ struct man_def_auth_context *mdac, const struct env_set *es);
-void management_learn_addr(struct management *management,
- struct man_def_auth_context *mdac,
- const struct mroute_addr *addr,
- const bool primary);
+void management_learn_addr(struct management *management, struct man_def_auth_context *mdac,
+ const struct mroute_addr *addr, const bool primary);
 void management_notify_client_cr_response(unsigned mda_key_id,
 const struct man_def_auth_context *mdac,
- const struct env_set *es,
- const char *response);
+ const struct env_set *es, const char *response);
-char *management_query_pk_sig(struct management *man, const char *b64_data,
- const char *algorithm);
+char *management_query_pk_sig(struct management *man, const char *b64_data, const char *algorithm);
 char *management_query_cert(struct management *man, const char *cert_name);
@@ -465,30 +446,28 @@ management_enable_def_auth(const struct management *man)
 */
 /* client/server states */
-#define OPENVPN_STATE_INITIAL 0 /* Initial, undefined state */
-#define OPENVPN_STATE_CONNECTING 1 /* Management interface has been initialized */
-#define OPENVPN_STATE_ASSIGN_IP 2 /* Assigning IP address to virtual network interface */
-#define OPENVPN_STATE_ADD_ROUTES 3 /* Adding routes to system */
-#define OPENVPN_STATE_CONNECTED 4 /* Initialization sequence completed */
-#define OPENVPN_STATE_RECONNECTING 5 /* Restart */
-#define OPENVPN_STATE_EXITING 6 /* Exit */
+#define OPENVPN_STATE_INITIAL 0 /* Initial, undefined state */
+#define OPENVPN_STATE_CONNECTING 1 /* Management interface has been initialized */
+#define OPENVPN_STATE_ASSIGN_IP 2 /* Assigning IP address to virtual network interface */
+#define OPENVPN_STATE_ADD_ROUTES 3 /* Adding routes to system */
+#define OPENVPN_STATE_CONNECTED 4 /* Initialization sequence completed */
+#define OPENVPN_STATE_RECONNECTING 5 /* Restart */
+#define OPENVPN_STATE_EXITING 6 /* Exit */
 /* client-only states */
-#define OPENVPN_STATE_WAIT 7 /* Waiting for initial response from server */
-#define OPENVPN_STATE_AUTH 8 /* Authenticating with server */
-#define OPENVPN_STATE_GET_CONFIG 9 /* Downloading configuration from server */
-#define OPENVPN_STATE_RESOLVE 10 /* DNS lookup */
-#define OPENVPN_STATE_TCP_CONNECT 11 /* Connecting to TCP server */
-#define OPENVPN_STATE_AUTH_PENDING 12 /* Waiting in auth-pending mode
- * technically variant of GET_CONFIG */
-
-#define OPENVPN_STATE_CLIENT_BASE 7 /* Base index of client-only states */
-
-void management_set_state(struct management *man,
- const int state,
- const char *detail,
- const in_addr_t *tun_local_ip,
- const struct in6_addr *tun_local_ip6,
+#define OPENVPN_STATE_WAIT 7 /* Waiting for initial response from server */
+#define OPENVPN_STATE_AUTH 8 /* Authenticating with server */
+#define OPENVPN_STATE_GET_CONFIG 9 /* Downloading configuration from server */
+#define OPENVPN_STATE_RESOLVE 10 /* DNS lookup */
+#define OPENVPN_STATE_TCP_CONNECT 11 /* Connecting to TCP server */
+#define OPENVPN_STATE_AUTH_PENDING \
+ 12 /* Waiting in auth-pending mode \
+ * technically variant of GET_CONFIG */
+
+#define OPENVPN_STATE_CLIENT_BASE 7 /* Base index of client-only states */
+
+void management_set_state(struct management *man, const int state, const char *detail,
+ const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6,
 const struct openvpn_sockaddr *local_addr,
 const struct openvpn_sockaddr *remote_addr);
@@ -513,15 +492,10 @@ void management_auth_token(struct management *man, const char *token);
 * These functions drive the bytecount in/out counters.
 */
-void
-management_check_bytecount(struct context *c,
- struct management *man,
- struct timeval *timeval);
+void management_check_bytecount(struct context *c, struct management *man, struct timeval *timeval);
 static inline void
-management_bytes_client(struct management *man,
- const int size_in,
- const int size_out)
+management_bytes_client(struct management *man, const int size_in, const int size_out)
 {
 if (!(man->persist.callback.flags & MCF_SERVER))
 {
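Review bot: The reformatted `OPENVPN_STATE_AUTH_PENDING` definition in src/openvpn/manage.h now puts the value `12` on a continuation line and leaves a backslash-newline inside the trailing block comment (`12 /* Waiting in auth-pending mode \`), which only works because line splicing happens before comment processing and breaks the one-line-per-state layout the surrounding table keeps. Moving the explanation above the define as a normal block comment, `/* Waiting in auth-pending mode, technically variant of GET_CONFIG */` followed by `#define OPENVPN_STATE_AUTH_PENDING 12`, keeps the table uniform and gives clang-format nothing to wrap. This looks like a formatter artifact rather than an intended change; the rest of the hunk is whitespace-only.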
@@ -530,27 +504,24 @@ management_bytes_client(struct management *man,
 }
 }
-void
-man_bytecount_output_server(const counter_type *bytes_in_total,
- const counter_type *bytes_out_total,
- struct man_def_auth_context *mdac);
+void man_bytecount_output_server(const counter_type *bytes_in_total,
+ const counter_type *bytes_out_total,
+ struct man_def_auth_context *mdac);
 static inline void
-management_bytes_server(struct management *man,
- const counter_type *bytes_in_total,
- const counter_type *bytes_out_total,
- struct man_def_auth_context *mdac)
+management_bytes_server(struct management *man, const counter_type *bytes_in_total,
+ const counter_type *bytes_out_total, struct man_def_auth_context *mdac)
 {
 if (man->connection.bytecount_update_seconds > 0
 && now >= mdac->bytecount_last_update + man->connection.bytecount_update_seconds
- && (mdac->flags & (DAF_CONNECTION_ESTABLISHED | DAF_CONNECTION_CLOSED)) == DAF_CONNECTION_ESTABLISHED)
+ && (mdac->flags & (DAF_CONNECTION_ESTABLISHED | DAF_CONNECTION_CLOSED))
+ == DAF_CONNECTION_ESTABLISHED)
 {
 man_bytecount_output_server(bytes_in_total, bytes_out_total, mdac);
 }
 }
-void
-man_persist_client_stats(struct management *man, struct context *c);
+void man_persist_client_stats(struct management *man, struct context *c);
 #endif /* ifdef ENABLE_MANAGEMENT */
diff --git a/src/openvpn/mbedtls_compat.h b/src/openvpn/mbedtls_compat.h
index 655c48f2b..62ed257ee 100644
--- a/src/openvpn/mbedtls_compat.h
+++ b/src/openvpn/mbedtls_compat.h
@@ -48,7 +48,7 @@
 #include
 #ifdef HAVE_PSA_CRYPTO_H
- #include
+#include
 #endif
 #if MBEDTLS_VERSION_NUMBER >= 0x03000000
@@ -89,8 +89,7 @@ mbedtls_compat_get_group_id(const mbedtls_ecp_curve_info *curve_info)
 * an error code.
 */
 static inline int
-mbedtls_compat_ctr_drbg_update(mbedtls_ctr_drbg_context *ctx,
- const unsigned char *additional,
+mbedtls_compat_ctr_drbg_update(mbedtls_ctr_drbg_context *ctx, const unsigned char *additional,
 size_t add_len)
 {
 #if MBEDTLS_VERSION_NUMBER > 0x03000000
@@ -115,8 +114,7 @@ mbedtls_compat_pk_check_pair(const mbedtls_pk_context *pub, const mbedtls_pk_con
 }
 static inline int
-mbedtls_compat_pk_parse_key(mbedtls_pk_context *ctx,
- const unsigned char *key, size_t keylen,
+mbedtls_compat_pk_parse_key(mbedtls_pk_context *ctx, const unsigned char *key, size_t keylen,
 const unsigned char *pwd, size_t pwdlen,
 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
 {
@@ -128,8 +126,7 @@ mbedtls_compat_pk_parse_key(mbedtls_pk_context *ctx,
 }
 static inline int
-mbedtls_compat_pk_parse_keyfile(mbedtls_pk_context *ctx,
- const char *path, const char *password,
+mbedtls_compat_pk_parse_keyfile(mbedtls_pk_context *ctx, const char *path, const char *password,
 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
 {
 #if MBEDTLS_VERSION_NUMBER < 0x03020100
@@ -140,8 +137,9 @@ mbedtls_compat_pk_parse_keyfile(mbedtls_pk_context *ctx,
 }
 #if MBEDTLS_VERSION_NUMBER < 0x03020100
-typedef enum {
- MBEDTLS_SSL_VERSION_UNKNOWN, /*!< Context not in use or version not yet negotiated. */
+typedef enum
+{
+ MBEDTLS_SSL_VERSION_UNKNOWN, /*!< Context not in use or version not yet negotiated. */
 MBEDTLS_SSL_VERSION_TLS1_2 = 0x0303, /*!< (D)TLS 1.2 */
 MBEDTLS_SSL_VERSION_TLS1_3 = 0x0304, /*!< (D)TLS 1.3 */
 } mbedtls_ssl_protocol_version;
diff --git a/src/openvpn/mbuf.c b/src/openvpn/mbuf.c
index 76f2e58d7..0750fecdf 100644
--- a/src/openvpn/mbuf.c
+++ b/src/openvpn/mbuf.c
@@ -50,7 +50,7 @@ mbuf_free(struct mbuf_set *ms)
 if (ms)
 {
 int i;
- for (i = 0; i < (int) ms->len; ++i)
+ for (i = 0; i < (int)ms->len; ++i)
 {
 struct mbuf_item *item = &ms->array[MBUF_INDEX(ms->head, i, ms->capacity)];
 mbuf_free_buf(item->buffer);
@@ -134,7 +134,7 @@ mbuf_peek_dowork(struct mbuf_set *ms)
 if (ms)
 {
 int i;
- for (i = 0; i < (int) ms->len; ++i)
+ for (i = 0; i < (int)ms->len; ++i)
 {
 struct mbuf_item *item = &ms->array[MBUF_INDEX(ms->head, i, ms->capacity)];
 if (item->instance)
@@ -153,7 +153,7 @@ mbuf_dereference_instance(struct mbuf_set *ms, struct multi_instance *mi)
 if (ms)
 {
 int i;
- for (i = 0; i < (int) ms->len; ++i)
+ for (i = 0; i < (int)ms->len; ++i)
 {
 struct mbuf_item *item = &ms->array[MBUF_INDEX(ms->head, i, ms->capacity)];
 if (item->instance == mi)
diff --git a/src/openvpn/mbuf.h b/src/openvpn/mbuf.h
index 8cc7ab195..7f8c1b7f2 100644
--- a/src/openvpn/mbuf.h
+++ b/src/openvpn/mbuf.h
@@ -35,14 +35,14 @@
 struct multi_instance;
-#define MBUF_INDEX(head, offset, size) (((head) + (offset)) & ((size)-1))
+#define MBUF_INDEX(head, offset, size) (((head) + (offset)) & ((size) - 1))
 struct mbuf_buffer
 {
 struct buffer buf;
 int refcount;
-#define MF_UNICAST (1<<0)
+#define MF_UNICAST (1 << 0)
 unsigned int flags;
 };
@@ -90,7 +90,7 @@ mbuf_len(const struct mbuf_set *ms)
 static inline int
 mbuf_maximum_queued(const struct mbuf_set *ms)
 {
- return (int) ms->max_queued;
+ return (int)ms->max_queued;
 }
 struct multi_instance *mbuf_peek_dowork(struct mbuf_set *ms);
diff --git a/src/openvpn/memdbg.h b/src/openvpn/memdbg.h
index 9f8ff112b..738a775d7 100644
--- a/src/openvpn/memdbg.h
+++ b/src/openvpn/memdbg.h
@@ -38,7 +38,8 @@
 * from uninitialized data, we need to untaint it before use --
 * otherwise we will get a lot of useless warnings.
 *
- * valgrind --tool=memcheck --error-limit=no --suppressions=debug/valgrind-suppress --gen-suppressions=yes ./openvpn ...
+ * valgrind --tool=memcheck --error-limit=no --suppressions=debug/valgrind-suppress
+ * --gen-suppressions=yes ./openvpn ...
 */
 #ifdef USE_VALGRIND
@@ -47,7 +48,7 @@
 #define VALGRIND_MAKE_READABLE(addr, len)
-#else /* ifdef USE_VALGRIND */
+#else /* ifdef USE_VALGRIND */
 #define VALGRIND_MAKE_READABLE(addr, len)
@@ -85,7 +86,8 @@
 #include
-#define openvpn_dmalloc(file, line, size) dmalloc_malloc((file), (line), (size), DMALLOC_FUNC_MALLOC, 0, 0)
+#define openvpn_dmalloc(file, line, size) \
+ dmalloc_malloc((file), (line), (size), DMALLOC_FUNC_MALLOC, 0, 0)
 /*
 * This #define will put the line number of the log
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 5776d6afe..17f7706ea 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -84,7 +84,7 @@ hostname_randomize(const char *hostname, struct gc_arena *gc)
 uint8_t rnd_bytes[n_rnd_bytes];
 const char *rnd_str;
- struct buffer hname = alloc_buf_gc(strlen(hostname)+sizeof(rnd_bytes)*2+4, gc);
+ struct buffer hname = alloc_buf_gc(strlen(hostname) + sizeof(rnd_bytes) * 2 + 4, gc);
 prng_bytes(rnd_bytes, sizeof(rnd_bytes));
 rnd_str = format_hex_ex(rnd_bytes, sizeof(rnd_bytes), 40, 0, NULL, gc);
@@ -118,7 +118,9 @@ auth_user_pass_mgmt(struct user_pass *up, const char *prefix, const unsigned int
 }
 else
 {
- msg(M_FATAL, "ERROR: could not read %s username/password/ok/string from management interface", prefix);
+ msg(M_FATAL,
+ "ERROR: could not read %s username/password/ok/string from management interface",
+ prefix);
 }
 }
 return true;
@@ -134,7 +136,8 @@ auth_user_pass_mgmt(struct user_pass *up, const char *prefix, const unsigned int
 * @param auth_challenge The authentication challenge string to parse. Can't be NULL.
 * @param gc The gc_arena structure for memory allocation.
 *
- * @return A pointer to the parsed auth_challenge_info structure, or NULL if parsing fails.
+ * @return A pointer to the parsed auth_challenge_info structure, or NULL if parsing
+ * fails.
 */
 static struct auth_challenge_info *
 parse_auth_challenge(const char *auth_challenge, struct gc_arena *gc)
@@ -143,7 +146,7 @@ parse_auth_challenge(const char *auth_challenge, struct gc_arena *gc)
 struct auth_challenge_info *ac;
 const int len = strlen(auth_challenge);
- char *work = (char *) gc_malloc(len+1, false, gc);
+ char *work = (char *)gc_malloc(len + 1, false, gc);
 char *cp;
 struct buffer b;
@@ -191,7 +194,7 @@ parse_auth_challenge(const char *auth_challenge, struct gc_arena *gc)
 {
 return NULL;
 }
- ac->user = (char *) gc_malloc(strlen(work)+1, true, gc);
+ ac->user = (char *)gc_malloc(strlen(work) + 1, true, gc);
 openvpn_base64_decode(work, (void *)ac->user, -1);
 /* parse challenge text */
@@ -207,11 +210,8 @@ parse_auth_challenge(const char *auth_challenge, struct gc_arena *gc)
 */
 bool
-get_user_pass_cr(struct user_pass *up,
- const char *auth_file,
- const char *prefix,
- const unsigned int flags,
- const char *auth_challenge)
+get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix,
+ const unsigned int flags, const char *auth_challenge)
 {
 struct gc_arena gc = gc_new();
@@ -232,8 +232,7 @@ get_user_pass_cr(struct user_pass *up,
 /*
 * Get username/password from management interface?
 */
- if (management
- && (!from_authfile && (flags & GET_USER_PASS_MANAGEMENT))
+ if (management && (!from_authfile && (flags & GET_USER_PASS_MANAGEMENT))
 && management_query_user_pass_enabled(management))
 {
 response_from_stdin = false;
@@ -244,117 +243,118 @@ get_user_pass_cr(struct user_pass *up,
 }
 else
 #endif /* ifdef ENABLE_MANAGEMENT */
- /*
- * Get NEED_OK confirmation from the console
- */
- if (flags & GET_USER_PASS_NEED_OK)
- {
- struct buffer user_prompt = alloc_buf_gc(128, &gc);
-
- buf_printf(&user_prompt, "NEED-OK|%s|%s:", prefix, up->username);
- if (!query_user_SINGLE(BSTR(&user_prompt), BLEN(&user_prompt),
- up->password, USER_PASS_LEN, false))
+ /*
+ * Get NEED_OK confirmation from the console
+ */
+ if (flags & GET_USER_PASS_NEED_OK)
 {
- msg(M_FATAL, "ERROR: could not read %s ok-confirmation from stdin", prefix);
- }
+ struct buffer user_prompt = alloc_buf_gc(128, &gc);
- if (!strlen(up->password))
- {
- strcpy(up->password, "ok");
+ buf_printf(&user_prompt, "NEED-OK|%s|%s:", prefix, up->username);
+ if (!query_user_SINGLE(BSTR(&user_prompt), BLEN(&user_prompt), up->password,
+ USER_PASS_LEN, false))
+ {
+ msg(M_FATAL, "ERROR: could not read %s ok-confirmation from stdin", prefix);
+ }
+
+ if (!strlen(up->password))
+ {
+ strcpy(up->password, "ok");
+ }
 }
- }
- else if (flags & GET_USER_PASS_INLINE_CREDS)
- {
- struct buffer buf;
- buf_set_read(&buf, (uint8_t *) auth_file, strlen(auth_file) + 1);
- if (!(flags & GET_USER_PASS_PASSWORD_ONLY))
+ else if (flags & GET_USER_PASS_INLINE_CREDS)
 {
- buf_parse(&buf, '\n', up->username, USER_PASS_LEN);
- }
- buf_parse(&buf, '\n', up->password, USER_PASS_LEN);
+ struct buffer buf;
+ buf_set_read(&buf, (uint8_t *)auth_file, strlen(auth_file) + 1);
+ if (!(flags & GET_USER_PASS_PASSWORD_ONLY))
+ {
+ buf_parse(&buf, '\n', up->username, USER_PASS_LEN);
+ }
+ buf_parse(&buf, '\n', up->password, USER_PASS_LEN);
- if (strlen(up->password) == 0)
- {
- password_from_stdin = 1;
+ if (strlen(up->password) == 0)
+ {
+ password_from_stdin = 1;
+ }
 }
- }
- /*
- * Read from auth file unless this is a dynamic challenge request.
- */
- else if (from_authfile && !(flags & GET_USER_PASS_DYNAMIC_CHALLENGE))
- {
 /*
- * Try to get username/password from a file.
+ * Read from auth file unless this is a dynamic challenge request.
 */
- FILE *fp;
- char password_buf[USER_PASS_LEN] = { '\0' };
-
- fp = platform_fopen(auth_file, "r");
- if (!fp)
+ else if (from_authfile && !(flags & GET_USER_PASS_DYNAMIC_CHALLENGE))
 {
- msg(M_ERR, "Error opening '%s' auth file: %s", prefix, auth_file);
- }
+ /*
+ * Try to get username/password from a file.
+ */
+ FILE *fp;
+ char password_buf[USER_PASS_LEN] = { '\0' };
+
+ fp = platform_fopen(auth_file, "r");
+ if (!fp)
+ {
+ msg(M_ERR, "Error opening '%s' auth file: %s", prefix, auth_file);
+ }
- if ((flags & GET_USER_PASS_PASSWORD_ONLY) == 0)
- {
- /* Read username first */
- if (fgets(up->username, USER_PASS_LEN, fp) == NULL)
+ if ((flags & GET_USER_PASS_PASSWORD_ONLY) == 0)
 {
- msg(M_FATAL, "Error reading username from %s authfile: %s",
- prefix,
- auth_file);
+ /* Read username first */
+ if (fgets(up->username, USER_PASS_LEN, fp) == NULL)
+ {
+ msg(M_FATAL, "Error reading username from %s authfile: %s", prefix,
+ auth_file);
+ }
 }
- }
- chomp(up->username);
+ chomp(up->username);
- if (fgets(password_buf, USER_PASS_LEN, fp) != NULL)
- {
- chomp(password_buf);
- }
+ if (fgets(password_buf, USER_PASS_LEN, fp) != NULL)
+ {
+ chomp(password_buf);
+ }
- if (flags & GET_USER_PASS_PASSWORD_ONLY && !password_buf[0])
- {
- msg(M_FATAL, "Error reading password from %s authfile: %s", prefix, auth_file);
- }
+ if (flags & GET_USER_PASS_PASSWORD_ONLY && !password_buf[0])
+ {
+ msg(M_FATAL, "Error reading password from %s authfile: %s", prefix, auth_file);
+ }
- if (password_buf[0])
- {
- strncpy(up->password, password_buf, USER_PASS_LEN);
- }
- /* The auth-file does not have the password: get both username
- * and password from the management interface if possible.
- * Otherwise set to read password from console.
- */
+ if (password_buf[0])
+ {
+ strncpy(up->password, password_buf, USER_PASS_LEN);
+ }
+ /* The auth-file does not have the password: get both username
+ * and password from the management interface if possible.
+ * Otherwise set to read password from console.
+ */
 #if defined(ENABLE_MANAGEMENT)
- else if (management
- && (flags & GET_USER_PASS_MANAGEMENT)
- && management_query_user_pass_enabled(management))
- {
- msg(D_LOW, "No password found in %s authfile '%s'. Querying the management interface", prefix, auth_file);
- if (!auth_user_pass_mgmt(up, prefix, flags, auth_challenge))
+ else if (management && (flags & GET_USER_PASS_MANAGEMENT)
+ && management_query_user_pass_enabled(management))
 {
- fclose(fp);
- return false;
+ msg(D_LOW,
+ "No password found in %s authfile '%s'. Querying the management interface",
+ prefix, auth_file);
+ if (!auth_user_pass_mgmt(up, prefix, flags, auth_challenge))
+ {
+ fclose(fp);
+ return false;
+ }
 }
- }
 #endif
- else
- {
- password_from_stdin = 1;
- }
+ else
+ {
+ password_from_stdin = 1;
+ }
- fclose(fp);
+ fclose(fp);
- if (!(flags & GET_USER_PASS_PASSWORD_ONLY) && strlen(up->username) == 0)
+ if (!(flags & GET_USER_PASS_PASSWORD_ONLY) && strlen(up->username) == 0)
+ {
+ msg(M_FATAL, "ERROR: username from %s authfile '%s' is empty", prefix,
+ auth_file);
+ }
+ }
+ else
 {
- msg(M_FATAL, "ERROR: username from %s authfile '%s' is empty", prefix, auth_file);
+ username_from_stdin = true;
+ password_from_stdin = true;
 }
- }
- else
- {
- username_from_stdin = true;
- password_from_stdin = true;
- }
 /*
 * Get username/password from standard input?
@@ -367,15 +367,15 @@ get_user_pass_cr(struct user_pass *up,
 struct auth_challenge_info *ac = parse_auth_challenge(auth_challenge, &gc);
 if (ac)
 {
- char *response = (char *) gc_malloc(USER_PASS_LEN, false, &gc);
+ char *response = (char *)gc_malloc(USER_PASS_LEN, false, &gc);
 struct buffer packed_resp, challenge;
- challenge = alloc_buf_gc(14+strlen(ac->challenge_text), &gc);
+ challenge = alloc_buf_gc(14 + strlen(ac->challenge_text), &gc);
 buf_printf(&challenge, "CHALLENGE: %s", ac->challenge_text);
 buf_set_write(&packed_resp, (uint8_t *)up->password, USER_PASS_LEN);
- if (!query_user_SINGLE(BSTR(&challenge), BLEN(&challenge),
- response, USER_PASS_LEN, BOOL_CAST(ac->flags&CR_ECHO)))
+ if (!query_user_SINGLE(BSTR(&challenge), BLEN(&challenge), response,
+ USER_PASS_LEN, BOOL_CAST(ac->flags & CR_ECHO)))
 {
 msg(M_FATAL, "ERROR: could not read challenge response from stdin");
 }
@@ -399,17 +399,17 @@ get_user_pass_cr(struct user_pass *up,
 if (username_from_stdin && !(flags & GET_USER_PASS_PASSWORD_ONLY))
 {
- query_user_add(BSTR(&user_prompt), BLEN(&user_prompt),
- up->username, USER_PASS_LEN, true);
+ query_user_add(BSTR(&user_prompt), BLEN(&user_prompt), up->username,
+ USER_PASS_LEN, true);
 }
 if (password_from_stdin)
 {
- query_user_add(BSTR(&pass_prompt), BLEN(&pass_prompt),
- up->password, USER_PASS_LEN, false);
+ query_user_add(BSTR(&pass_prompt), BLEN(&pass_prompt), up->password,
+ USER_PASS_LEN, false);
 }
- if (!query_user_exec() )
+ if (!query_user_exec())
 {
 msg(M_FATAL, "ERROR: Failed retrieving username or password");
 }
@@ -423,17 +423,18 @@ get_user_pass_cr(struct user_pass *up,
 }
 #ifdef ENABLE_MANAGEMENT
- if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE) && response_from_stdin)
+ if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE)
+ && response_from_stdin)
 {
- char *response = (char *) gc_malloc(USER_PASS_LEN, false, &gc);
+ char *response = (char *)gc_malloc(USER_PASS_LEN, false, &gc);
 struct buffer packed_resp, challenge;
 char *pw64 = NULL, *resp64 = NULL;
- challenge = alloc_buf_gc(14+strlen(auth_challenge), &gc);
+ challenge = alloc_buf_gc(14 + strlen(auth_challenge), &gc);
 buf_printf(&challenge, "CHALLENGE: %s", auth_challenge);
- if (!query_user_SINGLE(BSTR(&challenge), BLEN(&challenge),
- response, USER_PASS_LEN,
+ if (!query_user_SINGLE(BSTR(&challenge), BLEN(&challenge), response,
+ USER_PASS_LEN,
 BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO)))
 {
 msg(M_FATAL, "ERROR: could not retrieve static challenge response");
@@ -456,7 +457,8 @@ get_user_pass_cr(struct user_pass *up,
 {
 if (strlen(up->password) + strlen(response) >= USER_PASS_LEN)
 {
- msg(M_FATAL, "ERROR: could not concatenate password/static_response: string too long");
+ msg(M_FATAL,
+ "ERROR: could not concatenate password/static_response: string too long");
 }
 strncat(up->password, response, USER_PASS_LEN - strlen(up->password) - 1);
 }
@@ -499,7 +501,8 @@ purge_user_pass(struct user_pass *up, const bool force)
 */
 if (!warn_shown)
 {
- msg(M_WARN, "WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this");
+ msg(M_WARN,
+ "WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this");
 warn_shown = true;
 }
 }
@@ -594,7 +597,7 @@ make_inline_array(const char *str, struct gc_arena *gc)
 char **ret = NULL;
 int i = 0;
- buf_set_read(&buf, (const uint8_t *) str, strlen(str));
+ buf_set_read(&buf, (const uint8_t *)str, strlen(str));
 while (buf_parse(&buf, '\n', line, sizeof(line)))
 {
 ++len;
@@ -603,7 +606,7 @@ make_inline_array(const char *str, struct gc_arena *gc)
 /* alloc return array */
 ALLOC_ARRAY_CLEAR_GC(ret, char *, len + 1, gc);
-buf_set_read(&buf, (const uint8_t *) str, strlen(str));
+buf_set_read(&buf, (const uint8_t *)str, strlen(str));
 while (buf_parse(&buf, '\n', line, sizeof(line)))
 {
 chomp(line);
@@ -668,12 +671,12 @@ make_extended_arg_array(char **p, bool is_inline, struct gc_arena *gc)
 const char *
 sanitize_control_message(const char *src, struct gc_arena *gc)
 {
-char *ret = gc_malloc(strlen(src)+1, false, gc);
+char *ret = gc_malloc(strlen(src) + 1, false, gc);
 char *dest = ret;
 bool redact = false;
 int skip = 0;
-for (;; )
+for (;;)
 {
 const char c = *src;
 if (c == '\0')
@@ -690,8 +693,7 @@ sanitize_control_message(const char *src, struct gc_arena *gc)
 skip = 4;
 redact = true;
 }
-else if (!check_debug_level(D_SHOW_KEYS)
-&& (c == 'a' && !strncmp(src, "auth-token ", 11)))
+else if (!check_debug_level(D_SHOW_KEYS) && (c == 'a' && !strncmp(src, "auth-token ", 11)))
 {
 /* Unless --verb is 7 or higher (D_SHOW_KEYS), hide
 * the auth-token value coming in the src string
@@ -755,8 +757,7 @@ validate_peer_info_line(char *line)
 case 2:
 /* after the '=', replace non-printable or shell meta with '_' */
-if (!isprint(c) || isspace(c)
-|| c == '$' || c == '(' || c == '`')
+if (!isprint(c) || isspace(c) || c == '$' || c == '(' || c == '`')
 {
 *line = '_';
 }
@@ -771,12 +772,12 @@ output_peer_info_env(struct env_set *es, const char *peer_info)
 {
 char line[256];
 struct buffer buf;
-buf_set_read(&buf, (const uint8_t *) peer_info, strlen(peer_info));
+buf_set_read(&buf, (const uint8_t *)peer_info, strlen(peer_info));
 while (buf_parse(&buf, '\n', line, sizeof(line)))
 {
 chomp(line);
 if (validate_peer_info_line(line)
-&& (strncmp(line, "IV_", 3) == 0 || strncmp(line, "UV_", 3) == 0) )
+&& (strncmp(line, "IV_", 3) == 0 || strncmp(line, "UV_", 3) == 0))
 {
 msg(M_INFO, "peer info: %s", line);
 env_set_add(es, line);
diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
index eb2449c2a..1b10cd9e5 100644
--- a/src/openvpn/misc.h
+++ b/src/openvpn/misc.h
@@ -42,8 +42,7 @@ void set_std_files_to_null(bool stdin_only);
 const char **make_arg_array(const char *first, const char *parms, struct gc_arena *gc);
-const char **make_extended_arg_array(char **p, bool is_inline,
-struct gc_arena *gc);
+const char **make_extended_arg_array(char **p, bool is_inline, struct gc_arena *gc);
 /* prepend a random prefix to hostname */
 const char *hostname_randomize(const char *hostname, struct gc_arena *gc);
@@ -76,9 +75,10 @@ struct user_pass
 /*
 * Challenge response info on client as pushed by server.
 */
-struct auth_challenge_info {
-#define CR_ECHO (1<<0) /* echo response when typed by user */
-#define CR_RESPONSE (1<<1) /* response needed */
+struct auth_challenge_info
+{
+#define CR_ECHO (1 << 0) /* echo response when typed by user */
+#define CR_RESPONSE (1 << 1) /* response needed */
 unsigned int flags;
 const char *user;
@@ -89,38 +89,43 @@ struct auth_challenge_info {
 /*
 * Challenge response info on client as pushed by server.
 */
-struct static_challenge_info {
-#define SC_ECHO (1<<0) /* echo response when typed by user */
-#define SC_CONCAT (1<<1) /* concatenate password and response and do not base64 encode */
+struct static_challenge_info
+{
+#define SC_ECHO (1 << 0) /* echo response when typed by user */
+#define SC_CONCAT (1 << 1) /* concatenate password and response and do not base64 encode */
 unsigned int flags;
 const char *challenge_text;
 };
 #else /* ifdef ENABLE_MANAGEMENT */
-struct auth_challenge_info {};
-struct static_challenge_info {};
+struct auth_challenge_info
+{
+};
+struct static_challenge_info
+{
+};
 #endif /* ifdef ENABLE_MANAGEMENT */
 /*
 * Flags for get_user_pass and management_query_user_pass
 */
-#define GET_USER_PASS_MANAGEMENT (1<<0)
+#define GET_USER_PASS_MANAGEMENT (1 << 0)
 /* GET_USER_PASS_SENSITIVE (1<<1) not used anymore */
-#define GET_USER_PASS_PASSWORD_ONLY (1<<2)
-#define GET_USER_PASS_NEED_OK (1<<3)
-#define GET_USER_PASS_NOFATAL (1<<4)
-#define GET_USER_PASS_NEED_STR (1<<5)
-#define GET_USER_PASS_PREVIOUS_CREDS_FAILED (1<<6)
+#define GET_USER_PASS_PASSWORD_ONLY (1 << 2)
+#define GET_USER_PASS_NEED_OK (1 << 3)
+#define GET_USER_PASS_NOFATAL (1 << 4)
+#define GET_USER_PASS_NEED_STR (1 << 5)
+#define GET_USER_PASS_PREVIOUS_CREDS_FAILED (1 << 6)
-#define GET_USER_PASS_DYNAMIC_CHALLENGE (1<<7) /**< CRV1 protocol -- dynamic challenge */
-#define GET_USER_PASS_STATIC_CHALLENGE (1<<8) /**< SCRV1 protocol -- static challenge */
-#define GET_USER_PASS_STATIC_CHALLENGE_ECHO (1<<9) /**< SCRV1 protocol -- echo response */
+#define GET_USER_PASS_DYNAMIC_CHALLENGE (1 << 7) /**< CRV1 protocol -- dynamic challenge */
+#define GET_USER_PASS_STATIC_CHALLENGE (1 << 8) /**< SCRV1 protocol -- static challenge */
+#define GET_USER_PASS_STATIC_CHALLENGE_ECHO (1 << 9) /**< SCRV1 protocol -- echo response */
 /** indicates that auth_file is actually inline creds */
-#define GET_USER_PASS_INLINE_CREDS (1<<10)
+#define GET_USER_PASS_INLINE_CREDS (1 << 10)
 /** indicates password and response should be concatenated */
-#define GET_USER_PASS_STATIC_CHALLENGE_CONCAT (1<<11)
+#define GET_USER_PASS_STATIC_CHALLENGE_CONCAT (1 << 11)
 /**
 * Retrieves the user credentials from various sources depending on the flags.
@@ -132,11 +137,8 @@ struct static_challenge_info {};
 * @param auth_challenge The authentication challenge string.
 * @return true if the user credentials were successfully retrieved, false otherwise.
 */
-bool get_user_pass_cr(struct user_pass *up,
-const char *auth_file,
-const char *prefix,
-const unsigned int flags,
-const char *auth_challenge);
+bool get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix,
+const unsigned int flags, const char *auth_challenge);
 /**
 * Retrieves the user credentials from various sources depending on the flags.
@@ -148,9 +150,7 @@ bool get_user_pass_cr(struct user_pass *up,
 * @return true if the user credentials were successfully retrieved, false otherwise.
 */
 static inline bool
-get_user_pass(struct user_pass *up,
-const char *auth_file,
-const char *prefix,
+get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix,
 const unsigned int flags)
 {
 return get_user_pass_cr(up, auth_file, prefix, flags, NULL);
@@ -205,29 +205,24 @@ void output_peer_info_env(struct env_set *es, const char *peer_info);
 /**
 * Prepend a directory to a path.
 */
-struct buffer
-prepend_dir(const char *dir, const char *path, struct gc_arena *gc);
+struct buffer prepend_dir(const char *dir, const char *path, struct gc_arena *gc);
 /**
 * Encrypt username and password buffers in user_pass
 */
-void
-protect_user_pass(struct user_pass *up);
+void protect_user_pass(struct user_pass *up);
 /**
 * Decrypt username and password buffers in user_pass
 */
-void
-unprotect_user_pass(struct user_pass *up);
+void unprotect_user_pass(struct user_pass *up);
-#define _STRINGIFY(S) #S
+#define _STRINGIFY(S) #S
 /* *INDENT-OFF* - uncrustify need to ignore this macro */
-#define MAC_FMT _STRINGIFY(%02hhx:%02hhx:%02hhx:%02hhx:%02hhx:%02hhx)
+#define MAC_FMT _STRINGIFY(%02hhx:%02hhx:%02hhx:%02hhx:%02hhx:%02hhx)
 /* *INDENT-ON* */
-#define MAC_PRINT_ARG(_mac) _mac[0], _mac[1], _mac[2], \
-_mac[3], _mac[4], _mac[5]
-#define MAC_SCAN_ARG(_mac) &_mac[0], &_mac[1], &_mac[2], \
-&_mac[3], &_mac[4], &_mac[5]
+#define MAC_PRINT_ARG(_mac) _mac[0], _mac[1], _mac[2], _mac[3], _mac[4], _mac[5]
+#define MAC_SCAN_ARG(_mac) &_mac[0], &_mac[1], &_mac[2], &_mac[3], &_mac[4], &_mac[5]
 #endif /* ifndef MISC_H */
diff --git a/src/openvpn/mroute.c b/src/openvpn/mroute.c
index b14be7e0a..a598037ba 100644
--- a/src/openvpn/mroute.c
+++ b/src/openvpn/mroute.c
@@ -47,14 +47,13 @@ mroute_addr_init(struct mroute_addr *addr)
 static inline bool
 is_mac_mcast_addr(const uint8_t *mac)
 {
-return (bool) (mac[0] & 1);
+return (bool)(mac[0] & 1);
 }
 static inline bool
 is_mac_mcast_maddr(const struct mroute_addr *addr)
 {
-return (addr->type & MR_ADDR_MASK) == MR_ADDR_ETHER
-&& is_mac_mcast_addr(addr->ether.addr);
+return (addr->type & MR_ADDR_MASK) == MR_ADDR_ETHER && is_mac_mcast_addr(addr->ether.addr);
 }
 /*
@@ -81,8 +80,7 @@ mroute_learnable_address(const struct mroute_addr *addr, struct gc_arena *gc)
 }
 /* only networkss shorter than 8 bits are allowed to be all 0s. */
-if (all_zeros
-&& !((addr->type & MR_WITH_NETBITS) && (addr->netbits < 8)))
+if (all_zeros && !((addr->type & MR_WITH_NETBITS) && (addr->netbits < 8)))
 {
 msg(D_MULTI_LOW, "Can't learn %s: network is all 0s, but netbits >= 8",
 mroute_addr_print(addr, gc));
@@ -91,8 +89,7 @@ mroute_learnable_address(const struct mroute_addr *addr, struct gc_arena *gc)
 if (all_ones)
 {
-msg(D_MULTI_LOW, "Can't learn %s: network is all 1s",
-mroute_addr_print(addr, gc));
+msg(D_MULTI_LOW, "Can't learn %s: network is all 1s", mroute_addr_print(addr, gc));
 return false;
 }
@@ -147,8 +144,7 @@ mroute_is_mcast_ipv6(const struct in6_addr addr)
 unsigned int
-mroute_extract_addr_ip(struct mroute_addr *src, struct mroute_addr *dest,
-const struct buffer *buf)
+mroute_extract_addr_ip(struct mroute_addr *src, struct mroute_addr *dest, const struct buffer *buf)
 {
 unsigned int ret = 0;
 if (BLEN(buf) >= 1)
@@ -156,9 +152,9 @@ mroute_extract_addr_ip(struct mroute_addr *src, struct mroute_addr *dest,
 switch (OPENVPN_IPH_GET_VER(*BPTR(buf)))
 {
 case 4:
-if (BLEN(buf) >= (int) sizeof(struct openvpn_iphdr))
+if (BLEN(buf) >= (int)sizeof(struct openvpn_iphdr))
 {
-const struct openvpn_iphdr *ip = (const struct openvpn_iphdr *) BPTR(buf);
+const struct openvpn_iphdr *ip = (const struct openvpn_iphdr *)BPTR(buf);
 mroute_get_in_addr_t(src, ip->saddr, 0);
 mroute_get_in_addr_t(dest, ip->daddr, 0);
@@ -180,10 +176,10 @@ mroute_extract_addr_ip(struct mroute_addr *src, struct mroute_addr *dest,
 break;
 case 6:
-if (BLEN(buf) >= (int) sizeof(struct openvpn_ipv6hdr))
+if (BLEN(buf) >= (int)sizeof(struct openvpn_ipv6hdr))
 {
-const struct openvpn_ipv6hdr *ipv6 = (const struct openvpn_ipv6hdr *) BPTR(buf);
-#if 0 /* very basic debug */
+const struct openvpn_ipv6hdr *ipv6 = (const struct openvpn_ipv6hdr *)BPTR(buf);
+#if 0 /* very basic debug */
 struct gc_arena gc = gc_new();
 msg( M_INFO, "IPv6 packet! src=%s, dst=%s",
 print_in6_addr( ipv6->saddr, 0, &gc ),
@@ -212,9 +208,7 @@ mroute_extract_addr_ip(struct mroute_addr *src, struct mroute_addr *dest,
 }
 static void
-mroute_copy_ether_to_addr(struct mroute_addr *maddr,
-const uint8_t *ether_addr,
-uint16_t vid)
+mroute_copy_ether_to_addr(struct mroute_addr *maddr, const uint8_t *ether_addr, uint16_t vid)
 {
 maddr->type = MR_ADDR_ETHER;
 maddr->netbits = 0;
@@ -225,15 +219,13 @@ mroute_copy_ether_to_addr(struct mroute_addr *maddr,
 }
 unsigned int
-mroute_extract_addr_ether(struct mroute_addr *src,
-struct mroute_addr *dest,
-uint16_t vid,
+mroute_extract_addr_ether(struct mroute_addr *src, struct mroute_addr *dest, uint16_t vid,
 const struct buffer *buf)
 {
 unsigned int ret = 0;
-if (BLEN(buf) >= (int) sizeof(struct openvpn_ethhdr))
+if (BLEN(buf) >= (int)sizeof(struct openvpn_ethhdr))
 {
-const struct openvpn_ethhdr *eth = (const struct openvpn_ethhdr *) BPTR(buf);
+const struct openvpn_ethhdr *eth = (const struct openvpn_ethhdr *)BPTR(buf);
 if (src)
 {
 mroute_copy_ether_to_addr(src, eth->source, vid);
@@ -250,7 +242,6 @@ mroute_extract_addr_ether(struct mroute_addr *src,
 }
 ret |= MROUTE_EXTRACT_SUCCEEDED;
-
 }
 return ret;
 }
@@ -260,8 +251,7 @@ mroute_extract_addr_ether(struct mroute_addr *src,
 * to a struct mroute_addr (addr).
 */
 bool
-mroute_extract_openvpn_sockaddr(struct mroute_addr *addr,
-const struct openvpn_sockaddr *osaddr,
+mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr,
 bool use_port)
 {
 switch (osaddr->addr.sa.sa_family)
@@ -335,7 +325,7 @@ mroute_addr_mask_host_bits(struct mroute_addr *ma)
 }
 else if ((ma->type & MR_ADDR_MASK) == MR_ADDR_IPV6)
 {
-int byte = sizeof(ma->v6.addr) - 1; /* rightmost byte in address */
+int byte = sizeof(ma->v6.addr) - 1; /* rightmost byte in address */
 int bits_to_clear = 128 - ma->netbits;
 while (byte >= 0 && bits_to_clear > 0)
@@ -351,7 +341,7 @@ mroute_addr_mask_host_bits(struct mroute_addr *ma)
 bits_to_clear = 0;
 }
 }
-ASSERT( bits_to_clear == 0 );
+ASSERT(bits_to_clear == 0);
 }
 else
 {
@@ -367,29 +357,24 @@ mroute_addr_mask_host_bits(struct mroute_addr *ma)
 uint32_t
 mroute_addr_hash_function(const void *key, uint32_t iv)
 {
-return hash_func(mroute_addr_hash_ptr((const struct mroute_addr *) key),
-mroute_addr_hash_len((const struct mroute_addr *) key),
-iv);
+return hash_func(mroute_addr_hash_ptr((const struct mroute_addr *)key),
+mroute_addr_hash_len((const struct mroute_addr *)key), iv);
 }
 bool
 mroute_addr_compare_function(const void *key1, const void *key2)
 {
-return mroute_addr_equal((const struct mroute_addr *) key1,
-(const struct mroute_addr *) key2);
+return mroute_addr_equal((const struct mroute_addr *)key1, (const struct mroute_addr *)key2);
 }
 const char *
-mroute_addr_print(const struct mroute_addr *ma,
-struct gc_arena *gc)
+mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc)
 {
 return mroute_addr_print_ex(ma, MAPF_IA_EMPTY_IF_UNDEF, gc);
 }
 const char *
-mroute_addr_print_ex(const struct mroute_addr *ma,
-const unsigned int flags,
-struct gc_arena *gc)
+mroute_addr_print_ex(const struct mroute_addr *ma, const unsigned int flags, struct gc_arena *gc)
 {
 struct buffer out = alloc_buf_gc(64, gc);
 if (ma)
@@ -399,8 +384,8 @@ mroute_addr_print_ex(const struct mroute_addr *ma,
 switch (maddr.type & MR_ADDR_MASK)
 {
 case MR_ADDR_ETHER:
-buf_printf(&out, "%s", format_hex_ex(ma->ether.addr,
-sizeof(ma->ether.addr), 0, 1, ":", gc));
+buf_printf(&out, "%s",
+format_hex_ex(ma->ether.addr, sizeof(ma->ether.addr), 0, 1, ":", gc));
 buf_printf(&out, "@%hu", ma->ether.vid);
 break;
@@ -418,8 +403,10 @@ mroute_addr_print_ex(const struct mroute_addr *ma,
 {
 buf_printf(&out, "[AF_INET]");
 }
-buf_printf(&out, "%s", print_in_addr_t(ntohl(maddr.v4.addr),
-(flags & MAPF_IA_EMPTY_IF_UNDEF) ? IA_EMPTY_IF_UNDEF : 0, gc));
+buf_printf(&out, "%s",
+print_in_addr_t(ntohl(maddr.v4.addr),
+(flags & MAPF_IA_EMPTY_IF_UNDEF) ? IA_EMPTY_IF_UNDEF : 0,
+gc));
 if (maddr.type & MR_WITH_NETBITS)
 {
 if (flags & MAPF_SUBNET)
@@ -449,10 +436,10 @@ mroute_addr_print_ex(const struct mroute_addr *ma,
 {
 buf_printf(&out, "[AF_INET6]");
 }
-if (IN6_IS_ADDR_V4MAPPED( &maddr.v6.addr ) )
+if (IN6_IS_ADDR_V4MAPPED(&maddr.v6.addr))
 {
-buf_printf(&out, "%s", print_in_addr_t(maddr.v4mappedv6.addr,
-IA_NET_ORDER, gc));
+buf_printf(&out, "%s",
+print_in_addr_t(maddr.v4mappedv6.addr, IA_NET_ORDER, gc));
 }
 else if (maddr.type & MR_WITH_PORT)
 {
@@ -508,7 +495,7 @@ mroute_helper_regenerate(struct mroute_helper *mh)
 {
 if (mh->net_len_refcount[i] > 0)
 {
-mh->net_len[j++] = (uint8_t) i;
+mh->net_len[j++] = (uint8_t)i;
 }
 }
 mh->n_net_len = j;
diff --git a/src/openvpn/mroute.h b/src/openvpn/mroute.h
index e06d27220..5b0c69440 100644
--- a/src/openvpn/mroute.h
+++ b/src/openvpn/mroute.h
@@ -29,22 +29,22 @@
 #include
-#define IP_MCAST_SUBNET_MASK ((in_addr_t)240<<24)
-#define IP_MCAST_NETWORK ((in_addr_t)224<<24)
+#define IP_MCAST_SUBNET_MASK ((in_addr_t)240 << 24)
+#define IP_MCAST_NETWORK ((in_addr_t)224 << 24)
 /* Return status values for mroute_extract_addr_from_packet */
-#define MROUTE_EXTRACT_SUCCEEDED (1<<0)
-#define MROUTE_EXTRACT_BCAST (1<<1)
-#define MROUTE_EXTRACT_MCAST (1<<2)
-#define MROUTE_EXTRACT_IGMP (1<<3)
+#define MROUTE_EXTRACT_SUCCEEDED (1 << 0)
+#define MROUTE_EXTRACT_BCAST (1 << 1)
+#define MROUTE_EXTRACT_MCAST (1 << 2)
+#define MROUTE_EXTRACT_IGMP (1 << 3)
-#define MROUTE_SEC_EXTRACT_SUCCEEDED (1<<(0+MROUTE_SEC_SHIFT))
-#define MROUTE_SEC_EXTRACT_BCAST (1<<(1+MROUTE_SEC_SHIFT))
-#define MROUTE_SEC_EXTRACT_MCAST (1<<(2+MROUTE_SEC_SHIFT))
-#define MROUTE_SEC_EXTRACT_IGMP (1<<(3+MROUTE_SEC_SHIFT))
+#define MROUTE_SEC_EXTRACT_SUCCEEDED (1 << (0 + MROUTE_SEC_SHIFT))
+#define MROUTE_SEC_EXTRACT_BCAST (1 << (1 + MROUTE_SEC_SHIFT))
+#define MROUTE_SEC_EXTRACT_MCAST (1 << (2 + MROUTE_SEC_SHIFT))
+#define MROUTE_SEC_EXTRACT_IGMP (1 << (3 + MROUTE_SEC_SHIFT))
-#define MROUTE_SEC_SHIFT 4
+#define MROUTE_SEC_SHIFT 4
 /*
 * Choose the largest address possible with
@@ -56,60 +56,64 @@
 /*
 * Address Types
 */
-#define MR_ADDR_NONE 0
-#define MR_ADDR_ETHER 1
-#define MR_ADDR_IPV4 2
-#define MR_ADDR_IPV6 3
-#define MR_ADDR_MASK 3
+#define MR_ADDR_NONE 0
+#define MR_ADDR_ETHER 1
+#define MR_ADDR_IPV4 2
+#define MR_ADDR_IPV6 3
+#define MR_ADDR_MASK 3
 /* Address type mask indicating that port # is part of address */
-#define MR_WITH_PORT 4
+#define MR_WITH_PORT 4
 /* Address type mask indicating that netbits is part of address */
-#define MR_WITH_NETBITS 8
+#define MR_WITH_NETBITS 8
 /* Indicates than IPv4 addr was extracted from ARP packet */
-#define MR_ARP 16
+#define MR_ARP 16
 /* Address type mask indicating that proto # is part of address */
-#define MR_WITH_PROTO 32
+#define MR_WITH_PROTO 32
-struct mroute_addr {
-uint8_t len; /* length of address */
+struct mroute_addr
+{
+uint8_t len; /* length of address */
 uint8_t proto;
-uint8_t type; /* MR_ADDR/MR_WITH flags */
+uint8_t type; /* MR_ADDR/MR_WITH flags */
 uint8_t netbits; /* number of bits in network part of address,
 * valid if MR_WITH_NETBITS is set */
-union {
+union
+{
 uint8_t raw_addr[MR_MAX_ADDR_LEN]; /* actual address */
-struct {
+struct
+{
 uint8_t addr[OPENVPN_ETH_ALEN];
 uint16_t vid;
 } ether;
-struct {
-in_addr_t addr; /* _network order_ IPv4 address */
-in_port_t port; /* _network order_ TCP/UDP port */
+struct
+{
+in_addr_t addr; /* _network order_ IPv4 address */
+in_port_t port; /* _network order_ TCP/UDP port */
 } v4;
-struct {
+struct
+{
 struct in6_addr addr;
-in_port_t port; /* _network order_ TCP/UDP port */
+in_port_t port; /* _network order_ TCP/UDP port */
 } v6;
-struct {
+struct
+{
 uint8_t prefix[12];
-in_addr_t addr; /* _network order_ IPv4 address */
+in_addr_t addr; /* _network order_ IPv4 address */
 } v4mappedv6;
 };
 };
 /* Double-check that struct packing works as expected */
-static_assert(offsetof(struct mroute_addr, v4.port) ==
-offsetof(struct mroute_addr, v4) + 4,
+static_assert(offsetof(struct mroute_addr, v4.port) == offsetof(struct mroute_addr, v4) + 4,
 "Unexpected struct packing of v4");
-static_assert(offsetof(struct mroute_addr, v6.port) ==
-offsetof(struct mroute_addr, v6) + 16,
+static_assert(offsetof(struct mroute_addr, v6.port) == offsetof(struct mroute_addr, v6) + 16,
 "Unexpected struct packing of v6");
-static_assert(offsetof(struct mroute_addr, v4mappedv6.addr) ==
-offsetof(struct mroute_addr, v4mappedv6) + 12,
+static_assert(offsetof(struct mroute_addr, v4mappedv6.addr)
+== offsetof(struct mroute_addr, v4mappedv6) + 12,
 "Unexpected struct packing of v4mappedv6");
 /*
@@ -120,22 +124,21 @@ static_assert(offsetof(struct mroute_addr, v4mappedv6.addr) ==
 /*
 * Used to help maintain CIDR routing table.
 */
-struct mroute_helper {
-unsigned int cache_generation; /* incremented when route added */
-int ageable_ttl_secs; /* host route cache entry time-to-live*/
-int n_net_len; /* length of net_len array */
-uint8_t net_len[MR_HELPER_NET_LEN]; /* CIDR netlengths in descending order */
+struct mroute_helper
+{
+unsigned int cache_generation; /* incremented when route added */
+int ageable_ttl_secs; /* host route cache entry time-to-live*/
+int n_net_len; /* length of net_len array */
+uint8_t net_len[MR_HELPER_NET_LEN]; /* CIDR netlengths in descending order */
 int net_len_refcount[MR_HELPER_NET_LEN]; /* refcount of each netlength */
 };
 struct openvpn_sockaddr;
 bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr,
-const struct openvpn_sockaddr *osaddr,
-bool use_port);
+const struct openvpn_sockaddr *osaddr, bool use_port);
-bool mroute_learnable_address(const struct mroute_addr *addr,
-struct gc_arena *gc);
+bool mroute_learnable_address(const struct mroute_addr *addr, struct gc_arena *gc);
 uint32_t mroute_addr_hash_function(const void *key, uint32_t iv);
@@ -143,15 +146,13 @@ bool mroute_addr_compare_function(const void *key1, const void *key2);
 void mroute_addr_init(struct mroute_addr *addr);
-const char *mroute_addr_print(const struct mroute_addr *ma,
-struct gc_arena *gc);
+const char *mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc);
-#define MAPF_SUBNET (1<<0)
-#define MAPF_IA_EMPTY_IF_UNDEF (1<<1)
-#define MAPF_SHOW_ARP (1<<2)
-#define MAPF_SHOW_FAMILY (1<<3)
-const char *mroute_addr_print_ex(const struct mroute_addr *ma,
-const unsigned int flags,
+#define MAPF_SUBNET (1 << 0)
+#define MAPF_IA_EMPTY_IF_UNDEF (1 << 1)
+#define MAPF_SHOW_ARP (1 << 2)
+#define MAPF_SHOW_FAMILY (1 << 3)
+const char *mroute_addr_print_ex(const struct mroute_addr *ma, const unsigned int flags,
 struct gc_arena *gc);
 void mroute_addr_mask_host_bits(struct mroute_addr *ma);
@@ -164,25 +165,19 @@ void mroute_helper_add_iroute46(struct mroute_helper *mh, int netbits);
 void mroute_helper_del_iroute46(struct mroute_helper *mh, int netbits);
-unsigned int mroute_extract_addr_ip(struct mroute_addr *src,
-struct mroute_addr *dest,
+unsigned int mroute_extract_addr_ip(struct mroute_addr *src, struct mroute_addr *dest,
 const struct buffer *buf);
-unsigned int mroute_extract_addr_ether(struct mroute_addr *src,
-struct mroute_addr *dest,
-uint16_t vid,
-const struct buffer *buf);
+unsigned int mroute_extract_addr_ether(struct mroute_addr *src, struct mroute_addr *dest,
+uint16_t vid, const struct buffer *buf);
 /*
 * Given a raw packet in buf, return the src and dest
 * addresses of the packet.
 */
 static inline unsigned int
-mroute_extract_addr_from_packet(struct mroute_addr *src,
-struct mroute_addr *dest,
-uint16_t vid,
-const struct buffer *buf,
-int tunnel_type)
+mroute_extract_addr_from_packet(struct mroute_addr *src, struct mroute_addr *dest, uint16_t vid,
+const struct buffer *buf, int tunnel_type)
 {
 unsigned int ret = 0;
 verify_align_4(buf);
@@ -232,13 +227,13 @@ static inline const uint8_t *
 mroute_addr_hash_ptr(const struct mroute_addr *a)
 {
 /* NOTE: depends on ordering of struct mroute_addr */
-return (uint8_t *) &a->proto;
+return (uint8_t *)&a->proto;
 }
 static inline uint32_t
 mroute_addr_hash_len(const struct mroute_addr *a)
 {
-return (uint32_t) a->len + 3;
+return (uint32_t)a->len + 3;
 }
 static inline void
diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c
index 96a9af032..32cd3f873 100644
--- a/src/openvpn/mss.c
+++ b/src/openvpn/mss.c
@@ -48,27 +48,24 @@ mss_fixup_ipv4(struct buffer *buf, uint16_t maxmss)
 const struct openvpn_iphdr *pip;
 int hlen;
-if (BLEN(buf) < (int) sizeof(struct openvpn_iphdr))
+if (BLEN(buf) < (int)sizeof(struct openvpn_iphdr))
 {
 return;
 }
 verify_align_4(buf);
-pip = (struct openvpn_iphdr *) BPTR(buf);
+pip = (struct openvpn_iphdr *)BPTR(buf);
 hlen = OPENVPN_IPH_GET_LEN(pip->version_len);
-if (pip->protocol == OPENVPN_IPPROTO_TCP
-&& ntohs(pip->tot_len) == BLEN(buf)
-&& (ntohs(pip->frag_off) & OPENVPN_IP_OFFMASK) == 0
-&& hlen <= BLEN(buf)
-&& BLEN(buf) - hlen
->= (int) sizeof(struct openvpn_tcphdr))
+if (pip->protocol == OPENVPN_IPPROTO_TCP && ntohs(pip->tot_len) == BLEN(buf)
+&& (ntohs(pip->frag_off) & OPENVPN_IP_OFFMASK) == 0 && hlen <= BLEN(buf)
+&& BLEN(buf) - hlen >= (int)sizeof(struct openvpn_tcphdr))
 {
 struct buffer newbuf = *buf;
 if (buf_advance(&newbuf, hlen))
 {
-struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *) BPTR(&newbuf);
+struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *)BPTR(&newbuf);
 if (tc->flags & OPENVPN_TCPH_SYN_MASK)
 {
 mss_fixup_dowork(&newbuf, maxmss);
@@ -88,18 +85,18 @@ mss_fixup_ipv6(struct buffer *buf, uint16_t maxmss)
 const struct openvpn_ipv6hdr *pip6;
 struct buffer newbuf;
-if (BLEN(buf) < (int) sizeof(struct openvpn_ipv6hdr))
+if (BLEN(buf) < (int)sizeof(struct openvpn_ipv6hdr))
 {
 return;
 }
 verify_align_4(buf);
-pip6 = (struct openvpn_ipv6hdr *) BPTR(buf);
+pip6 = (struct openvpn_ipv6hdr *)BPTR(buf);
 /* do we have the full IPv6 packet?
 * "payload_len" does not include IPv6 header (+40 bytes)
 */
-if (BLEN(buf) != (int) ntohs(pip6->payload_len)+40)
+if (BLEN(buf) != (int)ntohs(pip6->payload_len) + 40)
 {
 return;
 }
@@ -123,13 +120,12 @@ mss_fixup_ipv6(struct buffer *buf, uint16_t maxmss)
 * verify remainder is large enough to contain a full TCP header
 */
 newbuf = *buf;
-if (buf_advance( &newbuf, 40 )
-&& BLEN(&newbuf) >= (int) sizeof(struct openvpn_tcphdr))
+if (buf_advance(&newbuf, 40) && BLEN(&newbuf) >= (int)sizeof(struct openvpn_tcphdr))
 {
-struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *) BPTR(&newbuf);
+struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *)BPTR(&newbuf);
 if (tc->flags & OPENVPN_TCPH_SYN_MASK)
 {
-mss_fixup_dowork(&newbuf, maxmss-20);
+mss_fixup_dowork(&newbuf, maxmss - 20);
 }
 }
 }
@@ -148,25 +144,22 @@ mss_fixup_dowork(struct buffer *buf, uint16_t maxmss)
 int accumulate;
 struct openvpn_tcphdr *tc;
-if (BLEN(buf) < (int) sizeof(struct openvpn_tcphdr))
+if (BLEN(buf) < (int)sizeof(struct openvpn_tcphdr))
 {
 return;
 }
 verify_align_4(buf);
-tc = (struct openvpn_tcphdr *) BPTR(buf);
+tc = (struct openvpn_tcphdr *)BPTR(buf);
 hlen = OPENVPN_TCPH_GET_DOFF(tc->doff_res);
 /* Invalid header length or header without options. */
-if (hlen <= (int) sizeof(struct openvpn_tcphdr)
-|| hlen > BLEN(buf))
+if (hlen <= (int)sizeof(struct openvpn_tcphdr) || hlen > BLEN(buf))
 {
 return;
 }
-for (olen = hlen - (int) sizeof(struct openvpn_tcphdr),
-opt = (uint8_t *)(tc + 1);
-olen > 1;
+for (olen = hlen - (int)sizeof(struct openvpn_tcphdr), opt = (uint8_t *)(tc + 1); olen > 1;
 olen -= optlen, opt += optlen)
 {
 if (*opt == OPENVPN_TCPOPT_EOL)
@@ -196,8 +189,8 @@ mss_fixup_dowork(struct buffer *buf, uint16_t maxmss)
 {
 dmsg(D_MSS, "MSS: %" PRIu16 " -> %" PRIu16, mssval, maxmss);
 accumulate = htons(mssval);
-opt[2] = (uint8_t)((maxmss>>8)&0xff);
-opt[3] = (uint8_t)(maxmss&0xff);
+opt[2] = (uint8_t)((maxmss >> 8) & 0xff);
+opt[3] = (uint8_t)(maxmss & 0xff);
 accumulate -= htons(maxmss);
 ADJUST_CHECKSUM(accumulate, tc->check);
 }
@@ -227,8 +220,7 @@ adjust_payload_max_cbc(const struct key_type *kt, size_t target)
 }
 static size_t
-get_ip_encap_overhead(const struct options *options,
-const struct link_socket_info *lsi)
+get_ip_encap_overhead(const struct options *options, const struct link_socket_info *lsi)
 {
 /* Add the overhead of the encapsulating IP packets */
 sa_family_t af;
@@ -252,8 +244,7 @@ get_ip_encap_overhead(const struct options *options,
 }
 static void
-frame_calculate_fragment(struct frame *frame, struct key_type *kt,
-const struct options *options,
+frame_calculate_fragment(struct frame *frame, struct key_type *kt, const struct options *options,
 struct link_socket_info *lsi)
 {
 #if defined(ENABLE_FRAGMENT)
@@ -283,8 +274,7 @@ frame_calculate_fragment(struct frame *frame, struct key_type *kt,
 }
 static void
-frame_calculate_mssfix(struct frame *frame, struct key_type *kt,
-const struct options *options,
+frame_calculate_mssfix(struct frame *frame, struct key_type *kt, const struct options *options,
 struct link_socket_info *lsi)
 {
 if (options->ce.mssfix_fixed)
@@ -326,13 +316,10 @@ frame_calculate_mssfix(struct frame *frame, struct key_type *kt,
 /* This is the target value our payload needs to be smaller */
 size_t target = options->ce.mssfix - overhead;
 frame->mss_fix = (uint16_t)(adjust_payload_max_cbc(kt, target) - payload_overhead);
-
-
 }
 void
-frame_calculate_dynamic(struct frame *frame, struct key_type *kt,
-const struct options *options,
+frame_calculate_dynamic(struct frame *frame, struct key_type *kt, const struct options *options,
 struct link_socket_info *lsi)
 {
 if (options->ce.fragment > 0)
@@ -363,30 +350,29 @@ frame_adjust_path_mtu(struct context *c)
 int encap_overhead = datagram_overhead(af, proto);
 /* check if mssfix and fragment need to be adjusted */
-if (pmtu < o->ce.mssfix
-|| (o->ce.mssfix_encap && pmtu < o->ce.mssfix + encap_overhead))
+if (pmtu < o->ce.mssfix || (o->ce.mssfix_encap && pmtu < o->ce.mssfix + encap_overhead))
 {
 const char *mtustr = o->ce.mssfix_encap ? " mtu" : "";
-msg(D_MTU_INFO, "Note adjusting 'mssfix %d%s' to 'mssfix %d mtu' "
-"according to path MTU discovery", o->ce.mssfix,
-mtustr, pmtu);
+msg(D_MTU_INFO,
+"Note adjusting 'mssfix %d%s' to 'mssfix %d mtu' "
+"according to path MTU discovery",
+o->ce.mssfix, mtustr, pmtu);
 o->ce.mssfix = pmtu;
 o->ce.mssfix_encap = true;
 frame_calculate_dynamic(&c->c2.frame, &c->c1.ks.key_type, o, lsi);
 }
 #if defined(ENABLE_FRAGMENT)
-if (pmtu < o->ce.fragment
-|| (o->ce.fragment_encap && pmtu < o->ce.fragment + encap_overhead))
+if (pmtu < o->ce.fragment || (o->ce.fragment_encap && pmtu < o->ce.fragment + encap_overhead))
 {
 const char *mtustr = o->ce.fragment_encap ? " mtu" : "";
-msg(D_MTU_INFO, "Note adjusting 'fragment %d%s' to 'fragment %d mtu' "
-"according to path MTU discovery", o->ce.fragment,
-mtustr, pmtu);
+msg(D_MTU_INFO,
+"Note adjusting 'fragment %d%s' to 'fragment %d mtu' "
+"according to path MTU discovery",
+o->ce.fragment, mtustr, pmtu);
 o->ce.fragment = pmtu;
 o->ce.fragment_encap = true;
-frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type,
-o, lsi);
+frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type, o, lsi);
 }
 #endif
 }
diff --git a/src/openvpn/mss.h b/src/openvpn/mss.h
index 1b1eafb09..05f12a73f 100644
--- a/src/openvpn/mss.h
+++ b/src/openvpn/mss.h
@@ -36,8 +36,7 @@ void mss_fixup_dowork(struct buffer *buf, uint16_t maxmss);
 /** Set the --mssfix option. */
 void frame_calculate_dynamic(struct frame *frame, struct key_type *kt,
-const struct options *options,
-struct link_socket_info *lsi);
+const struct options *options, struct link_socket_info *lsi);
 /**
 * Checks and adjusts the fragment and mssfix value according to the
diff --git a/src/openvpn/mstats.c b/src/openvpn/mstats.c
index d9ecee3a3..bd6316cdf 100644
--- a/src/openvpn/mstats.c
+++ b/src/openvpn/mstats.c
@@ -83,7 +83,7 @@ mstats_open(const char *fn)
 }
 /* mmap the file */
-data = mmap(NULL, sizeof(struct mmap_stats), PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
+data = mmap(NULL, sizeof(struct mmap_stats), PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
 if (data == MAP_FAILED)
 {
 msg(M_ERR, "mstats_open: write error: %s", fn);
diff --git a/src/openvpn/mstats.h b/src/openvpn/mstats.h
index b9f33b680..c38b0f2ee 100644
--- a/src/openvpn/mstats.h
+++ b/src/openvpn/mstats.h
@@ -30,7 +30,8 @@
 #include "basic.h"
 /* this struct is mapped to the file */
-struct mmap_stats {
+struct mmap_stats
+{
 counter_type link_read_bytes; /* counter_type can be assumed to be a uint64_t */
 counter_type link_write_bytes;
 int n_clients;
diff --git a/src/openvpn/mtcp.c b/src/openvpn/mtcp.c
index 97817242b..81310a2bb 100644
--- a/src/openvpn/mtcp.c
+++ b/src/openvpn/mtcp.c
@@ -66,8 +66,9 @@ multi_create_instance_tcp(struct multi_context *m, struct link_socket *sock)
 if (he)
 {
-struct multi_instance *oldmi = (struct multi_instance *) he->value;
-msg(D_MULTI_LOW, "MULTI TCP: new incoming client address matches existing client address -- new client takes precedence");
+struct multi_instance *oldmi = (struct multi_instance *)he->value;
+msg(D_MULTI_LOW,
+"MULTI TCP: new incoming client address matches existing client address -- new client takes precedence");
 oldmi->did_real_hash = false;
 multi_close_instance(m, oldmi, false);
 he->key = &mi->real;
@@ -108,12 +109,10 @@ multi_tcp_instance_specific_init(struct multi_context *m, struct multi_instance
 ASSERT(mi->context.c2.link_sockets[0]->info.lsa);
 ASSERT(mi->context.c2.link_sockets[0]->mode == LS_MODE_TCP_ACCEPT_FROM);
 ASSERT(mi->context.c2.link_sockets[0]->info.lsa->actual.dest.addr.sa.sa_family == AF_INET
-|| mi->context.c2.link_sockets[0]->info.lsa->actual.dest.addr.sa.sa_family == AF_INET6
-);
+|| mi->context.c2.link_sockets[0]->info.lsa->actual.dest.addr.sa.sa_family == AF_INET6);
 mi->real.proto = mi->context.c2.link_sockets[0]->info.proto;
-if (!mroute_extract_openvpn_sockaddr(&mi->real,
-&mi->context.c2.link_sockets[0]->info.lsa->actual.dest,
-true))
+if (!mroute_extract_openvpn_sockaddr(
+&mi->real, &mi->context.c2.link_sockets[0]->info.lsa->actual.dest, true))
 {
 msg(D_MULTI_ERRORS, "MULTI TCP: TCP client address is undefined");
 return false;
@@ -149,7 +148,8 @@ multi_tcp_dereference_instance(struct multi_io *multi_io, struct multi_instance
 }
 bool
-multi_tcp_process_outgoing_link_ready(struct multi_context *m, struct multi_instance *mi, const unsigned int mpp_flags)
+multi_tcp_process_outgoing_link_ready(struct multi_context *m, struct multi_instance *mi,
+const unsigned int mpp_flags)
 {
 struct mbuf_item item;
 bool ret = true;
diff --git a/src/openvpn/mtcp.h b/src/openvpn/mtcp.h
index 5158427d8..f4b806ccf 100644
--- a/src/openvpn/mtcp.h
+++ b/src/openvpn/mtcp.h
@@ -39,9 +39,11 @@ bool multi_tcp_instance_specific_init(struct multi_context *m, struct multi_inst
void multi_tcp_instance_specific_free(struct multi_instance *mi);
-bool multi_tcp_process_outgoing_link(struct multi_context *m, bool defer, const unsigned int mpp_flags);
+bool multi_tcp_process_outgoing_link(struct multi_context *m, bool defer,
+ const unsigned int mpp_flags);
-bool multi_tcp_process_outgoing_link_ready(struct multi_context *m, struct multi_instance *mi, const unsigned int mpp_flags);
+bool multi_tcp_process_outgoing_link_ready(struct multi_context *m, struct multi_instance *mi,
+ const unsigned int mpp_flags);
struct multi_instance *multi_create_instance_tcp(struct multi_context *m, struct link_socket *sock);
diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c
index 7245f9560..c9d3389b9 100644
--- a/src/openvpn/mtu.c
+++ b/src/openvpn/mtu.c
@@ -38,8 +38,7 @@
/* allocate a buffer for socket or tun layer */
void
-alloc_buf_sock_tun(struct buffer *buf,
- const struct frame *frame)
+alloc_buf_sock_tun(struct buffer *buf, const struct frame *frame)
{
/* allocate buffer for overlapped I/O */
*buf = alloc_buf(BUF_SIZE(frame));
@@ -59,8 +58,7 @@ calc_packet_id_size_dc(const struct options *options, const struct key_type *kt)
}
size_t
-frame_calculate_protocol_header_size(const struct key_type *kt,
- const struct options *options,
+frame_calculate_protocol_header_size(const struct key_type *kt, const struct options *options,
bool occ)
{
/* Sum of all the overhead that reduces the usable packet size */
@@ -97,8 +95,7 @@ frame_calculate_protocol_header_size(const struct key_type *kt,
size_t
-frame_calculate_payload_overhead(size_t extra_tun,
- const struct options *options,
+frame_calculate_payload_overhead(size_t extra_tun, const struct options *options,
const struct key_type *kt)
{
size_t overhead = 0;
@@ -138,8 +135,7 @@ frame_calculate_payload_overhead(size_t extra_tun,
}
size_t
-frame_calculate_payload_size(const struct frame *frame,
- const struct options *options,
+frame_calculate_payload_size(const struct frame *frame, const struct options *options,
const struct key_type *kt)
{
size_t payload_size = options->ce.tun_mtu;
@@ -174,7 +170,7 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
* overhead */
/* overhead of BF-CBC: 64 bit block size, 64 bit IV size */
- overhead += 64/8 + 64/8;
+ overhead += 64 / 8 + 64 / 8;
/* set ciphername to none, so its size does get added in the
* fake_kt and the cipher is not tried to be resolved */
ciphername = "none";
@@ -191,9 +187,7 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
}
void
-frame_print(const struct frame *frame,
- int level,
- const char *prefix)
+frame_print(const struct frame *frame, int level, const char *prefix)
{
struct gc_arena gc = gc_new();
struct buffer out = alloc_buf_gc(256, &gc);
@@ -229,19 +223,18 @@ set_mtu_discover_type(socket_descriptor_t sd, int mtu_type, sa_family_t proto_af
{
#if defined(IP_MTU_DISCOVER)
case AF_INET:
- if (setsockopt(sd, IPPROTO_IP, IP_MTU_DISCOVER,
- (void *) &mtu_type, sizeof(mtu_type)))
+ if (setsockopt(sd, IPPROTO_IP, IP_MTU_DISCOVER, (void *)&mtu_type,
+ sizeof(mtu_type)))
{
- msg(M_ERR, "Error setting IP_MTU_DISCOVER type=%d on TCP/UDP socket",
- mtu_type);
+ msg(M_ERR, "Error setting IP_MTU_DISCOVER type=%d on TCP/UDP socket", mtu_type);
}
break;
#endif
#if defined(IPV6_MTU_DISCOVER)
case AF_INET6:
- if (setsockopt(sd, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
- (void *) &mtu_type, sizeof(mtu_type)))
+ if (setsockopt(sd, IPPROTO_IPV6, IPV6_MTU_DISCOVER, (void *)&mtu_type,
+ sizeof(mtu_type)))
{
msg(M_ERR, "Error setting IPV6_MTU_DISCOVER type=%d on TCP6/UDP6 socket", mtu_type);
@@ -272,13 +265,11 @@ translate_mtu_discover_type_name(const char *name)
{
return IP_PMTUDISC_DONT;
}
- msg(M_FATAL,
- "invalid --mtu-disc type: '%s' -- valid types are 'yes', 'maybe', or 'no'",
- name);
-#else /* if defined(IP_PMTUDISC_DONT) && defined(IP_PMTUDISC_WANT) && defined(IP_PMTUDISC_DO) */
+ msg(M_FATAL, "invalid --mtu-disc type: '%s' -- valid types are 'yes', 'maybe', or 'no'", name);
+#else /* if defined(IP_PMTUDISC_DONT) && defined(IP_PMTUDISC_WANT) && defined(IP_PMTUDISC_DO) */
msg(M_FATAL, MTUDISC_NOT_SUPPORTED_MSG);
#endif
- return -1; /* NOTREACHED */
+ return -1; /* NOTREACHED */
}
#if EXTENDED_SOCKET_ERROR_CAPABILITY
@@ -300,7 +291,7 @@ format_extended_socket_error(int fd, int *mtu, struct gc_arena *gc)
struct sock_extended_err *e;
struct sockaddr_storage addr;
struct buffer out = alloc_buf_gc(256, gc);
- char *cbuf = (char *) gc_malloc(256, false, gc);
+ char *cbuf = (char *)gc_malloc(256, false, gc);
*mtu = 0;
@@ -309,7 +300,7 @@ format_extended_socket_error(int fd, int *mtu, struct gc_arena *gc)
memset(&rcvbuf, -1, sizeof(rcvbuf));
iov.iov_base = &rcvbuf;
iov.iov_len = sizeof(rcvbuf);
- msg.msg_name = (uint8_t *) &addr;
+ msg.msg_name = (uint8_t *)&addr;
msg.msg_namelen = sizeof(addr);
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
@@ -331,7 +322,7 @@ format_extended_socket_error(int fd, int *mtu, struct gc_arena *gc)
{
if (cmsg->cmsg_type == IP_RECVERR)
{
- e = (struct sock_extended_err *) CMSG_DATA(cmsg);
+ e = (struct sock_extended_err *)CMSG_DATA(cmsg);
}
else
{
@@ -342,7 +333,7 @@ format_extended_socket_error(int fd, int *mtu, struct gc_arena *gc)
{
if (cmsg->cmsg_type == IPV6_RECVERR)
{
- e = (struct sock_extended_err *) CMSG_DATA(cmsg);
+ e = (struct sock_extended_err *)CMSG_DATA(cmsg);
}
else
{
@@ -405,7 +396,7 @@ set_sock_extended_error_passing(int sd, sa_family_t proto_af)
/* see "man 7 ip" (on Linux)
* this works on IPv4 and IPv6(-dual-stack) sockets (v4-mapped) */
- if (setsockopt(sd, SOL_IP, IP_RECVERR, (void *) &on, sizeof(on)) != 0)
+ if (setsockopt(sd, SOL_IP, IP_RECVERR, (void *)&on, sizeof(on)) != 0)
{
msg(M_WARN | M_ERRNO, "Note: enable extended error passing on TCP/UDP socket failed (IP_RECVERR)");
@@ -414,7 +405,7 @@ set_sock_extended_error_passing(int sd, sa_family_t proto_af)
* this only works on IPv6 sockets */
if (proto_af == AF_INET6
- && setsockopt(sd, IPPROTO_IPV6, IPV6_RECVERR, (void *) &on, sizeof(on)) != 0)
+ && setsockopt(sd, IPPROTO_IPV6, IPV6_RECVERR, (void *)&on, sizeof(on)) != 0)
{
msg(M_WARN | M_ERRNO, "Note: enable extended error passing on TCP/UDP socket failed (IPV6_RECVERR)");
diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h
index 64fd5b9c4..925ef0bfa 100644
--- a/src/openvpn/mtu.h
+++ b/src/openvpn/mtu.h
@@ -50,38 +50,38 @@
/*
* Standard ethernet MTU
*/
-#define ETHERNET_MTU 1500
+#define ETHERNET_MTU 1500
/*
* It is a fatal error if mtu is less than
* this value for tun device.
*/
-#define TUN_MTU_MIN 100
+#define TUN_MTU_MIN 100
/*
* Default MTU of network over which tunnel data will pass by TCP/UDP.
*/
-#define LINK_MTU_DEFAULT 1500
+#define LINK_MTU_DEFAULT 1500
/*
* Default MTU of tunnel device.
*/
-#define TUN_MTU_DEFAULT 1500
+#define TUN_MTU_DEFAULT 1500
/*
* MTU Defaults for TAP devices
*/
-#define TAP_MTU_EXTRA_DEFAULT 32
+#define TAP_MTU_EXTRA_DEFAULT 32
/*
* Default MSSFIX value, used for reducing TCP MTU size
*/
-#define MSSFIX_DEFAULT 1492
+#define MSSFIX_DEFAULT 1492
/*
* Default maximum size of control channel packets
*/
-#define TLS_MTU_DEFAULT 1250
+#define TLS_MTU_DEFAULT 1250
/*
* Alignment of payload data such as IP packet or
@@ -94,62 +94,64 @@
/**
* Packet geometry parameters.
*/
-struct frame {
- struct {
+struct frame
+{
+ struct
+ {
/* This struct holds all the information about the buffers that are
* allocated to match this frame */
- int payload_size; /**< the maximum size that a payload that our
- * buffers can hold from either tun device
- * or network link.
- */
+ int payload_size; /**< the maximum size that a payload that our
+ * buffers can hold from either tun device
+ * or network link.
+ */
- int headroom; /**< the headroom in the buffer, this is choosen
- * to allow all potential header to be added
- * before the packet */
+ int headroom; /**< the headroom in the buffer, this is choosen
+ * to allow all potential header to be added
+ * before the packet */
- int tailroom; /**< the tailroom in the buffer. Chosen large
- * enough to also accompany any extrea header
- * or work space required by
- * decryption/encryption or compression. */
+ int tailroom; /**< the tailroom in the buffer. Chosen large
+ * enough to also accompany any extrea header
+ * or work space required by
+ * decryption/encryption or compression. */
} buf;
- uint16_t mss_fix; /**< The actual MSS value that should be
- * written to the payload packets. This
- * is the value for IPv4 TCP packets. For
- * IPv6 packets another 20 bytes must
- * be subtracted */
-
- int max_fragment_size; /**< The maximum size of a fragment.
- * Fragmentation is done on the unencrypted
- * payload after (potential) compression. So
- * this value specifies the maximum payload
- * size that can be send in a single fragment
- */
-
- int tun_mtu; /**< the (user) configured tun-mtu. This is used
- * in configuring the tun interface or
- * in calculations that use the desired size
- * of the payload in the buffer.
- *
- * This variable is also used in control
- * frame context to set the desired maximum
- * control frame payload (although most of
- * code ignores it)
- */
- int tun_max_mtu; /**< the maximum tun-mtu size the buffers are
- * are sized for. This is the upper bound that
- * a server can push as MTU */
-
- int extra_tun; /**< Maximum number of bytes in excess of
- * the tun/tap MTU that might be read
- * from or written to the virtual
- * tun/tap network interface.
- *
- * Only set with the option --tun-mtu-extra
- * which defaults to 0 for tun and 32
- * (\c TAP_MTU_EXTRA_DEFAULT) for tap.
- * */
+ uint16_t mss_fix; /**< The actual MSS value that should be
+ * written to the payload packets. This
+ * is the value for IPv4 TCP packets. For
+ * IPv6 packets another 20 bytes must
+ * be subtracted */
+
+ int max_fragment_size; /**< The maximum size of a fragment.
+ * Fragmentation is done on the unencrypted
+ * payload after (potential) compression. So
+ * this value specifies the maximum payload
+ * size that can be send in a single fragment
+ */
+
+ int tun_mtu; /**< the (user) configured tun-mtu. This is used
+ * in configuring the tun interface or
+ * in calculations that use the desired size
+ * of the payload in the buffer.
+ *
+ * This variable is also used in control
+ * frame context to set the desired maximum
+ * control frame payload (although most of
+ * code ignores it)
+ */
+ int tun_max_mtu; /**< the maximum tun-mtu size the buffers are
+ * are sized for. This is the upper bound that
+ * a server can push as MTU */
+
+ int extra_tun; /**< Maximum number of bytes in excess of
+ * the tun/tap MTU that might be read
+ * from or written to the virtual
+ * tun/tap network interface.
+ *
+ * Only set with the option --tun-mtu-extra
+ * which defaults to 0 for tun and 32
+ * (\c TAP_MTU_EXTRA_DEFAULT) for tap.
+ * */
};
/* Forward declarations, to prevent includes */
@@ -174,9 +176,7 @@ struct options;
* Function prototypes.
*/
-void frame_print(const struct frame *frame,
- int level,
- const char *prefix);
+void frame_print(const struct frame *frame, int level, const char *prefix);
void set_mtu_discover_type(socket_descriptor_t sd, int mtu_type, sa_family_t proto_af);
@@ -194,10 +194,8 @@ struct key_type;
* * * [IP][UDP][OPENVPN PROTOCOL HEADER][ **PAYLOAD incl compression header** ]
*/
-size_t
-frame_calculate_payload_size(const struct frame *frame,
- const struct options *options,
- const struct key_type *kt);
+size_t frame_calculate_payload_size(const struct frame *frame, const struct options *options,
+ const struct key_type *kt);
/**
* Calculates the size of the payload overhead according to tun-mtu and
@@ -215,10 +213,8 @@ frame_calculate_payload_size(const struct frame *frame,
* * * [IP][UDP][OPENVPN PROTOCOL HEADER][ **PAYLOAD incl compression header** ]
*/
-size_t
-frame_calculate_payload_overhead(size_t extra_tun,
- const struct options *options,
- const struct key_type *kt);
+size_t frame_calculate_payload_overhead(size_t extra_tun, const struct options *options,
+ const struct key_type *kt);
/**
@@ -236,10 +232,8 @@ frame_calculate_payload_overhead(size_t extra_tun,
* @param occ Use the calculation for the OCC link-mtu
* @return size of the overhead in bytes
*/
-size_t
-frame_calculate_protocol_header_size(const struct key_type *kt,
- const struct options *options,
- bool occ);
+size_t frame_calculate_protocol_header_size(const struct key_type *kt,
+ const struct options *options, bool occ);
/**
* Calculate the link-mtu to advertise to our peer. The actual value is not
@@ -248,23 +242,18 @@ frame_calculate_protocol_header_size(const struct key_type *kt,
* value they expect. This assumes that the traditional cipher/auth directives
* in the config match the config of the peer.
*/
-size_t
-calc_options_string_link_mtu(const struct options *options,
- const struct frame *frame);
+size_t calc_options_string_link_mtu(const struct options *options, const struct frame *frame);
/**
* Return the size of the packet ID size that is currently in use by cipher and
* options for the data channel.
*/
-unsigned int
-calc_packet_id_size_dc(const struct options *options,
- const struct key_type *kt);
+unsigned int calc_packet_id_size_dc(const struct options *options, const struct key_type *kt);
/*
* allocate a buffer for socket or tun layer
*/
-void alloc_buf_sock_tun(struct buffer *buf,
- const struct frame *frame);
+void alloc_buf_sock_tun(struct buffer *buf, const struct frame *frame);
/*
* EXTENDED_SOCKET_ERROR_CAPABILITY functions -- print extra error info
diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c
index 575527370..7259a4bb6 100644
--- a/src/openvpn/mudp.c
+++ b/src/openvpn/mudp.c
@@ -38,18 +38,15 @@
#endif
static void
-send_hmac_reset_packet(struct multi_context *m,
- struct tls_pre_decrypt_state *state,
- struct tls_auth_standalone *tas,
- struct session_id *sid,
+send_hmac_reset_packet(struct multi_context *m, struct tls_pre_decrypt_state *state,
+ struct tls_auth_standalone *tas, struct session_id *sid,
bool request_resend_wkc)
{
reset_packet_id_send(&state->tls_wrap_tmp.opt.packet_id.send);
state->tls_wrap_tmp.opt.packet_id.rec.initialized = true;
uint8_t header = 0 | (P_CONTROL_HARD_RESET_SERVER_V2 << P_OPCODE_SHIFT);
struct buffer buf = tls_reset_standalone(&state->tls_wrap_tmp, tas, sid,
- &state->peer_session_id, header,
- request_resend_wkc);
+ &state->peer_session_id, header, request_resend_wkc);
struct context *c = &m->top;
@@ -65,8 +62,7 @@ send_hmac_reset_packet(struct multi_context *m,
/* Returns true if this packet should create a new session */
static bool
-do_pre_decrypt_check(struct multi_context *m,
- struct tls_pre_decrypt_state *state,
+do_pre_decrypt_check(struct multi_context *m, struct tls_pre_decrypt_state *state,
struct mroute_addr addr)
{
ASSERT(m->top.c2.tls_auth_standalone);
@@ -108,8 +104,8 @@ do_pre_decrypt_check(struct multi_context *m,
if (early_neg_support)
{
/* Calculate the session ID HMAC for our reply and create reset packet */
- struct session_id sid = calculate_session_id_hmac(state->peer_session_id,
- from, hmac, handwindow, 0);
+ struct session_id sid =
+ calculate_session_id_hmac(state->peer_session_id, from, hmac, handwindow, 0);
send_hmac_reset_packet(m, state, tas, &sid, true);
return false;
@@ -124,8 +120,10 @@ do_pre_decrypt_check(struct multi_context *m,
{
struct gc_arena gc = gc_new();
const char *peer = print_link_socket_actual(&m->top.c2.from, &gc);
- msg(D_MULTI_DEBUG, "tls-crypt-v2 force-cookie is enabled, "
- "ignoring connection attempt from old client (%s)", peer);
+ msg(D_MULTI_DEBUG,
+ "tls-crypt-v2 force-cookie is enabled, "
+ "ignoring connection attempt from old client (%s)",
+ peer);
gc_free(&gc);
return false;
}
@@ -138,14 +136,13 @@ do_pre_decrypt_check(struct multi_context *m,
else if (verdict == VERDICT_VALID_RESET_V2)
{
/* Calculate the session ID HMAC for our reply and create reset packet */
- struct session_id sid = calculate_session_id_hmac(state->peer_session_id,
- from, hmac, handwindow, 0);
+ struct session_id sid =
+ calculate_session_id_hmac(state->peer_session_id, from, hmac, handwindow, 0);
send_hmac_reset_packet(m, state, tas, &sid, false);
/* We have a reply do not create a new session */
return false;
-
}
else if (verdict == VERDICT_VALID_CONTROL_V1 || verdict == VERDICT_VALID_ACK_V1 || verdict == VERDICT_VALID_WKC_V1)
@@ -157,7 +154,7 @@ do_pre_decrypt_check(struct multi_context *m,
bool ret = check_session_id_hmac(state, from, hmac, handwindow);
const char *peer = print_link_socket_actual(&m->top.c2.from, &gc);
- uint8_t pkt_firstbyte = *BPTR( &m->top.c2.buf);
+ uint8_t pkt_firstbyte = *BPTR(&m->top.c2.buf);
int op = pkt_firstbyte >> P_OPCODE_SHIFT;
if (!ret)
@@ -167,8 +164,10 @@ do_pre_decrypt_check(struct multi_context *m,
}
else
{
- msg(D_MULTI_DEBUG, "Valid packet (%s) with HMAC challenge from peer (%s), "
- "accepting new connection.", packet_opcode_name(op), peer);
+ msg(D_MULTI_DEBUG,
+ "Valid packet (%s) with HMAC challenge from peer (%s), "
+ "accepting new connection.",
+ packet_opcode_name(op), peer);
}
gc_free(&gc);
@@ -186,18 +185,16 @@ do_pre_decrypt_check(struct multi_context *m,
*/
struct multi_instance *
-multi_get_create_instance_udp(struct multi_context *m, bool *floated,
- struct link_socket *sock)
+multi_get_create_instance_udp(struct multi_context *m, bool *floated, struct link_socket *sock)
{
struct gc_arena gc = gc_new();
- struct mroute_addr real = {0};
+ struct mroute_addr real = { 0 };
struct multi_instance *mi = NULL;
struct hash *hash = m->hash;
real.proto = sock->info.proto;
m->hmac_reply_ls = sock;
- if (mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true)
- && m->top.c2.buf.len > 0)
+ if (mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true) && m->top.c2.buf.len > 0)
{
struct hash_element *he;
const uint32_t hv = hash_value(hash, &real);
@@ -217,14 +214,16 @@ multi_get_create_instance_udp(struct multi_context *m, bool *floated,
{
/* Floating on TCP will never be possible, so ensure we only process
* UDP clients */
- if (m->instances[peer_id]->context.c2.link_sockets[0]->info.proto == sock->info.proto)
+ if (m->instances[peer_id]->context.c2.link_sockets[0]->info.proto
+ == sock->info.proto)
{
mi = m->instances[peer_id];
*floated = !link_socket_actual_match(&mi->context.c2.from, &m->top.c2.from);
if (*floated)
{
- /* reset prefix, since here we are not sure peer is the one it claims to be */
+ /* reset prefix, since here we are not sure peer is the one it claims to be
+ */
ungenerate_prefix(mi);
msg(D_MULTI_MEDIUM, "Float requested for peer %" PRIu32 " to %s", peer_id, mroute_addr_print(&real, &gc));
@@ -237,19 +236,20 @@ multi_get_create_instance_udp(struct multi_context *m, bool *floated,
he = hash_lookup_fast(hash, bucket, &real, hv);
if (he)
{
- mi = (struct multi_instance *) he->value;
+ mi = (struct multi_instance *)he->value;
}
}
/* we have no existing multi instance for this connection */
if (!mi)
{
- struct tls_pre_decrypt_state state = {0};
+ struct tls_pre_decrypt_state state = { 0 };
if (m->deferred_shutdown_signal.signal_received)
{
msg(D_MULTI_ERRORS, "MULTI: Connection attempt from %s ignored while server is "
- "shutting down", mroute_addr_print(&real, &gc));
+ "shutting down",
+ mroute_addr_print(&real, &gc));
}
else if (do_pre_decrypt_check(m, &state, real))
{
@@ -277,7 +277,8 @@ multi_get_create_instance_udp(struct multi_context *m, bool *floated,
&& session_id_defined((&state.peer_session_id)))
{
mi->context.c2.tls_multi->n_sessions++;
- struct tls_session *session = &mi->context.c2.tls_multi->session[TM_INITIAL];
+ struct tls_session *session =
+ &mi->context.c2.tls_multi->session[TM_INITIAL];
session_skip_to_pre_start(session, &state, &m->top.c2.from);
}
}
@@ -297,9 +298,7 @@ multi_get_create_instance_udp(struct multi_context *m, bool *floated,
{
const char *status = mi ? "[ok]" : "[failed]";
- dmsg(D_MULTI_DEBUG, "GET INST BY REAL: %s %s",
- mroute_addr_print(&real, &gc),
- status);
+ dmsg(D_MULTI_DEBUG, "GET INST BY REAL: %s %s", mroute_addr_print(&real, &gc), status);
}
#endif
}
@@ -339,8 +338,8 @@ multi_process_io_udp(struct multi_context *m, struct link_socket *sock)
{
const unsigned int status = m->multi_io->udp_flags;
const unsigned int mpp_flags = m->top.c2.fast_io
- ? (MPP_CONDITIONAL_PRE_SELECT | MPP_CLOSE_ON_SIGNAL)
- : (MPP_PRE_SELECT | MPP_CLOSE_ON_SIGNAL);
+ ? (MPP_CONDITIONAL_PRE_SELECT | MPP_CLOSE_ON_SIGNAL)
+ : (MPP_PRE_SELECT | MPP_CLOSE_ON_SIGNAL);
#ifdef MULTI_DEBUG_EVENT_LOOP
char buf[16];
@@ -369,7 +368,7 @@ multi_process_io_udp(struct multi_context *m, struct link_socket *sock)
#endif /* ifdef MULTI_DEBUG_EVENT_LOOP */
#ifdef ENABLE_MANAGEMENT
- if (status & (MANAGEMENT_READ|MANAGEMENT_WRITE))
+ if (status & (MANAGEMENT_READ | MANAGEMENT_WRITE))
{
ASSERT(management);
management_io(management);
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index a306b1250..8b352e95a 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -91,9 +91,7 @@ update_mstat_n_clients(const int n_clients)
}
static bool
-learn_address_script(const struct multi_context *m,
- const struct multi_instance *mi,
- const char *op,
+learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op,
const struct mroute_addr *addr)
{
struct gc_arena gc = gc_new();
@@ -124,14 +122,13 @@ learn_address_script(const struct multi_context *m,
if (plugin_defined(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS))
{
struct argv argv = argv_new();
- argv_printf(&argv, "%s %s",
- op,
- mroute_addr_print(addr, &gc));
+ argv_printf(&argv, "%s %s", op, mroute_addr_print(addr, &gc));
if (mi)
{
argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
}
- if (plugin_call(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
+ if (plugin_call(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS, &argv, NULL, es)
+ != OPENVPN_PLUGIN_FUNC_SUCCESS)
{
msg(M_WARN, "WARNING: learn-address plugin call failed");
ret = false;
@@ -164,8 +161,7 @@ void
multi_ifconfig_pool_persist(struct multi_context *m, bool force)
{
/* write pool data to file */
- if (m->ifconfig_pool
- && m->top.c1.ifconfig_pool_persist
+ if (m->ifconfig_pool && m->top.c1.ifconfig_pool_persist
&& (force || ifconfig_pool_write_trigger(m->top.c1.ifconfig_pool_persist)))
{
ifconfig_pool_write(m->top.c1.ifconfig_pool_persist, m->ifconfig_pool);
@@ -173,9 +169,7 @@ multi_ifconfig_pool_persist(struct multi_context *m, bool force)
}
static void
-multi_reap_range(const struct multi_context *m,
- int start_bucket,
- int end_bucket)
+multi_reap_range(const struct multi_context *m, int start_bucket, int end_bucket)
{
struct gc_arena gc = gc_new();
struct hash_iterator hi;
@@ -191,11 +185,10 @@ multi_reap_range(const struct multi_context *m,
hash_iterator_init_range(m->vhash, &hi, start_bucket, end_bucket);
while ((he = hash_iterator_next(&hi)) != NULL)
{
- struct multi_route *r = (struct multi_route *) he->value;
+ struct multi_route *r = (struct multi_route *)he->value;
if (!multi_route_defined(m, r))
{
- dmsg(D_MULTI_DEBUG, "MULTI: REAP DEL %s",
- mroute_addr_print(&r->addr, &gc));
+ dmsg(D_MULTI_DEBUG, "MULTI: REAP DEL %s", mroute_addr_print(&r->addr, &gc));
learn_address_script(m, NULL, "delete", &r->addr);
multi_route_del(r);
hash_iterator_delete_element(&hi);
@@ -256,7 +249,7 @@ static uint32_t
cid_hash_function(const void *key, uint32_t iv)
{
const unsigned long *k = (const unsigned long *)key;
- return (uint32_t) *k;
+ return (uint32_t)*k;
}
static bool
@@ -295,8 +288,7 @@ multi_init(struct context *t)
struct multi_context *m = t->multi;
int dev = DEV_TYPE_UNDEF;
- msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d",
- t->options.real_hash_size,
+ msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d", t->options.real_hash_size,
t->options.virtual_hash_size);
/*
@@ -315,18 +307,14 @@ multi_init(struct context *t)
* to determine which client sent an incoming packet
* which is seen on the TCP/UDP socket.
*/
- m->hash = hash_init(t->options.real_hash_size,
- get_random(),
- mroute_addr_hash_function,
+ m->hash = hash_init(t->options.real_hash_size, get_random(), mroute_addr_hash_function,
mroute_addr_compare_function);
/*
* Virtual address hash table. Used to determine
* which client to route a packet to.
*/
- m->vhash = hash_init(t->options.virtual_hash_size,
- get_random(),
- mroute_addr_hash_function,
+ m->vhash = hash_init(t->options.virtual_hash_size, get_random(), mroute_addr_hash_function,
mroute_addr_compare_function);
/*
@@ -334,16 +322,10 @@ multi_init(struct context *t)
* bucket size of one so that it can be used
* for fast iteration through the list.
*/
- m->iter = hash_init(1,
- get_random(),
- mroute_addr_hash_function,
- mroute_addr_compare_function);
+ m->iter = hash_init(1, get_random(), mroute_addr_hash_function, mroute_addr_compare_function);
#ifdef ENABLE_MANAGEMENT
- m->cid_hash = hash_init(t->options.real_hash_size,
- 0,
- cid_hash_function,
- cid_compare_function);
+ m->cid_hash = hash_init(t->options.real_hash_size, 0, cid_hash_function, cid_compare_function);
#endif
#ifdef ENABLE_ASYNC_PUSH
@@ -351,10 +333,8 @@ multi_init(struct context *t)
* Mapping between inotify watch descriptors and
* multi_instances.
*/
- m->inotify_watchers = hash_init(t->options.real_hash_size,
- get_random(),
- int_hash_function,
- int_compare_function);
+ m->inotify_watchers =
+ hash_init(t->options.real_hash_size, get_random(), int_hash_function, int_compare_function);
#endif
/*
@@ -367,10 +347,9 @@ multi_init(struct context *t)
* Limit frequency of incoming connections to control
* DoS.
*/
- m->new_connection_limiter = frequency_limit_init(t->options.cf_max,
- t->options.cf_per);
- m->initial_rate_limiter = initial_rate_limit_init(t->options.cf_initial_max,
- t->options.cf_initial_per);
+ m->new_connection_limiter = frequency_limit_init(t->options.cf_max, t->options.cf_per);
+ m->initial_rate_limiter =
+ initial_rate_limit_init(t->options.cf_initial_max, t->options.cf_initial_per);
/*
* Allocate broadcast/multicast buffer list
@@ -387,8 +366,7 @@ multi_init(struct context *t)
* differently based on whether a tun or tap style
* tunnel.
*/
- if (t->options.ifconfig_pool_defined
- || t->options.ifconfig_ipv6_pool_defined)
+ if (t->options.ifconfig_pool_defined || t->options.ifconfig_ipv6_pool_defined)
{
int pool_type = IFCONFIG_POOL_INDIV;
@@ -397,14 +375,11 @@ multi_init(struct context *t)
pool_type = IFCONFIG_POOL_30NET;
}
- m->ifconfig_pool = ifconfig_pool_init(t->options.ifconfig_pool_defined,
- pool_type,
- t->options.ifconfig_pool_start,
- t->options.ifconfig_pool_end,
- t->options.duplicate_cn,
- t->options.ifconfig_ipv6_pool_defined,
- t->options.ifconfig_ipv6_pool_base,
- t->options.ifconfig_ipv6_pool_netbits );
+ m->ifconfig_pool = ifconfig_pool_init(
+ t->options.ifconfig_pool_defined, pool_type, t->options.ifconfig_pool_start,
+ t->options.ifconfig_pool_end, t->options.duplicate_cn,
+ t->options.ifconfig_ipv6_pool_defined, t->options.ifconfig_ipv6_pool_base,
+ t->options.ifconfig_ipv6_pool_netbits);
/* reload pool data from file */
if (t->c1.ifconfig_pool_persist)
@@ -454,7 +429,8 @@ multi_init(struct context *t)
/* initialize stale routes check timer */
if (t->options.stale_routes_check_interval > 0)
{
- msg(M_INFO, "Initializing stale route check timer to run every %i seconds and to removing routes with activity timeout older than %i seconds",
+ msg(M_INFO,
+ "Initializing stale route check timer to run every %i seconds and to removing routes with activity timeout older than %i seconds",
t->options.stale_routes_check_interval, t->options.stale_routes_ageing_time);
event_timeout_init(&m->stale_routes_check_et, t->options.stale_routes_check_interval, 0);
}
@@ -475,8 +451,7 @@ multi_instance_string(const struct multi_instance *mi, bool null, struct gc_aren
buf_printf(&out, "%s/", cn);
}
buf_printf(&out, "%s", mroute_addr_print(&mi->real, gc));
- if (mi->context.c2.tls_multi
- && check_debug_level(D_DCO_DEBUG)
+ if (mi->context.c2.tls_multi && check_debug_level(D_DCO_DEBUG)
&& dco_enabled(&mi->context.options))
{
buf_printf(&out, " peer-id=%d", mi->context.c2.tls_multi->peer_id);
@@ -523,8 +498,7 @@ ungenerate_prefix(struct multi_instance *mi)
* CIDR netlengths.
*/
static void
-multi_del_iroutes(struct multi_context *m,
- struct multi_instance *mi)
+multi_del_iroutes(struct multi_context *m, struct multi_instance *mi)
{
const struct iroute *ir;
const struct iroute_ipv6 *ir6;
@@ -580,7 +554,9 @@ multi_client_disconnect_script(struct multi_context *m, struct multi_instance *m
if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT))
{
- if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT, NULL, NULL, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
+ if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT, NULL, NULL,
+ mi->context.c2.es)
+ != OPENVPN_PLUGIN_FUNC_SUCCESS)
{
msg(M_WARN, "WARNING: client-disconnect plugin call failed");
}
@@ -603,9 +579,7 @@ multi_client_disconnect_script(struct multi_context *m, struct multi_instance *m
}
void
-multi_close_instance(struct multi_context *m,
- struct multi_instance *mi,
- bool shutdown)
+multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown)
{
perf_push(PERF_MULTI_CLOSE_INSTANCE);
@@ -650,7 +624,7 @@ multi_close_instance(struct multi_context *m,
#ifdef ENABLE_ASYNC_PUSH
if (mi->inotify_watch != -1)
{
- hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch);
+ hash_remove(m->inotify_watchers, (void *)(unsigned long)mi->inotify_watch);
mi->inotify_watch = -1;
}
#endif
@@ -660,7 +634,7 @@ multi_close_instance(struct multi_context *m,
m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
}
- schedule_remove_entry(m->schedule, (struct schedule_entry *) mi);
+ schedule_remove_entry(m->schedule, (struct schedule_entry *)mi);
ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, false);
@@ -717,7 +691,7 @@ multi_uninit(struct multi_context *m)
hash_iterator_init(m->iter, &hi);
while ((he = hash_iterator_next(&hi)))
{
- struct multi_instance *mi = (struct multi_instance *) he->value;
+ struct multi_instance *mi = (struct multi_instance *)he->value;
mi->did_iter = false;
multi_close_instance(m, mi, true);
}
@@ -789,7 +763,9 @@ multi_create_instance(struct multi_context *m, const struct mroute_addr *real,
if (hash_n_elements(m->hash) >= m->max_clients)
{
- msg(D_MULTI_ERRORS, "MULTI: new incoming connection would exceed maximum number of clients (%d)", m->max_clients);
+ msg(D_MULTI_ERRORS,
+ "MULTI: new incoming connection would exceed maximum number of clients (%d)",
+ m->max_clients);
goto err;
}
@@ -879,7 +855,7 @@ multi_print_status(struct multi_context *m, struct status_output *so, const int
while ((he = hash_iterator_next(&hi)))
{
struct gc_arena gc = gc_new();
- const struct multi_instance *mi = (struct multi_instance *) he->value;
+ const struct multi_instance *mi = (struct multi_instance *)he->value;
if (!mi->halt)
{
@@ -900,21 +876,19 @@ multi_print_status(struct multi_context *m, struct status_output *so, const int
while ((he = hash_iterator_next(&hi)))
{
struct gc_arena gc = gc_new();
- const struct multi_route *route = (struct multi_route *) he->value;
+ const struct multi_route *route = (struct multi_route *)he->value;
if (multi_route_defined(m, route))
{
const struct multi_instance *mi = route->instance;
const struct mroute_addr *ma = &route->addr;
- char flags[2] = {0, 0};
+ char flags[2] = { 0, 0 };
if (route->flags & MULTI_ROUTE_CACHE)
{
flags[0] = 'C';
}
- status_printf(so, "%s%s,%s,%s,%s",
- mroute_addr_print(ma, &gc),
- flags,
+ status_printf(so, "%s%s,%s,%s,%s", mroute_addr_print(ma, &gc), flags,
tls_common_name(mi->context.c2.tls_multi, false), mroute_addr_print(&mi->real, &gc), time_string(route->last_reference, 0, false, &gc));
@@ -926,8 +900,7 @@ multi_print_status(struct multi_context *m, struct status_output *so, const int
status_printf(so, "GLOBAL STATS");
if (m->mbuf)
{
- status_printf(so, "Max bcast/mcast queue length,%d",
- mbuf_maximum_queued(m->mbuf));
+ status_printf(so, "Max bcast/mcast queue length,%d", mbuf_maximum_queued(m->mbuf));
}
status_printf(so, "END");
@@ -940,69 +913,77 @@ multi_print_status(struct multi_context *m, struct status_output *so, const int
 * Status file version 2 and 3
 */
 status_printf(so, "TITLE%c%s", sep, title_string);
- status_printf(so, "TIME%c%s%c%u", sep, time_string(now, 0, false, &gc_top), sep, (unsigned int)now);
- status_printf(so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID%cData Channel Cipher",
- sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
+ status_printf(so, "TIME%c%s%c%u", sep, time_string(now, 0, false, &gc_top), sep,
+ (unsigned int)now);
+ status_printf(
+ so,
+ "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID%cData Channel Cipher",
+ sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
 hash_iterator_init(m->hash, &hi);
 while ((he = hash_i-terator_next(&hi)))
 {
 struct gc_arena gc = gc_new();
- const struct multi_instance *mi = (struct multi_instance *) he->value;
+ const struct multi_instance *mi = (struct multi_instance *)he->value;
 if (!mi->halt)
 {
- status_printf(so, "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u%c%s%c"
+ status_printf(
+ so,
+ "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format
+ "%c%s%c%u%c%s%c"
 #ifdef ENABLE_MANAGEMENT
- "%lu"
+ "%lu"
 #else
- ""
+ ""
 #endif
- "%c%" PRIu32 "%c%s",
- sep, tls_common_name(mi->context.c2.tls_multi, false),
- sep, mroute_addr_print(&mi->real, &gc),
- sep, print_in_addr_t(mi->reporting_addr, IA_EMPTY_IF_UNDEF, &gc),
- sep, print_in6_addr(mi->reporting_addr_ipv6, IA_EMPTY_IF_UNDEF, &gc),
- sep, mi->context.c2.link_read_bytes + mi->context.c2.dco_read_bytes,
- sep, mi->context.c2.link_write_bytes + mi->context.c2.dco_write_bytes,
- sep, time_string(mi->created, 0, false, &gc),
- sep, (unsigned int)mi->created,
- sep, tls_username(mi->context.c2.tls_multi, false),
+ "%c%" PRIu32 "%c%s",
+ sep, tls_common_name(mi->context.c2.tls_multi, false), sep,
+ mroute_addr_print(&mi->real, &gc), sep,
+ print_in_addr_t(mi->reporting_addr, IA_EMPTY_IF_UNDEF, &gc), sep,
+ print_in6_addr(mi->reporting_addr_ipv6, IA_EMPTY_IF_UNDEF, &gc), sep,
+ mi->context.c2.link_read_bytes + mi->context.c2.dco_read_bytes, sep,
+ mi->context.c2.link_write_bytes + mi->context.c2.dco_write_bytes, sep,
+ time_string(mi->created, 0, false, &gc), sep, (unsigned int)mi->created,
+ sep, tls_username(mi->context.c2.tls_multi, false),
 #ifdef ENABLE_MANAGEMENT
- sep, mi->context.c2.mda_context.cid,
+ sep, mi->context.c2.mda_context.cid,
 #else
- sep,
+ sep,
 #endif
- sep, mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX,
- sep, translate_cipher_name_to_openvpn(mi->context.options.ciphername));
+ sep,
+ mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX,
+ sep, translate_cipher_name_to_openvpn(mi->context.options.ciphername));
 }
 gc_free(&gc);
 }
 hash_iterator_free(&hi);
- status_printf(so, "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
- sep, sep, sep, sep, sep, sep);
+ status_printf(
+ so,
+ "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
+ sep, sep, sep, sep, sep, sep);
 hash_iterator_init(m->vhash, &hi);
 while ((he = hash_iterator_next(&hi)))
 {
 struct gc_arena gc = gc_new();
- const struct multi_route *route = (struct multi_route *) he->value;
+ const struct multi_route *route = (struct multi_route *)he->value;
 if (multi_route_defined(m, route))
 {
 const struct multi_instance *mi = route->instance;
 const struct mroute_addr *ma = &route->addr;
- char flags[2] = {0, 0};
+ char flags[2] = { 0, 0 };
 if (route->flags & MULTI_ROUTE_CACHE)
 {
 flags[0] = 'C';
 }
- status_printf(so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u",
- sep, mroute_addr_print(ma, &gc), flags,
- sep, tls_common_name(mi->context.c2.tls_multi, false),
- sep, mroute_addr_print(&mi->real, &gc),
- sep, time_string(route->last_reference, 0, false, &gc),
- sep, (unsigned int)route->last_reference);
+ status_printf(so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u", sep,
+ mroute_addr_print(ma, &gc), flags, sep,
+ tls_common_name(mi->context.c2.tls_multi, false), sep,
+ mroute_addr_print(&mi->real, &gc), sep,
+ time_string(route->last_reference, 0, false, &gc), sep,
+ (unsigned int)route->last_reference);
 }
 gc_free(&gc);
 }
@@ -1010,11 +991,12 @@ multi_print_status(struct multi_context *m, struct status_output *so, const int
 if (m->mbuf)
 {
- status_printf(so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d",
- sep, sep, mbuf_maximum_queued(m->mbuf));
+ status_printf(so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d", sep, sep,
+ mbuf_maximum_queued(m->mbuf));
 }
- status_printf(so, "GLOBAL_STATS%cdco_enabled%c%d", sep, sep, dco_enabled(&m->top.options));
+ status_printf(so, "GLOBAL_STATS%cdco_enabled%c%d", sep, sep,
+ dco_enabled(&m->top.options));
 status_printf(so, "END");
 }
 else
@@ -1024,19 +1006,22 @@ multi_print_status(struct multi_context *m, struct status_output *so, const int
 #ifdef PACKET_TRUNCATION_CHECK
 {
- status_printf(so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
+ status_printf(
+ so,
+ "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
 hash_iterator_init(m->hash, &hi);
 while ((he = hash_iterator_next(&hi)))
 {
 struct gc_arena gc = gc_new();
- const struct multi_instance *mi = (struct multi_instance *) he->value;
+ const struct multi_instance *mi = (struct multi_instance *)he->value;
 if (!mi->halt)
 {
- status_printf(so, "ERRORS,%s," counter_format "," counter_format "," counter_format "," counter_format,
+ status_printf(so,
+ "ERRORS,%s," counter_format "," counter_format "," counter_format
+ "," counter_format,
 tls_common_name(mi->context.c2.tls_multi, false),
- m->top.c2.n_trunc_tun_read,
- mi->context.c2.n_trunc_tun_write,
+ m->top.c2.n_trunc_tun_read, mi->context.c2.n_trunc_tun_write,
 mi->context.c2.n_trunc_pre_encrypt,
 mi->context.c2.n_trunc_post_decrypt);
 }
@@ -1067,9 +1052,7 @@ multi_print_status(struct multi_context *m, struct status_output *so, const int
 * or NULL if none.
 */
 static struct multi_instance *
-multi_learn_addr(struct multi_context *m,
- struct multi_instance *mi,
- const struct mroute_addr *addr,
+multi_learn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr,
 const unsigned int flags)
 {
 struct hash_element *he;
@@ -1083,7 +1066,7 @@ multi_learn_addr(struct multi_context *m,
 he = hash_lookup_fast(m->vhash, bucket, addr, hv);
 if (he)
 {
- oldroute = (struct multi_route *) he->value;
+ oldroute = (struct multi_route *)he->value;
 }
 if (oldroute && multi_route_defined(m, oldroute))
 {
@@ -1141,10 +1124,8 @@ multi_learn_addr(struct multi_context *m,
 }
 }
- msg(D_MULTI_LOW, "MULTI: Learn%s: %s -> %s",
- learn_succeeded ? "" : " FAILED",
- mroute_addr_print(&newroute->addr, &gc),
- multi_instance_string(mi, false, &gc));
+ msg(D_MULTI_LOW, "MULTI: Learn%s: %s -> %s", learn_succeeded ? "" : " FAILED",
+ mroute_addr_print(&newroute->addr, &gc), multi_instance_string(mi, false, &gc));
 if (!learn_succeeded)
 {
@@ -1160,8 +1141,7 @@ multi_learn_addr(struct multi_context *m,
 * Get client instance based on virtual address.
 */
 static struct multi_instance *
-multi_get_instance_by_virtual_addr(struct multi_context *m,
- const struct mroute_addr *addr,
+multi_get_instance_by_virtual_addr(struct multi_context *m, const struct mroute_addr *addr,
 bool cidr_routing)
 {
 struct multi_route *route;
@@ -1173,7 +1153,7 @@ multi_get_instance_by_virtual_addr(struct multi_context *m,
 return NULL;
 }
- route = (struct multi_route *) hash_lookup(m->vhash, addr);
+ route = (struct multi_route *)hash_lookup(m->vhash, addr);
 /* does host route (possible cached) exist? */
 if (route && multi_route_defined(m, route))
@@ -1197,13 +1177,13 @@ multi_get_instance_by_virtual_addr(struct multi_context *m,
 mroute_addr_mask_host_bits(&tryaddr);
 /* look up a possible route with netbits netmask */
- route = (struct multi_route *) hash_lookup(m->vhash, &tryaddr);
+ route = (struct multi_route *)hash_lookup(m->vhash, &tryaddr);
 if (route && multi_route_defined(m, route))
 {
 /* found an applicable route, cache host route */
 struct multi_instance *mi = route->instance;
- multi_learn_addr(m, mi, addr, MULTI_ROUTE_CACHE|MULTI_ROUTE_AGEABLE);
+ multi_learn_addr(m, mi, addr, MULTI_ROUTE_CACHE | MULTI_ROUTE_AGEABLE);
 ret = mi;
 break;
 }
@@ -1217,15 +1197,12 @@ multi_get_instance_by_virtual_addr(struct multi_context *m,
 const char *addr_text = mroute_addr_print(addr, &gc);
 if (ret)
 {
- dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s",
- addr_text,
- multi_instance_string(ret, false, &gc),
- mroute_addr_print(&route->addr, &gc));
+ dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s", addr_text,
+ multi_instance_string(ret, false, &gc), mroute_addr_print(&route->addr, &gc));
 }
 else
 {
- dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]",
- addr_text);
+ dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]", addr_text);
 }
 gc_free(&gc);
 }
@@ -1239,14 +1216,12 @@ multi_get_instance_by_virtual_addr(struct multi_context *m,
 * Helper function to multi_learn_addr().
 */
 static struct multi_instance *
-multi_learn_in_addr_t(struct multi_context *m,
- struct multi_instance *mi,
- in_addr_t a,
- int netbits, /* -1 if host route, otherwise # of network bits in address */
+multi_learn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a,
+ int netbits, /* -1 if host route, otherwise # of network bits in address */
 bool primary)
 {
 struct openvpn_sockaddr remote_si;
- struct mroute_addr addr = {0};
+ struct mroute_addr addr = { 0 };
 CLEAR(remote_si);
 remote_si.addr.in4.sin_family = AF_INET;
@@ -1257,7 +1232,7 @@ multi_learn_in_addr_t(struct multi_context *m,
 if (netbits >= 0)
 {
 addr.type |= MR_WITH_NETBITS;
- addr.netbits = (uint8_t) netbits;
+ addr.netbits = (uint8_t)netbits;
 }
 struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
@@ -1272,7 +1247,7 @@ multi_learn_in_addr_t(struct multi_context *m,
 /* "primary" is the VPN ifconfig address of the peer and already
 * known to DCO, so only install "extra" iroutes (primary = false) */
- ASSERT(netbits >= 0); /* DCO requires populated netbits */
+ ASSERT(netbits >= 0); /* DCO requires populated netbits */
 dco_install_iroute(m, mi, &addr);
 }
@@ -1280,13 +1255,11 @@ multi_learn_in_addr_t(struct multi_context *m,
 }
 static struct multi_instance *
-multi_learn_in6_addr(struct multi_context *m,
- struct multi_instance *mi,
- struct in6_addr a6,
- int netbits, /* -1 if host route, otherwise # of network bits in address */
+multi_learn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6,
+ int netbits, /* -1 if host route, otherwise # of network bits in address */
 bool primary)
 {
- struct mroute_addr addr = {0};
+ struct mroute_addr addr = { 0 };
 addr.len = 16;
 addr.type = MR_ADDR_IPV6;
@@ -1296,8 +1269,8 @@ multi_learn_in6_addr(struct multi_context *m,
 if (netbits >= 0)
 {
 addr.type |= MR_WITH_NETBITS;
- addr.netbits = (uint8_t) netbits;
- mroute_addr_mask_host_bits( &addr );
+ addr.netbits = (uint8_t)netbits;
+ mroute_addr_mask_host_bits(&addr);
 }
 struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
@@ -1312,7 +1285,7 @@ multi_learn_in6_addr(struct multi_context *m,
 /* "primary" is the VPN ifconfig address of the peer and already
 * known to DCO, so only install "extra" iroutes (primary = false) */
- ASSERT(netbits >= 0); /* DCO requires populated netbits */
+ ASSERT(netbits >= 0); /* DCO requires populated netbits */
 dco_install_iroute(m, mi, &addr);
 }
@@ -1324,8 +1297,7 @@ multi_learn_in6_addr(struct multi_context *m,
 * to internal routing table.
 */
 static void
-multi_add_iroutes(struct multi_context *m,
- struct multi_instance *mi)
+multi_add_iroutes(struct multi_context *m, struct multi_instance *mi)
 {
 struct gc_arena gc = gc_new();
 const struct iroute *ir;
@@ -1338,15 +1310,13 @@ multi_add_iroutes(struct multi_context *m,
 if (ir->netbits >= 0)
 {
 msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
- print_in_addr_t(ir->network, 0, &gc),
- ir->netbits,
+ print_in_addr_t(ir->network, 0, &gc), ir->netbits,
 multi_instance_string(mi, false, &gc));
 }
 else
 {
 msg(D_MULTI_LOW, "MULTI: internal route %s -> %s",
- print_in_addr_t(ir->network, 0, &gc),
- multi_instance_string(mi, false, &gc));
+ print_in_addr_t(ir->network, 0, &gc), multi_instance_string(mi, false, &gc));
 }
 mroute_helper_add_iroute46(m->route_helper, ir->netbits);
@@ -1356,8 +1326,7 @@ multi_add_iroutes(struct multi_context *m,
 for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
 {
 msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
- print_in6_addr(ir6->network, 0, &gc),
- ir6->netbits,
+ print_in6_addr(ir6->network, 0, &gc), ir6->netbits,
 multi_instance_string(mi, false, &gc));
 mroute_helper_add_iroute46(m->route_helper, ir6->netbits);
@@ -1387,7 +1356,7 @@ multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi)
 hash_iterator_init(m->iter, &hi);
 while ((he = hash_iterator_next(&hi)))
 {
- struct multi_instance *mi = (struct multi_instance *) he->value;
+ struct multi_instance *mi = (struct multi_instance *)he->value;
 if (mi != new_mi && !mi->halt)
 {
 const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
@@ -1404,7 +1373,9 @@ multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi)
 if (count)
 {
- msg(D_MULTI_LOW, "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.", new_cn);
+ msg(D_MULTI_LOW,
+ "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.",
+ new_cn);
 }
 }
 }
@@ -1413,7 +1384,6 @@ multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi)
 static void
 check_stale_routes(struct multi_context *m)
 {
- struct gc_arena gc = gc_new();
 struct hash_iterator hi;
 struct hash_element *he;
@@ -1422,8 +1392,9 @@ check_stale_routes(struct multi_context *m)
 hash_iterator_init_range(m->vhash, &hi, 0, hash_n_buckets(m->vhash));
 while ((he = hash_iterator_next(&hi)) != NULL)
 {
- struct multi_route *r = (struct multi_route *) he->value;
- if (multi_route_defined(m, r) && difftime(now, r->last_reference) >= m->top.options.stale_routes_ageing_time)
+ struct multi_route *r = (struct multi_route *)he->value;
+ if (multi_route_defined(m, r)
+ && difftime(now, r->last_reference) >= m->top.options.stale_routes_ageing_time)
 {
 dmsg(D_MULTI_DEBUG, "MULTI: Deleting stale route for address '%s'",
 mroute_addr_print(&r->addr, &gc));
@@ -1446,7 +1417,8 @@ ifconfig_push_constraint_satisfied(const struct context *c)
 const struct options *o = &c->options;
 if (o->push_ifconfig_constraint_defined && c->c2.push_ifconfig_defined)
 {
- return (o->push_ifconfig_constraint_netmask & c->c2.push_ifconfig_local) == o->push_ifconfig_constraint_network;
+ return (o->push_ifconfig_constraint_netmask & c->c2.push_ifconfig_local)
+ == o->push_ifconfig_constraint_network;
 }
 else
 {
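Review bot: The `check_stale_routes` hunks are the one place in this reformat that change code rather than layout: the removed line drops `struct gc_arena gc = gc_new();`, yet the unchanged context in the following hunk still passes `&gc` to `mroute_addr_print(&r->addr, &gc)` inside the `dmsg()` call. Unless `gc` is declared somewhere in the function outside these hunks, this presumably only compiles because `dmsg()` expands to nothing in non-debug builds; with debug logging enabled it is an undeclared identifier, and if the matching `gc_free(&gc)` went with it the string `mroute_addr_print` allocates there has no owner. Either keep `struct gc_arena gc = gc_new();` together with its `gc_free(&gc);`, or move that cleanup into its own commit so the clang-format change stays mechanically verifiable as whitespace-only. The body of `check_stale_routes` continues past the hunk, so the `gc_free` side cannot be confirmed from here.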
@@ -1480,7 +1452,8 @@ multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
 mi->context.c2.push_ifconfig_defined = true;
 mi->context.c2.push_ifconfig_local = mi->context.options.push_ifconfig_local;
- mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.push_ifconfig_remote_netmask;
+ mi->context.c2.push_ifconfig_remote_netmask =
+ mi->context.options.push_ifconfig_remote_netmask;
 mi->context.c2.push_ifconfig_local_alias = mi->context.options.push_ifconfig_local_alias;
 /* the current implementation does not allow "static IPv4, pool IPv6",
@@ -1490,7 +1463,8 @@ multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
 if (mi->context.options.ifconfig_ipv6_pool_defined
 && !mi->context.options.push_ifconfig_ipv6_defined)
 {
- msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then." );
+ msg(M_INFO,
+ "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then.");
 }
 }
 else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */
@@ -1505,30 +1479,33 @@ multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
 }
 CLEAR(remote_ipv6);
- mi->vaddr_handle = ifconfig_pool_acquire(m->ifconfig_pool, &local, &remote, &remote_ipv6, cn);
+ mi->vaddr_handle =
+ ifconfig_pool_acquire(m->ifconfig_pool, &local, &remote, &remote_ipv6, cn);
 if (mi->vaddr_handle >= 0)
 {
 const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
 const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
- msg( M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s",
- (mi->context.options.ifconfig_pool_defined
- ? print_in_addr_t(remote, 0, &gc)
- : "(Not enabled)"),
- (mi->context.options.ifconfig_ipv6_pool_defined
- ? print_in6_addr( remote_ipv6, 0, &gc )
- : "(Not enabled)") );
+ msg(M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s",
+ (mi->context.options.ifconfig_pool_defined ? print_in_addr_t(remote, 0, &gc)
+ : "(Not enabled)"),
+ (mi->context.options.ifconfig_ipv6_pool_defined
+ ? print_in6_addr(remote_ipv6, 0, &gc)
+ : "(Not enabled)"));
 if (mi->context.options.ifconfig_pool_defined)
 {
 /* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
 mi->context.c2.push_ifconfig_local = remote;
- if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
+ if (tunnel_type == DEV_TYPE_TAP
+ || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
 {
- mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.ifconfig_pool_netmask;
+ mi->context.c2.push_ifconfig_remote_netmask =
+ mi->context.options.ifconfig_pool_netmask;
 if (!mi->context.c2.push_ifconfig_remote_netmask)
 {
- mi->context.c2.push_ifconfig_remote_netmask = mi->context.c1.tuntap->remote_netmask;
+ mi->context.c2.push_ifconfig_remote_netmask =
+ mi->context.c1.tuntap->remote_netmask;
 }
 }
 else if (tunnel_type == DEV_TYPE_TUN)
@@ -1558,8 +1535,7 @@ multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
 if (mi->context.options.ifconfig_ipv6_pool_defined)
 {
 mi->context.c2.push_ifconfig_ipv6_local = remote_ipv6;
- mi->context.c2.push_ifconfig_ipv6_remote =
- mi->context.c1.tuntap->local_ipv6;
+ mi->context.c2.push_ifconfig_ipv6_remote = mi->context.c1.tuntap->local_ipv6;
 mi->context.c2.push_ifconfig_ipv6_netbits =
 mi->context.options.ifconfig_ipv6_netbits;
 mi->context.c2.push_ifconfig_ipv6_defined = true;
@@ -1580,17 +1556,14 @@ multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
 */
 if (mi->context.options.push_ifconfig_ipv6_defined)
 {
- mi->context.c2.push_ifconfig_ipv6_local =
- mi->context.options.push_ifconfig_ipv6_local;
- mi->context.c2.push_ifconfig_ipv6_remote =
- mi->context.options.push_ifconfig_ipv6_remote;
- mi->context.c2.push_ifconfig_ipv6_netbits =
- mi->context.options.push_ifconfig_ipv6_netbits;
+ mi->context.c2.push_ifconfig_ipv6_local = mi->context.options.push_ifconfig_ipv6_local;
+ mi->context.c2.push_ifconfig_ipv6_remote = mi->context.options.push_ifconfig_ipv6_remote;
+ mi->context.c2.push_ifconfig_ipv6_netbits = mi->context.options.push_ifconfig_ipv6_netbits;
 mi->context.c2.push_ifconfig_ipv6_defined = true;
- msg( M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d",
- print_in6_addr( mi->context.c2.push_ifconfig_ipv6_local, 0, &gc ),
- mi->context.c2.push_ifconfig_ipv6_netbits );
+ msg(M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d",
+ print_in6_addr(mi->context.c2.push_ifconfig_ipv6_local, 0, &gc),
+ mi->context.c2.push_ifconfig_ipv6_netbits);
 }
 gc_free(&gc);
@@ -1611,24 +1584,19 @@ multi_set_virtual_addr_env(struct multi_instance *mi)
 const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
 const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
- setenv_in_addr_t(mi->context.c2.es,
- "ifconfig_pool_remote_ip",
- mi->context.c2.push_ifconfig_local,
- SA_SET_IF_NONZERO);
+ setenv_in_addr_t(mi->context.c2.es, "ifconfig_pool_remote_ip",
+ mi->context.c2.push_ifconfig_local, SA_SET_IF_NONZERO);
- if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
+ if (tunnel_type == DEV_TYPE_TAP
+ || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
 {
- setenv_in_addr_t(mi->context.c2.es,
- "ifconfig_pool_netmask",
- mi->context.c2.push_ifconfig_remote_netmask,
- SA_SET_IF_NONZERO);
+ setenv_in_addr_t(mi->context.c2.es, "ifconfig_pool_netmask",
+ mi->context.c2.push_ifconfig_remote_netmask, SA_SET_IF_NONZERO);
 }
 else if (tunnel_type == DEV_TYPE_TUN)
 {
- setenv_in_addr_t(mi->context.c2.es,
- "ifconfig_pool_local_ip",
- mi->context.c2.push_ifconfig_remote_netmask,
- SA_SET_IF_NONZERO);
+ setenv_in_addr_t(mi->context.c2.es, "ifconfig_pool_local_ip",
+ mi->context.c2.push_ifconfig_remote_netmask, SA_SET_IF_NONZERO);
 }
 }
@@ -1638,16 +1606,11 @@ multi_set_virtual_addr_env(struct multi_instance *mi)
 if (mi->context.c2.push_ifconfig_ipv6_defined)
 {
- setenv_in6_addr(mi->context.c2.es,
- "ifconfig_pool_remote",
- &mi->context.c2.push_ifconfig_ipv6_local,
- SA_SET_IF_NONZERO);
- setenv_in6_addr(mi->context.c2.es,
- "ifconfig_pool_local",
- &mi->context.c2.push_ifconfig_ipv6_remote,
- SA_SET_IF_NONZERO);
- setenv_int(mi->context.c2.es,
- "ifconfig_pool_ip6_netbits",
+ setenv_in6_addr(mi->context.c2.es, "ifconfig_pool_remote",
+ &mi->context.c2.push_ifconfig_ipv6_local, SA_SET_IF_NONZERO);
+ setenv_in6_addr(mi->context.c2.es, "ifconfig_pool_local",
+ &mi->context.c2.push_ifconfig_ipv6_remote, SA_SET_IF_NONZERO);
+ setenv_int(mi->context.c2.es, "ifconfig_pool_ip6_netbits",
 mi->context.c2.push_ifconfig_ipv6_netbits);
 }
 }
@@ -1656,20 +1619,14 @@ multi_set_virtual_addr_env(struct multi_instance *mi)
 * Called after client-connect script is called
 */
 static void
-multi_client_connect_post(struct multi_context *m,
- struct multi_instance *mi,
- const char *dc_file,
+multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file,
 unsigned int *option_types_found)
 {
 /* Did script generate a dynamic config file? */
 if (platform_test_file(dc_file))
 {
- options_server_import(&mi->context.options,
- dc_file,
- D_IMPORT_ERRORS|M_OPTERR,
- CLIENT_CONNECT_OPT_MASK,
- option_types_found,
- mi->context.c2.es);
+ options_server_import(&mi->context.options, dc_file, D_IMPORT_ERRORS | M_OPTERR,
+ CLIENT_CONNECT_OPT_MASK, option_types_found, mi->context.c2.es);
 /*
 * If the --client-connect script generates a config file
@@ -1688,10 +1645,8 @@ multi_client_connect_post(struct multi_context *m,
 * Called after client-connect plug-in is called
 */
 static void
-multi_client_connect_post_plugin(struct multi_context *m,
- struct multi_instance *mi,
- const struct plugin_return *pr,
- unsigned int *option_types_found)
+multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi,
+ const struct plugin_return *pr, unsigned int *option_types_found)
 {
 struct plugin_return config;
@@ -1705,12 +1660,9 @@ multi_client_connect_post_plugin(struct multi_context *m,
 {
 if (config.list[i] && config.list[i]->value)
 {
- options_string_import(&mi->context.options,
- config.list[i]->value,
- D_IMPORT_ERRORS|M_OPTERR,
- CLIENT_CONNECT_OPT_MASK,
- option_types_found,
- mi->context.c2.es);
+ options_string_import(&mi->context.options, config.list[i]->value,
+ D_IMPORT_ERRORS | M_OPTERR, CLIENT_CONNECT_OPT_MASK,
+ option_types_found, mi->context.c2.es);
 }
 }
@@ -1732,9 +1684,7 @@ multi_client_connect_post_plugin(struct multi_context *m,
 * Called to load management-derived client-connect config
 */
 enum client_connect_return
-multi_client_connect_mda(struct multi_context *m,
- struct multi_instance *mi,
- bool deferred,
+multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, bool deferred,
 unsigned int *option_types_found)
 {
 /* We never return CC_RET_DEFERRED */
@@ -1747,12 +1697,8 @@ multi_client_connect_mda(struct multi_context *m,
 for (be = mi->cc_config->head; be != NULL; be = be->next)
 {
 const char *opt = BSTR(&be->buf);
- options_string_import(&mi->context.options,
- opt,
- D_IMPORT_ERRORS|M_OPTERR,
- CLIENT_CONNECT_OPT_MASK,
- option_types_found,
- mi->context.c2.es);
+ options_string_import(&mi->context.options, opt, D_IMPORT_ERRORS | M_OPTERR,
+ CLIENT_CONNECT_OPT_MASK, option_types_found, mi->context.c2.es);
 }
 /*
@@ -1817,9 +1763,9 @@ multi_client_set_protocol_options(struct context *c)
 else if (dco_enabled(o))
 {
 msg(M_INFO, "Client does not support DATA_V2. Data channel offloading "
- "requires DATA_V2. Dropping client.");
+ "requires DATA_V2. Dropping client.");
 auth_set_client_reason(tls_multi, "Data channel negotiation "
- "failed (missing DATA_V2)");
+ "failed (missing DATA_V2)");
 return false;
 }
@@ -1828,8 +1774,8 @@ multi_client_set_protocol_options(struct context *c)
 if (proto & IV_PROTO_NCP_P2P)
 {
 msg(M_WARN, "Note: peer reports running in P2P mode (no --pull/--client "
- "option). It will not negotiate ciphers with this server. "
- "Expect this connection to fail.");
+ "option). It will not negotiate ciphers with this server. "
+ "Expect this connection to fail.");
 }
 if (proto & IV_PROTO_REQUEST_PUSH)
@@ -1844,11 +1790,11 @@ multi_client_set_protocol_options(struct context *c)
 else if (o->force_key_material_export)
 {
 msg(M_INFO, "PUSH: client does not support TLS Keying Material "
- "Exporters but --force-tls-key-material-export is enabled.");
+ "Exporters but --force-tls-key-material-export is enabled.");
 auth_set_client_reason(tls_multi, "Client incompatible with this "
- "server. Keying Material Exporters (RFC 5705) "
- "support missing. Upgrade to a client that "
- "supports this feature (OpenVPN 2.6.0+).");
+ "server. Keying Material Exporters (RFC 5705) "
+ "support missing. Upgrade to a client that "
+ "supports this feature (OpenVPN 2.6.0+).");
 return false;
 }
 if (proto & IV_PROTO_DYN_TLS_CRYPT)
@@ -1869,10 +1815,11 @@ multi_client_set_protocol_options(struct context *c)
 */
 if (get_primary_key(tls_multi)->crypto_options.key_ctx_bi.initialized)
 {
- msg(M_INFO, "PUSH: client wants to negotiate cipher (NCP), but "
+ msg(M_INFO,
+ "PUSH: client wants to negotiate cipher (NCP), but "
 "server has already generated data channel keys, "
 "re-sending previously negotiated cipher '%s'",
- o->ciphername );
+ o->ciphername);
 return true;
 }
@@ -1880,14 +1827,13 @@ multi_client_set_protocol_options(struct context *c)
 * Push the first cipher from --data-ciphers to the client that
 * the client announces to be supporting.
 */
- char *push_cipher = ncp_get_best_cipher(o->ncp_ciphers, peer_info,
- tls_multi->remote_ciphername,
- &o->gc);
+ char *push_cipher =
+ ncp_get_best_cipher(o->ncp_ciphers, peer_info, tls_multi->remote_ciphername, &o->gc);
 if (push_cipher)
 {
 /* Enable epoch data key format if supported and AEAD cipher in use */
- if (tls_multi->session[TM_ACTIVE].opt->data_epoch_supported
- && (proto & IV_PROTO_DATA_EPOCH) && cipher_kt_mode_aead(push_cipher))
+ if (tls_multi->session[TM_ACTIVE].opt->data_epoch_supported && (proto & IV_PROTO_DATA_EPOCH)
+ && cipher_kt_mode_aead(push_cipher))
 {
 o->imported_protocol_flags |= CO_EPOCH_DATA_KEY_FORMAT;
 }
@@ -1908,16 +1854,17 @@ multi_client_set_protocol_options(struct context *c)
 * side, in this situation we fail the auth*/
 if (strlen(peer_ciphers) > 0)
 {
- msg(M_INFO, "PUSH: No common cipher between server and client. "
+ msg(M_INFO,
+ "PUSH: No common cipher between server and client. "
 "Server data-ciphers: '%s'%s, client supported ciphers '%s'",
 o->ncp_ciphers_conf, ncp_expanded_ciphers(o, &gc), peer_ciphers);
 }
 else if (tls_multi->remote_ciphername)
 {
- msg(M_INFO, "PUSH: No common cipher between server and client. "
+ msg(M_INFO,
+ "PUSH: No common cipher between server and client. "
 "Server data-ciphers: '%s'%s, client supports cipher '%s'",
- o->ncp_ciphers_conf, ncp_expanded_ciphers(o, &gc),
- tls_multi->remote_ciphername);
+ o->ncp_ciphers_conf, ncp_expanded_ciphers(o, &gc), tls_multi->remote_ciphername);
 }
 else
 {
@@ -1925,20 +1872,22 @@ multi_client_set_protocol_options(struct context *c)
 if (o->enable_ncp_fallback && !tls_multi->remote_ciphername)
 {
- msg(M_INFO, "Using data channel cipher '%s' since "
- "--data-ciphers-fallback is set.", o->ciphername);
+ msg(M_INFO,
+ "Using data channel cipher '%s' since "
+ "--data-ciphers-fallback is set.",
+ o->ciphername);
 ret = true;
 }
 else
 {
 msg(M_INFO, "Use --data-ciphers-fallback with the cipher the "
- "client is using if you want to allow the client to connect");
+ "client is using if you want to allow the client to connect");
 }
 }
 if (!ret)
 {
 auth_set_client_reason(tls_multi, "Data channel cipher negotiation "
- "failed (no shared cipher)");
+ "failed (no shared cipher)");
 }
 gc_free(&gc);
@@ -1961,8 +1910,7 @@ ccs_delete_deferred_ret_file(struct multi_instance *mi)
 setenv_del(mi->context.c2.es, "client_connect_deferred_file");
 if (!platform_unlink(ccs->deferred_ret_file))
 {
- msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
- ccs->deferred_ret_file);
+ msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", ccs->deferred_ret_file);
 }
 free(ccs->deferred_ret_file);
 ccs->deferred_ret_file = NULL;
@@ -1993,8 +1941,7 @@ ccs_gen_deferred_ret_file(struct multi_instance *mi)
 }
 ccs->deferred_ret_file = string_alloc(fn, NULL);
- setenv_str(mi->context.c2.es, "client_connect_deferred_file",
- ccs->deferred_ret_file);
+ setenv_str(mi->context.c2.es, "client_connect_deferred_file", ccs->deferred_ret_file);
 gc_free(&gc);
 return true;
@@ -2045,7 +1992,7 @@ ccs_test_deferred_ret_file(struct multi_instance *mi)
 default:
 /* We received an unknown/unexpected value. Assume failure. */
 msg(M_WARN, "WARNING: Unknown/unexpected value in deferred "
- "client-connect resultfile");
+ "client-connect resultfile");
 ret = CC_RET_FAILED;
 }
 fclose(fp);
@@ -2067,8 +2014,7 @@ ccs_delete_config_file(struct multi_instance *mi)
 setenv_del(mi->context.c2.es, "client_connect_config_file");
 if (!platform_unlink(ccs->config_file))
 {
- msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
- ccs->config_file);
+ msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", ccs->config_file);
 }
 free(ccs->config_file);
 ccs->config_file = NULL;
@@ -2102,18 +2048,15 @@ ccs_gen_config_file(struct multi_instance *mi)
 }
 ccs->config_file = string_alloc(fn, NULL);
- setenv_str(mi->context.c2.es, "client_connect_config_file",
- ccs->config_file);
+ setenv_str(mi->context.c2.es, "client_connect_config_file", ccs->config_file);
 gc_free(&gc);
 return true;
 }
 static enum client_connect_return
-multi_client_connect_call_plugin_v1(struct multi_context *m,
- struct multi_instance *mi,
- bool deferred,
- unsigned int *option_types_found)
+multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi,
+ bool deferred, unsigned int *option_types_found)
 {
 enum client_connect_return ret = CC_RET_SKIPPED;
 #ifdef ENABLE_PLUGIN
@@ -2131,8 +2074,7 @@ multi_client_connect_call_plugin_v1(struct multi_context *m,
 if (!deferred)
 {
 call = OPENVPN_PLUGIN_CLIENT_CONNECT;
- if (!ccs_gen_config_file(mi)
- || !ccs_gen_deferred_ret_file(mi))
+ if (!ccs_gen_config_file(mi) || !ccs_gen_deferred_ret_file(mi))
 {
 ret = CC_RET_FAILED;
 goto cleanup;
@@ -2147,8 +2089,7 @@ multi_client_connect_call_plugin_v1(struct multi_context *m,
 }
 argv_printf(&argv, "%s", ccs->config_file);
- int plug_ret = plugin_call(mi->context.plugins, call,
- &argv, NULL, mi->context.c2.es);
+ int plug_ret = plugin_call(mi->context.plugins, call, &argv, NULL, mi->context.c2.es);
 if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
 {
 ret = CC_RET_SUCCEEDED;
@@ -2188,8 +2129,7 @@ multi_client_connect_call_plugin_v1(struct multi_context *m, /* if we still think we have succeeded, do postprocessing */ if (ret == CC_RET_SUCCEEDED) { - multi_client_connect_post(m, mi, ccs->config_file, - option_types_found); + multi_client_connect_post(m, mi, ccs->config_file, option_types_found); } cleanup: argv_free(&argv); @@ -2205,10 +2145,8 @@ cleanup: } static enum client_connect_return -multi_client_connect_call_plugin_v2(struct multi_context *m, - struct multi_instance *mi, - bool deferred, - unsigned int *option_types_found) +multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi, + bool deferred, unsigned int *option_types_found) { enum client_connect_return ret = CC_RET_SKIPPED; #ifdef ENABLE_PLUGIN @@ -2216,8 +2154,7 @@ multi_client_connect_call_plugin_v2(struct multi_context *m, ASSERT(mi); ASSERT(option_types_found); - int call = deferred ? OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 : - OPENVPN_PLUGIN_CLIENT_CONNECT_V2; + int call = deferred ? OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 : OPENVPN_PLUGIN_CLIENT_CONNECT_V2; /* V2 callback, use a plugin_return struct for passing back return info */ if (plugin_defined(mi->context.plugins, call)) { @@ -2225,8 +2162,7 @@ multi_client_connect_call_plugin_v2(struct multi_context *m, plugin_return_init(&pr); - int plug_ret = plugin_call(mi->context.plugins, call, - NULL, &pr, mi->context.c2.es); + int plug_ret = plugin_call(mi->context.plugins, call, NULL, &pr, mi->context.c2.es); if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS) { multi_client_connect_post_plugin(m, mi, &pr, option_types_found); 
@@ -2235,13 +2171,12 @@ multi_client_connect_call_plugin_v2(struct multi_context *m, else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED) { ret = CC_RET_DEFERRED; - if (!(plugin_defined(mi->context.plugins, - OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2))) + if (!(plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2))) { msg(M_WARN, "A plugin that defers from the " - "OPENVPN_PLUGIN_CLIENT_CONNECT_V2 call must also " - "declare support for " - "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2"); + "OPENVPN_PLUGIN_CLIENT_CONNECT_V2 call must also " + "declare support for " + "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2"); ret = CC_RET_FAILED; } } @@ -2259,8 +2194,7 @@ multi_client_connect_call_plugin_v2(struct multi_context *m, } static enum client_connect_return -multi_client_connect_script_deferred(struct multi_context *m, - struct multi_instance *mi, +multi_client_connect_script_deferred(struct multi_context *m, struct multi_instance *mi, unsigned int *option_types_found) { ASSERT(mi); @@ -2285,8 +2219,7 @@ multi_client_connect_script_deferred(struct multi_context *m, if (ret == CC_RET_SUCCEEDED) { ccs_delete_deferred_ret_file(mi); - multi_client_connect_post(m, mi, ccs->config_file, - option_types_found); + multi_client_connect_post(m, mi, ccs->config_file, option_types_found); ccs_delete_config_file(mi); } if (ret == CC_RET_FAILED) @@ -2302,9 +2235,7 @@ multi_client_connect_script_deferred(struct multi_context *m, * Runs the --client-connect script if one is defined. */ static enum client_connect_return -multi_client_connect_call_script(struct multi_context *m, - struct multi_instance *mi, - bool deferred, +multi_client_connect_call_script(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found) { if (deferred) 
@@ -2324,8 +2255,7 @@ multi_client_connect_call_script(struct multi_context *m, setenv_str(mi->context.c2.es, "script_type", "client-connect"); - if (!ccs_gen_config_file(mi) - || !ccs_gen_deferred_ret_file(mi)) + if (!ccs_gen_config_file(mi) || !ccs_gen_deferred_ret_file(mi)) { ret = CC_RET_FAILED; goto cleanup; @@ -2342,8 +2272,7 @@ multi_client_connect_call_script(struct multi_context *m, } else { - multi_client_connect_post(m, mi, ccs->config_file, - option_types_found); + multi_client_connect_post(m, mi, ccs->config_file, option_types_found); ret = CC_RET_SUCCEEDED; } } @@ -2364,8 +2293,7 @@ cleanup: } static bool -multi_client_setup_dco_initial(struct multi_context *m, - struct multi_instance *mi, +multi_client_setup_dco_initial(struct multi_context *m, struct multi_instance *mi, struct gc_arena *gc) { if (!dco_enabled(&mi->context.options)) @@ -2376,8 +2304,8 @@ multi_client_setup_dco_initial(struct multi_context *m, int ret = dco_multi_add_new_peer(m, mi); if (ret < 0) { - msg(D_DCO, "Cannot add peer to DCO for %s: %s (%d)", - multi_instance_string(mi, false, gc), strerror(-ret), ret); + msg(D_DCO, "Cannot add peer to DCO for %s: %s (%d)", multi_instance_string(mi, false, gc), + strerror(-ret), ret); return false; } @@ -2398,9 +2326,8 @@ multi_client_generate_tls_keys(struct context *c) } #endif struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; - if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, - &c->c2.frame, frame_fragment, - get_link_socket_info(c), + if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame, + frame_fragment, get_link_socket_info(c), &c->c1.tuntap->dco)) { msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed"); 
@@ -2412,8 +2339,7 @@ multi_client_generate_tls_keys(struct context *c) } static void -multi_client_connect_late_setup(struct multi_context *m, - struct multi_instance *mi, +multi_client_connect_late_setup(struct multi_context *m, struct multi_instance *mi, const unsigned int option_types_found) { ASSERT(m); @@ -2430,7 +2356,8 @@ multi_client_connect_late_setup(struct multi_context *m, */ if (!mi->context.c2.push_ifconfig_defined) { - msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote " + msg(D_MULTI_ERRORS, + "MULTI: no dynamic or static remote " "--ifconfig address is available for %s", multi_instance_string(mi, false, &gc)); } @@ -2446,7 +2373,8 @@ multi_client_connect_late_setup(struct multi_context *m, print_in_addr_t(mi->context.options.push_ifconfig_constraint_netmask, 0, &gc); /* JYFIXME -- this should cause the connection to fail */ - msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s) " + msg(D_MULTI_ERRORS, + "MULTI ERROR: primary virtual IP for %s (%s) " "violates tunnel network/netmask constraint (%s/%s)", multi_instance_string(mi, false, &gc), print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc), @@ -2490,9 +2418,7 @@ multi_client_connect_late_setup(struct multi_context *m, { if (mi->context.c2.push_ifconfig_defined) { - multi_learn_in_addr_t(m, mi, - mi->context.c2.push_ifconfig_local, - -1, true); + multi_learn_in_addr_t(m, mi, mi->context.c2.push_ifconfig_local, -1, true); msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s", multi_instance_string(mi, false, &gc), print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc)); 
@@ -2500,15 +2426,12 @@ multi_client_connect_late_setup(struct multi_context *m, if (mi->context.c2.push_ifconfig_ipv6_defined) { - multi_learn_in6_addr(m, mi, - mi->context.c2.push_ifconfig_ipv6_local, - -1, true); + multi_learn_in6_addr(m, mi, mi->context.c2.push_ifconfig_ipv6_local, -1, true); /* TODO: find out where addresses are "unlearned"!! */ const char *ifconfig_local_ipv6 = print_in6_addr(mi->context.c2.push_ifconfig_ipv6_local, 0, &gc); msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s", - multi_instance_string(mi, false, &gc), - ifconfig_local_ipv6); + multi_instance_string(mi, false, &gc), ifconfig_local_ipv6); } /* add routes locally, pointing to new client, if @@ -2524,7 +2447,8 @@ multi_client_connect_late_setup(struct multi_context *m, } else if (mi->context.options.iroutes) { - msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute " + msg(D_MULTI_ERRORS, + "MULTI: --iroute options rejected for %s -- iroute " "only works with tun-style tunnels", multi_instance_string(mi, false, &gc)); } @@ -2538,8 +2462,7 @@ multi_client_connect_late_setup(struct multi_context *m, } static void -multi_client_connect_early_setup(struct multi_context *m, - struct multi_instance *mi) +multi_client_connect_early_setup(struct multi_context *m, struct multi_instance *mi) { ASSERT(mi->context.c1.tuntap); /* @@ -2574,10 +2497,8 @@ multi_client_connect_early_setup(struct multi_context *m, * ccd/script to do compression on a special client. */ static enum client_connect_return -multi_client_connect_compress_migrate(struct multi_context *m, - struct multi_instance *mi, - bool deferred, - unsigned int *option_types_found) +multi_client_connect_compress_migrate(struct multi_context *m, struct multi_instance *mi, + bool deferred, unsigned int *option_types_found) { #ifdef USE_COMP struct options *o = &mi->context.options; 
@@ -2608,9 +2529,7 @@ multi_client_connect_compress_migrate(struct multi_context *m, * --client-config-dir directory. */ static enum client_connect_return -multi_client_connect_source_ccd(struct multi_context *m, - struct multi_instance *mi, - bool deferred, +multi_client_connect_source_ccd(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found) { /* Since we never return a CC_RET_DEFERRED, this indicates a serious @@ -2624,12 +2543,10 @@ multi_client_connect_source_ccd(struct multi_context *m, const char *ccd_client = platform_gen_path(mi->context.options.client_config_dir, - tls_common_name(mi->context.c2.tls_multi, false), - &gc); + tls_common_name(mi->context.c2.tls_multi, false), &gc); const char *ccd_default = - platform_gen_path(mi->context.options.client_config_dir, - CCD_DEFAULT, &gc); + platform_gen_path(mi->context.options.client_config_dir, CCD_DEFAULT, &gc); /* try common-name file */ @@ -2645,12 +2562,8 @@ multi_client_connect_source_ccd(struct multi_context *m, if (ccd_file) { - options_server_import(&mi->context.options, - ccd_file, - D_IMPORT_ERRORS|M_OPTERR, - CLIENT_CONNECT_OPT_MASK, - option_types_found, - mi->context.c2.es); + options_server_import(&mi->context.options, ccd_file, D_IMPORT_ERRORS | M_OPTERR, + CLIENT_CONNECT_OPT_MASK, option_types_found, mi->context.c2.es); /* * Select a virtual address from either --ifconfig-push in * --client-config-dir file or --ifconfig-pool. 
@@ -2666,9 +2579,9 @@ multi_client_connect_source_ccd(struct multi_context *m, return ret; } -typedef enum client_connect_return (*multi_client_connect_handler) - (struct multi_context *m, struct multi_instance *mi, - bool from_deferred, unsigned int *option_types_found); +typedef enum client_connect_return (*multi_client_connect_handler)( + struct multi_context *m, struct multi_instance *mi, bool from_deferred, + unsigned int *option_types_found); static const multi_client_connect_handler client_connect_handlers[] = { multi_client_connect_compress_migrate, @@ -2694,9 +2607,9 @@ override_locked_username(struct multi_instance *mi) if (!multi->locked_username) { msg(D_MULTI_ERRORS, "MULTI: Ignoring override-username as no " - "user/password method is enabled. Enable " - "--management-client-auth, --auth-user-pass-verify, or a " - "plugin with user/password verify capability."); + "user/password method is enabled. Enable " + "--management-client-auth, --auth-user-pass-verify, or a " + "plugin with user/password verify capability."); return false; } @@ -2727,16 +2640,15 @@ override_locked_username(struct multi_instance *mi) { struct user_pass up; CLEAR(up); - strncpynt(up.username, multi->locked_username, - sizeof(up.username)); + strncpynt(up.username, multi->locked_username, sizeof(up.username)); generate_auth_token(&up, multi); } - msg(D_MULTI_LOW, "MULTI: Note, override-username changes username " + msg(D_MULTI_LOW, + "MULTI: Note, override-username changes username " "from '%s' to '%s'", - multi->locked_original_username, - multi->locked_username); + multi->locked_original_username, multi->locked_username); } return true; } 
@@ -2767,8 +2679,7 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) bool from_deferred = (mi->context.c2.tls_multi->multi_state != CAS_PENDING); int *cur_handler_index = &mi->client_connect_defer_state.cur_handler_index; - unsigned int *option_types_found = - &mi->client_connect_defer_state.option_types_found; + unsigned int *option_types_found = &mi->client_connect_defer_state.option_types_found; /* We are called for the first time */ if (!from_deferred) @@ -2783,12 +2694,10 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) bool cc_succeeded = true; - while (cc_succeeded - && client_connect_handlers[*cur_handler_index] != NULL) + while (cc_succeeded && client_connect_handlers[*cur_handler_index] != NULL) { enum client_connect_return ret; - ret = client_connect_handlers[*cur_handler_index](m, mi, from_deferred, - option_types_found); + ret = client_connect_handlers[*cur_handler_index](m, mi, from_deferred, option_types_found); from_deferred = false; @@ -2836,7 +2745,7 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) if (mi->context.options.disable) { msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to " - "'disable' directive"); + "'disable' directive"); cc_succeeded = false; } @@ -2889,8 +2798,8 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) #ifdef ENABLE_MANAGEMENT if (management) { - management_connection_established(management, - &mi->context.c2.mda_context, mi->context.c2.es); + management_connection_established(management, &mi->context.c2.mda_context, + mi->context.c2.es); } #endif } 
@@ -2912,13 +2821,14 @@ multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags) while (buffer_i < r) { /* parse inotify events */ - struct inotify_event *pevent = (struct inotify_event *) &buffer[buffer_i]; + struct inotify_event *pevent = (struct inotify_event *)&buffer[buffer_i]; size_t event_size = sizeof(struct inotify_event) + pevent->len; buffer_i += event_size; msg(D_MULTI_DEBUG, "MULTI: modified fd %d, mask %d", pevent->wd, pevent->mask); - struct multi_instance *mi = hash_lookup(m->inotify_watchers, (void *) (unsigned long) pevent->wd); + struct multi_instance *mi = + hash_lookup(m->inotify_watchers, (void *)(unsigned long)pevent->wd); if (pevent->mask & IN_CLOSE_WRITE) { @@ -2937,7 +2847,7 @@ multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags) /* this event is _always_ fired when watch is removed or file is deleted */ if (mi) { - hash_remove(m->inotify_watchers, (void *) (unsigned long) pevent->wd); + hash_remove(m->inotify_watchers, (void *)(unsigned long)pevent->wd); mi->inotify_watch = -1; } } @@ -2954,9 +2864,7 @@ multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags) * instance. */ void -multi_add_mbuf(struct multi_context *m, - struct multi_instance *mi, - struct mbuf_buffer *mb) +multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb) { if (multi_output_queue_ready(m, mi)) { @@ -2975,9 +2883,7 @@ multi_add_mbuf(struct multi_context *m, * Add a packet to a client instance output queue. */ static inline void -multi_unicast(struct multi_context *m, - const struct buffer *buf, - struct multi_instance *mi) +multi_unicast(struct multi_context *m, const struct buffer *buf, struct multi_instance *mi) { struct mbuf_buffer *mb; 
@@ -2994,10 +2900,8 @@ multi_unicast(struct multi_context *m, * Broadcast a packet to all clients. */ static void -multi_bcast(struct multi_context *m, - const struct buffer *buf, - const struct multi_instance *sender_instance, - uint16_t vid) +multi_bcast(struct multi_context *m, const struct buffer *buf, + const struct multi_instance *sender_instance, uint16_t vid) { struct hash_iterator hi; struct hash_element *he; @@ -3015,7 +2919,7 @@ multi_bcast(struct multi_context *m, while ((he = hash_iterator_next(&hi))) { - mi = (struct multi_instance *) he->value; + mi = (struct multi_instance *)he->value; if (mi != sender_instance && !mi->halt) { if (vid != 0 && vid != mi->context.options.vlan_pvid) 
@@ -3073,29 +2977,24 @@ multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi tv_add(&mi->wakeup, &mi->context.c2.timeval); /* tell scheduler to wake us up at some point in the future */ - schedule_add_entry(m->schedule, - (struct schedule_entry *) mi, - &mi->wakeup, + schedule_add_entry(m->schedule, (struct schedule_entry *)mi, &mi->wakeup, compute_wakeup_sigma(&mi->context.c2.timeval)); } #if defined(ENABLE_ASYNC_PUSH) static void -add_inotify_file_watch(struct multi_context *m, struct multi_instance *mi, - int inotify_fd, const char *file) +add_inotify_file_watch(struct multi_context *m, struct multi_instance *mi, int inotify_fd, + const char *file) { /* watch acf file */ - long watch_descriptor = inotify_add_watch(inotify_fd, file, - IN_CLOSE_WRITE | IN_ONESHOT); + long watch_descriptor = inotify_add_watch(inotify_fd, file, IN_CLOSE_WRITE | IN_ONESHOT); if (watch_descriptor >= 0) { if (mi->inotify_watch != -1) { - hash_remove(m->inotify_watchers, - (void *) (unsigned long)mi->inotify_watch); + hash_remove(m->inotify_watchers, (void *)(unsigned long)mi->inotify_watch); } - hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor, - mi, true); + hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor, mi, true); mi->inotify_watch = watch_descriptor; } else @@ -3117,7 +3016,9 @@ multi_process_post(struct multi_context *m, struct multi_instance *mi, const uns { bool ret = true; - if (!IS_SIG(&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context)))) + if (!IS_SIG(&mi->context) + && ((flags & MPP_PRE_SELECT) + || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context)))) { #if defined(ENABLE_ASYNC_PUSH) bool was_unauthenticated = true; 
@@ -3142,14 +3043,12 @@ multi_process_post(struct multi_context *m, struct multi_instance *mi, const uns if (ks && ks->plugin_auth.auth_control_file && was_unauthenticated && (ks->authenticated == KS_AUTH_DEFERRED)) { - add_inotify_file_watch(m, mi, m->top.c2.inotify_fd, - ks->plugin_auth.auth_control_file); + add_inotify_file_watch(m, mi, m->top.c2.inotify_fd, ks->plugin_auth.auth_control_file); } if (ks && ks->script_auth.auth_control_file && was_unauthenticated && (ks->authenticated == KS_AUTH_DEFERRED)) { - add_inotify_file_watch(m, mi, m->top.c2.inotify_fd, - ks->script_auth.auth_control_file); + add_inotify_file_watch(m, mi, m->top.c2.inotify_fd, ks->script_auth.auth_control_file); } #endif @@ -3167,8 +3066,7 @@ multi_process_post(struct multi_context *m, struct multi_instance *mi, const uns && mi->client_connect_defer_state.deferred_ret_file) { add_inotify_file_watch(m, mi, m->top.c2.inotify_fd, - mi->client_connect_defer_state. - deferred_ret_file); + mi->client_connect_defer_state.deferred_ret_file); } #endif /* tell scheduler to wake us up at some point in the future */ @@ -3190,14 +3088,10 @@ multi_process_post(struct multi_context *m, struct multi_instance *mi, const uns multi_set_pending(m, ANY_OUT(&mi->context) ? mi : NULL); #ifdef MULTI_DEBUG_EVENT_LOOP - printf("POST %s[%d] to=%d lo=%d/%d w=%" PRIi64 "/%ld\n", - id(mi), - (int) (mi == m->pending), - mi ? mi->context.c2.to_tun.len : -1, - mi ? mi->context.c2.to_link.len : -1, + printf("POST %s[%d] to=%d lo=%d/%d w=%" PRIi64 "/%ld\n", id(mi), (int)(mi == m->pending), + mi ? mi->context.c2.to_tun.len : -1, mi ? mi->context.c2.to_link.len : -1, (mi && mi->context.c2.fragment) ? mi->context.c2.fragment->outgoing.len : -1, - (int64_t)mi->context.c2.timeval.tv_sec, - (long)mi->context.c2.timeval.tv_usec); + (int64_t)mi->context.c2.timeval.tv_sec, (long)mi->context.c2.timeval.tv_usec); #endif } 
@@ -3218,10 +3112,9 @@ multi_process_post(struct multi_context *m, struct multi_instance *mi, const uns * updates hashtables in multi_context. */ static void -multi_process_float(struct multi_context *m, struct multi_instance *mi, - struct link_socket *sock) +multi_process_float(struct multi_context *m, struct multi_instance *mi, struct link_socket *sock) { - struct mroute_addr real = {0}; + struct mroute_addr real = { 0 }; struct hash *hash = m->hash; struct gc_arena gc = gc_new(); @@ -3243,7 +3136,7 @@ multi_process_float(struct multi_context *m, struct multi_instance *mi, struct hash_element *he = hash_lookup_fast(hash, bucket, &real, hv); if (he) { - struct multi_instance *ex_mi = (struct multi_instance *) he->value; + struct multi_instance *ex_mi = (struct multi_instance *)he->value; struct tls_multi *m1 = mi->context.c2.tls_multi; struct tls_multi *m2 = ex_mi->context.c2.tls_multi; 
@@ -3265,23 +3158,23 @@ multi_process_float(struct multi_context *m, struct multi_instance *mi, */ if (m1->peer_id == m2->peer_id) { - msg(M_WARN, "disallowing peer %" PRIu32 " (%s) from floating to " + msg(M_WARN, + "disallowing peer %" PRIu32 " (%s) from floating to " "its own address (%s)", m1->peer_id, tls_common_name(mi->context.c2.tls_multi, false), mroute_addr_print(&mi->real, &gc)); goto done; } - msg(D_MULTI_LOW, "closing instance %s due to float collision with %s " + msg(D_MULTI_LOW, + "closing instance %s due to float collision with %s " "using the same certificate", - multi_instance_string(ex_mi, false, &gc), - multi_instance_string(mi, false, &gc)); + multi_instance_string(ex_mi, false, &gc), multi_instance_string(mi, false, &gc)); multi_close_instance(m, ex_mi, false); } msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s", - mi->context.c2.tls_multi->peer_id, - tls_common_name(mi->context.c2.tls_multi, false), + mi->context.c2.tls_multi->peer_id, tls_common_name(mi->context.c2.tls_multi, false), mroute_addr_print_ex(&mi->real, MAPF_SHOW_FAMILY, &gc), mroute_addr_print_ex(&real, MAPF_SHOW_FAMILY, &gc)); @@ -3327,7 +3220,8 @@ multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *m multi_close_instance(m, mi, false); } -#if (defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))) || defined(ENABLE_MANAGEMENT) +#if (defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))) \ + || defined(ENABLE_MANAGEMENT) static void multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig) { 
@@ -3338,8 +3232,7 @@ multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const #if defined(ENABLE_DCO) static void -process_incoming_del_peer(struct multi_context *m, struct multi_instance *mi, - dco_context_t *dco) +process_incoming_del_peer(struct multi_context *m, struct multi_instance *mi, dco_context_t *dco) { const char *reason = "ovpn-dco: unknown reason"; switch (dco->dco_del_peer_reason) @@ -3436,9 +3329,10 @@ multi_process_incoming_dco(struct multi_context *m) */ msglevel = D_DCO_DEBUG; } - msg(msglevel, "Received DCO message for unknown peer-id: %d, " - "type %d, del_peer_reason %d", peer_id, dco->dco_message_type, - dco->dco_del_peer_reason); + msg(msglevel, + "Received DCO message for unknown peer-id: %d, " + "type %d, del_peer_reason %d", + peer_id, dco->dco_message_type, dco->dco_del_peer_reason); } dco->dco_message_type = 0; @@ -3528,11 +3422,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TUN) { /* extract packet source and dest addresses */ - mroute_flags = mroute_extract_addr_from_packet(&src, - &dest, - 0, - &c->c2.to_tun, - DEV_TYPE_TUN); + mroute_flags = + mroute_extract_addr_from_packet(&src, &dest, 0, &c->c2.to_tun, DEV_TYPE_TUN); /* drop packet if extract failed */ if (!(mroute_flags & MROUTE_EXTRACT_SUCCEEDED)) 
@@ -3543,14 +3434,15 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst else if (multi_get_instance_by_virtual_addr(m, &src, true) != m->pending) { /* IPv6 link-local address (fe80::xxx)? */ - if ( (src.type & MR_ADDR_MASK) == MR_ADDR_IPV6 - && IN6_IS_ADDR_LINKLOCAL(&src.v6.addr) ) + if ((src.type & MR_ADDR_MASK) == MR_ADDR_IPV6 + && IN6_IS_ADDR_LINKLOCAL(&src.v6.addr)) { /* do nothing, for now. TODO: add address learning */ } else { - msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped", + msg(D_MULTI_DROPPED, + "MULTI: bad source address from client [%s], packet dropped", mroute_addr_print(&src, &gc)); } c->c2.to_tun.len = 0; @@ -3599,11 +3491,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst } } /* extract packet source and dest addresses */ - mroute_flags = mroute_extract_addr_from_packet(&src, - &dest, - vid, - &c->c2.to_tun, - DEV_TYPE_TAP); + mroute_flags = + mroute_extract_addr_from_packet(&src, &dest, vid, &c->c2.to_tun, DEV_TYPE_TAP); if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED) { @@ -3612,7 +3501,7 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst /* check for broadcast */ if (m->enable_c2c) { - if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST)) + if (mroute_flags & (MROUTE_EXTRACT_BCAST | MROUTE_EXTRACT_MCAST)) { multi_bcast(m, &c->c2.to_tun, m->pending, vid); } @@ -3632,7 +3521,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst } else { - msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped", + msg(D_MULTI_DROPPED, + "MULTI: bad source address from client [%s], packet dropped", mroute_addr_print(&src, &gc)); c->c2.to_tun.len = 0; } 
@@ -3666,7 +3556,7 @@ multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags if (BLEN(&m->top.c2.buf) > 0) { unsigned int mroute_flags; - struct mroute_addr src = {0}, dest = {0}; + struct mroute_addr src = { 0 }, dest = { 0 }; const int dev_type = TUNNEL_TYPE(m->top.c1.tuntap); int16_t vid = 0; @@ -3693,25 +3583,22 @@ multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags * the appropriate multi_instance object. */ - mroute_flags = mroute_extract_addr_from_packet(&src, - &dest, - vid, - &m->top.c2.buf, - dev_type); + mroute_flags = mroute_extract_addr_from_packet(&src, &dest, vid, &m->top.c2.buf, dev_type); if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED) { struct context *c; /* broadcast or multicast dest addr? */ - if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST)) + if (mroute_flags & (MROUTE_EXTRACT_BCAST | MROUTE_EXTRACT_MCAST)) { /* for now, treat multicast as broadcast */ multi_bcast(m, &m->top.c2.buf, NULL, vid); } else { - multi_set_pending(m, multi_get_instance_by_virtual_addr(m, &dest, dev_type == DEV_TYPE_TUN)); + multi_set_pending( + m, multi_get_instance_by_virtual_addr(m, &dest, dev_type == DEV_TYPE_TUN)); if (m->pending) { @@ -3729,7 +3616,8 @@ multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags else { /* drop packet */ - msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)"); + msg(D_MULTI_DROPPED, + "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)"); buf_reset_len(&c->c2.buf); } } @@ -3763,7 +3651,8 @@ multi_get_queue(struct mbuf_set *ms) set_prefix(item.instance); item.instance->context.c2.buf = item.buffer->buf; - if (item.buffer->flags & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */ + if (item.buffer->flags + & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */ { pip_flags |= PIP_MSSFIX; } 
@@ -3801,7 +3690,8 @@ multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags) { if (m->earliest_wakeup == (struct multi_instance *)&m->deferred_shutdown_signal) { - schedule_remove_entry(m->schedule, (struct schedule_entry *) &m->deferred_shutdown_signal); + schedule_remove_entry(m->schedule, + (struct schedule_entry *)&m->deferred_shutdown_signal); throw_signal(m->deferred_shutdown_signal.signal_received); } else @@ -3844,9 +3734,9 @@ void route_quota_exceeded(const struct multi_instance *mi) { struct gc_arena gc = gc_new(); - msg(D_ROUTE_QUOTA, "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)", - mi->context.options.max_routes_per_client, - multi_instance_string(mi, false, &gc)); + msg(D_ROUTE_QUOTA, + "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)", + mi->context.options.max_routes_per_client, multi_instance_string(mi, false, &gc)); gc_free(&gc); } @@ -3869,8 +3759,7 @@ gremlin_flood_clients(struct multi_context *m) parm.packet_size = min_int(parm.packet_size, m->top.c2.frame.buf.payload_size); msg(D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d", - parm.n_packets, - parm.packet_size); + parm.n_packets, parm.packet_size); for (i = 0; i < parm.packet_size; ++i) { @@ -3958,10 +3847,11 @@ multi_push_restart_schedule_exit(struct multi_context *m, bool next_server) hash_iterator_init(m->iter, &hi); while ((he = hash_iterator_next(&hi))) { - struct multi_instance *mi = (struct multi_instance *) he->value; + struct multi_instance *mi = (struct multi_instance *)he->value; if (!mi->halt && proto_is_dgram(mi->context.c2.link_sockets[0]->info.proto)) { - send_control_channel_string(&mi->context, next_server ? "RESTART,[N]" : "RESTART", D_PUSH); + send_control_channel_string(&mi->context, next_server ? "RESTART,[N]" : "RESTART", + D_PUSH); multi_schedule_context_wakeup(m, mi); } } 
@@ -3975,8 +3865,7 @@ multi_push_restart_schedule_exit(struct multi_context *m, bool next_server) m->deferred_shutdown_signal.signal_received = m->top.sig->signal_received; - schedule_add_entry(m->schedule, - (struct schedule_entry *) &m->deferred_shutdown_signal, + schedule_add_entry(m->schedule, (struct schedule_entry *)&m->deferred_shutdown_signal, &m->deferred_shutdown_signal.wakeup, compute_wakeup_sigma(&m->deferred_shutdown_signal.wakeup)); @@ -3997,8 +3886,7 @@ multi_process_signal(struct multi_context *m) status_close(so); return false; } - else if (has_udp_in_local_list(&m->top.options) - && is_exit_restart(m->top.sig->signal_received) + else if (has_udp_in_local_list(&m->top.options) && is_exit_restart(m->top.sig->signal_received) && (m->deferred_shutdown_signal.signal_received == 0) && m->top.options.ce.explicit_exit_notification != 0) { @@ -4016,7 +3904,7 @@ multi_process_signal(struct multi_context *m) static void management_callback_status(void *arg, const int version, struct status_output *so) { - struct multi_context *m = (struct multi_context *) arg; + struct multi_context *m = (struct multi_context *)arg; if (!version) { @@ -4031,14 +3919,14 @@ management_callback_status(void *arg, const int version, struct status_output *s static int management_callback_n_clients(void *arg) { - struct multi_context *m = (struct multi_context *) arg; + struct multi_context *m = (struct multi_context *)arg; return m->n_clients; } static int management_callback_kill_by_cn(void *arg, const char *del_cn) { - struct multi_context *m = (struct multi_context *) arg; + struct multi_context *m = (struct multi_context *)arg; struct hash_iterator hi; struct hash_element *he; int count = 0; 
@@ -4046,7 +3934,7 @@ management_callback_kill_by_cn(void *arg, const char *del_cn) hash_iterator_init(m->iter, &hi); while ((he = hash_iterator_next(&hi))) { - struct multi_instance *mi = (struct multi_instance *) he->value; + struct multi_instance *mi = (struct multi_instance *)he->value; if (!mi->halt) { const char *cn = tls_common_name(mi->context.c2.tls_multi, false); @@ -4062,10 +3950,9 @@ management_callback_kill_by_cn(void *arg, const char *del_cn) } static int -management_callback_kill_by_addr(void *arg, const in_addr_t addr, - const int port, const int proto) +management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port, const int proto) { - struct multi_context *m = (struct multi_context *) arg; + struct multi_context *m = (struct multi_context *)arg; struct hash_iterator hi; struct hash_element *he; struct openvpn_sockaddr saddr; @@ -4082,7 +3969,7 @@ management_callback_kill_by_addr(void *arg, const in_addr_t addr, hash_iterator_init(m->iter, &hi); while ((he = hash_iterator_next(&hi))) { - struct multi_instance *mi = (struct multi_instance *) he->value; + struct multi_instance *mi = (struct multi_instance *)he->value; if (!mi->halt && mroute_addr_equal(&maddr, &mi->real)) { multi_signal_instance(m, mi, SIGTERM); @@ -4097,7 +3984,7 @@ management_callback_kill_by_addr(void *arg, const in_addr_t addr, static void management_delete_event(void *arg, event_t event) { - struct multi_context *m = (struct multi_context *) arg; + struct multi_context *m = (struct multi_context *)arg; if (m->multi_io) { multi_tcp_delete_event(m->multi_io, event); @@ -4109,7 +3996,7 @@ lookup_by_cid(struct multi_context *m, const unsigned long cid) { if (m) { - struct multi_instance *mi = (struct multi_instance *) hash_lookup(m->cid_hash, &cid); + struct multi_instance *mi = (struct multi_instance *)hash_lookup(m->cid_hash, &cid); if (mi && !mi->halt) { return mi; 
@@ -4121,7 +4008,7 @@ lookup_by_cid(struct multi_context *m, const unsigned long cid) static bool management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg) { - struct multi_context *m = (struct multi_context *) arg; + struct multi_context *m = (struct multi_context *)arg; struct multi_instance *mi = lookup_by_cid(m, cid); if (mi) { @@ -4136,13 +4023,10 @@ management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg) } static bool -management_client_pending_auth(void *arg, - const unsigned long cid, - const unsigned int mda_key_id, - const char *extra, - unsigned int timeout) +management_client_pending_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id, + const char *extra, unsigned int timeout) { - struct multi_context *m = (struct multi_context *) arg; + struct multi_context *m = (struct multi_context *)arg; struct multi_instance *mi = lookup_by_cid(m, cid); if (mi) @@ -4164,8 +4048,7 @@ management_client_pending_auth(void *arg, } /* sends INFO_PRE and AUTH_PENDING messages to client */ - bool ret = send_auth_pending_messages(multi, session, extra, - timeout); + bool ret = send_auth_pending_messages(multi, session, extra, timeout); reschedule_multi_process(&mi->context); multi_schedule_context_wakeup(m, mi); return ret; 
@@ -4175,15 +4058,11 @@ management_client_pending_auth(void *arg, static bool -management_client_auth(void *arg, - const unsigned long cid, - const unsigned int mda_key_id, - const bool auth, - const char *reason, - const char *client_reason, - struct buffer_list *cc_config) /* ownership transferred */ +management_client_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id, + const bool auth, const char *reason, const char *client_reason, + struct buffer_list *cc_config) /* ownership transferred */ { - struct multi_context *m = (struct multi_context *) arg; + struct multi_context *m = (struct multi_context *)arg; struct multi_instance *mi = lookup_by_cid(m, cid); bool cc_config_owned = true; bool ret = false; @@ -4203,7 +4082,8 @@ management_client_auth(void *arg, } else if (reason) { - msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason)); + msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, + np(client_reason)); } } } @@ -4217,7 +4097,7 @@ management_client_auth(void *arg, static char * management_get_peer_info(void *arg, const unsigned long cid) { - struct multi_context *m = (struct multi_context *) arg; + struct multi_context *m = (struct multi_context *)arg; struct multi_instance *mi = lookup_by_cid(m, cid); char *ret = NULL; @@ -4361,7 +4241,7 @@ tunnel_server(struct context *top) tunnel_server_loop(&multi); - #ifdef ENABLE_ASYNC_PUSH +#ifdef ENABLE_ASYNC_PUSH close(top->c2.inotify_fd); #endif @@ -4375,5 +4255,4 @@ tunnel_server(struct context *top) multi_uninit(&multi); multi_top_free(&multi); close_instance(top); - } diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 3c3db974c..e87e46557 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h 
@@ -99,27 +99,28 @@ struct client_connect_defer_state * page describes the role the structure plays when OpenVPN is running in * server-mode. */ -struct multi_instance { - struct schedule_entry se; /* this must be the first element of the structure, - * We cast between this and schedule_entry so the - * beginning of the struct must be identical */ +struct multi_instance +{ + struct schedule_entry se; /* this must be the first element of the structure, + * We cast between this and schedule_entry so the + * beginning of the struct must be identical */ - struct event_arg ev_arg; /**< this struct will store a pointer to either mi or - * link_socket, depending on the event type, to keep - * it accessible it's placed within the same struct - * it points to. */ + struct event_arg ev_arg; /**< this struct will store a pointer to either mi or + * link_socket, depending on the event type, to keep + * it accessible it's placed within the same struct + * it points to. */ struct gc_arena gc; bool halt; int refcount; - int route_count; /* number of routes (including cached routes) owned by this instance */ - time_t created; /**< Time at which a VPN tunnel instance - * was created. This parameter is set - * by the \c multi_create_instance() - * function. */ - struct timeval wakeup; /* absolute time */ - struct mroute_addr real; /**< External network address of the - * remote peer. */ + int route_count; /* number of routes (including cached routes) owned by this instance */ + time_t created; /**< Time at which a VPN tunnel instance + * was created. This parameter is set + * by the \c multi_create_instance() + * function. */ + struct timeval wakeup; /* absolute time */ + struct mroute_addr real; /**< External network address of the + * remote peer. */ ifconfig_pool_handle vaddr_handle; char msg_prefix[MULTI_PREFIX_MAX_LENGTH]; 
@@ -128,7 +129,7 @@ struct multi_instance { struct mbuf_set *tcp_link_out_deferred; bool socket_set_called; - in_addr_t reporting_addr; /* IP address shown in status listing */ + in_addr_t reporting_addr; /* IP address shown in status listing */ struct in6_addr reporting_addr_ipv6; /* IPv6 address in status listing */ bool did_real_hash; @@ -138,10 +139,10 @@ struct multi_instance { struct buffer_list *cc_config; #endif bool did_iroutes; - int n_clients_delta; /* added to multi_context.n_clients when instance is closed */ + int n_clients_delta; /* added to multi_context.n_clients when instance is closed */ - struct context context; /**< The context structure storing state - * for this VPN tunnel. */ + struct context context; /**< The context structure storing state + * for this VPN tunnel. */ struct client_connect_defer_state client_connect_defer_state; #ifdef ENABLE_ASYNC_PUSH int inotify_watch; /* watch descriptor for acf */ 
@@ -159,22 +160,23 @@ struct multi_instance { * page describes the role the structure plays when OpenVPN is running in * server-mode. */ -struct multi_context { - struct multi_instance **instances; /**< Array of multi_instances. An instance can be - * accessed using peer-id as an index. */ - - struct hash *hash; /**< VPN tunnel instances indexed by real - * address of the remote peer. */ - struct hash *vhash; /**< VPN tunnel instances indexed by - * virtual address of remote hosts. */ - struct hash *iter; /**< VPN tunnel instances indexed by real - * address of the remote peer, optimized - * for iteration. */ +struct multi_context +{ + struct multi_instance **instances; /**< Array of multi_instances. An instance can be + * accessed using peer-id as an index. */ + + struct hash *hash; /**< VPN tunnel instances indexed by real + * address of the remote peer. */ + struct hash *vhash; /**< VPN tunnel instances indexed by + * virtual address of remote hosts. */ + struct hash *iter; /**< VPN tunnel instances indexed by real + * address of the remote peer, optimized + * for iteration. */ struct schedule *schedule; - struct mbuf_set *mbuf; /**< Set of buffers for passing data - * channel packets between VPN tunnel - * instances. */ - struct multi_io *multi_io; /**< I/O state and events tracker */ + struct mbuf_set *mbuf; /**< Set of buffers for passing data + * channel packets between VPN tunnel + * instances. */ + struct multi_io *multi_io; /**< I/O state and events tracker */ struct ifconfig_pool *ifconfig_pool; struct frequency_limit *new_connection_limiter; struct initial_packet_rate_limit *initial_rate_limiter; @@ -198,8 +200,8 @@ struct multi_context { struct context_buffers *context_buffers; time_t per_second_trigger; - struct context top; /**< Storage structure for process-wide - * configuration. */ + struct context top; /**< Storage structure for process-wide + * configuration. */ struct buffer hmac_reply; struct link_socket_actual *hmac_reply_dest; 
@@ -237,8 +239,8 @@ struct multi_route struct mroute_addr addr; struct multi_instance *instance; -#define MULTI_ROUTE_CACHE (1<<0) -#define MULTI_ROUTE_AGEABLE (1<<1) +#define MULTI_ROUTE_CACHE (1 << 0) +#define MULTI_ROUTE_AGEABLE (1 << 1) unsigned int flags; unsigned int cache_generation; @@ -262,17 +264,18 @@ const char *multi_instance_string(const struct multi_instance *mi, bool null, st * Called by mtcp.c, mudp.c, or other (to be written) protocol drivers */ -struct multi_instance *multi_create_instance(struct multi_context *m, const struct mroute_addr *real, +struct multi_instance *multi_create_instance(struct multi_context *m, + const struct mroute_addr *real, struct link_socket *sock); void multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown); bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags); -#define MPP_PRE_SELECT (1<<0) -#define MPP_CONDITIONAL_PRE_SELECT (1<<1) -#define MPP_CLOSE_ON_SIGNAL (1<<2) -#define MPP_RECORD_TOUCH (1<<3) +#define MPP_PRE_SELECT (1 << 0) +#define MPP_CONDITIONAL_PRE_SELECT (1 << 1) +#define MPP_CLOSE_ON_SIGNAL (1 << 2) +#define MPP_RECORD_TOUCH (1 << 3) /**************************************************************************/ @@ -297,7 +300,8 @@ bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags * signal during processing. * - False, if the VPN tunnel instance \a mi was closed. */ -bool multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags); +bool multi_process_post(struct multi_context *m, struct multi_instance *mi, + const unsigned int flags); /** * Process an incoming DCO message (from kernel space). 
@@ -334,8 +338,8 @@ bool multi_process_incoming_dco(struct multi_context *m); * @param mpp_flags - Fast I/O optimization flags. * @param sock - Socket where the packet was received. */ -bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags, - struct link_socket *sock); +bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, + const unsigned int mpp_flags, struct link_socket *sock); /** @@ -360,9 +364,7 @@ void multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int struct multi_instance *multi_get_queue(struct mbuf_set *ms); -void multi_add_mbuf(struct multi_context *m, - struct multi_instance *mi, - struct mbuf_buffer *mb); +void multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb); void multi_ifconfig_pool_persist(struct multi_context *m, bool force); @@ -388,8 +390,7 @@ void multi_process_file_closed(struct multi_context *m, const unsigned int mpp_f * Return true if our output queue is not full */ static inline bool -multi_output_queue_ready(const struct multi_context *m, - const struct multi_instance *mi) +multi_output_queue_ready(const struct multi_context *m, const struct multi_instance *mi) { if (mi->tcp_link_out_deferred) { @@ -485,8 +486,7 @@ multi_route_del(struct multi_route *route) } static inline bool -multi_route_defined(const struct multi_context *m, - const struct multi_route *r) +multi_route_defined(const struct multi_context *m, const struct multi_route *r) { if (r->instance->halt) { @@ -511,8 +511,7 @@ multi_route_defined(const struct multi_context *m, /* * Takes prefix away from multi_instance. */ -void -ungenerate_prefix(struct multi_instance *mi); +void ungenerate_prefix(struct multi_instance *mi); /* * Set a msg() function prefix with our current client instance ID. 
@@ -548,10 +547,10 @@ clear_prefix(void) * don't want to reap in a single pass. */ -#define REAP_MAX_WAKEUP 10 /* Do reap pass at least once per n seconds */ -#define REAP_DIVISOR 256 /* How many passes to cover whole hash table */ -#define REAP_MIN 16 /* Minimum number of buckets per pass */ -#define REAP_MAX 1024 /* Maximum number of buckets per pass */ +#define REAP_MAX_WAKEUP 10 /* Do reap pass at least once per n seconds */ +#define REAP_DIVISOR 256 /* How many passes to cover whole hash table */ +#define REAP_MIN 16 /* Minimum number of buckets per pass */ +#define REAP_MAX 1024 /* Maximum number of buckets per pass */ /* * Mark a cached host route for deletion after this @@ -596,7 +595,7 @@ multi_get_timeout(struct multi_context *m, struct timeval *dest) struct timeval tv, current; CLEAR(tv); - m->earliest_wakeup = (struct multi_instance *) schedule_get_earliest_wakeup(m->schedule, &tv); + m->earliest_wakeup = (struct multi_instance *)schedule_get_earliest_wakeup(m->schedule, &tv); if (m->earliest_wakeup) { ASSERT(!openvpn_gettimeofday(¤t, NULL)); @@ -641,9 +640,7 @@ multi_process_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags ASSERT(mi); #ifdef MULTI_DEBUG_EVENT_LOOP - printf("%s -> TUN len=%d\n", - id(mi), - mi->context.c2.to_tun.len); + printf("%s -> TUN len=%d\n", id(mi), mi->context.c2.to_tun.len); #endif set_prefix(mi); vlan_process_outgoing_tun(m, mi); 
@@ -653,12 +650,13 @@ multi_process_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags return ret; } -#define CLIENT_CONNECT_OPT_MASK (OPT_P_INSTANCE | OPT_P_INHERIT \ - |OPT_P_PUSH | OPT_P_TIMER | OPT_P_CONFIG \ - |OPT_P_ECHO | OPT_P_COMP | OPT_P_SOCKFLAGS) +#define CLIENT_CONNECT_OPT_MASK \ + (OPT_P_INSTANCE | OPT_P_INHERIT | OPT_P_PUSH | OPT_P_TIMER | OPT_P_CONFIG | OPT_P_ECHO \ + | OPT_P_COMP | OPT_P_SOCKFLAGS) static inline bool -multi_process_outgoing_link_dowork(struct multi_context *m, struct multi_instance *mi, const unsigned int mpp_flags) +multi_process_outgoing_link_dowork(struct multi_context *m, struct multi_instance *mi, + const unsigned int mpp_flags) { bool ret = true; set_prefix(mi); diff --git a/src/openvpn/multi_io.c b/src/openvpn/multi_io.c index 82f8372e6..ece789cf7 100644 --- a/src/openvpn/multi_io.c +++ b/src/openvpn/multi_io.c @@ -39,12 +39,12 @@ /* * Special tags passed to event.[ch] functions */ -#define MULTI_IO_SOCKET ((void *)1) -#define MULTI_IO_TUN ((void *)2) -#define MULTI_IO_SIG ((void *)3) /* Only on Windows */ -#define MULTI_IO_MANAGEMENT ((void *)4) +#define MULTI_IO_SOCKET ((void *)1) +#define MULTI_IO_TUN ((void *)2) +#define MULTI_IO_SIG ((void *)3) /* Only on Windows */ +#define MULTI_IO_MANAGEMENT ((void *)4) #define MULTI_IO_FILE_CLOSE_WRITE ((void *)5) -#define MULTI_IO_DCO ((void *)6) +#define MULTI_IO_DCO ((void *)6) struct ta_iow_flags { @@ -127,7 +127,8 @@ multi_io_init(int maxevents, int *maxclients) wait_signal(multi_io->es, MULTI_IO_SIG); ALLOC_ARRAY(multi_io->esr, struct event_set_return, multi_io->maxevents); *maxclients = max_int(min_int(multi_io->maxevents - extra_events, *maxclients), 1); - msg(D_MULTI_LOW, "MULTI IO: MULTI_IO INIT maxclients=%d maxevents=%d", *maxclients, multi_io->maxevents); + msg(D_MULTI_LOW, "MULTI IO: MULTI_IO INIT maxclients=%d maxevents=%d", *maxclients, + multi_io->maxevents); return multi_io; } 
@@ -142,18 +143,13 @@ multi_io_set_global_rw_flags(struct multi_context *m, struct multi_instance *mi) mi->socket_set_called = true; if (proto_is_dgram(mi->context.c2.link_sockets[0]->info.proto)) { - socket_set(mi->context.c2.link_sockets[0], - m->multi_io->es, - EVENT_READ, - &mi->context.c2.link_sockets[0]->ev_arg, - NULL); + socket_set(mi->context.c2.link_sockets[0], m->multi_io->es, EVENT_READ, + &mi->context.c2.link_sockets[0]->ev_arg, NULL); } else { - socket_set(mi->context.c2.link_sockets[0], - m->multi_io->es, - mbuf_defined(mi->tcp_link_out_deferred) ? EVENT_WRITE : EVENT_READ, - &mi->ev_arg, + socket_set(mi->context.c2.link_sockets[0], m->multi_io->es, + mbuf_defined(mi->tcp_link_out_deferred) ? EVENT_WRITE : EVENT_READ, &mi->ev_arg, &mi->tcp_rwflags); } } @@ -197,7 +193,8 @@ multi_io_wait(struct multi_context *m) #ifdef ENABLE_MANAGEMENT if (management) { - management_socket_set(management, m->multi_io->es, MULTI_IO_MANAGEMENT, &m->multi_io->management_persist_flags); + management_socket_set(management, m->multi_io->es, MULTI_IO_MANAGEMENT, + &m->multi_io->management_persist_flags); } #endif @@ -206,7 +203,8 @@ multi_io_wait(struct multi_context *m) event_ctl(m->multi_io->es, m->top.c2.inotify_fd, EVENT_READ, MULTI_IO_FILE_CLOSE_WRITE); #endif - status = event_wait(m->multi_io->es, &m->top.c2.timeval, m->multi_io->esr, m->multi_io->maxevents); + status = + event_wait(m->multi_io->es, &m->top.c2.timeval, m->multi_io->esr, m->multi_io->maxevents); update_time(); m->multi_io->n_esr = 0; if (status > 0) 
@@ -217,13 +215,13 @@ multi_io_wait(struct multi_context *m) } static int -multi_io_wait_lite(struct multi_context *m, struct multi_instance *mi, const int action, bool *tun_input_pending) +multi_io_wait_lite(struct multi_context *m, struct multi_instance *mi, const int action, + bool *tun_input_pending) { struct context *c = multi_get_context(m, mi); unsigned int looking_for = 0; - dmsg(D_MULTI_DEBUG, "MULTI IO: multi_io_wait_lite a=%s mi=" ptr_format, - pract(action), + dmsg(D_MULTI_DEBUG, "MULTI IO: multi_io_wait_lite a=%s mi=" ptr_format, pract(action), (ptr_type)mi); tv_clear(&c->c2.timeval); /* ZERO-TIMEOUT */ @@ -254,7 +252,7 @@ multi_io_wait_lite(struct multi_context *m, struct multi_instance *mi, const int case TA_SOCKET_WRITE: looking_for = SOCKET_WRITE; - io_wait(c, IOW_TO_LINK|IOW_READ_TUN_FORCE); + io_wait(c, IOW_TO_LINK | IOW_READ_TUN_FORCE); break; default: @@ -290,12 +288,11 @@ multi_io_wait_lite(struct multi_context *m, struct multi_instance *mi, const int static struct multi_instance * multi_io_dispatch(struct multi_context *m, struct multi_instance *mi, const int action) { - const unsigned int mpp_flags = MPP_PRE_SELECT|MPP_RECORD_TOUCH; + const unsigned int mpp_flags = MPP_PRE_SELECT | MPP_RECORD_TOUCH; struct multi_instance *touched = mi; m->mpp_touched = &touched; - dmsg(D_MULTI_DEBUG, "MULTI IO: multi_io_dispatch a=%s mi=" ptr_format, - pract(action), + dmsg(D_MULTI_DEBUG, "MULTI IO: multi_io_dispatch a=%s mi=" ptr_format, pract(action), (ptr_type)mi); switch (action) @@ -318,8 +315,7 @@ multi_io_dispatch(struct multi_context *m, struct multi_instance *mi, const int clear_prefix(); if (!IS_SIG(&mi->context)) { - multi_process_incoming_link(m, mi, mpp_flags, - mi->context.c2.link_sockets[0]); + multi_process_incoming_link(m, mi, mpp_flags, mi->context.c2.link_sockets[0]); if (!IS_SIG(&mi->context)) { stream_buf_read_setup(mi->context.c2.link_sockets[0]); 
@@ -372,9 +368,9 @@ multi_io_post(struct multi_context *m, struct multi_instance *mi, const int acti struct context *c = multi_get_context(m, mi); int newaction = TA_UNDEF; -#define MTP_NONE 0 -#define MTP_TUN_OUT (1<<0) -#define MTP_LINK_OUT (1<<1) +#define MTP_NONE 0 +#define MTP_TUN_OUT (1 << 0) +#define MTP_LINK_OUT (1 << 1) unsigned int flags = MTP_NONE; if (TUN_OUT(c)) @@ -388,7 +384,7 @@ multi_io_post(struct multi_context *m, struct multi_instance *mi, const int acti switch (flags) { - case MTP_TUN_OUT|MTP_LINK_OUT: + case MTP_TUN_OUT | MTP_LINK_OUT: case MTP_TUN_OUT: newaction = TA_TUN_WRITE; break; @@ -412,16 +408,13 @@ multi_io_post(struct multi_context *m, struct multi_instance *mi, const int acti { struct gc_arena gc = gc_new(); msg(M_FATAL, "MULTI IO: multi_io_post bad state, mi=%s flags=%d", - multi_instance_string(mi, false, &gc), - flags); + multi_instance_string(mi, false, &gc), flags); gc_free(&gc); break; } } - dmsg(D_MULTI_DEBUG, "MULTI IO: multi_io_post %s -> %s", - pract(action), - pract(newaction)); + dmsg(D_MULTI_DEBUG, "MULTI IO: multi_io_post %s -> %s", pract(action), pract(newaction)); return newaction; } 
@@ -500,47 +493,47 @@ multi_io_process_io(struct multi_context *m) } else #endif - /* incoming data on TUN? */ - if (e->arg == MULTI_IO_TUN) - { - if (e->rwflags & EVENT_WRITE) + /* incoming data on TUN? */ + if (e->arg == MULTI_IO_TUN) { - multi_io_action(m, NULL, TA_TUN_WRITE, false); + if (e->rwflags & EVENT_WRITE) + { + multi_io_action(m, NULL, TA_TUN_WRITE, false); + } + else if (e->rwflags & EVENT_READ) + { + multi_io_action(m, NULL, TA_TUN_READ, false); + } } - else if (e->rwflags & EVENT_READ) + /* new incoming TCP client attempting to connect? */ + else if (e->arg == MULTI_IO_SOCKET) { - multi_io_action(m, NULL, TA_TUN_READ, false); + struct multi_instance *mi; + ASSERT(m->top.c2.link_sockets[0]); + socket_reset_listen_persistent(m->top.c2.link_sockets[0]); + mi = multi_create_instance_tcp(m, m->top.c2.link_sockets[0]); + if (mi) + { + multi_io_action(m, mi, TA_INITIAL, false); + } } - } - /* new incoming TCP client attempting to connect? */ - else if (e->arg == MULTI_IO_SOCKET) - { - struct multi_instance *mi; - ASSERT(m->top.c2.link_sockets[0]); - socket_reset_listen_persistent(m->top.c2.link_sockets[0]); - mi = multi_create_instance_tcp(m, m->top.c2.link_sockets[0]); - if (mi) +#if defined(ENABLE_DCO) + /* incoming data on DCO? */ + else if (e->arg == MULTI_IO_DCO) { - multi_io_action(m, mi, TA_INITIAL, false); + multi_process_incoming_dco(m); } - } -#if defined(ENABLE_DCO) - /* incoming data on DCO? */ - else if (e->arg == MULTI_IO_DCO) - { - multi_process_incoming_dco(m); - } #endif - /* signal received? */ - else if (e->arg == MULTI_IO_SIG) - { - get_signal(&m->top.sig->signal_received); - } + /* signal received? 
*/ + else if (e->arg == MULTI_IO_SIG) + { + get_signal(&m->top.sig->signal_received); + } #ifdef ENABLE_ASYNC_PUSH - else if (e->arg == MULTI_IO_FILE_CLOSE_WRITE) - { - multi_process_file_closed(m, MPP_PRE_SELECT | MPP_RECORD_TOUCH); - } + else if (e->arg == MULTI_IO_FILE_CLOSE_WRITE) + { + multi_process_file_closed(m, MPP_PRE_SELECT | MPP_RECORD_TOUCH); + } #endif } if (IS_SIG(&m->top)) @@ -569,9 +562,7 @@ multi_io_action(struct multi_context *m, struct multi_instance *mi, int action, do { - dmsg(D_MULTI_DEBUG, "MULTI IO: multi_io_action a=%s p=%d", - pract(action), - poll); + dmsg(D_MULTI_DEBUG, "MULTI IO: multi_io_action a=%s p=%d", pract(action), poll); /* * If TA_SOCKET_READ_RESIDUAL, it means we still have pending @@ -590,7 +581,8 @@ multi_io_action(struct multi_context *m, struct multi_instance *mi, int action, action = multi_io_wait_lite(m, mi, action, &tun_input_pending); if (action == TA_UNDEF) { - msg(M_FATAL, "MULTI IO: I/O wait required blocking in multi_io_action, action=%d", orig_action); + msg(M_FATAL, "MULTI IO: I/O wait required blocking in multi_io_action, action=%d", + orig_action); } } diff --git a/src/openvpn/networking.h b/src/openvpn/networking.h index eccd8d2a0..6c253f997 100644 --- a/src/openvpn/networking.h +++ b/src/openvpn/networking.h @@ -101,8 +101,8 @@ void net_ctx_free(openvpn_net_ctx_t *ctx); * * @return 0 on success, negative error code on error */ -int net_iface_new(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, - const char *type, void *arg); +int net_iface_new(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, const char *type, + void *arg); /** * Retrieve the interface type 
@@ -113,8 +113,7 @@ int net_iface_new(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, * * @return 0 on success, a negative error code otherwise */ -int net_iface_type(openvpn_net_ctx_t *ctx, const char *iface, - char type[IFACE_TYPE_LEN_MAX]); +int net_iface_type(openvpn_net_ctx_t *ctx, const char *iface, char type[IFACE_TYPE_LEN_MAX]); /** * Remove an interface @@ -134,8 +133,7 @@ int net_iface_del(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface); * * @return 0 on success, a negative error code otherwise */ -int net_iface_up(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, - bool up); +int net_iface_up(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, bool up); /** * Set the MTU for an interface @@ -146,8 +144,7 @@ int net_iface_up(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, * * @return 0 on success, a negative error code otherwise */ -int net_iface_mtu_set(openvpn_net_ctx_t *ctx, - const openvpn_net_iface_t *iface, uint32_t mtu); +int net_iface_mtu_set(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, uint32_t mtu); /** * Set the Link Layer (Ethernet) address of the TAP interface @@ -158,8 +155,7 @@ int net_iface_mtu_set(openvpn_net_ctx_t *ctx, * * @return 0 on success, a negative error code otherwise */ -int net_addr_ll_set(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, - uint8_t *addr); +int net_addr_ll_set(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, uint8_t *addr); /** * Add an IPv4 address to an interface @@ -171,8 +167,8 @@ int net_addr_ll_set(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, * * @return 0 on success, a negative error code otherwise */ -int net_addr_v4_add(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, - const in_addr_t *addr, int prefixlen); +int net_addr_v4_add(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, const in_addr_t *addr, + int prefixlen); /** * Add an IPv6 address to an interface 
@@ -197,8 +193,8 @@ int net_addr_v6_add(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, * * @return 0 on success, a negative error code otherwise */ -int net_addr_v4_del(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, - const in_addr_t *addr, int prefixlen); +int net_addr_v4_del(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, const in_addr_t *addr, + int prefixlen); /** * Remove an IPv6 from an interface @@ -222,8 +218,7 @@ int net_addr_v6_del(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, * * @return 0 on success, a negative error code otherwise */ -int net_addr_ptp_v4_add(openvpn_net_ctx_t *ctx, - const openvpn_net_iface_t *iface, +int net_addr_ptp_v4_add(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, const in_addr_t *local, const in_addr_t *remote); /** @@ -236,8 +231,7 @@ int net_addr_ptp_v4_add(openvpn_net_ctx_t *ctx, * * @return 0 on success, a negative error code otherwise */ -int net_addr_ptp_v4_del(openvpn_net_ctx_t *ctx, - const openvpn_net_iface_t *iface, +int net_addr_ptp_v4_del(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, const in_addr_t *local, const in_addr_t *remote); #endif /* ENABLE_SITNL || ENABLE_IPROUTE */ @@ -257,9 +251,8 @@ int net_addr_ptp_v4_del(openvpn_net_ctx_t *ctx, * * @return 0 on success, a negative error code otherwise */ -int net_route_v4_add(openvpn_net_ctx_t *ctx, const in_addr_t *dst, - int prefixlen, const in_addr_t *gw, - const openvpn_net_iface_t *iface, uint32_t table, +int net_route_v4_add(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen, + const in_addr_t *gw, const openvpn_net_iface_t *iface, uint32_t table, int metric); /** 
@@ -276,10 +269,9 @@ int net_route_v4_add(openvpn_net_ctx_t *ctx, const in_addr_t *dst, * * @return 0 on success, a negative error code otherwise */ -int net_route_v6_add(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, - int prefixlen, const struct in6_addr *gw, - const openvpn_net_iface_t *iface, - uint32_t table, int metric); +int net_route_v6_add(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, int prefixlen, + const struct in6_addr *gw, const openvpn_net_iface_t *iface, uint32_t table, + int metric); /** * Delete a route for an IPv4 address/network @@ -295,9 +287,8 @@ int net_route_v6_add(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, * * @return 0 on success, a negative error code otherwise */ -int net_route_v4_del(openvpn_net_ctx_t *ctx, const in_addr_t *dst, - int prefixlen, const in_addr_t *gw, - const openvpn_net_iface_t *iface, uint32_t table, +int net_route_v4_del(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen, + const in_addr_t *gw, const openvpn_net_iface_t *iface, uint32_t table, int metric); /** @@ -314,10 +305,9 @@ int net_route_v4_del(openvpn_net_ctx_t *ctx, const in_addr_t *dst, * * @return 0 on success, a negative error code otherwise */ -int net_route_v6_del(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, - int prefixlen, const struct in6_addr *gw, - const openvpn_net_iface_t *iface, - uint32_t table, int metric); +int net_route_v6_del(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, int prefixlen, + const struct in6_addr *gw, const openvpn_net_iface_t *iface, uint32_t table, + int metric); #endif /* ENABLE_SITNL || ENABLE_IPROUTE || TARGET_FREEBSD */ 
@@ -334,8 +324,8 @@ int net_route_v6_del(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, * * @return 0 on success, a negative error code otherwise */ -int net_route_v4_best_gw(openvpn_net_ctx_t *ctx, const in_addr_t *dst, - in_addr_t *best_gw, openvpn_net_iface_t *best_iface); +int net_route_v4_best_gw(openvpn_net_ctx_t *ctx, const in_addr_t *dst, in_addr_t *best_gw, + openvpn_net_iface_t *best_iface); /** * Retrieve the gateway and outgoing interface for the specified IPv6 @@ -349,8 +339,7 @@ int net_route_v4_best_gw(openvpn_net_ctx_t *ctx, const in_addr_t *dst, * @return 0 on success, a negative error code otherwise */ int net_route_v6_best_gw(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, - struct in6_addr *best_gw, - openvpn_net_iface_t *best_iface); + struct in6_addr *best_gw, openvpn_net_iface_t *best_iface); #endif /* ENABLE_SITNL || ENABLE_IPROUTE */ diff --git a/src/openvpn/networking_freebsd.c b/src/openvpn/networking_freebsd.c index 1c94756e9..b47444cc7 100644 --- a/src/openvpn/networking_freebsd.c +++ b/src/openvpn/networking_freebsd.c @@ -9,9 +9,8 @@ #if defined(TARGET_FREEBSD) static int -net_route_v4(const char *op, const in_addr_t *dst, int prefixlen, - const in_addr_t *gw, const char *iface, uint32_t table, - int metric) +net_route_v4(const char *op, const in_addr_t *dst, int prefixlen, const in_addr_t *gw, + const char *iface, uint32_t table, int metric) { char buf1[INET_ADDRSTRLEN], buf2[INET_ADDRSTRLEN]; in_addr_t _dst, _gw; 
@@ -21,16 +20,12 @@ net_route_v4(const char *op, const in_addr_t *dst, int prefixlen, _dst = ntohl(*dst); _gw = ntohl(*gw); - argv_printf(&argv, "%s %s -net %s/%d %s -fib %d", - ROUTE_PATH, op, - inet_ntop(AF_INET, &_dst, buf1, sizeof(buf1)), - prefixlen, - inet_ntop(AF_INET, &_gw, buf2, sizeof(buf2)), - table); + argv_printf(&argv, "%s %s -net %s/%d %s -fib %d", ROUTE_PATH, op, + inet_ntop(AF_INET, &_dst, buf1, sizeof(buf1)), prefixlen, + inet_ntop(AF_INET, &_gw, buf2, sizeof(buf2)), table); argv_msg(M_INFO, &argv); - status = openvpn_execve_check(&argv, NULL, 0, - "ERROR: FreeBSD route command failed"); + status = openvpn_execve_check(&argv, NULL, 0, "ERROR: FreeBSD route command failed"); argv_free(&argv); @@ -38,24 +33,19 @@ net_route_v4(const char *op, const in_addr_t *dst, int prefixlen, } static int -net_route_v6(const char *op, const struct in6_addr *dst, - int prefixlen, const struct in6_addr *gw, const char *iface, - uint32_t table, int metric) +net_route_v6(const char *op, const struct in6_addr *dst, int prefixlen, const struct in6_addr *gw, + const char *iface, uint32_t table, int metric) { char buf1[INET6_ADDRSTRLEN], buf2[INET6_ADDRSTRLEN]; struct argv argv = argv_new(); bool status; - argv_printf(&argv, "%s -6 %s -net %s/%d %s -fib %d", - ROUTE_PATH, op, - inet_ntop(AF_INET6, dst, buf1, sizeof(buf1)), - prefixlen, - inet_ntop(AF_INET6, gw, buf2, sizeof(buf2)), - table); + argv_printf(&argv, "%s -6 %s -net %s/%d %s -fib %d", ROUTE_PATH, op, + inet_ntop(AF_INET6, dst, buf1, sizeof(buf1)), prefixlen, + inet_ntop(AF_INET6, gw, buf2, sizeof(buf2)), table); argv_msg(M_INFO, &argv); - status = openvpn_execve_check(&argv, NULL, 0, - "ERROR: FreeBSD route command failed"); + status = openvpn_execve_check(&argv, NULL, 0, "ERROR: FreeBSD route command failed"); argv_free(&argv); 
@@ -63,33 +53,29 @@ net_route_v6(const char *op, const struct in6_addr *dst, } int -net_route_v4_add(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen, - const in_addr_t *gw, const char *iface, uint32_t table, - int metric) +net_route_v4_add(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen, const in_addr_t *gw, + const char *iface, uint32_t table, int metric) { return net_route_v4("add", dst, prefixlen, gw, iface, table, metric); } int -net_route_v6_add(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, - int prefixlen, const struct in6_addr *gw, const char *iface, - uint32_t table, int metric) +net_route_v6_add(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, int prefixlen, + const struct in6_addr *gw, const char *iface, uint32_t table, int metric) { return net_route_v6("add", dst, prefixlen, gw, iface, table, metric); } int -net_route_v4_del(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen, - const in_addr_t *gw, const char *iface, uint32_t table, - int metric) +net_route_v4_del(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen, const in_addr_t *gw, + const char *iface, uint32_t table, int metric) { return net_route_v4("del", dst, prefixlen, gw, iface, table, metric); } int -net_route_v6_del(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, - int prefixlen, const struct in6_addr *gw, const char *iface, - uint32_t table, int metric) +net_route_v6_del(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, int prefixlen, + const struct in6_addr *gw, const char *iface, uint32_t table, int metric) { return net_route_v6("del", dst, prefixlen, gw, iface, table, metric); } diff --git a/src/openvpn/networking_iproute2.c b/src/openvpn/networking_iproute2.c index ec8ab1e71..0635b5d6b 100644 --- a/src/openvpn/networking_iproute2.c +++ b/src/openvpn/networking_iproute2.c 
@@ -61,8 +61,7 @@ net_ctx_free(openvpn_net_ctx_t *ctx)
 }
 int
-net_iface_new(openvpn_net_ctx_t *ctx, const char *iface, const char *type,
- void *arg)
+net_iface_new(openvpn_net_ctx_t *ctx, const char *iface, const char *type, void *arg)
 {
  struct argv argv = argv_new();
@@ -76,8 +75,7 @@ net_iface_new(openvpn_net_ctx_t *ctx, const char *iface, const char *type,
 }
 int
-net_iface_type(openvpn_net_ctx_t *ctx, const char *iface,
- char type[IFACE_TYPE_LEN_MAX])
+net_iface_type(openvpn_net_ctx_t *ctx, const char *iface, char type[IFACE_TYPE_LEN_MAX])
 {
  /* not supported by iproute2 */
  msg(M_WARN, "%s: operation not supported by iproute2 backend", __func__);
@@ -102,8 +100,7 @@ net_iface_up(openvpn_net_ctx_t *ctx, const char *iface, bool up)
 {
  struct argv argv = argv_new();
- argv_printf(&argv, "%s link set dev %s %s", iproute_path, iface,
- up ? "up" : "down");
+ argv_printf(&argv, "%s link set dev %s %s", iproute_path, iface, up ? "up" : "down");
  argv_msg(M_INFO, &argv);
  openvpn_execve_check(&argv, ctx->es, S_FATAL, "Linux ip link set failed");
@@ -117,8 +114,7 @@ net_iface_mtu_set(openvpn_net_ctx_t *ctx, const char *iface, uint32_t mtu)
 {
  struct argv argv = argv_new();
- argv_printf(&argv, "%s link set dev %s up mtu %d", iproute_path, iface,
- mtu);
+ argv_printf(&argv, "%s link set dev %s up mtu %d", iproute_path, iface, mtu);
  argv_msg(M_INFO, &argv);
  openvpn_execve_check(&argv, ctx->es, S_FATAL, "Linux ip link set failed");
@@ -128,19 +124,16 @@ net_iface_mtu_set(openvpn_net_ctx_t *ctx, const char *iface, uint32_t mtu)
 }
 int
-net_addr_ll_set(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface,
- uint8_t *addr)
+net_addr_ll_set(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, uint8_t *addr)
 {
  struct argv argv = argv_new();
  int ret = 0;
- argv_printf(&argv,
- "%s link set addr " MAC_FMT " dev %s",
- iproute_path, MAC_PRINT_ARG(addr), iface);
+ argv_printf(&argv, "%s link set addr " MAC_FMT " dev %s", iproute_path, MAC_PRINT_ARG(addr),
+ iface);
  argv_msg(M_INFO, &argv);
- if (!openvpn_execve_check(&argv, ctx->es, 0,
- "Linux ip link set addr failed"))
+ if (!openvpn_execve_check(&argv, ctx->es, 0, "Linux ip link set addr failed"))
  {
  ret = -1;
  }
@@ -151,15 +144,13 @@ net_addr_ll_set(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface,
 }
 int
-net_addr_v4_add(openvpn_net_ctx_t *ctx, const char *iface,
- const in_addr_t *addr, int prefixlen)
+net_addr_v4_add(openvpn_net_ctx_t *ctx, const char *iface, const in_addr_t *addr, int prefixlen)
 {
  struct argv argv = argv_new();
  const char *addr_str = print_in_addr_t(*addr, 0, &ctx->gc);
- argv_printf(&argv, "%s addr add dev %s %s/%d", iproute_path, iface,
- addr_str, prefixlen);
+ argv_printf(&argv, "%s addr add dev %s %s/%d", iproute_path, iface, addr_str, prefixlen);
  argv_msg(M_INFO, &argv);
  openvpn_execve_check(&argv, ctx->es, S_FATAL, "Linux ip addr add failed");
@@ -169,17 +160,15 @@ net_addr_v4_add(openvpn_net_ctx_t *ctx, const char *iface,
 }
 int
-net_addr_v6_add(openvpn_net_ctx_t *ctx, const char *iface,
- const struct in6_addr *addr, int prefixlen)
+net_addr_v6_add(openvpn_net_ctx_t *ctx, const char *iface, const struct in6_addr *addr,
+ int prefixlen)
 {
  struct argv argv = argv_new();
  char *addr_str = (char *)print_in6_addr(*addr, 0, &ctx->gc);
- argv_printf(&argv, "%s -6 addr add %s/%d dev %s", iproute_path, addr_str,
- prefixlen, iface);
+ argv_printf(&argv, "%s -6 addr add %s/%d dev %s", iproute_path, addr_str, prefixlen, iface);
  argv_msg(M_INFO, &argv);
- openvpn_execve_check(&argv, ctx->es, S_FATAL,
- "Linux ip -6 addr add failed");
+ openvpn_execve_check(&argv, ctx->es, S_FATAL, "Linux ip -6 addr add failed");
  argv_free(&argv);
@@ -187,14 +176,12 @@ net_addr_v6_add(openvpn_net_ctx_t *ctx, const char *iface,
 }
 int
-net_addr_v4_del(openvpn_net_ctx_t *ctx, const char *iface,
- const in_addr_t *addr, int prefixlen)
+net_addr_v4_del(openvpn_net_ctx_t *ctx, const char *iface, const in_addr_t *addr, int prefixlen)
 {
  struct argv argv = argv_new();
  const char *addr_str = print_in_addr_t(*addr, 0, &ctx->gc);
- argv_printf(&argv, "%s addr del dev %s %s/%d", iproute_path, iface,
- addr_str, prefixlen);
+ argv_printf(&argv, "%s addr del dev %s %s/%d", iproute_path, iface, addr_str, prefixlen);
  argv_msg(M_INFO, &argv);
  openvpn_execve_check(&argv, ctx->es, 0, "Linux ip addr del failed");
@@ -205,14 +192,13 @@ net_addr_v4_del(openvpn_net_ctx_t *ctx, const char *iface,
 }
 int
-net_addr_v6_del(openvpn_net_ctx_t *ctx, const char *iface,
- const struct in6_addr *addr, int prefixlen)
+net_addr_v6_del(openvpn_net_ctx_t *ctx, const char *iface, const struct in6_addr *addr,
+ int prefixlen)
 {
  struct argv argv = argv_new();
  char *addr_str = (char *)print_in6_addr(*addr, 0, &ctx->gc);
- argv_printf(&argv, "%s -6 addr del %s/%d dev %s", iproute_path,
- addr_str, prefixlen, iface);
+ argv_printf(&argv, "%s -6 addr del %s/%d dev %s", iproute_path, addr_str, prefixlen, iface);
  argv_msg(M_INFO, &argv);
  openvpn_execve_check(&argv, ctx->es, 0, "Linux ip -6 addr del failed");
@@ -222,15 +208,15 @@ net_addr_v6_del(openvpn_net_ctx_t *ctx, const char *iface,
 }
 int
-net_addr_ptp_v4_add(openvpn_net_ctx_t *ctx, const char *iface,
- const in_addr_t *local, const in_addr_t *remote)
+net_addr_ptp_v4_add(openvpn_net_ctx_t *ctx, const char *iface, const in_addr_t *local,
+ const in_addr_t *remote)
 {
  struct argv argv = argv_new();
  const char *local_str = print_in_addr_t(*local, 0, &ctx->gc);
  const char *remote_str = print_in_addr_t(*remote, 0, &ctx->gc);
- argv_printf(&argv, "%s addr add dev %s local %s peer %s", iproute_path,
- iface, local_str, remote_str);
+ argv_printf(&argv, "%s addr add dev %s local %s peer %s", iproute_path, iface, local_str,
+ remote_str);
  argv_msg(M_INFO, &argv);
  openvpn_execve_check(&argv, ctx->es, S_FATAL, "Linux ip addr add failed");
@@ -240,15 +226,15 @@ net_addr_ptp_v4_add(openvpn_net_ctx_t *ctx, const char *iface,
 }
 int
-net_addr_ptp_v4_del(openvpn_net_ctx_t *ctx, const char *iface,
- const in_addr_t *local, const in_addr_t *remote)
+net_addr_ptp_v4_del(openvpn_net_ctx_t *ctx, const char *iface, const in_addr_t *local,
+ const in_addr_t *remote)
 {
  struct argv argv = argv_new();
  const char *local_str = print_in_addr_t(*local, 0, &ctx->gc);
  const char *remote_str = print_in_addr_t(*remote, 0, &ctx->gc);
- argv_printf(&argv, "%s addr del dev %s local %s peer %s", iproute_path,
- iface, local_str, remote_str);
+ argv_printf(&argv, "%s addr del dev %s local %s peer %s", iproute_path, iface, local_str,
+ remote_str);
  argv_msg(M_INFO, &argv);
  openvpn_execve_check(&argv, ctx->es, 0, "Linux ip addr del failed");
@@ -258,9 +244,8 @@ net_addr_ptp_v4_del(openvpn_net_ctx_t *ctx, const char *iface,
 }
 int
-net_route_v4_add(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen,
- const in_addr_t *gw, const char *iface, uint32_t table,
- int metric)
+net_route_v4_add(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen, const in_addr_t *gw,
+ const char *iface, uint32_t table, int metric)
 {
  struct argv argv = argv_new();
  const char *dst_str = print_in_addr_t(*dst, 0, &ctx->gc);
@@ -297,16 +282,14 @@ net_route_v4_add(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen,
 }
 int
-net_route_v6_add(openvpn_net_ctx_t *ctx, const struct in6_addr *dst,
- int prefixlen, const struct in6_addr *gw, const char *iface,
- uint32_t table, int metric)
+net_route_v6_add(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, int prefixlen,
+ const struct in6_addr *gw, const char *iface, uint32_t table, int metric)
 {
  struct argv argv = argv_new();
  char *dst_str = (char *)print_in6_addr(*dst, 0, &ctx->gc);
  int ret = 0;
- argv_printf(&argv, "%s -6 route add %s/%d dev %s", iproute_path, dst_str,
- prefixlen, iface);
+ argv_printf(&argv, "%s -6 route add %s/%d dev %s", iproute_path, dst_str, prefixlen, iface);
  if (gw)
  {
@@ -332,9 +315,8 @@ net_route_v6_add(openvpn_net_ctx_t *ctx, const struct in6_addr *dst,
 }
 int
-net_route_v4_del(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen,
- const in_addr_t *gw, const char *iface, uint32_t table,
- int metric)
+net_route_v4_del(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen, const in_addr_t *gw,
+ const char *iface, uint32_t table, int metric)
 {
  struct argv argv = argv_new();
  const char *dst_str = print_in_addr_t(*dst, 0, &ctx->gc);
@@ -359,16 +341,14 @@ net_route_v4_del(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen,
 }
 int
-net_route_v6_del(openvpn_net_ctx_t *ctx, const struct in6_addr *dst,
- int prefixlen, const struct in6_addr *gw, const char *iface,
- uint32_t table, int metric)
+net_route_v6_del(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, int prefixlen,
+ const struct in6_addr *gw, const char *iface, uint32_t table, int metric)
 {
  struct argv argv = argv_new();
  char *dst_str = (char *)print_in6_addr(*dst, 0, &ctx->gc);
  int ret = 0;
- argv_printf(&argv, "%s -6 route del %s/%d dev %s", iproute_path, dst_str,
- prefixlen, iface);
+ argv_printf(&argv, "%s -6 route del %s/%d dev %s", iproute_path, dst_str, prefixlen, iface);
  if (gw)
  {
diff --git a/src/openvpn/networking_sitnl.c b/src/openvpn/networking_sitnl.c
index 97e574900..4210e92c5 100644
--- a/src/openvpn/networking_sitnl.c
+++ b/src/openvpn/networking_sitnl.c
@@ -43,12 +43,12 @@
 #define SNDBUF_SIZE (1024 * 2)
 #define RCVBUF_SIZE (1024 * 4)
-#define SITNL_ADDATTR(_msg, _max_size, _attr, _data, _size) \
- { \
+#define SITNL_ADDATTR(_msg, _max_size, _attr, _data, _size) \
+ { \
  if (sitnl_addattr(_msg, _max_size, _attr, _data, _size) < 0) \
- { \
- goto err; \
- } \
+ { \
+ goto err; \
+ } \
  }
 #define SITNL_NEST(_msg, _max_size, _attr) \
@@ -58,8 +58,8 @@
  _nest; \
  })
-#define SITNL_NEST_END(_msg, _nest) \
- { \
+#define SITNL_NEST_END(_msg, _nest) \
+ { \
  _nest->rta_len = (void *)sitnl_nlmsg_tail(_msg) - (void *)_nest; \
  }
@@ -73,7 +73,7 @@
  * The only way out to avoid any warning/error is to force the function to
  * not be inline'd.
  */
-static __attribute__ ((noinline)) void *
+static __attribute__((noinline)) void *
 sitnl_nlmsg_tail(const struct nlmsghdr *nlh)
 {
  return (unsigned char *)nlh + NLMSG_ALIGN(nlh->nlmsg_len);
@@ -83,7 +83,8 @@ sitnl_nlmsg_tail(const struct nlmsghdr *nlh)
  * Generic address data structure used to pass addresses and prefixes as
  * argument to AF family agnostic functions
  */
-typedef union {
+typedef union
+{
  in_addr_t ipv4;
  struct in6_addr ipv6;
 } inet_address_t;
@@ -91,7 +92,8 @@ typedef union {
 /**
  * Link state request message
  */
-struct sitnl_link_req {
+struct sitnl_link_req
+{
  struct nlmsghdr n;
  struct ifinfomsg i;
  char buf[256];
@@ -100,7 +102,8 @@ struct sitnl_link_req {
 /**
  * Address request message
  */
-struct sitnl_addr_req {
+struct sitnl_addr_req
+{
  struct nlmsghdr n;
  struct ifaddrmsg i;
  char buf[256];
@@ -109,7 +112,8 @@ struct sitnl_addr_req {
 /**
  * Route request message
  */
-struct sitnl_route_req {
+struct sitnl_route_req
+{
  struct nlmsghdr n;
  struct rtmsg r;
  char buf[256];
@@ -120,7 +124,8 @@ typedef int (*sitnl_parse_reply_cb)(struct nlmsghdr *msg, void *arg);
 /**
  * Object returned by route request operation
  */
-struct sitnl_route_data_cb {
+struct sitnl_route_data_cb
+{
  unsigned int iface;
  inet_address_t gw;
 };
@@ -129,16 +134,14 @@ struct sitnl_route_data_cb {
  * Helper function used to easily add attributes to a rtnl message
  */
 static int
-sitnl_addattr(struct nlmsghdr *n, int maxlen, int type, const void *data,
- int alen)
+sitnl_addattr(struct nlmsghdr *n, int maxlen, int type, const void *data, int alen)
 {
  int len = RTA_LENGTH(alen);
  struct rtattr *rta;
  if ((int)(NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len)) > maxlen)
  {
- msg(M_WARN, "%s: rtnl: message exceeded bound of %d", __func__,
- maxlen);
+ msg(M_WARN, "%s: rtnl: message exceeded bound of %d", __func__, maxlen);
  return -EMSGSIZE;
  }
@@ -240,8 +243,8 @@ sitnl_bind(int fd, uint32_t groups)
  * Send Netlink message and run callback on reply (if specified)
  */
 static int
-sitnl_send(struct nlmsghdr *payload, pid_t peer, unsigned int groups,
- sitnl_parse_reply_cb cb, void *arg_cb)
+sitnl_send(struct nlmsghdr *payload, pid_t peer, unsigned int groups, sitnl_parse_reply_cb cb,
+ void *arg_cb)
 {
  int len, rem_len, fd, ret, rcv_len;
  struct sockaddr_nl nladdr;
@@ -249,13 +252,11 @@ sitnl_send(struct nlmsghdr *payload, pid_t peer, unsigned int groups,
  struct nlmsghdr *h;
  unsigned int seq;
  char buf[1024 * 16];
- struct iovec iov =
- {
+ struct iovec iov = {
  .iov_base = payload,
  .iov_len = payload->nlmsg_len,
  };
- struct msghdr nlmsg =
- {
+ struct msghdr nlmsg = {
  .msg_name = &nladdr,
  .msg_namelen = sizeof(nladdr),
  .msg_iov = &iov,
@@ -334,8 +335,8 @@ sitnl_send(struct nlmsghdr *payload, pid_t peer, unsigned int groups,
  if (nlmsg.msg_namelen != sizeof(nladdr))
  {
- msg(M_WARN, "%s: sender address length: %u (expected %zu)",
- __func__, nlmsg.msg_namelen, sizeof(nladdr));
+ msg(M_WARN, "%s: sender address length: %u (expected %zu)", __func__, nlmsg.msg_namelen,
+ sizeof(nladdr));
  ret = -EIO;
  goto out;
  }
@@ -359,17 +360,18 @@ sitnl_send(struct nlmsghdr *payload, pid_t peer, unsigned int groups,
  goto out;
  }
-/* if (((int)nladdr.nl_pid != peer) || (h->nlmsg_pid != nladdr.nl_pid)
- * || (h->nlmsg_seq != seq))
- * {
- * rcv_len -= NLMSG_ALIGN(len);
- * h = (struct nlmsghdr *)((char *)h + NLMSG_ALIGN(len));
- * msg(M_DEBUG, "%s: skipping unrelated message. nl_pid:%d (peer:%d) nl_msg_pid:%d nl_seq:%d seq:%d",
- * __func__, (int)nladdr.nl_pid, peer, h->nlmsg_pid,
- * h->nlmsg_seq, seq);
- * continue;
- * }
- */
+ /* if (((int)nladdr.nl_pid != peer) || (h->nlmsg_pid != nladdr.nl_pid)
+ * || (h->nlmsg_seq != seq))
+ * {
+ * rcv_len -= NLMSG_ALIGN(len);
+ * h = (struct nlmsghdr *)((char *)h + NLMSG_ALIGN(len));
+ * msg(M_DEBUG, "%s: skipping unrelated message. nl_pid:%d (peer:%d)
+ * nl_msg_pid:%d nl_seq:%d seq:%d",
+ * __func__, (int)nladdr.nl_pid, peer, h->nlmsg_pid,
+ * h->nlmsg_seq, seq);
+ * continue;
+ * }
+ */
  if (h->nlmsg_type == NLMSG_DONE)
  {
@@ -401,8 +403,8 @@ sitnl_send(struct nlmsghdr *payload, pid_t peer, unsigned int groups,
  }
  else
  {
- msg(M_WARN, "%s: rtnl: generic error (%d): %s",
- __func__, err->error, strerror(-err->error));
+ msg(M_WARN, "%s: rtnl: generic error (%d): %s", __func__, err->error,
+ strerror(-err->error));
  ret = err->error;
  }
  }
@@ -446,7 +448,8 @@ out:
  return ret;
 }
-typedef struct {
+typedef struct
+{
  int addr_size;
  inet_address_t gw;
  char iface[IFNAMSIZ];
@@ -508,8 +511,7 @@ sitnl_route_save(struct nlmsghdr *n, void *arg)
  if (!if_indextoname(ifindex, res->iface))
  {
- msg(M_WARN | M_ERRNO, "%s: rtnl: can't get ifname for index %d",
- __func__, ifindex);
+ msg(M_WARN | M_ERRNO, "%s: rtnl: can't get ifname for index %d", __func__, ifindex);
  return -1;
  }
@@ -522,8 +524,8 @@ sitnl_route_save(struct nlmsghdr *n, void *arg)
 }
 static int
-sitnl_route_best_gw(sa_family_t af_family, const inet_address_t *dst,
- void *best_gw, char *best_iface)
+sitnl_route_best_gw(sa_family_t af_family, const inet_address_t *dst, void *best_gw,
+ char *best_iface)
 {
  struct sitnl_route_req req;
  route_res_t res;
@@ -585,15 +587,14 @@ sitnl_route_best_gw(sa_family_t af_family, const inet_address_t *dst,
  strncpy(best_iface, res.iface, IFNAMSIZ);
 err:
  return ret;
-
 }
 /* used by iproute2 implementation too */
 int
-net_route_v6_best_gw(openvpn_net_ctx_t *ctx, const struct in6_addr *dst,
- struct in6_addr *best_gw, char *best_iface)
+net_route_v6_best_gw(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, struct in6_addr *best_gw,
+ char *best_iface)
 {
- inet_address_t dst_v6 = {0};
+ inet_address_t dst_v6 = { 0 };
  char buf[INET6_ADDRSTRLEN];
  int ret;
@@ -602,8 +603,7 @@ net_route_v6_best_gw(openvpn_net_ctx_t *ctx, const struct in6_addr *dst,
  dst_v6.ipv6 = *dst;
  }
- msg(D_ROUTE, "%s query: dst %s", __func__,
- inet_ntop(AF_INET6, &dst_v6.ipv6, buf, sizeof(buf)));
+ msg(D_ROUTE, "%s query: dst %s", __func__, inet_ntop(AF_INET6, &dst_v6.ipv6, buf, sizeof(buf)));
  ret = sitnl_route_best_gw(AF_INET6, &dst_v6, best_gw, best_iface);
  if (ret < 0)
@@ -615,15 +615,14 @@ net_route_v6_best_gw(openvpn_net_ctx_t *ctx, const struct in6_addr *dst,
  inet_ntop(AF_INET6, best_gw, buf, sizeof(buf)), best_iface);
  return ret;
-
 }
 /* used by iproute2 implementation too */
 int
-net_route_v4_best_gw(openvpn_net_ctx_t *ctx, const in_addr_t *dst,
- in_addr_t *best_gw, char *best_iface)
+net_route_v4_best_gw(openvpn_net_ctx_t *ctx, const in_addr_t *dst, in_addr_t *best_gw,
+ char *best_iface)
 {
- inet_address_t dst_v4 = {0};
+ inet_address_t dst_v4 = { 0 };
  char buf[INET_ADDRSTRLEN];
  int ret;
@@ -632,8 +631,7 @@ net_route_v4_best_gw(openvpn_net_ctx_t *ctx, const in_addr_t *dst,
  dst_v4.ipv4 = htonl(*dst);
  }
- msg(D_ROUTE, "%s query: dst %s", __func__,
- inet_ntop(AF_INET, &dst_v4.ipv4, buf, sizeof(buf)));
+ msg(D_ROUTE, "%s query: dst %s", __func__, inet_ntop(AF_INET, &dst_v4.ipv4, buf, sizeof(buf)));
  ret = sitnl_route_best_gw(AF_INET, &dst_v4, best_gw, best_iface);
  if (ret < 0)
@@ -669,8 +667,7 @@ net_iface_up(openvpn_net_ctx_t *ctx, const char *iface, bool up)
  ifindex = if_nametoindex(iface);
  if (ifindex == 0)
  {
- msg(M_WARN, "%s: rtnl: cannot get ifindex for %s: %s", __func__, iface,
- strerror(errno));
+ msg(M_WARN, "%s: rtnl: cannot get ifindex for %s: %s", __func__, iface, strerror(errno));
  return -ENOENT;
  }
@@ -696,8 +693,7 @@ net_iface_up(openvpn_net_ctx_t *ctx, const char *iface, bool up)
 }
 int
-net_iface_mtu_set(openvpn_net_ctx_t *ctx, const char *iface,
- uint32_t mtu)
+net_iface_mtu_set(openvpn_net_ctx_t *ctx, const char *iface, uint32_t mtu)
 {
  struct sitnl_link_req req;
  int ifindex, ret = -1;
@@ -707,8 +703,7 @@ net_iface_mtu_set(openvpn_net_ctx_t *ctx, const char *iface,
  ifindex = if_nametoindex(iface);
  if (ifindex == 0)
  {
- msg(M_WARN | M_ERRNO, "%s: rtnl: cannot get ifindex for %s", __func__,
- iface);
+ msg(M_WARN | M_ERRNO, "%s: rtnl: cannot get ifindex for %s", __func__, iface);
  return -1;
  }
@@ -729,8 +724,7 @@ err:
 }
 int
-net_addr_ll_set(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface,
- uint8_t *addr)
+net_addr_ll_set(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, uint8_t *addr)
 {
  struct sitnl_link_req req;
  int ifindex, ret = -1;
@@ -740,8 +734,7 @@ net_addr_ll_set(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface,
  ifindex = if_nametoindex(iface);
  if (ifindex == 0)
  {
- msg(M_WARN | M_ERRNO, "%s: rtnl: cannot get ifindex for %s", __func__,
- iface);
+ msg(M_WARN | M_ERRNO, "%s: rtnl: cannot get ifindex for %s", __func__, iface);
  return -1;
  }
@@ -754,8 +747,7 @@ net_addr_ll_set(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface,
  SITNL_ADDATTR(&req.n, sizeof(req), IFLA_ADDRESS, addr, OPENVPN_ETH_ALEN);
- msg(M_INFO, "%s: lladdr " MAC_FMT " for %s", __func__, MAC_PRINT_ARG(addr),
- iface);
+ msg(M_INFO, "%s: lladdr " MAC_FMT " for %s", __func__, MAC_PRINT_ARG(addr), iface);
  ret = sitnl_send(&req.n, 0, 0, NULL, NULL);
 err:
@@ -764,8 +756,7 @@ err:
 static int
 sitnl_addr_set(int cmd, uint32_t flags, int ifindex, sa_family_t af_family,
- const inet_address_t *local, const inet_address_t *remote,
- int prefixlen)
+ const inet_address_t *local, const inet_address_t *remote, int prefixlen)
 {
  struct sitnl_addr_req req;
  uint32_t size;
@@ -791,8 +782,7 @@ sitnl_addr_set(int cmd, uint32_t flags, int ifindex, sa_family_t af_family,
  break;
  default:
- msg(M_WARN, "%s: rtnl: unknown address family %d", __func__,
- af_family);
+ msg(M_WARN, "%s: rtnl: unknown address family %d", __func__, af_family);
  return -EINVAL;
  }
@@ -823,8 +813,7 @@ err:
 }
 static int
-sitnl_addr_ptp_add(sa_family_t af_family, const char *iface,
- const inet_address_t *local,
+sitnl_addr_ptp_add(sa_family_t af_family, const char *iface, const inet_address_t *local,
  const inet_address_t *remote)
 {
  int ifindex;
@@ -848,18 +837,16 @@ sitnl_addr_ptp_add(sa_family_t af_family, const char *iface,
  ifindex = if_nametoindex(iface);
  if (ifindex == 0)
  {
- msg(M_WARN, "%s: cannot get ifindex for %s: %s", __func__, np(iface),
- strerror(errno));
+ msg(M_WARN, "%s: cannot get ifindex for %s: %s", __func__, np(iface), strerror(errno));
  return -ENOENT;
  }
- return sitnl_addr_set(RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, ifindex,
- af_family, local, remote, 0);
+ return sitnl_addr_set(RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, ifindex, af_family, local,
+ remote, 0);
 }
 static int
-sitnl_addr_ptp_del(sa_family_t af_family, const char *iface,
- const inet_address_t *local)
+sitnl_addr_ptp_del(sa_family_t af_family, const char *iface, const inet_address_t *local)
 {
  int ifindex;
@@ -890,9 +877,8 @@ sitnl_addr_ptp_del(sa_family_t af_family, const char *iface,
 }
 static int
-sitnl_route_set(int cmd, uint32_t flags, int ifindex, sa_family_t af_family,
- const void *dst, int prefixlen,
- const void *gw, enum rt_class_t table, int metric,
+sitnl_route_set(int cmd, uint32_t flags, int ifindex, sa_family_t af_family, const void *dst,
+ int prefixlen, const void *gw, enum rt_class_t table, int metric,
  enum rt_scope_t scope, int protocol, int type)
 {
  struct sitnl_route_req req;
@@ -960,8 +946,7 @@ err:
 }
 static int
-sitnl_addr_add(sa_family_t af_family, const char *iface,
- const inet_address_t *addr, int prefixlen)
+sitnl_addr_add(sa_family_t af_family, const char *iface, const inet_address_t *addr, int prefixlen)
 {
  int ifindex;
@@ -984,18 +969,16 @@ sitnl_addr_add(sa_family_t af_family, const char *iface,
  ifindex = if_nametoindex(iface);
  if (ifindex == 0)
  {
- msg(M_WARN | M_ERRNO, "%s: rtnl: cannot get ifindex for %s", __func__,
- iface);
+ msg(M_WARN | M_ERRNO, "%s: rtnl: cannot get ifindex for %s", __func__, iface);
  return -ENOENT;
  }
- return sitnl_addr_set(RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, ifindex,
- af_family, addr, NULL, prefixlen);
+ return sitnl_addr_set(RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, ifindex, af_family, addr, NULL,
+ prefixlen);
 }
 static int
-sitnl_addr_del(sa_family_t af_family, const char *iface, inet_address_t *addr,
- int prefixlen)
+sitnl_addr_del(sa_family_t af_family, const char *iface, inet_address_t *addr, int prefixlen)
 {
  int ifindex;
@@ -1018,18 +1001,15 @@ sitnl_addr_del(sa_family_t af_family, const char *iface, inet_address_t *addr,
  ifindex = if_nametoindex(iface);
  if (ifindex == 0)
  {
- msg(M_WARN | M_ERRNO, "%s: rtnl: cannot get ifindex for %s", __func__,
- iface);
+ msg(M_WARN | M_ERRNO, "%s: rtnl: cannot get ifindex for %s", __func__, iface);
  return -ENOENT;
  }
- return sitnl_addr_set(RTM_DELADDR, 0, ifindex, af_family, addr, NULL,
- prefixlen);
+ return sitnl_addr_set(RTM_DELADDR, 0, ifindex, af_family, addr, NULL, prefixlen);
 }
 int
-net_addr_v4_add(openvpn_net_ctx_t *ctx, const char *iface,
- const in_addr_t *addr, int prefixlen)
+net_addr_v4_add(openvpn_net_ctx_t *ctx, const char *iface, const in_addr_t *addr, int prefixlen)
 {
  inet_address_t addr_v4 = { 0 };
  char buf[INET_ADDRSTRLEN];
@@ -1041,15 +1021,15 @@ net_addr_v4_add(openvpn_net_ctx_t *ctx, const char *iface,
  addr_v4.ipv4 = htonl(*addr);
- msg(M_INFO, "%s: %s/%d dev %s", __func__,
- inet_ntop(AF_INET, &addr_v4.ipv4, buf, sizeof(buf)), prefixlen, iface);
+ msg(M_INFO, "%s: %s/%d dev %s", __func__, inet_ntop(AF_INET, &addr_v4.ipv4, buf, sizeof(buf)),
+ prefixlen, iface);
  return sitnl_addr_add(AF_INET, iface, &addr_v4, prefixlen);
 }
 int
-net_addr_v6_add(openvpn_net_ctx_t *ctx, const char *iface,
- const struct in6_addr *addr, int prefixlen)
+net_addr_v6_add(openvpn_net_ctx_t *ctx, const char *iface, const struct in6_addr *addr,
+ int prefixlen)
 {
  inet_address_t addr_v6 = { 0 };
  char buf[INET6_ADDRSTRLEN];
@@ -1061,15 +1041,14 @@ net_addr_v6_add(openvpn_net_ctx_t *ctx, const char *iface,
  addr_v6.ipv6 = *addr;
- msg(M_INFO, "%s: %s/%d dev %s", __func__,
- inet_ntop(AF_INET6, &addr_v6.ipv6, buf, sizeof(buf)), prefixlen, iface);
+ msg(M_INFO, "%s: %s/%d dev %s", __func__, inet_ntop(AF_INET6, &addr_v6.ipv6, buf, sizeof(buf)),
+ prefixlen, iface);
  return sitnl_addr_add(AF_INET6, iface, &addr_v6, prefixlen);
 }
 int
-net_addr_v4_del(openvpn_net_ctx_t *ctx, const char *iface,
- const in_addr_t *addr, int prefixlen)
+net_addr_v4_del(openvpn_net_ctx_t *ctx, const char *iface, const in_addr_t *addr, int prefixlen)
 {
  inet_address_t addr_v4 = { 0 };
  char buf[INET_ADDRSTRLEN];
@@ -1081,15 +1060,15 @@ net_addr_v4_del(openvpn_net_ctx_t *ctx, const char *iface,
  addr_v4.ipv4 = htonl(*addr);
- msg(M_INFO, "%s: %s dev %s", __func__,
- inet_ntop(AF_INET, &addr_v4.ipv4, buf, sizeof(buf)), iface);
+ msg(M_INFO, "%s: %s dev %s", __func__, inet_ntop(AF_INET, &addr_v4.ipv4, buf, sizeof(buf)),
+ iface);
  return sitnl_addr_del(AF_INET, iface, &addr_v4, prefixlen);
 }
 int
-net_addr_v6_del(openvpn_net_ctx_t *ctx, const char *iface,
- const struct in6_addr *addr, int prefixlen)
+net_addr_v6_del(openvpn_net_ctx_t *ctx, const char *iface, const struct in6_addr *addr,
+ int prefixlen)
 {
  inet_address_t addr_v6 = { 0 };
  char buf[INET6_ADDRSTRLEN];
@@ -1101,15 +1080,15 @@ net_addr_v6_del(openvpn_net_ctx_t *ctx, const char *iface,
  addr_v6.ipv6 = *addr;
- msg(M_INFO, "%s: %s/%d dev %s", __func__,
- inet_ntop(AF_INET6, &addr_v6.ipv6, buf, sizeof(buf)), prefixlen, iface);
+ msg(M_INFO, "%s: %s/%d dev %s", __func__, inet_ntop(AF_INET6, &addr_v6.ipv6, buf, sizeof(buf)),
+ prefixlen, iface);
  return sitnl_addr_del(AF_INET6, iface, &addr_v6, prefixlen);
 }
 int
-net_addr_ptp_v4_add(openvpn_net_ctx_t *ctx, const char *iface,
- const in_addr_t *local, const in_addr_t *remote)
+net_addr_ptp_v4_add(openvpn_net_ctx_t *ctx, const char *iface, const in_addr_t *local,
+ const in_addr_t *remote)
 {
  inet_address_t local_v4 = { 0 };
  inet_address_t remote_v4 = { 0 };
@@ -1136,8 +1115,8 @@ net_addr_ptp_v4_add(openvpn_net_ctx_t *ctx, const char *iface,
 }
 int
-net_addr_ptp_v4_del(openvpn_net_ctx_t *ctx, const char *iface,
- const in_addr_t *local, const in_addr_t *remote)
+net_addr_ptp_v4_del(openvpn_net_ctx_t *ctx, const char *iface, const in_addr_t *local,
+ const in_addr_t *remote)
 {
  inet_address_t local_v4 = { 0 };
  char buf[INET6_ADDRSTRLEN];
@@ -1150,15 +1129,15 @@ net_addr_ptp_v4_del(openvpn_net_ctx_t *ctx, const char *iface,
  local_v4.ipv4 = htonl(*local);
- msg(M_INFO, "%s: %s dev %s", __func__,
- inet_ntop(AF_INET, &local_v4.ipv4, buf, sizeof(buf)), iface);
+ msg(M_INFO, "%s: %s dev %s", __func__, inet_ntop(AF_INET, &local_v4.ipv4, buf, sizeof(buf)),
+ iface);
  return sitnl_addr_ptp_del(AF_INET, iface, &local_v4);
 }
 static int
-sitnl_route_add(const char *iface, sa_family_t af_family, const void *dst,
- int prefixlen, const void *gw, uint32_t table, int metric)
+sitnl_route_add(const char *iface, sa_family_t af_family, const void *dst, int prefixlen,
+ const void *gw, uint32_t table, int metric)
 {
  enum rt_scope_t scope = RT_SCOPE_UNIVERSE;
  int ifindex = 0;
@@ -1168,8 +1147,7 @@ sitnl_route_add(const char *iface, sa_family_t af_family, const void *dst,
  ifindex = if_nametoindex(iface);
  if (ifindex == 0)
  {
- msg(M_WARN | M_ERRNO, "%s: rtnl: can't get ifindex for %s",
- __func__, iface);
+ msg(M_WARN | M_ERRNO, "%s: rtnl: can't get ifindex for %s", __func__, iface);
  return -ENOENT;
  }
  }
@@ -1184,15 +1162,13 @@ sitnl_route_add(const char *iface, sa_family_t af_family, const void *dst,
  scope = RT_SCOPE_LINK;
  }
- return sitnl_route_set(RTM_NEWROUTE, NLM_F_CREATE, ifindex,
- af_family, dst, prefixlen, gw, table, metric, scope,
- RTPROT_BOOT, RTN_UNICAST);
+ return sitnl_route_set(RTM_NEWROUTE, NLM_F_CREATE, ifindex, af_family, dst, prefixlen, gw,
+ table, metric, scope, RTPROT_BOOT, RTN_UNICAST);
 }
 int
-net_route_v4_add(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen,
- const in_addr_t *gw, const char *iface,
- uint32_t table, int metric)
+net_route_v4_add(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen, const in_addr_t *gw,
+ const char *iface, uint32_t table, int metric)
 {
  in_addr_t *dst_ptr = NULL, *gw_ptr = NULL;
  in_addr_t dst_be = 0, gw_be = 0;
@@ -1212,18 +1188,15 @@ net_route_v4_add(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen,
  }
  msg(D_ROUTE, "%s: %s/%d via %s dev %s table %d metric %d", __func__,
- inet_ntop(AF_INET, &dst_be, dst_str, sizeof(dst_str)),
- prefixlen, inet_ntop(AF_INET, &gw_be, gw_str, sizeof(gw_str)),
- np(iface), table, metric);
+ inet_ntop(AF_INET, &dst_be, dst_str, sizeof(dst_str)), prefixlen,
+ inet_ntop(AF_INET, &gw_be, gw_str, sizeof(gw_str)), np(iface), table, metric);
- return sitnl_route_add(iface, AF_INET, dst_ptr, prefixlen, gw_ptr, table,
- metric);
+ return sitnl_route_add(iface, AF_INET, dst_ptr, prefixlen, gw_ptr, table, metric);
 }
 int
-net_route_v6_add(openvpn_net_ctx_t *ctx, const struct in6_addr *dst,
- int prefixlen, const struct in6_addr *gw,
- const char *iface, uint32_t table, int metric)
+net_route_v6_add(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, int prefixlen,
+ const struct in6_addr *gw, const char *iface, uint32_t table, int metric)
 {
  inet_address_t dst_v6 = { 0 };
  inet_address_t gw_v6 = { 0 };
@@ -1241,18 +1214,15 @@ net_route_v6_add(openvpn_net_ctx_t *ctx, const struct in6_addr *dst,
  }
  msg(D_ROUTE, "%s: %s/%d via %s dev %s table %d metric %d", __func__,
- inet_ntop(AF_INET6, &dst_v6.ipv6, dst_str, sizeof(dst_str)),
- prefixlen, inet_ntop(AF_INET6, &gw_v6.ipv6, gw_str, sizeof(gw_str)),
- np(iface), table, metric);
+ inet_ntop(AF_INET6, &dst_v6.ipv6, dst_str, sizeof(dst_str)), prefixlen,
+ inet_ntop(AF_INET6, &gw_v6.ipv6, gw_str, sizeof(gw_str)), np(iface), table, metric);
- return sitnl_route_add(iface, AF_INET6, dst, prefixlen, gw, table,
- metric);
+ return sitnl_route_add(iface, AF_INET6, dst, prefixlen, gw, table, metric);
 }
 static int
-sitnl_route_del(const char *iface, sa_family_t af_family, inet_address_t *dst,
- int prefixlen, inet_address_t *gw, uint32_t table,
- int metric)
+sitnl_route_del(const char *iface, sa_family_t af_family, inet_address_t *dst, int prefixlen,
+ inet_address_t *gw, uint32_t table, int metric)
 {
  int ifindex = 0;
@@ -1261,8 +1231,7 @@ sitnl_route_del(const char *iface, sa_family_t af_family, inet_address_t *dst,
  ifindex = if_nametoindex(iface);
  if (ifindex == 0)
  {
- msg(M_WARN | M_ERRNO, "%s: rtnl: can't get ifindex for %s",
- __func__, iface);
+ msg(M_WARN | M_ERRNO, "%s: rtnl: can't get ifindex for %s", __func__, iface);
  return -ENOENT;
  }
  }
@@ -1272,14 +1241,13 @@ sitnl_route_del(const char *iface, sa_family_t af_family, inet_address_t *dst,
  table = RT_TABLE_MAIN;
  }
- return sitnl_route_set(RTM_DELROUTE, 0, ifindex, af_family, dst, prefixlen,
- gw, table, metric, RT_SCOPE_NOWHERE, 0, 0);
+ return sitnl_route_set(RTM_DELROUTE, 0, ifindex, af_family, dst, prefixlen, gw, table, metric,
+ RT_SCOPE_NOWHERE, 0, 0);
 }
 int
-net_route_v4_del(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen,
- const in_addr_t *gw, const char *iface, uint32_t table,
- int metric)
+net_route_v4_del(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen, const in_addr_t *gw,
+ const char *iface, uint32_t table, int metric)
 {
  inet_address_t dst_v4 = { 0 };
  inet_address_t gw_v4 = { 0 };
@@ -1297,18 +1265,15 @@ net_route_v4_del(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen,
  }
  msg(D_ROUTE, "%s: %s/%d via %s dev %s table %d metric %d", __func__,
- inet_ntop(AF_INET, &dst_v4.ipv4, dst_str, sizeof(dst_str)),
- prefixlen, inet_ntop(AF_INET, &gw_v4.ipv4, gw_str, sizeof(gw_str)),
- np(iface), table, metric);
+ inet_ntop(AF_INET, &dst_v4.ipv4, dst_str, sizeof(dst_str)), prefixlen,
+ inet_ntop(AF_INET, &gw_v4.ipv4, gw_str, sizeof(gw_str)), np(iface), table, metric);
- return sitnl_route_del(iface, AF_INET, &dst_v4, prefixlen, &gw_v4, table,
- metric);
+ return sitnl_route_del(iface, AF_INET, &dst_v4, prefixlen, &gw_v4, table, metric);
 }
 int
-net_route_v6_del(openvpn_net_ctx_t *ctx, const struct in6_addr *dst,
- int prefixlen, const struct in6_addr *gw,
- const char *iface, uint32_t table, int metric)
+net_route_v6_del(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, int prefixlen,
+ const struct in6_addr *gw, const char *iface, uint32_t table, int metric)
 {
  inet_address_t dst_v6 = { 0 };
  inet_address_t gw_v6 = { 0 };
@@ -1326,20 +1291,17 @@ net_route_v6_del(openvpn_net_ctx_t *ctx, const struct in6_addr *dst,
  }
  msg(D_ROUTE, "%s: %s/%d via %s dev %s table %d metric %d", __func__,
- inet_ntop(AF_INET6, &dst_v6.ipv6, dst_str, sizeof(dst_str)),
- prefixlen, inet_ntop(AF_INET6, &gw_v6.ipv6, gw_str, sizeof(gw_str)),
- np(iface), table, metric);
+ inet_ntop(AF_INET6, &dst_v6.ipv6, dst_str, sizeof(dst_str)), prefixlen,
+ inet_ntop(AF_INET6, &gw_v6.ipv6, gw_str, sizeof(gw_str)), np(iface), table, metric);
- return sitnl_route_del(iface, AF_INET6, &dst_v6, prefixlen, &gw_v6,
- table, metric);
+ return sitnl_route_del(iface, AF_INET6, &dst_v6, prefixlen, &gw_v6, table, metric);
 }
 int
-net_iface_new(openvpn_net_ctx_t *ctx, const char *iface, const char *type,
- void *arg)
+net_iface_new(openvpn_net_ctx_t *ctx, const char *iface, const char *type, void *arg)
 {
- struct sitnl_link_req req = { };
+ struct sitnl_link_req req = {};
  int ret = -1;
  ASSERT(iface);
@@ -1357,8 +1319,7 @@ net_iface_new(openvpn_net_ctx_t *ctx, const char *iface, const char *type,
  {
  dco_context_t *dco = arg;
  struct rtattr *data = SITNL_NEST(&req.n, sizeof(req), IFLA_INFO_DATA);
- SITNL_ADDATTR(&req.n, sizeof(req), IFLA_OVPN_MODE, &dco->ifmode,
- sizeof(uint8_t));
+ SITNL_ADDATTR(&req.n, sizeof(req), IFLA_OVPN_MODE, &dco->ifmode, sizeof(uint8_t));
  SITNL_NEST_END(&req.n, data);
  }
 #endif
@@ -1366,7 +1327,7 @@ net_iface_new(openvpn_net_ctx_t *ctx, const char *iface, const char *type,
  req.i.ifi_family = AF_PACKET;
- msg(D_ROUTE, "%s: add %s type %s", __func__, iface, type);
+ msg(D_ROUTE, "%s: add %s type %s", __func__, iface, type);
  ret = sitnl_send(&req.n, 0, 0, NULL, NULL);
 err:
@@ -1374,8 +1335,8 @@ err:
 }
 static int
-sitnl_parse_rtattr_flags(struct rtattr *tb[], int max, struct rtattr *rta,
- int len, unsigned short flags)
+sitnl_parse_rtattr_flags(struct rtattr *tb[], int max, struct rtattr *rta, int len,
+ unsigned short flags)
 {
  unsigned short type;
@@ -1395,8 +1356,7 @@ sitnl_parse_rtattr_flags(struct rtattr *tb[], int max, struct rtattr *rta,
 if (len)
 {
- msg(D_ROUTE, "%s: %d bytes not parsed! (rta_len=%d)", __func__, len,
- rta->rta_len);
+ msg(D_ROUTE, "%s: %d bytes not parsed! (rta_len=%d)", __func__, len, rta->rta_len);
 }
 return 0;
@@ -1409,8 +1369,7 @@ sitnl_parse_rtattr(struct rtattr *tb[], int max, struct rtattr *rta, int len)
 }
 #define sitnl_parse_rtattr_nested(tb, max, rta) \
- (sitnl_parse_rtattr_flags(tb, max, RTA_DATA(rta), RTA_PAYLOAD(rta), \
- NLA_F_NESTED))
+ (sitnl_parse_rtattr_flags(tb, max, RTA_DATA(rta), RTA_PAYLOAD(rta), NLA_F_NESTED))
 static int
 sitnl_type_save(struct nlmsghdr *n, void *arg)
@@ -1430,8 +1389,7 @@ sitnl_type_save(struct nlmsghdr *n, void *arg)
 {
 struct rtattr *tb_link[IFLA_INFO_MAX + 1];
- ret = sitnl_parse_rtattr_nested(tb_link, IFLA_INFO_MAX,
- tb[IFLA_LINKINFO]);
+ ret = sitnl_parse_rtattr_nested(tb_link, IFLA_INFO_MAX, tb[IFLA_LINKINFO]);
 if (ret < 0)
 {
 return ret;
@@ -1449,10 +1407,9 @@ sitnl_type_save(struct nlmsghdr *n, void *arg)
 }
 int
-net_iface_type(openvpn_net_ctx_t *ctx, const char *iface,
- char type[IFACE_TYPE_LEN_MAX])
+net_iface_type(openvpn_net_ctx_t *ctx, const char *iface, char type[IFACE_TYPE_LEN_MAX])
 {
- struct sitnl_link_req req = { };
+ struct sitnl_link_req req = {};
 int ifindex = if_nametoindex(iface);
 if (!ifindex)
@@ -1472,8 +1429,7 @@ net_iface_type(openvpn_net_ctx_t *ctx, const char *iface,
 int ret = sitnl_send(&req.n, 0, 0, sitnl_type_save, type);
 if (ret < 0)
 {
- msg(D_ROUTE, "%s: cannot retrieve iface %s: %s (%d)", __func__, iface,
- strerror(-ret), ret);
+ msg(D_ROUTE, "%s: cannot retrieve iface %s: %s (%d)", __func__, iface, strerror(-ret), ret);
 return ret;
 }
@@ -1485,7 +1441,7 @@ net_iface_type(openvpn_net_ctx_t *ctx, const char *iface,
 int
 net_iface_del(openvpn_net_ctx_t *ctx, const char *iface)
 {
- struct sitnl_link_req req = { };
+ struct sitnl_link_req req = {};
 int ifindex = if_nametoindex(iface);
 if (!ifindex)
diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
index 94e5d9508..dc5c93ff6 100644
--- a/src/openvpn/ntlm.c
+++ b/src/openvpn/ntlm.c
@@ -44,15 +44,14 @@
 #ifdef _MSC_VER /* MS compilers */
 #define UINTEGER64 __int64
-#define UINT64(c) c ## Ui64
+#define UINT64(c) c##Ui64
 #else /* Non MS compilers */
 #define UINTEGER64 unsigned long long
-#define UINT64(c) c ## LL
+#define UINT64(c) c##LL
 #endif
-
 static void
 gen_md4_hash(const uint8_t *data, int data_len, uint8_t *result)
 {
@@ -64,8 +63,7 @@ gen_md4_hash(const uint8_t *data, int data_len, uint8_t *result)
 }
 static void
-gen_hmac_md5(const uint8_t *data, int data_len, const uint8_t *key,
- uint8_t *result)
+gen_hmac_md5(const uint8_t *data, int data_len, const uint8_t *key, uint8_t *result)
 {
 hmac_ctx_t *hmac_ctx = hmac_ctx_new();
@@ -91,13 +89,13 @@ gen_timestamp(uint8_t *timestamp)
 /* store little endian value */
 timestamp[0] = timestamp_ull & UINT64(0xFF);
- timestamp[1] = (timestamp_ull >> 8) & UINT64(0xFF);
- timestamp[2] = (timestamp_ull >> 16) & UINT64(0xFF);
- timestamp[3] = (timestamp_ull >> 24) & UINT64(0xFF);
- timestamp[4] = (timestamp_ull >> 32) & UINT64(0xFF);
- timestamp[5] = (timestamp_ull >> 40) & UINT64(0xFF);
- timestamp[6] = (timestamp_ull >> 48) & UINT64(0xFF);
- timestamp[7] = (timestamp_ull >> 56) & UINT64(0xFF);
+ timestamp[1] = (timestamp_ull >> 8) & UINT64(0xFF);
+ timestamp[2] = (timestamp_ull >> 16) & UINT64(0xFF);
+ timestamp[3] = (timestamp_ull >> 24) & UINT64(0xFF);
+ timestamp[4] = (timestamp_ull >> 32) & UINT64(0xFF);
+ timestamp[5] = (timestamp_ull >> 40) & UINT64(0xFF);
+ timestamp[6] = (timestamp_ull >> 48) & UINT64(0xFF);
+ timestamp[7] = (timestamp_ull >> 56) & UINT64(0xFF);
 }
 static void
@@ -106,7 +104,7 @@ gen_nonce(unsigned char *nonce)
 /* Generates 8 random bytes to be used as client nonce */
 int i;
- for (i = 0; i<8; i++)
+ for (i = 0; i < 8; i++)
 {
 nonce[i] = (unsigned char)get_random();
 }
@@ -152,8 +150,8 @@ unicodize(char *dst, const char *src)
 }
 static void
-add_security_buffer(int sb_offset, void *data, int length,
- unsigned char *msg_buf, int *msg_bufpos, size_t msg_bufsize)
+add_security_buffer(int sb_offset, void *data, int length, unsigned char *msg_buf, int *msg_bufpos,
+ size_t msg_bufsize)
 {
 if (*msg_bufpos + length > msg_bufsize)
 {
@@ -188,8 +186,7 @@ ntlm_phase_1(const struct http_proxy_info *p, struct gc_arena *gc)
 }
 const char *
-ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2,
- struct gc_arena *gc)
+ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, struct gc_arena *gc)
 {
 /* NTLM handshake
 *
@@ -205,13 +202,13 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2,
 int i, ret_val;
 uint8_t ntlmv2_response[256];
- char userdomain_u[256]; /* for uppercase unicode username and domain */
- char userdomain[128]; /* the same as previous but ascii */
+ char userdomain_u[256]; /* for uppercase unicode username and domain */
+ char userdomain[128]; /* the same as previous but ascii */
 uint8_t ntlmv2_hash[MD5_DIGEST_LENGTH];
 uint8_t ntlmv2_hmacmd5[16];
- uint8_t *ntlmv2_blob = ntlmv2_response + 16; /* inside ntlmv2_response, length: 128 */
+ uint8_t *ntlmv2_blob = ntlmv2_response + 16; /* inside ntlmv2_response, length: 128 */
 int ntlmv2_blob_size = 0;
- int phase3_bufpos = 0x40; /* offset to next security buffer data to be added */
+ int phase3_bufpos = 0x40; /* offset to next security buffer data to be added */
 size_t len;
 char domain[128];
@@ -225,20 +222,20 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2,
 separator = strchr(p->up.username, '\\');
 if (separator == NULL)
 {
- strncpy(username, p->up.username, sizeof(username)-1);
- username[sizeof(username)-1] = 0;
+ strncpy(username, p->up.username, sizeof(username) - 1);
+ username[sizeof(username) - 1] = 0;
 domain[0] = 0;
 }
 else
 {
- strncpy(username, separator+1, sizeof(username)-1);
- username[sizeof(username)-1] = 0;
+ strncpy(username, separator + 1, sizeof(username) - 1);
+ username[sizeof(username) - 1] = 0;
 len = separator - p->up.username;
 if (len > sizeof(domain) - 1)
 {
 len = sizeof(domain) - 1;
 }
- strncpy(domain, p->up.username, len);
+ strncpy(domain, p->up.username, len);
 domain[len] = 0;
 }
@@ -264,9 +261,9 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2,
 }
 /* extract the challenge from bytes 24-31 */
- for (i = 0; i<8; i++)
+ for (i = 0; i < 8; i++)
 {
- challenge[i] = buf2[i+24];
+ challenge[i] = buf2[i + 24];
 }
 /* Generate NTLMv2 response */
@@ -284,17 +281,16 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2,
 msg(M_INFO, "NTLM: Username or domain too long");
 }
 unicodize(userdomain_u, userdomain);
- gen_hmac_md5((uint8_t *)userdomain_u, 2 * strlen(userdomain), md4_hash,
- ntlmv2_hash);
+ gen_hmac_md5((uint8_t *)userdomain_u, 2 * strlen(userdomain), md4_hash, ntlmv2_hash);
 /* NTLMv2 Blob */
- memset(ntlmv2_blob, 0, 128); /* Clear blob buffer */
- ntlmv2_blob[0x00] = 1; /* Signature */
- ntlmv2_blob[0x01] = 1; /* Signature */
- ntlmv2_blob[0x04] = 0; /* Reserved */
- gen_timestamp(&ntlmv2_blob[0x08]); /* 64-bit Timestamp */
- gen_nonce(&ntlmv2_blob[0x10]); /* 64-bit Client Nonce */
- ntlmv2_blob[0x18] = 0; /* Unknown, zero should work */
+ memset(ntlmv2_blob, 0, 128); /* Clear blob buffer */
+ ntlmv2_blob[0x00] = 1; /* Signature */
+ ntlmv2_blob[0x01] = 1; /* Signature */
+ ntlmv2_blob[0x04] = 0; /* Reserved */
+ gen_timestamp(&ntlmv2_blob[0x08]); /* 64-bit Timestamp */
+ gen_nonce(&ntlmv2_blob[0x10]); /* 64-bit Client Nonce */
+ ntlmv2_blob[0x18] = 0; /* Unknown, zero should work */
 /* Add target information block to the blob */
@@ -311,11 +307,11 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2,
 * byte order on the wire for the NTLM header is LE. */
 const size_t hoff = 0x14;
- unsigned long flags = buf2[hoff] | (buf2[hoff + 1] << 8)
- |(buf2[hoff + 2] << 16) | (buf2[hoff + 3] << 24);
+ unsigned long flags =
+ buf2[hoff] | (buf2[hoff + 1] << 8) | (buf2[hoff + 2] << 16) | (buf2[hoff + 3] << 24);
 if ((flags & 0x00800000) == 0x00800000)
 {
- tib_len = buf2[0x28]; /* Get Target Information block size */
+ tib_len = buf2[0x28]; /* Get Target Information block size */
 if (tib_len + 0x1c + 16 > sizeof(ntlmv2_response))
 {
 msg(M_WARN, "NTLM: target information buffer too long for response (len=%d)", tib_len);
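Review bot: The reflowed `flags` initialiser in the second hunk still evaluates `buf2[hoff + 3] << 24` on a value promoted to int, so a proxy-supplied byte with its top bit set is shifted into the sign bit, which C11 leaves undefined; buf2 is declared outside the hunk but the surrounding byte-wise reads suggest it is an unsigned-char buffer. Widening each byte before the shift removes the hazard and keeps the same value: `unsigned long flags = (unsigned long)buf2[hoff] | ((unsigned long)buf2[hoff + 1] << 8) | ((unsigned long)buf2[hoff + 2] << 16) | ((unsigned long)buf2[hoff + 3] << 24);`. ntlm_phase_3's body continues before and after this hunk.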
@@ -327,7 +323,9 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2,
 uint8_t tib_pos = buf2[0x2c];
 if (tib_pos + tib_len > sizeof(buf2))
 {
- msg(M_ERR, "NTLM: phase 2 response from server too long (need %d bytes at offset %u)", tib_len, tib_pos);
+ msg(M_ERR,
+ "NTLM: phase 2 response from server too long (need %d bytes at offset %u)",
+ tib_len, tib_pos);
 return NULL;
 }
 /* Get Target Information block pointer */
@@ -351,41 +349,38 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2,
 memcpy(&ntlmv2_response[8], challenge, 8);
 /* hmac-md5 */
- gen_hmac_md5(&ntlmv2_response[8], ntlmv2_blob_size + 8, ntlmv2_hash,
- ntlmv2_hmacmd5);
+ gen_hmac_md5(&ntlmv2_response[8], ntlmv2_blob_size + 8, ntlmv2_hash, ntlmv2_hmacmd5);
 /* Add hmac-md5 result to the blob.
 * Note: This overwrites challenge previously written at
 * ntlmv2_response[8..15] */
 memcpy(ntlmv2_response, ntlmv2_hmacmd5, MD5_DIGEST_LENGTH);
- memset(phase3, 0, sizeof(phase3)); /* clear reply */
+ memset(phase3, 0, sizeof(phase3)); /* clear reply */
- strcpy((char *)phase3, "NTLMSSP\0"); /* signature */
- phase3[8] = 3; /* type 3 */
+ strcpy((char *)phase3, "NTLMSSP\0"); /* signature */
+ phase3[8] = 3; /* type 3 */
 /* NTLMv2 response */
- add_security_buffer(0x14, ntlmv2_response, ntlmv2_blob_size + 16,
- phase3, &phase3_bufpos, sizeof(phase3));
+ add_security_buffer(0x14, ntlmv2_response, ntlmv2_blob_size + 16, phase3, &phase3_bufpos,
+ sizeof(phase3));
 /* username in ascii */
- add_security_buffer(0x24, username, strlen(username), phase3,
- &phase3_bufpos, sizeof(phase3));
+ add_security_buffer(0x24, username, strlen(username), phase3, &phase3_bufpos, sizeof(phase3));
 /* Set domain. If is empty, default domain will be used
 * (i.e.
proxy's domain) */
 add_security_buffer(0x1c, domain, strlen(domain), phase3, &phase3_bufpos, sizeof(phase3));
 /* other security buffers will be empty */
- phase3[0x10] = phase3_bufpos; /* lm not used */
- phase3[0x30] = phase3_bufpos; /* no workstation name supplied */
- phase3[0x38] = phase3_bufpos; /* no session key */
+ phase3[0x10] = phase3_bufpos; /* lm not used */
+ phase3[0x30] = phase3_bufpos; /* no workstation name supplied */
+ phase3[0x38] = phase3_bufpos; /* no session key */
 /* flags */
 phase3[0x3c] = 0x02; /* negotiate oem */
 phase3[0x3d] = 0x02; /* negotiate ntlm */
- return ((const char *)make_base64_string2((unsigned char *)phase3,
- phase3_bufpos, gc));
+ return ((const char *)make_base64_string2((unsigned char *)phase3, phase3_bufpos, gc));
 }
 #endif /* if NTLM */
diff --git a/src/openvpn/occ.c b/src/openvpn/occ.c
index 00b2fa4d3..8821a06cc 100644
--- a/src/openvpn/occ.c
+++ b/src/openvpn/occ.c
@@ -51,95 +51,93 @@
 * OCC_STRING_SIZE must be set to sizeof (occ_magic)
 */
-const uint8_t occ_magic[] = {
- 0x28, 0x7f, 0x34, 0x6b, 0xd4, 0xef, 0x7a, 0x81,
- 0x2d, 0x56, 0xb8, 0xd3, 0xaf, 0xc5, 0x45, 0x9c
-};
+const uint8_t occ_magic[] = { 0x28, 0x7f, 0x34, 0x6b, 0xd4, 0xef, 0x7a, 0x81,
+ 0x2d, 0x56, 0xb8, 0xd3, 0xaf, 0xc5, 0x45, 0x9c };
 static const struct mtu_load_test mtu_load_test_sequence[] = {
- {OCC_MTU_LOAD_REQUEST, -1000},
- {OCC_MTU_LOAD, -1000},
- {OCC_MTU_LOAD_REQUEST, -1000},
- {OCC_MTU_LOAD, -1000},
- {OCC_MTU_LOAD_REQUEST, -1000},
- {OCC_MTU_LOAD, -1000},
-
- {OCC_MTU_LOAD_REQUEST, -750},
- {OCC_MTU_LOAD, -750},
- {OCC_MTU_LOAD_REQUEST, -750},
- {OCC_MTU_LOAD, -750},
- {OCC_MTU_LOAD_REQUEST, -750},
- {OCC_MTU_LOAD, -750},
-
- {OCC_MTU_LOAD_REQUEST, -500},
- {OCC_MTU_LOAD, -500},
- {OCC_MTU_LOAD_REQUEST, -500},
- {OCC_MTU_LOAD, -500},
- {OCC_MTU_LOAD_REQUEST, -500},
- {OCC_MTU_LOAD, -500},
-
- {OCC_MTU_LOAD_REQUEST, -400},
- {OCC_MTU_LOAD, -400},
- {OCC_MTU_LOAD_REQUEST, -400},
- {OCC_MTU_LOAD, -400},
- {OCC_MTU_LOAD_REQUEST, -400},
- {OCC_MTU_LOAD, -400},
-
- {OCC_MTU_LOAD_REQUEST, -300},
- {OCC_MTU_LOAD, -300},
- {OCC_MTU_LOAD_REQUEST, -300},
- {OCC_MTU_LOAD, -300},
- {OCC_MTU_LOAD_REQUEST, -300},
- {OCC_MTU_LOAD, -300},
-
- {OCC_MTU_LOAD_REQUEST, -200},
- {OCC_MTU_LOAD, -200},
- {OCC_MTU_LOAD_REQUEST, -200},
- {OCC_MTU_LOAD, -200},
- {OCC_MTU_LOAD_REQUEST, -200},
- {OCC_MTU_LOAD, -200},
-
- {OCC_MTU_LOAD_REQUEST, -150},
- {OCC_MTU_LOAD, -150},
- {OCC_MTU_LOAD_REQUEST, -150},
- {OCC_MTU_LOAD, -150},
- {OCC_MTU_LOAD_REQUEST, -150},
- {OCC_MTU_LOAD, -150},
-
- {OCC_MTU_LOAD_REQUEST, -100},
- {OCC_MTU_LOAD, -100},
- {OCC_MTU_LOAD_REQUEST, -100},
- {OCC_MTU_LOAD, -100},
- {OCC_MTU_LOAD_REQUEST, -100},
- {OCC_MTU_LOAD, -100},
-
- {OCC_MTU_LOAD_REQUEST, -50},
- {OCC_MTU_LOAD, -50},
- {OCC_MTU_LOAD_REQUEST, -50},
- {OCC_MTU_LOAD, -50},
- {OCC_MTU_LOAD_REQUEST, -50},
- {OCC_MTU_LOAD, -50},
-
- {OCC_MTU_LOAD_REQUEST, 0},
- {OCC_MTU_LOAD, 0},
-
{OCC_MTU_LOAD_REQUEST, 0},
- {OCC_MTU_LOAD, 0},
- {OCC_MTU_LOAD_REQUEST, 0},
- {OCC_MTU_LOAD, 0},
-
- {OCC_MTU_REQUEST, 0},
- {OCC_MTU_REQUEST, 0},
- {OCC_MTU_REQUEST, 0},
- {OCC_MTU_REQUEST, 0},
- {OCC_MTU_REQUEST, 0},
- {OCC_MTU_REQUEST, 0},
- {OCC_MTU_REQUEST, 0},
- {OCC_MTU_REQUEST, 0},
- {OCC_MTU_REQUEST, 0},
- {OCC_MTU_REQUEST, 0},
-
- {-1, 0}
+ { OCC_MTU_LOAD_REQUEST, -1000 },
+ { OCC_MTU_LOAD, -1000 },
+ { OCC_MTU_LOAD_REQUEST, -1000 },
+ { OCC_MTU_LOAD, -1000 },
+ { OCC_MTU_LOAD_REQUEST, -1000 },
+ { OCC_MTU_LOAD, -1000 },
+
+ { OCC_MTU_LOAD_REQUEST, -750 },
+ { OCC_MTU_LOAD, -750 },
+ { OCC_MTU_LOAD_REQUEST, -750 },
+ { OCC_MTU_LOAD, -750 },
+ { OCC_MTU_LOAD_REQUEST, -750 },
+ { OCC_MTU_LOAD, -750 },
+
+ { OCC_MTU_LOAD_REQUEST, -500 },
+ { OCC_MTU_LOAD, -500 },
+ { OCC_MTU_LOAD_REQUEST, -500 },
+ { OCC_MTU_LOAD, -500 },
+ { OCC_MTU_LOAD_REQUEST, -500 },
+ { OCC_MTU_LOAD, -500 },
+
+ { OCC_MTU_LOAD_REQUEST, -400 },
+ { OCC_MTU_LOAD, -400 },
+ { OCC_MTU_LOAD_REQUEST, -400 },
+ { OCC_MTU_LOAD, -400 },
+ { OCC_MTU_LOAD_REQUEST, -400 },
+ { OCC_MTU_LOAD, -400 },
+
+ { OCC_MTU_LOAD_REQUEST, -300 },
+ { OCC_MTU_LOAD, -300 },
+ { OCC_MTU_LOAD_REQUEST, -300 },
+ { OCC_MTU_LOAD, -300 },
+ { OCC_MTU_LOAD_REQUEST, -300 },
+ { OCC_MTU_LOAD, -300 },
+
+ { OCC_MTU_LOAD_REQUEST, -200 },
+ { OCC_MTU_LOAD, -200 },
+ { OCC_MTU_LOAD_REQUEST, -200 },
+ { OCC_MTU_LOAD, -200 },
+ { OCC_MTU_LOAD_REQUEST, -200 },
+ { OCC_MTU_LOAD, -200 },
+
+ { OCC_MTU_LOAD_REQUEST, -150 },
+ { OCC_MTU_LOAD, -150 },
+ { OCC_MTU_LOAD_REQUEST, -150 },
+ { OCC_MTU_LOAD, -150 },
+ { OCC_MTU_LOAD_REQUEST, -150 },
+ { OCC_MTU_LOAD, -150 },
+
+ { OCC_MTU_LOAD_REQUEST, -100 },
+ { OCC_MTU_LOAD, -100 },
+ { OCC_MTU_LOAD_REQUEST, -100 },
+ { OCC_MTU_LOAD, -100 },
+ { OCC_MTU_LOAD_REQUEST, -100 },
+ { OCC_MTU_LOAD, -100 },
+
+ { OCC_MTU_LOAD_REQUEST, -50 },
+ { OCC_MTU_LOAD, -50 },
+ { OCC_MTU_LOAD_REQUEST, -50 },
+ { OCC_MTU_LOAD, -50 },
+ { OCC_MTU_LOAD_REQUEST, -50 },
+ { OCC_MTU_LOAD, -50 },
+
+ {
OCC_MTU_LOAD_REQUEST, 0 },
+ { OCC_MTU_LOAD, 0 },
+ { OCC_MTU_LOAD_REQUEST, 0 },
+ { OCC_MTU_LOAD, 0 },
+ { OCC_MTU_LOAD_REQUEST, 0 },
+ { OCC_MTU_LOAD, 0 },
+
+ { OCC_MTU_REQUEST, 0 },
+ { OCC_MTU_REQUEST, 0 },
+ { OCC_MTU_REQUEST, 0 },
+ { OCC_MTU_REQUEST, 0 },
+ { OCC_MTU_REQUEST, 0 },
+ { OCC_MTU_REQUEST, 0 },
+ { OCC_MTU_REQUEST, 0 },
+ { OCC_MTU_REQUEST, 0 },
+ { OCC_MTU_REQUEST, 0 },
+ { OCC_MTU_REQUEST, 0 },
+
+ { -1, 0 }
 };
 void
@@ -155,15 +153,12 @@ check_send_occ_req_dowork(struct context *c)
 */
 msg(D_SHOW_OCC, "NOTE: failed to obtain options consistency info from peer -- "
- "this could occur if the remote peer is running a version of "
- PACKAGE_NAME
- " before 1.5-beta8 or if there is a network connectivity problem, and will not necessarily prevent "
- PACKAGE_NAME
+ "this could occur if the remote peer is running a version of " PACKAGE_NAME
+ " before 1.5-beta8 or if there is a network connectivity problem, and will not necessarily prevent " PACKAGE_NAME
 " from running (" counter_format " bytes received from peer, " counter_format " bytes authenticated data channel traffic) -- you can disable the options consistency " "check with --disable-occ.",
- c->c2.link_read_bytes,
- c->c2.link_read_bytes_auth);
+ c->c2.link_read_bytes, c->c2.link_read_bytes_auth);
 }
 event_timeout_clear(&c->c2.occ_interval);
 }
@@ -196,16 +191,17 @@ check_send_occ_load_test_dowork(struct context *c)
 if (entry->op >= 0)
 {
 c->c2.occ_op = entry->op;
- size_t payload_size = frame_calculate_payload_size(&c->c2.frame,
- &c->options, &c->c1.ks.key_type);
- size_t header_size = frame_calculate_protocol_header_size(&c->c1.ks.key_type, &c->options, false);
+ size_t payload_size =
+ frame_calculate_payload_size(&c->c2.frame, &c->options, &c->c1.ks.key_type);
+ size_t header_size =
+ frame_calculate_protocol_header_size(&c->c1.ks.key_type, &c->options, false);
 c->c2.occ_mtu_load_size = payload_size + header_size;
 }
 else
 {
- msg(M_INFO,
- "NOTE: failed to empirically measure MTU (requires " PACKAGE_NAME " 1.5 or higher at other end of connection).");
+ msg(M_INFO, "NOTE: failed to empirically measure MTU (requires " PACKAGE_NAME
+ " 1.5 or higher at other end of connection).");
 event_timeout_clear(&c->c2.occ_mtu_load_test_interval);
 c->c2.occ_mtu_load_n_tries = 0;
 }
@@ -308,10 +304,8 @@ check_send_occ_msg_dowork(struct context *c)
 proto_hdr = frame_calculate_protocol_header_size(kt, &c->options, false);
 need_to_add = min_int(c->c2.occ_mtu_load_size, c->c2.frame.buf.payload_size)
- - OCC_STRING_SIZE
- - sizeof(uint8_t) /* occ opcode */
- - payload_hdr
- - proto_hdr;
+ - OCC_STRING_SIZE - sizeof(uint8_t) /* occ opcode */
+ - payload_hdr - proto_hdr;
 while (need_to_add > 0)
 {
@@ -325,13 +319,8 @@ check_send_occ_msg_dowork(struct context *c)
 --need_to_add;
 }
 dmsg(D_PACKET_CONTENT, "SENT OCC_MTU_LOAD min_int(%d,%d)-%d-%d-%d-%d) size=%d",
- c->c2.occ_mtu_load_size,
- c->c2.frame.buf.payload_size,
- OCC_STRING_SIZE,
- (int) sizeof(uint8_t),
- (int) payload_hdr,
- (int) proto_hdr,
- BLEN(&c->c2.buf));
+ c->c2.occ_mtu_load_size, c->c2.frame.buf.payload_size, OCC_STRING_SIZE,
+ (int)sizeof(uint8_t), (int)payload_hdr, (int)proto_hdr, BLEN(&c->c2.buf));
 doit = true;
 }
 break;
@@ -387,12 +376,10 @@ process_received_occ_msg(struct context *c)
 dmsg(D_PACKET_CONTENT, "RECEIVED OCC_REPLY");
 if (c->options.occ && !TLS_MODE(c) && c->c2.options_string_remote)
 {
- if (!options_cmp_equal_safe((char *) BPTR(&c->c2.buf),
- c->c2.options_string_remote,
+ if (!options_cmp_equal_safe((char *)BPTR(&c->c2.buf), c->c2.options_string_remote,
 c->c2.buf.len))
 {
- options_warning_safe((char *) BPTR(&c->c2.buf),
- c->c2.options_string_remote,
+ options_warning_safe((char *)BPTR(&c->c2.buf), c->c2.options_string_remote,
 c->c2.buf.len);
 }
 }
@@ -403,22 +390,20 @@ process_received_occ_msg(struct context *c)
 dmsg(D_PACKET_CONTENT, "RECEIVED OCC_MTU_REPLY");
 c->c2.max_recv_size_remote = buf_read_u16(&c->c2.buf);
 c->c2.max_send_size_remote = buf_read_u16(&c->c2.buf);
- if (c->options.mtu_test
- && c->c2.max_recv_size_remote > 0
+ if (c->options.mtu_test && c->c2.max_recv_size_remote > 0
 && c->c2.max_send_size_remote > 0)
 {
- msg(M_INFO, "NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[%d,%d] remote->local=[%d,%d]",
- c->c2.max_send_size_local,
- c->c2.max_recv_size_remote,
- c->c2.max_send_size_remote,
- c->c2.max_recv_size_local);
- if (!c->options.ce.fragment
- && (proto_is_dgram(c->options.ce.proto))
+ msg(M_INFO,
+ "NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[%d,%d] remote->local=[%d,%d]",
+ c->c2.max_send_size_local, c->c2.max_recv_size_remote,
+ c->c2.max_send_size_remote, c->c2.max_recv_size_local);
+ if (!c->options.ce.fragment && (proto_is_dgram(c->options.ce.proto))
 && c->c2.max_send_size_local > TUN_MTU_MIN
 && (c->c2.max_recv_size_remote < c->c2.max_send_size_local
 || c->c2.max_recv_size_local < c->c2.max_send_size_remote))
 {
- msg(M_INFO, "NOTE: This connection is unable to accommodate a UDP packet size of %d. Consider using --fragment or --mssfix options as a workaround.",
+ msg(M_INFO,
+ "NOTE: This connection is unable to accommodate a UDP packet size of %d. Consider using --fragment or --mssfix options as a workaround.",
 c->c2.max_send_size_local);
 }
 }
diff --git a/src/openvpn/occ.h b/src/openvpn/occ.h
index d5f208e0e..369d94e13 100644
--- a/src/openvpn/occ.h
+++ b/src/openvpn/occ.h
@@ -32,8 +32,8 @@
 * OCC (OpenVPN Configuration Control) protocol opcodes.
 */
-#define OCC_REQUEST 0 /* request options string from peer */
-#define OCC_REPLY 1 /* deliver options string to peer */
+#define OCC_REQUEST 0 /* request options string from peer */
+#define OCC_REPLY 1 /* deliver options string to peer */
 /*
 * Send an OCC_REQUEST once every OCC_INTERVAL
@@ -48,11 +48,12 @@
 /*
 * Other OCC protocol opcodes used to estimate the MTU empirically.
 */
-#define OCC_MTU_LOAD_REQUEST 2 /* Ask peer to send a big packet to us */
-#define OCC_MTU_LOAD 3 /* Send a big packet to peer */
-#define OCC_MTU_REQUEST 4 /* Ask peer to tell us the largest
- * packet it has received from us so far */
-#define OCC_MTU_REPLY 5 /* Send largest packet size to peer */
+#define OCC_MTU_LOAD_REQUEST 2 /* Ask peer to send a big packet to us */
+#define OCC_MTU_LOAD 3 /* Send a big packet to peer */
+#define OCC_MTU_REQUEST \
+ 4 /* Ask peer to tell us the largest \
+ * packet it has received from us so far */
+#define OCC_MTU_REPLY 5 /* Send largest packet size to peer */
 /*
 * Process one command from mtu_load_test_sequence
@@ -63,7 +64,7 @@
 /*
 * Send an exit message to remote.
 */
-#define OCC_EXIT 6
+#define OCC_EXIT 6
 /*
 * Used to conduct a load test command sequence
@@ -71,10 +72,10 @@
 */
 struct mtu_load_test
 {
- int op; /* OCC opcode to send to peer */
- int delta; /* determine packet size to send by using
- * this delta against currently
- * configured MTU */
+ int op; /* OCC opcode to send to peer */
+ int delta; /* determine packet size to send by using
+ * this delta against currently
+ * configured MTU */
 };
 extern const uint8_t occ_magic[];
@@ -110,8 +111,7 @@ static inline void
 check_send_occ_req(struct context *c)
 {
 if (event_timeout_defined(&c->c2.occ_interval)
- && event_timeout_trigger(&c->c2.occ_interval,
- &c->c2.timeval,
+ && event_timeout_trigger(&c->c2.occ_interval, &c->c2.timeval,
 (!TO_LINK_DEF(c) && c->c2.occ_op < 0) ? ETT_DEFAULT : 0))
 {
 check_send_occ_req_dowork(c);
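Review bot: The formatter split `OCC_MTU_REQUEST` in the first hunk into three lines with a backslash continuation inside the comment (`4 /* Ask peer to tell us the largest \`), which is valid but brittle: the value is separated from its name and the trailing backslash is now part of the comment text, where the next edit to the wording can silently break the macro. Putting the explanation above the define keeps every opcode on one line and gives the formatter nothing to wrap, e.g. `/* Ask peer to tell us the largest packet it has received from us so far */` followed by `#define OCC_MTU_REQUEST 4`. The `#endif` comment at the end of the SSL_get0_peer_signature_name block in openssl_compat.h picked up the same backslash-in-comment pattern and would benefit from the same treatment.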
@@ -125,8 +125,7 @@ static inline void
 check_send_occ_load_test(struct context *c)
 {
 if (event_timeout_defined(&c->c2.occ_mtu_load_test_interval)
- && event_timeout_trigger(&c->c2.occ_mtu_load_test_interval,
- &c->c2.timeval,
+ && event_timeout_trigger(&c->c2.occ_mtu_load_test_interval, &c->c2.timeval,
 (!TO_LINK_DEF(c) && c->c2.occ_op < 0) ? ETT_DEFAULT : 0))
 {
 check_send_occ_load_test_dowork(c);
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index 20f612e89..143a3cf63 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -67,15 +67,16 @@ X509_OBJECT_free(X509_OBJECT *obj)
 }
 }
-#define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG
-#define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG
+#define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG
+#define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG
 #endif
 #if defined(LIBRESSL_VERSION_NUMBER)
-#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT
+#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT
 #endif
-#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL || defined(OPENSSL_IS_AWSLC)
+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL \
+ || defined(OPENSSL_IS_AWSLC)
 #define SSL_get_peer_tmp_key SSL_get_server_tmp_key
 #endif
@@ -85,10 +86,8 @@ X509_OBJECT_free(X509_OBJECT *obj)
 /* Note that this is not a perfect emulation of the new function but
 * is good enough for our case of printing certificate details during
 * handshake */
-static inline
-int
-EVP_PKEY_get_group_name(EVP_PKEY *pkey, char *gname, size_t gname_sz,
- size_t *gname_len)
+static inline int
+EVP_PKEY_get_group_name(EVP_PKEY *pkey, char *gname, size_t gname_sz, size_t *gname_len)
 {
 const EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
 if (ec == NULL)
@@ -117,13 +116,12 @@ EVP_PKEY_get_group_name(EVP_PKEY *pkey, char *gname, size_t gname_sz,
 #endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L && !defined(OPENSSL_NO_EC) */
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
-#define EVP_MD_get0_name EVP_MD_name
-#define EVP_CIPHER_get0_name EVP_CIPHER_name
+#define EVP_MD_get0_name EVP_MD_name
+#define EVP_CIPHER_get0_name EVP_CIPHER_name
 #define EVP_CIPHER_CTX_get_mode EVP_CIPHER_CTX_mode
 /** Reduce SSL_CTX_new_ex() to SSL_CTX_new() for OpenSSL < 3 */
-#define SSL_CTX_new_ex(libctx, propq, method) \
- SSL_CTX_new((method))
+#define SSL_CTX_new_ex(libctx, propq, method) SSL_CTX_new((method))
 /* Some safe typedefs to avoid too many ifdefs */
 typedef void OSSL_LIB_CTX;
@@ -160,9 +158,7 @@ EVP_MD_free(const EVP_MD *md)
 }
 static inline unsigned long
-ERR_get_error_all(const char **file, int *line,
- const char **func,
- const char **data, int *flags)
+ERR_get_error_all(const char **file, int *line, const char **func, const char **data, int *flags)
 {
 static const char *empty = "";
 *func = empty;
@@ -172,13 +168,13 @@ ERR_get_error_all(const char **file, int *line,
 #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
-#if OPENSSL_VERSION_NUMBER < 0x30500000 && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL)
+#if OPENSSL_VERSION_NUMBER < 0x30500000 \
+ && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL)
 static inline int
 SSL_get0_peer_signature_name(SSL *ssl, const char **sigalg)
 {
 int peer_sig_nid;
- if (SSL_get_peer_signature_nid(ssl, &peer_sig_nid)
- && peer_sig_nid != NID_undef)
+ if (SSL_get_peer_signature_nid(ssl, &peer_sig_nid) && peer_sig_nid != NID_undef)
 {
 *sigalg = OBJ_nid2sn(peer_sig_nid);
 return 1;
@@ -194,7 +190,8 @@ SSL_get0_peer_signature_name(const SSL *ssl, const char **sigalg)
 *sigalg = NULL;
 return 0;
 }
-#endif /* if OPENSSL_VERSION_NUMBER < 0x30500000 && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL) */
+#endif /* if OPENSSL_VERSION_NUMBER < 0x30500000 && (!defined(LIBRESSL_VERSION_NUMBER) || \
+ LIBRESSL_VERSION_NUMBER > 0x3050400fL) */
 #if OPENSSL_VERSION_NUMBER < 0x30200000L && OPENSSL_VERSION_NUMBER >= 0x30000000L
 static inline const char *
diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c
index 99c420a0d..f1e1f76b3 100644
--- a/src/openvpn/openvpn.c
+++ b/src/openvpn/openvpn.c
@@ -119,8 +119,7 @@ init_early(struct context *c)
 * printing depends on it */
 for (int j = 1; j < MAX_PARMS && c->options.providers.names[j]; j++)
 {
- c->options.providers.providers[j] =
- crypto_load_provider(c->options.providers.names[j]);
+ c->options.providers.providers[j] = crypto_load_provider(c->options.providers.names[j]);
 }
 }
@@ -129,8 +128,7 @@ uninit_early(struct context *c)
 {
 for (int j = 1; j < MAX_PARMS && c->options.providers.providers[j]; j++)
 {
- crypto_unload_provider(c->options.providers.names[j],
- c->options.providers.providers[j]);
+ crypto_unload_provider(c->options.providers.names[j], c->options.providers.providers[j]);
 }
 net_ctx_free(&c->net_ctx);
 }
@@ -156,14 +154,15 @@ uninit_early(struct context *c)
 * @param argc - Commandline argument count.
 * @param argv - Commandline argument values.
 */
-static
-int
+static int
 openvpn_main(int argc, char *argv[])
 {
 struct context c;
 #if PEDANTIC
- fprintf(stderr, "Sorry, I was built with --enable-pedantic and I am incapable of doing any real work!\n");
+ fprintf(
+ stderr,
+ "Sorry, I was built with --enable-pedantic and I am incapable of doing any real work!\n");
 return 1;
 #endif
@@ -332,15 +331,13 @@ openvpn_main(int argc, char *argv[])
 /* pass restart status to management subsystem */
 signal_restart_status(c.sig);
- }
- while (signal_reset(c.sig, SIGUSR1) == SIGUSR1);
+ } while (signal_reset(c.sig, SIGUSR1) == SIGUSR1);
 env_set_destroy(c.es);
 uninit_options(&c.options);
 gc_reset(&c.gc);
 uninit_early(&c);
- }
- while (signal_reset(c.sig, SIGHUP) == SIGHUP);
+ } while (signal_reset(c.sig, SIGHUP) == SIGHUP);
 }
 context_gc_free(&c);
@@ -365,7 +362,7 @@ wmain(int argc, wchar_t *wargv[])
 int ret;
 int i;
- if ((argv = calloc(argc+1, sizeof(char *))) == NULL)
+ if ((argv = calloc(argc + 1, sizeof(char *))) == NULL)
 {
 return 1;
 }
diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h
index 004cbc76c..cd99cd409 100644
--- a/src/openvpn/openvpn.h
+++ b/src/openvpn/openvpn.h
@@ -69,7 +69,7 @@ struct key_schedule
 * renegotiation key */
 struct key2 original_wrap_keydata;
 struct key_ctx tls_crypt_v2_server_key;
- struct buffer tls_crypt_v2_wkc; /**< Wrapped client key */
+ struct buffer tls_crypt_v2_wkc; /**< Wrapped client key */
 struct key_ctx auth_token_key;
 };
@@ -169,10 +169,10 @@ struct context_1
 /* persist crypto sequence number to/from file */
 struct packet_id_persist pid_persist;
- struct tuntap *tuntap; /**< Tun/tap virtual network interface. */
- bool tuntap_owned; /**< Whether the tun/tap interface should
- * be cleaned up when this %context is
- * cleaned up. */
+ struct tuntap *tuntap; /**< Tun/tap virtual network interface. */
+ bool tuntap_owned; /**< Whether the tun/tap interface should
+ * be cleaned up when this %context is
+ * cleaned up. */
 struct route_list *route_list; /**< List of routing information. See the
@@ -208,8 +208,7 @@ struct context_1
 static inline bool
 is_cas_pending(enum multi_status cas)
 {
- return cas == CAS_PENDING || cas == CAS_PENDING_DEFERRED
- || cas == CAS_PENDING_DEFERRED_PARTIAL;
+ return cas == CAS_PENDING || cas == CAS_PENDING_DEFERRED || cas == CAS_PENDING_DEFERRED_PARTIAL;
 }
 /**
@@ -223,9 +222,9 @@ is_cas_pending(enum multi_status cas)
 */
 struct context_2
 {
- struct gc_arena gc; /**< Garbage collection arena for
- * allocations done in the level 2 scope
- * of this context_2 structure. */
+ struct gc_arena gc; /**< Garbage collection arena for
+ * allocations done in the level 2 scope
+ * of this context_2 structure. */
 /* our global wait events */
 struct event_set *event_set;
@@ -240,13 +239,13 @@ struct context_2
 bool link_socket_owned;
- const struct link_socket *accept_from; /* possibly do accept() on a parent link_socket */
+ const struct link_socket *accept_from; /* possibly do accept() on a parent link_socket */
- struct link_socket_actual *to_link_addr; /* IP address of remote */
- struct link_socket_actual from; /* address of incoming datagram */
+ struct link_socket_actual *to_link_addr; /* IP address of remote */
+ struct link_socket_actual from; /* address of incoming datagram */
 /* MTU frame parameters */
- struct frame frame; /* Active frame parameters */
+ struct frame frame; /* Active frame parameters */
 #ifdef ENABLE_FRAGMENT
 /* Object to handle advanced MTU negotiation and datagram fragmentation */
@@ -297,7 +296,7 @@ struct context_2
 char *options_string_local;
 char *options_string_remote;
- int occ_op; /* INIT to -1 */
+ int occ_op; /* INIT to -1 */
 int occ_n_tries;
 struct event_timeout occ_interval;
@@ -305,11 +304,11 @@ struct context_2
 * Keep track of maximum packet size received so far
 * (of authenticated packets).
 */
- int original_recv_size; /* temporary */
- int max_recv_size_local; /* max packet size received */
- int max_recv_size_remote; /* max packet size received by remote */
- int max_send_size_local; /* max packet size sent */
- int max_send_size_remote; /* max packet size sent by remote */
+ int original_recv_size; /* temporary */
+ int max_recv_size_local; /* max packet size received */
+ int max_recv_size_remote; /* max packet size received by remote */
+ int max_send_size_local; /* max packet size sent */
+ int max_send_size_remote; /* max packet size sent by remote */
 /* remote wants us to send back a load test packet of this size */
@@ -473,63 +472,67 @@ struct context_2 */ struct context { - struct options options; /**< Options loaded from command line or - * configuration file. */ + struct options options; /**< Options loaded from command line or + * configuration file. */ - bool first_time; /**< True on the first iteration of - * OpenVPN's main loop. */ + bool first_time; /**< True on the first iteration of + * OpenVPN's main loop. */ /* context modes */ -#define CM_P2P 0 /* standalone point-to-point session or client */ -#define CM_TOP 1 /* top level of a multi-client or point-to-multipoint server */ -#define CM_TOP_CLONE 2 /* clone of a CM_TOP context for one thread */ -#define CM_CHILD_UDP 3 /* child context of a CM_TOP or CM_THREAD */ -#define CM_CHILD_TCP 4 /* child context of a CM_TOP or CM_THREAD */ - int mode; /**< Role of this context within the - * OpenVPN process. Valid values are \c - * CM_P2P, \c CM_TOP, \c CM_TOP_CLONE, - * \c CM_CHILD_UDP, and \c CM_CHILD_TCP. */ +#define CM_P2P 0 /* standalone point-to-point session or client */ +#define CM_TOP 1 /* top level of a multi-client or point-to-multipoint server */ +#define CM_TOP_CLONE 2 /* clone of a CM_TOP context for one thread */ +#define CM_CHILD_UDP 3 /* child context of a CM_TOP or CM_THREAD */ +#define CM_CHILD_TCP 4 /* child context of a CM_TOP or CM_THREAD */ + int mode; /**< Role of this context within the + * OpenVPN process. Valid values are \c + * CM_P2P, \c CM_TOP, \c CM_TOP_CLONE, + * \c CM_CHILD_UDP, and \c CM_CHILD_TCP. */ struct multi_context *multi; /**< Pointer to the main P2MP context. * Non-NULL only when mode == CM_TOP. */ - struct gc_arena gc; /**< Garbage collection arena for - * allocations done in the scope of this - * context structure. */ + struct gc_arena gc; /**< Garbage collection arena for + * allocations done in the scope of this + * context structure. */ - struct env_set *es; /**< Set of environment variables. */ + struct env_set *es; /**< Set of environment variables. 
*/ - openvpn_net_ctx_t net_ctx; /**< Networking API opaque context */ + openvpn_net_ctx_t net_ctx; /**< Networking API opaque context */ - struct signal_info *sig; /**< Internal error signaling object. */ + struct signal_info *sig; /**< Internal error signaling object. */ struct plugin_list *plugins; /**< List of plug-ins. */ - bool plugins_owned; /**< Whether the plug-ins should be - * cleaned up when this %context is - * cleaned up. */ + bool plugins_owned; /**< Whether the plug-ins should be + * cleaned up when this %context is + * cleaned up. */ - bool did_we_daemonize; /**< Whether demonization has already - * taken place. */ + bool did_we_daemonize; /**< Whether demonization has already + * taken place. */ struct context_persist persist; /**< Persistent %context. */ - struct context_0 *c0; /**< Level 0 %context. */ - struct context_1 c1; /**< Level 1 %context. */ - struct context_2 c2; /**< Level 2 %context. */ + struct context_0 *c0; /**< Level 0 %context. */ + struct context_1 c1; /**< Level 1 %context. */ + struct context_2 c2; /**< Level 2 %context. */ }; /* * Check for a signal when inside an event loop */ -#define EVENT_LOOP_CHECK_SIGNAL(c, func, arg) \ - if (IS_SIG(c)) \ - { \ - const int brk = func(arg); \ - perf_pop(); \ - if (brk) { \ - break;} \ - else { \ - continue;} \ +#define EVENT_LOOP_CHECK_SIGNAL(c, func, arg) \ + if (IS_SIG(c)) \ + { \ + const int brk = func(arg); \ + perf_pop(); \ + if (brk) \ + { \ + break; \ + } \ + else \ + { \ + continue; \ + } \ } /* 
@@ -537,14 +540,15 @@ struct context * have been compiled in. */ -#define TLS_MODE(c) ((c)->c2.tls_multi != NULL) -#define PROTO_DUMP_FLAGS (check_debug_level(D_LINK_RW_VERBOSE) ? (PD_SHOW_DATA|PD_VERBOSE) : 0) -#define PROTO_DUMP(buf, gc) protocol_dump((buf), \ - PROTO_DUMP_FLAGS \ - |(c->c2.tls_multi ? PD_TLS : 0) \ - |(c->options.tls_auth_file ? md_kt_size(c->c1.ks.key_type.digest) : 0) \ - |(c->options.tls_crypt_file || c->options.tls_crypt_v2_file ? PD_TLS_CRYPT : 0), \ - gc) +#define TLS_MODE(c) ((c)->c2.tls_multi != NULL) +#define PROTO_DUMP_FLAGS (check_debug_level(D_LINK_RW_VERBOSE) ? (PD_SHOW_DATA | PD_VERBOSE) : 0) +#define PROTO_DUMP(buf, gc) \ + protocol_dump( \ + (buf), \ + PROTO_DUMP_FLAGS | (c->c2.tls_multi ? PD_TLS : 0) \ + | (c->options.tls_auth_file ? md_kt_size(c->c1.ks.key_type.digest) : 0) \ + | (c->options.tls_crypt_file || c->options.tls_crypt_v2_file ? PD_TLS_CRYPT : 0), \ + gc) /* this represents "disabled peer-id" */ #define MAX_PEER_ID 0xFFFFFF diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 67139b8b3..672b9545a 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -67,8 +67,7 @@ #include "memdbg.h" #include "options_util.h" -const char title_string[] = - PACKAGE_STRING +const char title_string[] = PACKAGE_STRING #ifdef CONFIGURE_GIT_REVISION " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]" #endif @@ -114,7 +113,7 @@ const char title_string[] = #ifdef CONFIGURE_GIT_REVISION " built on " __DATE__ #endif -; + ; #ifndef ENABLE_SMALL @@ -698,7 +697,7 @@ static const char usage_message[] = " cache until token is removed.\n" "--pkcs11-id-management : Acquire identity from management interface.\n" "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n" -#endif /* ENABLE_PKCS11 */ +#endif /* ENABLE_PKCS11 */ "\n" "SSL Library information:\n" "--show-ciphers : Show cipher algorithms to use with --cipher option.\n" 
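Review bot: PROTO_DUMP(buf, gc) reads `c->c2.tls_multi`, `c->options.tls_auth_file` and `c->c1.ks.key_type.digest` although `c` is not one of its parameters, so the macro only expands correctly where a variable named c of the context type happens to be in scope, and the reformat leaves that hidden dependency undocumented. A one-line comment above the definition, `/* Expects a struct context *c in the calling scope; c is not a macro parameter. */`, would make the constraint visible, and taking c as an explicit parameter is the cleaner long-term fix if the call sites are ever touched. The value OR'd in from md_kt_size(...) is a digest length rather than a PD_* bit, which presumably protocol_dump decodes from the low bits of flags; a short comment saying so would stop the next reader from treating it as a flag-mixing bug.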
@@ -787,13 +786,13 @@ static const char usage_message[] = "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n" #endif " --verb option can be added *BEFORE* this.\n" -#endif /* ENABLE_PKCS11 */ +#endif /* ENABLE_PKCS11 */ "\n" "General Standalone Options:\n" #ifdef ENABLE_DEBUG "--show-gateway [address]: Show info about gateway [to v4/v6 address].\n" #endif -; + ; #endif /* !ENABLE_SMALL */ @@ -894,7 +893,7 @@ init_options(struct options *o, const bool init_gc) #endif #ifdef ENABLE_PKCS11 o->pkcs11_pin_cache_period = -1; -#endif /* ENABLE_PKCS11 */ +#endif /* ENABLE_PKCS11 */ /* P2MP server context features */ o->auth_token_generate = false; @@ -909,7 +908,7 @@ init_options(struct options *o, const bool init_gc) /* Error out if we can't find a valid temporary directory, which should * be very unlikely. */ msg(M_USAGE, "Could not find a suitable temporary directory." - " (GetTempPath() failed). Consider using --tmp-dir"); + " (GetTempPath() failed). Consider using --tmp-dir"); } #else /* ifdef _WIN32 */ /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */ 
@@ -972,23 +971,19 @@ pull_filter_type_name(int type) } #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value)) -#define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'") -#define SHOW_STR_INLINE(var) SHOW_PARM(var, \ - o->var ## _inline ? "[INLINE]" : \ - (o->var ? o->var : "[UNDEF]"), \ - "'%s'") -#define SHOW_INT(var) SHOW_PARM(var, o->var, "%d") -#define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u") -#define SHOW_INT64(var) SHOW_PARM(var, o->var, "%" PRIi64) -#define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x") -#define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s"); +#define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'") +#define SHOW_STR_INLINE(var) \ + SHOW_PARM(var, o->var##_inline ? "[INLINE]" : (o->var ? o->var : "[UNDEF]"), "'%s'") +#define SHOW_INT(var) SHOW_PARM(var, o->var, "%d") +#define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u") +#define SHOW_INT64(var) SHOW_PARM(var, o->var, "%" PRIi64) +#define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x") +#define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s"); #endif /* ifndef ENABLE_SMALL */ static void -setenv_connection_entry(struct env_set *es, - const struct connection_entry *e, - const int i) +setenv_connection_entry(struct env_set *es, const struct connection_entry *e, const int i) { setenv_str_i(es, "remote", e->remote, i); setenv_str_i(es, "remote_port", e->remote_port, i); @@ -1006,9 +1001,7 @@ setenv_connection_entry(struct env_set *es, } static void -setenv_local_entry(struct env_set *es, - const struct local_entry *e, - const int i) +setenv_local_entry(struct env_set *es, const struct local_entry *e, const int i) { setenv_str_i(es, "proto", proto2ascii(e->proto, AF_UNSPEC, false), i); setenv_str_i(es, "local", e->local, i); 
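Review bot: SHOW_BOOL is the only macro in the re-aligned SHOW_* group whose definition ends with a semicolon, `#define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");`, so each `SHOW_BOOL(x);` call expands to two statements and the macro cannot be used where exactly one statement is required (for example in front of an else). Dropping the trailing semicolon, `#define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s")`, makes it consistent with SHOW_STR and SHOW_INT at no cost to the visible call sites, which already end in a semicolon. The SHOW_STR/SHOW_INT family also depends on a variable named o in the caller's scope without taking it as a parameter; a comment above SHOW_STR, `/* These helpers expect a struct options *o in the enclosing scope. */`, would document that.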
@@ -1030,7 +1023,7 @@ setenv_settings(struct env_set *es, const struct options *o) int i; for (i = 0; i < o->connection_list->len; ++i) { - setenv_connection_entry(es, o->connection_list->array[i], i+1); + setenv_connection_entry(es, o->connection_list->array[i], i + 1); } } else @@ -1042,7 +1035,7 @@ setenv_settings(struct env_set *es, const struct options *o) { for (int i = 0; i < o->ce.local_list->len; i++) { - setenv_local_entry(es, o->ce.local_list->array[i], i+1); + setenv_local_entry(es, o->ce.local_list->array[i], i + 1); } } } @@ -1087,12 +1080,12 @@ delete_all_dhcp_fo(struct options *o, struct env_item **list) for (current = *list, prev = NULL; current != NULL; current = current->next) { char *tmp_value = NULL; - if (!strncmp(current->string, "foreign_option_", sizeof("foreign_option_")-1)) + if (!strncmp(current->string, "foreign_option_", sizeof("foreign_option_") - 1)) { tmp_value = strchr(current->string, '='); if (tmp_value && ++tmp_value) { - if (!strncmp(tmp_value, "dhcp-option ", sizeof("dhcp-option ")-1)) + if (!strncmp(tmp_value, "dhcp-option ", sizeof("dhcp-option ") - 1)) { if (prev) { @@ -1156,18 +1149,18 @@ get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc) } static bool -ipv6_addr_safe_hexplusbits( const char *ipv6_prefix_spec ) +ipv6_addr_safe_hexplusbits(const char *ipv6_prefix_spec) { struct in6_addr t_addr; unsigned int t_bits; - return get_ipv6_addr( ipv6_prefix_spec, &t_addr, &t_bits, M_WARN ); + return get_ipv6_addr(ipv6_prefix_spec, &t_addr, &t_bits, M_WARN); } static char * string_substitute(const char *src, int from, int to, struct gc_arena *gc) { - char *ret = (char *) gc_malloc(strlen(src) + 1, true, gc); + char *ret = (char *)gc_malloc(strlen(src) + 1, true, gc); char *dest = ret; char c; @@ -1179,8 +1172,7 @@ string_substitute(const char *src, int from, int to, struct gc_arena *gc) c = to; } *dest++ = c; - } - while (c); + } while (c); return ret; } 
@@ -1208,9 +1200,7 @@ parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_aren while (*cp && i < nbytes) { /* valid segments consist of exactly two hex digits, then ':' or EOS */ - if (!isxdigit(cp[0]) - || !isxdigit(cp[1]) - || (cp[2] != ':' && cp[2] != '\0') + if (!isxdigit(cp[0]) || !isxdigit(cp[1]) || (cp[2] != ':' && cp[2] != '\0') || sscanf(cp, "%x", &byte) != 1) { msg(msglevel, "format error in hash fingerprint: %s", str); @@ -1228,7 +1218,8 @@ parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_aren } if (i < nbytes) { - msg(msglevel, "hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes, i, str); + msg(msglevel, "hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes, i, + str); } else if (term != '\0') { @@ -1248,8 +1239,7 @@ parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_aren * @param gc The returned list items will be allocated in this gc */ static struct verify_hash_list * -parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel, - struct gc_arena *gc) +parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel, struct gc_arena *gc) { struct gc_arena gc_temp = gc_new(); char *lines = string_alloc(str, &gc_temp); @@ -1270,8 +1260,7 @@ parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel, continue; } - struct verify_hash_list *hash = parse_hash_fingerprint(line, nbytes, - msglevel, gc); + struct verify_hash_list *hash = parse_hash_fingerprint(line, nbytes, msglevel, gc); if (!hash) { @@ -1296,7 +1285,7 @@ show_dhcp_option_list(const char *name, const char *const *array, int len) int i; for (i = 0; i < len; ++i) { - msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, array[i] ); + msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, array[i]); } } 
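Review bot: In the hunk at -1208 the joined condition passes `cp[0]` and `cp[1]` straight to isxdigit(); cp indexes the `const char *str` argument as far as the hunk shows, so a fingerprint string containing a byte above 0x7F hands a negative value to a ctype function, which is undefined behaviour where char is signed. Casting first keeps the reject path well-defined for such input: `if (!isxdigit((unsigned char)cp[0]) || !isxdigit((unsigned char)cp[1]) || (cp[2] != ':' && cp[2] != '\0')`. The `sscanf(cp, "%x", &byte)` that follows is bounded to two digits only because cp[2] has already been checked, which is worth a short comment on that line. parse_hash_fingerprint begins and ends outside this hunk.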
@@ -1307,10 +1296,7 @@ show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len) int i; for (i = 0; i < len; ++i) { - msg(D_SHOW_PARMS, " %s[%d] = %s", - name, - i, - print_in_addr_t(array[i], 0, &gc)); + msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, print_in_addr_t(array[i], 0, &gc)); } gc_free(&gc); } @@ -1356,14 +1342,13 @@ dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, i } } static void -dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel) +dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, + int msglevel) { if (*len >= N_DHCP_ADDR) { - msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified", - name, - N_DHCP_ADDR, - name); + msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified", name, + N_DHCP_ADDR, name); } else { 
@@ -1408,12 +1393,15 @@ show_p2mp_parms(const struct options *o) msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc)); msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc)); - msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc) ); + msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc)); SHOW_INT(server_netbits_ipv6); msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc)); - msg(D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t(o->server_bridge_netmask, 0, &gc)); - msg(D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t(o->server_bridge_pool_start, 0, &gc)); - msg(D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t(o->server_bridge_pool_end, 0, &gc)); + msg(D_SHOW_PARMS, " server_bridge_netmask = %s", + print_in_addr_t(o->server_bridge_netmask, 0, &gc)); + msg(D_SHOW_PARMS, " server_bridge_pool_start = %s", + print_in_addr_t(o->server_bridge_pool_start, 0, &gc)); + msg(D_SHOW_PARMS, " server_bridge_pool_end = %s", + print_in_addr_t(o->server_bridge_pool_end, 0, &gc)); if (o->push_list.head) { const struct push_entry *e = o->push_list.head; 
@@ -1427,13 +1415,16 @@ show_p2mp_parms(const struct options *o) } } SHOW_BOOL(ifconfig_pool_defined); - msg(D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t(o->ifconfig_pool_start, 0, &gc)); + msg(D_SHOW_PARMS, " ifconfig_pool_start = %s", + print_in_addr_t(o->ifconfig_pool_start, 0, &gc)); msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc)); - msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc)); + msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s", + print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc)); SHOW_STR(ifconfig_pool_persist_filename); SHOW_INT(ifconfig_pool_persist_refresh_freq); SHOW_BOOL(ifconfig_ipv6_pool_defined); - msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc)); + msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", + print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc)); SHOW_INT(ifconfig_ipv6_pool_netbits); SHOW_INT(n_bcast_buf); SHOW_INT(tcp_queue_limit); 
@@ -1447,11 +1438,15 @@ show_p2mp_parms(const struct options *o) SHOW_BOOL(ccd_exclusive); SHOW_STR(tmp_dir); SHOW_BOOL(push_ifconfig_defined); - msg(D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t(o->push_ifconfig_local, 0, &gc)); - msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc)); + msg(D_SHOW_PARMS, " push_ifconfig_local = %s", + print_in_addr_t(o->push_ifconfig_local, 0, &gc)); + msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", + print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc)); SHOW_BOOL(push_ifconfig_ipv6_defined); - msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits ); - msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc)); + msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", + print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits); + msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", + print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc)); SHOW_BOOL(enable_c2c); SHOW_BOOL(duplicate_cn); SHOW_INT(cf_max); @@ -1484,16 +1479,13 @@ show_p2mp_parms(const struct options *o) #endif /* ! ENABLE_SMALL */ static void -option_iroute(struct options *o, - const char *network_str, - const char *netmask_str, - int msglevel) +option_iroute(struct options *o, const char *network_str, const char *netmask_str, int msglevel) { struct iroute *ir; ALLOC_OBJ_GC(ir, struct iroute, &o->gc); ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL); - ir->netbits = 32; /* host route if no netmask given */ + ir->netbits = 32; /* host route if no netmask given */ if (netmask_str) { 
@@ -1502,8 +1494,7 @@ option_iroute(struct options *o, if (ir->netbits < 0) { - msg(msglevel, "in --iroute %s %s : Bad network/subnet specification", - network_str, + msg(msglevel, "in --iroute %s %s : Bad network/subnet specification", network_str, netmask_str); return; } @@ -1514,18 +1505,15 @@ option_iroute(struct options *o, } static void -option_iroute_ipv6(struct options *o, - const char *prefix_str, - int msglevel) +option_iroute_ipv6(struct options *o, const char *prefix_str, int msglevel) { struct iroute_ipv6 *ir; ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc); - if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel )) + if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel)) { - msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification", - prefix_str); + msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification", prefix_str); return; } @@ -1548,17 +1536,16 @@ show_http_proxy_options(const struct http_proxy_options *o) SHOW_BOOL(nocache); SHOW_STR(http_version); SHOW_STR(user_agent); - for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++) + for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++) { if (o->custom_headers[i].content) { - msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i, - o->custom_headers[i].name, o->custom_headers[i].content); + msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i, o->custom_headers[i].name, + o->custom_headers[i].content); } else { - msg(D_SHOW_PARMS, " custom_header[%d] = %s", i, - o->custom_headers[i].name); + msg(D_SHOW_PARMS, " custom_header[%d] = %s", i, o->custom_headers[i].name); } } msg(D_SHOW_PARMS, "END http_proxy"); 
@@ -1615,7 +1602,8 @@ show_connection_entry(const struct connection_entry *o) for (int i = 0; i < o->local_list->len; i++) { msg(D_SHOW_PARMS, " [%s]:%s-%s", o->local_list->array[i]->local, - o->local_list->array[i]->port, proto2ascii(o->local_list->array[i]->proto, o->af, false)); + o->local_list->array[i]->port, + proto2ascii(o->local_list->array[i]->proto, o->af, false)); } SHOW_STR(remote); SHOW_STR(remote_port); @@ -1652,8 +1640,7 @@ show_connection_entry(const struct connection_entry *o) SHOW_INT(explicit_exit_notification); SHOW_STR_INLINE(tls_auth_file); - SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), - "%s"); + SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s"); SHOW_STR_INLINE(tls_crypt_file); SHOW_STR_INLINE(tls_crypt_v2_file); } @@ -1908,7 +1895,7 @@ show_settings(const struct options *o) SHOW_INT(ns_cert_type); { int i; - for (i = 0; iverify_hash; - int digest_len = (o->verify_hash_algo == MD_SHA1) ? SHA_DIGEST_LENGTH : - SHA256_DIGEST_LENGTH; + int digest_len = + (o->verify_hash_algo == MD_SHA1) ? SHA_DIGEST_LENGTH : SHA256_DIGEST_LENGTH; while (hl) { - char *s = format_hex_ex(hl->hash, digest_len, 0, - 1, ":", &gc); + char *s = format_hex_ex(hl->hash, digest_len, 0, 1, ":", &gc); SHOW_PARM(verify_hash, s, "%s"); hl = hl->next; } 
@@ -1951,36 +1937,38 @@ show_settings(const struct options *o) #ifdef ENABLE_PKCS11 { int i; - for (i = 0; ipkcs11_providers[i] != NULL; i++) + for (i = 0; i < MAX_PARMS && o->pkcs11_providers[i] != NULL; i++) { SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s"); } } { int i; - for (i = 0; ipkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s"); + SHOW_PARM(pkcs11_protected_authentication, + o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s"); } } { int i; - for (i = 0; ipkcs11_private_mode[i], "%08x"); } } { int i; - for (i = 0; ipkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s"); + SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", + "%s"); } } SHOW_INT(pkcs11_pin_cache_period); SHOW_STR(pkcs11_id); SHOW_BOOL(pkcs11_id_management); -#endif /* ENABLE_PKCS11 */ +#endif /* ENABLE_PKCS11 */ show_p2mp_parms(o); @@ -2001,9 +1989,7 @@ show_settings(const struct options *o) #ifdef ENABLE_MANAGEMENT static struct http_proxy_options * -parse_http_proxy_override(const char *server, - const char *port, - const char *flags, +parse_http_proxy_override(const char *server, const char *port, const char *flags, struct gc_arena *gc) { if (server && port) @@ -2058,7 +2044,8 @@ options_postprocess_http_proxy_override(struct options *o) } else { - msg(M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined"); + msg(M_WARN, + "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined"); } } @@ -2075,8 +2062,7 @@ alloc_local_list_if_undef(struct connection_entry *ce, struct gc_arena *gc) } static struct local_entry * -alloc_local_entry(struct connection_entry *ce, const int msglevel, - struct gc_arena *gc) +alloc_local_entry(struct connection_entry *ce, const int msglevel, struct gc_arena *gc) { struct local_list *l = alloc_local_list_if_undef(ce, gc); struct local_entry *e; 
@@ -2089,7 +2075,9 @@ alloc_local_entry(struct connection_entry *ce, const int msglevel, struct local_entry **new_array = gc_realloc(l->array, new_cap * elem_size, gc); if (!new_array) { - msg(msglevel, "Unable to process more local options: out of memory. Number of entries = %d", l->len); + msg(msglevel, + "Unable to process more local options: out of memory. Number of entries = %d", + l->len); return NULL; } @@ -2123,10 +2111,13 @@ alloc_connection_entry(struct options *options, const int msglevel) if (l->len == l->capacity) { int capacity = l->capacity + CONNECTION_LIST_SIZE; - struct connection_entry **ce = gc_realloc(l->array, capacity*sizeof(struct connection_entry *), &options->gc); + struct connection_entry **ce = + gc_realloc(l->array, capacity * sizeof(struct connection_entry *), &options->gc); if (ce == NULL) { - msg(msglevel, "Unable to process more connection options: out of memory. Number of entries = %d", l->len); + msg(msglevel, + "Unable to process more connection options: out of memory. Number of entries = %d", + l->len); return NULL; } l->array = ce; @@ -2156,10 +2147,13 @@ alloc_remote_entry(struct options *options, const int msglevel) if (l->len == l->capacity) { int capacity = l->capacity + CONNECTION_LIST_SIZE; - struct remote_entry **re = gc_realloc(l->array, capacity*sizeof(struct remote_entry *), &options->gc); + struct remote_entry **re = + gc_realloc(l->array, capacity * sizeof(struct remote_entry *), &options->gc); if (re == NULL) { - msg(msglevel, "Unable to process more remote options: out of memory. Number of entries = %d", l->len); + msg(msglevel, + "Unable to process more remote options: out of memory. Number of entries = %d", + l->len); return NULL; } l->array = re; 
@@ -2223,8 +2217,7 @@ connection_entry_load_re(struct connection_entry *ce, const struct remote_entry } static void -connection_entry_preload_key(const char **key_file, bool *key_inline, - struct gc_arena *gc) +connection_entry_preload_key(const char **key_file, bool *key_inline, struct gc_arena *gc) { if (key_file && *key_file && !(*key_inline)) { @@ -2234,7 +2227,7 @@ connection_entry_preload_key(const char **key_file, bool *key_inline, msg(M_FATAL, "Cannot pre-load keyfile (%s)", *key_file); } - *key_file = (const char *) in.data; + *key_file = (const char *)in.data; *key_inline = true; } } @@ -2249,13 +2242,11 @@ check_ca_required(const struct options *options) } #endif - if (options->verify_hash_no_ca - || options->pkcs12_file - || options->ca_file + if (options->verify_hash_no_ca || options->pkcs12_file || options->ca_file #ifndef ENABLE_CRYPTO_MBEDTLS || options->ca_path #endif - ) + ) { return; } @@ -2268,14 +2259,19 @@ check_ca_required(const struct options *options) msg(M_USAGE, "%s", str); } -#define MUST_BE_UNDEF(parm, parm_name) \ - if (options->parm != defaults.parm) { msg(M_USAGE, use_err, parm_name); } +#define MUST_BE_UNDEF(parm, parm_name) \ + if (options->parm != defaults.parm) \ + { \ + msg(M_USAGE, use_err, parm_name); \ + } #define MUST_BE_FALSE(condition, parm_name) \ - if (condition) { msg(M_USAGE, use_err, parm_name); } + if (condition) \ + { \ + msg(M_USAGE, use_err, parm_name); \ + } static void -options_postprocess_verify_ce(const struct options *options, - const struct connection_entry *ce) +options_postprocess_verify_ce(const struct options *options, const struct connection_entry *ce) { struct options defaults; int dev = DEV_TYPE_UNDEF; 
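Review bot: In the hunk at -2268, MUST_BE_UNDEF and MUST_BE_FALSE now expand to a bare braced if statement, so a use such as `MUST_BE_UNDEF(shaper, "shaper");` leaves an empty statement after the block and the macro would bind the wrong way if it were ever placed before an else; wrapping each body in do { … } while (0) is the usual fix and changes nothing at the call sites visible later in this file, which all end in a semicolon. Both macros also reach for options, defaults and use_err from the caller's scope without taking them as parameters; a comment above the first definition, `/* Expect options, defaults and a format string use_err in the enclosing scope. */`, would make the later block-local redefinitions of use_err easier to follow.
```c
#define MUST_BE_UNDEF(parm, parm_name)          \
    do                                          \
    {                                           \
        if (options->parm != defaults.parm)     \
        {                                       \
            msg(M_USAGE, use_err, parm_name);   \
        }                                       \
    } while (0)

#define MUST_BE_FALSE(condition, parm_name)     \
    do                                          \
    {                                           \
        if (condition)                          \
        {                                       \
            msg(M_USAGE, use_err, parm_name);   \
        }                                       \
    } while (0)
```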
@@ -2303,9 +2299,8 @@ options_postprocess_verify_ce(const struct options *options, */ if (ce->proto == PROTO_TCP) { - msg(M_USAGE, - "--proto tcp is ambiguous in this context. Please specify " - "--proto tcp-server or --proto tcp-client"); + msg(M_USAGE, "--proto tcp is ambiguous in this context. Please specify " + "--proto tcp-server or --proto tcp-client"); } /* @@ -2345,16 +2340,13 @@ options_postprocess_verify_ce(const struct options *options, if (string_defined_equal(ce->remote, options->ifconfig_local) || string_defined_equal(ce->remote, options->ifconfig_remote_netmask)) { - msg(M_USAGE, - "--local and --remote addresses must be distinct from --ifconfig " - "addresses"); + msg(M_USAGE, "--local and --remote addresses must be distinct from --ifconfig " + "addresses"); } - if (string_defined_equal(options->ifconfig_local, - options->ifconfig_remote_netmask)) + if (string_defined_equal(options->ifconfig_local, options->ifconfig_remote_netmask)) { - msg(M_USAGE, - "local and remote/netmask --ifconfig addresses must be different"); + msg(M_USAGE, "local and remote/netmask --ifconfig addresses must be different"); } if (ce->bind_defined && !ce->bind_local) @@ -2364,8 +2356,7 @@ options_postprocess_verify_ce(const struct options *options, if (ce->local_port_defined && !ce->bind_local) { - msg(M_USAGE, - "--lport and --nobind don't make sense when used together"); + msg(M_USAGE, "--lport and --nobind don't make sense when used together"); } if (!ce->remote && !ce->bind_local) @@ -2377,8 +2368,7 @@ options_postprocess_verify_ce(const struct options *options, { struct local_entry *le = ce->local_list->array[i]; - if (proto_is_net(le->proto) - && string_defined_equal(le->local, ce->remote) + if (proto_is_net(le->proto) && string_defined_equal(le->local, ce->remote) && string_defined_equal(le->port, ce->remote_port)) { msg(M_USAGE, "--remote and one of the --local addresses are the same"); 
@@ -2404,7 +2394,8 @@ options_postprocess_verify_ce(const struct options *options, && (options->management_flags || options->management_log_history_cache != defaults.management_log_history_cache)) { - msg(M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified"); + msg(M_USAGE, + "--management is not specified, however one or more options which modify the behavior of --management were specified"); } if ((options->management_client_user || options->management_client_group) @@ -2413,24 +2404,21 @@ options_postprocess_verify_ce(const struct options *options, msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets"); } - if (options->management_addr - && !(options->management_flags & MF_UNIX_SOCK) + if (options->management_addr && !(options->management_flags & MF_UNIX_SOCK) && (!options->management_user_pass)) { msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT " - "passwords is STRONGLY discouraged and considered insecure"); + "passwords is STRONGLY discouraged and considered insecure"); } #endif /* ifdef ENABLE_MANAGEMENT */ #if !defined(HAVE_XKEY_PROVIDER) - if ((tls_version_max() >= TLS_VER_1_3) - && (options->management_flags & MF_EXTERNAL_KEY) - && !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING)) - ) + if ((tls_version_max() >= TLS_VER_1_3) && (options->management_flags & MF_EXTERNAL_KEY) + && !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING))) { msg(M_FATAL, "management-external-key with TLS 1.3 or later requires " - "nopadding argument/support"); + "nopadding argument/support"); } #endif /* 
@@ -2438,7 +2426,8 @@ options_postprocess_verify_ce(const struct options *options, */ #ifdef _WIN32 - if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask))) + if (dev == DEV_TYPE_TUN + && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask))) { msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used"); } @@ -2454,14 +2443,13 @@ options_postprocess_verify_ce(const struct options *options, const char *prefix = "Some --dhcp-option or --dns options require DHCP server"; if (options->windows_driver != WINDOWS_DRIVER_TAP_WINDOWS6) { - msg(M_USAGE, "%s, which is not supported by the selected %s driver", - prefix, print_tun_backend_driver(options->windows_driver)); + msg(M_USAGE, "%s, which is not supported by the selected %s driver", prefix, + print_tun_backend_driver(options->windows_driver)); } else if (options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE) { - msg(M_USAGE, "%s, which requires --ip-win32 dynamic or adaptive", - prefix); + msg(M_USAGE, "%s, which requires --ip-win32 dynamic or adaptive", prefix); } } #endif /* ifdef _WIN32 */ 
@@ -2484,21 +2472,18 @@ options_postprocess_verify_ce(const struct options *options, if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT) { - msg(M_USAGE, - "--http-proxy MUST be used in TCP Client mode (i.e. --proto " - "tcp-client)"); + msg(M_USAGE, "--http-proxy MUST be used in TCP Client mode (i.e. --proto " + "tcp-client)"); } if ((ce->http_proxy_options) && !ce->http_proxy_options->server) { - msg(M_USAGE, - "--http-proxy not specified but other http proxy options present"); + msg(M_USAGE, "--http-proxy not specified but other http proxy options present"); } if (ce->http_proxy_options && ce->socks_proxy_server) { - msg(M_USAGE, - "--http-proxy can not be used together with --socks-proxy"); + msg(M_USAGE, "--http-proxy can not be used together with --socks-proxy"); } if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER) @@ -2518,7 +2503,8 @@ options_postprocess_verify_ce(const struct options *options, { const char use_err[] = "--%s cannot be used with --mode server."; -#define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \ +#define USAGE_VALID_SERVER_PROTOS \ + "--mode server currently only supports " \ "--proto values of udp, tcp-server, tcp4-server, or tcp6-server" #ifdef TARGET_ANDROID msg(M_FATAL, "--mode server not supported on Android"); @@ -2541,7 +2527,7 @@ options_postprocess_verify_ce(const struct options *options, && (ce->proto != PROTO_TCP_SERVER)) { msg(M_USAGE, "--port-share only works in TCP server mode " - "(--proto values of tcp-server, tcp4-server, or tcp6-server)"); + "(--proto values of tcp-server, tcp4-server, or tcp6-server)"); } #endif if (!options->tls_server) 
@@ -2555,8 +2541,7 @@ options_postprocess_verify_ce(const struct options *options, /* blocks force to have a remote embedded, so we check * for the --remote and bail out if it is present */ - if (options->connection_list->len >1 - || options->connection_list->array[0]->remote) + if (options->connection_list->len > 1 || options->connection_list->array[0]->remote) { msg(M_USAGE, " cannot be used with --mode server"); } @@ -2564,9 +2549,8 @@ options_postprocess_verify_ce(const struct options *options, MUST_BE_UNDEF(shaper, "shaper"); if (options->ipchange) { - msg(M_USAGE, - "--ipchange cannot be used with --mode server (use " - "--client-connect instead)"); + msg(M_USAGE, "--ipchange cannot be used with --mode server (use " + "--client-connect instead)"); } if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER)) { 
@@ -2574,20 +2558,23 @@ options_postprocess_verify_ce(const struct options *options, } if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per)) { - msg(M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead."); + msg(M_USAGE, + "--connect-freq only works with --mode server --proto udp. Try --max-clients instead."); } - if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask) + if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) + && options->ifconfig_pool_netmask) { - msg(M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode"); + msg(M_USAGE, + "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode"); } if (options->routes && (options->routes->flags & RG_ENABLE)) { - msg(M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)"); + msg(M_USAGE, + "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)"); } MUST_BE_UNDEF(route_delay_defined, "route-delay"); MUST_BE_UNDEF(up_delay, "up-delay"); - if (!options->ifconfig_pool_defined - && !options->ifconfig_ipv6_pool_defined + if (!options->ifconfig_pool_defined && !options->ifconfig_ipv6_pool_defined && options->ifconfig_pool_persist_filename) { msg(M_USAGE, @@ -2600,7 +2587,8 @@ options_postprocess_verify_ce(const struct options *options, MUST_BE_UNDEF(allow_recursive_routing, "allow-recursive-routing"); if (options->auth_user_pass_file) { - msg(M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)"); + msg(M_USAGE, + "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)"); } if (options->ccd_exclusive && !options->client_config_dir) { 
@@ -2609,24 +2597,24 @@ options_postprocess_verify_ce(const struct options *options, if (options->auth_token_generate && !options->renegotiate_seconds) { msg(M_USAGE, "--auth-gen-token needs a non-infinite " - "--renegotiate_seconds setting"); + "--renegotiate_seconds setting"); } if (options->auth_token_generate && options->auth_token_renewal && options->auth_token_renewal < 2 * options->handshake_window) { - msg(M_USAGE, "--auth-gen-token renewal time needs to be at least " + msg(M_USAGE, + "--auth-gen-token renewal time needs to be at least " " two times --hand-window (%d).", options->handshake_window); - } - if (!options->auth_user_pass_verify_script - && !PLUGIN_OPTION_LIST(options) + if (!options->auth_user_pass_verify_script && !PLUGIN_OPTION_LIST(options) && !MAN_CLIENT_AUTH_ENABLED(options)) { - const char *use_err = "--%s must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin"; + const char *use_err = + "--%s must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin"; MUST_BE_FALSE(options->ssl_flags - & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL), + & (SSLF_CLIENT_CERT_NOT_REQUIRED | SSLF_CLIENT_CERT_OPTIONAL), "verify-client-cert none|optional"); MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME, "username-as-common-name"); @@ -2668,7 +2656,7 @@ options_postprocess_verify_ce(const struct options *options, MUST_BE_UNDEF(cf_max, "connect-freq"); MUST_BE_UNDEF(cf_per, "connect-freq"); MUST_BE_FALSE(options->ssl_flags - & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL), + & (SSLF_CLIENT_CERT_NOT_REQUIRED | SSLF_CLIENT_CERT_OPTIONAL), "verify-client-cert"); MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME, "username-as-common-name"); MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL, "auth-user-pass-optional"); 
@@ -2676,15 +2664,16 @@ options_postprocess_verify_ce(const struct options *options, if (options->server_flags & SF_TCP_NODELAY_HELPER) { msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not " - "affect the server. To have TCP_NODELAY in both direction use " - "tcp-nodelay in the server configuration instead."); + "affect the server. To have TCP_NODELAY in both direction use " + "tcp-nodelay in the server configuration instead."); } MUST_BE_UNDEF(auth_user_pass_verify_script, "auth-user-pass-verify"); MUST_BE_UNDEF(auth_token_generate, "auth-gen-token"); #if PORT_SHARE if (options->port_share_host || options->port_share_port) { - msg(M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)"); + msg(M_USAGE, + "--port-share requires TCP server mode (--mode server --proto tcp-server)"); } #endif MUST_BE_UNDEF(stale_routes_check_interval, "stale-routes-check"); @@ -2697,8 +2686,7 @@ options_postprocess_verify_ce(const struct options *options, /* * SSL/TLS mode sanity checks. */ - if (options->tls_server + options->tls_client - + (options->shared_secret_file != NULL) > 1) + if (options->tls_server + options->tls_client + (options->shared_secret_file != NULL) > 1) { msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret"); } 
@@ -2712,29 +2700,26 @@ options_postprocess_verify_ce(const struct options *options, } msg(msglevel, "DEPRECATION: No tls-client or tls-server option in " - "configuration detected. OpenVPN 2.8 will remove the " - "functionality to run a VPN without TLS. " - "See the examples section in the manual page for " - "examples of a similar quick setup with peer-fingerprint. " - "OpenVPN 2.7 allows using this configuration when using " - "--allow-deprecated-insecure-static-crypto but you should move " - "to a proper configuration using TLS as soon as possible." - ); + "configuration detected. OpenVPN 2.8 will remove the " + "functionality to run a VPN without TLS. " + "See the examples section in the manual page for " + "examples of a similar quick setup with peer-fingerprint. " + "OpenVPN 2.7 allows using this configuration when using " + "--allow-deprecated-insecure-static-crypto but you should move " + "to a proper configuration using TLS as soon as possible."); } - if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) + if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED | SSLF_CLIENT_CERT_OPTIONAL)) { msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION " - "--verify-client-cert none|optional " - "may accept clients which do not present a certificate"); + "--verify-client-cert none|optional " + "may accept clients which do not present a certificate"); } const int tls_version_max = - (options->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) - & SSLF_TLS_VERSION_MAX_MASK; + (options->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK; const int tls_version_min = - (options->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) - & SSLF_TLS_VERSION_MIN_MASK; + (options->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK; if (tls_version_max > 0 && tls_version_max < tls_version_min) { 
@@ -2751,20 +2736,24 @@ options_postprocess_verify_ce(const struct options *options, } else if (!options->pkcs11_providers[0] && options->pkcs11_id_management) { - msg(M_WARN, "Option pkcs11-id-management is ignored as no pkcs11-providers are specified"); + msg(M_WARN, + "Option pkcs11-id-management is ignored as no pkcs11-providers are specified"); } if (options->pkcs11_providers[0]) { if (options->pkcs11_id_management && options->pkcs11_id != NULL) { - msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified."); + msg(M_USAGE, + "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified."); } if (!options->pkcs11_id_management && options->pkcs11_id == NULL) { - msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified."); + msg(M_USAGE, + "Parameter --pkcs11-id or --pkcs11-id-management should be specified."); } - const char use_err[] = "Parameter --%s cannot be used when --pkcs11-provider is also specified."; + const char use_err[] = + "Parameter --%s cannot be used when --pkcs11-provider is also specified."; MUST_BE_UNDEF(cert_file, "cert"); MUST_BE_UNDEF(priv_key_file, "key"); MUST_BE_UNDEF(pkcs12_file, "pkcs12"); @@ -2777,9 +2766,10 @@ options_postprocess_verify_ce(const struct options *options, else #endif /* ifdef ENABLE_PKCS11 */ #ifdef ENABLE_CRYPTOAPI - if (options->cryptoapi_cert) + if (options->cryptoapi_cert) { - const char use_err[] = "Parameter --%s cannot be used when --cryptoapicert is also specified."; + const char use_err[] = + "Parameter --%s cannot be used when --cryptoapicert is also specified."; MUST_BE_UNDEF(cert_file, "cert"); MUST_BE_UNDEF(priv_key_file, "key"); MUST_BE_UNDEF(pkcs12_file, "pkcs12"); 
@@ -2788,7 +2778,7 @@ options_postprocess_verify_ce(const struct options *options, } else #endif - if (options->pkcs12_file) + if (options->pkcs12_file) { #ifdef ENABLE_CRYPTO_MBEDTLS msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version of OpenVPN."); @@ -2799,7 +2789,7 @@ options_postprocess_verify_ce(const struct options *options, MUST_BE_UNDEF(priv_key_file, "key"); MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key"); MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert"); -#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */ +#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */ } else /* cert/key from none of pkcs11, pkcs12, cryptoapi */ { @@ -2815,24 +2805,25 @@ options_postprocess_verify_ce(const struct options *options, } else if (!(options->management_flags & MF_EXTERNAL_KEY)) { - msg(M_USAGE, "--management-external-cert must be used with --management-external-key"); + msg(M_USAGE, + "--management-external-cert must be used with --management-external-key"); } } if (pull) { - const int sum = ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT)) - + ((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY)); + + ((options->priv_key_file != NULL) + || (options->management_flags & MF_EXTERNAL_KEY)); if (sum == 0) { if (!options->auth_user_pass_file) { msg(M_USAGE, "No client-side authentication method is " - "specified. You must use either " - "--cert/--key, --pkcs12, or " - "--auth-user-pass"); + "specified. You must use either " + "--cert/--key, --pkcs12, or " + "--auth-user-pass"); } } else if (sum != 2) 
@@ -2844,11 +2835,13 @@ options_postprocess_verify_ce(const struct options *options, { if (!(options->management_flags & MF_EXTERNAL_CERT)) { - notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)"); + notnull(options->cert_file, + "certificate file (--cert) or PKCS#12 file (--pkcs12)"); } if (!(options->management_flags & MF_EXTERNAL_KEY)) { - notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)"); + notnull(options->priv_key_file, + "private key file (--key) or PKCS#12 file (--pkcs12)"); } } } @@ -2859,7 +2852,8 @@ options_postprocess_verify_ce(const struct options *options, if (options->tls_client && ce->tls_crypt_v2_file && (ce->tls_auth_file || ce->tls_crypt_file)) { - msg(M_USAGE, "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode"); + msg(M_USAGE, + "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode"); } } else @@ -2988,12 +2982,12 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) if (ce->af == AF_INET6) { msg(M_INFO, "WARNING: '--proto udp6' is not compatible with " - "'--socks-proxy' today. Forcing IPv4 mode." ); + "'--socks-proxy' today. Forcing IPv4 mode."); } else { msg(M_INFO, "NOTICE: dual-stack mode for '--proto udp' does not " - "work correctly with '--socks-proxy' today. Forcing IPv4." ); + "work correctly with '--socks-proxy' today. Forcing IPv4."); } ce->af = AF_INET; } @@ -3027,7 +3021,7 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) } else #endif - if (ce->tun_mtu_defined) + if (ce->tun_mtu_defined) { if (o->ce.tun_mtu == TUN_MTU_DEFAULT) { 
@@ -3070,12 +3064,9 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) /* Pre-cache tls-auth/crypt(-v2) key file if * keys were not already embedded in the config file. */ - connection_entry_preload_key(&ce->tls_auth_file, - &ce->tls_auth_file_inline, &o->gc); - connection_entry_preload_key(&ce->tls_crypt_file, - &ce->tls_crypt_file_inline, &o->gc); - connection_entry_preload_key(&ce->tls_crypt_v2_file, - &ce->tls_crypt_v2_file_inline, &o->gc); + connection_entry_preload_key(&ce->tls_auth_file, &ce->tls_auth_file_inline, &o->gc); + connection_entry_preload_key(&ce->tls_crypt_file, &ce->tls_crypt_file_inline, &o->gc); + connection_entry_preload_key(&ce->tls_crypt_v2_file, &ce->tls_crypt_v2_file_inline, &o->gc); if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification) @@ -3106,10 +3097,8 @@ options_postprocess_mutate_le(struct connection_entry *ce, struct local_entry *l static void remap_redirect_gateway_flags(struct options *opt) { - if (opt->routes - && opt->route_method == ROUTE_METHOD_SERVICE - && opt->routes->flags & RG_REROUTE_GW - && !(opt->routes->flags & RG_DEF1)) + if (opt->routes && opt->route_method == ROUTE_METHOD_SERVICE + && opt->routes->flags & RG_REROUTE_GW && !(opt->routes->flags & RG_DEF1)) { msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)"); opt->routes->flags |= RG_DEF1; @@ -3288,8 +3277,7 @@ options_postprocess_mutate_invariant(struct options *options) /* If p11-kit is present on the system then load its p11-kit-proxy.so * by default if the user asks for PKCS#11 without otherwise specifying * the module to use. */ - if (!options->pkcs11_providers[0] - && (options->pkcs11_id || options->pkcs11_id_management)) + if (!options->pkcs11_providers[0] && (options->pkcs11_id || options->pkcs11_id_management)) { options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE; } 
@@ -3317,8 +3305,8 @@ options_postprocess_verify(const struct options *o) if (dco_enabled(o) && o->enable_c2c) { msg(M_WARN, "Note: --client-to-client has no effect when using data " - "channel offload: packets are always sent to the VPN " - "interface and then routed based on the system routing table"); + "channel offload: packets are always sent to the VPN " + "interface and then routed based on the system routing table"); } } @@ -3348,17 +3336,19 @@ options_postprocess_cipher(struct options *o) * parts of OpenVPN assert that the ciphername is set */ o->ciphername = "BF-CBC"; - msg(M_INFO, "Note: --cipher is not set. OpenVPN versions before 2.5 " + msg(M_INFO, + "Note: --cipher is not set. OpenVPN versions before 2.5 " "defaulted to BF-CBC as fallback when cipher negotiation " "failed in this case. If you need this fallback please add " "'--data-ciphers-fallback BF-CBC' to your configuration " "and/or add BF-CBC to --data-ciphers. E.g. " - "--data-ciphers %s:BF-CBC", o->ncp_ciphers_conf); + "--data-ciphers %s:BF-CBC", + o->ncp_ciphers_conf); } - else if (!o->enable_ncp_fallback - && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers)) + else if (!o->enable_ncp_fallback && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers)) { - msg(M_WARN, "DEPRECATED OPTION: --cipher set to '%s' but missing in " + msg(M_WARN, + "DEPRECATED OPTION: --cipher set to '%s' but missing in " "--data-ciphers (%s). OpenVPN ignores --cipher for cipher " "negotiations. ", o->ciphername, o->ncp_ciphers_conf); 
@@ -3394,12 +3384,10 @@ static void options_set_backwards_compatible_options(struct options *o) { /* TLS min version is not set */ - int tls_ver_min = (o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) - & SSLF_TLS_VERSION_MIN_MASK; + int tls_ver_min = (o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK; if (tls_ver_min == 0) { - int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) - & SSLF_TLS_VERSION_MAX_MASK; + int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK; if (need_compatibility_before(o, 20307)) { /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */ @@ -3455,7 +3443,7 @@ options_set_backwards_compatible_options(struct options *o) o->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY; } } -#else /* ifdef USE_COMP */ +#else /* ifdef USE_COMP */ o->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY; #endif } @@ -3466,17 +3454,16 @@ options_process_mutate_prf(struct options *o) if (!check_tls_prf_working()) { msg(D_TLS_ERRORS, "Warning: TLS 1.0 PRF with MD5+SHA1 PRF is not " - "supported by the TLS library. Your system does not support this " - "calculation anymore or your security policy (e.g. FIPS 140-2) " - "forbids it. Connections will only work with peers running " - "OpenVPN 2.6.0 or higher)"); + "supported by the TLS library. Your system does not support this " + "calculation anymore or your security policy (e.g. FIPS 140-2) " + "forbids it. Connections will only work with peers running " + "OpenVPN 2.6.0 or higher)"); if (o->mode == MODE_SERVER) { msg(M_WARN, "Automatically enabling option " - "--force-tls-key-material-export"); + "--force-tls-key-material-export"); o->force_key_material_export = true; } - } } 
@@ -3521,9 +3508,9 @@ tuntap_options_postprocess_dns(struct options *o) #if defined(_WIN32) if (tt->ip_win32_type != IPW32_SET_DHCP_MASQ && tt->ip_win32_type != IPW32_SET_ADAPTIVE) { - return; /* Not in DHCP mode */ + return; /* Not in DHCP mode */ } -#endif /* if defined(_WIN32) */ +#endif /* if defined(_WIN32) */ /* Copy --dns options to tuntap_options */ @@ -3559,8 +3546,7 @@ tuntap_options_postprocess_dns(struct options *o) } } if ((s->transport && s->transport != DNS_TRANSPORT_PLAIN) - || (s->dnssec && s->dnssec != DNS_SECURITY_NO) - || non_standard_server_port) + || (s->dnssec && s->dnssec != DNS_SECURITY_NO) || non_standard_server_port) { /* Skip servers requiring unsupported config to be set */ s = s->next; @@ -3593,7 +3579,7 @@ tuntap_options_postprocess_dns(struct options *o) } } -#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */ +#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */ /** * @brief Postprocess DNS related settings @@ -3715,8 +3701,7 @@ dhcp_options_postprocess_dns(struct options *o, struct env_set *es) } } if ((s->transport && s->transport != DNS_TRANSPORT_PLAIN) - || (s->dnssec && s->dnssec != DNS_SECURITY_NO) - || non_standard_server_port) + || (s->dnssec && s->dnssec != DNS_SECURITY_NO) || non_standard_server_port) { /* Skip servers requiring unsupported config to be set */ s = s->next; @@ -3852,7 +3837,7 @@ options_postprocess_mutate(struct options *o, struct env_set *es) { /* DH file is only meaningful in a tls-server context. */ msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only " - "include this in your server configuration"); + "include this in your server configuration"); o->dh_file = NULL; } #if ENABLE_MANAGEMENT 
@@ -3861,25 +3846,23 @@ options_postprocess_mutate(struct options *o, struct env_set *es) options_postprocess_http_proxy_override(o); } #endif - if (!o->ca_file && !o->ca_path && o->verify_hash - && o->verify_hash_depth == 0) + if (!o->ca_file && !o->ca_path && o->verify_hash && o->verify_hash_depth == 0) { msg(M_INFO, "Using certificate fingerprint to verify peer (no CA " - "option set). "); + "option set). "); o->verify_hash_no_ca = true; } if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP) { msg(M_USAGE, "Options 'config stdin' and 'remap-usr1 SIGHUP' are " - "incompatible with each other."); + "incompatible with each other."); } if (dco_enabled(o)) { /* check if any option should force disabling DCO */ - o->disable_dco = !dco_check_option(D_DCO, o) - || !dco_check_startup_option(D_DCO, o); + o->disable_dco = !dco_check_option(D_DCO, o) || !dco_check_startup_option(D_DCO, o); } #ifdef USE_COMP if (dco_enabled(o)) @@ -3897,7 +3880,8 @@ options_postprocess_mutate(struct options *o, struct env_set *es) { if (o->windows_driver == DRIVER_DCO) { - msg(M_WARN, "Option --windows-driver ovpn-dco is ignored because Data Channel Offload is disabled"); + msg(M_WARN, + "Option --windows-driver ovpn-dco is ignored because Data Channel Offload is disabled"); o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6; } else if (o->windows_driver == WINDOWS_DRIVER_UNSPECIFIED) @@ -3909,7 +3893,7 @@ options_postprocess_mutate(struct options *o, struct env_set *es) if (dco_enabled(o) && o->dev_node) { msg(M_WARN, "Note: ignoring --dev-node as it has no effect when using " - "data channel offload"); + "data channel offload"); o->dev_node = NULL; } #endif /* _WIN32 */ 
@@ -3947,14 +3931,14 @@ options_postprocess_mutate(struct options *o, struct env_set *es) * Check file/directory sanity * */ -#ifndef ENABLE_SMALL /* Expect people using the stripped down version to know what they do */ +#ifndef ENABLE_SMALL /* Expect people using the stripped down version to know what they do */ -#define CHKACC_FILE (1<<0) /**< Check for a file/directory presence */ -#define CHKACC_DIRPATH (1<<1) /**< Check for directory presence where a file should reside */ -#define CHKACC_FILEXSTWR (1<<2) /**< If file exists, is it writable? */ -#define CHKACC_ACPTSTDIN (1<<3) /**< If filename is stdin, it's allowed and "exists" */ -#define CHKACC_PRIVATE (1<<4) /**< Warn if this (private) file is group/others accessible */ -#define CHKACC_ACCEPT_URI (1<<5) /**< Do not check URIs, unless they start with file: */ +#define CHKACC_FILE (1 << 0) /**< Check for a file/directory presence */ +#define CHKACC_DIRPATH (1 << 1) /**< Check for directory presence where a file should reside */ +#define CHKACC_FILEXSTWR (1 << 2) /**< If file exists, is it writable? */ +#define CHKACC_ACPTSTDIN (1 << 3) /**< If filename is stdin, it's allowed and "exists" */ +#define CHKACC_PRIVATE (1 << 4) /**< Warn if this (private) file is group/others accessible */ +#define CHKACC_ACCEPT_URI (1 << 5) /**< Do not check URIs, unless they start with file: */ static bool check_file_access(const int type, const char *file, const int mode, const char *opt) @@ -3970,7 +3954,7 @@ check_file_access(const int type, const char *file, const int mode, const char * /* If stdin is allowed and the file name is 'stdin', then do no * further checks as stdin is always available */ - if ( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") ) + if ((type & CHKACC_ACPTSTDIN) && streq(file, "stdin")) { return false; } 
@@ -3993,10 +3977,11 @@ check_file_access(const int type, const char *file, const int mode, const char * /* Is the directory path leading to the given file accessible? */ if (type & CHKACC_DIRPATH) { - char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementation may modify its arguments */ + char *fullpath = + string_alloc(file, NULL); /* POSIX dirname() implementation may modify its arguments */ char *dirpath = dirname(fullpath); - if (platform_access(dirpath, mode|X_OK) != 0) + if (platform_access(dirpath, mode | X_OK) != 0) { errcode = errno; } @@ -4004,13 +3989,13 @@ check_file_access(const int type, const char *file, const int mode, const char * } /* Is the file itself accessible? */ - if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0) ) + if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0)) { errcode = errno; } /* If the file exists and is accessible, is it writable? */ - if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0) ) + if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0)) { if (platform_access(file, W_OK) != 0) { @@ -4029,7 +4014,7 @@ check_file_access(const int type, const char *file, const int mode, const char * #ifndef _WIN32 else { - if (st.st_mode & (S_IRWXG|S_IRWXO)) + if (st.st_mode & (S_IRWXG | S_IRWXO)) { msg(M_WARN, "WARNING: file '%s' is group or others accessible", file); } @@ -4052,7 +4037,8 @@ check_file_access(const int type, const char *file, const int mode, const char * * otherwise it will look for the file inside the given chroot directory instead. */ static bool -check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt) +check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, + const char *opt) { bool ret = false; 
@@ -4085,9 +4071,8 @@ check_file_access_chroot(const char *chroot, const int type, const char *file, c * the file is inline (and therefore there is no access to check) */ static bool -check_file_access_chroot_inline(bool is_inline, const char *chroot, - const int type, const char *file, - const int mode, const char *opt) +check_file_access_chroot_inline(bool is_inline, const char *chroot, const int type, + const char *file, const int mode, const char *opt) { if (is_inline) { @@ -4102,8 +4087,8 @@ check_file_access_chroot_inline(bool is_inline, const char *chroot, * is inline (and therefore there is no access to check) */ static bool -check_file_access_inline(bool is_inline, const int type, const char *file, - const int mode, const char *opt) +check_file_access_inline(bool is_inline, const int type, const char *file, const int mode, + const char *opt) { if (is_inline) { @@ -4156,8 +4141,7 @@ check_cmd_access(const char *command, const char *opt, const char *chroot) } else { - msg(M_NOPREFIX|M_OPTERR, "%s fails with '%s': No path to executable.", - opt, command); + msg(M_NOPREFIX | M_OPTERR, "%s fails with '%s': No path to executable.", opt, command); return_code = true; } 
@@ -4176,55 +4160,51 @@ options_postprocess_filechecks(struct options *options) bool errs = false; /* ** SSL/TLS/crypto related files ** */ - errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE, - options->dh_file, R_OK, "--dh"); + errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE, options->dh_file, R_OK, + "--dh"); if (!options->verify_hash_no_ca) { - errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE, - options->ca_file, R_OK, "--ca"); + errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE, options->ca_file, + R_OK, "--ca"); } - errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, - options->ca_path, R_OK, "--capath"); + errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK, + "--capath"); - errs |= check_file_access_inline(options->cert_file_inline, CHKACC_FILE|CHKACC_ACCEPT_URI, + errs |= check_file_access_inline(options->cert_file_inline, CHKACC_FILE | CHKACC_ACCEPT_URI, options->cert_file, R_OK, "--cert"); errs |= check_file_access_inline(options->extra_certs_file, CHKACC_FILE, - options->extra_certs_file, R_OK, - "--extra-certs"); + options->extra_certs_file, R_OK, "--extra-certs"); if (!(options->management_flags & MF_EXTERNAL_KEY)) { errs |= check_file_access_inline(options->priv_key_file_inline, - CHKACC_FILE|CHKACC_PRIVATE|CHKACC_ACCEPT_URI, + CHKACC_FILE | CHKACC_PRIVATE | CHKACC_ACCEPT_URI, options->priv_key_file, R_OK, "--key"); } - errs |= check_file_access_inline(options->pkcs12_file_inline, - CHKACC_FILE|CHKACC_PRIVATE, + errs |= check_file_access_inline(options->pkcs12_file_inline, CHKACC_FILE | CHKACC_PRIVATE, options->pkcs12_file, R_OK, "--pkcs12"); if (options->ssl_flags & SSLF_CRL_VERIFY_DIR) { - errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, - options->crl_file, R_OK|X_OK, - "--crl-verify directory"); + errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->crl_file, + R_OK | 
X_OK, "--crl-verify directory"); } else { - errs |= check_file_access_chroot_inline(options->crl_file_inline, - options->chroot_dir, - CHKACC_FILE, options->crl_file, - R_OK, "--crl-verify"); + errs |= + check_file_access_chroot_inline(options->crl_file_inline, options->chroot_dir, + CHKACC_FILE, options->crl_file, R_OK, "--crl-verify"); } if (options->tls_export_peer_cert_dir) { - errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, - options->tls_export_peer_cert_dir, - W_OK, "--tls-export-cert"); + errs |= + check_file_access_chroot(options->chroot_dir, CHKACC_FILE, + options->tls_export_peer_cert_dir, W_OK, "--tls-export-cert"); } ASSERT(options->connection_list); 
@@ -4232,55 +4212,46 @@ options_postprocess_filechecks(struct options *options) { struct connection_entry *ce = options->connection_list->array[i]; - errs |= check_file_access_inline(ce->tls_auth_file_inline, - CHKACC_FILE|CHKACC_PRIVATE, - ce->tls_auth_file, R_OK, - "--tls-auth"); - errs |= check_file_access_inline(ce->tls_crypt_file_inline, - CHKACC_FILE|CHKACC_PRIVATE, - ce->tls_crypt_file, R_OK, - "--tls-crypt"); - errs |= check_file_access_inline(ce->tls_crypt_v2_file_inline, - CHKACC_FILE|CHKACC_PRIVATE, - ce->tls_crypt_v2_file, R_OK, - "--tls-crypt-v2"); + errs |= check_file_access_inline(ce->tls_auth_file_inline, CHKACC_FILE | CHKACC_PRIVATE, + ce->tls_auth_file, R_OK, "--tls-auth"); + errs |= check_file_access_inline(ce->tls_crypt_file_inline, CHKACC_FILE | CHKACC_PRIVATE, + ce->tls_crypt_file, R_OK, "--tls-crypt"); + errs |= check_file_access_inline(ce->tls_crypt_v2_file_inline, CHKACC_FILE | CHKACC_PRIVATE, + ce->tls_crypt_v2_file, R_OK, "--tls-crypt-v2"); } - errs |= check_file_access_inline(options->shared_secret_file_inline, - CHKACC_FILE|CHKACC_PRIVATE, - options->shared_secret_file, R_OK, - "--secret"); + errs |= + check_file_access_inline(options->shared_secret_file_inline, CHKACC_FILE | CHKACC_PRIVATE, + options->shared_secret_file, R_OK, "--secret"); - errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, - options->packet_id_file, R_OK|W_OK, "--replay-persist"); + errs |= check_file_access(CHKACC_DIRPATH | CHKACC_FILEXSTWR, options->packet_id_file, + R_OK | W_OK, "--replay-persist"); /* ** Password files ** */ - errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE, + errs |= check_file_access(CHKACC_FILE | CHKACC_ACPTSTDIN | CHKACC_PRIVATE, options->key_pass_file, R_OK, "--askpass"); #ifdef ENABLE_MANAGEMENT - errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE, - options->management_user_pass, R_OK, - "--management user/password file"); + errs |= + check_file_access(CHKACC_FILE | CHKACC_ACPTSTDIN | 
CHKACC_PRIVATE, + options->management_user_pass, R_OK, "--management user/password file"); #endif /* ENABLE_MANAGEMENT */ errs |= check_file_access_inline(options->auth_user_pass_file_inline, - CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE, - options->auth_user_pass_file, R_OK, - "--auth-user-pass"); + CHKACC_FILE | CHKACC_ACPTSTDIN | CHKACC_PRIVATE, + options->auth_user_pass_file, R_OK, "--auth-user-pass"); /* ** System related ** */ - errs |= check_file_access(CHKACC_FILE, options->chroot_dir, - R_OK|X_OK, "--chroot directory"); - errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->writepid, - R_OK|W_OK, "--writepid"); + errs |= check_file_access(CHKACC_FILE, options->chroot_dir, R_OK | X_OK, "--chroot directory"); + errs |= check_file_access(CHKACC_DIRPATH | CHKACC_FILEXSTWR, options->writepid, R_OK | W_OK, + "--writepid"); /* ** Log related ** */ - errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->status_file, - R_OK|W_OK, "--status"); + errs |= check_file_access(CHKACC_DIRPATH | CHKACC_FILEXSTWR, options->status_file, R_OK | W_OK, + "--status"); /* ** Config related ** */ errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir, - R_OK|X_OK, "--client-config-dir"); + R_OK | X_OK, "--client-config-dir"); errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir, - R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)"); + R_OK | W_OK | X_OK, "Temporary directory (--tmp-dir)"); if (errs) { 
@@ -4366,12 +4337,8 @@ options_postprocess_pull(struct options *o, struct env_set *es) * the other end of the connection] */ char * -options_string(const struct options *o, - const struct frame *frame, - struct tuntap *tt, - openvpn_net_ctx_t *ctx, - bool remote, - struct gc_arena *gc) +options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, + openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc) { struct buffer out = alloc_buf(OPTION_LINE_SIZE); bool tt_local = false; @@ -4387,8 +4354,7 @@ options_string(const struct options *o, * cipher (p2p) or have a fallback cipher configured for older non * ncp clients. But not sending it will make even 2.4 complain * about it being missing. So still send it. */ - buf_printf(&out, ",link-mtu %u", - (unsigned int) calc_options_string_link_mtu(o, frame)); + buf_printf(&out, ",link-mtu %u", (unsigned int)calc_options_string_link_mtu(o, frame)); if (o->ce.occ_mtu != 0) { @@ -4399,7 +4365,7 @@ options_string(const struct options *o, buf_printf(&out, ",tun-mtu %d", frame->tun_mtu); } - buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote)); + buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote)); bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o); /* send tun_ipv6 only in peer2peer mode - in client/server mode, it @@ -4416,20 +4382,9 @@ options_string(const struct options *o, */ if (!tt) { - tt = init_tun(o->dev, - o->dev_type, - o->topology, - o->ifconfig_local, - o->ifconfig_remote_netmask, - o->ifconfig_ipv6_local, - o->ifconfig_ipv6_netbits, - o->ifconfig_ipv6_remote, - NULL, - NULL, - false, - NULL, - ctx, - NULL); + tt = init_tun(o->dev, o->dev_type, o->topology, o->ifconfig_local, + o->ifconfig_remote_netmask, o->ifconfig_ipv6_local, o->ifconfig_ipv6_netbits, + o->ifconfig_ipv6_remote, NULL, NULL, false, NULL, ctx, NULL); if (tt) { tt_local = true; 
@@ -4453,7 +4408,8 @@ options_string(const struct options *o,
 #ifdef USE_COMP
 if (o->comp.alg != COMP_ALG_UNDEF)
 {
- buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */
+ buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression
+ context is active, not necessarily LZO per-se */
 }
 #endif
@@ -4485,10 +4441,7 @@ options_string(const struct options *o,
 {
 struct key_type kt;
- ASSERT((o->shared_secret_file != NULL)
- + (TLS_CLIENT == true)
- + (TLS_SERVER == true)
- <= 1);
+ ASSERT((o->shared_secret_file != NULL) + (TLS_CLIENT == true) + (TLS_SERVER == true) <= 1);
 /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
 * to work here in the default configuration */
@@ -4597,8 +4550,7 @@ options_warning(char *actual, const char *expected)
 }
 static const char *
-options_warning_extract_parm1(const char *option_string,
- struct gc_arena *gc_ret)
+options_warning_extract_parm1(const char *option_string, struct gc_arena *gc_ret)
 {
 struct gc_arena gc = gc_new();
 struct buffer b = string_alloc_buf(option_string, &gc);
@@ -4612,24 +4564,16 @@ options_warning_extract_parm1(const char *option_string,
 }
 static void
-options_warning_safe_scan2(const int msglevel,
- const int delim,
- const bool report_inconsistent,
- const char *p1,
- const struct buffer *b2_src,
- const char *b1_name,
+options_warning_safe_scan2(const int msglevel, const int delim, const bool report_inconsistent,
+ const char *p1, const struct buffer *b2_src, const char *b1_name,
 const char *b2_name)
 {
 /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in
 * OCC in a future version (because it's not useful). To reduce questions
 * when interoperating, we no longer printing a warning about it. */
- if (strprefix(p1, "key-method ")
- || strprefix(p1, "keydir ")
- || strprefix(p1, "proto ")
- || streq(p1, "tls-auth")
- || strprefix(p1, "tun-ipv6")
- || strprefix(p1, "cipher "))
+ if (strprefix(p1, "key-method ") || strprefix(p1, "keydir ") || strprefix(p1, "proto ")
+ || streq(p1, "tls-auth") || strprefix(p1, "tun-ipv6") || strprefix(p1, "cipher "))
 {
 return;
 }
@@ -4656,10 +4600,7 @@ options_warning_safe_scan2(const int msglevel,
 if (report_inconsistent)
 {
 msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
- safe_print(p1_prefix, &gc),
- b1_name,
- safe_print(p1, &gc),
- b2_name,
+ safe_print(p1_prefix, &gc), b1_name, safe_print(p1, &gc), b2_name,
 safe_print(p2, &gc));
 }
 goto done;
@@ -4668,11 +4609,7 @@ options_warning_safe_scan2(const int msglevel,
 }
 msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
- safe_print(p1_prefix, &gc),
- b1_name,
- b2_name,
- b1_name,
- safe_print(p1, &gc));
+ safe_print(p1_prefix, &gc), b1_name, b2_name, b1_name, safe_print(p1, &gc));
 done:
 gc_free(&gc);
@@ -4680,13 +4617,9 @@ done:
 }
 static void
-options_warning_safe_scan1(const int msglevel,
- const int delim,
- const bool report_inconsistent,
- const struct buffer *b1_src,
- const struct buffer *b2_src,
- const char *b1_name,
- const char *b2_name)
+options_warning_safe_scan1(const int msglevel, const int delim, const bool report_inconsistent,
+ const struct buffer *b1_src, const struct buffer *b2_src,
+ const char *b1_name, const char *b2_name)
 {
 struct gc_arena gc = gc_new();
 struct buffer b = *b1_src;
@@ -4694,7 +4627,8 @@ options_warning_safe_scan1(const int msglevel,
 while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
 {
- options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
+ options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name,
+ b2_name);
 }
 gc_free(&gc);
@@ -4714,13 +4648,9 @@ options_warning_safe_ml(const int msglevel, char *actual, const char *expected,
 buf_printf(&local, "version %s", expected);
 buf_printf(&remote, "version %s", actual);
- options_warning_safe_scan1(msglevel, ',', true,
- &local, &remote,
- "local", "remote");
+ options_warning_safe_scan1(msglevel, ',', true, &local, &remote, "local", "remote");
- options_warning_safe_scan1(msglevel, ',', false,
- &remote, &local,
- "remote", "local");
+ options_warning_safe_scan1(msglevel, ',', false, &remote, &local, "remote", "local");
 }
 gc_free(&gc);
@@ -4759,13 +4689,12 @@ const char *
 options_string_version(const char *s, struct gc_arena *gc)
 {
 struct buffer out = alloc_buf_gc(4, gc);
- strncpynt((char *) BPTR(&out), s, 3);
+ strncpynt((char *)BPTR(&out), s, 3);
 return BSTR(&out);
 }
 char *
-options_string_extract_option(const char *options_string, const char *opt_name,
- struct gc_arena *gc)
+options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
 {
 char *ret = NULL;
 const size_t opt_name_len = strlen(opt_name);
@@ -4773,14 +4702,14 @@ options_string_extract_option(const char *options_string, const char *opt_name,
 const char *p = options_string;
 while (p)
 {
- if (0 == strncmp(p, opt_name, opt_name_len)
- && strlen(p) > (opt_name_len+1) && p[opt_name_len] == ' ')
+ if (0 == strncmp(p, opt_name, opt_name_len) && strlen(p) > (opt_name_len + 1)
+ && p[opt_name_len] == ' ')
 {
 /* option found, extract value */
- const char *start = &p[opt_name_len+1];
+ const char *start = &p[opt_name_len + 1];
 const char *end = strchr(p, ',');
 size_t val_len = end ? end - start : strlen(start);
- ret = gc_malloc(val_len+1, true, gc);
+ ret = gc_malloc(val_len + 1, true, gc);
 memcpy(ret, start, val_len);
 break;
 }
@@ -4912,20 +4841,13 @@ usage(void)
 struct options o;
 init_options(&o, true);
- fprintf(fp, usage_message,
- title_string,
- o.ce.connect_retry_seconds,
- o.ce.connect_retry_seconds_max,
- o.ce.local_port, o.ce.remote_port,
- TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
- o.verbosity,
- o.authname,
- o.replay_window, o.replay_time,
- o.tls_timeout, o.renegotiate_seconds,
- o.handshake_window, o.transition_window);
+ fprintf(fp, usage_message, title_string, o.ce.connect_retry_seconds,
+ o.ce.connect_retry_seconds_max, o.ce.local_port, o.ce.remote_port, TUN_MTU_DEFAULT,
+ TAP_MTU_EXTRA_DEFAULT, o.verbosity, o.authname, o.replay_window, o.replay_time,
+ o.tls_timeout, o.renegotiate_seconds, o.handshake_window, o.transition_window);
 fflush(fp);
-#endif /* ENABLE_SMALL */
+#endif /* ENABLE_SMALL */
 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
 }
@@ -4933,7 +4855,7 @@ usage(void)
 void
 usage_small(void)
 {
- msg(M_WARN|M_NOPREFIX, "Use --help for more information.");
+ msg(M_WARN | M_NOPREFIX, "Use --help for more information.");
 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
 }
@@ -4966,8 +4888,7 @@ show_library_versions(const unsigned int flags)
 #define LZO_LIB_VER_STR "", ""
 #endif
- msg(flags, "library versions: %s%s%s", get_ssl_library_version(),
- LZO_LIB_VER_STR);
+ msg(flags, "library versions: %s%s%s", get_ssl_library_version(), LZO_LIB_VER_STR);
 #undef LZO_LIB_VER_STR
 }
@@ -4975,20 +4896,20 @@ show_library_versions(const unsigned int flags)
 static void
 usage_version(void)
 {
- msg(M_INFO|M_NOPREFIX, "%s", title_string);
- show_library_versions( M_INFO|M_NOPREFIX );
+ msg(M_INFO | M_NOPREFIX, "%s", title_string);
+ show_library_versions(M_INFO | M_NOPREFIX);
 #ifdef _WIN32
- show_windows_version( M_INFO|M_NOPREFIX );
+ show_windows_version(M_INFO | M_NOPREFIX);
 #endif
 show_dco_version(M_INFO | M_NOPREFIX);
- msg(M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
- msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2025 OpenVPN Inc ");
+ msg(M_INFO | M_NOPREFIX, "Originally developed by James Yonan");
+ msg(M_INFO | M_NOPREFIX, "Copyright (C) 2002-2025 OpenVPN Inc ");
 #ifndef ENABLE_SMALL
 #ifdef CONFIGURE_DEFINES
- msg(M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
+ msg(M_INFO | M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
 #endif
 #ifdef CONFIGURE_SPECIAL_BUILD
- msg(M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
+ msg(M_INFO | M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
 #endif
 #endif
 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD);
@@ -5024,7 +4945,7 @@ ping_rec_err(int msglevel)
 }
 #endif
-#ifdef _WIN32 /* This function is only used when compiling on Windows */
+#ifdef _WIN32 /* This function is only used when compiling on Windows */
 static unsigned int
 atou(const char *str)
 {
@@ -5041,13 +4962,8 @@ space(unsigned char c)
 }
 int
-parse_line(const char *line,
- char *p[],
- const int n,
- const char *file,
- const int line_num,
- int msglevel,
- struct gc_arena *gc)
+parse_line(const char *line, char *p[], const int n, const char *file, const int line_num,
+ int msglevel, struct gc_arena *gc)
 {
 const int STATE_INITIAL = 0;
 const int STATE_READING_QUOTED_PARM = 1;
@@ -5156,9 +5072,13 @@ parse_line(const char *line,
 if (!(out == '\\' || out == '\"' || space(out)))
 {
 #ifdef ENABLE_SMALL
- msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
+ msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d",
+ error_prefix, file, line_num);
 #else
- msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
+ msg(msglevel,
+ "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE
+ "\\\\static.key\"",
+ error_prefix, file, line_num);
 #endif
 return 0;
 }
@@ -5173,7 +5093,7 @@ parse_line(const char *line,
 {
 parm[SIZE(parm) - 1] = 0;
 msg(msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
- error_prefix, file, line_num, (int) SIZE(parm), parm);
+ error_prefix, file, line_num, (int)SIZE(parm), parm);
 return 0;
 }
 parm[parm_len++] = out;
@@ -5189,17 +5109,20 @@ parse_line(const char *line,
 if (state == STATE_READING_QUOTED_PARM)
 {
- msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
+ msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file,
+ line_num);
 return 0;
 }
 if (state == STATE_READING_SQUOTED_PARM)
 {
- msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
+ msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix,
+ file, line_num);
 return 0;
 }
 if (state != STATE_INITIAL)
 {
- msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
+ msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state,
+ file, line_num);
 return 0;
 }
 #if 0
@@ -5223,11 +5146,13 @@ bypass_doubledash(char **p)
 }
 }
-struct in_src {
-#define IS_TYPE_FP 1
+struct in_src
+{
+#define IS_TYPE_FP 1
 #define IS_TYPE_BUF 2
 int type;
- union {
+ union
+ {
 FILE *fp;
 struct buffer *multiline;
 } u;
@@ -5243,7 +5168,7 @@ in_src_get(const struct in_src *is, char *line, const int size)
 else if (is->type == IS_TYPE_BUF)
 {
 bool status = buf_parse(is->u.multiline, '\n', line, size);
- if ((int) strlen(line) + 1 < size)
+ if ((int)strlen(line) + 1 < size)
 {
 strcat(line, "\n");
 }
@@ -5257,11 +5182,10 @@ in_src_get(const struct in_src *is, char *line, const int size)
 }
 static char *
-read_inline_file(struct in_src *is, const char *close_tag,
- int *num_lines, struct gc_arena *gc)
+read_inline_file(struct in_src *is, const char *close_tag, int *num_lines, struct gc_arena *gc)
 {
 char line[OPTION_LINE_SIZE];
- struct buffer buf = alloc_buf(8*OPTION_LINE_SIZE);
+ struct buffer buf = alloc_buf(8 * OPTION_LINE_SIZE);
 char *ret;
 bool endtagfound = false;
@@ -5279,7 +5203,7 @@ read_inline_file(struct in_src *is, const char *close_tag,
 endtagfound = true;
 break;
 }
- if (!buf_safe(&buf, strlen(line)+1))
+ if (!buf_safe(&buf, strlen(line) + 1))
 {
 /* Increase buffer size */
 struct buffer buf2 = alloc_buf(buf.capacity * 2);
@@ -5309,7 +5233,7 @@ check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
 if (p[0] && !p[1])
 {
 char *arg = p[0];
- if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
+ if (arg[0] == '<' && arg[strlen(arg) - 1] == '>')
 {
 struct buffer close_tag;
@@ -5335,8 +5259,7 @@ check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
 }
 static int
-check_inline_file_via_buf(struct buffer *multiline, char *p[],
- struct gc_arena *gc)
+check_inline_file_via_buf(struct buffer *multiline, char *p[], struct gc_arena *gc)
 {
 struct in_src is;
 is.type = IS_TYPE_BUF;
@@ -5344,60 +5267,31 @@ check_inline_file_via_buf(struct buffer *multiline, char *p[],
 return check_inline_file(&is, p, gc);
 }
-static void
-add_option(struct options *options,
- char *p[],
- bool is_inline,
- const char *file,
- int line,
- const int level,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es);
+static void add_option(struct options *options, char *p[], bool is_inline, const char *file,
+ int line, const int level, const int msglevel,
+ const unsigned int permission_mask, unsigned int *option_types_found,
+ struct env_set *es);
-static void
-remove_option(struct context *c,
- struct options *options,
- char *p[],
- bool is_inline,
- const char *file,
- int line,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es);
+static void remove_option(struct context *c, struct options *options, char *p[], bool is_inline,
+ const char *file, int line, const int msglevel,
+ const unsigned int permission_mask, unsigned int *option_types_found,
+ struct env_set *es);
-static void
-update_option(struct context *c,
- struct options *options,
- char *p[],
- bool is_inline,
- const char *file,
- int line,
- const int level,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es,
- unsigned int *update_options_found);
+static void update_option(struct context *c, struct options *options, char *p[], bool is_inline,
+ const char *file, int line, const int level, const int msglevel,
+ const unsigned int permission_mask, unsigned int *option_types_found,
+ struct env_set *es, unsigned int *update_options_found);
 static void
-read_config_file(struct options *options,
- const char *file,
- int level,
- const char *top_file,
- const int top_line,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es)
+read_config_file(struct options *options, const char *file, int level, const char *top_file,
+ const int top_line, const int msglevel, const unsigned int permission_mask,
+ unsigned int *option_types_found, struct env_set *es)
 {
 const int max_recursive_levels = 10;
 FILE *fp;
 int line_num;
- char line[OPTION_LINE_SIZE+1];
- char *p[MAX_PARMS+1];
+ char line[OPTION_LINE_SIZE + 1];
+ char *p[MAX_PARMS + 1];
 ++level;
 if (level <= max_recursive_levels)
@@ -5420,7 +5314,8 @@ read_config_file(struct options *options,
 ++line_num;
 if (strlen(line) == OPTION_LINE_SIZE)
 {
- msg(msglevel, "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
+ msg(msglevel,
+ "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
 file, line_num, OPTION_LINE_SIZE, line);
 }
@@ -5429,13 +5324,13 @@ read_config_file(struct options *options,
 {
 offset = 3;
 }
- if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
+ if (parse_line(line + offset, p, SIZE(p) - 1, file, line_num, msglevel,
+ &options->gc))
 {
 bypass_doubledash(&p[0]);
 int lines_inline = check_inline_file_via_fp(fp, p, &options->gc);
- add_option(options, p, lines_inline, file, line_num, level,
- msglevel, permission_mask, option_types_found,
- es);
+ add_option(options, p, lines_inline, file, line_num, level, msglevel,
+ permission_mask, option_types_found, es);
 line_num += lines_inline;
 }
 }
@@ -5446,25 +5341,24 @@ read_config_file(struct options *options,
 }
 else
 {
- msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
+ msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line,
+ file);
 }
 }
 else
 {
- msg(msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
+ msg(msglevel,
+ "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.",
+ top_file, top_line, file);
 }
 secure_memzero(line, sizeof(line));
 CLEAR(p);
 }
 static void
-read_config_string(const char *prefix,
- struct options *options,
- const char *config,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es)
+read_config_string(const char *prefix, struct options *options, const char *config,
+ const int msglevel, const unsigned int permission_mask,
+ unsigned int *option_types_found, struct env_set *es)
 {
 char line[OPTION_LINE_SIZE];
 struct buffer multiline;
@@ -5474,15 +5368,15 @@ read_config_string(const char *prefix,
 while (buf_parse(&multiline, '\n', line, sizeof(line)))
 {
- char *p[MAX_PARMS+1];
+ char *p[MAX_PARMS + 1];
 CLEAR(p);
 ++line_num;
- if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc))
+ if (parse_line(line, p, SIZE(p) - 1, prefix, line_num, msglevel, &options->gc))
 {
 bypass_doubledash(&p[0]);
 int lines_inline = check_inline_file_via_buf(&multiline, p, &options->gc);
- add_option(options, p, lines_inline, prefix, line_num, 0, msglevel,
- permission_mask, option_types_found, es);
+ add_option(options, p, lines_inline, prefix, line_num, 0, msglevel, permission_mask,
+ option_types_found, es);
 line_num += lines_inline;
 }
 CLEAR(p);
@@ -5491,13 +5385,8 @@ read_config_string(const char *prefix,
 }
 void
-parse_argv(struct options *options,
- const int argc,
- char *argv[],
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es)
+parse_argv(struct options *options, const int argc, char *argv[], const int msglevel,
+ const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
 {
 /* usage message */
 if (argc <= 1)
@@ -5508,24 +5397,26 @@ parse_argv(struct options *options,
 /* config filename specified only? */
 if (argc == 2 && strncmp(argv[1], "--", 2))
 {
- char *p[MAX_PARMS+1];
+ char *p[MAX_PARMS + 1];
 CLEAR(p);
 p[0] = "config";
 p[1] = argv[1];
- add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
- option_types_found, es);
+ add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask, option_types_found,
+ es);
 }
 else
 {
 /* parse command line */
 for (int i = 1; i < argc; ++i)
 {
- char *p[MAX_PARMS+1];
+ char *p[MAX_PARMS + 1];
 CLEAR(p);
 p[0] = argv[i];
 if (strncmp(p[0], "--", 2))
 {
- msg(msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
+ msg(msglevel,
+ "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'",
+ p[0]);
 }
 else
 {
@@ -5548,31 +5439,27 @@ parse_argv(struct options *options,
 }
 }
 }
- add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
- option_types_found, es);
+ add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask, option_types_found,
+ es);
 i += j - 1;
 }
 }
 }
 bool
-apply_push_options(struct context *c,
- struct options *options,
- struct buffer *buf,
- unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es,
- bool is_update)
+apply_push_options(struct context *c, struct options *options, struct buffer *buf,
+ unsigned int permission_mask, unsigned int *option_types_found,
+ struct env_set *es, bool is_update)
 {
 char line[OPTION_PARM_SIZE];
 int line_num = 0;
 const char *file = "[PUSH-OPTIONS]";
- const int msglevel = D_PUSH_ERRORS|M_OPTERR;
+ const int msglevel = D_PUSH_ERRORS | M_OPTERR;
 unsigned int update_options_found = 0;
 while (buf_parse(buf, ',', line, sizeof(line)))
 {
- char *p[MAX_PARMS+1];
+ char *p[MAX_PARMS + 1];
 CLEAR(p);
 ++line_num;
 unsigned int push_update_option_flags = 0;
@@ -5602,22 +5489,22 @@ apply_push_options(struct context *c,
 return false; /* Cause push/pull error and stop push processing */
 }
- if (parse_line(&line[i], p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
+ if (parse_line(&line[i], p, SIZE(p) - 1, file, line_num, msglevel, &options->gc))
 {
 if (!is_update)
 {
- add_option(options, p, false, file, line_num, 0, msglevel,
- permission_mask, option_types_found, es);
+ add_option(options, p, false, file, line_num, 0, msglevel, permission_mask,
+ option_types_found, es);
 }
 else if (push_update_option_flags & PUSH_OPT_TO_REMOVE)
 {
- remove_option(c, options, p, false, file, line_num, msglevel,
- permission_mask, option_types_found, es);
+ remove_option(c, options, p, false, file, line_num, msglevel, permission_mask,
+ option_types_found, es);
 }
 else
 {
- update_option(c, options, p, false, file, line_num, 0, msglevel,
- permission_mask, option_types_found, es, &update_options_found);
+ update_option(c, options, p, false, file, line_num, 0, msglevel, permission_mask,
+ option_types_found, es, &update_options_found);
 }
 }
 }
@@ -5625,54 +5512,37 @@ apply_push_options(struct context *c,
 }
 void
-options_server_import(struct options *o,
- const char *filename,
- int msglevel,
- unsigned int permission_mask,
- unsigned int *option_types_found,
+options_server_import(struct options *o, const char *filename, int msglevel,
+ unsigned int permission_mask, unsigned int *option_types_found,
 struct env_set *es)
 {
 msg(D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
- read_config_file(o,
- filename,
- 0,
- filename,
- 0,
- msglevel,
- permission_mask,
- option_types_found,
+ read_config_file(o, filename, 0, filename, 0, msglevel, permission_mask, option_types_found,
 es);
 }
 void
-options_string_import(struct options *options,
- const char *config,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
+options_string_import(struct options *options, const char *config, const int msglevel,
+ const unsigned int permission_mask, unsigned int *option_types_found,
 struct env_set *es)
 {
- read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
+ read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask,
+ option_types_found, es);
 }
-#define VERIFY_PERMISSION(mask) { \
- if (!verify_permission(p[0], file, line, (mask), permission_mask, \
- option_types_found, msglevel, options, is_inline)) \
- { \
- goto err; \
- } \
-}
+#define VERIFY_PERMISSION(mask) \
+ { \
+ if (!verify_permission(p[0], file, line, (mask), permission_mask, option_types_found, \
+ msglevel, options, is_inline)) \
+ { \
+ goto err; \
+ } \
+ }
 static bool
-verify_permission(const char *name,
- const char *file,
- int line,
- const unsigned int type,
- const unsigned int allowed,
- unsigned int *found,
- const int msglevel,
- struct options *options,
- bool is_inline)
+verify_permission(const char *name, const char *file, int line, const unsigned int type,
+ const unsigned int allowed, unsigned 
int *found, const int msglevel,
+ struct options *options, bool is_inline)
 {
 if (!(type & allowed))
 {
@@ -5682,8 +5552,7 @@ verify_permission(const char *name,
 if (is_inline && !(type & OPT_P_INLINE))
 {
- msg(msglevel, "option '%s' is not expected to be inline (%s:%d)", name,
- file, line);
+ msg(msglevel, "option '%s' is not expected to be inline (%s:%d)", name, file, line);
 return false;
 }
@@ -5700,12 +5569,12 @@ verify_permission(const char *name,
 * connection_list
 */
- if ((type & OPT_P_CONNECTION) && options->connection_list
- && !(allowed & OPT_P_PULL_MODE))
+ if ((type & OPT_P_CONNECTION) && options->connection_list && !(allowed & OPT_P_PULL_MODE))
 {
 if (file)
 {
- msg(M_WARN, "Option '%s' in %s:%d is ignored by previous blocks ", name, file, line);
+ msg(M_WARN, "Option '%s' in %s:%d is ignored by previous blocks ", name,
+ file, line);
 }
 else
 {
@@ -5721,13 +5590,10 @@ verify_permission(const char *name,
 * many parameters.
 */
-#define NM_QUOTE_HINT (1<<0)
+#define NM_QUOTE_HINT (1 << 0)
 static bool
-no_more_than_n_args(const int msglevel,
- char *p[],
- const int max,
- const unsigned int flags)
+no_more_than_n_args(const int msglevel, char *p[], const int max, const unsigned int flags)
 {
 const int len = string_array_len((const char **)p);
@@ -5738,11 +5604,11 @@ no_more_than_n_args(const int msglevel,
 if (len > max)
 {
- msg(msglevel, "the --%s directive should have at most %d parameter%s.%s",
- p[0],
- max - 1,
+ msg(msglevel, "the --%s directive should have at most %d parameter%s.%s", p[0], max - 1,
 max >= 3 ? "s" : "",
- (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
+ (flags & NM_QUOTE_HINT)
+ ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")."
+ : "");
 return false;
 }
 else
@@ -5758,10 +5624,10 @@ msglevel_forward_compatible(struct options *options, const int msglevel)
 }
 #define RESET_OPTION_ROUTES(option_ptr, field) \
- if (option_ptr) \
- { \
- option_ptr->field = NULL; \
- option_ptr->flags = 0; \
+ if (option_ptr) \
+ { \
+ option_ptr->field = NULL; \
+ option_ptr->flags = 0; \
 }
 /**
@@ -5780,20 +5646,14 @@ msglevel_forward_compatible(struct options *options, const int msglevel)
 * @param line The line number where the function is called.
 * @param msglevel The message level.
 * @param permission_mask The permission mask used by VERIFY_PERMISSION().
- * @param option_types_found A pointer to the variable where the flags corresponding to the options found are stored.
+ * @param option_types_found A pointer to the variable where the flags corresponding to the options
+ * found are stored.
 * @param es The environment set structure.
 */
 static void
-remove_option(struct context *c,
- struct options *options,
- char *p[],
- bool is_inline,
- const char *file,
- int line,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es)
+remove_option(struct context *c, struct options *options, char *p[], bool is_inline,
+ const char *file, int line, const int msglevel, const unsigned int permission_mask,
+ unsigned int *option_types_found, struct env_set *es)
 {
 int msglevel_fc = msglevel_forward_compatible(options, msglevel);
@@ -5815,9 +5675,8 @@ remove_option(struct context *c,
 VERIFY_PERMISSION(OPT_P_ROUTE);
 if (c->c1.route_list)
 {
- delete_routes_v4(c->c1.route_list, c->c1.tuntap,
- ROUTE_OPTION_FLAGS(&c->options),
- es, &c->net_ctx);
+ delete_routes_v4(c->c1.route_list, c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options), es,
+ &c->net_ctx);
 RESET_OPTION_ROUTES(options->routes, routes);
 }
 }
@@ -5826,8 +5685,7 @@ remove_option(struct context *c,
 VERIFY_PERMISSION(OPT_P_ROUTE);
 if (c->c1.route_ipv6_list)
 {
- delete_routes_v6(c->c1.route_ipv6_list, c->c1.tuntap,
- ROUTE_OPTION_FLAGS(&c->options),
+ delete_routes_v6(c->c1.route_ipv6_list, c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
 es, &c->net_ctx);
 RESET_OPTION_ROUTES(options->routes_ipv6, routes_ipv6);
 }
@@ -5874,7 +5732,7 @@ remove_option(struct context *c,
 }
 else if (streq(p[0], "tun-mtu") && !p[1])
 {
- VERIFY_PERMISSION(OPT_P_PUSH_MTU|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_PUSH_MTU | OPT_P_CONNECTION);
 options->ce.tun_mtu = TUN_MTU_DEFAULT;
 options->ce.tun_mtu_defined = false;
 options->ce.occ_mtu = 0;
@@ -5942,7 +5800,9 @@ remove_option(struct context *c,
 break;
 }
 }
- msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s) in %s:%d: -%s (%s)", file, line, p[0], PACKAGE_VERSION);
+ msg(msglevel_unknown,
+ "Unrecognized option or missing or extra parameter(s) in %s:%d: -%s (%s)", file, line,
+ p[0], PACKAGE_VERSION);
 }
 return;
 err:
@@ -5956,7 +5816,8 @@ check_route_option(struct options *options, char *p[], const int msglevel, bool
 rol_check_alloc(options);
 if (pull_mode)
 {
- if (!ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && !is_special_addr(p[1])) /* FQDN -- may be DNS name */
+ if (!ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn)
+ && !is_special_addr(p[1])) /* FQDN -- may be DNS name */
 {
 msg(msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
 return false;
@@ -5966,7 +5827,8 @@ check_route_option(struct options *options, char *p[], const int msglevel, bool
 msg(msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
 return false;
 }
- if (p[3] && !ip_or_dns_addr_safe(p[3], options->allow_pull_fqdn) && !is_special_addr(p[3])) /* FQDN -- may be DNS name */
+ if (p[3] && !ip_or_dns_addr_safe(p[3], options->allow_pull_fqdn)
+ && !is_special_addr(p[3])) /* FQDN -- may be DNS name */
 {
 msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
 return false;
@@ -6002,7 +5864,8 @@ check_dns_option(struct options *options, char *p[], const int msglevel, bool pu
 {
 if (streq(p[1], "search-domains") && p[2])
 {
- dns_domain_list_append(&options->dns_options.search_domains, &p[2], &options->dns_options.gc);
+ dns_domain_list_append(&options->dns_options.search_domains, &p[2],
+ &options->dns_options.gc);
 }
 else if (streq(p[1], "server") && p[2] && p[3] && p[4])
 {
@@ -6013,7 +5876,8 @@ check_dns_option(struct options *options, char *p[], const int msglevel, bool pu
 return false;
 }
- struct dns_server *server = dns_server_get(&options->dns_options.servers, priority, &options->dns_options.gc);
+ struct dns_server *server =
+ dns_server_get(&options->dns_options.servers, priority, &options->dns_options.gc);
 if (streq(p[3], "address") && p[4])
 {
@@ -6021,7 +5885,8 @@ check_dns_option(struct options *options, char *p[], const int msglevel, bool pu
 {
 if (!dns_server_addr_parse(server, p[i]))
 {
- msg(msglevel, "--dns server %ld: malformed address or maximum exceeded '%s'", priority, p[i]);
+ msg(msglevel, "--dns server %ld: malformed address or maximum exceeded '%s'",
+ priority, p[i]);
 return false;
 }
 }
@@ -6076,7 +5941,9 @@ check_dns_option(struct options *options, char *p[], const int msglevel, bool pu
 }
 else
 {
- msg(msglevel, "--dns server %ld: unknown option type '%s' or missing or unknown parameter", priority, p[3]);
+ msg(msglevel,
+ "--dns server %ld: unknown option type '%s' or missing or unknown parameter",
+ priority, p[3]);
 return false;
 }
 }
@@ -6092,7 +5959,8 @@ check_dns_option(struct options *options, char *p[], const int msglevel, bool pu
 * @brief Processes an option to update. It first checks whether it has already
 * received an option of the same type within the same update message.
 * If the option has already been received, it calls add_option().
- * Otherwise, it deletes all existing values related to that option before calling add_option().
+ * Otherwise, it deletes all existing values related to that option before calling
+ * add_option().
 *
 * @param c The context structure.
 * @param options A pointer to the options structure.
@@ -6103,24 +5971,18 @@ check_dns_option(struct options *options, char *p[], const int msglevel, bool pu
 * @param level The level of the option.
 * @param msglevel The message level for logging.
 * @param permission_mask The permission mask used by VERIFY_PERMISSION().
- * @param option_types_found A pointer to the variable where the flags corresponding to the options found are stored.
+ * @param option_types_found A pointer to the variable where the flags corresponding to the options
+ * found are stored.
 * @param es The environment set structure.
- * @param update_options_found A pointer to the variable where the flags corresponding to the update options found are stored,
- * used to check if an option of the same type has already been processed by update_option() within the same push-update message.
+ * @param update_options_found A pointer to the variable where the flags corresponding to the update
+ * options found are stored, used to check if an option of the same type has already been processed
+ * by update_option() within the same push-update message.
 */
 static void
-update_option(struct context *c,
- struct options *options,
- char *p[],
- bool is_inline,
- const char *file,
- int line,
- const int level,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es,
- unsigned int *update_options_found)
+update_option(struct context *c, struct options *options, char *p[], bool is_inline,
+ const char *file, int line, const int level, const int msglevel,
+ const unsigned int permission_mask, unsigned int *option_types_found,
+ struct env_set *es, unsigned int *update_options_found)
 {
 const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
 ASSERT(MAX_PARMS >= 7);
@@ -6136,8 +5998,7 @@ update_option(struct context *c, } if (c->c1.route_list) { - delete_routes_v4(c->c1.route_list, c->c1.tuntap, - ROUTE_OPTION_FLAGS(&c->options), + delete_routes_v4(c->c1.route_list, c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options), es, &c->net_ctx); RESET_OPTION_ROUTES(options->routes, routes); } @@ -6156,8 +6017,7 @@ update_option(struct context *c, if (c->c1.route_ipv6_list) { delete_routes_v6(c->c1.route_ipv6_list, c->c1.tuntap, - ROUTE_OPTION_FLAGS(&c->options), - es, &c->net_ctx); + ROUTE_OPTION_FLAGS(&c->options), es, &c->net_ctx); RESET_OPTION_ROUTES(options->routes_ipv6, routes_ipv6); } *update_options_found |= OPT_P_U_ROUTE6; @@ -6229,7 +6089,7 @@ update_option(struct context *c, *update_options_found |= OPT_P_U_DHCP; } } -#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */ +#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */ else if (streq(p[0], "dhcp-option") && p[1] && !p[3]) { if (!(*update_options_found & OPT_P_U_DHCP)) @@ -6240,8 +6100,7 @@ update_option(struct context *c, } } #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */ - add_option(options, p, is_inline, file, line, - level, msglevel, permission_mask, + add_option(options, p, is_inline, file, line, level, msglevel, permission_mask, option_types_found, es); return; err: @@ -6249,16 +6108,15 @@ err: } static void -set_user_script(struct options *options, - const char **script, - const char *new_script, - const char *type, - bool in_chroot) +set_user_script(struct options *options, const char **script, const char *new_script, + const char *type, bool in_chroot) { if (*script) { - msg(M_WARN, "Multiple --%s scripts defined. " - "The previously configured script is overridden.", type); + msg(M_WARN, + "Multiple --%s scripts defined. " + "The previously configured script is overridden.", + type); } *script = new_script; options->user_script_used = true; 
@@ -6266,14 +6124,12 @@ set_user_script(struct options *options, #ifndef ENABLE_SMALL { char script_name[100]; - snprintf(script_name, sizeof(script_name), - "--%s script", type); + snprintf(script_name, sizeof(script_name), "--%s script", type); if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL))) { msg(M_USAGE, "Please correct this error."); } - } #endif } @@ -6284,9 +6140,9 @@ show_compression_warning(struct compress_options *info) if (comp_non_stub_enabled(info)) { msg(M_WARN, "WARNING: Compression for receiving enabled. " - "Compression has been used in the past to break encryption. " - "Compression support is deprecated and we recommend to disable " - "it completely."); + "Compression has been used in the past to break encryption. " + "Compression support is deprecated and we recommend to disable " + "it completely."); } } @@ -6306,16 +6162,9 @@ key_is_external(const struct options *options) } static void -add_option(struct options *options, - char *p[], - bool is_inline, - const char *file, - int line, - const int level, - const int msglevel, - const unsigned int permission_mask, - unsigned int *option_types_found, - struct env_set *es) +add_option(struct options *options, char *p[], bool is_inline, const char *file, int line, + const int level, const int msglevel, const unsigned int permission_mask, + unsigned int *option_types_found, struct env_set *es) { struct gc_arena gc = gc_new(); const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE); @@ -6367,7 +6216,8 @@ add_option(struct options *options, options->config = p[1]; } - read_config_file(options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es); + read_config_file(options, p[1], level, file, line, msglevel, permission_mask, + option_types_found, es); } #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL) else if (streq(p[0], "show-gateway") && !p[2]) 
@@ -6420,9 +6270,7 @@ add_option(struct options *options, * can potentially include security-sensitive strings */ if (p[1] && strncmp(p[1], "msg", 3) == 0) { - msg(M_INFO, "%s:%s", - pull_mode ? "ECHO-PULL" : "ECHO", - BSTR(&string)); + msg(M_INFO, "%s:%s", pull_mode ? "ECHO-PULL" : "ECHO", BSTR(&string)); } #ifdef ENABLE_MANAGEMENT if (management) @@ -6537,8 +6385,7 @@ add_option(struct options *options, * When no option is present, assume that only PKCS1 * padding is supported */ - if (!(options->management_flags - &(MF_EXTERNAL_KEY_NOPADDING | MF_EXTERNAL_KEY_PKCS1PAD))) + if (!(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING | MF_EXTERNAL_KEY_PKCS1PAD))) { options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD; } @@ -6615,7 +6462,8 @@ add_option(struct options *options, else if (streq(p[0], "windows-driver") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); - msg(M_WARN, "DEPRECATED OPTION: windows-driver: In OpenVPN 2.7, the default Windows driver is ovpn-dco. " + msg(M_WARN, + "DEPRECATED OPTION: windows-driver: In OpenVPN 2.7, the default Windows driver is ovpn-dco. " "If incompatible options are used, OpenVPN will fall back to tap-windows6. Wintun support has been removed."); } #endif @@ -6650,7 +6498,8 @@ add_option(struct options *options, { if (!pull_mode) { - msg(M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore."); + msg(M_WARN, + "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore."); } } #ifdef ENABLE_IPROUTE 
@@ -6663,7 +6512,8 @@ add_option(struct options *options, else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3]) { VERIFY_PERMISSION(OPT_P_UP); - if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */ + if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) + && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */ { options->ifconfig_local = p[1]; options->ifconfig_remote_netmask = p[2]; @@ -6679,12 +6529,12 @@ add_option(struct options *options, unsigned int netbits; VERIFY_PERMISSION(OPT_P_UP); - if (get_ipv6_addr( p[1], NULL, &netbits, msglevel ) - && ipv6_addr_safe( p[2] ) ) + if (get_ipv6_addr(p[1], NULL, &netbits, msglevel) && ipv6_addr_safe(p[2])) { if (netbits < 64 || netbits > 124) { - msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits ); + msg(msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", + netbits); goto err; } @@ -6712,7 +6562,7 @@ add_option(struct options *options, { struct local_entry *e; - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION); e = alloc_local_entry(&options->ce, M_USAGE, &options->gc); ASSERT(e); @@ -6742,7 +6592,7 @@ add_option(struct options *options, } else if (streq(p[0], "connection") && p[1] && !p[3]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE); if (is_inline) { struct options sub; 
@@ -6750,11 +6600,12 @@ add_option(struct options *options, init_options(&sub, true); sub.ce = options->ce; - read_config_string("[CONNECTION-OPTIONS]", &sub, p[1], msglevel, - OPT_P_CONNECTION, option_types_found, es); + read_config_string("[CONNECTION-OPTIONS]", &sub, p[1], msglevel, OPT_P_CONNECTION, + option_types_found, es); if (!sub.ce.remote) { - msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive"); + msg(msglevel, + "Each 'connection' block must contain exactly one 'remote' directive"); uninit_options(&sub); goto err; } @@ -6785,16 +6636,14 @@ add_option(struct options *options, } /* add number of options already ignored */ - for (i = 0; options->ignore_unknown_option - && options->ignore_unknown_option[i]; i++) + for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++) { numignored++; } /* Allocate array */ - ALLOC_ARRAY_GC(ignore, const char *, numignored+1, &options->gc); - for (i = 0; options->ignore_unknown_option - && options->ignore_unknown_option[i]; i++) + ALLOC_ARRAY_GC(ignore, const char *, numignored + 1, &options->gc); + for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++) { ignore[i] = options->ignore_unknown_option[i]; } @@ -6804,9 +6653,9 @@ add_option(struct options *options, for (j = 1; p[j]; j++) { /* Allow the user to specify ignore-unknown-option --opt too */ - if (p[j][0]=='-' && p[j][1]=='-') + if (p[j][0] == '-' && p[j][1] == '-') { - options->ignore_unknown_option[i] = (p[j]+2); + options->ignore_unknown_option[i] = (p[j] + 2); } else { @@ -6835,7 +6684,7 @@ add_option(struct options *options, re.proto = -1; re.af = 0; - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION); re.remote = p[1]; if (p[2]) { 
@@ -6846,9 +6695,7 @@ add_option(struct options *options, const sa_family_t af = ascii2af(p[3]); if (proto < 0) { - msg(msglevel, - "remote: bad protocol associated with host %s: '%s'", - p[1], p[3]); + msg(msglevel, "remote: bad protocol associated with host %s: '%s'", p[1], p[3]); goto err; } re.proto = proto; @@ -6894,7 +6741,7 @@ add_option(struct options *options, } else if (streq(p[0], "connect-retry") && p[1] && !p[3]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION); options->ce.connect_retry_seconds = positive_atoi(p[1], msglevel); /* * Limit the base value of retry wait interval to 16 bits to avoid @@ -6913,15 +6760,15 @@ add_option(struct options *options, max_int(positive_atoi(p[2], msglevel), options->ce.connect_retry_seconds); } } - else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout")) - && p[1] && !p[2]) + else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout")) && p[1] + && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION); options->ce.connect_timeout = positive_atoi(p[1], msglevel); } else if (streq(p[0], "connect-retry-max") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION); options->connect_retry_max = positive_atoi(p[1], msglevel); } else if (streq(p[0], "ipchange") && p[1]) @@ -6931,14 +6778,12 @@ add_option(struct options *options, { goto err; } - set_user_script(options, - &options->ipchange, - string_substitute(p[1], ',', ' ', &options->gc), - "ipchange", true); + set_user_script(options, &options->ipchange, + string_substitute(p[1], ',', ' ', &options->gc), "ipchange", true); } else if (streq(p[0], "float") && !p[1]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION); options->ce.remote_float = true; } #ifdef ENABLE_DEBUG 
@@ -7026,7 +6871,9 @@ add_option(struct options *options, { if (!didit) { - msg(M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]); + msg(M_WARN, + "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", + p[1]); goto err; } } @@ -7088,7 +6935,8 @@ add_option(struct options *options, /* Warn when a debug verbosity is supplied when built without debug support */ if (options->verbosity >= 7) { - msg(M_WARN, "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.", + msg(M_WARN, + "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.", options->verbosity); } #endif @@ -7144,13 +6992,13 @@ add_option(struct options *options, } else if ((streq(p[0], "link-mtu") || streq(p[0], "udp-mtu")) && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION); options->ce.link_mtu = positive_atoi(p[1], msglevel); options->ce.link_mtu_defined = true; } else if (streq(p[0], "tun-mtu") && p[1] && !p[3]) { - VERIFY_PERMISSION(OPT_P_PUSH_MTU|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_PUSH_MTU | OPT_P_CONNECTION); options->ce.tun_mtu = positive_atoi(p[1], msglevel); options->ce.tun_mtu_defined = true; if (p[2]) @@ -7164,7 +7012,7 @@ add_option(struct options *options, } else if (streq(p[0], "tun-mtu-max") && p[1] && !p[3]) { - VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION); int max_mtu = positive_atoi(p[1], msglevel); if (max_mtu < 68 || max_mtu > 65536) { 
@@ -7177,22 +7025,23 @@ add_option(struct options *options, } else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION); options->ce.tun_mtu_extra = positive_atoi(p[1], msglevel); options->ce.tun_mtu_extra_defined = true; } else if (streq(p[0], "max-packet-size") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION); int maxmtu = positive_atoi(p[1], msglevel); options->ce.tls_mtu = constrain_int(maxmtu, TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE); if (maxmtu < TLS_CHANNEL_MTU_MIN || maxmtu > TLS_CHANNEL_BUF_SIZE) { - msg(M_WARN, "Note: max-packet-size value outside of allowed " + msg(M_WARN, + "Note: max-packet-size value outside of allowed " "control channel packet size (%d to %d), will use %d " - "instead.", TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE, - options->ce.tls_mtu); + "instead.", + TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE, options->ce.tls_mtu); } /* also set mssfix maxmtu mtu */ @@ -7203,13 +7052,13 @@ add_option(struct options *options, #ifdef ENABLE_FRAGMENT else if (streq(p[0], "mtu-dynamic")) { - VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION); msg(msglevel, "--mtu-dynamic has been replaced by --fragment"); goto err; } else if (streq(p[0], "fragment") && p[1] && !p[3]) { - VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION); options->ce.fragment = positive_atoi(p[1], msglevel); if (options->ce.fragment < 68) @@ -7230,7 +7079,7 @@ add_option(struct options *options, #endif /* ifdef ENABLE_FRAGMENT */ else if (streq(p[0], "mtu-disc") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION); options->ce.mtu_discover_type = translate_mtu_discover_type_name(p[1]); } else if (streq(p[0], "mtu-test") && !p[1]) 
@@ -7301,20 +7150,19 @@ add_option(struct options *options, shaper = atoi_warn(p[1], msglevel); if (shaper < SHAPER_MIN || shaper > SHAPER_MAX) { - msg(msglevel, "Bad shaper value, must be between %d and %d", - SHAPER_MIN, SHAPER_MAX); + msg(msglevel, "Bad shaper value, must be between %d and %d", SHAPER_MIN, SHAPER_MAX); goto err; } options->shaper = shaper; } else if (streq(p[0], "port") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION); options->ce.local_port = options->ce.remote_port = p[1]; } else if (streq(p[0], "lport") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION); /* only trigger bind() if port is not 0 (or --local is used) */ if (!streq(p[1], "0")) @@ -7325,22 +7173,21 @@ add_option(struct options *options, } else if (streq(p[0], "rport") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION); options->ce.remote_port = p[1]; } else if (streq(p[0], "bind") && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION); options->ce.bind_defined = true; if (p[1] && streq(p[1], "ipv6only")) { options->ce.bind_ipv6_only = true; } - } else if (streq(p[0], "nobind") && !p[1]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION); options->ce.bind_local = false; } else if (streq(p[0], "fast-io") && !p[1]) 
@@ -7358,11 +7205,12 @@ add_option(struct options *options, options->inactivity_minimum_bytes = (val < 0) ? 0 : val; if (options->inactivity_minimum_bytes > INT_MAX) { - msg(M_WARN, "WARNING: '--inactive' with a 'bytes' value" + msg(M_WARN, + "WARNING: '--inactive' with a 'bytes' value" " >2 Gbyte was silently ignored in older versions. If " " your VPN exits unexpectedly with 'Inactivity timeout'" " in %d seconds, revisit this value.", - options->inactivity_timeout ); + options->inactivity_timeout); } } } @@ -7375,14 +7223,12 @@ add_option(struct options *options, { int proto; sa_family_t af; - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION); proto = ascii2proto(p[1]); af = ascii2af(p[1]); if (proto < 0) { - msg(msglevel, - "Bad protocol: '%s'. Allowed protocols with --proto option: %s", - p[1], + msg(msglevel, "Bad protocol: '%s'. Allowed protocols with --proto option: %s", p[1], proto2ascii_all(&gc)); goto err; } @@ -7405,7 +7251,7 @@ add_option(struct options *options, { struct http_proxy_options *ho; - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION); { if (!p[2]) 
@@ -7451,29 +7297,30 @@ add_option(struct options *options, else if (streq(p[0], "http-proxy-user-pass") && p[1]) { struct http_proxy_options *ho; - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE); ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc); ho->auth_file_up = p[1]; ho->inline_creds = is_inline; } else if (streq(p[0], "http-proxy-retry") || streq(p[0], "socks-proxy-retry")) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION); msg(M_WARN, "DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: " - "In OpenVPN 2.4 proxy connection retries are handled like regular connections. " - "Use connect-retry-max 1 to get a similar behavior as before."); + "In OpenVPN 2.4 proxy connection retries are handled like regular connections. " + "Use connect-retry-max 1 to get a similar behavior as before."); } else if (streq(p[0], "http-proxy-timeout") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); - msg(M_WARN, "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a " + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION); + msg(M_WARN, + "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a " "server is established is managed with a single timeout set by connect-timeout"); } else if (streq(p[0], "http-proxy-option") && p[1] && !p[4]) { struct http_proxy_options *ho; - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION); ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc); if (streq(p[1], "VERSION") && p[2] && !p[3]) 
@@ -7503,7 +7350,8 @@ add_option(struct options *options, } if (!custom_header) { - msg(msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'", MAX_CUSTOM_HTTP_HEADER, p[1]); + msg(msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'", + MAX_CUSTOM_HTTP_HEADER, p[1]); } else { @@ -7520,7 +7368,7 @@ add_option(struct options *options, } else if (streq(p[0], "socks-proxy") && p[1] && !p[4]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION); if (p[2]) { @@ -7563,7 +7411,7 @@ add_option(struct options *options, } else if (streq(p[0], "explicit-exit-notify") && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION | OPT_P_EXPLICIT_NOTIFY); if (p[1]) { options->ce.explicit_exit_notification = positive_atoi(p[1], msglevel); @@ -7582,7 +7430,7 @@ add_option(struct options *options, { VERIFY_PERMISSION(OPT_P_PERSIST); msg(M_WARN, "DEPRECATED: --persist-key option ignored. " - "Keys are now always persisted across restarts. "); + "Keys are now always persisted across restarts. "); } else if (streq(p[0], "persist-local-ip") && !p[1]) { @@ -7615,7 +7463,8 @@ add_option(struct options *options, { goto err; } - add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4], options->route_default_table_id); + add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4], + options->route_default_table_id); } else if (streq(p[0], "route-ipv6") && p[1] && !p[4]) { 
@@ -7624,14 +7473,15 @@ add_option(struct options *options, { goto err; } - add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3], options->route_default_table_id); + add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3], + options->route_default_table_id); } else if (streq(p[0], "max-routes") && !p[2]) { msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored. " - "The number of routes is unlimited as of OpenVPN 2.4. " - "This option will be removed in a future version, " - "please remove it from your configuration."); + "The number of routes is unlimited as of OpenVPN 2.4. " + "This option will be removed in a future version, " + "please remove it from your configuration."); } else if (streq(p[0], "route-gateway") && p[1] && !p[2]) { @@ -7642,7 +7492,8 @@ add_option(struct options *options, } else { - if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) || is_special_addr(p[1])) /* FQDN -- may be DNS name */ + if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) + || is_special_addr(p[1])) /* FQDN -- may be DNS name */ { options->route_default_gateway = p[1]; } @@ -7703,10 +7554,7 @@ add_option(struct options *options, { goto err; } - set_user_script(options, - &options->route_predown_script, - p[1], - "route-pre-down", true); + set_user_script(options, &options->route_predown_script, p[1], "route-pre-down", true); } else if (streq(p[0], "route-noexec") && !p[1]) { 
@@ -7757,11 +7605,10 @@ add_option(struct options *options, if (options->routes->flags & RG_ENABLE) { - msg(M_WARN, - "WARNING: You have specified redirect-gateway and " - "redirect-private at the same time (or the same option " - "multiple times). This is not well supported and may lead to " - "unexpected results"); + msg(M_WARN, "WARNING: You have specified redirect-gateway and " + "redirect-private at the same time (or the same option " + "multiple times). This is not well supported and may lead to " + "unexpected results"); } options->routes->flags |= RG_ENABLE; @@ -7861,8 +7708,7 @@ add_option(struct options *options, unsigned int major, minor, patch; if (!(sscanf(p[1], "%u.%u.%u", &major, &minor, &patch) == 3)) { - msg(msglevel, "cannot parse version number for --compat-mode: %s", - p[1]); + msg(msglevel, "cannot parse version number for --compat-mode: %s", p[1]); goto err; } @@ -7880,14 +7726,13 @@ add_option(struct options *options, } else if (streq(p[0], "mssfix") && !p[3]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION); if (p[1]) { int mssfix = positive_atoi(p[1], msglevel); /* can be 0, but otherwise it needs to be high enough so we can * substract room for headers. */ - if (mssfix != 0 - && (mssfix < TLS_CHANNEL_MTU_MIN || mssfix > UINT16_MAX)) + if (mssfix != 0 && (mssfix < TLS_CHANNEL_MTU_MIN || mssfix > UINT16_MAX)) { msg(msglevel, "--mssfix value '%s' is invalid", p[1]); goto err; 
@@ -7963,15 +7808,14 @@ add_option(struct options *options, unsigned int netbits = 0; VERIFY_PERMISSION(OPT_P_GENERAL); - if (!get_ipv6_addr(p[1], &network, &netbits, lev) ) + if (!get_ipv6_addr(p[1], &network, &netbits, lev)) { msg(msglevel, "error parsing --server-ipv6 parameter"); goto err; } if (netbits < 64 || netbits > 124) { - msg(msglevel, - "--server-ipv6 settings: network must be between /64 and /124 (not /%d)", + msg(msglevel, "--server-ipv6 settings: network must be between /64 and /124 (not /%d)", netbits); goto err; @@ -8076,7 +7920,7 @@ add_option(struct options *options, unsigned int netbits = 0; VERIFY_PERMISSION(OPT_P_GENERAL); - if (!get_ipv6_addr(p[1], &network, &netbits, lev ) ) + if (!get_ipv6_addr(p[1], &network, &netbits, lev)) { msg(msglevel, "error parsing --ifconfig-ipv6-pool parameters"); goto err; @@ -8165,7 +8009,8 @@ add_option(struct options *options, else if (streq(p[0], "client-cert-not-required") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); - msg(M_FATAL, "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead"); + msg(M_FATAL, + "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead"); } else if (streq(p[0], "verify-client-cert") && !p[2]) { @@ -8186,7 +8031,8 @@ add_option(struct options *options, } else if (!streq(p[1], "require")) { - msg(msglevel, "parameter to --verify-client-cert must be 'none', 'optional' or 'require'"); + msg(msglevel, + "parameter to --verify-client-cert must be 'none', 'optional' or 'require'"); goto err; } } @@ -8205,7 +8051,7 @@ add_option(struct options *options, { VERIFY_PERMISSION(OPT_P_GENERAL); msg(M_INFO, "DEPRECATION: opt-verify is deprecated and will be removed " - "in OpenVPN 2.7"); + "in OpenVPN 2.7"); options->ssl_flags |= SSLF_OPT_VERIFY; } else if (streq(p[0], "auth-user-pass-verify") && p[1]) 
@@ -8227,18 +8073,19 @@ add_option(struct options *options, } else { - msg(msglevel, "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'"); + msg(msglevel, + "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'"); goto err; } } else { - msg(msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')"); + msg(msglevel, + "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')"); goto err; } - set_user_script(options, - &options->auth_user_pass_verify_script, - p[1], "auth-user-pass-verify", true); + set_user_script(options, &options->auth_user_pass_verify_script, p[1], + "auth-user-pass-verify", true); } else if (streq(p[0], "auth-gen-token")) { @@ -8262,14 +8109,12 @@ add_option(struct options *options, msg(msglevel, "Invalid argument to auth-gen-token: %s (%d)", p[i], i); } } - } else if (streq(p[0], "auth-gen-token-secret") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE); options->auth_token_secret_file = p[1]; options->auth_token_secret_file_inline = is_inline; - } else if (streq(p[0], "client-connect") && p[1]) { @@ -8278,8 +8123,7 @@ add_option(struct options *options, { goto err; } - set_user_script(options, &options->client_connect_script, - p[1], "client-connect", true); + set_user_script(options, &options->client_connect_script, p[1], "client-connect", true); } else if (streq(p[0], "client-crresponse") && p[1]) { @@ -8288,8 +8132,8 @@ add_option(struct options *options, { goto err; } - set_user_script(options, &options->client_crresponse_script, - p[1], "client-crresponse", true); + set_user_script(options, &options->client_crresponse_script, p[1], "client-crresponse", + true); } else if (streq(p[0], "client-disconnect") && p[1]) { 
@@ -8298,8 +8142,8 @@ add_option(struct options *options, { goto err; } - set_user_script(options, &options->client_disconnect_script, - p[1], "client-disconnect", true); + set_user_script(options, &options->client_disconnect_script, p[1], "client-disconnect", + true); } else if (streq(p[0], "learn-address") && p[1]) { @@ -8308,8 +8152,7 @@ add_option(struct options *options, { goto err; } - set_user_script(options, &options->learn_address_script, - p[1], "learn-address", true); + set_user_script(options, &options->learn_address_script, p[1], "learn-address", true); } else if (streq(p[0], "tmp-dir") && p[1] && !p[2]) { @@ -8384,8 +8227,8 @@ add_option(struct options *options, in_addr_t local, remote_netmask; VERIFY_PERMISSION(OPT_P_INSTANCE); - local = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL); - remote_netmask = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[2], 0, NULL, NULL); + local = getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[1], 0, NULL, NULL); + remote_netmask = getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[2], 0, NULL, NULL); if (local && remote_netmask) { options->push_ifconfig_defined = true; @@ -8393,7 +8236,8 @@ add_option(struct options *options, options->push_ifconfig_remote_netmask = remote_netmask; if (p[3]) { - options->push_ifconfig_local_alias = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[3], 0, NULL, NULL); + options->push_ifconfig_local_alias = + getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[3], 0, NULL, NULL); } } else @@ -8407,7 +8251,7 @@ add_option(struct options *options, in_addr_t network, netmask; VERIFY_PERMISSION(OPT_P_GENERAL); - network = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL); + network = getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[1], 0, NULL, NULL); netmask = getaddr(GETADDR_HOST_ORDER, p[2], 0, NULL, NULL); if (network && netmask) { 
@@ -8428,7 +8272,7 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_INSTANCE); - if (!get_ipv6_addr( p[1], &local, &netbits, msglevel ) ) + if (!get_ipv6_addr(p[1], &local, &netbits, msglevel)) { msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses"); goto err; @@ -8436,19 +8280,19 @@ add_option(struct options *options, if (p[2]) { - if (!get_ipv6_addr( p[2], &remote, NULL, msglevel ) ) + if (!get_ipv6_addr(p[2], &remote, NULL, msglevel)) { - msg( msglevel, "cannot parse --ifconfig-ipv6-push addresses"); + msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses"); goto err; } } else { if (!options->ifconfig_ipv6_local - || !get_ipv6_addr( options->ifconfig_ipv6_local, &remote, - NULL, msglevel ) ) + || !get_ipv6_addr(options->ifconfig_ipv6_local, &remote, NULL, msglevel)) { - msg( msglevel, "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set"); + msg(msglevel, + "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set"); goto err; } } @@ -8469,8 +8313,10 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_INSTANCE); if (strlen(p[1]) > USER_PASS_LEN) { - msg(msglevel, "override-username exceeds the maximum length of %d " - "characters", USER_PASS_LEN); + msg(msglevel, + "override-username exceeds the maximum length of %d " + "characters", + USER_PASS_LEN); /* disable the connection since ignoring the request to * set another username might cause serious problems */ @@ -8506,7 +8352,7 @@ add_option(struct options *options, msg(msglevel, "--stale-routes-check aging time and check interval must be >= 1"); goto err; } - options->stale_routes_ageing_time = ageing_time; + options->stale_routes_ageing_time = ageing_time; options->stale_routes_check_interval = check_interval; } 
@@ -8527,7 +8373,7 @@ add_option(struct options *options, } else if (streq(p[0], "auth-user-pass") && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE); if (p[1]) { options->auth_user_pass_file = p[1]; @@ -8568,15 +8414,15 @@ add_option(struct options *options, #ifdef _WIN32 VERIFY_PERMISSION(OPT_P_GENERAL); HANDLE process = GetCurrentProcess(); - HANDLE handle = (HANDLE) ((intptr_t) atoll(p[1])); - if (!DuplicateHandle(process, handle, process, &options->msg_channel, 0, - FALSE, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) + HANDLE handle = (HANDLE)((intptr_t)atoll(p[1])); + if (!DuplicateHandle(process, handle, process, &options->msg_channel, 0, FALSE, + DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) { msg(msglevel, "could not duplicate service pipe handle"); goto err; } options->route_method = ROUTE_METHOD_SERVICE; -#else /* ifdef _WIN32 */ +#else /* ifdef _WIN32 */ msg(msglevel, "--msg-channel is only supported on Windows"); goto err; #endif @@ -8588,8 +8434,8 @@ add_option(struct options *options, if (streq(p[1], "env")) { msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN 2.3. " - "This entry will now be ignored. " - "Please remove this entry from your configuration file."); + "This entry will now be ignored. " + "Please remove this entry from your configuration file."); } else { @@ -8626,9 +8472,7 @@ add_option(struct options *options, if (index < 0) { - msg(msglevel, - "Bad --ip-win32 method: '%s'. Allowed methods: %s", - p[1], + msg(msglevel, "Bad --ip-win32 method: '%s'. Allowed methods: %s", p[1], ipset2ascii_all(&gc)); goto err; } @@ -8648,7 +8492,9 @@ add_option(struct options *options, if (!(offset > -256 && offset < 256)) { - msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", offset); + msg(msglevel, + "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", + offset); goto err; } 
@@ -8663,7 +8509,9 @@ add_option(struct options *options, lease_time = atoi_warn(p[3], msglevel); if (lease_time < min_lease) { - msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", lease_time, min_lease); + msg(msglevel, + "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", + lease_time, min_lease); goto err; } to->dhcp_lease_time = lease_time; @@ -8803,10 +8651,11 @@ add_option(struct options *options, #endif else { - msg(msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p[1]); + msg(msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", + p[1]); goto err; } -#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */ +#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */ setenv_foreign_option(options, p[1], p[2], es); #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */ @@ -8821,14 +8670,14 @@ add_option(struct options *options, else if (streq(p[0], "show-adapters") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); - show_tap_win_adapters(M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX); + show_tap_win_adapters(M_INFO | M_NOPREFIX, M_WARN | M_NOPREFIX); openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } else if (streq(p[0], "show-net") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); - show_routes(M_INFO|M_NOPREFIX); - show_adapters(M_INFO|M_NOPREFIX); + show_routes(M_INFO | M_NOPREFIX); + show_adapters(M_INFO | M_NOPREFIX); openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } else if (streq(p[0], "show-net-up") && !p[1]) 
@@ -8977,19 +8826,20 @@ add_option(struct options *options, if (streq(p[1], "no")) { - options->comp.flags = - COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY; + options->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY; if (comp_non_stub_enabled(&options->comp)) { msg(msglevel, "'--allow-compression no' conflicts with " - " enabling compression"); + " enabling compression"); } } else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY) { /* Also printed on a push to hint at configuration problems */ - msg(msglevel, "Cannot set allow-compression to '%s' " - "after set to 'no'", p[1]); + msg(msglevel, + "Cannot set allow-compression to '%s' " + "after set to 'no'", + p[1]); goto err; } else if (streq(p[1], "asym")) @@ -8998,15 +8848,18 @@ add_option(struct options *options, } else if (streq(p[1], "yes")) { - msg(M_WARN, "DEPRECATED OPTION: \"--allow-compression yes\" has been removed. " + msg(M_WARN, + "DEPRECATED OPTION: \"--allow-compression yes\" has been removed. " "We will use \"asym\" mode instead. See the manual page for more information."); options->comp.flags |= COMP_F_ALLOW_ASYM; } else { - msg(msglevel, "bad allow-compression option: %s -- " - "must be 'yes', 'no', or 'asym'", p[1]); + msg(msglevel, + "bad allow-compression option: %s -- " + "must be 'yes', 'no', or 'asym'", + p[1]); goto err; } } @@ -9030,7 +8883,8 @@ add_option(struct options *options, */ else if (!(streq(p[1], "yes") || streq(p[1], "adaptive"))) { - msg(msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]); + msg(msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", + p[1]); goto err; } } @@ -9052,7 +8906,7 @@ add_option(struct options *options, if (streq(alg, "stub")) { options->comp.alg = COMP_ALG_STUB; - options->comp.flags |= (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY); + options->comp.flags |= (COMP_F_SWAP | COMP_F_ADVERTISE_STUBS_ONLY); } else if (streq(alg, "stub-v2")) { 
@@ -9105,7 +8959,7 @@ add_option(struct options *options, { int key_direction; - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION); key_direction = ascii2keydirection(msglevel, p[1]); if (key_direction >= 0) @@ -9127,7 +8981,7 @@ add_option(struct options *options, else if (streq(p[0], "secret") && p[1] && !p[3]) { msg(M_WARN, "DEPRECATED OPTION: The option --secret is deprecated."); - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE); options->shared_secret_file = p[1]; options->shared_secret_file_inline = is_inline; if (!is_inline && p[2]) @@ -9149,7 +9003,6 @@ add_option(struct options *options, { VERIFY_PERMISSION(OPT_P_GENERAL); options->allow_deprecated_insecure_static_crypto = true; - } else if (streq(p[0], "genkey") && !p[4]) { @@ -9161,8 +9014,7 @@ add_option(struct options *options, } else { - if (streq(p[1], "secret") || streq(p[1], "tls-auth") - || streq(p[1], "tls-crypt")) + if (streq(p[1], "secret") || streq(p[1], "tls-auth") || streq(p[1], "tls-crypt")) { options->genkey_type = GENKEY_SECRET; } @@ -9186,7 +9038,6 @@ add_option(struct options *options, { msg(msglevel, "unknown --genkey type: %s", p[1]); } - } if (p[2]) { 
@@ -9200,23 +9051,22 @@ add_option(struct options *options, } else if (streq(p[0], "cipher") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE); + VERIFY_PERMISSION(OPT_P_NCP | OPT_P_INSTANCE); options->ciphername = p[1]; } else if (streq(p[0], "data-ciphers-fallback") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INSTANCE); options->ciphername = p[1]; options->enable_ncp_fallback = true; } - else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers")) - && p[1] && !p[2]) + else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers")) && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INSTANCE); if (streq(p[0], "ncp-ciphers")) { msg(M_INFO, "Note: Treating option '--ncp-ciphers' as " - " '--data-ciphers' (renamed in OpenVPN 2.5)."); + " '--data-ciphers' (renamed in OpenVPN 2.5)."); } options->ncp_ciphers = p[1]; } @@ -9278,7 +9128,7 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); /* always error out, this breaks the connection */ msg(M_FATAL, "--no-replay was removed in OpenVPN 2.7. " - "Update your configuration."); + "Update your configuration."); } else if (streq(p[0], "replay-window") && !p[3]) { @@ -9291,9 +9141,7 @@ add_option(struct options *options, if (!(MIN_SEQ_BACKTRACK <= replay_window && replay_window <= MAX_SEQ_BACKTRACK)) { msg(msglevel, "replay-window window size parameter (%d) must be between %d and %d", - replay_window, - MIN_SEQ_BACKTRACK, - MAX_SEQ_BACKTRACK); + replay_window, MIN_SEQ_BACKTRACK, MAX_SEQ_BACKTRACK); goto err; } options->replay_window = replay_window; 
@@ -9305,10 +9153,9 @@ add_option(struct options *options, replay_time = atoi_warn(p[2], msglevel); if (!(MIN_TIME_BACKTRACK <= replay_time && replay_time <= MAX_TIME_BACKTRACK)) { - msg(msglevel, "replay-window time window parameter (%d) must be between %d and %d", - replay_time, - MIN_TIME_BACKTRACK, - MAX_TIME_BACKTRACK); + msg(msglevel, + "replay-window time window parameter (%d) must be between %d and %d", + replay_time, MIN_TIME_BACKTRACK, MAX_TIME_BACKTRACK); goto err; } options->replay_time = replay_time; @@ -9377,8 +9224,8 @@ add_option(struct options *options, { VERIFY_PERMISSION(OPT_P_GENERAL); msg(M_WARN, "Consider setting groups/curves preference with " - "tls-groups instead of forcing a specific curve with " - "ecdh-curve."); + "tls-groups instead of forcing a specific curve with " + "ecdh-curve."); options->ecdh_curve = p[1]; } else if (streq(p[0], "tls-server") && !p[1]) @@ -9393,7 +9240,7 @@ add_option(struct options *options, } else if (streq(p[0], "ca") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE); options->ca_file = p[1]; options->ca_file_inline = is_inline; } 
@@ -9406,33 +9253,33 @@ add_option(struct options *options, #endif /* ENABLE_CRYPTO_MBEDTLS */ else if (streq(p[0], "dh") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE); options->dh_file = p[1]; options->dh_file_inline = is_inline; } else if (streq(p[0], "cert") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE); options->cert_file = p[1]; options->cert_file_inline = is_inline; } else if (streq(p[0], "extra-certs") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE); options->extra_certs_file = p[1]; options->extra_certs_file_inline = is_inline; } else if ((streq(p[0], "verify-hash") && p[1] && !p[3]) || (streq(p[0], "peer-fingerprint") && p[1] && !p[2])) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE); int verify_hash_depth = 0; if (streq(p[0], "verify-hash")) { msg(M_WARN, "DEPRECATED OPTION: The option --verify-hash is deprecated. " - "You should switch to the either use the level 1 certificate as " - "--ca option, use --tls-verify or use --peer-fingerprint"); + "You should switch to the either use the level 1 certificate as " + "--ca option, use --tls-verify or use --peer-fingerprint"); /* verify level 1 cert, i.e. the CA that signed the leaf cert */ verify_hash_depth = 1; } @@ -9443,8 +9290,10 @@ add_option(struct options *options, if (options->verify_hash && options->verify_hash_depth != verify_hash_depth) { - msg(msglevel, "ERROR: Setting %s not allowed. --verify-hash and" - " --peer-fingerprint are mutually exclusive", p[0]); + msg(msglevel, + "ERROR: Setting %s not allowed. --verify-hash and" + " --peer-fingerprint are mutually exclusive", + p[0]); goto err; } 
@@ -9457,15 +9306,16 @@ add_option(struct options *options, } else if (p[2] && !streq(p[2], "SHA256")) { - msg(msglevel, "invalid or unsupported hashing algorithm: %s " - "(only SHA1 and SHA256 are supported)", p[2]); + msg(msglevel, + "invalid or unsupported hashing algorithm: %s " + "(only SHA1 and SHA256 are supported)", + p[2]); goto err; } } struct verify_hash_list *newlist; - newlist = parse_hash_fingerprint_multiline(p[1], digest_len, - msglevel, &options->gc); + newlist = parse_hash_fingerprint_multiline(p[1], digest_len, msglevel, &options->gc); /* Append the new list to the end of our current list */ if (!options->verify_hash) @@ -9494,7 +9344,7 @@ add_option(struct options *options, #endif else if (streq(p[0], "key") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE); options->priv_key_file = p[1]; options->priv_key_file_inline = is_inline; } @@ -9517,8 +9367,7 @@ add_option(struct options *options, } #endif - options->ssl_flags &= - ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT); + options->ssl_flags &= ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT); options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT); } else if (streq(p[0], "tls-version-max") && p[1] && !p[2]) @@ -9531,14 +9380,13 @@ add_option(struct options *options, msg(msglevel, "unknown tls-version-max parameter: %s", p[1]); goto err; } - options->ssl_flags &= - ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT); + options->ssl_flags &= ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT); options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT); } #ifndef ENABLE_CRYPTO_MBEDTLS else if (streq(p[0], "pkcs12") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE); options->pkcs12_file = p[1]; options->pkcs12_file_inline = is_inline; } 
@@ -9611,10 +9459,9 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); options->tls_groups = p[1]; } - else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir")) - || !p[2])) + else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir")) || !p[2])) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE); if (p[2] && streq(p[2], "dir")) { options->ssl_flags |= SSLF_CRL_VERIFY_DIR; @@ -9630,8 +9477,7 @@ add_option(struct options *options, goto err; } set_user_script(options, &options->tls_verify, - string_substitute(p[1], ',', ' ', &options->gc), - "tls-verify", true); + string_substitute(p[1], ',', ' ', &options->gc), "tls-verify", true); } else if (streq(p[0], "tls-export-cert") && p[1] && !p[2]) { @@ -9642,14 +9488,14 @@ add_option(struct options *options, { VERIFY_PERMISSION(OPT_P_GENERAL); msg(msglevel, "--compat-names was removed in OpenVPN 2.5. " - "Update your configuration."); + "Update your configuration."); goto err; } else if (streq(p[0], "no-name-remapping") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); msg(msglevel, "--no-name-remapping was removed in OpenVPN 2.5. " - "Update your configuration."); + "Update your configuration."); goto err; } else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3]) @@ -9708,7 +9554,7 @@ add_option(struct options *options, size_t j; for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) { - sscanf(p[j], "%x", &(options->remote_cert_ku[j-1])); + sscanf(p[j], "%x", &(options->remote_cert_ku[j - 1])); } if (j == 1) { @@ -9793,7 +9639,7 @@ add_option(struct options *options, { int key_direction = -1; - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION | OPT_P_INLINE); if (permission_mask & OPT_P_GENERAL) { 
@@ -9809,7 +9655,6 @@ add_option(struct options *options, } options->key_direction = key_direction; } - } else if (permission_mask & OPT_P_CONNECTION) { @@ -9830,7 +9675,7 @@ add_option(struct options *options, } else if (streq(p[0], "tls-crypt") && p[1] && !p[3]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION | OPT_P_INLINE); if (permission_mask & OPT_P_GENERAL) { options->tls_crypt_file = p[1]; @@ -9844,7 +9689,7 @@ add_option(struct options *options, } else if (streq(p[0], "tls-crypt-v2") && p[1] && !p[3]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION | OPT_P_INLINE); if (permission_mask & OPT_P_GENERAL) { options->tls_crypt_v2_file = p[1]; @@ -9887,19 +9732,19 @@ add_option(struct options *options, { char *s = p[j]; - if (strncmp("ext:", s, 4) == 0 && !x509_username_field_ext_supported(s+4)) + if (strncmp("ext:", s, 4) == 0 && !x509_username_field_ext_supported(s + 4)) { msg(msglevel, "Unsupported x509-username-field extension: %s", s); } - options->x509_username_field[j-1] = p[j]; + options->x509_username_field[j - 1] = p[j]; } } #endif /* ENABLE_X509ALTUSERNAME */ #ifdef ENABLE_PKCS11 else if (streq(p[0], "show-pkcs11-ids") && !p[3]) { - char *provider = p[1]; - bool cert_private = (p[2] == NULL ? false : (atoi_warn(p[2], msglevel) != 0 )); + char *provider = p[1]; + bool cert_private = (p[2] == NULL ? false : (atoi_warn(p[2], msglevel) != 0)); #ifdef DEFAULT_PKCS11_MODULE if (!provider) @@ -9940,7 +9785,7 @@ add_option(struct options *options, for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) { - options->pkcs11_providers[j-1] = p[j]; + options->pkcs11_providers[j - 1] = p[j]; } } else if (streq(p[0], "pkcs11-protected-authentication")) 
@@ -9951,7 +9796,8 @@ add_option(struct options *options, for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) { - options->pkcs11_protected_authentication[j-1] = atoi_warn(p[j], msglevel) != 0 ? 1 : 0; + options->pkcs11_protected_authentication[j - 1] = + atoi_warn(p[j], msglevel) != 0 ? 1 : 0; } } else if (streq(p[0], "pkcs11-private-mode") && p[1]) @@ -9962,7 +9808,7 @@ add_option(struct options *options, for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) { - sscanf(p[j], "%x", &(options->pkcs11_private_mode[j-1])); + sscanf(p[j], "%x", &(options->pkcs11_private_mode[j - 1])); } } else if (streq(p[0], "pkcs11-cert-private")) @@ -9973,7 +9819,7 @@ add_option(struct options *options, for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) { - options->pkcs11_cert_private[j-1] = (bool) (atoi_warn(p[j], msglevel)); + options->pkcs11_cert_private[j - 1] = (bool)(atoi_warn(p[j], msglevel)); } } else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2]) @@ -10019,13 +9865,13 @@ add_option(struct options *options, if (strncmp(p[1], "EXPORTER", 8)) { msg(msglevel, "Keying material exporter label must begin with " - "\"EXPORTER\""); + "\"EXPORTER\""); goto err; } if (streq(p[1], EXPORT_KEY_DATA_LABEL)) { - msg(msglevel, "Keying material exporter label must not be '" - EXPORT_KEY_DATA_LABEL "'."); + msg(msglevel, + "Keying material exporter label must not be '" EXPORT_KEY_DATA_LABEL "'."); } if (ekm_length < 16 || ekm_length > 4095) { 
@@ -10069,13 +9915,12 @@ add_option(struct options *options, } else if (streq(p[0], "vlan-pvid") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE); + VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INSTANCE); options->vlan_pvid = positive_atoi(p[1], msglevel); if (options->vlan_pvid < OPENVPN_8021Q_MIN_VID || options->vlan_pvid > OPENVPN_8021Q_MAX_VID) { - msg(msglevel, - "the parameter of --vlan-pvid parameters must be >= %u and <= %u", + msg(msglevel, "the parameter of --vlan-pvid parameters must be >= %u and <= %u", OPENVPN_8021Q_MIN_VID, OPENVPN_8021Q_MAX_VID); goto err; } @@ -10096,11 +9941,14 @@ add_option(struct options *options, } if (file) { - msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION); + msg(msglevel_unknown, + "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file, + line, p[0], PACKAGE_VERSION); } else { - msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s): --%s (%s)", p[0], PACKAGE_VERSION); + msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s): --%s (%s)", + p[0], PACKAGE_VERSION); } } err: diff --git a/src/openvpn/options.h b/src/openvpn/options.h index dbd50f0c0..51468ddc0 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h 
@@ -121,33 +121,34 @@ struct connection_entry const char *socks_proxy_port; const char *socks_proxy_authfile; - int tun_mtu; /* MTU of tun device */ - int occ_mtu; /* if non-null, this is the MTU we announce to peers in OCC */ - int tun_mtu_max; /* maximum MTU that can be pushed */ + int tun_mtu; /* MTU of tun device */ + int occ_mtu; /* if non-null, this is the MTU we announce to peers in OCC */ + int tun_mtu_max; /* maximum MTU that can be pushed */ bool tun_mtu_defined; /* true if user overriding parm with command line option */ int tun_mtu_extra; bool tun_mtu_extra_defined; - int link_mtu; /* MTU of device over which tunnel packets pass via TCP/UDP */ + int link_mtu; /* MTU of device over which tunnel packets pass via TCP/UDP */ bool link_mtu_defined; /* true if user overriding parm with command line option */ - int tls_mtu; /* Maximum MTU for the control channel messages */ + int tls_mtu; /* Maximum MTU for the control channel messages */ /* Advanced MTU negotiation and datagram fragmentation options */ int mtu_discover_type; /* used if OS supports setting Path MTU discovery options on socket */ - int fragment; /* internal fragmentation size */ - bool fragment_encap; /* true if --fragment had the "mtu" parameter to - * include overhead from IP and TCP/UDP encapsulation */ - int mssfix; /* Upper bound on TCP MSS */ - bool mssfix_default; /* true if --mssfix should use the default parameters */ - bool mssfix_encap; /* true if --mssfix had the "mtu" parameter to include - * overhead from IP and TCP/UDP encapsulation */ - bool mssfix_fixed; /* use the mssfix value without any encapsulation adjustments */ + int fragment; /* internal fragmentation size */ + bool fragment_encap; /* true if --fragment had the "mtu" parameter to + * include overhead from IP and TCP/UDP encapsulation */ + int mssfix; /* Upper bound on TCP MSS */ + bool mssfix_default; /* true if --mssfix should use the default parameters */ + bool mssfix_encap; /* true if --mssfix had the "mtu" 
parameter to include + * overhead from IP and TCP/UDP encapsulation */ + bool mssfix_fixed; /* use the mssfix value without any encapsulation adjustments */ - int explicit_exit_notification; /* Explicitly tell peer when we are exiting via OCC_EXIT or [RESTART] message */ + int explicit_exit_notification; /* Explicitly tell peer when we are exiting via OCC_EXIT or + [RESTART] message */ -#define CE_DISABLED (1<<0) -#define CE_MAN_QUERY_PROXY (1<<1) +#define CE_DISABLED (1 << 0) +#define CE_MAN_QUERY_PROXY (1 << 1) #define CE_MAN_QUERY_REMOTE_UNDEF 0 #define CE_MAN_QUERY_REMOTE_QUERY 1 #define CE_MAN_QUERY_REMOTE_ACCEPT 2 @@ -230,7 +231,8 @@ struct remote_host_store char port[RH_PORT_LEN]; }; -enum genkey_type { +enum genkey_type +{ GENKEY_SECRET, GENKEY_TLS_CRYPTV2_CLIENT, GENKEY_TLS_CRYPTV2_SERVER, 
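Review bot: The rewrapped comment on `explicit_exit_notification` in the `struct connection_entry` hunk now has a continuation line with no leading `*`, unlike every other multi-line field comment in the same hunk (`fragment_encap`, `mssfix_encap`). Either shorten it to fit on one line or write it as `/* Explicitly tell peer when we are exiting` / ` * via OCC_EXIT or [RESTART] message */` so the comment style stays uniform; clang-format keeps the `*` prefix on reflowed lines when the comment already uses it. This hunk starts on the previous page line.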
@@ -337,32 +339,32 @@ struct options bool mlock; - int keepalive_ping; /* a proxy for ping/ping-restart */ + int keepalive_ping; /* a proxy for ping/ping-restart */ int keepalive_timeout; - int inactivity_timeout; /* --inactive */ + int inactivity_timeout; /* --inactive */ int64_t inactivity_minimum_bytes; - int session_timeout; /* Force-kill session after n seconds */ + int session_timeout; /* Force-kill session after n seconds */ - int ping_send_timeout; /* Send a TCP/UDP ping to remote every n seconds */ - int ping_rec_timeout; /* Expect a TCP/UDP ping from remote at least once every n seconds */ - bool ping_timer_remote; /* Run ping timer only if we have a remote address */ + int ping_send_timeout; /* Send a TCP/UDP ping to remote every n seconds */ + int ping_rec_timeout; /* Expect a TCP/UDP ping from remote at least once every n seconds */ + bool ping_timer_remote; /* Run ping timer only if we have a remote address */ #define PING_UNDEF 0 #define PING_EXIT 1 #define PING_RESTART 2 int ping_rec_timeout_action; /* What action to take on ping_rec_timeout (exit or restart)? */ - bool persist_tun; /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */ - bool persist_local_ip; /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */ - bool persist_remote_ip; /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */ + bool persist_tun; /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */ + bool persist_local_ip; /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */ + bool persist_remote_ip; /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */ #if PASSTOS_CAPABILITY bool passtos; #endif - int resolve_retry_seconds; /* If hostname resolve fails, retry for n seconds */ + int resolve_retry_seconds; /* If hostname resolve fails, retry for n seconds */ bool resolve_in_advance; const char *ip_remote_hint; 
@@ -433,7 +435,7 @@ struct options int route_delay_window; bool route_delay_defined; struct route_option_list *routes; - struct route_ipv6_option_list *routes_ipv6; /* IPv6 */ + struct route_ipv6_option_list *routes_ipv6; /* IPv6 */ bool block_ipv6; bool route_nopull; bool route_gateway_via_dhcp; @@ -468,13 +470,13 @@ struct options bool server_defined; in_addr_t server_network; in_addr_t server_netmask; - bool server_ipv6_defined; /* IPv6 */ - struct in6_addr server_network_ipv6; /* IPv6 */ - unsigned int server_netbits_ipv6; /* IPv6 */ + bool server_ipv6_defined; /* IPv6 */ + struct in6_addr server_network_ipv6; /* IPv6 */ + unsigned int server_netbits_ipv6; /* IPv6 */ -#define SF_NOPOOL (1<<0) -#define SF_TCP_NODELAY_HELPER (1<<1) -#define SF_NO_PUSH_ROUTE_GATEWAY (1<<2) +#define SF_NOPOOL (1 << 0) +#define SF_TCP_NODELAY_HELPER (1 << 1) +#define SF_NO_PUSH_ROUTE_GATEWAY (1 << 2) unsigned int server_flags; bool server_bridge_proxy_dhcp; @@ -493,9 +495,9 @@ struct options const char *ifconfig_pool_persist_filename; int ifconfig_pool_persist_refresh_freq; - bool ifconfig_ipv6_pool_defined; /* IPv6 */ - struct in6_addr ifconfig_ipv6_pool_base; /* IPv6 */ - int ifconfig_ipv6_pool_netbits; /* IPv6 */ + bool ifconfig_ipv6_pool_defined; /* IPv6 */ + struct in6_addr ifconfig_ipv6_pool_base; /* IPv6 */ + int ifconfig_ipv6_pool_netbits; /* IPv6 */ int real_hash_size; int virtual_hash_size; @@ -510,7 +512,7 @@ struct options int n_bcast_buf; int tcp_queue_limit; struct iroute *iroutes; - struct iroute_ipv6 *iroutes_ipv6; /* IPv6 */ + struct iroute_ipv6 *iroutes_ipv6; /* IPv6 */ bool push_ifconfig_defined; in_addr_t push_ifconfig_local; in_addr_t push_ifconfig_remote_netmask; 
@@ -518,12 +520,12 @@ struct options bool push_ifconfig_constraint_defined; in_addr_t push_ifconfig_constraint_network; in_addr_t push_ifconfig_constraint_netmask; - bool push_ifconfig_ipv4_blocked; /* IPv4 */ - bool push_ifconfig_ipv6_defined; /* IPv6 */ - struct in6_addr push_ifconfig_ipv6_local; /* IPv6 */ - int push_ifconfig_ipv6_netbits; /* IPv6 */ - struct in6_addr push_ifconfig_ipv6_remote; /* IPv6 */ - bool push_ifconfig_ipv6_blocked; /* IPv6 */ + bool push_ifconfig_ipv4_blocked; /* IPv4 */ + bool push_ifconfig_ipv6_defined; /* IPv6 */ + struct in6_addr push_ifconfig_ipv6_local; /* IPv6 */ + int push_ifconfig_ipv6_netbits; /* IPv6 */ + struct in6_addr push_ifconfig_ipv6_remote; /* IPv6 */ + bool push_ifconfig_ipv6_blocked; /* IPv6 */ bool enable_c2c; bool duplicate_cn; @@ -572,8 +574,8 @@ struct options bool allow_deprecated_insecure_static_crypto; int key_direction; const char *ciphername; - bool enable_ncp_fallback; /**< If defined fall back to - * ciphername if NCP fails */ + bool enable_ncp_fallback; /**< If defined fall back to + * ciphername if NCP fails */ /** The original ncp_ciphers specified by the user in the configuration*/ const char *ncp_ciphers_conf; const char *ncp_ciphers; 
@@ -727,40 +729,40 @@ struct options /* * Option classes. */ -#define OPT_P_GENERAL (1<<0) -#define OPT_P_UP (1<<1) -#define OPT_P_ROUTE (1<<2) -#define OPT_P_DHCPDNS (1<<3) /* includes ip windows options like */ -#define OPT_P_SCRIPT (1<<4) -#define OPT_P_SETENV (1<<5) -#define OPT_P_SHAPER (1<<6) -#define OPT_P_TIMER (1<<7) -#define OPT_P_PERSIST (1<<8) -#define OPT_P_PERSIST_IP (1<<9) -#define OPT_P_COMP (1<<10) /* TODO */ -#define OPT_P_MESSAGES (1<<11) -#define OPT_P_NCP (1<<12) /**< Negotiable crypto parameters */ -#define OPT_P_TLS_PARMS (1<<13) /* TODO */ -#define OPT_P_MTU (1<<14) /* TODO */ -#define OPT_P_NICE (1<<15) -#define OPT_P_PUSH (1<<16) -#define OPT_P_INSTANCE (1<<17) /**< allowed in ccd, client-connect etc*/ -#define OPT_P_CONFIG (1<<18) -#define OPT_P_EXPLICIT_NOTIFY (1<<19) -#define OPT_P_ECHO (1<<20) -#define OPT_P_INHERIT (1<<21) -#define OPT_P_ROUTE_EXTRAS (1<<22) -#define OPT_P_PULL_MODE (1<<23) -#define OPT_P_PLUGIN (1<<24) -#define OPT_P_SOCKBUF (1<<25) -#define OPT_P_SOCKFLAGS (1<<26) -#define OPT_P_CONNECTION (1<<27) -#define OPT_P_PEER_ID (1<<28) -#define OPT_P_INLINE (1<<29) -#define OPT_P_PUSH_MTU (1<<30) -#define OPT_P_ROUTE_TABLE (1<<31) - -#define OPT_P_DEFAULT (~(OPT_P_INSTANCE|OPT_P_PULL_MODE)) +#define OPT_P_GENERAL (1 << 0) +#define OPT_P_UP (1 << 1) +#define OPT_P_ROUTE (1 << 2) +#define OPT_P_DHCPDNS (1 << 3) /* includes ip windows options like */ +#define OPT_P_SCRIPT (1 << 4) +#define OPT_P_SETENV (1 << 5) +#define OPT_P_SHAPER (1 << 6) +#define OPT_P_TIMER (1 << 7) +#define OPT_P_PERSIST (1 << 8) +#define OPT_P_PERSIST_IP (1 << 9) +#define OPT_P_COMP (1 << 10) /* TODO */ +#define OPT_P_MESSAGES (1 << 11) +#define OPT_P_NCP (1 << 12) /**< Negotiable crypto parameters */ +#define OPT_P_TLS_PARMS (1 << 13) /* TODO */ +#define OPT_P_MTU (1 << 14) /* TODO */ +#define OPT_P_NICE (1 << 15) +#define OPT_P_PUSH (1 << 16) +#define OPT_P_INSTANCE (1 << 17) /**< allowed in ccd, client-connect etc*/ +#define OPT_P_CONFIG (1 << 18) 
+#define OPT_P_EXPLICIT_NOTIFY (1 << 19) +#define OPT_P_ECHO (1 << 20) +#define OPT_P_INHERIT (1 << 21) +#define OPT_P_ROUTE_EXTRAS (1 << 22) +#define OPT_P_PULL_MODE (1 << 23) +#define OPT_P_PLUGIN (1 << 24) +#define OPT_P_SOCKBUF (1 << 25) +#define OPT_P_SOCKFLAGS (1 << 26) +#define OPT_P_CONNECTION (1 << 27) +#define OPT_P_PEER_ID (1 << 28) +#define OPT_P_INLINE (1 << 29) +#define OPT_P_PUSH_MTU (1 << 30) +#define OPT_P_ROUTE_TABLE (1 << 31) + +#define OPT_P_DEFAULT (~(OPT_P_INSTANCE | OPT_P_PULL_MODE)) #define PULL_DEFINED(opt) ((opt)->pull) #define PUSH_DEFINED(opt) ((opt)->push_list) @@ -796,18 +798,18 @@ struct options /* * some PUSH_UPDATE options */ -#define OPT_P_U_ROUTE (1<<0) -#define OPT_P_U_ROUTE6 (1<<1) -#define OPT_P_U_DNS (1<<2) -#define OPT_P_U_DHCP (1<<3) -#define OPT_P_U_REDIR_GATEWAY (1<<4) +#define OPT_P_U_ROUTE (1 << 0) +#define OPT_P_U_ROUTE6 (1 << 1) +#define OPT_P_U_DNS (1 << 2) +#define OPT_P_U_DHCP (1 << 3) +#define OPT_P_U_REDIR_GATEWAY (1 << 4) struct pull_filter { -#define PUF_TYPE_UNDEF 0 /**< undefined filter type */ -#define PUF_TYPE_ACCEPT 1 /**< filter type to accept a matching option */ -#define PUF_TYPE_IGNORE 2 /**< filter type to ignore a matching option */ -#define PUF_TYPE_REJECT 3 /**< filter type to reject and trigger SIGUSR1 */ +#define PUF_TYPE_UNDEF 0 /**< undefined filter type */ +#define PUF_TYPE_ACCEPT 1 /**< filter type to accept a matching option */ +#define PUF_TYPE_IGNORE 2 /**< filter type to ignore a matching option */ +#define PUF_TYPE_REJECT 3 /**< filter type to reject and trigger SIGUSR1 */ int type; int size; char *pattern; 
@@ -820,12 +822,8 @@ struct pull_filter_list struct pull_filter *tail; }; -void parse_argv(struct options *options, - const int argc, - char *argv[], - const int msglevel, - const unsigned int permission_mask, - unsigned int *option_types_found, +void parse_argv(struct options *options, const int argc, char *argv[], const int msglevel, + const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es); void notnull(const char *arg, const char *description); @@ -853,12 +851,8 @@ bool string_defined_equal(const char *s1, const char *s2); const char *options_string_version(const char *s, struct gc_arena *gc); -char *options_string(const struct options *o, - const struct frame *frame, - struct tuntap *tt, - openvpn_net_ctx_t *ctx, - bool remote, - struct gc_arena *gc); +char *options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, + openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc); bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n); @@ -878,8 +872,8 @@ void options_warning(char *actual, const char *expected); * @return gc-allocated value of option with name opt_name if option was found, * or NULL otherwise. */ -char *options_string_extract_option(const char *options_string, - const char *opt_name, struct gc_arena *gc); +char *options_string_extract_option(const char *options_string, const char *opt_name, + struct gc_arena *gc); void options_postprocess(struct options *options, struct env_set *es); 
@@ -888,34 +882,22 @@ bool options_postprocess_pull(struct options *o, struct env_set *es);
 void pre_connect_restore(struct options *o, struct gc_arena *gc);
-bool apply_push_options(struct context *c,
- struct options *options,
- struct buffer *buf,
- unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es,
- bool is_update);
+bool apply_push_options(struct context *c, struct options *options, struct buffer *buf,
+ unsigned int permission_mask, unsigned int *option_types_found,
+ struct env_set *es, bool is_update);
 void options_detach(struct options *o);
-void options_server_import(struct options *o,
- const char *filename,
- int msglevel,
- unsigned int permission_mask,
- unsigned int *option_types_found,
+void options_server_import(struct options *o, const char *filename, int msglevel,
+ unsigned int permission_mask, unsigned int *option_types_found,
 struct env_set *es);
 void pre_pull_default(struct options *o);
 void rol_check_alloc(struct options *options);
-int parse_line(const char *line,
- char *p[],
- const int n,
- const char *file,
- const int line_num,
- int msglevel,
- struct gc_arena *gc);
+int parse_line(const char *line, char *p[], const int n, const char *file, const int line_num,
+ int msglevel, struct gc_arena *gc);
 /*
 * parse/print topology coding
@@ -939,11 +921,8 @@ bool auth_retry_set(const int msglevel, const char *option);
 const char *auth_retry_print(void);
-void options_string_import(struct options *options,
- const char *config,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
+void options_string_import(struct options *options, const char *config, const int msglevel,
+ const unsigned int permission_mask, unsigned int *option_types_found,
 struct env_set *es);
 bool key_is_external(const struct options *options);
diff --git a/src/openvpn/options_util.c b/src/openvpn/options_util.c
index e469c28b9..5251b2113 100644
--- a/src/openvpn/options_util.c
+++ b/src/openvpn/options_util.c
@@ -124,12 +124,11 @@ positive_atoi(const char *str, int msglevel)
 if (i < 0 || *endptr != '\0' || i > INT_MAX)
 {
- msg(msglevel, "Cannot parse argument '%s' as non-negative integer",
- str);
+ msg(msglevel, "Cannot parse argument '%s' as non-negative integer", str);
 i = 0;
 }
- return (int) i;
+ return (int)i;
 }
 int
@@ -144,27 +143,17 @@ atoi_warn(const char *str, int msglevel)
 i = 0;
 }
- return (int) i;
+ return (int)i;
 }
-static const char *updatable_options[] = {
- "block-ipv6",
- "block-outside-dns",
- "dhcp-option",
- "dns",
- "ifconfig",
- "ifconfig-ipv6",
- "push-continuation",
- "redirect-gateway",
- "redirect-private",
- "route",
- "route-gateway",
- "route-ipv6",
- "route-metric",
- "topology",
- "tun-mtu",
- "keepalive"
-};
+static const char *updatable_options[] = { "block-ipv6", "block-outside-dns",
+ "dhcp-option", "dns",
+ "ifconfig", "ifconfig-ipv6",
+ "push-continuation", "redirect-gateway",
+ "redirect-private", "route",
+ "route-gateway", "route-ipv6",
+ "route-metric", "topology",
+ "tun-mtu", "keepalive" };
 bool
 check_push_update_option_flags(char *line, int *i, unsigned int *flags)
@@ -196,7 +185,7 @@ check_push_update_option_flags(char *line, int *i, unsigned int *flags)
 }
 size_t len = strlen(&line[*i]);
- int count = sizeof(updatable_options)/sizeof(char *);
+ int count = sizeof(updatable_options) / sizeof(char *);
 for (int j = 0; j < count; ++j)
 {
 size_t opt_len = strlen(updatable_options[j]);
diff --git a/src/openvpn/options_util.h b/src/openvpn/options_util.h
index 23fd78d62..6f81b1ef2 100644
--- a/src/openvpn/options_util.h
+++ b/src/openvpn/options_util.h
@@ -26,28 +26,24 @@
 #include "options.h"
-const char *
-parse_auth_failed_temp(struct options *o, const char *reason);
+const char *parse_auth_failed_temp(struct options *o, const char *reason);
 /** Checks if the string is a valid integer by checking if it can be
 * converted to an integer */
-bool
-valid_integer(const char *str, bool positive);
+bool valid_integer(const char *str, bool positive);
 /**
 * Converts a str to a positive number if the string represents a postive
 * integer number. Otherwise print a warning with msglevel and return 0
 */
-int
-positive_atoi(const char *str, int msglevel);
+int positive_atoi(const char *str, int msglevel);
 /**
 * Converts a str to an integer if the string can be represented as an
 * integer number. Otherwise print a warning with msglevel and return 0
 */
-int
-atoi_warn(const char *str, int msglevel);
+int atoi_warn(const char *str, int msglevel);
 /**
 * Filter an option line by all pull filters.
@@ -57,9 +53,7 @@ atoi_warn(const char *str, int msglevel);
 * reject, SIGUSR1 is triggered and the return value is false.
 * In that case the caller must end the push processing.
 */
-bool
-apply_pull_filter(const struct options *o,
- char *line);
+bool apply_pull_filter(const struct options *o, char *line);
 /**
 * @brief Checks the formatting and validity of options inside push-update messages.
@@ -89,7 +83,6 @@ apply_pull_filter(const struct options *o,
 * - The `line` parameter is empty or `NULL`.
 * - The `?` flag is absent and the option is not updatable.
 */
-bool
-check_push_update_option_flags(char *line, int *i, unsigned int *flags);
+bool check_push_update_option_flags(char *line, int *i, unsigned int *flags);
 #endif /* ifndef OPTIONS_UTIL_H_ */
diff --git a/src/openvpn/otime.c b/src/openvpn/otime.c
index d6b9c2c34..717f7495e 100644
--- a/src/openvpn/otime.c
+++ b/src/openvpn/otime.c
@@ -83,9 +83,7 @@ const char *
 tv_string(const struct timeval *tv, struct gc_arena *gc)
 {
 struct buffer out = alloc_buf_gc(64, gc);
- buf_printf(&out, "[%" PRIi64 "/%ld]",
- (int64_t)tv->tv_sec,
- (long)tv->tv_usec);
+ buf_printf(&out, "[%" PRIi64 "/%ld]", (int64_t)tv->tv_sec, (long)tv->tv_usec);
 return BSTR(&out);
 }
@@ -97,10 +95,7 @@ tv_string(const struct timeval *tv, struct gc_arena *gc)
 const char *
 tv_string_abs(const struct timeval *tv, struct gc_arena *gc)
 {
- return time_string((time_t) tv->tv_sec,
- (long) tv->tv_usec,
- true,
- gc);
+ return time_string((time_t)tv->tv_sec, (long)tv->tv_usec, true, gc);
 }
 /* format a time_t as ascii, or use current time if 0 */
@@ -124,9 +119,8 @@ time_string(time_t t, long usec, bool show_usec, struct gc_arena *gc)
 t = tv.tv_sec;
 struct tm *tm = localtime(&t);
- buf_printf(&out, "%04d-%02d-%02d %02d:%02d:%02d",
- tm->tm_year+1900, tm->tm_mon+1, tm->tm_mday,
- tm->tm_hour, tm->tm_min, tm->tm_sec);
+ buf_printf(&out, "%04d-%02d-%02d %02d:%02d:%02d", tm->tm_year + 1900, tm->tm_mon + 1,
+ tm->tm_mday, tm->tm_hour, tm->tm_min, tm->tm_sec);
 if (show_usec && tv.tv_usec)
 {
@@ -196,9 +190,7 @@ time_test(void)
 t = time(NULL);
 gettimeofday(&tv, NULL);
 #if 1
- msg(M_INFO, "t=%" PRIi64 " s=%" PRIi64 " us=%ld",
- (int64_t)t,
- (int64_t)tv.tv_sec,
+ msg(M_INFO, "t=%" PRIi64 " s=%" PRIi64 " us=%ld", (int64_t)t, (int64_t)tv.tv_sec,
 (long)tv.tv_usec);
 #endif
 }
diff --git a/src/openvpn/otime.h b/src/openvpn/otime.h
index 29e804675..5c700bb35 100644
--- a/src/openvpn/otime.h
+++ b/src/openvpn/otime.h
@@ -236,7 +236,7 @@ tv_delta(struct timeval *dest, const struct timeval *t1, const struct timeval *t
 dest->tv_usec = usec;
 }
-#define TV_WITHIN_SIGMA_MAX_SEC 600
+#define TV_WITHIN_SIGMA_MAX_SEC 600
 #define TV_WITHIN_SIGMA_MAX_USEC (TV_WITHIN_SIGMA_MAX_SEC * 1000000)
 /*
@@ -259,7 +259,7 @@ interval_earliest_wakeup(interval_t *wakeup, time_t at, time_t current)
 {
 if (at > current)
 {
- const interval_t delta = (interval_t) (at - current);
+ const interval_t delta = (interval_t)(at - current);
 if (delta < *wakeup)
 {
 *wakeup = delta;
diff --git a/src/openvpn/ovpn_dco_freebsd.h b/src/openvpn/ovpn_dco_freebsd.h
index 7eb643b44..6006b548e 100644
--- a/src/openvpn/ovpn_dco_freebsd.h
+++ b/src/openvpn/ovpn_dco_freebsd.h
@@ -32,42 +32,46 @@
 #include
 /* Maximum size of an ioctl request. */
-#define OVPN_MAX_REQUEST_SIZE 4096
+#define OVPN_MAX_REQUEST_SIZE 4096
-enum ovpn_notif_type {
+enum ovpn_notif_type
+{
 OVPN_NOTIF_DEL_PEER,
 OVPN_NOTIF_ROTATE_KEY,
 OVPN_NOTIF_FLOAT,
 };
-enum ovpn_del_reason {
- OVPN_DEL_REASON_REQUESTED = 0,
- OVPN_DEL_REASON_TIMEOUT = 1
+enum ovpn_del_reason
+{
+ OVPN_DEL_REASON_REQUESTED = 0,
+ OVPN_DEL_REASON_TIMEOUT = 1
 };
-enum ovpn_key_slot {
- OVPN_KEY_SLOT_PRIMARY = 0,
+enum ovpn_key_slot
+{
+ OVPN_KEY_SLOT_PRIMARY = 0,
 OVPN_KEY_SLOT_SECONDARY = 1
 };
-enum ovpn_key_cipher {
- OVPN_CIPHER_ALG_NONE = 0,
- OVPN_CIPHER_ALG_AES_GCM = 1,
- OVPN_CIPHER_ALG_CHACHA20_POLY1305 = 2
+enum ovpn_key_cipher
+{
+ OVPN_CIPHER_ALG_NONE = 0,
+ OVPN_CIPHER_ALG_AES_GCM = 1,
+ OVPN_CIPHER_ALG_CHACHA20_POLY1305 = 2
 };
-#define OVPN_NEW_PEER _IO('D', 1)
-#define OVPN_DEL_PEER _IO('D', 2)
-#define OVPN_GET_STATS _IO('D', 3)
-#define OVPN_NEW_KEY _IO('D', 4)
-#define OVPN_SWAP_KEYS _IO('D', 5)
-#define OVPN_DEL_KEY _IO('D', 6)
-#define OVPN_SET_PEER _IO('D', 7)
-#define OVPN_START_VPN _IO('D', 8)
-#define OVPN_SEND_PKT _IO('D', 9)
-#define OVPN_POLL_PKT _IO('D', 10)
-#define OVPN_GET_PKT _IO('D', 11)
-#define OVPN_SET_IFMODE _IO('D', 12)
-#define OVPN_GET_PEER_STATS _IO('D', 13)
+#define OVPN_NEW_PEER _IO('D', 1)
+#define OVPN_DEL_PEER _IO('D', 2)
+#define OVPN_GET_STATS _IO('D', 3)
+#define OVPN_NEW_KEY _IO('D', 4)
+#define OVPN_SWAP_KEYS _IO('D', 5)
+#define OVPN_DEL_KEY _IO('D', 6)
+#define OVPN_SET_PEER _IO('D', 7)
+#define OVPN_START_VPN _IO('D', 8)
+#define OVPN_SEND_PKT _IO('D', 9)
+#define OVPN_POLL_PKT _IO('D', 10)
+#define OVPN_GET_PKT _IO('D', 11)
+#define OVPN_SET_IFMODE _IO('D', 12)
+#define OVPN_GET_PEER_STATS _IO('D', 13)
 #endif /* ifndef _NET_IF_OVPN_H_ */
diff --git a/src/openvpn/packet_id.c b/src/openvpn/packet_id.c
index e6ca601bd..09696db2d 100644
--- a/src/openvpn/packet_id.c
+++ b/src/openvpn/packet_id.c
@@ -53,20 +53,15 @@
 #define SEQ_EXPIRED ((time_t)1)
 #ifdef ENABLE_DEBUG
-static void packet_id_debug_print(int msglevel,
- const struct packet_id_rec *p,
- const struct packet_id_net *pin,
- const char *message,
+static void packet_id_debug_print(int msglevel, const struct packet_id_rec *p,
+ const struct packet_id_net *pin, const char *message,
 packet_id_print_type value);
 #endif /* ENABLE_DEBUG */
 static inline void
-packet_id_debug(int msglevel,
- const struct packet_id_rec *p,
- const struct packet_id_net *pin,
- const char *message,
- uint64_t value)
+packet_id_debug(int msglevel, const struct packet_id_rec *p, const struct packet_id_net *pin,
+ const char *message, uint64_t value)
 {
 #ifdef ENABLE_DEBUG
 if (unlikely(check_debug_level(msglevel)))
@@ -77,7 +72,8 @@ packet_id_debug(int msglevel,
 }
 static void
-packet_id_init_recv(struct packet_id_rec *rec, int seq_backtrack, int time_backtrack, const char *name, int unit)
+packet_id_init_recv(struct packet_id_rec *rec, int seq_backtrack, int time_backtrack,
+ const char *name, int unit)
 {
 rec->name = name;
 rec->unit = unit;
@@ -92,10 +88,10 @@ packet_id_init_recv(struct packet_id_rec *rec, int seq_backtrack, int time_backt
 rec->initialized = true;
 }
 void
-packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
+packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name,
+ int unit)
 {
- dmsg(D_PID_DEBUG, "PID packet_id_init seq_backtrack=%d time_backtrack=%d",
- seq_backtrack,
+ dmsg(D_PID_DEBUG, "PID packet_id_init seq_backtrack=%d time_backtrack=%d", seq_backtrack,
 time_backtrack);
 ASSERT(p);
@@ -118,8 +114,7 @@ packet_id_move_recv(struct packet_id_rec *dest, struct packet_id_rec *src)
 /* Reinitalise the source */
 CLEAR(*src);
- packet_id_init_recv(src, dest->seq_backtrack, dest->time_backtrack,
- dest->name, dest->unit);
+ packet_id_init_recv(src, dest->seq_backtrack, dest->time_backtrack, dest->name, dest->unit);
 }
 void
@@ -145,10 +140,8 @@ packet_id_add(struct packet_id_rec *p, const struct packet_id_net *pin)
 * If time value increases, start a new sequence list of number
 * sequence for the new time point.
 */
- if (!CIRC_LIST_SIZE(p->seq_list)
- || pin->time > p->time
- || (pin->id >= p->seq_backtrack
- && pin->id - p->seq_backtrack > p->id))
+ if (!CIRC_LIST_SIZE(p->seq_list) || pin->time > p->time
+ || (pin->id >= p->seq_backtrack && pin->id - p->seq_backtrack > p->id))
 {
 p->time = pin->time;
 p->id = 0;
@@ -163,15 +156,14 @@ packet_id_add(struct packet_id_rec *p, const struct packet_id_net *pin)
 #ifdef PID_SIMULATE_BACKTRACK
 || (get_random() % 64) < 31
 #endif
- )
+ )
 {
 CIRC_LIST_PUSH(p->seq_list, SEQ_UNSEEN);
 ++p->id;
 }
 diff = p->id - pin->id;
- if (diff < CIRC_LIST_SIZE(p->seq_list)
- && local_now > SEQ_EXPIRED)
+ if (diff < CIRC_LIST_SIZE(p->seq_list) && local_now > SEQ_EXPIRED)
 {
 CIRC_LIST_ITEM(p->seq_list, diff) = local_now;
 }
@@ -220,8 +212,7 @@ packet_id_reap(struct packet_id_rec *p)
 * it is a replay.
 */
 bool
-packet_id_test(struct packet_id_rec *p,
- const struct packet_id_net *pin)
+packet_id_test(struct packet_id_rec *p, const struct packet_id_net *pin)
 {
 uint64_t diff;
@@ -257,10 +248,11 @@ packet_id_test(struct packet_id_rec *p,
 if (diff > p->max_backtrack_stat)
 {
 p->max_backtrack_stat = diff;
- packet_id_debug(D_PID_DEBUG_LOW, p, pin, "PID_ERR replay-window backtrack occurred", p->max_backtrack_stat);
+ packet_id_debug(D_PID_DEBUG_LOW, p, pin, "PID_ERR replay-window backtrack occurred",
+ p->max_backtrack_stat);
 }
- if (diff >= (packet_id_type) CIRC_LIST_SIZE(p->seq_list))
+ if (diff >= (packet_id_type)CIRC_LIST_SIZE(p->seq_list))
 {
 packet_id_debug(D_PID_DEBUG_LOW, p, pin, "PID_ERR large diff", diff);
 return false;
@@ -285,7 +277,7 @@ packet_id_test(struct packet_id_rec *p,
 packet_id_debug(D_PID_DEBUG_LOW, p, pin, "PID_ERR time backtrack", 0);
 return false;
 }
- else /* time moved forward */
+ else /* time moved forward */
 {
 return true;
 }
@@ -306,7 +298,7 @@ packet_id_test(struct packet_id_rec *p,
 {
 return false;
 }
- else /* time moved forward */
+ else /* time moved forward */
 {
 return pin->id == 1;
 }
@@ -382,8 +374,7 @@ packet_id_send_update_epoch(struct packet_id_send *p)
 }
 bool
-packet_id_write(struct packet_id_send *p, struct buffer *buf, bool long_form,
- bool prepend)
+packet_id_write(struct packet_id_send *p, struct buffer *buf, bool long_form, bool prepend)
 {
 if (!packet_id_send_update(p, long_form))
 {
@@ -431,8 +422,7 @@ packet_id_net_print(const struct packet_id_net *pin, bool print_timestamp, struc
 buf_printf(&out, "[ #" packet_id_format, (packet_id_print_type)pin->id);
 if (print_timestamp && pin->time)
 {
- buf_printf(&out, " / time = (" packet_id_format ") %s",
- (packet_id_print_type)pin->time,
+ buf_printf(&out, " / time = (" packet_id_format ") %s", (packet_id_print_type)pin->time,
 time_string(pin->time, 0, false, gc));
 }
@@ -472,13 +462,10 @@ packet_id_persist_load(struct packet_id_persist *p, const char *filename)
 if (!packet_id_persist_enabled(p))
 {
 /* open packet-id persist file for both read and write */
- p->fd = platform_open(filename,
- O_CREAT | O_RDWR | O_BINARY,
- S_IRUSR | S_IWUSR);
+ p->fd = platform_open(filename, O_CREAT | O_RDWR | O_BINARY, S_IRUSR | S_IWUSR);
 if (p->fd == -1)
 {
- msg(D_PID_PERSIST | M_ERRNO,
- "Cannot open --replay-persist file %s for read/write",
+ msg(D_PID_PERSIST | M_ERRNO, "Cannot open --replay-persist file %s for read/write",
 filename);
 }
 else
@@ -499,14 +486,12 @@ packet_id_persist_load(struct packet_id_persist *p, const char *filename)
 {
 p->time = p->time_last_written = image.time;
 p->id = p->id_last_written = image.id;
- dmsg(D_PID_PERSIST_DEBUG, "PID Persist Read from %s: %s",
- p->filename, packet_id_persist_print(p, &gc));
+ dmsg(D_PID_PERSIST_DEBUG, "PID Persist Read from %s: %s", p->filename,
+ packet_id_persist_print(p, &gc));
 }
 else if (n == -1)
 {
- msg(D_PID_PERSIST | M_ERRNO,
- "Read error on --replay-persist file %s",
- p->filename);
+ msg(D_PID_PERSIST | M_ERRNO, "Read error on --replay-persist file %s", p->filename);
 }
 }
 }
@@ -517,8 +502,8 @@ packet_id_persist_load(struct packet_id_persist *p, const char *filename)
 void
 packet_id_persist_save(struct packet_id_persist *p)
 {
- if (packet_id_persist_enabled(p) && p->time && (p->time != p->time_last_written
- || p->id != p->id_last_written))
+ if (packet_id_persist_enabled(p) && p->time
+ && (p->time != p->time_last_written || p->id != p->id_last_written))
 {
 struct packet_id_persist_file_image image;
 ssize_t n;
@@ -535,20 +520,18 @@ packet_id_persist_save(struct packet_id_persist *p)
 {
 p->time_last_written = p->time;
 p->id_last_written = p->id;
- dmsg(D_PID_PERSIST_DEBUG, "PID Persist Write to %s: %s",
- p->filename, packet_id_persist_print(p, &gc));
+ dmsg(D_PID_PERSIST_DEBUG, "PID Persist Write to %s: %s", p->filename,
+ packet_id_persist_print(p, &gc));
 }
 else
 {
- msg(D_PID_PERSIST | M_ERRNO,
- "Cannot write to --replay-persist file %s",
+ msg(D_PID_PERSIST | M_ERRNO, "Cannot write to --replay-persist file %s",
 p->filename);
 }
 }
 else
 {
- msg(D_PID_PERSIST | M_ERRNO,
- "Cannot seek to beginning of --replay-persist file %s",
+ msg(D_PID_PERSIST | M_ERRNO, "Cannot seek to beginning of --replay-persist file %s",
 p->filename);
 }
 gc_free(&gc);
@@ -578,8 +561,7 @@ packet_id_persist_print(const struct packet_id_persist *p, struct gc_arena *gc)
 buf_printf(&out, " #" packet_id_format, (packet_id_print_type)p->id);
 if (p->time)
 {
- buf_printf(&out, " / time = (" packet_id_format ") %s",
- (packet_id_print_type)p->time,
+ buf_printf(&out, " / time = (" packet_id_format ") %s", (packet_id_print_type)p->time,
 time_string(p->time, 0, false, gc));
 }
 }
@@ -591,11 +573,8 @@ packet_id_persist_print(const struct packet_id_persist *p, struct gc_arena *gc)
 #ifdef ENABLE_DEBUG
 static void
-packet_id_debug_print(int msglevel,
- const struct packet_id_rec *p,
- const struct packet_id_net *pin,
- const char *message,
- packet_id_print_type value)
+packet_id_debug_print(int msglevel, const struct packet_id_rec *p, const struct packet_id_net *pin,
+ const char *message, packet_id_print_type value)
 {
 struct gc_arena gc = gc_new();
 struct buffer out = alloc_buf_gc(256, &gc);
@@ -648,23 +627,13 @@ packet_id_debug_print(int msglevel,
 buf_printf(&out, " %" PRIi64 ":" packet_id_format, (int64_t)pin->time, pin->id);
 }
- buf_printf(&out, " t=%" PRIi64 "[%d]",
- (int64_t)prev_now,
- (int)(prev_now - tv.tv_sec));
+ buf_printf(&out, " t=%" PRIi64 "[%d]", (int64_t)prev_now, (int)(prev_now - tv.tv_sec));
- buf_printf(&out, " r=[%d,%" PRIu64 ",%d,%" PRIu64 ",%d]",
- (int)(p->last_reap - tv.tv_sec),
- p->seq_backtrack,
- p->time_backtrack,
- p->max_backtrack_stat,
- (int)p->initialized);
+ buf_printf(&out, " r=[%d,%" PRIu64 ",%d,%" PRIu64 ",%d]", (int)(p->last_reap - tv.tv_sec),
+ p->seq_backtrack, p->time_backtrack, p->max_backtrack_stat, (int)p->initialized);
 if (sl != NULL)
 {
- buf_printf(&out, " sl=[%d,%d,%d,%d]",
- sl->x_head,
- sl->x_size,
- sl->x_cap,
- sl->x_sizeof);
+ buf_printf(&out, " sl=[%d,%d,%d,%d]", sl->x_head, sl->x_size, sl->x_cap, sl->x_sizeof);
 }
@@ -704,7 +673,7 @@ packet_id_write_epoch(struct packet_id_send *p, uint16_t epoch, struct buffer *b
 /* Highest 16 bits of packet id is the epoch.
 *
 * The lower 48 bits are the per-epoch packet id counter. */
- uint64_t net_id = ((uint64_t) epoch) << 48 | p->id;
+ uint64_t net_id = ((uint64_t)epoch) << 48 | p->id;
 /* convert to network order. This ensures that the highest bytes
 * also become the first ones on the wire*/
diff --git a/src/openvpn/packet_id.h b/src/openvpn/packet_id.h
index 8bb695107..a7eb25619 100644
--- a/src/openvpn/packet_id.h
+++ b/src/openvpn/packet_id.h
@@ -43,11 +43,11 @@
 * These are ephemeral and are never saved to a file.
 */
 typedef uint32_t packet_id_type;
-#define PACKET_ID_MAX UINT32_MAX
-#define PACKET_ID_EPOCH_MAX 0x0000ffffffffffffull
+#define PACKET_ID_MAX UINT32_MAX
+#define PACKET_ID_EPOCH_MAX 0x0000ffffffffffffull
 /** Mask of the bits that contain the 48-bit of the per-epoch packet
 * counter in the packet id*/
-#define PACKET_ID_MASK 0x0000ffffffffffffull
+#define PACKET_ID_MASK 0x0000ffffffffffffull
 typedef uint32_t net_time_t;
 /*
@@ -81,8 +81,8 @@ typedef uint64_t packet_id_print_type;
 * sequence number due to packets arriving
 * out of order.
 */
-#define MIN_SEQ_BACKTRACK 0
-#define MAX_SEQ_BACKTRACK 65536
+#define MIN_SEQ_BACKTRACK 0
+#define MAX_SEQ_BACKTRACK 65536
 #define DEFAULT_SEQ_BACKTRACK 64
 /*
@@ -90,8 +90,8 @@ typedef uint64_t packet_id_print_type;
 * seconds due to packets arriving
 * out of order.
 */
-#define MIN_TIME_BACKTRACK 0
-#define MAX_TIME_BACKTRACK 600
+#define MIN_TIME_BACKTRACK 0
+#define MAX_TIME_BACKTRACK 600
 #define DEFAULT_TIME_BACKTRACK 15
 /*
@@ -112,14 +112,14 @@ CIRC_LIST(seq_list, time_t);
 */
 struct packet_id_rec
 {
- time_t last_reap; /* last call of packet_id_reap */
- time_t time; /* highest time stamp received */
- uint64_t id; /* highest sequence number received */
- uint64_t seq_backtrack; /* set from --replay-window */
- int time_backtrack; /* set from --replay-window */
- uint64_t max_backtrack_stat; /* maximum backtrack seen so far */
- bool initialized; /* true if packet_id_init was called */
- struct seq_list *seq_list; /* packet-id "memory" */
+ time_t last_reap; /* last call of packet_id_reap */
+ time_t time; /* highest time stamp received */
+ uint64_t id; /* highest sequence number received */
+ uint64_t seq_backtrack; /* set from --replay-window */
+ int time_backtrack; /* set from --replay-window */
+ uint64_t max_backtrack_stat; /* maximum backtrack seen so far */
+ bool initialized; /* true if packet_id_init was called */
+ struct seq_list *seq_list; /* packet-id "memory" */
 const char *name;
 int unit;
 };
@@ -132,16 +132,16 @@ struct packet_id_persist
 {
 const char *filename;
 int fd;
- time_t time; /* time stamp */
- packet_id_type id; /* sequence number */
+ time_t time; /* time stamp */
+ packet_id_type id; /* sequence number */
 time_t time_last_written;
 packet_id_type id_last_written;
 };
 struct packet_id_persist_file_image
 {
- time_t time; /* time stamp */
- packet_id_type id; /* sequence number */
+ time_t time; /* time stamp */
+ packet_id_type id; /* sequence number */
 };
 /*
@@ -201,7 +201,8 @@ struct packet_id
 struct packet_id_rec rec;
 };
-void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit);
+void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name,
+ int unit);
 void packet_id_free(struct packet_id *p);
@@ -209,16 +210,13 @@ void packet_id_free(struct packet_id *p);
 * Move the packet id recv structure from \c src to \c dest. \c src will
 * be reinitialised. \c dest will be freed before the move.
 */
-void
-packet_id_move_recv(struct packet_id_rec *dest, struct packet_id_rec *src);
+void packet_id_move_recv(struct packet_id_rec *dest, struct packet_id_rec *src);
 /* should we accept an incoming packet id ? */
-bool packet_id_test(struct packet_id_rec *p,
- const struct packet_id_net *pin);
+bool packet_id_test(struct packet_id_rec *p, const struct packet_id_net *pin);
 /* change our current state to reflect an accepted packet id */
-void packet_id_add(struct packet_id_rec *p,
- const struct packet_id_net *pin);
+void packet_id_add(struct packet_id_rec *p, const struct packet_id_net *pin);
 /* expire TIME_BACKTRACK sequence numbers */
 void packet_id_reap(struct packet_id_rec *p);
@@ -262,8 +260,7 @@ bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_for
 *
 * @return true if successful, false otherwise.
 */
-bool packet_id_write(struct packet_id_send *p, struct buffer *buf,
- bool long_form, bool prepend);
+bool packet_id_write(struct packet_id_send *p, struct buffer *buf, bool long_form, bool prepend);
 /*
 * Inline functions.
@@ -309,7 +306,8 @@ reset_packet_id_send(struct packet_id_send *p)
 p->id = 0;
 }
-const char *packet_id_net_print(const struct packet_id_net *pin, bool print_timestamp, struct gc_arena *gc);
+const char *packet_id_net_print(const struct packet_id_net *pin, bool print_timestamp,
+ struct gc_arena *gc);
 static inline int
 packet_id_size(bool long_form)
@@ -340,8 +338,7 @@ packet_id_reap_test(struct packet_id_rec *p)
 * @param buf buffer to write the packet id/epoch to
 * @return false if the packet id space is exhausted and cannot be written
 */
-bool
-packet_id_write_epoch(struct packet_id_send *p, uint16_t epoch, struct buffer *buf);
+bool packet_id_write_epoch(struct packet_id_send *p, uint16_t epoch, struct buffer *buf);
 /**
 * Reads the packet ID containing both the epoch and the per-epoch counter
@@ -350,7 +347,6 @@ packet_id_write_epoch(struct packet_id_send *p, uint16_t epoch, struct buffer *b
 * @param buf buffer to read the packet id from.
 * @return 0 for an error/invalid id, epoch otherwise
 */
-uint16_t
-packet_id_read_epoch(struct packet_id_net *p, struct buffer *buf);
+uint16_t packet_id_read_epoch(struct packet_id_net *p, struct buffer *buf);
 #endif /* PACKET_ID_H */
diff --git a/src/openvpn/perf.c b/src/openvpn/perf.c
index 580e0fe27..51c1a9766 100644
--- a/src/openvpn/perf.c
+++ b/src/openvpn/perf.c
@@ -35,34 +35,32 @@
 #include "memdbg.h"
-static const char *metric_names[] = {
- "PERF_BIO_READ_PLAINTEXT",
- "PERF_BIO_WRITE_PLAINTEXT",
- "PERF_BIO_READ_CIPHERTEXT",
- "PERF_BIO_WRITE_CIPHERTEXT",
- "PERF_TLS_MULTI_PROCESS",
- "PERF_IO_WAIT",
- "PERF_EVENT_LOOP",
- "PERF_MULTI_CREATE_INSTANCE",
- "PERF_MULTI_CLOSE_INSTANCE",
- "PERF_MULTI_SHOW_STATS",
- "PERF_MULTI_BCAST",
- "PERF_MULTI_MCAST",
- "PERF_SCRIPT",
- "PERF_READ_IN_LINK",
- "PERF_PROC_IN_LINK",
- "PERF_READ_IN_TUN",
- "PERF_PROC_IN_TUN",
- "PERF_PROC_OUT_LINK",
- "PERF_PROC_OUT_TUN",
- "PERF_PROC_OUT_TUN_MTCP"
-};
+static const char *metric_names[] = { "PERF_BIO_READ_PLAINTEXT",
+ "PERF_BIO_WRITE_PLAINTEXT",
+ "PERF_BIO_READ_CIPHERTEXT",
+ "PERF_BIO_WRITE_CIPHERTEXT",
+ "PERF_TLS_MULTI_PROCESS",
+ "PERF_IO_WAIT",
+ "PERF_EVENT_LOOP",
+ "PERF_MULTI_CREATE_INSTANCE",
+ "PERF_MULTI_CLOSE_INSTANCE",
+ "PERF_MULTI_SHOW_STATS",
+ "PERF_MULTI_BCAST",
+ "PERF_MULTI_MCAST",
+ "PERF_SCRIPT",
+ "PERF_READ_IN_LINK",
+ "PERF_PROC_IN_LINK",
+ "PERF_READ_IN_TUN",
+ "PERF_PROC_IN_TUN",
+ "PERF_PROC_OUT_LINK",
+ "PERF_PROC_OUT_TUN",
+ "PERF_PROC_OUT_TUN_MTCP" };
 struct perf
 {
-#define PS_INITIAL 0
-#define PS_METER_RUNNING 1
-#define PS_METER_INTERRUPTED 2
+#define PS_INITIAL 0
+#define PS_METER_RUNNING 1
+#define PS_METER_INTERRUPTED 2
 int state;
 struct timeval start;
@@ -138,8 +136,7 @@ push_perf_index(int pindex)
 {
 const int sindex = get_stack_index(0);
 const int newlen = get_stack_index(1);
- if (sindex >= 0 && newlen >= 0
- && pindex >= 0 && pindex < PERF_N)
+ if (sindex >= 0 && newlen >= 0 && pindex >= 0 && pindex < PERF_N)
 {
 int i;
 for (i = 0; i < sindex; ++i)
@@ -147,8 +144,7 @@ push_perf_index(int pindex)
 if (perf_set.stack[i] == pindex)
 {
 perf_print_state(M_INFO);
- msg(M_FATAL, "PERF: push_perf_index %s failed",
- metric_names [pindex]);
+ msg(M_FATAL, "PERF: push_perf_index %s failed", metric_names[pindex]);
 }
 }
@@ -180,9 +176,7 @@ state_must_be(const struct perf *p, const int wanted)
 {
 if (p->state != wanted)
 {
- msg(M_FATAL, "PERF: bad state actual=%d wanted=%d",
- p->state,
- wanted);
+ msg(M_FATAL, "PERF: bad state actual=%d wanted=%d", p->state, wanted);
 }
 }
@@ -191,7 +185,7 @@ update_sofar(struct perf *p)
 {
 struct timeval current;
 ASSERT(!gettimeofday(¤t, NULL));
- p->sofar += (double) tv_subtract(¤t, &p->start, 600) / 1000000.0;
+ p->sofar += (double)tv_subtract(¤t, &p->start, 600) / 1000000.0;
 tv_clear(&p->start);
 }
@@ -287,7 +281,8 @@ perf_output_results(void)
 if (p->count > 0.0)
 {
 const double mean = p->sum / p->count;
- msg(M_INFO, "%s n=%.0f mean=%.3f max=%.3f", metric_names[i], p->count, mean*1000.0, p->max*1000.0);
+ msg(M_INFO, "%s n=%.0f mean=%.3f max=%.3f", metric_names[i], p->count, mean * 1000.0,
+ p->max * 1000.0);
 }
 }
 }
@@ -303,15 +298,8 @@ perf_print_state(int lev)
 {
 const int j = perf_set.stack[i];
 const struct perf *p = &perf_set.perf[j];
- msg(lev, "[%d] %s state=%d start=%s sofar=%f sum=%f max=%f count=%f",
- i,
- metric_names[j],
- p->state,
- tv_string(&p->start, &gc),
- p->sofar,
- p->sum,
- p->max,
- p->count);
+ msg(lev, "[%d] %s state=%d start=%s sofar=%f sum=%f max=%f count=%f", i, metric_names[j],
+ p->state, tv_string(&p->start, &gc), p->sofar, p->sum, p->max, p->count);
 }
 gc_free(&gc);
 }
diff --git a/src/openvpn/perf.h b/src/openvpn/perf.h
index 7b35b5e36..2a178a109 100644
--- a/src/openvpn/perf.h
+++ b/src/openvpn/perf.h
@@ -34,27 +34,27 @@
 /*
 * Metrics
 */
-#define PERF_BIO_READ_PLAINTEXT 0
-#define PERF_BIO_WRITE_PLAINTEXT 1
-#define PERF_BIO_READ_CIPHERTEXT 2
-#define PERF_BIO_WRITE_CIPHERTEXT 3
-#define PERF_TLS_MULTI_PROCESS 4
-#define PERF_IO_WAIT 5
-#define PERF_EVENT_LOOP 6
-#define PERF_MULTI_CREATE_INSTANCE 7
-#define PERF_MULTI_CLOSE_INSTANCE 8
-#define PERF_MULTI_SHOW_STATS 9
-#define PERF_MULTI_BCAST 10
-#define PERF_MULTI_MCAST 11
-#define PERF_SCRIPT 12
-#define PERF_READ_IN_LINK 13
-#define PERF_PROC_IN_LINK 14
-#define PERF_READ_IN_TUN 15
-#define PERF_PROC_IN_TUN 16
-#define PERF_PROC_OUT_LINK 17
-#define PERF_PROC_OUT_TUN 18
-#define PERF_PROC_OUT_TUN_MTCP 19
-#define PERF_N 20
+#define PERF_BIO_READ_PLAINTEXT 0
+#define PERF_BIO_WRITE_PLAINTEXT 1
+#define PERF_BIO_READ_CIPHERTEXT 2
+#define PERF_BIO_WRITE_CIPHERTEXT 3
+#define PERF_TLS_MULTI_PROCESS 4
+#define PERF_IO_WAIT 5
+#define PERF_EVENT_LOOP 6
+#define PERF_MULTI_CREATE_INSTANCE 7
+#define PERF_MULTI_CLOSE_INSTANCE 8
+#define PERF_MULTI_SHOW_STATS 9
+#define PERF_MULTI_BCAST 10
+#define PERF_MULTI_MCAST 11
+#define PERF_SCRIPT 12
+#define PERF_READ_IN_LINK 13
+#define PERF_PROC_IN_LINK 14
+#define PERF_READ_IN_TUN 15
+#define PERF_PROC_IN_TUN 16
+#define PERF_PROC_OUT_LINK 17
+#define PERF_PROC_OUT_TUN 18
+#define PERF_PROC_OUT_TUN_MTCP 19
+#define PERF_N 20
 #ifdef ENABLE_PERFORMANCE_METRICS
@@ -63,7 +63,7 @@
 /*
 * Stack size
 */
-#define STACK_N 64
+#define STACK_N 64
 void perf_push(int type);
diff --git a/src/openvpn/ping.c b/src/openvpn/ping.c
index 50f255afd..b9c0b9627 100644
--- a/src/openvpn/ping.c
+++ b/src/openvpn/ping.c
@@ -38,10 +38,8 @@
 *
 * PING_STRING_SIZE must be sizeof (ping_string)
 */
-const uint8_t ping_string[] = {
- 0x2a, 0x18, 0x7b, 0xf3, 0x64, 0x1e, 0xb4, 0xcb,
- 0x07, 0xed, 0x2d, 0x0a, 0x98, 0x1f, 0xc7, 0x48
-};
+const uint8_t ping_string[] = { 0x2a, 0x18, 0x7b, 0xf3, 0x64, 0x1e, 0xb4, 0xcb,
+ 0x07, 0xed, 0x2d, 0x0a, 0x98, 0x1f, 0xc7, 0x48 };
 void
 trigger_ping_timeout_signal(struct context *c)
@@ -50,8 +48,7 @@ trigger_ping_timeout_signal(struct context *c)
 switch (c->options.ping_rec_timeout_action)
 {
 case PING_EXIT:
- msg(M_INFO, "%sInactivity timeout (--ping-exit), exiting",
- format_common_name(c, &gc));
+ msg(M_INFO, "%sInactivity timeout (--ping-exit), exiting", format_common_name(c, &gc));
 register_signal(c->sig, SIGTERM, "ping-exit");
 break;
diff --git a/src/openvpn/ping.h b/src/openvpn/ping.h
index 29ee2f2ff..48d4c0a56 100644
--- a/src/openvpn/ping.h
+++ b/src/openvpn/ping.h
@@ -29,7 +29,7 @@
 /*
 * Initial default --ping-restart before --pull
 */
-#define PRE_PULL_INITIAL_PING_RESTART 120 /* in seconds */
+#define PRE_PULL_INITIAL_PING_RESTART 120 /* in seconds */
 extern const uint8_t ping_string[];
@@ -59,11 +59,11 @@ static inline void
 check_ping_restart(struct context *c)
 {
 if (c->options.ping_rec_timeout
- && event_timeout_trigger(&c->c2.ping_rec_interval,
- &c->c2.timeval,
+ && event_timeout_trigger(&c->c2.ping_rec_interval, &c->c2.timeval,
 (!c->options.ping_timer_remote
 || link_socket_actual_defined(&c->c1.link_socket_addrs[0].actual))
- ? ETT_DEFAULT : 15))
+ ? ETT_DEFAULT
+ : 15))
 {
 trigger_ping_timeout_signal(c);
 }
@@ -76,8 +76,7 @@ static inline void
 check_ping_send(struct context *c)
 {
 if (c->options.ping_send_timeout
- && event_timeout_trigger(&c->c2.ping_send_interval,
- &c->c2.timeval,
+ && event_timeout_trigger(&c->c2.ping_send_interval, &c->c2.timeval,
 !TO_LINK_DEF(c) ? ETT_DEFAULT : 1))
 {
 check_ping_send_dowork(c);
diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c
index 0177b1888..dfc87f6b5 100644
--- a/src/openvpn/pkcs11.c
+++ b/src/openvpn/pkcs11.c
@@ -39,51 +39,41 @@
 #include "console.h"
 #include "pkcs11_backend.h"
-static
-time_t
+static time_t
 __mytime(void)
 {
 return openvpn_time(NULL);
 }
 #if !defined(_WIN32)
-static
-int
+static int
 __mygettimeofday(struct timeval *tv)
 {
 return gettimeofday(tv, NULL);
 }
 #endif
-static
-void
+static void
 __mysleep(const unsigned long usec)
 {
 #if defined(_WIN32)
- Sleep(usec/1000);
+ Sleep(usec / 1000);
 #else
 usleep(usec);
 #endif
 }
-static pkcs11h_engine_system_t s_pkcs11h_sys_engine = {
- malloc,
- free,
- __mytime,
- __mysleep,
+static pkcs11h_engine_system_t s_pkcs11h_sys_engine = { malloc, free, __mytime, __mysleep,
 #if defined(_WIN32)
- NULL
+ NULL
 #else
- __mygettimeofday
+ __mygettimeofday
 #endif
 };
-static
-unsigned
-_pkcs11_msg_pkcs112openvpn(
- const unsigned flags
- )
+static unsigned
+_pkcs11_msg_pkcs112openvpn(const unsigned flags)
 {
 unsigned openvpn_flags;
@@ -121,11 +111,8 @@ _pkcs11_msg_pkcs112openvpn(
 return openvpn_flags;
 }
-static
-unsigned
-_pkcs11_msg_openvpn2pkcs11(
- const unsigned flags
- )
+static unsigned
+_pkcs11_msg_openvpn2pkcs11(const unsigned flags)
 {
 unsigned pkcs11_flags;
@@ -161,33 +148,23 @@ _pkcs11_msg_openvpn2pkcs11(
 return pkcs11_flags;
 }
-static
-void
-_pkcs11_openvpn_log(
- void *const global_data,
- unsigned flags,
- const char *const szFormat,
- va_list args
- )
+static void
+_pkcs11_openvpn_log(void *const global_data, unsigned flags, const char *const szFormat,
+ va_list args)
 {
- char Buffer[10*1024];
+ char Buffer[10 * 1024];
 (void)global_data;
 vsnprintf(Buffer, sizeof(Buffer), szFormat, args);
- Buffer[sizeof(Buffer)-1] = 0;
+ Buffer[sizeof(Buffer) - 1] = 0;
 msg(_pkcs11_msg_pkcs112openvpn(flags), "%s", Buffer);
 }
-static
-PKCS11H_BOOL
-_pkcs11_openvpn_token_prompt(
- void *const global_data,
- void *const user_data,
- const pkcs11h_token_id_t token,
- const unsigned retry
- )
+static PKCS11H_BOOL
+_pkcs11_openvpn_token_prompt(void *const global_data, void *const user_data,
+ const pkcs11h_token_id_t token, const unsigned retry)
 {
 struct user_pass token_resp;
@@ -195,26 +172,16 @@ _pkcs11_openvpn_token_prompt(
 (void)user_data;
 (void)retry;
- ASSERT(token!=NULL);
+ ASSERT(token != NULL);
 CLEAR(token_resp);
 token_resp.defined = false;
 token_resp.nocache = true;
- snprintf(
- token_resp.username,
- sizeof(token_resp.username),
- "Please insert %s token",
- token->label
- );
-
- if (
- !get_user_pass(
- &token_resp,
- NULL,
- "token-insertion-request",
- GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK|GET_USER_PASS_NOFATAL
- )
- )
+ snprintf(token_resp.username, sizeof(token_resp.username), "Please insert %s token",
+ token->label);
+
+ if (!get_user_pass(&token_resp, NULL, "token-insertion-request",
+ GET_USER_PASS_MANAGEMENT | GET_USER_PASS_NEED_OK | GET_USER_PASS_NOFATAL))
 {
 return false;
 }
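Review bot: `Buffer[sizeof(Buffer) - 1] = 0;` in _pkcs11_openvpn_log is dead code: vsnprintf always NUL-terminates its output when the size argument is non-zero, so the assignment can only rewrite a byte that is already zero. Either drop the line or annotate it so the next reader does not go looking for a missing-terminator bug, e.g. `/* vsnprintf already terminates; kept only as belt-and-braces */`. The function is complete within this hunk.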
@@ -224,16 +191,10 @@ _pkcs11_openvpn_token_prompt(
 }
 }
-static
-PKCS11H_BOOL
-_pkcs11_openvpn_pin_prompt(
- void *const global_data,
- void *const user_data,
- const pkcs11h_token_id_t token,
- const unsigned retry,
- char *const pin,
- const size_t pin_max
- )
+static PKCS11H_BOOL
+_pkcs11_openvpn_pin_prompt(void *const global_data, void *const user_data,
+ const pkcs11h_token_id_t token, const unsigned retry, char *const pin,
+ const size_t pin_max)
 {
 struct user_pass token_pass;
 char prompt[1024];
@@ -243,21 +204,16 @@ _pkcs11_openvpn_pin_prompt(
 (void)user_data;
 (void)retry;
- ASSERT(token!=NULL);
+ ASSERT(token != NULL);
 snprintf(prompt, sizeof(prompt), "%s token", token->label);
 token_pass.defined = false;
 token_pass.nocache = true;
- if (
- !get_user_pass(
- &token_pass,
- NULL,
- prompt,
- GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY|GET_USER_PASS_NOFATAL
- )
- )
+ if (!get_user_pass(&token_pass, NULL, prompt,
+ GET_USER_PASS_MANAGEMENT | GET_USER_PASS_PASSWORD_ONLY
+ | GET_USER_PASS_NOFATAL))
 {
 return false;
 }
@@ -278,21 +234,16 @@ _pkcs11_openvpn_pin_prompt(
 }
 bool
-pkcs11_initialize(
- const bool protected_auth,
- const int nPINCachePeriod
- )
+pkcs11_initialize(const bool protected_auth, const int nPINCachePeriod)
 {
 CK_RV rv = CKR_FUNCTION_FAILED;
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: pkcs11_initialize - entered"
- );
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_initialize - entered");
 if ((rv = pkcs11h_engine_setSystem(&s_pkcs11h_sys_engine)) != CKR_OK)
 {
- msg(M_FATAL, "PKCS#11: Cannot initialize system engine %ld-'%s'", rv, pkcs11h_getMessage(rv));
+ msg(M_FATAL, "PKCS#11: Cannot initialize system engine %ld-'%s'", rv,
+ pkcs11h_getMessage(rv));
 goto cleanup;
 }
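Review bot: `rv` is a CK_RV, which the PKCS#11 headers define as CK_ULONG (an unsigned long), yet the `%ld-'%s'` diagnostics in pkcs11_initialize print it with the signed conversion; `%lu` is the matching specifier and is what `-Wformat` expects. The same `"%ld-'%s'", rv, pkcs11h_getMessage(rv)` pattern recurs in every message of pkcs11_addProvider, pkcs11_management_id_count, pkcs11_management_id_get, tls_ctx_use_pkcs11 and show_pkcs11_ids below, so it is best fixed file-wide rather than per call. pkcs11_initialize's body continues outside this hunk.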
@@ -330,7 +281,8 @@ pkcs11_initialize(
 if ((rv = pkcs11h_setProtectedAuthentication(protected_auth)) != CKR_OK)
 {
- msg(M_FATAL, "PKCS#11: Cannot set protected authentication mode %ld-'%s'", rv, pkcs11h_getMessage(rv));
+ msg(M_FATAL, "PKCS#11: Cannot set protected authentication mode %ld-'%s'", rv,
+ pkcs11h_getMessage(rv));
 goto cleanup;
 }
@@ -343,12 +295,8 @@ pkcs11_initialize(
 rv = CKR_OK;
 cleanup:
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: pkcs11_initialize - return %ld-'%s'",
- rv,
- pkcs11h_getMessage(rv)
- );
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_initialize - return %ld-'%s'", rv,
+ pkcs11h_getMessage(rv));
 return rv == CKR_OK;
 }
@@ -356,105 +304,85 @@ cleanup:
 void
 pkcs11_terminate(void)
 {
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: pkcs11_terminate - entered"
- );
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_terminate - entered");
 pkcs11h_terminate();
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: pkcs11_terminate - return"
- );
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_terminate - return");
 }
 bool
-pkcs11_addProvider(
- const char *const provider,
- const bool protected_auth,
- const unsigned private_mode,
- const bool cert_private
- )
+pkcs11_addProvider(const char *const provider, const bool protected_auth,
+ const unsigned private_mode, const bool cert_private)
 {
 CK_RV rv = CKR_OK;
- ASSERT(provider!=NULL);
+ ASSERT(provider != NULL);
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: pkcs11_addProvider - entered - provider='%s', private_mode=%08x",
- provider,
- private_mode
- );
-
- msg(
- M_INFO,
- "PKCS#11: Adding PKCS#11 provider '%s'",
- provider
- );
-
-#if PKCS11H_VERSION >= ((1<<16) | (28<<8) | (0<<0))
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_addProvider - entered - provider='%s', private_mode=%08x",
+ provider, private_mode);
+
+ msg(M_INFO, "PKCS#11: Adding PKCS#11 provider '%s'", provider);
+
+#if PKCS11H_VERSION >= ((1 << 16) | (28 << 8) | (0 << 0))
 if ((rv = pkcs11h_registerProvider(provider)) != CKR_OK)
 {
- msg(M_WARN, "PKCS#11: Cannot register provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage(rv));
+ msg(M_WARN, "PKCS#11: Cannot register provider '%s' %ld-'%s'", provider, rv,
+ pkcs11h_getMessage(rv));
 }
 else
 {
 PKCS11H_BOOL allow_protected_auth = protected_auth;
 PKCS11H_BOOL cert_is_private = cert_private;
- rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_LOCATION, provider, strlen(provider) + 1);
+ rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_LOCATION, provider,
+ strlen(provider) + 1);
 if (rv == CKR_OK)
 {
- rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_ALLOW_PROTECTED_AUTH, &allow_protected_auth, sizeof(allow_protected_auth));
+ rv = pkcs11h_setProviderProperty(provider,
+ PKCS11H_PROVIDER_PROPERTY_ALLOW_PROTECTED_AUTH,
+ &allow_protected_auth, sizeof(allow_protected_auth));
 }
 if (rv == CKR_OK)
 {
- rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_MASK_PRIVATE_MODE, &private_mode, sizeof(private_mode));
+ rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_MASK_PRIVATE_MODE,
+ &private_mode, sizeof(private_mode));
 }
 if (rv == CKR_OK)
 {
- rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_CERT_IS_PRIVATE, &cert_is_private, sizeof(cert_is_private));
+ rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_CERT_IS_PRIVATE,
+ &cert_is_private, sizeof(cert_is_private));
 }
 #if defined(WIN32) && defined(PKCS11H_PROVIDER_PROPERTY_LOADER_FLAGS)
 if (rv == CKR_OK && platform_absolute_pathname(provider))
 {
- unsigned loader_flags = LOAD_LIBRARY_SEARCH_DEFAULT_DIRS | LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR;
- rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_LOADER_FLAGS, &loader_flags, sizeof(loader_flags));
+ unsigned loader_flags =
+ LOAD_LIBRARY_SEARCH_DEFAULT_DIRS | LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR;
+ rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_LOADER_FLAGS,
+ &loader_flags, sizeof(loader_flags));
 }
 #endif
 if (rv != CKR_OK || (rv = pkcs11h_initializeProvider(provider)) != CKR_OK)
 {
- msg(M_WARN, "PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage(rv));
+ msg(M_WARN, "PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv,
+ pkcs11h_getMessage(rv));
 pkcs11h_removeProvider(provider);
 }
 }
 #else /* if PKCS11H_VERSION >= ((1<<16) | (28<<8) | (0<<0)) */
- if (
- (rv = pkcs11h_addProvider(
- provider,
- provider,
- protected_auth,
- private_mode,
- PKCS11H_SLOTEVENT_METHOD_AUTO,
- 0,
- cert_private
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_addProvider(provider, provider, protected_auth, private_mode,
+ PKCS11H_SLOTEVENT_METHOD_AUTO, 0, cert_private))
+ != CKR_OK)
 {
- msg(M_WARN, "PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage(rv));
+ msg(M_WARN, "PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv,
+ pkcs11h_getMessage(rv));
 }
 #endif /* if PKCS11H_VERSION >= ((1<<16) | (28<<8) | (0<<0)) */
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: pkcs11_addProvider - return rv=%ld-'%s'",
- rv,
- pkcs11h_getMessage(rv)
- );
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_addProvider - return rv=%ld-'%s'", rv,
+ pkcs11h_getMessage(rv));
 return rv == CKR_OK;
 }
@@ -473,20 +401,11 @@ pkcs11_management_id_count(void)
 CK_RV rv = CKR_OK;
 int count = 0;
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: pkcs11_management_id_count - entered"
- );
-
- if (
- (rv = pkcs11h_certificate_enumCertificateIds(
- PKCS11H_ENUM_METHOD_CACHE_EXIST,
- NULL,
- PKCS11H_PROMPT_MASK_ALLOW_ALL,
- NULL,
- &id_list
- )) != CKR_OK
- )
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_management_id_count - entered");
+
+ if ((rv = pkcs11h_certificate_enumCertificateIds(PKCS11H_ENUM_METHOD_CACHE_EXIST, NULL,
+ PKCS11H_PROMPT_MASK_ALLOW_ALL, NULL, &id_list))
+ != CKR_OK)
 {
 msg(M_WARN, "PKCS#11: Cannot get certificate list %ld-'%s'", rv, pkcs11h_getMessage(rv));
 goto cleanup;
@@ -502,21 +421,13 @@ cleanup:
 pkcs11h_certificate_freeCertificateIdList(id_list);
 id_list = NULL;
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: pkcs11_management_id_count - return count=%d",
- count
- );
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_management_id_count - return count=%d", count);
 return count;
 }
 bool
-pkcs11_management_id_get(
- const int index,
- char **id,
- char **base64
- )
+pkcs11_management_id_get(const int index, char **id, char **base64)
 {
 pkcs11h_certificate_id_list_t id_list = NULL;
 pkcs11h_certificate_id_list_t entry = NULL;
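Review bot: The loader-flags block in pkcs11_addProvider is guarded by `#if defined(WIN32) && defined(PKCS11H_PROVIDER_PROPERTY_LOADER_FLAGS)`, while the rest of this file (`__mysleep`, `s_pkcs11h_sys_engine`) tests `_WIN32`. `_WIN32` is the macro the compiler predefines; `WIN32` is normally supplied by `<windows.h>` or the build system, so on a build where it is absent the `LOAD_LIBRARY_SEARCH_DEFAULT_DIRS | LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR` restriction on where the provider DLL may be loaded from is silently skipped with no diagnostic. Using `#if defined(_WIN32) && defined(PKCS11H_PROVIDER_PROPERTY_LOADER_FLAGS)` here, or a comment explaining why `WIN32` is intended, would make the intent unambiguous.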
@@ -533,27 +444,17 @@ pkcs11_management_id_get(
 int count = 0;
 bool success = false;
- ASSERT(id!=NULL);
- ASSERT(base64!=NULL);
+ ASSERT(id != NULL);
+ ASSERT(base64 != NULL);
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: pkcs11_management_id_get - entered index=%d",
- index
- );
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_management_id_get - entered index=%d", index);
 *id = NULL;
 *base64 = NULL;
- if (
- (rv = pkcs11h_certificate_enumCertificateIds(
- PKCS11H_ENUM_METHOD_CACHE_EXIST,
- NULL,
- PKCS11H_PROMPT_MASK_ALLOW_ALL,
- NULL,
- &id_list
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_certificate_enumCertificateIds(PKCS11H_ENUM_METHOD_CACHE_EXIST, NULL,
+ PKCS11H_PROMPT_MASK_ALLOW_ALL, NULL, &id_list))
+ != CKR_OK)
 {
 msg(M_WARN, "PKCS#11: Cannot get certificate list %ld-'%s'", rv, pkcs11h_getMessage(rv));
 goto cleanup;
@@ -569,23 +470,16 @@ pkcs11_management_id_get(
 if (entry == NULL)
 {
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: pkcs11_management_id_get - no certificate at index=%d",
- index
- );
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_management_id_get - no certificate at index=%d",
+ index);
 goto cleanup;
 }
- if (
- (rv = pkcs11h_certificate_serializeCertificateId(
- NULL,
- &max,
- entry->certificate_id
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_certificate_serializeCertificateId(NULL, &max, entry->certificate_id))
+ != CKR_OK)
 {
- msg(M_WARN, "PKCS#11: Cannot serialize certificate id %ld-'%s'", rv, pkcs11h_getMessage(rv));
+ msg(M_WARN, "PKCS#11: Cannot serialize certificate id %ld-'%s'", rv,
+ pkcs11h_getMessage(rv));
 goto cleanup;
 }
@@ -595,39 +489,24 @@ pkcs11_management_id_get(
 goto cleanup;
 }
- if (
- (rv = pkcs11h_certificate_serializeCertificateId(
- internal_id,
- &max,
- entry->certificate_id
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_certificate_serializeCertificateId(internal_id, &max, entry->certificate_id))
+ != CKR_OK)
 {
- msg(M_WARN, "PKCS#11: Cannot serialize certificate id %ld-'%s'", rv, pkcs11h_getMessage(rv));
+ msg(M_WARN, "PKCS#11: Cannot serialize certificate id %ld-'%s'", rv,
+ pkcs11h_getMessage(rv));
 goto cleanup;
 }
- if (
- (rv = pkcs11h_certificate_create(
- entry->certificate_id,
- NULL,
- PKCS11H_PROMPT_MASK_ALLOW_ALL,
- PKCS11H_PIN_CACHE_INFINITE,
- &certificate
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_certificate_create(entry->certificate_id, NULL, PKCS11H_PROMPT_MASK_ALLOW_ALL,
+ PKCS11H_PIN_CACHE_INFINITE, &certificate))
+ != CKR_OK)
 {
 msg(M_WARN, "PKCS#11: Cannot get certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
 goto cleanup;
 }
- if (
- (rv = pkcs11h_certificate_getCertificateBlob(
- certificate,
- NULL,
- &certificate_blob_size
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_certificate_getCertificateBlob(certificate, NULL, &certificate_blob_size))
+ != CKR_OK)
 {
 msg(M_WARN, "PKCS#11: Cannot get certificate blob %ld-'%s'", rv, pkcs11h_getMessage(rv));
 goto cleanup;
@@ -639,13 +518,9 @@ pkcs11_management_id_get(
 goto cleanup;
 }
- if (
- (rv = pkcs11h_certificate_getCertificateBlob(
- certificate,
- certificate_blob,
- &certificate_blob_size
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_certificate_getCertificateBlob(certificate, certificate_blob,
+ &certificate_blob_size))
+ != CKR_OK)
 {
 msg(M_WARN, "PKCS#11: Cannot get certificate blob %ld-'%s'", rv, pkcs11h_getMessage(rv));
 goto cleanup;
@@ -677,22 +552,15 @@ cleanup:
 free(certificate_blob);
 certificate_blob = NULL;
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: pkcs11_management_id_get - return success=%d, id='%s'",
- success ? 1 : 0,
- *id
- );
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_management_id_get - return success=%d, id='%s'",
+ success ? 1 : 0, *id);
 return success;
 }
 int
-tls_ctx_use_pkcs11(
- struct tls_root_ctx *const ssl_ctx,
- bool pkcs11_id_management,
- const char *const pkcs11_id
- )
+tls_ctx_use_pkcs11(struct tls_root_ctx *const ssl_ctx, bool pkcs11_id_management,
+ const char *const pkcs11_id)
 {
 pkcs11h_certificate_id_t certificate_id = NULL;
 pkcs11h_certificate_t certificate = NULL;
@@ -700,16 +568,13 @@ tls_ctx_use_pkcs11(
 bool ok = false;
- ASSERT(ssl_ctx!=NULL);
- ASSERT(pkcs11_id_management || pkcs11_id!=NULL);
+ ASSERT(ssl_ctx != NULL);
+ ASSERT(pkcs11_id_management || pkcs11_id != NULL);
 dmsg(
 D_PKCS11_DEBUG,
 "PKCS#11: tls_ctx_use_pkcs11 - entered - ssl_ctx=%p, pkcs11_id_management=%d, pkcs11_id='%s'",
- (void *)ssl_ctx,
- pkcs11_id_management ? 1 : 0,
- pkcs11_id
- );
+ (void *)ssl_ctx, pkcs11_id_management ? 1 : 0, pkcs11_id);
 if (pkcs11_id_management)
 {
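Review bot: Both dmsg calls in these two hunks can hand a null pointer to `%s`: in pkcs11_management_id_get the `*id` printed on the `return success=%d, id='%s'` line is set to NULL on entry and is still NULL on every failure path that jumps to cleanup before it is assigned, and in tls_ctx_use_pkcs11 `pkcs11_id` may be NULL whenever `pkcs11_id_management` is true, since the ASSERT just above only requires one of the two. Passing NULL for `%s` is undefined behaviour; glibc happens to print "(null)" but other C runtimes fault, and the debug-only nature of dmsg just makes it a crash that shows up in the field when `--verb` is raised. Guard the arguments, e.g. `*id ? *id : "(null)"` and `pkcs11_id ? pkcs11_id : "(null)"`. Both function bodies extend outside their hunks.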
@@ -719,30 +584,17 @@ tls_ctx_use_pkcs11(
 id_resp.defined = false;
 id_resp.nocache = true;
- snprintf(
- id_resp.username,
- sizeof(id_resp.username),
- "Please specify PKCS#11 id to use"
- );
-
- if (
- !get_user_pass(
- &id_resp,
- NULL,
- "pkcs11-id-request",
- GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_STR|GET_USER_PASS_NOFATAL
- )
- )
+ snprintf(id_resp.username, sizeof(id_resp.username), "Please specify PKCS#11 id to use");
+
+ if (!get_user_pass(&id_resp, NULL, "pkcs11-id-request",
+ GET_USER_PASS_MANAGEMENT | GET_USER_PASS_NEED_STR
+ | GET_USER_PASS_NOFATAL))
 {
 goto cleanup;
 }
- if (
- (rv = pkcs11h_certificate_deserializeCertificateId(
- &certificate_id,
- id_resp.password
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_certificate_deserializeCertificateId(&certificate_id, id_resp.password))
+ != CKR_OK)
 {
 msg(M_WARN, "PKCS#11: Cannot deserialize id %ld-'%s'", rv, pkcs11h_getMessage(rv));
 goto cleanup;
@@ -750,38 +602,23 @@ tls_ctx_use_pkcs11(
 }
 else
 {
- if (
- (rv = pkcs11h_certificate_deserializeCertificateId(
- &certificate_id,
- pkcs11_id
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_certificate_deserializeCertificateId(&certificate_id, pkcs11_id))
+ != CKR_OK)
 {
 msg(M_WARN, "PKCS#11: Cannot deserialize id %ld-'%s'", rv, pkcs11h_getMessage(rv));
 goto cleanup;
 }
 }
- if (
- (rv = pkcs11h_certificate_create(
- certificate_id,
- NULL,
- PKCS11H_PROMPT_MASK_ALLOW_ALL,
- PKCS11H_PIN_CACHE_INFINITE,
- &certificate
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_certificate_create(certificate_id, NULL, PKCS11H_PROMPT_MASK_ALLOW_ALL,
+ PKCS11H_PIN_CACHE_INFINITE, &certificate))
+ != CKR_OK)
 {
 msg(M_WARN, "PKCS#11: Cannot get certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
 goto cleanup;
 }
- if (
- (pkcs11_init_tls_session(
- certificate,
- ssl_ctx
- ))
- )
+ if ((pkcs11_init_tls_session(certificate, ssl_ctx)))
 {
 /* Handled by SSL context free */
 certificate = NULL;
@@ -805,26 +642,15 @@ cleanup:
 certificate_id = NULL;
 }
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: tls_ctx_use_pkcs11 - return ok=%d, rv=%ld",
- ok ? 1 : 0,
- rv
- );
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: tls_ctx_use_pkcs11 - return ok=%d, rv=%ld", ok ? 1 : 0, rv);
 return ok ? 1 : 0;
 }
-static
-PKCS11H_BOOL
-_pkcs11_openvpn_show_pkcs11_ids_pin_prompt(
- void *const global_data,
- void *const user_data,
- const pkcs11h_token_id_t token,
- const unsigned retry,
- char *const pin,
- const size_t pin_max
- )
+static PKCS11H_BOOL
+_pkcs11_openvpn_show_pkcs11_ids_pin_prompt(void *const global_data, void *const user_data,
+ const pkcs11h_token_id_t token, const unsigned retry,
+ char *const pin, const size_t pin_max)
 {
 struct gc_arena gc = gc_new();
 struct buffer pass_prompt = alloc_buf_gc(128, &gc);
@@ -833,11 +659,10 @@ _pkcs11_openvpn_show_pkcs11_ids_pin_prompt(
 (void)user_data;
 (void)retry;
- ASSERT(token!=NULL);
+ ASSERT(token != NULL);
 buf_printf(&pass_prompt, "Please enter '%s' token PIN or 'cancel': ", token->display);
- if (!query_user_SINGLE(BSTR(&pass_prompt), BLEN(&pass_prompt),
- pin, pin_max, false))
+ if (!query_user_SINGLE(BSTR(&pass_prompt), BLEN(&pass_prompt), pin, pin_max, false))
 {
 msg(M_FATAL, "Could not retrieve the PIN");
 }
@@ -855,10 +680,7 @@ _pkcs11_openvpn_show_pkcs11_ids_pin_prompt(
 }
 void
-show_pkcs11_ids(
- const char *const provider,
- bool cert_private
- )
+show_pkcs11_ids(const char *const provider, bool cert_private)
 {
 struct gc_arena gc = gc_new();
 pkcs11h_certificate_id_list_t user_certificates = NULL;
@@ -881,7 +703,8 @@ show_pkcs11_ids(
 if ((rv = pkcs11h_setProtectedAuthentication(TRUE)) != CKR_OK)
 {
- msg(M_FATAL, "PKCS#11: Cannot set protected authentication %ld-'%s'", rv, pkcs11h_getMessage(rv));
+ msg(M_FATAL, "PKCS#11: Cannot set protected authentication %ld-'%s'", rv,
+ pkcs11h_getMessage(rv));
 goto cleanup;
 }
@@ -897,118 +720,77 @@ show_pkcs11_ids(
 goto cleanup;
 }
- if (
- (rv = pkcs11h_certificate_enumCertificateIds(
- PKCS11H_ENUM_METHOD_CACHE_EXIST,
- NULL,
- PKCS11H_PROMPT_MASK_ALLOW_ALL,
- NULL,
- &user_certificates
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_certificate_enumCertificateIds(PKCS11H_ENUM_METHOD_CACHE_EXIST, NULL,
+ PKCS11H_PROMPT_MASK_ALLOW_ALL, NULL,
+ &user_certificates))
+ != CKR_OK)
 {
 msg(M_FATAL, "PKCS#11: Cannot enumerate certificates %ld-'%s'", rv, pkcs11h_getMessage(rv));
 goto cleanup;
 }
- msg(
- M_INFO|M_NOPREFIX|M_NOLF,
- (
- "\n"
- "The following objects are available for use.\n"
- "Each object shown below may be used as parameter to\n"
- "--pkcs11-id option please remember to use single quote mark.\n"
- )
- );
+ msg(M_INFO | M_NOPREFIX | M_NOLF,
+ ("\n"
+ "The following objects are available for use.\n"
+ "Each object shown below may be used as parameter to\n"
+ "--pkcs11-id option please remember to use single quote mark.\n"));
 for (current = user_certificates; current != NULL; current = current->next)
 {
 pkcs11h_certificate_t certificate = NULL;
 char *dn = NULL;
- char serial[1024] = {0};
+ char serial[1024] = { 0 };
 char *ser = NULL;
 size_t ser_len = 0;
- if (
- (rv = pkcs11h_certificate_serializeCertificateId(
- NULL,
- &ser_len,
- current->certificate_id
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_certificate_serializeCertificateId(NULL, &ser_len,
+ current->certificate_id))
+ != CKR_OK)
 {
- msg(M_FATAL, "PKCS#11: Cannot serialize certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
+ msg(M_FATAL, "PKCS#11: Cannot serialize certificate %ld-'%s'", rv,
+ pkcs11h_getMessage(rv));
 goto cleanup1;
 }
- if (
- rv == CKR_OK
- && (ser = (char *)malloc(ser_len)) == NULL
- )
+ if (rv == CKR_OK && (ser = (char *)malloc(ser_len)) == NULL)
 {
 msg(M_FATAL, "PKCS#11: Cannot allocate memory");
 goto cleanup1;
 }
- if (
- (rv = pkcs11h_certificate_serializeCertificateId(
- ser,
- &ser_len,
- current->certificate_id
- )) != CKR_OK
- )
+ if ((rv =
pkcs11h_certificate_serializeCertificateId(ser, &ser_len, current->certificate_id))
+ != CKR_OK)
 {
- msg(M_FATAL, "PKCS#11: Cannot serialize certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
+ msg(M_FATAL, "PKCS#11: Cannot serialize certificate %ld-'%s'", rv,
+ pkcs11h_getMessage(rv));
 goto cleanup1;
 }
- if (
- (rv = pkcs11h_certificate_create(
- current->certificate_id,
- NULL,
- PKCS11H_PROMPT_MASK_ALLOW_ALL,
- PKCS11H_PIN_CACHE_INFINITE,
- &certificate
- ))
- )
+ if ((rv = pkcs11h_certificate_create(current->certificate_id, NULL,
+ PKCS11H_PROMPT_MASK_ALLOW_ALL,
+ PKCS11H_PIN_CACHE_INFINITE, &certificate)))
 {
 msg(M_FATAL, "PKCS#11: Cannot create certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
 goto cleanup1;
 }
- if (
- (dn = pkcs11_certificate_dn(
- certificate,
- &gc
- )) == NULL
- )
+ if ((dn = pkcs11_certificate_dn(certificate, &gc)) == NULL)
 {
 goto cleanup1;
 }
- if (
- (pkcs11_certificate_serial(
- certificate,
- serial,
- sizeof(serial)
- ))
- )
+ if ((pkcs11_certificate_serial(certificate, serial, sizeof(serial))))
 {
 goto cleanup1;
 }
- msg(
- M_INFO|M_NOPREFIX|M_NOLF,
- (
- "\n"
- "Certificate\n"
- " DN: %s\n"
- " Serial: %s\n"
- " Serialized id: %s\n"
- ),
- dn,
- serial,
- ser
- );
+ msg(M_INFO | M_NOPREFIX | M_NOLF,
+ ("\n"
+ "Certificate\n"
+ " DN: %s\n"
+ " Serial: %s\n"
+ " Serialized id: %s\n"),
+ dn, serial, ser);
 cleanup1:
diff --git a/src/openvpn/pkcs11.h b/src/openvpn/pkcs11.h
index 644d7ce41..d431db119 100644
--- a/src/openvpn/pkcs11.h
+++ b/src/openvpn/pkcs11.h
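Review bot: In the allocation check inside the certificate loop of show_pkcs11_ids, the `rv == CKR_OK &&` operand is dead — the `if` immediately above already jumps to cleanup1 whenever rv is not CKR_OK — and the `(char *)` cast on malloc is unnecessary in C and can mask a missing `<stdlib.h>` prototype on older toolchains. `if ((ser = malloc(ser_len)) == NULL)` says the same thing without the two distractions. The for loop and the block after the cleanup1 label continue outside this hunk.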
@@ -27,49 +27,24 @@
 #include "ssl_common.h"
-bool
-pkcs11_initialize(
- const bool fProtectedAuthentication,
- const int nPINCachePeriod
- );
+bool pkcs11_initialize(const bool fProtectedAuthentication, const int nPINCachePeriod);
-void
-pkcs11_terminate(void);
+void pkcs11_terminate(void);
-bool
-pkcs11_addProvider(
- const char *const provider,
- const bool fProtectedAuthentication,
- const unsigned private_mode,
- const bool fCertIsPrivate
- );
+bool pkcs11_addProvider(const char *const provider, const bool fProtectedAuthentication,
+ const unsigned private_mode, const bool fCertIsPrivate);
-int
-pkcs11_logout(void);
+int pkcs11_logout(void);
-int
-pkcs11_management_id_count(void);
+int pkcs11_management_id_count(void);
-bool
-pkcs11_management_id_get(
- const int index,
- char **id,
- char **base64
- );
+bool pkcs11_management_id_get(const int index, char **id, char **base64);
-int
-tls_ctx_use_pkcs11(
- struct tls_root_ctx *const ssl_ctx,
- bool pkcs11_id_management,
- const char *const pkcs11_id
- );
+int tls_ctx_use_pkcs11(struct tls_root_ctx *const ssl_ctx, bool pkcs11_id_management,
+ const char *const pkcs11_id);
-void
-show_pkcs11_ids(
- const char *const provider,
- bool cert_private
- );
+void show_pkcs11_ids(const char *const provider, bool cert_private);
-#endif /* ENABLE_PKCS11 */
+#endif /* ENABLE_PKCS11 */
-#endif /* OPENVPN_PKCS11H_H */
+#endif /* OPENVPN_PKCS11H_H */
diff --git a/src/openvpn/pkcs11_backend.h b/src/openvpn/pkcs11_backend.h
index f65ba3f5d..caa073530 100644
--- a/src/openvpn/pkcs11_backend.h
+++ b/src/openvpn/pkcs11_backend.h
@@ -56,8 +56,7 @@ char *pkcs11_certificate_dn(pkcs11h_certificate_t certificate, struct gc_arena *
 *
 * @return 1 on failure, 0 on success
 */
-int pkcs11_certificate_serial(pkcs11h_certificate_t certificate, char *serial,
- size_t serial_len);
+int pkcs11_certificate_serial(pkcs11h_certificate_t certificate, char *serial, size_t serial_len);
 /**
 * Load PKCS #11 Certificate's information into the given TLS context
@@ -67,8 +66,7 @@ int pkcs11_certificate_serial(pkcs11h_certificate_t certificate, char *serial,
 *
 * @return 1 on failure, 0 on success
 */
-int pkcs11_init_tls_session(pkcs11h_certificate_t certificate,
- struct tls_root_ctx *const ssl_ctx);
+int pkcs11_init_tls_session(pkcs11h_certificate_t certificate, struct tls_root_ctx *const ssl_ctx);
 #endif /* defined(ENABLE_PKCS11) */
 #endif /* PKCS11_BACKEND_H_ */
diff --git a/src/openvpn/pkcs11_mbedtls.c b/src/openvpn/pkcs11_mbedtls.c
index d1c8957bf..245aa8dbd 100644
--- a/src/openvpn/pkcs11_mbedtls.c
+++ b/src/openvpn/pkcs11_mbedtls.c
@@ -46,16 +46,14 @@ pkcs11_get_x509_cert(pkcs11h_certificate_t pkcs11_cert, mbedtls_x509_crt *cert)
 size_t cert_blob_size = 0;
 bool ret = false;
- if (pkcs11h_certificate_getCertificateBlob(pkcs11_cert, NULL,
- &cert_blob_size) != CKR_OK)
+ if (pkcs11h_certificate_getCertificateBlob(pkcs11_cert, NULL, &cert_blob_size) != CKR_OK)
 {
 msg(M_WARN, "PKCS#11: Cannot retrieve certificate object size");
 goto cleanup;
 }
 check_malloc_return((cert_blob = calloc(1, cert_blob_size)));
- if (pkcs11h_certificate_getCertificateBlob(pkcs11_cert, cert_blob,
- &cert_blob_size) != CKR_OK)
+ if (pkcs11h_certificate_getCertificateBlob(pkcs11_cert, cert_blob, &cert_blob_size) != CKR_OK)
 {
 msg(M_WARN, "PKCS#11: Cannot retrieve certificate object");
 goto cleanup;
@@ -74,16 +72,14 @@ cleanup:
 }
 static bool
-pkcs11_sign(void *pkcs11_cert, const void *src, size_t src_len,
- void *dst, size_t dst_len)
+pkcs11_sign(void *pkcs11_cert, const void *src, size_t src_len, void *dst, size_t dst_len)
 {
- return CKR_OK == pkcs11h_certificate_signAny(pkcs11_cert, CKM_RSA_PKCS,
- src, src_len, dst, &dst_len);
+ return CKR_OK
+ == pkcs11h_certificate_signAny(pkcs11_cert, CKM_RSA_PKCS, src, src_len, dst, &dst_len);
 }
 int
-pkcs11_init_tls_session(pkcs11h_certificate_t certificate,
- struct tls_root_ctx *const ssl_ctx)
+pkcs11_init_tls_session(pkcs11h_certificate_t certificate, struct tls_root_ctx *const ssl_ctx)
 {
 ASSERT(NULL != ssl_ctx);
@@ -130,8 +126,7 @@ cleanup:
 }
 int
-pkcs11_certificate_serial(pkcs11h_certificate_t cert, char *serial,
- size_t serial_len)
+pkcs11_certificate_serial(pkcs11h_certificate_t cert, char *serial, size_t serial_len)
 {
 int ret = 1;
 mbedtls_x509_crt mbed_crt = { 0 };
diff --git a/src/openvpn/pkcs11_openssl.c b/src/openvpn/pkcs11_openssl.c
index 489aa356b..a912747e2 100644
--- a/src/openvpn/pkcs11_openssl.c
+++ b/src/openvpn/pkcs11_openssl.c
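Review bot: pkcs11_sign passes `&dst_len`, the address of its own by-value parameter, as the output-length argument of pkcs11h_certificate_signAny, so whatever length the library actually produced is discarded and the caller learns only success or failure. That is presumably sound only because a CKM_RSA_PKCS signature is always exactly the modulus length the caller sized `dst` for; a comment recording that assumption would keep a future mechanism change from silently returning a short or truncated signature as success, e.g. `/* CKM_RSA_PKCS output is always exactly the modulus size, so the length signAny reports is not needed */`. The function is complete within this hunk.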
@@ -43,18 +43,21 @@
 #ifdef HAVE_XKEY_PROVIDER
 static XKEY_EXTERNAL_SIGN_fn xkey_pkcs11h_sign;
-#if PKCS11H_VERSION > ((1<<16) | (27<<8)) /* version > 1.27 */
+#if PKCS11H_VERSION > ((1 << 16) | (27 << 8)) /* version > 1.27 */
 /* Table linking OpenSSL digest NID with CKM and CKG constants in PKCS#11 */
-#define MD_TYPE(n) {NID_sha ## n, CKM_SHA ## n, CKG_MGF1_SHA ## n}
+#define MD_TYPE(n) { NID_sha##n, CKM_SHA##n, CKG_MGF1_SHA##n }
 static const struct
 {
 int nid;
 unsigned long ckm_id;
 unsigned long mgf_id;
-} mdtypes[] = {MD_TYPE(224), MD_TYPE(256), MD_TYPE(384), MD_TYPE(512),
- {NID_sha1, CKM_SHA_1, CKG_MGF1_SHA1}, /* SHA_1 naming is an oddity */
- {NID_undef, 0, 0}};
+} mdtypes[] = { MD_TYPE(224),
+ MD_TYPE(256),
+ MD_TYPE(384),
+ MD_TYPE(512),
+ { NID_sha1, CKM_SHA_1, CKG_MGF1_SHA1 }, /* SHA_1 naming is an oddity */
+ { NID_undef, 0, 0 } };
 /* From sigalg, derive parameters for pss signature and fill in pss_params.
 * Its of type CK_RSA_PKCS_PSS_PARAMS struct with three fields to be filled in:
@@ -62,15 +65,13 @@ static const struct
 * where hashAlg is CKM_SHA256 etc., mgf is CKG_MGF1_SHA256 etc.
 */
 static int
-set_pss_params(CK_RSA_PKCS_PSS_PARAMS *pss_params, XKEY_SIGALG sigalg,
- pkcs11h_certificate_t cert)
+set_pss_params(CK_RSA_PKCS_PSS_PARAMS *pss_params, XKEY_SIGALG sigalg, pkcs11h_certificate_t cert)
 {
 int ret = 0;
 X509 *x509 = NULL;
 EVP_PKEY *pubkey = NULL;
- if ((x509 = pkcs11h_openssl_getX509(cert)) == NULL
- || (pubkey = X509_get0_pubkey(x509)) == NULL)
+ if ((x509 = pkcs11h_openssl_getX509(cert)) == NULL || (pubkey = X509_get0_pubkey(x509)) == NULL)
 {
 msg(M_WARN, "PKCS#11: Unable get public key");
 goto cleanup;
@@ -90,8 +91,10 @@ set_pss_params(CK_RSA_PKCS_PSS_PARAMS *pss_params, XKEY_SIGALG sigalg,
 const EVP_MD *md = EVP_get_digestbyname(sigalg.mdname);
 if (!md)
 {
- msg(M_WARN, "WARN: set_pss_params: EVP_get_digestbyname returned NULL "
- "for mdname = <%s>", sigalg.mdname);
+ msg(M_WARN,
+ "WARN: set_pss_params: EVP_get_digestbyname returned NULL "
+ "for mdname = <%s>",
+ sigalg.mdname);
 goto cleanup;
 }
 int mdsize = EVP_MD_get_size(md);
@@ -108,14 +111,16 @@ set_pss_params(CK_RSA_PKCS_PSS_PARAMS *pss_params, XKEY_SIGALG sigalg,
 if (saltlen < 0 || pss_params->hashAlg == 0)
 {
- msg(M_WARN, "WARN: invalid RSA_PKCS1_PSS parameters: saltlen = <%s> "
- "mdname = <%s>.", sigalg.saltlen, sigalg.mdname);
+ msg(M_WARN,
+ "WARN: invalid RSA_PKCS1_PSS parameters: saltlen = <%s> "
+ "mdname = <%s>.",
+ sigalg.saltlen, sigalg.mdname);
 goto cleanup;
 }
- pss_params->sLen = (unsigned long) saltlen; /* saltlen >= 0 at this point */
+ pss_params->sLen = (unsigned long)saltlen; /* saltlen >= 0 at this point */
- msg(D_XKEY, "set_pss_params: sLen = %lu, hashAlg = %lu, mgf = %lu",
- pss_params->sLen, pss_params->hashAlg, pss_params->mgf);
+ msg(D_XKEY, "set_pss_params: sLen = %lu, hashAlg = %lu, mgf = %lu", pss_params->sLen,
+ pss_params->hashAlg, pss_params->mgf);
 ret = 1;
@@ -138,14 +143,14 @@ cleanup:
 * is PSS in which case we return an error.
 */
 static CK_RV
-pkcs11h_certificate_signAny_ex(const pkcs11h_certificate_t cert,
- const CK_MECHANISM *mech, const unsigned char *tbs,
- size_t tbslen, unsigned char *sig, size_t *siglen)
+pkcs11h_certificate_signAny_ex(const pkcs11h_certificate_t cert, const CK_MECHANISM *mech,
+ const unsigned char *tbs, size_t tbslen, unsigned char *sig,
+ size_t *siglen)
 {
 if (mech->mechanism == CKM_RSA_PKCS_PSS)
 {
 msg(M_NONFATAL, "PKCS#11: Error: PSS padding is not supported by "
- "this version of pkcs11-helper library.");
+ "this version of pkcs11-helper library.");
 return CKR_MECHANISM_INVALID;
 }
 return pkcs11h_certificate_signAny(cert, mech->mechanism, tbs, tbslen, sig, siglen);
@@ -158,12 +163,12 @@ pkcs11h_certificate_signAny_ex(const pkcs11h_certificate_t cert,
 * We support ECDSA, RSA_NO_PADDING, RSA_PKCS1_PADDING, RSA_PKCS_PSS_PADDING
 */
 static int
-xkey_pkcs11h_sign(void *handle, unsigned char *sig,
- size_t *siglen, const unsigned char *tbs, size_t tbslen, XKEY_SIGALG sigalg)
+xkey_pkcs11h_sign(void *handle, unsigned char *sig, size_t *siglen, const unsigned char *tbs,
+ size_t tbslen, XKEY_SIGALG sigalg)
 {
 pkcs11h_certificate_t cert = handle;
- CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0}; /* default value */
- CK_RSA_PKCS_PSS_PARAMS pss_params = {0};
+ CK_MECHANISM mech = { CKM_RSA_PKCS, NULL, 0 }; /* default value */
+ CK_RSA_PKCS_PSS_PARAMS pss_params = { 0 };
 unsigned char buf[EVP_MAX_MD_SIZE];
 size_t buflen = 0;
@@ -178,7 +183,7 @@ xkey_pkcs11h_sign(void *handle, unsigned char *sig,
 if (xkey_digest(tbs, tbslen, buf, &buflen, sigalg.mdname))
 {
 tbs = buf;
- tbslen = (size_t) buflen;
+ tbslen = (size_t)buflen;
 sigalg.op = "Sign";
 }
 else
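Review bot: In xkey_pkcs11h_sign, `tbslen = (size_t)buflen;` casts a value that is already declared `size_t buflen` a few lines earlier, so the cast is a no-op that reads like a deliberate narrowing and invites a reviewer to look for a width mismatch that does not exist; `tbslen = buflen;` is clearer. xkey_pkcs11h_sign's body continues outside this hunk.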
@@ -194,8 +199,7 @@ xkey_pkcs11h_sign(void *handle, unsigned char *sig,
 }
 else if (!strcmp(sigalg.keytype, "RSA"))
 {
- msg(D_XKEY, "xkey_pkcs11h_sign: signing with RSA key: padmode = %s",
- sigalg.padmode);
+ msg(D_XKEY, "xkey_pkcs11h_sign: signing with RSA key: padmode = %s", sigalg.padmode);
 if (!strcmp(sigalg.padmode, "none"))
 {
 mech.mechanism = CKM_RSA_X_509;
@@ -230,11 +234,10 @@ xkey_pkcs11h_sign(void *handle, unsigned char *sig,
 }
 else
 {
- ASSERT(0); /* coding error -- we couldnt have created any such key */
+ ASSERT(0); /* coding error -- we couldnt have created any such key */
 }
- if (CKR_OK != pkcs11h_certificate_signAny_ex(cert, &mech,
- tbs, tbslen, sig, siglen))
+ if (CKR_OK != pkcs11h_certificate_signAny_ex(cert, &mech, tbs, tbslen, sig, siglen))
 {
 return 0;
 }
@@ -244,7 +247,7 @@ xkey_pkcs11h_sign(void *handle, unsigned char *sig,
 }
 /* For EC keys, pkcs11 returns signature as r|s: convert to der encoded */
- int derlen = ecdsa_bin2der(sig, (int) *siglen, siglen_max);
+ int derlen = ecdsa_bin2der(sig, (int)*siglen, siglen_max);
 if (derlen <= 0)
 {
@@ -274,8 +277,7 @@ xkey_handle_free(void *handle)
 * other xkey_load_.. routines
 */
 static int
-xkey_load_from_pkcs11h(pkcs11h_certificate_t certificate,
- struct tls_root_ctx *const ctx)
+xkey_load_from_pkcs11h(pkcs11h_certificate_t certificate, struct tls_root_ctx *const ctx)
 {
 int ret = 0;
@@ -326,10 +328,8 @@ cleanup:
 #endif /* HAVE_XKEY_PROVIDER */
 int
-pkcs11_init_tls_session(pkcs11h_certificate_t certificate,
- struct tls_root_ctx *const ssl_ctx)
+pkcs11_init_tls_session(pkcs11h_certificate_t certificate, struct tls_root_ctx *const ssl_ctx)
 {
-
 #ifdef HAVE_XKEY_PROVIDER
 return (xkey_load_from_pkcs11h(certificate, ssl_ctx) == 0); /* inverts the return value */
 #else
@@ -403,7 +403,7 @@ cleanup:
 openssl_session = NULL;
 }
 return ret;
-#endif /* ifdef HAVE_XKEY_PROVIDER */
+#endif /* ifdef HAVE_XKEY_PROVIDER */
 }
 char *
@@ -429,8 +429,7 @@ cleanup: } int -pkcs11_certificate_serial(pkcs11h_certificate_t certificate, char *serial, - size_t serial_len) +pkcs11_certificate_serial(pkcs11h_certificate_t certificate, char *serial, size_t serial_len) { X509 *x509 = NULL; BIO *bio = NULL; @@ -450,9 +449,9 @@ pkcs11_certificate_serial(pkcs11h_certificate_t certificate, char *serial, } i2a_ASN1_INTEGER(bio, X509_get_serialNumber(x509)); - n = BIO_read(bio, serial, serial_len-1); + n = BIO_read(bio, serial, serial_len - 1); - if (n<0) + if (n < 0) { serial[0] = '\x0'; } diff --git a/src/openvpn/platform.c b/src/openvpn/platform.c index 623daaae1..880d14e4b 100644 --- a/src/openvpn/platform.c +++ b/src/openvpn/platform.c @@ -66,8 +66,10 @@ platform_chroot(const char *path) msg(M_ERR, "cd to '%s' failed", top); } msg(M_INFO, "chroot to '%s' and cd to '%s' succeeded", path, top); -#else /* ifdef HAVE_CHROOT */ - msg(M_FATAL, "Sorry but I can't chroot to '%s' because this operating system doesn't appear to support the chroot() system call", path); +#else /* ifdef HAVE_CHROOT */ + msg(M_FATAL, + "Sorry but I can't chroot to '%s' because this operating system doesn't appear to support the chroot() system call", + path); #endif } } @@ -94,8 +96,10 @@ platform_user_get(const char *username, struct platform_state_user *state) } state->username = username; ret = true; -#else /* if defined(HAVE_GETPWNAM) && defined(HAVE_SETUID) */ - msg(M_FATAL, "cannot get UID for user %s -- platform lacks getpwname() or setuid() system calls", username); +#else /* if defined(HAVE_GETPWNAM) && defined(HAVE_SETUID) */ + msg(M_FATAL, + "cannot get UID for user %s -- platform lacks getpwname() or setuid() system calls", + username); #endif } return ret; 
@@ -138,8 +142,10 @@ platform_group_get(const char *groupname, struct platform_state_group *state) } state->groupname = groupname; ret = true; -#else /* if defined(HAVE_GETGRNAM) && defined(HAVE_SETGID) */ - msg(M_FATAL, "cannot get GID for group %s -- platform lacks getgrnam() or setgid() system calls", groupname); +#else /* if defined(HAVE_GETGRNAM) && defined(HAVE_SETGID) */ + msg(M_FATAL, + "cannot get GID for group %s -- platform lacks getgrnam() or setgid() system calls", + groupname); #endif } return ret; @@ -214,8 +220,7 @@ need_keep_caps(struct context *c) */ void platform_user_group_set(const struct platform_state_user *user_state, - const struct platform_state_group *group_state, - struct context *c) + const struct platform_state_group *group_state, struct context *c) { int keep_caps = need_keep_caps(c); unsigned int err_flags = (keep_caps > 0) ? M_FATAL : M_NONFATAL; @@ -258,8 +263,8 @@ platform_user_group_set(const struct platform_state_user *user_state, { /* -4 and -6 mean failure of setuid/gid respectively. * There is no point for us to continue if those failed. */ - msg(M_ERR, "capng_change_id('%s','%s') failed: %d", - user_state->username, group_state->groupname, res); + msg(M_ERR, "capng_change_id('%s','%s') failed: %d", user_state->username, + group_state->groupname, res); } else if (res == -3) { @@ -294,7 +299,7 @@ fallback: { msg(M_ERR, "Clearing KEEPCAPS flag failed"); } -#endif /* HAVE_LIBCAPNG */ +#endif /* HAVE_LIBCAPNG */ if (keep_caps) { @@ -321,7 +326,7 @@ platform_nice(int niceval) { msg(M_INFO, "nice %d succeeded", niceval); } -#else /* ifdef HAVE_NICE */ +#else /* ifdef HAVE_NICE */ msg(M_WARN, "WARNING: nice %d failed (function not implemented)", niceval); #endif } @@ -332,9 +337,9 @@ unsigned int platform_getpid(void) { #ifdef _WIN32 - return (unsigned int) GetCurrentProcessId(); + return (unsigned int)GetCurrentProcessId(); #else - return (unsigned int) getpid(); + return (unsigned int)getpid(); #endif } 
@@ -354,12 +359,11 @@ platform_mlockall(bool print_msg) else { msg(M_INFO, "mlock: MEMLOCK limit: soft=%ld KB, hard=%ld KB", - ((long int) rl.rlim_cur) / 1024, ((long int) rl.rlim_max) / 1024); - if (rl.rlim_cur < MIN_LOCKED_MEM_MB*1024*1024) + ((long int)rl.rlim_cur) / 1024, ((long int)rl.rlim_max) / 1024); + if (rl.rlim_cur < MIN_LOCKED_MEM_MB * 1024 * 1024) { - msg(M_INFO, "mlock: RLIMIT_MEMLOCK < %d MB, increase limit", - MIN_LOCKED_MEM_MB); - rl.rlim_cur = MIN_LOCKED_MEM_MB*1024*1024; + msg(M_INFO, "mlock: RLIMIT_MEMLOCK < %d MB, increase limit", MIN_LOCKED_MEM_MB); + rl.rlim_cur = MIN_LOCKED_MEM_MB * 1024 * 1024; if (rl.rlim_max < rl.rlim_cur) { rl.rlim_max = rl.rlim_cur; @@ -397,10 +401,10 @@ platform_chdir(const char *dir) res = _wchdir(wide_string(dir, &gc)); gc_free(&gc); return res; -#else /* ifdef _WIN32 */ +#else /* ifdef _WIN32 */ #ifdef HAVE_CHDIR return chdir(dir); -#else /* ifdef HAVE_CHDIR */ +#else /* ifdef HAVE_CHDIR */ return -1; #endif #endif @@ -550,9 +554,8 @@ platform_create_temp_file(const char *directory, const char *prefix, struct gc_a { ++attempts; - if (!snprintf(fname, sizeof(fname), fname_fmt, max_prefix_len, - prefix, (unsigned long) get_random(), - (unsigned long) get_random())) + if (!snprintf(fname, sizeof(fname), fname_fmt, max_prefix_len, prefix, + (unsigned long)get_random(), (unsigned long)get_random())) { msg(M_WARN, "ERROR: temporary filename too long"); return NULL; @@ -576,8 +579,7 @@ platform_create_temp_file(const char *directory, const char *prefix, struct gc_a else if (fd == -1 && errno != EEXIST) { /* Something else went wrong, no need to retry. */ - msg(M_WARN | M_ERRNO, "Could not create temporary file '%s'", - retfname); + msg(M_WARN | M_ERRNO, "Could not create temporary file '%s'", retfname); return NULL; } } 
@@ -590,12 +592,12 @@ platform_create_temp_file(const char *directory, const char *prefix, struct gc_a * Put a directory and filename together. */ const char * -platform_gen_path(const char *directory, const char *filename, - struct gc_arena *gc) +platform_gen_path(const char *directory, const char *filename, struct gc_arena *gc) { #ifdef _WIN32 - const int CC_PATH_RESERVED = CC_LESS_THAN|CC_GREATER_THAN|CC_COLON - |CC_DOUBLE_QUOTE|CC_SLASH|CC_BACKSLASH|CC_PIPE|CC_QUESTION_MARK|CC_ASTERISK; + const int CC_PATH_RESERVED = CC_LESS_THAN | CC_GREATER_THAN | CC_COLON | CC_DOUBLE_QUOTE + | CC_SLASH | CC_BACKSLASH | CC_PIPE | CC_QUESTION_MARK + | CC_ASTERISK; #else const int CC_PATH_RESERVED = CC_SLASH; #endif @@ -607,13 +609,11 @@ platform_gen_path(const char *directory, const char *filename, const char *safe_filename = string_mod_const(filename, CC_PRINT, CC_PATH_RESERVED, '_', gc); - if (safe_filename - && strcmp(safe_filename, ".") - && strcmp(safe_filename, "..") + if (safe_filename && strcmp(safe_filename, ".") && strcmp(safe_filename, "..") #ifdef _WIN32 && win_safe_filename(safe_filename) #endif - ) + ) { const size_t outsize = strlen(safe_filename) + (directory ? strlen(directory) : 0) + 16; struct buffer out = alloc_buf_gc(outsize, gc); @@ -671,14 +671,12 @@ platform_test_file(const char *filename) { if (errno == EACCES) { - msg( M_WARN | M_ERRNO, "Could not access file '%s'", filename); + msg(M_WARN | M_ERRNO, "Could not access file '%s'", filename); } } } - dmsg(D_TEST_FILE, "TEST FILE '%s' [%d]", - filename ? filename : "UNDEF", - ret); + dmsg(D_TEST_FILE, "TEST FILE '%s' [%d]", filename ? filename : "UNDEF", ret); return ret; } diff --git a/src/openvpn/platform.h b/src/openvpn/platform.h index 18ea97df4..f1a2b0186 100644 --- a/src/openvpn/platform.h +++ b/src/openvpn/platform.h 
@@ -59,7 +59,8 @@ struct context; /* Get/Set UID of process */ -struct platform_state_user { +struct platform_state_user +{ #if defined(HAVE_GETPWNAM) && defined(HAVE_SETUID) const char *username; uid_t uid; @@ -70,7 +71,8 @@ struct platform_state_user { /* Get/Set GID of process */ -struct platform_state_group { +struct platform_state_group +{ #if defined(HAVE_GETGRNAM) && defined(HAVE_SETGID) const char *groupname; gid_t gid; @@ -84,8 +86,7 @@ bool platform_user_get(const char *username, struct platform_state_user *state); bool platform_group_get(const char *groupname, struct platform_state_group *state); void platform_user_group_set(const struct platform_state_user *user_state, - const struct platform_state_group *group_state, - struct context *c); + const struct platform_state_group *group_state, struct context *c); /* @@ -116,7 +117,7 @@ void platform_nice(int niceval); unsigned int platform_getpid(void); -void platform_mlockall(bool print_msg); /* Disable paging */ +void platform_mlockall(bool print_msg); /* Disable paging */ int platform_chdir(const char *dir); @@ -152,8 +153,7 @@ const char *platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc); /** Put a directory and filename together. */ -const char *platform_gen_path(const char *directory, const char *filename, - struct gc_arena *gc); +const char *platform_gen_path(const char *directory, const char *filename, struct gc_arena *gc); /** Return true if pathname is absolute. */ bool platform_absolute_pathname(const char *pathname); diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c index 12912c09e..e65a3bcc2 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c @@ -44,7 +44,7 @@ #include "win32.h" #include "memdbg.h" -#define PLUGIN_SYMBOL_REQUIRED (1<<0) +#define PLUGIN_SYMBOL_REQUIRED (1 << 0) /* used only for program aborts */ static struct plugin_common *static_plugin_common = NULL; /* GLOBAL */ 
@@ -152,7 +152,7 @@ plugin_mask_string(const unsigned int type_mask, struct gc_arena *gc) static inline unsigned int plugin_supported_types(void) { - return ((1<n < MAX_PLUGINS) { @@ -193,7 +192,8 @@ plugin_option_list_print(const struct plugin_option_list *list, int msglevel) for (i = 0; i < list->n; ++i) { const struct plugin_option *o = &list->plugins[i]; - msg(msglevel, " plugin[%d] %s '%s'", i, o->so_pathname, print_argv(o->argv, &gc, PA_BRACKET)); + msg(msglevel, " plugin[%d] %s '%s'", i, o->so_pathname, + print_argv(o->argv, &gc, PA_BRACKET)); } gc_free(&gc); @@ -203,24 +203,28 @@ plugin_option_list_print(const struct plugin_option_list *list, int msglevel) #ifndef _WIN32 static void -libdl_resolve_symbol(void *handle, void **dest, const char *symbol, const char *plugin_name, const unsigned int flags) +libdl_resolve_symbol(void *handle, void **dest, const char *symbol, const char *plugin_name, + const unsigned int flags) { *dest = dlsym(handle, symbol); if ((flags & PLUGIN_SYMBOL_REQUIRED) && !*dest) { - msg(M_FATAL, "PLUGIN: could not find required symbol '%s' in plugin shared object %s: %s", symbol, plugin_name, dlerror()); + msg(M_FATAL, "PLUGIN: could not find required symbol '%s' in plugin shared object %s: %s", + symbol, plugin_name, dlerror()); } } #else /* ifndef _WIN32 */ static void -dll_resolve_symbol(HMODULE module, void **dest, const char *symbol, const char *plugin_name, const unsigned int flags) +dll_resolve_symbol(HMODULE module, void **dest, const char *symbol, const char *plugin_name, + const unsigned int flags) { *dest = GetProcAddress(module, symbol); if ((flags & PLUGIN_SYMBOL_REQUIRED) && !*dest) { - msg(M_FATAL, "PLUGIN: could not find required symbol '%s' in plugin DLL %s", symbol, plugin_name); + msg(M_FATAL, "PLUGIN: could not find required symbol '%s' in plugin DLL %s", symbol, + plugin_name); } } 
@@ -254,8 +258,7 @@ plugin_init_item(struct plugin *p, const struct plugin_option *o) * was parsed. * */ - if (!platform_absolute_pathname(p->so_pathname) - && p->so_pathname[0] != '.') + if (!platform_absolute_pathname(p->so_pathname) && p->so_pathname[0] != '.') { char full[PATH_MAX]; @@ -269,24 +272,29 @@ plugin_init_item(struct plugin *p, const struct plugin_option *o) } if (!p->handle) { - msg(M_ERR, "PLUGIN_INIT: could not load plugin shared object %s: %s", p->so_pathname, dlerror()); + msg(M_ERR, "PLUGIN_INIT: could not load plugin shared object %s: %s", p->so_pathname, + dlerror()); } -#define PLUGIN_SYM(var, name, flags) libdl_resolve_symbol(p->handle, (void *)&p->var, name, p->so_pathname, flags) +#define PLUGIN_SYM(var, name, flags) \ + libdl_resolve_symbol(p->handle, (void *)&p->var, name, p->so_pathname, flags) -#else /* ifndef _WIN32 */ +#else /* ifndef _WIN32 */ WCHAR *wpath = wide_string(p->so_pathname, &gc); - WCHAR normalized_plugin_path[MAX_PATH] = {0}; + WCHAR normalized_plugin_path[MAX_PATH] = { 0 }; /* Normalize the plugin path, converting any relative paths to absolute paths. */ if (!GetFullPathNameW(wpath, MAX_PATH, normalized_plugin_path, NULL)) { - msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %ls. Failed to normalize plugin path.", wpath); + msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %ls. Failed to normalize plugin path.", + wpath); } if (!plugin_in_trusted_dir(normalized_plugin_path)) { - msg(M_FATAL, "PLUGIN_INIT: could not load plugin DLL: %ls. The DLL is not in a trusted directory.", normalized_plugin_path); + msg(M_FATAL, + "PLUGIN_INIT: could not load plugin DLL: %ls. The DLL is not in a trusted directory.", + normalized_plugin_path); } p->module = LoadLibraryW(normalized_plugin_path); 
@@ -295,7 +303,8 @@ plugin_init_item(struct plugin *p, const struct plugin_option *o) msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %ls", normalized_plugin_path); } -#define PLUGIN_SYM(var, name, flags) dll_resolve_symbol(p->module, (void *)&p->var, name, p->so_pathname, flags) +#define PLUGIN_SYM(var, name, flags) \ + dll_resolve_symbol(p->module, (void *)&p->var, name, p->so_pathname, flags) #endif /* ifndef _WIN32 */ @@ -314,12 +323,14 @@ plugin_init_item(struct plugin *p, const struct plugin_option *o) if (!p->open1 && !p->open2 && !p->open3) { - msg(M_FATAL, "PLUGIN: symbol openvpn_plugin_open_vX is undefined in plugin: %s", p->so_pathname); + msg(M_FATAL, "PLUGIN: symbol openvpn_plugin_open_vX is undefined in plugin: %s", + p->so_pathname); } if (!p->func1 && !p->func2 && !p->func3) { - msg(M_FATAL, "PLUGIN: symbol openvpn_plugin_func_vX is undefined in plugin: %s", p->so_pathname); + msg(M_FATAL, "PLUGIN: symbol openvpn_plugin_func_vX is undefined in plugin: %s", + p->so_pathname); } /* @@ -330,10 +341,9 @@ plugin_init_item(struct plugin *p, const struct plugin_option *o) const int plugin_needs_version = (*p->min_version_required)(); if (plugin_needs_version > OPENVPN_PLUGIN_VERSION) { - msg(M_FATAL, "PLUGIN_INIT: plugin needs interface version %d, but this version of OpenVPN only supports version %d: %s", - plugin_needs_version, - OPENVPN_PLUGIN_VERSION, - p->so_pathname); + msg(M_FATAL, + "PLUGIN_INIT: plugin needs interface version %d, but this version of OpenVPN only supports version %d: %s", + plugin_needs_version, OPENVPN_PLUGIN_VERSION, p->so_pathname); } } 
@@ -348,7 +358,9 @@ plugin_init_item(struct plugin *p, const struct plugin_option *o) if (rel) { - msg(M_WARN, "WARNING: plugin '%s' specified by a relative pathname -- using an absolute pathname would be more secure", p->so_pathname); + msg(M_WARN, + "WARNING: plugin '%s' specified by a relative pathname -- using an absolute pathname would be more secure", + p->so_pathname); } p->initialized = true; @@ -427,9 +439,9 @@ plugin_log(openvpn_plugin_log_flags_t flags, const char *name, const char *forma static struct openvpn_plugin_callbacks callbacks = { plugin_log, plugin_vlog, - secure_memzero, /* plugin_secure_memzero */ - openvpn_base64_encode, /* plugin_base64_encode */ - openvpn_base64_decode, /* plugin_base64_decode */ + secure_memzero, /* plugin_secure_memzero */ + openvpn_base64_encode, /* plugin_base64_encode */ + openvpn_base64_decode, /* plugin_base64_decode */ }; @@ -444,10 +456,8 @@ static struct openvpn_plugin_callbacks callbacks = { #endif static void -plugin_open_item(struct plugin *p, - const struct plugin_option *o, - struct openvpn_plugin_string_list **retlist, - const char **envp, +plugin_open_item(struct plugin *p, const struct plugin_option *o, + struct openvpn_plugin_string_list **retlist, const char **envp, const int init_point) { ASSERT(p->initialized); 
@@ -471,19 +481,20 @@ plugin_open_item(struct plugin *p, if (p->open3) { struct openvpn_plugin_args_open_in args = { p->plugin_type_mask, - (const char **const) o->argv, - (const char **const) envp, + (const char **const)o->argv, + (const char **const)envp, &callbacks, SSLAPI, PACKAGE_VERSION, OPENVPN_VERSION_MAJOR, OPENVPN_VERSION_MINOR, - _OPENVPN_PATCH_LEVEL}; + _OPENVPN_PATCH_LEVEL }; struct openvpn_plugin_args_open_return retargs; CLEAR(retargs); retargs.return_list = retlist; - if ((*p->open3)(OPENVPN_PLUGINv3_STRUCTVER, &args, &retargs) == OPENVPN_PLUGIN_FUNC_SUCCESS) + if ((*p->open3)(OPENVPN_PLUGINv3_STRUCTVER, &args, &retargs) + == OPENVPN_PLUGIN_FUNC_SUCCESS) { p->plugin_type_mask = retargs.type_mask; p->plugin_handle = retargs.handle; @@ -506,24 +517,20 @@ plugin_open_item(struct plugin *p, ASSERT(0); } - msg(D_PLUGIN, "PLUGIN_INIT: POST %s '%s' intercepted=%s %s", - p->so_pathname, - print_argv(o->argv, &gc, PA_BRACKET), - plugin_mask_string(p->plugin_type_mask, &gc), + msg(D_PLUGIN, "PLUGIN_INIT: POST %s '%s' intercepted=%s %s", p->so_pathname, + print_argv(o->argv, &gc, PA_BRACKET), plugin_mask_string(p->plugin_type_mask, &gc), (retlist && *retlist) ? "[RETLIST]" : ""); if ((p->plugin_type_mask | plugin_supported_types()) != plugin_supported_types()) { - msg(M_FATAL, "PLUGIN_INIT: plugin %s expressed interest in unsupported plugin types: [want=0x%08x, have=0x%08x]", - p->so_pathname, - p->plugin_type_mask, - plugin_supported_types()); + msg(M_FATAL, + "PLUGIN_INIT: plugin %s expressed interest in unsupported plugin types: [want=0x%08x, have=0x%08x]", + p->so_pathname, p->plugin_type_mask, plugin_supported_types()); } if (p->plugin_handle == NULL) { - msg(M_FATAL, "PLUGIN_INIT: plugin initialization function failed: %s", - p->so_pathname); + msg(M_FATAL, "PLUGIN_INIT: plugin initialization function failed: %s", p->so_pathname); } gc_free(&gc); 
@@ -531,15 +538,9 @@ plugin_open_item(struct plugin *p, } static int -plugin_call_item(const struct plugin *p, - void *per_client_context, - const int type, - const struct argv *av, - struct openvpn_plugin_string_list **retlist, - const char **envp, - int certdepth, - openvpn_x509_cert_t *current_cert - ) +plugin_call_item(const struct plugin *p, void *per_client_context, const int type, + const struct argv *av, struct openvpn_plugin_string_list **retlist, + const char **envp, int certdepth, openvpn_x509_cert_t *current_cert) { int status = OPENVPN_PLUGIN_FUNC_SUCCESS; @@ -563,8 +564,8 @@ plugin_call_item(const struct plugin *p, if (p->func3) { struct openvpn_plugin_args_func_in args = { type, - (const char **const) a.argv, - (const char **const) envp, + (const char **const)a.argv, + (const char **const)envp, p->plugin_handle, per_client_context, (current_cert ? certdepth : -1), @@ -578,7 +579,8 @@ plugin_call_item(const struct plugin *p, } else if (p->func2) { - status = (*p->func2)(p->plugin_handle, type, (const char **)a.argv, envp, per_client_context, retlist); + status = (*p->func2)(p->plugin_handle, type, (const char **)a.argv, envp, + per_client_context, retlist); } else if (p->func1) { @@ -589,17 +591,13 @@ plugin_call_item(const struct plugin *p, ASSERT(0); } - msg(D_PLUGIN, "PLUGIN_CALL: POST %s/%s status=%d", - p->so_pathname, - plugin_type_name(type), + msg(D_PLUGIN, "PLUGIN_CALL: POST %s/%s status=%d", p->so_pathname, plugin_type_name(type), status); if (status == OPENVPN_PLUGIN_FUNC_ERROR) { msg(M_WARN, "PLUGIN_CALL: plugin function %s failed with status %d: %s", - plugin_type_name(type), - status, - p->so_pathname); + plugin_type_name(type), status, p->so_pathname); } argv_free(&a); 
@@ -652,8 +650,7 @@ plugin_abort_item(const struct plugin *p) } static void -plugin_per_client_init(const struct plugin_common *pc, - struct plugin_per_client *cli, +plugin_per_client_init(const struct plugin_common *pc, struct plugin_per_client *cli, const int init_point) { const int n = pc->n; @@ -662,8 +659,7 @@ plugin_per_client_init(const struct plugin_common *pc, for (i = 0; i < n; ++i) { const struct plugin *p = &pc->plugins[i]; - if (p->plugin_handle - && (init_point < 0 || init_point == p->requested_initialization_point) + if (p->plugin_handle && (init_point < 0 || init_point == p->requested_initialization_point) && p->client_constructor) { cli->per_client_context[i] = (*p->client_constructor)(p->plugin_handle); @@ -711,8 +707,7 @@ plugin_common_init(const struct plugin_option_list *list) for (i = 0; i < list->n; ++i) { - plugin_init_item(&pc->plugins[i], - &list->plugins[i]); + plugin_init_item(&pc->plugins[i], &list->plugins[i]); pc->n = i + 1; } @@ -721,11 +716,8 @@ plugin_common_init(const struct plugin_option_list *list) } static void -plugin_common_open(struct plugin_common *pc, - const struct plugin_option_list *list, - struct plugin_return *pr, - const struct env_set *es, - const int init_point) +plugin_common_open(struct plugin_common *pc, const struct plugin_option_list *list, + struct plugin_return *pr, const struct env_set *es, const int init_point) { struct gc_arena gc = gc_new(); int i; @@ -740,10 +732,7 @@ plugin_common_open(struct plugin_common *pc, for (i = 0; i < pc->n; ++i) { - plugin_open_item(&pc->plugins[i], - &list->plugins[i], - pr ? &pr->list[i] : NULL, - envp, + plugin_open_item(&pc->plugins[i], &list->plugins[i], pr ? &pr->list[i] : NULL, envp, init_point); } 
@@ -782,25 +771,17 @@ plugin_list_init(const struct plugin_option_list *list) } void -plugin_list_open(struct plugin_list *pl, - const struct plugin_option_list *list, - struct plugin_return *pr, - const struct env_set *es, - const int init_point) +plugin_list_open(struct plugin_list *pl, const struct plugin_option_list *list, + struct plugin_return *pr, const struct env_set *es, const int init_point) { plugin_common_open(pl->common, list, pr, es, init_point); plugin_per_client_init(pl->common, &pl->per_client, init_point); } int -plugin_call_ssl(const struct plugin_list *pl, - const int type, - const struct argv *av, - struct plugin_return *pr, - struct env_set *es, - int certdepth, - openvpn_x509_cert_t *current_cert - ) +plugin_call_ssl(const struct plugin_list *pl, const int type, const struct argv *av, + struct plugin_return *pr, struct env_set *es, int certdepth, + openvpn_x509_cert_t *current_cert) { if (pr) { @@ -821,23 +802,16 @@ plugin_call_ssl(const struct plugin_list *pl, for (i = 0; i < n; ++i) { - const int status = plugin_call_item(&pl->common->plugins[i], - pl->per_client.per_client_context[i], - type, - av, - pr ? &pr->list[i] : NULL, - envp, - certdepth, - current_cert - ); + const int status = + plugin_call_item(&pl->common->plugins[i], pl->per_client.per_client_context[i], + type, av, pr ? &pr->list[i] : NULL, envp, certdepth, current_cert); switch (status) { case OPENVPN_PLUGIN_FUNC_SUCCESS: break; case OPENVPN_PLUGIN_FUNC_DEFERRED: - if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) - && deferred_auth_done) + if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) && deferred_auth_done) { /* * Do not allow deferred auth if a deferred auth has 
@@ -854,13 +828,12 @@ plugin_call_ssl(const struct plugin_list *pl, * error, we bail out and exit the OpenVPN process. */ error = true; - msg(M_FATAL, - "Exiting due to multiple authentication plug-ins " - "performing deferred authentication. Only one " - "authentication plug-in doing deferred auth is " - "allowed. Ignoring the result and stopping now, " - "the current authentication result is not to be " - "trusted."); + msg(M_FATAL, "Exiting due to multiple authentication plug-ins " + "performing deferred authentication. Only one " + "authentication plug-in doing deferred auth is " + "allowed. Ignoring the result and stopping now, " + "the current authentication result is not to be " + "trusted."); break; } deferred_auth_done = true; @@ -996,8 +969,7 @@ openvpn_plugin_string_list_find(struct openvpn_plugin_string_list *l, const char } void -plugin_return_get_column(const struct plugin_return *src, - struct plugin_return *dest, +plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname) { int i; @@ -1035,10 +1007,7 @@ plugin_return_print(const int msglevel, const char *prefix, const struct plugin_ msg(msglevel, "PLUGIN #%d (%s)", i, prefix); while (l) { - msg(msglevel, "[%d] '%s' -> '%s'\n", - ++count, - l->name, - l->value); + msg(msglevel, "[%d] '%s' -> '%s'\n", ++count, l->name, l->value); l = l->next; } } diff --git a/src/openvpn/plugin.h b/src/openvpn/plugin.h index b44cf0d63..63999b667 100644 --- a/src/openvpn/plugin.h +++ b/src/openvpn/plugin.h @@ -41,17 +41,20 @@ #define MAX_PLUGINS 16 -struct plugin_option { +struct plugin_option +{ const char *so_pathname; const char **argv; }; -struct plugin_option_list { +struct plugin_option_list +{ int n; struct plugin_option plugins[MAX_PLUGINS]; }; -struct plugin { +struct plugin +{ bool initialized; const char *so_pathname; unsigned int plugin_type_mask; 
@@ -105,8 +108,7 @@ struct plugin_return struct plugin_option_list *plugin_option_list_new(struct gc_arena *gc); -bool plugin_option_list_add(struct plugin_option_list *list, char **p, - struct gc_arena *gc); +bool plugin_option_list_add(struct plugin_option_list *list, char **p, struct gc_arena *gc); #ifndef ENABLE_SMALL void plugin_option_list_print(const struct plugin_option_list *list, int msglevel); @@ -115,29 +117,20 @@ void plugin_option_list_print(const struct plugin_option_list *list, int msgleve struct plugin_list *plugin_list_init(const struct plugin_option_list *list); -void plugin_list_open(struct plugin_list *pl, - const struct plugin_option_list *list, - struct plugin_return *pr, - const struct env_set *es, - const int init_point); +void plugin_list_open(struct plugin_list *pl, const struct plugin_option_list *list, + struct plugin_return *pr, const struct env_set *es, const int init_point); struct plugin_list *plugin_list_inherit(const struct plugin_list *src); -int plugin_call_ssl(const struct plugin_list *pl, - const int type, - const struct argv *av, - struct plugin_return *pr, - struct env_set *es, - int current_cert_depth, - openvpn_x509_cert_t *current_cert - ); +int plugin_call_ssl(const struct plugin_list *pl, const int type, const struct argv *av, + struct plugin_return *pr, struct env_set *es, int current_cert_depth, + openvpn_x509_cert_t *current_cert); void plugin_list_close(struct plugin_list *pl); bool plugin_defined(const struct plugin_list *pl, const int type); -void plugin_return_get_column(const struct plugin_return *src, - struct plugin_return *dest, +void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname); void plugin_return_free(struct plugin_return *pr); 
@@ -173,8 +166,14 @@ plugin_return_init(struct plugin_return *pr) } #else /* ifdef ENABLE_PLUGIN */ -struct plugin_list { int dummy; }; -struct plugin_return { int dummy; }; +struct plugin_list +{ + int dummy; +}; +struct plugin_return +{ + int dummy; +}; static inline bool plugin_defined(const struct plugin_list *pl, const int type) @@ -183,14 +182,9 @@ plugin_defined(const struct plugin_list *pl, const int type) } static inline int -plugin_call_ssl(const struct plugin_list *pl, - const int type, - const struct argv *av, - struct plugin_return *pr, - struct env_set *es, - int current_cert_depth, - openvpn_x509_cert_t *current_cert - ) +plugin_call_ssl(const struct plugin_list *pl, const int type, const struct argv *av, + struct plugin_return *pr, struct env_set *es, int current_cert_depth, + openvpn_x509_cert_t *current_cert) { return 0; } @@ -198,11 +192,8 @@ plugin_call_ssl(const struct plugin_list *pl, #endif /* ENABLE_PLUGIN */ static inline int -plugin_call(const struct plugin_list *pl, - const int type, - const struct argv *av, - struct plugin_return *pr, - struct env_set *es) +plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, + struct plugin_return *pr, struct env_set *es) { return plugin_call_ssl(pl, type, av, pr, es, -1, NULL); } diff --git a/src/openvpn/pool.c b/src/openvpn/pool.c index bfa43ece1..898a04527 100644 --- a/src/openvpn/pool.c +++ b/src/openvpn/pool.c @@ -89,14 +89,11 @@ ifconfig_pool_find(struct ifconfig_pool *pool, const char *common_name) * Keep track of a possible allocation to us * from an earlier session. */ - if (previous_usage < 0 - && common_name - && ipe->common_name + if (previous_usage < 0 && common_name && ipe->common_name && !strcmp(common_name, ipe->common_name)) { previous_usage = i; } - } } 
@@ -125,16 +122,14 @@ ifconfig_pool_verify_range(const int msglevel, const in_addr_t start, const in_a if (start > end) { msg(msglevel, "--ifconfig-pool start IP [%s] is greater than end IP [%s]", - print_in_addr_t(start, 0, &gc), - print_in_addr_t(end, 0, &gc)); + print_in_addr_t(start, 0, &gc), print_in_addr_t(end, 0, &gc)); ret = false; } if (end - start >= IFCONFIG_POOL_MAX) { - msg(msglevel, "--ifconfig-pool address range is too large [%s -> %s]. Current maximum is %d addresses, as defined by IFCONFIG_POOL_MAX variable.", - print_in_addr_t(start, 0, &gc), - print_in_addr_t(end, 0, &gc), - IFCONFIG_POOL_MAX); + msg(msglevel, + "--ifconfig-pool address range is too large [%s -> %s]. Current maximum is %d addresses, as defined by IFCONFIG_POOL_MAX variable.", + print_in_addr_t(start, 0, &gc), print_in_addr_t(end, 0, &gc), IFCONFIG_POOL_MAX); ret = false; } gc_free(&gc); @@ -142,10 +137,9 @@ ifconfig_pool_verify_range(const int msglevel, const in_addr_t start, const in_a } struct ifconfig_pool * -ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start, - in_addr_t end, const bool duplicate_cn, - const bool ipv6_pool, const struct in6_addr ipv6_base, - const int ipv6_netbits ) +ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start, in_addr_t end, + const bool duplicate_cn, const bool ipv6_pool, const struct in6_addr ipv6_base, + const int ipv6_netbits) { struct gc_arena gc = gc_new(); struct ifconfig_pool *pool = NULL; @@ -179,8 +173,7 @@ ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start, if (pool_ipv4_size < 2) { - msg(M_FATAL, "IPv4 pool size is too small (%d), must be at least 2", - pool_ipv4_size); + msg(M_FATAL, "IPv4 pool size is too small (%d), must be at least 2", pool_ipv4_size); } msg(D_IFCONFIG_POOL, "IFCONFIG POOL IPv4: base=%s size=%d", 
@@ -198,10 +191,8 @@ ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start, * 4 bytes, therefore we can just extract that and use it as base in * integer form */ - uint32_t base = (ipv6_base.s6_addr[12] << 24) - | (ipv6_base.s6_addr[13] << 16) - | (ipv6_base.s6_addr[14] << 8) - | ipv6_base.s6_addr[15]; + uint32_t base = (ipv6_base.s6_addr[12] << 24) | (ipv6_base.s6_addr[13] << 16) + | (ipv6_base.s6_addr[14] << 8) | ipv6_base.s6_addr[15]; /* some bits of the last 4 bytes may still be part of the network * portion of the address, therefore we need to set them to 0 */ @@ -214,7 +205,7 @@ ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start, * the following operation first computes mask=0x3fffff and then * uses mask to extract the wanted bits from base */ - uint32_t mask = (1 << (128 - ipv6_netbits) ) - 1; + uint32_t mask = (1 << (128 - ipv6_netbits)) - 1; base &= mask; } @@ -232,24 +223,21 @@ ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start, if (base == 0) { msg(D_IFCONFIG_POOL, "IFCONFIG POOL IPv6: incrementing pool start " - "to avoid ::0 assignment"); + "to avoid ::0 assignment"); base++; pool->ipv6.base.s6_addr[15]++; } - pool_ipv6_size = ipv6_netbits >= 112 - ? (1 << (128 - ipv6_netbits)) - base - : IFCONFIG_POOL_MAX; + pool_ipv6_size = + ipv6_netbits >= 112 ? (1 << (128 - ipv6_netbits)) - base : IFCONFIG_POOL_MAX; if (pool_ipv6_size < 2) { - msg(M_FATAL, "IPv6 pool size is too small (%d), must be at least 2", - pool_ipv6_size); + msg(M_FATAL, "IPv6 pool size is too small (%d), must be at least 2", pool_ipv6_size); } msg(D_IFCONFIG_POOL, "IFCONFIG POOL IPv6: base=%s size=%d netbits=%d", - print_in6_addr(pool->ipv6.base, 0, &gc), pool_ipv6_size, - ipv6_netbits); + print_in6_addr(pool->ipv6.base, 0, &gc), pool_ipv6_size, ipv6_netbits); /* if there is no v4 pool, or the v6 pool is smaller, use * v6 pool size as "unified pool size" 
@@ -264,16 +252,20 @@ ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start, { if (pool_ipv4_size < pool_ipv6_size) { - msg(M_INFO, "NOTE: IPv4 pool size is %d, IPv6 pool size is %d. " + msg(M_INFO, + "NOTE: IPv4 pool size is %d, IPv6 pool size is %d. " "IPv4 pool size limits the number of clients that can be " - "served from the pool", pool_ipv4_size, pool_ipv6_size); + "served from the pool", + pool_ipv4_size, pool_ipv6_size); } else if (pool_ipv4_size > pool_ipv6_size) { - msg(M_WARN, "WARNING: IPv4 pool size is %d, IPv6 pool size is %d. " + msg(M_WARN, + "WARNING: IPv4 pool size is %d, IPv6 pool size is %d. " "IPv6 pool size limits the number of clients that can be " "served from the pool. This is likely a MISTAKE - please check " - "your configuration", pool_ipv4_size, pool_ipv6_size); + "your configuration", + pool_ipv4_size, pool_ipv6_size); } } @@ -302,7 +294,8 @@ ifconfig_pool_free(struct ifconfig_pool *pool) } ifconfig_pool_handle -ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, struct in6_addr *remote_ipv6, const char *common_name) +ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, + struct in6_addr *remote_ipv6, const char *common_name) { int i; @@ -402,8 +395,7 @@ ifconfig_pool_ip_base_to_handle(const struct ifconfig_pool *pool, const in_addr_ } static ifconfig_pool_handle -ifconfig_pool_ipv6_base_to_handle(const struct ifconfig_pool *pool, - const struct in6_addr *in_addr) +ifconfig_pool_ipv6_base_to_handle(const struct ifconfig_pool *pool, const struct in6_addr *in_addr) { ifconfig_pool_handle ret; uint32_t base, addr; 
@@ -422,14 +414,10 @@ ifconfig_pool_ipv6_base_to_handle(const struct ifconfig_pool *pool, } } - base = (pool->ipv6.base.s6_addr[12] << 24) - | (pool->ipv6.base.s6_addr[13] << 16) - | (pool->ipv6.base.s6_addr[14] << 8) - | pool->ipv6.base.s6_addr[15]; + base = (pool->ipv6.base.s6_addr[12] << 24) | (pool->ipv6.base.s6_addr[13] << 16) + | (pool->ipv6.base.s6_addr[14] << 8) | pool->ipv6.base.s6_addr[15]; - addr = (in_addr->s6_addr[12] << 24) - | (in_addr->s6_addr[13] << 16) - | (in_addr->s6_addr[14] << 8) + addr = (in_addr->s6_addr[12] << 24) | (in_addr->s6_addr[13] << 16) | (in_addr->s6_addr[14] << 8) | in_addr->s6_addr[15]; ret = addr - base; @@ -478,14 +466,14 @@ ifconfig_pool_handle_to_ipv6_base(const struct ifconfig_pool *pool, ifconfig_poo /* IPv6 pools are always INDIV (--linear) */ if (pool->ipv6.enabled && hand >= 0 && hand < pool->size) { - ret = add_in6_addr( pool->ipv6.base, hand ); + ret = add_in6_addr(pool->ipv6.base, hand); } return ret; } static void -ifconfig_pool_set(struct ifconfig_pool *pool, const char *cn, - ifconfig_pool_handle h, const bool fixed) +ifconfig_pool_set(struct ifconfig_pool *pool, const char *cn, ifconfig_pool_handle h, + const bool fixed) { struct ifconfig_pool_entry *e = &pool->list[h]; ifconfig_pool_entry_free(e, true); @@ -557,7 +545,8 @@ ifconfig_pool_persist_init(const char *filename, int refresh_freq) if (refresh_freq > 0) { ret->fixed = false; - ret->file = status_open(filename, refresh_freq, -1, NULL, STATUS_OUTPUT_READ|STATUS_OUTPUT_WRITE); + ret->file = + status_open(filename, refresh_freq, -1, NULL, STATUS_OUTPUT_READ | STATUS_OUTPUT_WRITE); } else { @@ -640,8 +629,7 @@ ifconfig_pool_read(struct ifconfig_pool_persist *persist, struct ifconfig_pool * * - CN,IP4 * - CN,,IP6 */ - if (!buf_parse(&in, ',', cn_buf, buf_size) - || !buf_parse(&in, ',', ip_buf, buf_size)) + if (!buf_parse(&in, ',', cn_buf, buf_size) || !buf_parse(&in, ',', ip_buf, buf_size)) { continue; } 
@@ -651,22 +639,18 @@ ifconfig_pool_read(struct ifconfig_pool_persist *persist, struct ifconfig_pool * if (strlen(ip_buf) > 0) { bool v4_ok = true; - in_addr_t addr = getaddr(GETADDR_HOST_ORDER, ip_buf, 0, &v4_ok, - NULL); + in_addr_t addr = getaddr(GETADDR_HOST_ORDER, ip_buf, 0, &v4_ok, NULL); if (!v4_ok) { - msg(M_WARN, "pool: invalid IPv4 (%s) for CN=%s", ip_buf, - cn_buf); + msg(M_WARN, "pool: invalid IPv4 (%s) for CN=%s", ip_buf, cn_buf); } else { h = ifconfig_pool_ip_base_to_handle(pool, addr); if (h < 0) { - msg(M_WARN, - "pool: IPv4 (%s) out of pool range for CN=%s", - ip_buf, cn_buf); + msg(M_WARN, "pool: IPv4 (%s) out of pool range for CN=%s", ip_buf, cn_buf); } } } @@ -677,17 +661,14 @@ ifconfig_pool_read(struct ifconfig_pool_persist *persist, struct ifconfig_pool * if (!get_ipv6_addr(ip6_buf, &addr6, NULL, M_WARN)) { - msg(M_WARN, "pool: invalid IPv6 (%s) for CN=%s", ip6_buf, - cn_buf); + msg(M_WARN, "pool: invalid IPv6 (%s) for CN=%s", ip6_buf, cn_buf); } else { h6 = ifconfig_pool_ipv6_base_to_handle(pool, &addr6); if (h6 < 0) { - msg(M_WARN, - "pool: IPv6 (%s) out of pool range for CN=%s", - ip6_buf, cn_buf); + msg(M_WARN, "pool: IPv6 (%s) out of pool range for CN=%s", ip6_buf, cn_buf); } /* Rely on IPv6 if no IPv4 was provided or the one provided @@ -707,8 +688,7 @@ ifconfig_pool_read(struct ifconfig_pool_persist *persist, struct ifconfig_pool * */ if ((h6 >= 0) && (h != h6)) { - msg(M_WARN, - "pool: IPv4 (%s) and IPv6 (%s) have different offsets! Relying on IPv4", + msg(M_WARN, "pool: IPv4 (%s) and IPv6 (%s) have different offsets! Relying on IPv4", ip_buf, ip6_buf); } @@ -759,7 +739,7 @@ ifconfig_pool_test(in_addr_t start, in_addr_t end) CLEAR(array); msg(M_INFO | M_NOPREFIX, "************ 1"); - for (i = 0; i < (int) SIZE(array); ++i) + for (i = 0; i < (int)SIZE(array); ++i) { char *cn; ifconfig_pool_handle h; 
@@ -777,15 +757,12 @@ ifconfig_pool_test(in_addr_t start, in_addr_t end) break; } msg(M_INFO | M_NOPREFIX, "IFCONFIG_POOL TEST pass 1: l=%s r=%s cn=%s", - print_in_addr_t(local, 0, &gc), - print_in_addr_t(remote, 0, &gc), - cn); + print_in_addr_t(local, 0, &gc), print_in_addr_t(remote, 0, &gc), cn); array[i] = h; - } msg(M_INFO | M_NOPREFIX, "************* 2"); - for (i = (int) SIZE(array) / 16; i < (int) SIZE(array) / 8; ++i) + for (i = (int)SIZE(array) / 16; i < (int)SIZE(array) / 8; ++i) { msg(M_INFO, "Attempt to release %d cn=%s", array[i], p->list[i].common_name); if (!ifconfig_pool_release(p, array[i])) @@ -798,13 +775,13 @@ ifconfig_pool_test(in_addr_t start, in_addr_t end) CLEAR(array); msg(M_INFO | M_NOPREFIX, "**************** 3"); - for (i = 0; i < (int) SIZE(array); ++i) + for (i = 0; i < (int)SIZE(array); ++i) { char *cn; ifconfig_pool_handle h; in_addr_t local, remote; char buf[256]; - snprintf(buf, sizeof(buf), "common-name-%d", i+24); + snprintf(buf, sizeof(buf), "common-name-%d", i + 24); #ifdef DUP_CN cn = NULL; #else @@ -816,11 +793,8 @@ ifconfig_pool_test(in_addr_t start, in_addr_t end) break; } msg(M_INFO | M_NOPREFIX, "IFCONFIG_POOL TEST pass 3: l=%s r=%s cn=%s", - print_in_addr_t(local, 0, &gc), - print_in_addr_t(remote, 0, &gc), - cn); + print_in_addr_t(local, 0, &gc), print_in_addr_t(remote, 0, &gc), cn); array[i] = h; - } ifconfig_pool_free(p); diff --git a/src/openvpn/pool.h b/src/openvpn/pool.h index 9f50ca9eb..6cecef0a0 100644 --- a/src/openvpn/pool.h +++ b/src/openvpn/pool.h @@ -29,7 +29,7 @@ #include "status.h" #define IFCONFIG_POOL_MAX 65536 -#define IFCONFIG_POOL_MIN_NETBITS 16 +#define IFCONFIG_POOL_MIN_NETBITS 16 enum pool_type { @@ -48,12 +48,14 @@ struct ifconfig_pool_entry struct ifconfig_pool { bool duplicate_cn; - struct { + struct + { bool enabled; enum pool_type type; in_addr_t base; } ipv4; - struct { + struct + { bool enabled; struct in6_addr base; } ipv6; 
@@ -69,18 +71,18 @@ struct ifconfig_pool_persist typedef int ifconfig_pool_handle; -struct ifconfig_pool *ifconfig_pool_init(const bool ipv4_pool, - enum pool_type type, in_addr_t start, +struct ifconfig_pool *ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start, in_addr_t end, const bool duplicate_cn, - const bool ipv6_pool, - const struct in6_addr ipv6_base, + const bool ipv6_pool, const struct in6_addr ipv6_base, const int ipv6_netbits); void ifconfig_pool_free(struct ifconfig_pool *pool); bool ifconfig_pool_verify_range(const int msglevel, const in_addr_t start, const in_addr_t end); -ifconfig_pool_handle ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, struct in6_addr *remote_ipv6, const char *common_name); +ifconfig_pool_handle ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, + in_addr_t *remote, struct in6_addr *remote_ipv6, + const char *common_name); bool ifconfig_pool_release(struct ifconfig_pool *pool, ifconfig_pool_handle hand, const bool hard); diff --git a/src/openvpn/proto.c b/src/openvpn/proto.c index 48206021e..34b33787c 100644 --- a/src/openvpn/proto.c +++ b/src/openvpn/proto.c @@ -54,8 +54,7 @@ is_ipv_X(int tunnel_type, struct buffer *buf, int ip_ver) else if (tunnel_type == DEV_TYPE_TAP) { const struct openvpn_ethhdr *eh; - if (BLEN(buf) < (sizeof(struct openvpn_ethhdr) - + sizeof(struct openvpn_iphdr))) + if (BLEN(buf) < (sizeof(struct openvpn_ethhdr) + sizeof(struct openvpn_iphdr))) { return false; } @@ -71,8 +70,7 @@ is_ipv_X(int tunnel_type, struct buffer *buf, int ip_ver) if (proto == htons(OPENVPN_ETH_P_8021Q)) { const struct openvpn_8021qhdr *evh; - if (BLEN(buf) < (sizeof(struct openvpn_ethhdr) - + sizeof(struct openvpn_iphdr))) + if (BLEN(buf) < (sizeof(struct openvpn_ethhdr) + sizeof(struct openvpn_iphdr))) { return false; } 
@@ -109,12 +107,12 @@ is_ipv_X(int tunnel_type, struct buffer *buf, int ip_ver) bool is_ipv4(int tunnel_type, struct buffer *buf) { - return is_ipv_X( tunnel_type, buf, 4 ); + return is_ipv_X(tunnel_type, buf, 4); } bool is_ipv6(int tunnel_type, struct buffer *buf) { - return is_ipv_X( tunnel_type, buf, 6 ); + return is_ipv_X(tunnel_type, buf, 6); } @@ -131,9 +129,8 @@ ip_checksum(const sa_family_t af, const uint8_t *payload, const int len_payload, */ for (int i = 0; i < len_payload; i += 2) { - sum += (uint16_t)(((payload[i] << 8) & 0xFF00) - +((i + 1 < len_payload) ? (payload[i + 1] & 0xFF) : 0)); - + sum += (uint16_t)(((payload[i] << 8) & 0xFF00) + + ((i + 1 < len_payload) ? (payload[i + 1] & 0xFF) : 0)); } /* @@ -143,7 +140,6 @@ ip_checksum(const sa_family_t af, const uint8_t *payload, const int len_payload, for (int i = 0; i < addr_len; i += 2) { sum += (uint16_t)((src_addr[i] << 8) & 0xFF00) + (src_addr[i + 1] & 0xFF); - } for (int i = 0; i < addr_len; i += 2) { @@ -166,17 +162,14 @@ ip_checksum(const sa_family_t af, const uint8_t *payload, const int len_payload, } /* Take the one's complement of sum */ - return ((uint16_t) ~sum); + return ((uint16_t)~sum); } #ifdef PACKET_TRUNCATION_CHECK void -ipv4_packet_size_verify(const uint8_t *data, - const int size, - const int tunnel_type, - const char *prefix, - counter_type *errors) +ipv4_packet_size_verify(const uint8_t *data, const int size, const int tunnel_type, + const char *prefix, counter_type *errors) { if (size > 0) { @@ -192,13 +185,13 @@ ipv4_packet_size_verify(const uint8_t *data, const char *msgstr = "PACKET SIZE INFO"; unsigned int msglevel = D_PACKET_TRUNC_DEBUG; - if (BLEN(&buf) < (int) sizeof(struct openvpn_iphdr)) + if (BLEN(&buf) < (int)sizeof(struct openvpn_iphdr)) { return; } verify_align_4(&buf); - pip = (struct openvpn_iphdr *) BPTR(&buf); + pip = (struct openvpn_iphdr *)BPTR(&buf); hlen = OPENVPN_IPH_GET_LEN(pip->version_len); totlen = ntohs(pip->tot_len); 
@@ -213,13 +206,8 @@ ipv4_packet_size_verify(const uint8_t *data, } } - msg(msglevel, "%s %s: size=%d totlen=%d hlen=%d errcount=" counter_format, - msgstr, - prefix, - BLEN(&buf), - totlen, - hlen, - errors ? *errors : (counter_type)0); + msg(msglevel, "%s %s: size=%d totlen=%d hlen=%d errcount=" counter_format, msgstr, + prefix, BLEN(&buf), totlen, hlen, errors ? *errors : (counter_type)0); } } } diff --git a/src/openvpn/proto.h b/src/openvpn/proto.h index 0942c111a..62157fa62 100644 --- a/src/openvpn/proto.h +++ b/src/openvpn/proto.h @@ -32,15 +32,15 @@ * Tunnel types */ #define DEV_TYPE_UNDEF 0 -#define DEV_TYPE_TUN 2 /* point-to-point IP tunnel */ -#define DEV_TYPE_TAP 3 /* ethernet (802.3) tunnel */ +#define DEV_TYPE_TUN 2 /* point-to-point IP tunnel */ +#define DEV_TYPE_TAP 3 /* ethernet (802.3) tunnel */ /* TUN topologies */ -#define TOP_UNDEF 0 -#define TOP_NET30 1 -#define TOP_P2P 2 -#define TOP_SUBNET 3 +#define TOP_UNDEF 0 +#define TOP_NET30 1 +#define TOP_P2P 2 +#define TOP_SUBNET 3 /* * IP and Ethernet protocol structs. For portability, 
@@ -49,46 +49,45 @@ * native structs. */ -#define OPENVPN_ETH_ALEN 6 /* ethernet address length */ +#define OPENVPN_ETH_ALEN 6 /* ethernet address length */ struct openvpn_ethhdr { uint8_t dest[OPENVPN_ETH_ALEN]; /* destination ethernet addr */ uint8_t source[OPENVPN_ETH_ALEN]; /* source ethernet addr */ -#define OPENVPN_ETH_P_IPV4 0x0800 /* IPv4 protocol */ -#define OPENVPN_ETH_P_IPV6 0x86DD /* IPv6 protocol */ -#define OPENVPN_ETH_P_ARP 0x0806 /* ARP protocol */ -#define OPENVPN_ETH_P_8021Q 0x8100 /* 802.1Q protocol */ +#define OPENVPN_ETH_P_IPV4 0x0800 /* IPv4 protocol */ +#define OPENVPN_ETH_P_IPV6 0x86DD /* IPv6 protocol */ +#define OPENVPN_ETH_P_ARP 0x0806 /* ARP protocol */ +#define OPENVPN_ETH_P_8021Q 0x8100 /* 802.1Q protocol */ uint16_t proto; /* packet type ID field */ }; struct openvpn_8021qhdr { - uint8_t dest[OPENVPN_ETH_ALEN]; /* destination ethernet addr */ - uint8_t source[OPENVPN_ETH_ALEN]; /* source ethernet addr */ + uint8_t dest[OPENVPN_ETH_ALEN]; /* destination ethernet addr */ + uint8_t source[OPENVPN_ETH_ALEN]; /* source ethernet addr */ - uint16_t tpid; /* 802.1Q Tag Protocol Identifier */ + uint16_t tpid; /* 802.1Q Tag Protocol Identifier */ #define OPENVPN_8021Q_MASK_PCP htons(0xE000) /* mask PCP out of pcp_cfi_vid */ #define OPENVPN_8021Q_MASK_CFI htons(0x1000) /* mask CFI out of pcp_cfi_vid */ #define OPENVPN_8021Q_MASK_VID htons(0x0FFF) /* mask VID out of pcp_cfi_vid */ - uint16_t pcp_cfi_vid; /* bit fields, see IEEE 802.1Q */ - uint16_t proto; /* contained packet type ID field */ + uint16_t pcp_cfi_vid; /* bit fields, see IEEE 802.1Q */ + uint16_t proto; /* contained packet type ID field */ }; /* * Size difference between a regular Ethernet II header and an Ethernet II * header with additional IEEE 802.1Q tagging. 
*/ -#define SIZE_ETH_TO_8021Q_HDR (sizeof(struct openvpn_8021qhdr) \ - - sizeof(struct openvpn_ethhdr)) +#define SIZE_ETH_TO_8021Q_HDR (sizeof(struct openvpn_8021qhdr) - sizeof(struct openvpn_ethhdr)) /** Version of IN6_ARE_ADDR_EQUAL that is guaranteed to work for * unaligned access. E.g. Linux uses 32bit compares which are * not safe if the struct is unaligned. */ -#define OPENVPN_IN6_ARE_ADDR_EQUAL(a, b) \ - (memcmp(a, b, sizeof(struct in6_addr)) == 0) +#define OPENVPN_IN6_ARE_ADDR_EQUAL(a, b) (memcmp(a, b, sizeof(struct in6_addr)) == 0) -struct openvpn_iphdr { +struct openvpn_iphdr +{ #define OPENVPN_IPH_GET_VER(v) (((v) >> 4) & 0x0F) #define OPENVPN_IPH_GET_LEN(v) (((v) & 0x0F) << 2) uint8_t version_len; @@ -102,9 +101,9 @@ struct openvpn_iphdr { uint8_t ttl; -#define OPENVPN_IPPROTO_IGMP 2 /* IGMP protocol */ -#define OPENVPN_IPPROTO_TCP 6 /* TCP protocol */ -#define OPENVPN_IPPROTO_UDP 17 /* UDP protocol */ +#define OPENVPN_IPPROTO_IGMP 2 /* IGMP protocol */ +#define OPENVPN_IPPROTO_TCP 6 /* TCP protocol */ +#define OPENVPN_IPPROTO_UDP 17 /* UDP protocol */ #define OPENVPN_IPPROTO_ICMPV6 58 /* ICMPV6 protocol */ uint8_t protocol; 
@@ -117,31 +116,33 @@ struct openvpn_iphdr { /* * IPv6 header */ -struct openvpn_ipv6hdr { +struct openvpn_ipv6hdr +{ uint8_t version_prio; uint8_t flow_lbl[3]; uint16_t payload_len; uint8_t nexthdr; uint8_t hop_limit; - struct in6_addr saddr; - struct in6_addr daddr; + struct in6_addr saddr; + struct in6_addr daddr; }; /* * ICMPv6 header */ -struct openvpn_icmp6hdr { -#define OPENVPN_ICMP6_DESTINATION_UNREACHABLE 1 -#define OPENVPN_ND_ROUTER_SOLICIT 133 -#define OPENVPN_ND_ROUTER_ADVERT 134 -#define OPENVPN_ND_NEIGHBOR_SOLICIT 135 -#define OPENVPN_ND_NEIGHBOR_ADVERT 136 -#define OPENVPN_ND_INVERSE_SOLICIT 141 -#define OPENVPN_ND_INVERSE_ADVERT 142 +struct openvpn_icmp6hdr +{ +#define OPENVPN_ICMP6_DESTINATION_UNREACHABLE 1 +#define OPENVPN_ND_ROUTER_SOLICIT 133 +#define OPENVPN_ND_ROUTER_ADVERT 134 +#define OPENVPN_ND_NEIGHBOR_SOLICIT 135 +#define OPENVPN_ND_NEIGHBOR_ADVERT 136 +#define OPENVPN_ND_INVERSE_SOLICIT 141 +#define OPENVPN_ND_INVERSE_ADVERT 142 uint8_t icmp6_type; -#define OPENVPN_ICMP6_DU_NOROUTE 0 -#define OPENVPN_ICMP6_DU_COMMUNICATION_PROHIBTED 1 +#define OPENVPN_ICMP6_DU_NOROUTE 0 +#define OPENVPN_ICMP6_DU_COMMUNICATION_PROHIBTED 1 uint8_t icmp6_code; uint16_t icmp6_cksum; uint8_t icmp6_dataun[4]; @@ -150,7 +151,8 @@ struct openvpn_icmp6hdr { /* * UDP header */ -struct openvpn_udphdr { +struct openvpn_udphdr +{ uint16_t source; uint16_t dest; uint16_t len; 
@@ -160,23 +162,24 @@ struct openvpn_udphdr { /* * TCP header, per RFC 793. */ -struct openvpn_tcphdr { - uint16_t source; /* source port */ - uint16_t dest; /* destination port */ - uint32_t seq; /* sequence number */ - uint32_t ack_seq; /* acknowledgement number */ +struct openvpn_tcphdr +{ + uint16_t source; /* source port */ + uint16_t dest; /* destination port */ + uint32_t seq; /* sequence number */ + uint32_t ack_seq; /* acknowledgement number */ #define OPENVPN_TCPH_GET_DOFF(d) (((d) & 0xF0) >> 2) uint8_t doff_res; -#define OPENVPN_TCPH_FIN_MASK (1<<0) -#define OPENVPN_TCPH_SYN_MASK (1<<1) -#define OPENVPN_TCPH_RST_MASK (1<<2) -#define OPENVPN_TCPH_PSH_MASK (1<<3) -#define OPENVPN_TCPH_ACK_MASK (1<<4) -#define OPENVPN_TCPH_URG_MASK (1<<5) -#define OPENVPN_TCPH_ECE_MASK (1<<6) -#define OPENVPN_TCPH_CWR_MASK (1<<7) +#define OPENVPN_TCPH_FIN_MASK (1 << 0) +#define OPENVPN_TCPH_SYN_MASK (1 << 1) +#define OPENVPN_TCPH_RST_MASK (1 << 2) +#define OPENVPN_TCPH_PSH_MASK (1 << 3) +#define OPENVPN_TCPH_ACK_MASK (1 << 4) +#define OPENVPN_TCPH_URG_MASK (1 << 5) +#define OPENVPN_TCPH_ECE_MASK (1 << 6) +#define OPENVPN_TCPH_CWR_MASK (1 << 7) uint8_t flags; uint16_t window; @@ -189,9 +192,11 @@ struct openvpn_tcphdr { #define OPENVPN_TCPOPT_MAXSEG 2 #define OPENVPN_TCPOLEN_MAXSEG 4 -struct ip_tcp_udp_hdr { +struct ip_tcp_udp_hdr +{ struct openvpn_iphdr ip; - union { + union + { struct openvpn_tcphdr tcp; struct openvpn_udphdr udp; } u; 
@@ -207,30 +212,36 @@ struct ip_tcp_udp_hdr { * subtracting out new words), and "cksum" * is the checksum value to be updated. */ -#define ADJUST_CHECKSUM(acc, cksum) { \ - int _acc = acc; \ - _acc += (cksum); \ - if (_acc < 0) { \ - _acc = -_acc; \ +#define ADJUST_CHECKSUM(acc, cksum) \ + { \ + int _acc = acc; \ + _acc += (cksum); \ + if (_acc < 0) \ + { \ + _acc = -_acc; \ _acc = (_acc >> 16) + (_acc & 0xffff); \ - _acc += _acc >> 16; \ - (cksum) = (uint16_t) ~_acc; \ - } else { \ + _acc += _acc >> 16; \ + (cksum) = (uint16_t)~_acc; \ + } \ + else \ + { \ _acc = (_acc >> 16) + (_acc & 0xffff); \ - _acc += _acc >> 16; \ - (cksum) = (uint16_t) _acc; \ - } \ -} + _acc += _acc >> 16; \ + (cksum) = (uint16_t)_acc; \ + } \ + } -#define ADD_CHECKSUM_32(acc, u32) { \ - acc += (u32) & 0xffff; \ - acc += (u32) >> 16; \ -} +#define ADD_CHECKSUM_32(acc, u32) \ + { \ + acc += (u32) & 0xffff; \ + acc += (u32) >> 16; \ + } -#define SUB_CHECKSUM_32(acc, u32) { \ - acc -= (u32) & 0xffff; \ - acc -= (u32) >> 16; \ -} +#define SUB_CHECKSUM_32(acc, u32) \ + { \ + acc -= (u32) & 0xffff; \ + acc -= (u32) >> 16; \ + } /* * This returns an ip protocol version of packet inside tun @@ -245,7 +256,7 @@ get_tun_ip_ver(int tunnel_type, struct buffer *buf, int *ip_hdr_offset) if (tunnel_type == DEV_TYPE_TUN) { *ip_hdr_offset = 0; - if (likely(BLEN(buf) >= (int) sizeof(struct openvpn_iphdr))) + if (likely(BLEN(buf) >= (int)sizeof(struct openvpn_iphdr))) { ip_ver = OPENVPN_IPH_GET_VER(*BPTR(buf)); } @@ -256,7 +267,7 @@ get_tun_ip_ver(int tunnel_type, struct buffer *buf, int *ip_hdr_offset) /* for tap get ip version from eth header */ if (likely(BLEN(buf) >= *ip_hdr_offset)) { - const struct openvpn_ethhdr *eh = (const struct openvpn_ethhdr *) BPTR(buf); + const struct openvpn_ethhdr *eh = (const struct openvpn_ethhdr *)BPTR(buf); uint16_t proto = ntohs(eh->proto); if (proto == OPENVPN_ETH_P_IPV6) { 
@@ -293,17 +304,12 @@ bool is_ipv6(int tunnel_type, struct buffer *buf); * @param proto next - header or IP protocol of the packet * @return The calculated checksum in host order */ -uint16_t -ip_checksum(const sa_family_t af, const uint8_t *payload, const int len_payload, - const uint8_t *src_addr, const uint8_t *dest_addr, const int proto); +uint16_t ip_checksum(const sa_family_t af, const uint8_t *payload, const int len_payload, + const uint8_t *src_addr, const uint8_t *dest_addr, const int proto); #ifdef PACKET_TRUNCATION_CHECK -void ipv4_packet_size_verify(const uint8_t *data, - const int size, - const int tunnel_type, - const char - *prefix, - counter_type *errors); +void ipv4_packet_size_verify(const uint8_t *data, const int size, const int tunnel_type, + const char *prefix, counter_type *errors); #endif diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index 393abb442..054cc79af 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -39,11 +39,10 @@ #include "memdbg.h" #include "forward.h" -#define UP_TYPE_PROXY "HTTP Proxy" +#define UP_TYPE_PROXY "HTTP Proxy" struct http_proxy_options * -init_http_proxy_options_once(struct http_proxy_options **hpo, - struct gc_arena *gc) +init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc) { if (!*hpo) { @@ -59,13 +58,8 @@ init_http_proxy_options_once(struct http_proxy_options **hpo, static struct user_pass static_proxy_user_pass; static bool -recv_line(socket_descriptor_t sd, - char *buf, - int len, - const int timeout_sec, - const bool verbose, - struct buffer *lookahead, - volatile int *signal_received) +recv_line(socket_descriptor_t sd, char *buf, int len, const int timeout_sec, const bool verbose, + struct buffer *lookahead, volatile int *signal_received) { struct buffer la; int lastc = 0; 
@@ -161,7 +155,8 @@ recv_line(socket_descriptor_t sd, { if (verbose) { - msg(D_LINK_ERRORS | M_ERRNO, "recv_line: Non-ASCII character (%d) read on recv()", (int)c); + msg(D_LINK_ERRORS | M_ERRNO, + "recv_line: Non-ASCII character (%d) read on recv()", (int)c); } *lookahead = la; return false; @@ -190,11 +185,10 @@ error: } static bool -send_line(socket_descriptor_t sd, - const char *buf) +send_line(socket_descriptor_t sd, const char *buf) { const ssize_t size = send(sd, buf, strlen(buf), MSG_NOSIGNAL); - if (size != (ssize_t) strlen(buf)) + if (size != (ssize_t)strlen(buf)) { msg(D_LINK_ERRORS | M_ERRNO, "send_line: TCP port write failed on send()"); return false; @@ -203,8 +197,7 @@ send_line(socket_descriptor_t sd, } static bool -send_line_crlf(socket_descriptor_t sd, - const char *src) +send_line_crlf(socket_descriptor_t sd, const char *src) { bool ret; @@ -228,7 +221,7 @@ make_base64_string2(const uint8_t *str, int src_len, struct gc_arena *gc) uint8_t *ret = NULL; char *b64out = NULL; ASSERT(openvpn_base64_encode((const void *)str, src_len, &b64out) >= 0); - ret = (uint8_t *) string_alloc(b64out, gc); + ret = (uint8_t *)string_alloc(b64out, gc); free(b64out); return ret; } @@ -240,8 +233,7 @@ make_base64_string(const uint8_t *str, struct gc_arena *gc) } static const char * -username_password_as_base64(const struct http_proxy_info *p, - struct gc_arena *gc) +username_password_as_base64(const struct http_proxy_info *p, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(strlen(p->up.username) + strlen(p->up.password) + 2, gc); ASSERT(strlen(p->up.username) > 0); @@ -285,10 +277,7 @@ get_user_pass_http(struct http_proxy_info *p, const bool force) { flags |= GET_USER_PASS_INLINE_CREDS; } - get_user_pass(&static_proxy_user_pass, - auth_file, - UP_TYPE_PROXY, - flags); + get_user_pass(&static_proxy_user_pass, auth_file, UP_TYPE_PROXY, flags); static_proxy_user_pass.nocache = p->options.nocache; protect_user_pass(&static_proxy_user_pass); } 
@@ -325,9 +314,7 @@ dump_residual(socket_descriptor_t sd, * Consumes all headers. */ static int -get_proxy_authenticate(socket_descriptor_t sd, - int timeout, - char **data, +get_proxy_authenticate(socket_descriptor_t sd, int timeout, char **data, volatile int *signal_received) { char buf[256]; @@ -347,22 +334,22 @@ get_proxy_authenticate(socket_descriptor_t sd, } if (ret == HTTP_AUTH_NONE && !strncmp(buf, "Proxy-Authenticate: ", 20)) { - if (!strncmp(buf+20, "Basic ", 6)) + if (!strncmp(buf + 20, "Basic ", 6)) { msg(D_PROXY, "PROXY AUTH BASIC: '%s'", buf); - *data = string_alloc(buf+26, NULL); + *data = string_alloc(buf + 26, NULL); ret = HTTP_AUTH_BASIC; } #if PROXY_DIGEST_AUTH - else if (!strncmp(buf+20, "Digest ", 7)) + else if (!strncmp(buf + 20, "Digest ", 7)) { msg(D_PROXY, "PROXY AUTH DIGEST: '%s'", buf); - *data = string_alloc(buf+27, NULL); + *data = string_alloc(buf + 27, NULL); ret = HTTP_AUTH_DIGEST; } #endif #if NTLM - else if (!strncmp(buf+20, "NTLM", 4)) + else if (!strncmp(buf + 20, "NTLM", 4)) { msg(D_PROXY, "PROXY AUTH NTLM: '%s'", buf); *data = NULL; @@ -385,18 +372,16 @@ store_proxy_authenticate(struct http_proxy_info *p, char *data) * Return true on success, or false on parse failure. */ static bool -get_key_value(const char *str, /* source string */ - char *key, /* key stored here */ - char *value, /* value stored here */ - int max_key_len, - int max_value_len, - const char **endptr) /* next search position */ +get_key_value(const char *str, /* source string */ + char *key, /* key stored here */ + char *value, /* value stored here */ + int max_key_len, int max_value_len, const char **endptr) /* next search position */ { int c; bool starts_with_quote = false; bool escape = false; - for (c = max_key_len-1; (*str && (*str != '=') && c--); ) + for (c = max_key_len - 1; (*str && (*str != '=') && c--);) { *key++ = *str++; } 
@@ -415,7 +400,7 @@ get_key_value(const char *str, /* source string */ starts_with_quote = true; } - for (c = max_value_len-1; *str && c--; str++) + for (c = max_value_len - 1; *str && c--; str++) { switch (*str) { @@ -529,7 +514,8 @@ http_proxy_new(const struct http_proxy_options *o) #if NTLM else if (!strcmp(o->auth_method_string, "ntlm")) { - msg(M_WARN, "NTLM v1 authentication has been removed in OpenVPN 2.7. Will try to use NTLM v2 authentication."); + msg(M_WARN, + "NTLM v1 authentication has been removed in OpenVPN 2.7. Will try to use NTLM v2 authentication."); p->auth_method = HTTP_AUTH_NTLM2; } else if (!strcmp(o->auth_method_string, "ntlm2")) @@ -539,8 +525,7 @@ http_proxy_new(const struct http_proxy_options *o) #endif else { - msg(M_FATAL, "ERROR: unknown HTTP authentication method: '%s'", - o->auth_method_string); + msg(M_FATAL, "ERROR: unknown HTTP authentication method: '%s'", o->auth_method_string); } } @@ -555,7 +540,8 @@ http_proxy_new(const struct http_proxy_options *o) #if !NTLM if (p->auth_method == HTTP_AUTH_NTLM2) { - msg(M_FATAL, "Sorry, this version of " PACKAGE_NAME " was built without NTLM Proxy support."); + msg(M_FATAL, + "Sorry, this version of " PACKAGE_NAME " was built without NTLM Proxy support."); } #endif @@ -570,10 +556,9 @@ http_proxy_close(struct http_proxy_info *hp) } static bool -add_proxy_headers(struct http_proxy_info *p, - socket_descriptor_t sd, /* already open to proxy */ - const char *host /* openvpn server remote */ - ) +add_proxy_headers(struct http_proxy_info *p, socket_descriptor_t sd, /* already open to proxy */ + const char *host /* openvpn server remote */ +) { char buf[512]; int i; 
@@ -584,12 +569,11 @@ add_proxy_headers(struct http_proxy_info *p, * If content is NULL the whole header is in name * Also remember if we already sent a Host: header */ - for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && p->options.custom_headers[i].name; i++) + for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && p->options.custom_headers[i].name; i++) { if (p->options.custom_headers[i].content) { - snprintf(buf, sizeof(buf), "%s: %s", - p->options.custom_headers[i].name, + snprintf(buf, sizeof(buf), "%s: %s", p->options.custom_headers[i].name, p->options.custom_headers[i].content); if (!strcasecmp(p->options.custom_headers[i].name, "Host")) { @@ -598,8 +582,7 @@ add_proxy_headers(struct http_proxy_info *p, } else { - snprintf(buf, sizeof(buf), "%s", - p->options.custom_headers[i].name); + snprintf(buf, sizeof(buf), "%s", p->options.custom_headers[i].name); if (!strncasecmp(p->options.custom_headers[i].name, "Host:", 5)) { host_header_sent = true; @@ -626,8 +609,7 @@ add_proxy_headers(struct http_proxy_info *p, /* send User-Agent string if provided */ if (p->options.user_agent) { - snprintf(buf, sizeof(buf), "User-Agent: %s", - p->options.user_agent); + snprintf(buf, sizeof(buf), "User-Agent: %s", p->options.user_agent); msg(D_PROXY, "Send to HTTP proxy: '%s'", buf); if (!send_line_crlf(sd, buf)) { @@ -641,11 +623,10 @@ add_proxy_headers(struct http_proxy_info *p, bool establish_http_proxy_passthru(struct http_proxy_info *p, - socket_descriptor_t sd, /* already open to proxy */ - const char *host, /* openvpn server remote */ - const char *port, /* openvpn server port */ - struct event_timeout *server_poll_timeout, - struct buffer *lookahead, + socket_descriptor_t sd, /* already open to proxy */ + const char *host, /* openvpn server remote */ + const char *port, /* openvpn server port */ + struct event_timeout *server_poll_timeout, struct buffer *lookahead, struct signal_info *sig_info) { struct gc_arena gc = gc_new(); 
@@ -657,8 +638,7 @@ establish_http_proxy_passthru(struct http_proxy_info *p, volatile int *signal_received = &sig_info->signal_received; /* get user/pass if not previously given */ - if (p->auth_method == HTTP_AUTH_BASIC - || p->auth_method == HTTP_AUTH_DIGEST + if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_DIGEST || p->auth_method == HTTP_AUTH_NTLM2) { get_user_pass_http(p, false); @@ -670,7 +650,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p, unprotect_user_pass(&p->up); } - /* are we being called again after getting the digest server nonce in the previous transaction? */ + /* are we being called again after getting the digest server nonce in the previous transaction? + */ if (p->auth_method == HTTP_AUTH_DIGEST && p->proxy_authenticate) { nparms = 1; @@ -679,10 +660,7 @@ establish_http_proxy_passthru(struct http_proxy_info *p, else { /* format HTTP CONNECT message */ - snprintf(buf, sizeof(buf), "CONNECT %s:%s HTTP/%s", - host, - port, - p->options.http_version); + snprintf(buf, sizeof(buf), "CONNECT %s:%s HTTP/%s", host, port, p->options.http_version); msg(D_PROXY, "Send to HTTP proxy: '%s'", buf); @@ -723,8 +701,7 @@ establish_http_proxy_passthru(struct http_proxy_info *p, goto error; } - snprintf(buf, sizeof(buf), "Proxy-Authorization: NTLM %s", - ntlm_phase_1(p, &gc)); + snprintf(buf, sizeof(buf), "Proxy-Authorization: NTLM %s", ntlm_phase_1(p, &gc)); msg(D_PROXY, "Attempting NTLM Proxy-Authorization phase 1"); dmsg(D_SHOW_KEYS, "Send to HTTP proxy: '%s'", buf); if (!send_line_crlf(sd, buf)) @@ -748,7 +725,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p, } /* receive reply from proxy */ - if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received)) + if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), + true, NULL, signal_received)) { goto error; } 
@@ -760,7 +738,6 @@ establish_http_proxy_passthru(struct http_proxy_info *p, /* parse return string */ nparms = sscanf(buf, "%*s %d", &status); - } /* check for a "407 Proxy Authentication Required" response */ @@ -779,7 +756,9 @@ establish_http_proxy_passthru(struct http_proxy_info *p, char buf2[512]; while (true) { - if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received)) + if (!recv_line(sd, buf, sizeof(buf), + get_server_poll_remaining_time(server_poll_timeout), true, NULL, + signal_received)) { goto error; } @@ -810,9 +789,7 @@ establish_http_proxy_passthru(struct http_proxy_info *p, /* now send the phase 3 reply */ /* format HTTP CONNECT message */ - snprintf(buf, sizeof(buf), "CONNECT %s:%s HTTP/%s", - host, - port, + snprintf(buf, sizeof(buf), "CONNECT %s:%s HTTP/%s", host, port, p->options.http_version); msg(D_PROXY, "Send to HTTP proxy: '%s'", buf); @@ -841,7 +818,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p, const char *np3 = ntlm_phase_3(p, buf2, &gc); if (!np3) { - msg(D_PROXY, "NTLM Proxy-Authorization phase 3 failed: received corrupted data from proxy server"); + msg(D_PROXY, + "NTLM Proxy-Authorization phase 3 failed: received corrupted data from proxy server"); goto error; } snprintf(buf, sizeof(buf), "Proxy-Authorization: NTLM %s", np3); @@ -860,7 +838,9 @@ establish_http_proxy_passthru(struct http_proxy_info *p, } /* receive reply from proxy */ - if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received)) + if (!recv_line(sd, buf, sizeof(buf), + get_server_poll_remaining_time(server_poll_timeout), true, NULL, + signal_received)) { goto error; } 
@@ -904,7 +884,7 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
 if (!realm || !nonce)
 {
 msg(D_LINK_ERRORS, "HTTP proxy: digest auth failed, malformed response "
- "from server: realm= or nonce= missing" );
+ "from server: realm= or nonce= missing");
 goto error;
 }
@@ -914,38 +894,21 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
 /* build the digest response */
- snprintf(uri, sizeof(uri), "%s:%s",
- host,
- port);
+ snprintf(uri, sizeof(uri), "%s:%s", host, port);
 if (opaque)
 {
- const int len = strlen(opaque)+16;
+ const int len = strlen(opaque) + 16;
 opaque_kv = gc_malloc(len, false, &gc);
 snprintf(opaque_kv, len, ", opaque=\"%s\"", opaque);
 }
- DigestCalcHA1(algor,
- username,
- realm,
- password,
- nonce,
- (char *)cnonce,
- session_key);
- DigestCalcResponse(session_key,
- nonce,
- nonce_count,
- (char *)cnonce,
- qop,
- http_method,
- uri,
- NULL,
- response);
+ DigestCalcHA1(algor, username, realm, password, nonce, (char *)cnonce, session_key);
+ DigestCalcResponse(session_key, nonce, nonce_count, (char *)cnonce, qop,
+ http_method, uri, NULL, response);
 /* format HTTP CONNECT message */
- snprintf(buf, sizeof(buf), "%s %s HTTP/%s",
- http_method,
- uri,
+ snprintf(buf, sizeof(buf), "%s %s HTTP/%s", http_method, uri,
 p->options.http_version);
 msg(D_PROXY, "Send to HTTP proxy: '%s'", buf);
@@ -963,17 +926,10 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
 }
 /* send digest response */
- int sret = snprintf(buf, sizeof(buf), "Proxy-Authorization: Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", qop=%s, nc=%s, cnonce=\"%s\", response=\"%s\"%s",
- username,
- realm,
- nonce,
- uri,
- qop,
- nonce_count,
- cnonce,
- response,
- opaque_kv
- );
+ int sret = snprintf(
+ buf, sizeof(buf),
+ "Proxy-Authorization: Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", qop=%s, nc=%s, cnonce=\"%s\", response=\"%s\"%s",
+ username, realm, nonce, uri, qop, nonce_count, cnonce, response, opaque_kv);
 if (sret >= sizeof(buf))
 {
 goto error;
@@ -992,7 +948,9 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
 secure_memzero(buf, sizeof(buf));
 /* receive reply from proxy */
- if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
+ if (!recv_line(sd, buf, sizeof(buf),
+ get_server_poll_remaining_time(server_poll_timeout), true, NULL,
+ signal_received))
 {
 goto error;
 }
@@ -1017,10 +975,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
 {
 /* figure out what kind of authentication the proxy needs */
 char *pa = NULL;
- const int method = get_proxy_authenticate(sd,
- get_server_poll_remaining_time(server_poll_timeout),
- &pa,
- signal_received);
+ const int method = get_proxy_authenticate(
+ sd, get_server_poll_remaining_time(server_poll_timeout), &pa, signal_received);
 if (method != HTTP_AUTH_NONE)
 {
 if (pa)
@@ -1029,7 +985,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
 }
 if (p->options.auth_retry == PAR_NCT && method == HTTP_AUTH_BASIC)
 {
- msg(D_PROXY, "HTTP proxy: support for basic auth and other cleartext proxy auth methods is disabled");
+ msg(D_PROXY,
+ "HTTP proxy: support for basic auth and other cleartext proxy auth methods is disabled");
 free(pa);
 goto error;
 }
@@ -1040,7 +997,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
 }
 else
 {
- msg(D_PROXY, "HTTP proxy: do not recognize the authentication method required by proxy");
+ msg(D_PROXY,
+ "HTTP proxy: do not recognize the authentication method required by proxy");
 free(pa);
 goto error;
 }
@@ -1069,7 +1027,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
 /* SUCCESS */
 /* receive line from proxy and discard */
- if (!recv_line(sd, NULL, 0, get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
+ if (!recv_line(sd, NULL, 0, get_server_poll_remaining_time(server_poll_timeout), true, NULL,
+ signal_received))
 {
 goto error;
 }
@@ -1082,7 +1041,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
 {
 }
- /* reset queried_creds so that we don't think that the next creds request is due to an auth error */
+ /* reset queried_creds so that we don't think that the next creds request is due to an auth
+ * error */
 p->queried_creds = false;
 #if 0
diff --git a/src/openvpn/proxy.h b/src/openvpn/proxy.h
index fcca1ab58..be16d835b 100644
--- a/src/openvpn/proxy.h
+++ b/src/openvpn/proxy.h
@@ -34,19 +34,21 @@
 #define HTTP_AUTH_NTLM2 4
 #define HTTP_AUTH_N 5 /* number of HTTP_AUTH methods */
-struct http_custom_header {
+struct http_custom_header
+{
 const char *name;
 const char *content;
 };
 #define MAX_CUSTOM_HTTP_HEADER 10
-struct http_proxy_options {
+struct http_proxy_options
+{
 const char *server;
 const char *port;
-#define PAR_NO 0 /* don't support any auth retries */
-#define PAR_ALL 1 /* allow all proxy auth protocols */
-#define PAR_NCT 2 /* disable cleartext proxy auth protocols */
+#define PAR_NO 0 /* don't support any auth retries */
+#define PAR_ALL 1 /* allow all proxy auth protocols */
+#define PAR_NCT 2 /* disable cleartext proxy auth protocols */
 int auth_retry;
 const char *auth_method_string;
@@ -56,11 +58,13 @@ struct http_proxy_options {
 const char *user_agent;
 struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER];
 bool inline_creds; /* auth_file_up is inline credentials */
- bool first_time; /* indicates if we need to wipe user creds at the first iteration of the main loop */
+ bool first_time; /* indicates if we need to wipe user creds at the first iteration of the main
+ loop */
 bool nocache;
 };
-struct http_proxy_info {
+struct http_proxy_info
+{
 bool defined;
 int auth_method;
 struct http_proxy_options options;
@@ -77,12 +81,11 @@ struct http_proxy_info *http_proxy_new(const struct http_proxy_options *o);
 void http_proxy_close(struct http_proxy_info *hp);
 bool establish_http_proxy_passthru(struct http_proxy_info *p,
- socket_descriptor_t sd, /* already open to proxy */
- const char *host, /* openvpn server remote */
- const char *port, /* openvpn server port */
+ socket_descriptor_t sd, /* already open to proxy */
+ const char *host, /* openvpn server remote */
+ const char *port, /* openvpn server port */
 struct event_timeout *server_poll_timeout,
- struct buffer *lookahead,
- struct signal_info *sig_info);
+ struct buffer *lookahead, struct signal_info *sig_info);
 uint8_t *make_base64_string2(const uint8_t *str, int str_len, struct gc_arena *gc);
diff --git a/src/openvpn/ps.c b/src/openvpn/ps.c
index 6c6e5ea68..eae03e367 100644
--- a/src/openvpn/ps.c
+++ b/src/openvpn/ps.c
@@ -46,24 +46,25 @@ struct port_share *port_share = NULL; /* GLOBAL */
 #define COMMAND_EXIT 11
 /* Response codes for background -> foreground communication */
-#define RESPONSE_INIT_SUCCEEDED 20
-#define RESPONSE_INIT_FAILED 21
+#define RESPONSE_INIT_SUCCEEDED 20
+#define RESPONSE_INIT_FAILED 21
 /*
 * Return values for proxy_connection_io functions
 */
-#define IOSTAT_EAGAIN_ON_READ 0 /* recv returned EAGAIN */
-#define IOSTAT_EAGAIN_ON_WRITE 1 /* send returned EAGAIN */
-#define IOSTAT_READ_ERROR 2 /* the other end of our read socket (pc) was closed */
-#define IOSTAT_WRITE_ERROR 3 /* the other end of our write socket (pc->counterpart) was closed */
-#define IOSTAT_GOOD 4 /* nothing to report */
+#define IOSTAT_EAGAIN_ON_READ 0 /* recv returned EAGAIN */
+#define IOSTAT_EAGAIN_ON_WRITE 1 /* send returned EAGAIN */
+#define IOSTAT_READ_ERROR 2 /* the other end of our read socket (pc) was closed */
+#define IOSTAT_WRITE_ERROR 3 /* the other end of our write socket (pc->counterpart) was closed */
+#define IOSTAT_GOOD 4 /* nothing to report */
 /*
 * A foreign (non-OpenVPN) connection we are proxying,
 * usually HTTPS
 */
-struct proxy_connection {
+struct proxy_connection
+{
 bool defined;
 struct proxy_connection *next;
 struct proxy_connection *counterpart;
@@ -156,11 +157,11 @@ recv_control(const socket_descriptor_t fd)
 static int
 send_control(const socket_descriptor_t fd, int code)
 {
- unsigned char c = (unsigned char) code;
+ unsigned char c = (unsigned char)code;
 const ssize_t size = write(fd, &c, sizeof(c));
 if (size == sizeof(c))
 {
- return (int) size;
+ return (int)size;
 }
 else
 {
@@ -182,9 +183,7 @@ cmsg_size(void)
 * send commands, data, and file descriptors to the background process.
 */
 static void
-port_share_sendmsg(const socket_descriptor_t sd,
- const char command,
- const struct buffer *head,
+port_share_sendmsg(const socket_descriptor_t sd, const char command, const struct buffer *head,
 const socket_descriptor_t sd_send)
 {
 if (socket_defined(sd))
@@ -196,8 +195,7 @@ port_share_sendmsg(const socket_descriptor_t sd,
 char cmd;
 ssize_t status;
- dmsg(D_PS_PROXY_DEBUG, "PORT SHARE: sendmsg sd=%d len=%d",
- (int)sd_send,
+ dmsg(D_PS_PROXY_DEBUG, "PORT SHARE: sendmsg sd=%d len=%d", (int)sd_send,
 head ? BLEN(head) : -1);
 CLEAR(mesg);
@@ -218,7 +216,7 @@ port_share_sendmsg(const socket_descriptor_t sd,
 mesg.msg_iov = iov;
 mesg.msg_controllen = cmsg_size();
- mesg.msg_control = (char *) malloc(mesg.msg_controllen);
+ mesg.msg_control = (char *)malloc(mesg.msg_controllen);
 check_malloc_return(mesg.msg_control);
 mesg.msg_flags = 0;
@@ -240,9 +238,9 @@ port_share_sendmsg(const socket_descriptor_t sd,
 status = sendmsg(sd, &mesg, MSG_NOSIGNAL);
 if (status == -1)
 {
- msg(M_WARN|M_ERRNO, "PORT SHARE: sendmsg failed -- unable to communicate with background process (%d,%d,%d,%d)",
- sd, sd_send, sd_null[0], sd_null[1]
- );
+ msg(M_WARN | M_ERRNO,
+ "PORT SHARE: sendmsg failed -- unable to communicate with background process (%d,%d,%d,%d)",
+ sd, sd_send, sd_null[0], sd_null[1]);
 }
 close_socket_if_defined(sd_null[0]);
@@ -345,13 +343,13 @@ journal_add(const char *journal_dir, struct proxy_connection *pc, struct proxy_c
 slen = sizeof(from.addr);
 dlen = sizeof(to.addr);
- if (!getpeername(pc->sd, (struct sockaddr *) &from.addr.sa, &slen)
- && !getsockname(cp->sd, (struct sockaddr *) &to.addr.sa, &dlen))
+ if (!getpeername(pc->sd, (struct sockaddr *)&from.addr.sa, &slen)
+ && !getsockname(cp->sd, (struct sockaddr *)&to.addr.sa, &dlen))
 {
 const char *f = print_openvpn_sockaddr(&from, &gc);
 const char *t = print_openvpn_sockaddr(&to, &gc);
- fnlen = strlen(journal_dir) + strlen(t) + 2;
- jfn = (char *) malloc(fnlen);
+ fnlen = strlen(journal_dir) + strlen(t) + 2;
+ jfn = (char *)malloc(fnlen);
 check_malloc_return(jfn);
 snprintf(jfn, fnlen, "%s/%s", journal_dir, t);
 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: client origin %s -> %s", jfn, f);
@@ -367,7 +365,7 @@ journal_add(const char *journal_dir, struct proxy_connection *pc, struct proxy_c
 }
 else
 {
- msg(M_WARN|M_ERRNO, "PORT SHARE: unable to write journal file in %s", jfn);
+ msg(M_WARN | M_ERRNO, "PORT SHARE: unable to write journal file in %s", jfn);
 free(jfn);
 }
 }
@@ -393,11 +391,13 @@ proxy_list_close(struct proxy_connection **list)
 }
 static inline void
-proxy_connection_io_requeue(struct proxy_connection *pc, const int rwflags_new, struct event_set *es)
+proxy_connection_io_requeue(struct proxy_connection *pc, const int rwflags_new,
+ struct event_set *es)
 {
 if (socket_defined(pc->sd) && pc->rwflags != rwflags_new)
 {
- /*dmsg (D_PS_PROXY_DEBUG, "PORT SHARE PROXY: requeue[%d] rwflags=%d", (int)pc->sd, rwflags_new);*/
+ /*dmsg (D_PS_PROXY_DEBUG, "PORT SHARE PROXY: requeue[%d] rwflags=%d", (int)pc->sd,
+ * rwflags_new);*/
 event_ctl(es, pc->sd, rwflags_new, (void *)pc);
 pc->rwflags = rwflags_new;
 }
@@ -411,12 +411,9 @@ proxy_connection_io_requeue(struct proxy_connection *pc, const int rwflags_new,
 * on success and false on failure to connect to server.
 */
 static bool
-proxy_entry_new(struct proxy_connection **list,
- struct event_set *es,
- const struct openvpn_sockaddr server_addr,
- const socket_descriptor_t sd_client,
- struct buffer *initial_data,
- const char *journal_dir)
+proxy_entry_new(struct proxy_connection **list, struct event_set *es,
+ const struct openvpn_sockaddr server_addr, const socket_descriptor_t sd_client,
+ struct buffer *initial_data, const char *journal_dir)
 {
 socket_descriptor_t sd_server;
 int status;
@@ -426,7 +423,7 @@ proxy_entry_new(struct proxy_connection **list,
 /* connect to port share server */
 if ((sd_server = socket(server_addr.addr.sa.sa_family, SOCK_STREAM, IPPROTO_TCP)) < 0)
 {
- msg(M_WARN|M_ERRNO, "PORT SHARE PROXY: cannot create socket");
+ msg(M_WARN | M_ERRNO, "PORT SHARE PROXY: cannot create socket");
 return false;
 }
 status = openvpn_connect(sd_server, &server_addr.addr.sa, 5, NULL);
@@ -472,11 +469,12 @@ proxy_entry_new(struct proxy_connection **list,
 journal_add(journal_dir, pc, cp);
 }
- dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: NEW CONNECTION [c=%d s=%d]", (int)sd_client, (int)sd_server);
+ dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: NEW CONNECTION [c=%d s=%d]", (int)sd_client,
+ (int)sd_server);
 /* set initial i/o states */
 proxy_connection_io_requeue(pc, EVENT_READ, es);
- proxy_connection_io_requeue(cp, EVENT_READ|EVENT_WRITE, es);
+ proxy_connection_io_requeue(cp, EVENT_READ | EVENT_WRITE, es);
 return true;
 }
@@ -488,12 +486,9 @@ proxy_entry_new(struct proxy_connection **list,
 * exit, true otherwise.
 */
 static bool
-control_message_from_parent(const socket_descriptor_t sd_control,
- struct proxy_connection **list,
- struct event_set *es,
- const struct openvpn_sockaddr server_addr,
- const int max_initial_buf,
- const char *journal_dir)
+control_message_from_parent(const socket_descriptor_t sd_control, struct proxy_connection **list,
+ struct event_set *es, const struct openvpn_sockaddr server_addr,
+ const int max_initial_buf, const char *journal_dir)
 {
 /* this buffer needs to be large enough to handle the largest buffer
 * that might be returned by the link_socket_read call in read_incoming_link. */
@@ -516,7 +511,7 @@ control_message_from_parent(const socket_descriptor_t sd_control,
 mesg.msg_iovlen = 2;
 mesg.msg_controllen = cmsg_size();
- mesg.msg_control = (char *) malloc(mesg.msg_controllen);
+ mesg.msg_control = (char *)malloc(mesg.msg_controllen);
 check_malloc_return(mesg.msg_control);
 mesg.msg_flags = 0;
@@ -530,10 +525,8 @@ control_message_from_parent(const socket_descriptor_t sd_control,
 status = recvmsg(sd_control, &mesg, MSG_NOSIGNAL);
 if (status != -1)
 {
- if (h == NULL
- || h->cmsg_len != CMSG_LEN(sizeof(socket_descriptor_t))
- || h->cmsg_level != SOL_SOCKET
- || h->cmsg_type != SCM_RIGHTS)
+ if (h == NULL || h->cmsg_len != CMSG_LEN(sizeof(socket_descriptor_t))
+ || h->cmsg_level != SOL_SOCKET || h->cmsg_type != SCM_RIGHTS)
 {
 msg(M_WARN, "PORT SHARE PROXY: received unknown message");
 }
@@ -546,12 +539,7 @@ control_message_from_parent(const socket_descriptor_t sd_control,
 if (status >= 2 && command == COMMAND_REDIRECT)
 {
 buf.len = status - 1;
- if (proxy_entry_new(list,
- es,
- server_addr,
- received_fd,
- &buf,
- journal_dir))
+ if (proxy_entry_new(list, es, server_addr, received_fd, &buf, journal_dir))
 {
 CLEAR(buf); /* we gave the buffer to proxy_entry_new */
 }
@@ -610,7 +598,8 @@ proxy_connection_io_send(struct proxy_connection *pc, int *bytes_sent)
 *bytes_sent += status;
 if (status != pc->buf.len)
 {
- dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: partial write[%d], tried=%d got=%d", (int)sd, pc->buf.len, status);
+ dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: partial write[%d], tried=%d got=%d", (int)sd,
+ pc->buf.len, status);
 buf_advance(&pc->buf, status);
 return IOSTAT_EAGAIN_ON_WRITE;
 }
@@ -698,9 +687,7 @@ proxy_connection_io_status(const int status, int *rwflags_pc, int *rwflags_cp)
 * in the proxied connection.
 */
 static int
-proxy_connection_io_dispatch(struct proxy_connection *pc,
- const int rwflags,
- struct event_set *es)
+proxy_connection_io_dispatch(struct proxy_connection *pc, const int rwflags, struct event_set *es)
 {
 const int max_transfer_per_iteration = 10000;
 struct proxy_connection *cp = pc->counterpart;
@@ -739,10 +726,8 @@ bad:
 * This is the main function for the port share proxy background process.
 */
 static void
-port_share_proxy(const struct openvpn_sockaddr hostaddr,
- const socket_descriptor_t sd_control,
- const int max_initial_buf,
- const char *journal_dir)
+port_share_proxy(const struct openvpn_sockaddr hostaddr, const socket_descriptor_t sd_control,
+ const int max_initial_buf, const char *journal_dir)
 {
 if (send_control(sd_control, RESPONSE_INIT_SUCCEEDED) >= 0)
 {
@@ -776,7 +761,8 @@ port_share_proxy(const struct openvpn_sockaddr hostaddr,
 const struct event_set_return *e = &esr[i];
 if (e->arg == sd_control_marker)
 {
- if (!control_message_from_parent(sd_control, &list, es, hostaddr, max_initial_buf, journal_dir))
+ if (!control_message_from_parent(sd_control, &list, es, hostaddr,
+ max_initial_buf, journal_dir))
 {
 goto done;
 }
@@ -814,9 +800,7 @@ done:
 * share proxy.
 */
 struct port_share *
-port_share_open(const char *host,
- const char *port,
- const int max_initial_buf,
+port_share_open(const char *host, const char *port, const int max_initial_buf,
 const char *journal_dir)
 {
 pid_t pid;
@@ -834,9 +818,9 @@ port_share_open(const char *host,
 * Get host's IP address
 */
- status = openvpn_getaddrinfo(GETADDR_RESOLVE|GETADDR_FATAL,
- host, port, 0, NULL, AF_UNSPEC, &ai);
- ASSERT(status==0);
+ status =
+ openvpn_getaddrinfo(GETADDR_RESOLVE | GETADDR_FATAL, host, port, 0, NULL, AF_UNSPEC, &ai);
+ ASSERT(status == 0);
 ASSERT(sizeof(hostaddr.addr) >= ai->ai_addrlen);
 memcpy(&hostaddr.addr.sa, ai->ai_addr, ai->ai_addrlen);
 freeaddrinfo(ai);
@@ -982,7 +966,7 @@ port_share_abort(struct port_share *ps)
 bool
 is_openvpn_protocol(const struct buffer *buf)
 {
- const unsigned char *p = (const unsigned char *) BSTR(buf);
+ const unsigned char *p = (const unsigned char *)BSTR(buf);
 const int len = BLEN(buf);
 if (len >= 3)
 {
@@ -1004,7 +988,7 @@ is_openvpn_protocol(const struct buffer *buf)
 * We don't do the 2 byte check for tls-crypt-v2 because it is very
 * unrealistic to have only 2 bytes available.
 */
- return (plen >= 336 && plen < (1024 + 255));
+ return (plen >= 336 && plen < (1024 + 255));
 }
 else
 {
diff --git a/src/openvpn/ps.h b/src/openvpn/ps.h
index c6f563342..e28c403ab 100644
--- a/src/openvpn/ps.h
+++ b/src/openvpn/ps.h
@@ -29,7 +29,8 @@
 #include "buffer.h"
 #include "ssl.h"
-struct port_share {
+struct port_share
+{
 /* Foreground's socket to background process */
 socket_descriptor_t foreground_fd;
@@ -39,9 +40,7 @@ struct port_share {
 extern struct port_share *port_share;
-struct port_share *port_share_open(const char *host,
- const char *port,
- const int max_initial_buf,
+struct port_share *port_share_open(const char *host, const char *port, const int max_initial_buf,
 const char *journal_dir);
 void port_share_close(struct port_share *ps);
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 301310056..889b26832 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -95,7 +95,7 @@ receive_auth_failed(struct context *c, const struct buffer *buffer)
 case AR_INTERACT:
 ssl_purge_auth(false);
- /* Intentional [[fallthrough]]; */
+ /* Intentional [[fallthrough]]; */
 case AR_NOINTERACT:
 /* SOFT-SIGTUSR1 -- Auth failure error */
@@ -114,20 +114,19 @@ receive_auth_failed(struct context *c, const struct buffer *buffer)
 /*
 * Save the dynamic-challenge text even when management is defined
 */
- if (authfail_extended
- && buf_string_match_head_str(&buf, "CRV1:") && BLEN(&buf))
+ if (authfail_extended && buf_string_match_head_str(&buf, "CRV1:") && BLEN(&buf))
 {
 ssl_put_auth_challenge(BSTR(&buf));
 }
 #endif /* ifdef ENABLE_MANAGEMENT */
-
 }
 /*
 * Act on received restart message from server
 */
 void
-server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
+server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart,
+ const int adv)
 {
 if (c->options.pull)
 {
@@ -250,7 +249,8 @@ server_pushed_info(const struct buffer *buffer, const int adv)
 }
 else
 {
- msg(D_PUSH_ERRORS, "WARNING: Received INFO command is too long, won't notify management client.");
+ msg(D_PUSH_ERRORS,
+ "WARNING: Received INFO command is too long, won't notify management client.");
 }
 gc_free(&gc);
@@ -292,20 +292,18 @@ receive_cr_response(struct context *c, const struct buffer *buffer)
 * if the server does not push a timeout
 */
 static void
-parse_auth_pending_keywords(const struct buffer *buffer,
- unsigned int *server_timeout)
+parse_auth_pending_keywords(const struct buffer *buffer, unsigned int *server_timeout)
 {
 struct buffer buf = *buffer;
 /* does the buffer start with "AUTH_PENDING," ? */
- if (!buf_advance(&buf, strlen("AUTH_PENDING"))
- || !(buf_read_u8(&buf) == ',') || !BLEN(&buf))
+ if (!buf_advance(&buf, strlen("AUTH_PENDING")) || !(buf_read_u8(&buf) == ',') || !BLEN(&buf))
 {
 #ifdef ENABLE_MANAGEMENT
 if (management)
 {
- management_set_state(management, OPENVPN_STATE_AUTH_PENDING,
- "", NULL, NULL, NULL, NULL);
+ management_set_state(management, OPENVPN_STATE_AUTH_PENDING, "", NULL, NULL, NULL,
+ NULL);
 }
 #endif
@@ -320,8 +318,8 @@ parse_auth_pending_keywords(const struct buffer *buffer,
 * buf_parse is called, as it will insert \0 bytes into the buffer */
 if (management)
 {
- management_set_state(management, OPENVPN_STATE_AUTH_PENDING,
- BSTR(&buf), NULL, NULL, NULL, NULL);
+ management_set_state(management, OPENVPN_STATE_AUTH_PENDING, BSTR(&buf), NULL, NULL, NULL,
+ NULL);
 }
 #endif
@@ -344,17 +342,18 @@ receive_auth_pending(struct context *c, const struct buffer *buffer)
 /* Cap the increase at the maximum time we are willing stay in the
 * pending authentication state */
- unsigned int max_timeout = max_uint(c->options.renegotiate_seconds/2,
- c->options.handshake_window);
+ unsigned int max_timeout =
+ max_uint(c->options.renegotiate_seconds / 2, c->options.handshake_window);
 /* try to parse parameter keywords, default to hand-winow timeout if the
 * server does not supply a timeout */
 unsigned int server_timeout = c->options.handshake_window;
 parse_auth_pending_keywords(buffer, &server_timeout);
- msg(D_PUSH, "AUTH_PENDING received, extending handshake timeout from %us "
- "to %us", c->options.handshake_window,
- min_uint(max_timeout, server_timeout));
+ msg(D_PUSH,
+ "AUTH_PENDING received, extending handshake timeout from %us "
+ "to %us",
+ c->options.handshake_window, min_uint(max_timeout, server_timeout));
 const struct key_state *ks = get_primary_key(c->c2.tls_multi);
 c->c2.push_request_timeout = ks->established + min_uint(max_timeout, server_timeout);
@@ -374,16 +373,16 @@ receive_auth_pending(struct context *c, const struct buffer *buffer)
 *
 * @return true on success, false on failure.
 */
-static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list,
- int msglevel, const char *fmt, ...)
+static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list, int msglevel,
+ const char *fmt, ...)
 #ifdef __GNUC__
 #if __USE_MINGW_ANSI_STDIO
-__attribute__ ((format(gnu_printf, 4, 5)))
+ __attribute__((format(gnu_printf, 4, 5)))
 #else
-__attribute__ ((format(__printf__, 4, 5)))
+ __attribute__((format(__printf__, 4, 5)))
 #endif
 #endif
-;
+ ;
 /*
 * Send auth failed message from server to client.
@@ -403,7 +402,7 @@ send_auth_failed(struct context *c, const char *client_reason)
 static const char auth_failed[] = "AUTH_FAILED";
 size_t len;
- len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
+ len = (client_reason ? strlen(client_reason) + 1 : 0) + sizeof(auth_failed);
 if (len > PUSH_BUNDLE_SIZE)
 {
 len = PUSH_BUNDLE_SIZE;
@@ -419,13 +418,12 @@ send_auth_failed(struct context *c, const char *client_reason)
 /* We kill the whole session, send the AUTH_FAILED to any TLS session
 * that might be active */
- send_control_channel_string_dowork(&c->c2.tls_multi->session[TM_INITIAL],
- BSTR(&buf), D_PUSH);
- send_control_channel_string_dowork(&c->c2.tls_multi->session[TM_ACTIVE],
- BSTR(&buf), D_PUSH);
+ send_control_channel_string_dowork(&c->c2.tls_multi->session[TM_INITIAL], BSTR(&buf),
+ D_PUSH);
+ send_control_channel_string_dowork(&c->c2.tls_multi->session[TM_ACTIVE], BSTR(&buf),
+ D_PUSH);
 reschedule_multi_process(c);
-
 }
 gc_free(&gc);
@@ -433,8 +431,7 @@ send_auth_failed(struct context *c, const char *client_reason)
 bool
-send_auth_pending_messages(struct tls_multi *tls_multi,
- struct tls_session *session,
+send_auth_pending_messages(struct tls_multi *tls_multi, struct tls_session *session,
 const char *extra, unsigned int timeout)
 {
 struct key_state *ks = &session->key[KS_PRIMARY];
@@ -446,8 +443,8 @@ send_auth_pending_messages(struct tls_multi *tls_multi,
 /* Calculate the maximum timeout and subtract the time we already waited */
- unsigned int max_timeout = max_uint(tls_multi->opt.renegotiate_seconds/2,
- tls_multi->opt.handshake_window);
+ unsigned int max_timeout =
+ max_uint(tls_multi->opt.renegotiate_seconds / 2, tls_multi->opt.handshake_window);
 max_timeout = max_timeout - (now - ks->initial);
 timeout = min_uint(max_timeout, timeout);
@@ -506,17 +503,19 @@ incoming_push_message(struct context *c, const struct buffer *buffer)
 struct gc_arena gc = gc_new();
 unsigned int option_types_found = 0;
- msg(D_PUSH, "PUSH: Received control message: '%s'", sanitize_control_message(BSTR(buffer), &gc));
+ msg(D_PUSH, "PUSH: Received control message: '%s'",
+ sanitize_control_message(BSTR(buffer), &gc));
- int status = process_incoming_push_msg(c, buffer, c->options.pull,
- pull_permission_mask(c),
+ int status = process_incoming_push_msg(c, buffer, c->options.pull, pull_permission_mask(c),
 &option_types_found);
 if (status == PUSH_MSG_ERROR)
 {
- msg(D_PUSH_ERRORS, "WARNING: Received bad push/pull message: %s", sanitize_control_message(BSTR(buffer), &gc));
+ msg(D_PUSH_ERRORS, "WARNING: Received bad push/pull message: %s",
+ sanitize_control_message(BSTR(buffer), &gc));
 }
- else if (status == PUSH_MSG_REPLY || status == PUSH_MSG_UPDATE || status == PUSH_MSG_CONTINUATION)
+ else if (status == PUSH_MSG_REPLY || status == PUSH_MSG_UPDATE
+ || status == PUSH_MSG_CONTINUATION)
 {
 c->options.push_option_types_found |= option_types_found;
@@ -605,17 +604,14 @@ prepare_auth_token_push_reply(struct tls_multi *tls_multi, struct gc_arena *gc,
 */
 if (tls_multi->auth_token)
 {
- push_option_fmt(gc, push_list, M_USAGE, "auth-token %s",
- tls_multi->auth_token);
+ push_option_fmt(gc, push_list, M_USAGE, "auth-token %s", tls_multi->auth_token);
 char *base64user = NULL;
 int ret = openvpn_base64_encode(tls_multi->locked_username,
- (int)strlen(tls_multi->locked_username),
- &base64user);
+ (int)strlen(tls_multi->locked_username), &base64user);
 if (ret < USER_PASS_LEN && ret > 0)
 {
- push_option_fmt(gc, push_list, M_USAGE, "auth-token-user %s",
- base64user);
+ push_option_fmt(gc, push_list, M_USAGE, "auth-token-user %s", base64user);
 }
 free(base64user);
 }
@@ -631,8 +627,7 @@ prepare_auth_token_push_reply(struct tls_multi *tls_multi, struct gc_arena *gc,
 * @return true on success, false on failure.
 */
 bool
-prepare_push_reply(struct context *c, struct gc_arena *gc,
- struct push_list *push_list)
+prepare_push_reply(struct context *c, struct gc_arena *gc, struct push_list *push_list)
 {
 struct tls_multi *tls_multi = c->c2.tls_multi;
 struct options *o = &c->options;
@@ -643,14 +638,12 @@ prepare_push_reply(struct context *c, struct gc_arena *gc,
 push_option_fmt(gc, push_list, M_USAGE, "ifconfig-ipv6 %s/%d %s",
 print_in6_addr(c->c2.push_ifconfig_ipv6_local, 0, gc),
 c->c2.push_ifconfig_ipv6_netbits,
- print_in6_addr(c->c2.push_ifconfig_ipv6_remote,
- 0, gc));
+ print_in6_addr(c->c2.push_ifconfig_ipv6_remote, 0, gc));
 }
 /* ipv4 */
 if (c->c2.push_ifconfig_defined && c->c2.push_ifconfig_local
- && c->c2.push_ifconfig_remote_netmask
- && !o->push_ifconfig_ipv4_blocked)
+ && c->c2.push_ifconfig_remote_netmask && !o->push_ifconfig_ipv4_blocked)
 {
 in_addr_t ifconfig_local = c->c2.push_ifconfig_local;
 if (c->c2.push_ifconfig_local_alias)
@@ -659,14 +652,12 @@ prepare_push_reply(struct context *c, struct gc_arena *gc,
 }
 push_option_fmt(gc, push_list, M_USAGE, "ifconfig %s %s",
 print_in_addr_t(ifconfig_local, 0, gc),
- print_in_addr_t(c->c2.push_ifconfig_remote_netmask,
- 0, gc));
+ print_in_addr_t(c->c2.push_ifconfig_remote_netmask, 0, gc));
 }
 if (tls_multi->use_peer_id)
 {
- push_option_fmt(gc, push_list, M_USAGE, "peer-id %d",
- tls_multi->peer_id);
+ push_option_fmt(gc, push_list, M_USAGE, "peer-id %d", tls_multi->peer_id);
 }
 /*
 * If server uses --auth-gen-token and we have an auth token
@@ -728,10 +719,11 @@ prepare_push_reply(struct context *c, struct gc_arena *gc,
 push_option_fmt(gc, push_list, M_USAGE, "tun-mtu %d", o->ce.tun_mtu);
 if (client_max_mtu < o->ce.tun_mtu)
 {
- msg(M_WARN, "Warning: reported maximum MTU from client (%d) is lower "
+ msg(M_WARN,
+ "Warning: reported maximum MTU from client (%d) is lower "
 "than MTU used on the server (%d). Add tun-max-mtu %d "
- "to client configuration.", client_max_mtu,
- o->ce.tun_mtu, o->ce.tun_mtu);
+ "to client configuration.",
+ client_max_mtu, o->ce.tun_mtu, o->ce.tun_mtu);
 }
 }
@@ -739,8 +731,7 @@ prepare_push_reply(struct context *c, struct gc_arena *gc,
 }
 static bool
-send_push_options(struct context *c, struct buffer *buf,
- struct push_list *push_list, int safe_cap,
+send_push_options(struct context *c, struct buffer *buf, struct push_list *push_list, int safe_cap,
 bool *push_sent, bool *multi_push)
 {
 struct push_entry *e = push_list->head;
@@ -810,15 +801,13 @@ send_push_reply(struct context *c, struct push_list *per_client_push_list)
 buf_printf(&buf, "%s", push_reply_cmd);
 /* send options which are common to all clients */
- if (!send_push_options(c, &buf, &c->options.push_list, safe_cap,
- &push_sent, &multi_push))
+ if (!send_push_options(c, &buf, &c->options.push_list, safe_cap, &push_sent, &multi_push))
 {
 goto fail;
 }
 /* send client-specific options */
- if (!send_push_options(c, &buf, per_client_push_list, safe_cap,
- &push_sent, &multi_push))
+ if (!send_push_options(c, &buf, per_client_push_list, safe_cap, &push_sent, &multi_push))
 {
 goto fail;
 }
@@ -828,7 +817,7 @@ send_push_reply(struct context *c, struct push_list *per_client_push_list)
 buf_printf(&buf, ",push-continuation 1");
 }
- if (BLEN(&buf) > sizeof(push_reply_cmd)-1)
+ if (BLEN(&buf) > sizeof(push_reply_cmd) - 1)
 {
 const bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
 if (!status)
@@ -863,8 +852,8 @@ fail:
 }
 static void
-push_option_ex(struct gc_arena *gc, struct push_list *push_list,
- const char *opt, bool enable, int msglevel)
+push_option_ex(struct gc_arena *gc, struct push_list *push_list, const char *opt, bool enable,
+ int msglevel)
 {
 if (!string_class(opt, CC_ANY, CC_COMMA))
 {
@@ -906,8 +895,7 @@ clone_push_list(struct options *o)
 push_reset(o);
 while (e)
 {
- push_option_ex(&o->gc, &o->push_list,
- string_alloc(e->option, &o->gc), true, M_FATAL);
+ push_option_ex(&o->gc, &o->push_list, string_alloc(e->option, &o->gc), true, M_FATAL);
 e = e->next;
 }
 }
@@ -922,16 +910,16 @@ push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc)
 }
 static bool
-push_option_fmt(struct gc_arena *gc, struct push_list *push_list,
- int msglevel, const char *format, ...)
+push_option_fmt(struct gc_arena *gc, struct push_list *push_list, int msglevel, const char *format,
+ ...)
 {
 va_list arglist;
- char tmp[256] = {0};
+ char tmp[256] = { 0 };
 int len;
 va_start(arglist, format);
 len = vsnprintf(tmp, sizeof(tmp), format, arglist);
 va_end(arglist);
- if (len > sizeof(tmp)-1)
+ if (len > sizeof(tmp) - 1)
 {
 return false;
 }
@@ -958,7 +946,7 @@ push_remove_option(struct options *o, const char *p)
 }
 /* ifconfig-ipv6 is special, as not part of the push list */
- if (streq( p, "ifconfig-ipv6" ))
+ if (streq(p, "ifconfig-ipv6"))
 {
 o->push_ifconfig_ipv6_blocked = true;
 return;
@@ -971,8 +959,7 @@ push_remove_option(struct options *o, const char *p)
 /* cycle through the push list */
 while (e)
 {
- if (e->enable
- && strncmp( e->option, p, strlen(p) ) == 0)
+ if (e->enable && strncmp(e->option, p, strlen(p)) == 0)
 {
 msg(D_PUSH_DEBUG, "PUSH_REMOVE removing: '%s'", e->option);
 e->enable = false;
@@ -1012,8 +999,7 @@ process_incoming_push_request(struct context *c)
 struct push_list push_list = { 0 };
 struct gc_arena gc = gc_new();
- if (prepare_push_reply(c, &gc, &push_list)
- && send_push_reply(c, &push_list))
+ if (prepare_push_reply(c, &gc, &push_list) && send_push_reply(c, &push_list))
 {
 ret = PUSH_MSG_REQUEST;
 c->c2.sent_push_reply_expiry = now + 30;
@@ -1035,9 +1021,9 @@ push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt) char line[OPTION_PARM_SIZE]; while (buf_parse(buf, ',', line, sizeof(line))) { - /* peer-id and auth-token might change on restart and this should not trigger reopening tun */ - if (strprefix(line, "peer-id ") - || strprefix(line, "auth-token ") + /* peer-id and auth-token might change on restart and this should not trigger reopening tun + */ + if (strprefix(line, "peer-id ") || strprefix(line, "auth-token ") || strprefix(line, "auth-token-user ")) { continue; @@ -1047,15 +1033,13 @@ push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt) { continue; } - md_ctx_update(ctx, (const uint8_t *) line, strlen(line)+1); + md_ctx_update(ctx, (const uint8_t *)line, strlen(line) + 1); } } static int -process_incoming_push_reply(struct context *c, - unsigned int permission_mask, - unsigned int *option_types_found, - struct buffer *buf) +process_incoming_push_reply(struct context *c, unsigned int permission_mask, + unsigned int *option_types_found, struct buffer *buf) { int ret = PUSH_MSG_ERROR; const uint8_t ch = buf_read_u8(buf); 
@@ -1068,22 +1052,15 @@ process_incoming_push_reply(struct context *c, md_ctx_init(c->c2.pulled_options_state, "SHA256"); c->c2.pulled_options_digest_init_done = true; } - if (apply_push_options(c, - &c->options, - buf, - permission_mask, - option_types_found, - c->c2.es, + if (apply_push_options(c, &c->options, buf, permission_mask, option_types_found, c->c2.es, false)) { - push_update_digest(c->c2.pulled_options_state, &buf_orig, - &c->options); + push_update_digest(c->c2.pulled_options_state, &buf_orig, &c->options); switch (c->options.push_continuation) { case 0: case 1: - md_ctx_final(c->c2.pulled_options_state, - c->c2.pulled_options_digest.digest); + md_ctx_final(c->c2.pulled_options_state, c->c2.pulled_options_digest.digest); md_ctx_cleanup(c->c2.pulled_options_state); md_ctx_free(c->c2.pulled_options_state); c->c2.pulled_options_state = NULL; @@ -1106,10 +1083,8 @@ process_incoming_push_reply(struct context *c, } int -process_incoming_push_msg(struct context *c, - const struct buffer *buffer, - bool honor_received_options, - unsigned int permission_mask, +process_incoming_push_msg(struct context *c, const struct buffer *buffer, + bool honor_received_options, unsigned int permission_mask, unsigned int *option_types_found) { struct buffer buf = *buffer; 
@@ -1119,17 +1094,13 @@ process_incoming_push_msg(struct context *c, c->c2.push_request_received = true; return process_incoming_push_request(c); } - else if (honor_received_options - && buf_string_compare_advance(&buf, push_reply_cmd)) + else if (honor_received_options && buf_string_compare_advance(&buf, push_reply_cmd)) { - return process_incoming_push_reply(c, permission_mask, - option_types_found, &buf); + return process_incoming_push_reply(c, permission_mask, option_types_found, &buf); } - else if (honor_received_options - && buf_string_compare_advance(&buf, push_update_cmd)) + else if (honor_received_options && buf_string_compare_advance(&buf, push_update_cmd)) { - return process_incoming_push_update(c, permission_mask, - option_types_found, &buf); + return process_incoming_push_update(c, permission_mask, option_types_found, &buf); } else { @@ -1152,13 +1123,14 @@ remove_iroutes_from_push_route_list(struct options *o) /* cycle through the push list */ while (e) { - char *p[MAX_PARMS+1]; + char *p[MAX_PARMS + 1]; bool enable = true; /* parse the push item */ CLEAR(p); if (e->enable - && parse_line(e->option, p, SIZE(p)-1, "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc)) + && parse_line(e->option, p, SIZE(p) - 1, "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, + &gc)) { /* is the push item a route directive? */ if (p[0] && !strcmp(p[0], "route") && !p[3] && o->iroutes) @@ -1166,7 +1138,8 @@ remove_iroutes_from_push_route_list(struct options *o) /* get route parameters */ bool status1, status2; const in_addr_t network = getaddr(GETADDR_HOST_ORDER, p[1], 0, &status1, NULL); - const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, p[2] ? p[2] : "255.255.255.255", 0, &status2, NULL); + const in_addr_t netmask = getaddr( + GETADDR_HOST_ORDER, p[2] ? p[2] : "255.255.255.255", 0, &status2, NULL); /* did route parameters parse correctly? */ if (status1 && status2) 
@@ -1176,7 +1149,9 @@ remove_iroutes_from_push_route_list(struct options *o) /* does route match an iroute? */ for (ir = o->iroutes; ir != NULL; ir = ir->next) { - if (network == ir->network && netmask == netbits_to_netmask(ir->netbits >= 0 ? ir->netbits : 32)) + if (network == ir->network + && netmask + == netbits_to_netmask(ir->netbits >= 0 ? ir->netbits : 32)) { enable = false; break; @@ -1184,8 +1159,7 @@ remove_iroutes_from_push_route_list(struct options *o) } } } - else if (p[0] && !strcmp(p[0], "route-ipv6") && !p[2] - && o->iroutes_ipv6) + else if (p[0] && !strcmp(p[0], "route-ipv6") && !p[2] && o->iroutes_ipv6) { /* get route parameters */ struct in6_addr network; diff --git a/src/openvpn/push.h b/src/openvpn/push.h index b6770bcf2..22b940f39 100644 --- a/src/openvpn/push.h +++ b/src/openvpn/push.h @@ -34,17 +34,18 @@ #define PUSH_MSG_ALREADY_REPLIED 6 #define PUSH_MSG_UPDATE 7 -#define push_reply_cmd "PUSH_REPLY" +#define push_reply_cmd "PUSH_REPLY" #define push_update_cmd "PUSH_UPDATE" /* Push-update options flags */ -#define PUSH_OPT_TO_REMOVE (1<<0) -#define PUSH_OPT_OPTIONAL (1<<1) +#define PUSH_OPT_TO_REMOVE (1 << 0) +#define PUSH_OPT_OPTIONAL (1 << 1) int process_incoming_push_request(struct context *c); /** - * @brief Handles the receiving of a push-update message and applies updates to the specified options. + * @brief Handles the receiving of a push-update message and applies updates to the specified + * options. * * This function processes a push-update message, validating its content and applying updates * to the options specified in the message. It also handles split messages if the complete 
@@ -63,22 +64,19 @@ int process_incoming_push_request(struct context *c); * - `PUSH_MSG_ERROR`: An error occurred during message processing, or the message is invalid. */ -int process_incoming_push_update(struct context *c, - unsigned int permission_mask, - unsigned int *option_types_found, - struct buffer *buf); +int process_incoming_push_update(struct context *c, unsigned int permission_mask, + unsigned int *option_types_found, struct buffer *buf); -int process_incoming_push_msg(struct context *c, - const struct buffer *buffer, - bool honor_received_options, - unsigned int permission_mask, +int process_incoming_push_msg(struct context *c, const struct buffer *buffer, + bool honor_received_options, unsigned int permission_mask, unsigned int *option_types_found); bool send_push_request(struct context *c); void receive_auth_failed(struct context *c, const struct buffer *buffer); -void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv); +void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, + const int adv); void receive_exit_message(struct context *c); @@ -92,8 +90,7 @@ void clone_push_list(struct options *o); void push_option(struct options *o, const char *opt, int msglevel); -void push_options(struct options *o, char **p, int msglevel, - struct gc_arena *gc); +void push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc); void push_reset(struct options *o); 
@@ -108,10 +105,8 @@ void send_auth_failed(struct context *c, const char *client_reason); * doc/management-notes.txt under client-pending-auth for * more details on message format */ -bool -send_auth_pending_messages(struct tls_multi *tls_multi, - struct tls_session *session, const char *extra, - unsigned int timeout); +bool send_auth_pending_messages(struct tls_multi *tls_multi, struct tls_session *session, + const char *extra, unsigned int timeout); void send_restart(struct context *c, const char *kill_msg); @@ -130,7 +125,6 @@ void send_push_reply_auth_token(struct tls_multi *multi); * @param c The context struct * @param buffer Buffer containing the control message with AUTH_PENDING */ -void -receive_auth_pending(struct context *c, const struct buffer *buffer); +void receive_auth_pending(struct context *c, const struct buffer *buffer); #endif /* ifndef PUSH_H */ diff --git a/src/openvpn/push_util.c b/src/openvpn/push_util.c index b4d1e8b49..0862a7433 100644 --- a/src/openvpn/push_util.c +++ b/src/openvpn/push_util.c @@ -5,21 +5,14 @@ #include "push.h" int -process_incoming_push_update(struct context *c, - unsigned int permission_mask, - unsigned int *option_types_found, - struct buffer *buf) +process_incoming_push_update(struct context *c, unsigned int permission_mask, + unsigned int *option_types_found, struct buffer *buf) { int ret = PUSH_MSG_ERROR; const uint8_t ch = buf_read_u8(buf); if (ch == ',') { - if (apply_push_options(c, - &c->options, - buf, - permission_mask, - option_types_found, - c->c2.es, + if (apply_push_options(c, &c->options, buf, permission_mask, option_types_found, c->c2.es, true)) { switch (c->options.push_continuation) diff --git a/src/openvpn/pushlist.h b/src/openvpn/pushlist.h index 1b66517bd..ef4de88ac 100644 --- a/src/openvpn/pushlist.h +++ b/src/openvpn/pushlist.h 
@@ -25,13 +25,15 @@ /* parameters to be pushed to peer */ -struct push_entry { +struct push_entry +{ struct push_entry *next; bool enable; const char *option; }; -struct push_list { +struct push_list +{ struct push_entry *head; struct push_entry *tail; }; diff --git a/src/openvpn/reflect_filter.c b/src/openvpn/reflect_filter.c index 17255f76e..071df7c7a 100644 --- a/src/openvpn/reflect_filter.c +++ b/src/openvpn/reflect_filter.c @@ -46,10 +46,10 @@ reflect_filter_rate_limit_check(struct initial_packet_rate_limit *irl) int64_t dropped = irl->curr_period_counter - irl->max_per_period; if (dropped > 0) { - msg(D_TLS_DEBUG_LOW, "Dropped %" PRId64 " initial handshake packets" - " due to --connect-freq-initial %" PRId64 " %d", dropped, - irl->max_per_period, irl->period_length); - + msg(D_TLS_DEBUG_LOW, + "Dropped %" PRId64 " initial handshake packets" + " due to --connect-freq-initial %" PRId64 " %d", + dropped, irl->max_per_period, irl->period_length); } irl->last_period_reset = now; irl->curr_period_counter = 0; @@ -62,9 +62,11 @@ reflect_filter_rate_limit_check(struct initial_packet_rate_limit *irl) if (over_limit && !irl->warning_displayed) { - msg(M_WARN, "Note: --connect-freq-initial %" PRId64 " %d rate limit " + msg(M_WARN, + "Note: --connect-freq-initial %" PRId64 " %d rate limit " "exceeded, dropping initial handshake packets for the next %d " - "seconds", irl->max_per_period, irl->period_length, + "seconds", + irl->max_per_period, irl->period_length, (int)(irl->last_period_reset + irl->period_length - now)); irl->warning_displayed = true; } diff --git a/src/openvpn/reflect_filter.h b/src/openvpn/reflect_filter.h index e3fb165b3..0601f4b5f 100644 --- a/src/openvpn/reflect_filter.h +++ b/src/openvpn/reflect_filter.h @@ -26,7 +26,8 @@ /** struct that handles all the rate limiting logic for initial * responses */ -struct initial_packet_rate_limit { +struct initial_packet_rate_limit +{ /** This is a hard limit for packets per seconds. */ int64_t max_per_period; 
@@ -50,22 +51,19 @@ struct initial_packet_rate_limit { * checks if the connection is still allowed to connect under the rate * limit. This also increases the internal counter at the same time */ -bool -reflect_filter_rate_limit_check(struct initial_packet_rate_limit *irl); +bool reflect_filter_rate_limit_check(struct initial_packet_rate_limit *irl); /** * decreases the counter of initial packets seen, so connections that * successfully completed the three-way handshake do not count against * the counter of initial connection attempts */ -void -reflect_filter_rate_limit_decrease(struct initial_packet_rate_limit *irl); +void reflect_filter_rate_limit_decrease(struct initial_packet_rate_limit *irl); /** * allocate and initialize the initial-packet rate limiter structure */ -struct initial_packet_rate_limit * -initial_rate_limit_init(int max_per_period, int period_length); +struct initial_packet_rate_limit *initial_rate_limit_init(int max_per_period, int period_length); /** * free the initial-packet rate limiter structure diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c index 278dc3332..b4a747f9c 100644 --- a/src/openvpn/reliable.c +++ b/src/openvpn/reliable.c @@ -50,8 +50,7 @@ subtract_pid(const packet_id_type test, const packet_id_type base) * verify that test - base < extent while allowing for base or test wraparound */ static inline bool -reliable_pid_in_range1(const packet_id_type test, - const packet_id_type base, +reliable_pid_in_range1(const packet_id_type test, const packet_id_type base, const unsigned int extent) { return subtract_pid(test, base) < extent; @@ -61,8 +60,7 @@ reliable_pid_in_range1(const packet_id_type test, * verify that test < base + extent while allowing for base or test wraparound */ static inline bool -reliable_pid_in_range2(const packet_id_type test, - const packet_id_type base, +reliable_pid_in_range2(const packet_id_type test, const packet_id_type base, const unsigned int extent) { if (base + extent >= base) 
@@ -74,7 +72,7 @@ reliable_pid_in_range2(const packet_id_type test, } else { - if ((test+0x80000000u) < (base+0x80000000u) + extent) + if ((test + 0x80000000u) < (base + 0x80000000u) + extent) { return true; } @@ -87,8 +85,7 @@ reliable_pid_in_range2(const packet_id_type test, * verify that p1 < p2 while allowing for p1 or p2 wraparound */ static inline bool -reliable_pid_min(const packet_id_type p1, - const packet_id_type p2) +reliable_pid_min(const packet_id_type p1, const packet_id_type p2) { return !reliable_pid_in_range1(p1, p2, 0x80000000u); } @@ -144,8 +141,7 @@ reliable_ack_acknowledge_packet_id(struct reliable_ack *ack, packet_id_type pid) bool -reliable_ack_read(struct reliable_ack *ack, - struct buffer *buf, const struct session_id *sid) +reliable_ack_read(struct reliable_ack *ack, struct buffer *buf, const struct session_id *sid) { struct session_id session_id_remote; @@ -154,12 +150,11 @@ reliable_ack_read(struct reliable_ack *ack, return false; } - if (ack->len >= 1 && (!session_id_defined(&session_id_remote) - || !session_id_equal(&session_id_remote, sid))) + if (ack->len >= 1 + && (!session_id_defined(&session_id_remote) || !session_id_equal(&session_id_remote, sid))) { struct gc_arena gc = gc_new(); - dmsg(D_REL_LOW, - "ACK read BAD SESSION-ID FROM REMOTE, local=%s, remote=%s", + dmsg(D_REL_LOW, "ACK read BAD SESSION-ID FROM REMOTE, local=%s, remote=%s", session_id_print(sid, &gc), session_id_print(&session_id_remote, &gc)); gc_free(&gc); return false; @@ -210,7 +205,7 @@ copy_acks_to_mru(struct reliable_ack *ack, struct reliable_ack *ack_mru, int n) { ASSERT(ack->len >= n); /* This loop is backward to ensure the same order as in ack */ - for (int i = n-1; i >= 0; i--) + for (int i = n - 1; i >= 0; i--) { packet_id_type id = ack->packet_id[i]; 
@@ -250,9 +245,7 @@ copy_acks_to_mru(struct reliable_ack *ack, struct reliable_ack *ack_mru, int n) /* write a packet ID acknowledgement record to buf, */ /* removing all acknowledged entries from ack */ bool -reliable_ack_write(struct reliable_ack *ack, - struct reliable_ack *ack_mru, - struct buffer *buf, +reliable_ack_write(struct reliable_ack *ack, struct reliable_ack *ack_mru, struct buffer *buf, const struct session_id *sid, int max, bool prepend) { int i, j, n; @@ -284,7 +277,8 @@ reliable_ack_write(struct reliable_ack *ack, packet_id_type pid = ack_mru->packet_id[i]; packet_id_type net_pid = htonpid(pid); ASSERT(buf_write(&sub, &net_pid, sizeof(net_pid))); - dmsg(D_REL_DEBUG, "ACK write ID " packet_id_format " (ack->len=%d, n=%d)", (packet_id_print_type)pid, ack->len, n); + dmsg(D_REL_DEBUG, "ACK write ID " packet_id_format " (ack->len=%d, n=%d)", + (packet_id_print_type)pid, ack->len, n); } if (total_acks) { @@ -293,7 +287,7 @@ reliable_ack_write(struct reliable_ack *ack, } if (n) { - for (i = 0, j = n; j < ack->len; ) + for (i = 0, j = n; j < ack->len;) { ack->packet_id[i++] = ack->packet_id[j++]; } @@ -494,7 +488,8 @@ reliable_not_replay(const struct reliable *rel, packet_id_type id) return true; bad: - dmsg(D_REL_DEBUG, "ACK " packet_id_format " is a replay: %s", (packet_id_print_type)id, reliable_print_ids(rel, &gc)); + dmsg(D_REL_DEBUG, "ACK " packet_id_format " is a replay: %s", (packet_id_print_type)id, + reliable_print_ids(rel, &gc)); gc_free(&gc); return false; } @@ -513,7 +508,8 @@ reliable_wont_break_sequentiality(const struct reliable *rel, packet_id_type id) gc_free(&gc); } - dmsg(D_REL_DEBUG, "ACK RWBS rel->size=%d rel->packet_id=%08x id=%08x ret=%d", rel->size, rel->packet_id, id, ret); + dmsg(D_REL_DEBUG, "ACK RWBS rel->size=%d rel->packet_id=%08x id=%08x ret=%d", rel->size, + rel->packet_id, id, ret); return ret; } 
@@ -630,9 +626,7 @@ reliable_can_send(const struct reliable *rel) } } (void)n_active; /* dmsg might not generate code */ - dmsg(D_REL_DEBUG, "ACK reliable_can_send active=%d current=%d : %s", - n_active, - n_current, + dmsg(D_REL_DEBUG, "ACK reliable_can_send active=%d current=%d : %s", n_active, n_current, reliable_print_ids(rel, &gc)); gc_free(&gc); @@ -653,8 +647,7 @@ reliable_send(struct reliable *rel, int *opcode) /* If N_ACK_RETRANSMIT later packets have received ACKs, we assume * that the packet was lost and resend it even if the timeout has * not expired yet. */ - if (e->active - && (e->n_acks >= N_ACK_RETRANSMIT || local_now >= e->next_try)) + if (e->active && (e->n_acks >= N_ACK_RETRANSMIT || local_now >= e->next_try)) { if (!best || reliable_pid_min(e->packet_id, best->packet_id)) { @@ -720,9 +713,7 @@ reliable_send_timeout(const struct reliable *rel) } } - dmsg(D_REL_DEBUG, "ACK reliable_send_timeout %d %s", - (int) ret, - reliable_print_ids(rel, &gc)); + dmsg(D_REL_DEBUG, "ACK reliable_send_timeout %d %s", (int)ret, reliable_print_ids(rel, &gc)); gc_free(&gc); return ret; @@ -733,8 +724,8 @@ reliable_send_timeout(const struct reliable *rel) */ void -reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf, - packet_id_type pid, int opcode) +reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf, packet_id_type pid, + int opcode) { for (int i = 0; i < rel->size; ++i) { @@ -753,11 +744,12 @@ reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf, e->next_try = 0; e->timeout = 0; e->n_acks = 0; - dmsg(D_REL_DEBUG, "ACK mark active incoming ID " packet_id_format, (packet_id_print_type)e->packet_id); + dmsg(D_REL_DEBUG, "ACK mark active incoming ID " packet_id_format, + (packet_id_print_type)e->packet_id); return; } } - ASSERT(0); /* buf not found in rel */ + ASSERT(0); /* buf not found in rel */ } /* 
@@ -782,11 +774,12 @@ reliable_mark_active_outgoing(struct reliable *rel, struct buffer *buf, int opco e->opcode = opcode; e->next_try = 0; e->timeout = rel->initial_timeout; - dmsg(D_REL_DEBUG, "ACK mark active outgoing ID " packet_id_format, (packet_id_print_type)e->packet_id); + dmsg(D_REL_DEBUG, "ACK mark active outgoing ID " packet_id_format, + (packet_id_print_type)e->packet_id); return; } } - ASSERT(0); /* buf not found in rel */ + ASSERT(0); /* buf not found in rel */ } /* delete a buffer previously activated by reliable_mark_active() */ diff --git a/src/openvpn/reliable.h b/src/openvpn/reliable.h index 6c37d7876..89a9b16f9 100644 --- a/src/openvpn/reliable.h +++ b/src/openvpn/reliable.h @@ -40,18 +40,21 @@ * @{ */ -#define RELIABLE_ACK_SIZE 8 /**< The maximum number of packet IDs - * waiting to be acknowledged which can - * be stored in one \c reliable_ack - * structure. */ - -#define RELIABLE_CAPACITY 12 /**< The maximum number of packets that - * the reliability layer for one VPN - * tunnel in one direction can store. */ - -#define N_ACK_RETRANSMIT 3 /**< We retry sending a packet early if - * this many later packets have been - * ACKed. */ +#define RELIABLE_ACK_SIZE \ + 8 /**< The maximum number of packet IDs \ + * waiting to be acknowledged which can \ + * be stored in one \c reliable_ack \ + * structure. */ + +#define RELIABLE_CAPACITY \ + 12 /**< The maximum number of packets that \ + * the reliability layer for one VPN \ + * tunnel in one direction can store. */ + +#define N_ACK_RETRANSMIT \ + 3 /**< We retry sending a packet early if \ + * this many later packets have been \ + * ACKed. */ /** * The acknowledgment structure in which packet IDs are stored for later 
@@ -76,9 +79,9 @@ struct reliable_entry interval_t timeout; time_t next_try; packet_id_type packet_id; - size_t n_acks; /* Number of acks received for packets with higher PID. - * Used for fast retransmission when there were at least - * N_ACK_RETRANSMIT. */ + size_t n_acks; /* Number of acks received for packets with higher PID. + * Used for fast retransmission when there were at least + * N_ACK_RETRANSMIT. */ int opcode; struct buffer buf; }; @@ -93,7 +96,7 @@ struct reliable interval_t initial_timeout; packet_id_type packet_id; int offset; /**< Offset of the bufs in the reliable_entry array */ - bool hold; /* don't xmit until reliable_schedule_now is called */ + bool hold; /* don't xmit until reliable_schedule_now is called */ struct reliable_entry array[RELIABLE_CAPACITY]; }; @@ -120,8 +123,7 @@ struct reliable * @li True, if processing was successful. * @li False, if an error occurs during processing. */ -bool reliable_ack_read(struct reliable_ack *ack, - struct buffer *buf, const struct session_id *sid); +bool reliable_ack_read(struct reliable_ack *ack, struct buffer *buf, const struct session_id *sid); /** @@ -141,9 +143,8 @@ bool reliable_ack_read(struct reliable_ack *ack, * @li True, if processing was successful. * @li False, if an error occurs during processing. */ -bool -reliable_ack_parse(struct buffer *buf, struct reliable_ack *ack, - struct session_id *session_id_remote); +bool reliable_ack_parse(struct buffer *buf, struct reliable_ack *ack, + struct session_id *session_id_remote); /** * Remove acknowledged packets from a reliable structure. 
@@ -212,9 +213,7 @@ reliable_ack_outstanding(struct reliable_ack *ack) * @li True, if processing was successful. * @li False, if an error occurs during processing. */ -bool reliable_ack_write(struct reliable_ack *ack, - struct reliable_ack *ack_mru, - struct buffer *buf, +bool reliable_ack_write(struct reliable_ack *ack, struct reliable_ack *ack_mru, struct buffer *buf, const struct session_id *sid, int max, bool prepend); /** @} name Functions for processing outgoing acknowledgments */ @@ -337,8 +336,8 @@ struct buffer *reliable_get_buf(struct reliable *rel); * @param pid The packet's packet ID. * @param opcode The packet's opcode. */ -void reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf, - packet_id_type pid, int opcode); +void reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf, packet_id_type pid, + int opcode); /** * Record a packet ID for later acknowledgment. @@ -374,7 +373,6 @@ bool reliable_ack_acknowledge_packet_id(struct reliable_ack *ack, packet_id_type struct reliable_entry *reliable_get_entry_sequenced(struct reliable *rel); - /** * Copies the first n acks from \c ack to \c ack_mru * @@ -382,8 +380,7 @@ struct reliable_entry *reliable_get_entry_sequenced(struct reliable *rel); * @param ack_mru The reliable structure to insert the acks into * @param n The number of ACKS to copy */ -void -copy_acks_to_mru(struct reliable_ack *ack, struct reliable_ack *ack_mru, int n); +void copy_acks_to_mru(struct reliable_ack *ack, struct reliable_ack *ack_mru, int n); /** @@ -426,8 +423,7 @@ struct buffer *reliable_get_buf_output_sequenced(struct reliable *rel); * @return the number of buffer that are available for sending without * breaking ack sequence * */ -int -reliable_get_num_output_sequenced_available(struct reliable *rel); +int reliable_get_num_output_sequenced_available(struct reliable *rel); /** * Mark the reliable entry associated with the given buffer as 
diff --git a/src/openvpn/ring_buffer.h b/src/openvpn/ring_buffer.h
new file mode 100644
index 000000000..e554296a8
--- /dev/null
+++ b/src/openvpn/ring_buffer.h
@@ -0,0 +1,124 @@
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2024 OpenVPN Inc
+ * 2019 Lev Stipakov
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifdef _WIN32
+#ifndef OPENVPN_RING_BUFFER_H
+#define OPENVPN_RING_BUFFER_H
+
+#include
+#include
+
+#include
+#include
+
+/*
+ * Values below are taken from Wireguard Windows client
+ * https://github.com/WireGuard/wireguard-go/blob/master/tun/wintun/ring_windows.go#L14
+ */
+#define WINTUN_RING_CAPACITY 0x800000
+#define WINTUN_RING_TRAILING_BYTES 0x10000
+#define WINTUN_MAX_PACKET_SIZE 0xffff
+#define WINTUN_PACKET_ALIGN 4
+
+#define TUN_IOCTL_REGISTER_RINGS \
+ CTL_CODE(51820U, 0x970U, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
+
+/**
+ * Wintun ring buffer
+ * See https://github.com/WireGuard/wintun#ring-layout
+ */
+struct tun_ring
+{
+ volatile ULONG head;
+ volatile ULONG tail;
+ volatile LONG alertable;
+ UCHAR data[WINTUN_RING_CAPACITY + WINTUN_RING_TRAILING_BYTES];
+};
+
+/**
+ * Struct for ring buffers registration
+ * See https://github.com/WireGuard/wintun#registering-rings
+ */
+struct tun_register_rings
+{
+ struct
+ {
+ ULONG ring_size;
+ struct tun_ring 
*ring;
+ HANDLE tail_moved;
+ } send, receive;
+};
+
+struct TUN_PACKET_HEADER
+{
+ uint32_t size;
+};
+
+struct TUN_PACKET
+{
+ uint32_t size;
+ UCHAR data[WINTUN_MAX_PACKET_SIZE];
+};
+
+/**
+ * Registers ring buffers used to exchange data between
+ * userspace openvpn process and wintun kernel driver,
+ * see https://github.com/WireGuard/wintun#registering-rings
+ *
+ * @param device handle to opened wintun device
+ * @param send_ring pointer to send ring
+ * @param receive_ring pointer to receive ring
+ * @param send_tail_moved event set by wintun to signal openvpn
+ * that data is available for reading in send ring
+ * @param receive_tail_moved event set by openvpn to signal wintun
+ * that data has been written to receive ring
+ * @return true if registration is successful, false otherwise - use
+ * GetLastError()
+ */
+static inline bool
+register_ring_buffers(HANDLE device, struct tun_ring *send_ring, struct tun_ring *receive_ring,
+ HANDLE send_tail_moved, HANDLE receive_tail_moved)
+{
+ struct tun_register_rings rr;
+ BOOL res;
+ DWORD bytes_returned;
+
+ ZeroMemory(&rr, sizeof(rr));
+
+ rr.send.ring = send_ring;
+ rr.send.ring_size = sizeof(struct tun_ring);
+ rr.send.tail_moved = send_tail_moved;
+
+ rr.receive.ring = receive_ring;
+ rr.receive.ring_size = sizeof(struct tun_ring);
+ rr.receive.tail_moved = receive_tail_moved;
+
+ res = DeviceIoControl(device, TUN_IOCTL_REGISTER_RINGS, &rr, sizeof(rr), NULL, 0,
+ &bytes_returned, NULL);
+
+ return res != FALSE;
+}
+
+#endif /* ifndef OPENVPN_RING_BUFFER_H */
+#endif /* ifdef _WIN32 */
diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index c4f7f95be..e5044850f 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
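Review bot: `struct tun_ring` is memory shared with the Wintun kernel driver (the doc comment points at the Wintun ring-layout page and the fields are `volatile`), yet the header never states which side advances `head` and `tail` or that a reader must range-check them against `WINTUN_RING_CAPACITY` before using them as an offset into `data`. The code that consumes the ring is not in this file, so I cannot tell from the hunk whether that bound is enforced there; documenting the contract here is the cheap way to make sure every consumer does it. I would add above the struct: `/* head/tail are advanced by the peer across the user/kernel boundary: treat values read from them as untrusted and bound them to WINTUN_RING_CAPACITY before indexing data. */`. Likewise the comment on `tun_register_rings` could say that `ring_size` is always `sizeof(struct tun_ring)` and must match the layout the driver expects, since `register_ring_buffers` hard-codes it for both rings.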
@@ -46,11 +46,11 @@ #include "memdbg.h" #if defined(TARGET_LINUX) || defined(TARGET_ANDROID) -#include /* RTM_GETROUTE etc. */ +#include /* RTM_GETROUTE etc. */ #endif #if defined(TARGET_NETBSD) -#include /* RT_ROUNDUP(), RT_ADVANCE() */ +#include /* RT_ROUNDUP(), RT_ADVANCE() */ #endif #ifdef _WIN32 @@ -67,7 +67,8 @@ static bool del_route_ipv6_service(const struct route_ipv6 *, const struct tunta static int route_ipv6_ipapi(bool add, const struct route_ipv6 *, const struct tuntap *); -static int add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapter_index); +static int add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, + DWORD adapter_index); static bool del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt); @@ -89,9 +90,7 @@ print_bypass_addresses(const struct route_bypass *rb) int i; for (i = 0; i < rb->n_bypass; ++i) { - msg(D_ROUTE, "ROUTE: bypass_host_route[%d]=%s", - i, - print_in_addr_t(rb->bypass[i], 0, &gc)); + msg(D_ROUTE, "ROUTE: bypass_host_route[%d]=%s", i, print_in_addr_t(rb->bypass[i], 0, &gc)); } gc_free(&gc); } @@ -99,9 +98,9 @@ print_bypass_addresses(const struct route_bypass *rb) #endif /* Route addition return status codes */ -#define RTA_ERROR 0 /* route addition failed */ -#define RTA_SUCCESS 1 /* route addition succeeded */ -#define RTA_EEXIST 2 /* route not added as it already exists */ +#define RTA_ERROR 0 /* route addition failed */ +#define RTA_SUCCESS 1 /* route addition succeeded */ +#define RTA_EEXIST 2 /* route not added as it already exists */ static bool add_bypass_address(struct route_bypass *rb, const in_addr_t a) 
@@ -169,7 +168,8 @@ clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc } void -copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a) +copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, + struct gc_arena *a) { *dest = *src; dest->gc = a; @@ -177,8 +177,7 @@ copy_route_option_list(struct route_option_list *dest, const struct route_option void copy_route_ipv6_option_list(struct route_ipv6_option_list *dest, - const struct route_ipv6_option_list *src, - struct gc_arena *a) + const struct route_ipv6_option_list *src, struct gc_arena *a) { *dest = *src; dest->gc = a; @@ -188,11 +187,8 @@ static const char * route_string(const struct route_ipv4 *r, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(256, gc); - buf_printf(&out, "ROUTE network %s netmask %s gateway %s", - print_in_addr_t(r->network, 0, gc), - print_in_addr_t(r->netmask, 0, gc), - print_in_addr_t(r->gateway, 0, gc) - ); + buf_printf(&out, "ROUTE network %s netmask %s gateway %s", print_in_addr_t(r->network, 0, gc), + print_in_addr_t(r->netmask, 0, gc), print_in_addr_t(r->gateway, 0, gc)); if (r->flags & RT_METRIC_DEFINED) { buf_printf(&out, " metric %d", r->metric); @@ -232,10 +228,7 @@ setenv_route_addr(struct env_set *es, const char *key, const in_addr_t addr, int } static bool -get_special_addr(const struct route_list *rl, - const char *string, - in_addr_t *out, - bool *status) +get_special_addr(const struct route_list *rl, const char *string, in_addr_t *out, bool *status) { if (status) { @@ -270,7 +263,8 @@ get_special_addr(const struct route_list *rl, } else { - msg(M_INFO, PACKAGE_NAME " ROUTE: net_gateway undefined -- unable to get default gateway from system"); + msg(M_INFO, PACKAGE_NAME + " ROUTE: net_gateway undefined -- unable to get default gateway from system"); if (status) { *status = false; 
@@ -315,15 +309,13 @@ is_special_addr(const char *addr_str) } static bool -init_route(struct route_ipv4 *r, - struct addrinfo **network_list, - const struct route_option *ro, +init_route(struct route_ipv4 *r, struct addrinfo **network_list, const struct route_option *ro, const struct route_list *rl) { const in_addr_t default_netmask = IPV4_NETMASK_HOST; bool status; int ret; - struct in_addr special = {0}; + struct in_addr special = { 0 }; CLEAR(*r); r->option = ro; @@ -337,7 +329,7 @@ init_route(struct route_ipv4 *r, /* get_special_addr replaces specialaddr with a special ip addr * like gw. getaddrinfo is called to convert a a addrinfo struct */ - if (get_special_addr(rl, ro->network, (in_addr_t *) &special.s_addr, &status)) + if (get_special_addr(rl, ro->network, (in_addr_t *)&special.s_addr, &status)) { if (!status) { @@ -346,13 +338,12 @@ init_route(struct route_ipv4 *r, special.s_addr = htonl(special.s_addr); char buf[INET_ADDRSTRLEN]; inet_ntop(AF_INET, &special, buf, sizeof(buf)); - ret = openvpn_getaddrinfo(0, buf, NULL, 0, NULL, - AF_INET, network_list); + ret = openvpn_getaddrinfo(0, buf, NULL, 0, NULL, AF_INET, network_list); } else { - ret = openvpn_getaddrinfo(GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL, - ro->network, NULL, 0, NULL, AF_INET, network_list); + ret = openvpn_getaddrinfo(GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL, ro->network, NULL, 0, + NULL, AF_INET, network_list); } status = (ret == 0); @@ -366,13 +357,8 @@ init_route(struct route_ipv4 *r, if (is_route_parm_defined(ro->netmask)) { - r->netmask = getaddr( - GETADDR_HOST_ORDER - | GETADDR_WARN_ON_SIGNAL, - ro->netmask, - 0, - &status, - NULL); + r->netmask = + getaddr(GETADDR_HOST_ORDER | GETADDR_WARN_ON_SIGNAL, ro->netmask, 0, &status, NULL); if (!status) { goto fail; 
@@ -389,14 +375,8 @@ init_route(struct route_ipv4 *r, { if (!get_special_addr(rl, ro->gateway, &r->gateway, &status)) { - r->gateway = getaddr( - GETADDR_RESOLVE - | GETADDR_HOST_ORDER - | GETADDR_WARN_ON_SIGNAL, - ro->gateway, - 0, - &status, - NULL); + r->gateway = getaddr(GETADDR_RESOLVE | GETADDR_HOST_ORDER | GETADDR_WARN_ON_SIGNAL, + ro->gateway, 0, &status, NULL); } if (!status) { @@ -411,7 +391,9 @@ init_route(struct route_ipv4 *r, } else { - msg(M_WARN, PACKAGE_NAME " ROUTE: " PACKAGE_NAME " needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options"); + msg(M_WARN, PACKAGE_NAME + " ROUTE: " PACKAGE_NAME + " needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options"); goto fail; } } @@ -425,8 +407,7 @@ init_route(struct route_ipv4 *r, if (r->metric < 0) { msg(M_WARN, PACKAGE_NAME " ROUTE: route metric for network %s (%s) must be >= 0", - ro->network, - ro->metric); + ro->network, ro->metric); goto fail; } r->flags |= RT_METRIC_DEFINED; @@ -451,13 +432,12 @@ fail: } static bool -init_route_ipv6(struct route_ipv6 *r6, - const struct route_ipv6_option *r6o, - const struct route_ipv6_list *rl6 ) +init_route_ipv6(struct route_ipv6 *r6, const struct route_ipv6_option *r6o, + const struct route_ipv6_list *rl6) { CLEAR(*r6); - if (!get_ipv6_addr( r6o->prefix, &r6->network, &r6->netbits, M_WARN )) + if (!get_ipv6_addr(r6o->prefix, &r6->network, &r6->netbits, M_WARN)) { goto fail; } @@ -465,9 +445,9 @@ init_route_ipv6(struct route_ipv6 *r6, /* gateway */ if (is_route_parm_defined(r6o->gateway)) { - if (inet_pton( AF_INET6, r6o->gateway, &r6->gateway ) != 1) + if (inet_pton(AF_INET6, r6o->gateway, &r6->gateway) != 1) { - msg( M_WARN, PACKAGE_NAME "ROUTE6: cannot parse gateway spec '%s'", r6o->gateway ); + msg(M_WARN, PACKAGE_NAME "ROUTE6: cannot parse gateway spec '%s'", r6o->gateway); } } else if (rl6->spec_flags & RTSA_REMOTE_ENDPOINT) 
@@ -484,8 +464,7 @@ init_route_ipv6(struct route_ipv6 *r6, if (r6->metric < 0) { msg(M_WARN, PACKAGE_NAME " ROUTE: route metric for network %s (%s) must be >= 0", - r6o->prefix, - r6o->metric); + r6o->prefix, r6o->metric); goto fail; } r6->flags |= RT_METRIC_DEFINED; @@ -510,12 +489,8 @@ fail: } void -add_route_to_option_list(struct route_option_list *l, - const char *network, - const char *netmask, - const char *gateway, - const char *metric, - int table_id) +add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask, + const char *gateway, const char *metric, int table_id) { struct route_option *ro; ALLOC_OBJ_GC(ro, struct route_option, l->gc); @@ -526,15 +501,11 @@ add_route_to_option_list(struct route_option_list *l, ro->table_id = table_id; ro->next = l->routes; l->routes = ro; - } void -add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, - const char *prefix, - const char *gateway, - const char *metric, - int table_id) +add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, + const char *gateway, const char *metric, int table_id) { struct route_ipv6_option *ro; ALLOC_OBJ_GC(ro, struct route_ipv6_option, l->gc); @@ -561,9 +532,7 @@ clear_route_ipv6_list(struct route_ipv6_list *rl6) } void -route_list_add_vpn_gateway(struct route_list *rl, - struct env_set *es, - const in_addr_t addr) +route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr) { ASSERT(rl); rl->spec.remote_endpoint = addr; @@ -572,8 +541,7 @@ route_list_add_vpn_gateway(struct route_list *rl, } static void -add_block_local_item(struct route_list *rl, - const struct route_gateway_address *gateway, +add_block_local_item(struct route_list *rl, const struct route_gateway_address *gateway, in_addr_t target) { if (rl->rgi.gateway.netmask < 0xFFFFFFFF) 
@@ -585,11 +553,11 @@ add_block_local_item(struct route_list *rl, ALLOC_OBJ_GC(r2, struct route_ipv4, &rl->gc); /* split a route into two smaller blocking routes, and direct them to target */ - l2 = ((~gateway->netmask)+1)>>1; + l2 = ((~gateway->netmask) + 1) >> 1; r1->flags = RT_DEFINED; r1->gateway = target; r1->network = gateway->addr & gateway->netmask; - r1->netmask = ~(l2-1); + r1->netmask = ~(l2 - 1); r1->next = rl->routes; rl->routes = r1; @@ -627,21 +595,15 @@ add_block_local_routes(struct route_list *rl) bool block_local_needed(const struct route_list *rl) { - const int rgi_needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED); - return (rl->flags & RG_BLOCK_LOCAL) - && (rl->rgi.flags & rgi_needed) == rgi_needed - && (rl->spec.flags & RTSA_REMOTE_ENDPOINT) - && rl->spec.remote_host_local != TLA_LOCAL; + const int rgi_needed = (RGI_ADDR_DEFINED | RGI_NETMASK_DEFINED); + return (rl->flags & RG_BLOCK_LOCAL) && (rl->rgi.flags & rgi_needed) == rgi_needed + && (rl->spec.flags & RTSA_REMOTE_ENDPOINT) && rl->spec.remote_host_local != TLA_LOCAL; } bool -init_route_list(struct route_list *rl, - const struct route_option_list *opt, - const char *remote_endpoint, - int default_metric, - in_addr_t remote_host, - struct env_set *es, - openvpn_net_ctx_t *ctx) +init_route_list(struct route_list *rl, const struct route_option_list *opt, + const char *remote_endpoint, int default_metric, in_addr_t remote_host, + struct env_set *es, openvpn_net_ctx_t *ctx) { struct gc_arena gc = gc_new(); bool ret = true; @@ -683,14 +645,9 @@ init_route_list(struct route_list *rl, if (is_route_parm_defined(remote_endpoint)) { bool defined = false; - rl->spec.remote_endpoint = getaddr( - GETADDR_RESOLVE - | GETADDR_HOST_ORDER - | GETADDR_WARN_ON_SIGNAL, - remote_endpoint, - 0, - &defined, - NULL); + rl->spec.remote_endpoint = + getaddr(GETADDR_RESOLVE | GETADDR_HOST_ORDER | GETADDR_WARN_ON_SIGNAL, remote_endpoint, + 0, &defined, NULL); if (defined) { 
@@ -758,14 +715,13 @@ init_route_list(struct route_list *rl, * "good enough") */ static bool -route_ipv6_match_host( const struct route_ipv6 *r6, - const struct in6_addr *host ) +route_ipv6_match_host(const struct route_ipv6 *r6, const struct in6_addr *host) { unsigned int bits = r6->netbits; int i; unsigned int mask; - if (bits>128) + if (bits > 128) { return false; } @@ -783,9 +739,9 @@ route_ipv6_match_host( const struct route_ipv6 *r6, return true; } - mask = 0xff << (8-bits); + mask = 0xff << (8 - bits); - if ( (r6->network.s6_addr[i] & mask) == (host->s6_addr[i] & mask )) + if ((r6->network.s6_addr[i] & mask) == (host->s6_addr[i] & mask)) { return true; } @@ -794,12 +750,9 @@ route_ipv6_match_host( const struct route_ipv6 *r6, } bool -init_route_ipv6_list(struct route_ipv6_list *rl6, - const struct route_ipv6_option_list *opt6, - const char *remote_endpoint, - int default_metric, - const struct in6_addr *remote_host_ipv6, - struct env_set *es, +init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, + const char *remote_endpoint, int default_metric, + const struct in6_addr *remote_host_ipv6, struct env_set *es, openvpn_net_ctx_t *ctx) { struct gc_arena gc = gc_new(); @@ -823,7 +776,7 @@ init_route_ipv6_list(struct route_ipv6_list *rl6, } msg(D_ROUTE, "GDG6: remote_host_ipv6=%s", - remote_host_ipv6 ? print_in6_addr(*remote_host_ipv6, 0, &gc) : "n/a" ); + remote_host_ipv6 ? print_in6_addr(*remote_host_ipv6, 0, &gc) : "n/a"); get_default_gateway_ipv6(&rl6->rgi6, remote_host_ipv6, ctx); if (rl6->rgi6.flags & RGI_ADDR_DEFINED) 
@@ -838,16 +791,16 @@ init_route_ipv6_list(struct route_ipv6_list *rl6, dmsg(D_ROUTE, "ROUTE6: default_gateway=UNDEF"); } - if (is_route_parm_defined( remote_endpoint )) + if (is_route_parm_defined(remote_endpoint)) { - if (inet_pton( AF_INET6, remote_endpoint, - &rl6->remote_endpoint_ipv6) == 1) + if (inet_pton(AF_INET6, remote_endpoint, &rl6->remote_endpoint_ipv6) == 1) { rl6->spec_flags |= RTSA_REMOTE_ENDPOINT; } else { - msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve VPN endpoint: %s", remote_endpoint); + msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve VPN endpoint: %s", + remote_endpoint); ret = false; } } @@ -877,11 +830,11 @@ init_route_ipv6_list(struct route_ipv6_list *rl6, * avoiding routing loops, so ignore this part and let * need_remote_ipv6_route always evaluate to false */ - if (remote_host_ipv6 - && route_ipv6_match_host( r6, remote_host_ipv6 ) ) + if (remote_host_ipv6 && route_ipv6_match_host(r6, remote_host_ipv6)) { need_remote_ipv6_route = true; - msg(D_ROUTE, "ROUTE6: %s/%d overlaps IPv6 remote %s, adding host route to VPN endpoint", + msg(D_ROUTE, + "ROUTE6: %s/%d overlaps IPv6 remote %s, adding host route to VPN endpoint", print_in6_addr(r6->network, 0, &gc), r6->netbits, print_in6_addr(*remote_host_ipv6, 0, &gc)); } @@ -893,15 +846,15 @@ init_route_ipv6_list(struct route_ipv6_list *rl6, /* add VPN server host route if needed */ if (need_remote_ipv6_route) { - if ( (rl6->rgi6.flags & (RGI_ADDR_DEFINED|RGI_IFACE_DEFINED) ) == - (RGI_ADDR_DEFINED|RGI_IFACE_DEFINED) ) + if ((rl6->rgi6.flags & (RGI_ADDR_DEFINED | RGI_IFACE_DEFINED)) + == (RGI_ADDR_DEFINED | RGI_IFACE_DEFINED)) { struct route_ipv6 *r6; ALLOC_OBJ_CLEAR_GC(r6, struct route_ipv6, &rl6->gc); r6->network = *remote_host_ipv6; r6->netbits = 128; - if (!(rl6->rgi6.flags & RGI_ON_LINK) ) + if (!(rl6->rgi6.flags & RGI_ON_LINK)) { r6->gateway = rl6->rgi6.gateway.addr_ipv6; } 
@@ -918,7 +871,8 @@ init_route_ipv6_list(struct route_ipv6_list *rl6, } else { - msg(M_WARN, "ROUTE6: IPv6 route overlaps with IPv6 remote address, but could not determine IPv6 gateway address + interface, expect failure\n" ); + msg(M_WARN, + "ROUTE6: IPv6 route overlaps with IPv6 remote address, but could not determine IPv6 gateway address + interface, expect failure\n"); } } @@ -927,13 +881,8 @@ init_route_ipv6_list(struct route_ipv6_list *rl6, } static bool -add_route3(in_addr_t network, - in_addr_t netmask, - in_addr_t gateway, - const struct tuntap *tt, - unsigned int flags, - const struct route_gateway_info *rgi, - const struct env_set *es, +add_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt, + unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx) { struct route_ipv4 r; @@ -946,18 +895,13 @@ add_route3(in_addr_t network, } static void -del_route3(in_addr_t network, - in_addr_t netmask, - in_addr_t gateway, - const struct tuntap *tt, - unsigned int flags, - const struct route_gateway_info *rgi, - const struct env_set *es, +del_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt, + unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx) { struct route_ipv4 r; CLEAR(r); - r.flags = RT_DEFINED|RT_ADDED; + r.flags = RT_DEFINED | RT_ADDED; r.network = network; r.netmask = netmask; r.gateway = gateway; 
@@ -965,56 +909,42 @@ del_route3(in_addr_t network, } static bool -add_bypass_routes(struct route_bypass *rb, - in_addr_t gateway, - const struct tuntap *tt, - unsigned int flags, - const struct route_gateway_info *rgi, - const struct env_set *es, - openvpn_net_ctx_t *ctx) +add_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt, + unsigned int flags, const struct route_gateway_info *rgi, + const struct env_set *es, openvpn_net_ctx_t *ctx) { int ret = true; for (int i = 0; i < rb->n_bypass; ++i) { if (rb->bypass[i]) { - ret = add_route3(rb->bypass[i], IPV4_NETMASK_HOST, gateway, tt, - flags | ROUTE_REF_GW, rgi, es, ctx) && ret; + ret = add_route3(rb->bypass[i], IPV4_NETMASK_HOST, gateway, tt, flags | ROUTE_REF_GW, + rgi, es, ctx) + && ret; } } return ret; } static void -del_bypass_routes(struct route_bypass *rb, - in_addr_t gateway, - const struct tuntap *tt, - unsigned int flags, - const struct route_gateway_info *rgi, - const struct env_set *es, - openvpn_net_ctx_t *ctx) +del_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt, + unsigned int flags, const struct route_gateway_info *rgi, + const struct env_set *es, openvpn_net_ctx_t *ctx) { int i; for (i = 0; i < rb->n_bypass; ++i) { if (rb->bypass[i]) { - del_route3(rb->bypass[i], - IPV4_NETMASK_HOST, - gateway, - tt, - flags | ROUTE_REF_GW, - rgi, - es, + del_route3(rb->bypass[i], IPV4_NETMASK_HOST, gateway, tt, flags | ROUTE_REF_GW, rgi, es, ctx); } } } static bool -redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, - unsigned int flags, const struct env_set *es, - openvpn_net_ctx_t *ctx) +redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags, + const struct env_set *es, openvpn_net_ctx_t *ctx) { const char err[] = "NOTE: unable to redirect IPv4 default gateway --"; bool ret = true; 
@@ -1064,9 +994,8 @@ redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, if ((rl->spec.flags & RTSA_REMOTE_HOST) && rl->spec.remote_host != IPV4_INVALID_ADDR) { - ret = add_route3(rl->spec.remote_host, IPV4_NETMASK_HOST, - rl->rgi.gateway.addr, tt, flags | ROUTE_REF_GW, - &rl->rgi, es, ctx); + ret = add_route3(rl->spec.remote_host, IPV4_NETMASK_HOST, rl->rgi.gateway.addr, + tt, flags | ROUTE_REF_GW, &rl->rgi, es, ctx); if (ret) { rl->iflags |= RL_DID_LOCAL; @@ -1080,20 +1009,23 @@ redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, #endif /* ifndef TARGET_ANDROID */ /* route DHCP/DNS server traffic through original default gateway */ - ret = add_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags, - &rl->rgi, es, ctx) && ret; + ret = add_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags, &rl->rgi, es, + ctx) + && ret; if (rl->flags & RG_REROUTE_GW) { if (rl->flags & RG_DEF1) { /* add new default route (1st component) */ - ret = add_route3(0x00000000, 0x80000000, rl->spec.remote_endpoint, - tt, flags, &rl->rgi, es, ctx) && ret; + ret = add_route3(0x00000000, 0x80000000, rl->spec.remote_endpoint, tt, flags, + &rl->rgi, es, ctx) + && ret; /* add new default route (2nd component) */ - ret = add_route3(0x80000000, 0x80000000, rl->spec.remote_endpoint, - tt, flags, &rl->rgi, es, ctx) && ret; + ret = add_route3(0x80000000, 0x80000000, rl->spec.remote_endpoint, tt, flags, + &rl->rgi, es, ctx) + && ret; } else { 
@@ -1101,13 +1033,13 @@ redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, if (rl->rgi.flags & RGI_ADDR_DEFINED) { /* delete default route */ - del_route3(0, 0, rl->rgi.gateway.addr, tt, - flags | ROUTE_REF_GW, &rl->rgi, es, ctx); + del_route3(0, 0, rl->rgi.gateway.addr, tt, flags | ROUTE_REF_GW, &rl->rgi, + es, ctx); } /* add new default route */ - ret = add_route3(0, 0, rl->spec.remote_endpoint, tt, - flags, &rl->rgi, es, ctx) && ret; + ret = add_route3(0, 0, rl->spec.remote_endpoint, tt, flags, &rl->rgi, es, ctx) + && ret; } } @@ -1119,9 +1051,8 @@ redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, } static void -undo_redirect_default_route_to_vpn(struct route_list *rl, - const struct tuntap *tt, unsigned int flags, - const struct env_set *es, +undo_redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, + unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx) { if (rl && rl->iflags & RL_DID_REDIRECT_DEFAULT_GATEWAY) 
@@ -1129,61 +1060,35 @@ undo_redirect_default_route_to_vpn(struct route_list *rl, /* delete remote host route */ if (rl->iflags & RL_DID_LOCAL) { - del_route3(rl->spec.remote_host, - IPV4_NETMASK_HOST, - rl->rgi.gateway.addr, - tt, - flags | ROUTE_REF_GW, - &rl->rgi, - es, - ctx); + del_route3(rl->spec.remote_host, IPV4_NETMASK_HOST, rl->rgi.gateway.addr, tt, + flags | ROUTE_REF_GW, &rl->rgi, es, ctx); rl->iflags &= ~RL_DID_LOCAL; } /* delete special DHCP/DNS bypass route */ - del_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags, - &rl->rgi, es, ctx); + del_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags, &rl->rgi, es, ctx); if (rl->flags & RG_REROUTE_GW) { if (rl->flags & RG_DEF1) { /* delete default route (1st component) */ - del_route3(0x00000000, - 0x80000000, - rl->spec.remote_endpoint, - tt, - flags, - &rl->rgi, - es, - ctx); + del_route3(0x00000000, 0x80000000, rl->spec.remote_endpoint, tt, flags, &rl->rgi, + es, ctx); /* delete default route (2nd component) */ - del_route3(0x80000000, - 0x80000000, - rl->spec.remote_endpoint, - tt, - flags, - &rl->rgi, - es, - ctx); + del_route3(0x80000000, 0x80000000, rl->spec.remote_endpoint, tt, flags, &rl->rgi, + es, ctx); } else { /* delete default route */ - del_route3(0, - 0, - rl->spec.remote_endpoint, - tt, - flags, - &rl->rgi, - es, - ctx); + del_route3(0, 0, rl->spec.remote_endpoint, tt, flags, &rl->rgi, es, ctx); /* restore original default route if there was any */ if (rl->rgi.flags & RGI_ADDR_DEFINED) { - add_route3(0, 0, rl->rgi.gateway.addr, tt, - flags | ROUTE_REF_GW, &rl->rgi, es, ctx); + add_route3(0, 0, rl->rgi.gateway.addr, tt, flags | ROUTE_REF_GW, &rl->rgi, es, + ctx); } } } 
@@ -1193,32 +1098,28 @@ undo_redirect_default_route_to_vpn(struct route_list *rl, } bool -add_routes(struct route_list *rl, struct route_ipv6_list *rl6, - const struct tuntap *tt, unsigned int flags, - const struct env_set *es, openvpn_net_ctx_t *ctx) +add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, + unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx) { bool ret = redirect_default_route_to_vpn(rl, tt, flags, es, ctx); - if (rl && !(rl->iflags & RL_ROUTES_ADDED) ) + if (rl && !(rl->iflags & RL_ROUTES_ADDED)) { struct route_ipv4 *r; if (rl->routes && !tt->did_ifconfig_setup) { - msg(M_INFO, "WARNING: OpenVPN was configured to add an IPv4 " + msg(M_INFO, + "WARNING: OpenVPN was configured to add an IPv4 " "route. However, no IPv4 has been configured for %s, " "therefore the route installation may fail or may not work " - "as expected.", tt->actual_name); + "as expected.", + tt->actual_name); } #ifdef ENABLE_MANAGEMENT if (management && rl->routes) { - management_set_state(management, - OPENVPN_STATE_ADD_ROUTES, - NULL, - NULL, - NULL, - NULL, + management_set_state(management, OPENVPN_STATE_ADD_ROUTES, NULL, NULL, NULL, NULL, NULL); } #endif @@ -1233,16 +1134,18 @@ add_routes(struct route_list *rl, struct route_ipv6_list *rl6, } rl->iflags |= RL_ROUTES_ADDED; } - if (rl6 && !(rl6->iflags & RL_ROUTES_ADDED) ) + if (rl6 && !(rl6->iflags & RL_ROUTES_ADDED)) { struct route_ipv6 *r; if (!tt->did_ifconfig_ipv6_setup) { - msg(M_INFO, "WARNING: OpenVPN was configured to add an IPv6 " + msg(M_INFO, + "WARNING: OpenVPN was configured to add an IPv6 " "route. However, no IPv6 has been configured for %s, " "therefore the route installation may fail or may not work " - "as expected.", tt->actual_name); + "as expected.", + tt->actual_name); } for (r = rl6->routes_ipv6; r; r = r->next) 
@@ -1260,18 +1163,16 @@ add_routes(struct route_list *rl, struct route_ipv6_list *rl6, } void -delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, - const struct tuntap *tt, unsigned int flags, - const struct env_set *es, openvpn_net_ctx_t *ctx) +delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, + unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx) { delete_routes_v4(rl, tt, flags, es, ctx); delete_routes_v6(rl6, tt, flags, es, ctx); } void -delete_routes_v4(struct route_list *rl, const struct tuntap *tt, - unsigned int flags, const struct env_set *es, - openvpn_net_ctx_t *ctx) +delete_routes_v4(struct route_list *rl, const struct tuntap *tt, unsigned int flags, + const struct env_set *es, openvpn_net_ctx_t *ctx) { if (rl && (rl->iflags & RL_ROUTES_ADDED)) { @@ -1292,9 +1193,8 @@ delete_routes_v4(struct route_list *rl, const struct tuntap *tt, } void -delete_routes_v6(struct route_ipv6_list *rl6, const struct tuntap *tt, - unsigned int flags, const struct env_set *es, - openvpn_net_ctx_t *ctx) +delete_routes_v6(struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, + const struct env_set *es, openvpn_net_ctx_t *ctx) { if (rl6 && (rl6->iflags & RL_ROUTES_ADDED)) { 
@@ -1330,22 +1230,17 @@ show_opt(const char *option) static void print_route_option(const struct route_option *ro, int level) { - msg(level, " route %s/%s/%s/%s", - show_opt(ro->network), - show_opt(ro->netmask), - show_opt(ro->gateway), - show_opt(ro->metric)); + msg(level, " route %s/%s/%s/%s", show_opt(ro->network), show_opt(ro->netmask), + show_opt(ro->gateway), show_opt(ro->metric)); } void -print_route_options(const struct route_option_list *rol, - int level) +print_route_options(const struct route_option_list *rol, int level) { struct route_option *ro; if (rol->flags & RG_ENABLE) { - msg(level, " [redirect_default_gateway local=%d]", - (rol->flags & RG_LOCAL) != 0); + msg(level, " [redirect_default_gateway local=%d]", (rol->flags & RG_LOCAL) != 0); } for (ro = rol->routes; ro; ro = ro->next) { @@ -1354,8 +1249,7 @@ print_route_options(const struct route_option_list *rol, } void -print_default_gateway(const int msglevel, - const struct route_gateway_info *rgi, +print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6) { struct gc_arena gc = gc_new(); 
@@ -1486,23 +1380,22 @@ setenv_route_ipv6(struct env_set *es, const struct route_ipv6 *r6, int i) struct gc_arena gc = gc_new(); if (r6->flags & RT_DEFINED) { - struct buffer name1 = alloc_buf_gc( 256, &gc ); - struct buffer val = alloc_buf_gc( 256, &gc ); - struct buffer name2 = alloc_buf_gc( 256, &gc ); + struct buffer name1 = alloc_buf_gc(256, &gc); + struct buffer val = alloc_buf_gc(256, &gc); + struct buffer name2 = alloc_buf_gc(256, &gc); - buf_printf( &name1, "route_ipv6_network_%d", i ); - buf_printf( &val, "%s/%d", print_in6_addr( r6->network, 0, &gc ), - r6->netbits ); - setenv_str( es, BSTR(&name1), BSTR(&val) ); + buf_printf(&name1, "route_ipv6_network_%d", i); + buf_printf(&val, "%s/%d", print_in6_addr(r6->network, 0, &gc), r6->netbits); + setenv_str(es, BSTR(&name1), BSTR(&val)); - buf_printf( &name2, "route_ipv6_gateway_%d", i ); - setenv_str( es, BSTR(&name2), print_in6_addr( r6->gateway, 0, &gc )); + buf_printf(&name2, "route_ipv6_gateway_%d", i); + setenv_str(es, BSTR(&name2), print_in6_addr(r6->gateway, 0, &gc)); if (r6->flags & RT_METRIC_DEFINED) { - struct buffer name3 = alloc_buf_gc( 256, &gc ); - buf_printf( &name3, "route_ipv6_metric_%d", i); - setenv_int( es, BSTR(&name3), r6->metric); + struct buffer name3 = alloc_buf_gc(256, &gc); + buf_printf(&name3, "route_ipv6_metric_%d", i); + setenv_int(es, BSTR(&name3), r6->metric); } } gc_free(&gc); 
@@ -1542,19 +1435,15 @@ setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6) #define LR_ERROR 2 /* caller should abort adding route */ static int -local_route(in_addr_t network, - in_addr_t netmask, - in_addr_t gateway, +local_route(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct route_gateway_info *rgi) { /* set LR_MATCH on local host routes */ - const int rgi_needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED|RGI_IFACE_DEFINED); - if (rgi - && (rgi->flags & rgi_needed) == rgi_needed - && gateway == rgi->gateway.addr + const int rgi_needed = (RGI_ADDR_DEFINED | RGI_NETMASK_DEFINED | RGI_IFACE_DEFINED); + if (rgi && (rgi->flags & rgi_needed) == rgi_needed && gateway == rgi->gateway.addr && netmask == 0xFFFFFFFF) { - if (((network ^ rgi->gateway.addr) & rgi->gateway.netmask) == 0) + if (((network ^ rgi->gateway.addr) & rgi->gateway.netmask) == 0) { return LR_MATCH; } @@ -1581,17 +1470,16 @@ local_route(in_addr_t network, static inline bool is_on_link(const int is_local_route, const unsigned int flags, const struct route_gateway_info *rgi) { - return rgi && (is_local_route == LR_MATCH || ((flags & ROUTE_REF_GW) && (rgi->flags & RGI_ON_LINK))); + return rgi + && (is_local_route == LR_MATCH + || ((flags & ROUTE_REF_GW) && (rgi->flags & RGI_ON_LINK))); } #endif bool -add_route(struct route_ipv4 *r, - const struct tuntap *tt, - unsigned int flags, - const struct route_gateway_info *rgi, /* may be NULL */ - const struct env_set *es, - openvpn_net_ctx_t *ctx) +add_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, + const struct route_gateway_info *rgi, /* may be NULL */ + const struct env_set *es, openvpn_net_ctx_t *ctx) { int status = 0; int is_local_route; 
@@ -1634,8 +1522,8 @@ add_route(struct route_ipv4 *r, status = RTA_SUCCESS; - int ret = net_route_v4_add(ctx, &r->network, netmask_to_netbits2(r->netmask), - &r->gateway, iface, r->table_id, metric); + int ret = net_route_v4_add(ctx, &r->network, netmask_to_netbits2(r->netmask), &r->gateway, + iface, r->table_id, metric); if (ret == -EEXIST) { msg(D_ROUTE, "NOTE: Linux route add command failed because route exists"); @@ -1647,7 +1535,7 @@ add_route(struct route_ipv4 *r, status = RTA_ERROR; } -#elif defined (TARGET_ANDROID) +#elif defined(TARGET_ANDROID) char out[128]; if (rgi) @@ -1661,15 +1549,11 @@ add_route(struct route_ipv4 *r, bool ret = management_android_control(management, "ROUTE", out); status = ret ? RTA_SUCCESS : RTA_ERROR; -#elif defined (_WIN32) +#elif defined(_WIN32) { DWORD ai = TUN_ADAPTER_INDEX_INVALID; - argv_printf(&argv, "%s%s ADD %s MASK %s %s", - get_win_sys_path(), - WIN_ROUTE_PATH_SUFFIX, - network, - netmask, - gateway); + argv_printf(&argv, "%s%s ADD %s MASK %s %s", get_win_sys_path(), WIN_ROUTE_PATH_SUFFIX, + network, netmask, gateway); if (r->flags & RT_METRIC_DEFINED) { argv_printf_cat(&argv, "METRIC %d", r->metric); @@ -1695,8 +1579,8 @@ add_route(struct route_ipv4 *r, else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_EXE) { netcmd_semaphore_lock(); - bool ret = openvpn_execve_check(&argv, es, 0, - "ERROR: Windows route add command failed"); + bool ret = + openvpn_execve_check(&argv, es, 0, "ERROR: Windows route add command failed"); status = ret ? RTA_SUCCESS : RTA_ERROR; netcmd_semaphore_release(); method = "route.exe"; 
@@ -1709,8 +1593,8 @@ add_route(struct route_ipv4 *r, { msg(D_ROUTE, "Route addition fallback to route.exe"); netcmd_semaphore_lock(); - bool ret = openvpn_execve_check(&argv, es, 0, - "ERROR: Windows route add command failed [adaptive]"); + bool ret = openvpn_execve_check( + &argv, es, 0, "ERROR: Windows route add command failed [adaptive]"); status = ret ? RTA_SUCCESS : RTA_ERROR; netcmd_semaphore_release(); method = "route.exe"; @@ -1727,17 +1611,13 @@ add_route(struct route_ipv4 *r, } } -#elif defined (TARGET_SOLARIS) +#elif defined(TARGET_SOLARIS) /* example: route add 192.0.2.32 -netmask 255.255.255.224 somegateway */ - argv_printf(&argv, "%s add", - ROUTE_PATH); + argv_printf(&argv, "%s add", ROUTE_PATH); - argv_printf_cat(&argv, "%s -netmask %s %s", - network, - netmask, - gateway); + argv_printf_cat(&argv, "%s -netmask %s %s", network, netmask, gateway); /* Solaris can only distinguish between "metric 0" == "on-link on the * interface where the IP address given is configured" and "metric > 0" @@ -1752,14 +1632,12 @@ add_route(struct route_ipv4 *r, } argv_msg(D_ROUTE, &argv); - bool ret = openvpn_execve_check(&argv, es, 0, - "ERROR: Solaris route add command failed"); + bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add command failed"); status = ret ? RTA_SUCCESS : RTA_ERROR; #elif defined(TARGET_FREEBSD) - argv_printf(&argv, "%s add", - ROUTE_PATH); + argv_printf(&argv, "%s add", ROUTE_PATH); #if 0 if (r->flags & RT_METRIC_DEFINED) 
@@ -1768,22 +1646,17 @@ add_route(struct route_ipv4 *r, } #endif - argv_printf_cat(&argv, "-net %s %s %s", - network, - gateway, - netmask); + argv_printf_cat(&argv, "-net %s %s %s", network, gateway, netmask); /* FIXME -- add on-link support for FreeBSD */ argv_msg(D_ROUTE, &argv); - bool ret = openvpn_execve_check(&argv, es, 0, - "ERROR: FreeBSD route add command failed"); + bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: FreeBSD route add command failed"); status = ret ? RTA_SUCCESS : RTA_ERROR; #elif defined(TARGET_DRAGONFLY) - argv_printf(&argv, "%s add", - ROUTE_PATH); + argv_printf(&argv, "%s add", ROUTE_PATH); #if 0 if (r->flags & RT_METRIC_DEFINED) @@ -1792,22 +1665,17 @@ add_route(struct route_ipv4 *r, } #endif - argv_printf_cat(&argv, "-net %s %s %s", - network, - gateway, - netmask); + argv_printf_cat(&argv, "-net %s %s %s", network, gateway, netmask); /* FIXME -- add on-link support for Dragonfly */ argv_msg(D_ROUTE, &argv); - bool ret = openvpn_execve_check(&argv, es, 0, - "ERROR: DragonFly route add command failed"); + bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: DragonFly route add command failed"); status = ret ? RTA_SUCCESS : RTA_ERROR; #elif defined(TARGET_DARWIN) - argv_printf(&argv, "%s add", - ROUTE_PATH); + argv_printf(&argv, "%s add", ROUTE_PATH); #if 0 if (r->flags & RT_METRIC_DEFINED) 
@@ -1820,28 +1688,21 @@ add_route(struct route_ipv4 *r, { /* Mac OS X route syntax for ON_LINK: * route add -cloning -net 10.10.0.1 -netmask 255.255.255.255 -interface en0 */ - argv_printf_cat(&argv, "-cloning -net %s -netmask %s -interface %s", - network, - netmask, + argv_printf_cat(&argv, "-cloning -net %s -netmask %s -interface %s", network, netmask, rgi->iface); } else { - argv_printf_cat(&argv, "-net %s %s %s", - network, - gateway, - netmask); + argv_printf_cat(&argv, "-net %s %s %s", network, gateway, netmask); } argv_msg(D_ROUTE, &argv); - bool ret = openvpn_execve_check(&argv, es, 0, - "ERROR: OS X route add command failed"); + bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: OS X route add command failed"); status = ret ? RTA_SUCCESS : RTA_ERROR; #elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) - argv_printf(&argv, "%s add", - ROUTE_PATH); + argv_printf(&argv, "%s add", ROUTE_PATH); #if 0 if (r->flags & RT_METRIC_DEFINED) 
@@ -1850,47 +1711,36 @@ add_route(struct route_ipv4 *r, } #endif - argv_printf_cat(&argv, "-net %s %s -netmask %s", - network, - gateway, - netmask); + argv_printf_cat(&argv, "-net %s %s -netmask %s", network, gateway, netmask); /* FIXME -- add on-link support for OpenBSD/NetBSD */ argv_msg(D_ROUTE, &argv); - bool ret = openvpn_execve_check(&argv, es, 0, - "ERROR: OpenBSD/NetBSD route add command failed"); + bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route add command failed"); status = ret ? RTA_SUCCESS : RTA_ERROR; #elif defined(TARGET_AIX) { int netbits = netmask_to_netbits2(r->netmask); - argv_printf(&argv, "%s add -net %s/%d %s", - ROUTE_PATH, - network, netbits, gateway); + argv_printf(&argv, "%s add -net %s/%d %s", ROUTE_PATH, network, netbits, gateway); argv_msg(D_ROUTE, &argv); - bool ret = openvpn_execve_check(&argv, es, 0, - "ERROR: AIX route add command failed"); + bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed"); status = ret ? RTA_SUCCESS : RTA_ERROR; } #elif defined(TARGET_HAIKU) /* ex: route add /dev/net/ipro1000/0 0.0.0.0 gw 192.168.1.1 netmask 128.0.0.0 */ - argv_printf(&argv, "%s add %s inet %s gw %s netmask %s", - ROUTE_PATH, - rgi->iface, - network, - gateway, - netmask); + argv_printf(&argv, "%s add %s inet %s gw %s netmask %s", ROUTE_PATH, rgi->iface, network, + gateway, netmask); argv_msg(D_ROUTE, &argv); - bool ret = openvpn_execve_check(&argv, es, 0, - "ERROR: Haiku inet route add command failed"); + bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet route add command failed"); status = ret ? RTA_SUCCESS : RTA_ERROR; -#else /* if defined(TARGET_LINUX) */ - msg(M_FATAL, "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script"); +#else /* if defined(TARGET_LINUX) */ + msg(M_FATAL, + "Sorry, but I don't know how to do 'route' commands on this operating system. 
Try putting your routes in a --route-up script"); #endif /* if defined(TARGET_LINUX) */ done: @@ -1912,7 +1762,7 @@ done: void -route_ipv6_clear_host_bits( struct route_ipv6 *r6 ) +route_ipv6_clear_host_bits(struct route_ipv6 *r6) { /* clear host bit parts of route * (needed if routes are specified improperly, or if we need to @@ -1925,24 +1775,25 @@ route_ipv6_clear_host_bits( struct route_ipv6 *r6 ) { if (bits_to_clear >= 8) { - r6->network.s6_addr[byte--] = 0; bits_to_clear -= 8; + r6->network.s6_addr[byte--] = 0; + bits_to_clear -= 8; } else { - r6->network.s6_addr[byte--] &= (0xff << bits_to_clear); bits_to_clear = 0; + r6->network.s6_addr[byte--] &= (0xff << bits_to_clear); + bits_to_clear = 0; } } } bool -add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, - unsigned int flags, const struct env_set *es, - openvpn_net_ctx_t *ctx) +add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flags, + const struct env_set *es, openvpn_net_ctx_t *ctx) { int status = 0; bool gateway_needed = false; - if (!(r6->flags & RT_DEFINED) ) + if (!(r6->flags & RT_DEFINED)) { return true; /* no error */ } @@ -1952,10 +1803,10 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, #ifndef _WIN32 const char *device = tt->actual_name; - if (r6->iface != NULL) /* vpn server special route */ + if (r6->iface != NULL) /* vpn server special route */ { device = r6->iface; - if (!IN6_IS_ADDR_UNSPECIFIED(&r6->gateway) ) + if (!IN6_IS_ADDR_UNSPECIFIED(&r6->gateway)) { gateway_needed = true; } 
@@ -1963,11 +1814,10 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, #endif route_ipv6_clear_host_bits(r6); - const char *network = print_in6_addr( r6->network, 0, &gc); - const char *gateway = print_in6_addr( r6->gateway, 0, &gc); + const char *network = print_in6_addr(r6->network, 0, &gc); + const char *gateway = print_in6_addr(r6->gateway, 0, &gc); -#if defined(TARGET_DARWIN) \ - || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \ +#if defined(TARGET_DARWIN) || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \ || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) /* the BSD platforms cannot specify gateway and interface independently, @@ -1975,22 +1825,21 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, * we build a combined "$gateway%$interface" gateway string */ if (r6->iface != NULL && gateway_needed - && IN6_IS_ADDR_LINKLOCAL(&r6->gateway) ) /* fe80::...%intf */ + && IN6_IS_ADDR_LINKLOCAL(&r6->gateway)) /* fe80::...%intf */ { - int len = strlen(gateway) + 1 + strlen(r6->iface)+1; - char *tmp = gc_malloc( len, true, &gc ); - snprintf( tmp, len, "%s%%%s", gateway, r6->iface ); + int len = strlen(gateway) + 1 + strlen(r6->iface) + 1; + char *tmp = gc_malloc(len, true, &gc); + snprintf(tmp, len, "%s%%%s", gateway, r6->iface); gateway = tmp; } #endif #ifndef _WIN32 - msg(D_ROUTE, "add_route_ipv6(%s/%d -> %s metric %d) dev %s", - network, r6->netbits, gateway, r6->metric, device ); + msg(D_ROUTE, "add_route_ipv6(%s/%d -> %s metric %d) dev %s", network, r6->netbits, gateway, + r6->metric, device); #else - msg(D_ROUTE, "add_route_ipv6(%s/%d -> %s metric %d) IF %lu", - network, r6->netbits, gateway, r6->metric, - r6->adapter_index ? r6->adapter_index : tt->adapter_index); + msg(D_ROUTE, "add_route_ipv6(%s/%d -> %s metric %d) IF %lu", network, r6->netbits, gateway, + r6->metric, r6->adapter_index ? r6->adapter_index : tt->adapter_index); #endif /* 
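Review bot: In the link-local gateway branch, `len` stores a `size_t` sum (`strlen(gateway) + 1 + strlen(r6->iface) + 1`) in an `int`, so the value is narrowed before it reaches `gc_malloc()` and `snprintf()`; `size_t len = strlen(gateway) + 1 + strlen(r6->iface) + 1;` keeps the width the two length calls produce. The same three lines are repeated verbatim in delete_route_ipv6 (hunk @@ -2456,16 +2244,16 @@), so a small static helper returning the combined `"%s%%%s"` string from the arena would remove the duplication and give the sizing a single home. add_route_ipv6 continues on both sides of this hunk.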
@@ -2004,18 +1853,19 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, * interfaces. OTOH, on "tap" interface, we must always set the * gateway unless the route is to be an on-link network */ - if (tt->type == DEV_TYPE_TAP - && !( (r6->flags & RT_METRIC_DEFINED) && r6->metric == 0 ) ) + if (tt->type == DEV_TYPE_TAP && !((r6->flags & RT_METRIC_DEFINED) && r6->metric == 0)) { gateway_needed = true; } if (gateway_needed && IN6_IS_ADDR_UNSPECIFIED(&r6->gateway)) { - msg(M_WARN, "ROUTE6 WARNING: " PACKAGE_NAME " needs a gateway " + msg(M_WARN, + "ROUTE6 WARNING: " PACKAGE_NAME " needs a gateway " "parameter for a --route-ipv6 option and no default was set via " "--ifconfig-ipv6 or --route-ipv6-gateway option. Not installing " - "IPv6 route to %s/%d.", network, r6->netbits); + "IPv6 route to %s/%d.", + network, r6->netbits); status = 0; goto done; } @@ -2028,8 +1878,7 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, } status = RTA_SUCCESS; - int ret = net_route_v6_add(ctx, &r6->network, r6->netbits, - gateway_needed ? &r6->gateway : NULL, + int ret = net_route_v6_add(ctx, &r6->network, r6->netbits, gateway_needed ? &r6->gateway : NULL, device, r6->table_id, metric); if (ret == -EEXIST) { @@ -2042,14 +1891,14 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, status = RTA_ERROR; } -#elif defined (TARGET_ANDROID) +#elif defined(TARGET_ANDROID) char out[64]; snprintf(out, sizeof(out), "%s/%d %s", network, r6->netbits, device); status = management_android_control(management, "ROUTE6", out); -#elif defined (_WIN32) +#elif defined(_WIN32) if (tt->options.msg_channel) { @@ -2059,7 +1908,7 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, { status = route_ipv6_ipapi(true, r6, tt); } -#elif defined (TARGET_SOLARIS) +#elif defined(TARGET_SOLARIS) /* example: route add -inet6 2001:db8::/32 somegateway 0 */ 
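Review bot: The Android branch formats the route into `char out[64]` with `snprintf()` and discards the return value, so an over-long `device` name (it may be `r6->iface` rather than `tt->actual_name`, as the earlier hunk shows) would silently hand a truncated `ROUTE6` string to the management interface. Checking the result, `int n = snprintf(out, sizeof(out), "%s/%d %s", network, r6->netbits, device);` followed by `if (n < 0 || (size_t)n >= sizeof(out)) { status = RTA_ERROR; goto done; }`, fails loudly instead of installing a wrong route. add_route_ipv6's body continues outside this hunk.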
@@ -2072,11 +1921,7 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, * use the GW addresses - it seems to still work for fe80:: addresses, * however this is done internally. NUD maybe?) */ - argv_printf(&argv, "%s add -inet6 %s/%d %s", - ROUTE_PATH, - network, - r6->netbits, - gateway ); + argv_printf(&argv, "%s add -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway); /* on tun (not tap), not "elsewhere"? -> metric 0 */ if (tt->type == DEV_TYPE_TUN && !r6->iface) @@ -2085,16 +1930,12 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, } argv_msg(D_ROUTE, &argv); - bool ret = openvpn_execve_check(&argv, es, 0, - "ERROR: Solaris route add -inet6 command failed"); + bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add -inet6 command failed"); status = ret ? RTA_SUCCESS : RTA_ERROR; #elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) - argv_printf(&argv, "%s add -inet6 %s/%d", - ROUTE_PATH, - network, - r6->netbits); + argv_printf(&argv, "%s add -inet6 %s/%d", ROUTE_PATH, network, r6->netbits); if (gateway_needed) { @@ -2106,15 +1947,12 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, } argv_msg(D_ROUTE, &argv); - bool ret = openvpn_execve_check(&argv, es, 0, - "ERROR: *BSD route add -inet6 command failed"); + bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: *BSD route add -inet6 command failed"); status = ret ? RTA_SUCCESS : RTA_ERROR; #elif defined(TARGET_DARWIN) - argv_printf(&argv, "%s add -inet6 %s -prefixlen %d", - ROUTE_PATH, - network, r6->netbits ); + argv_printf(&argv, "%s add -inet6 %s -prefixlen %d", ROUTE_PATH, network, r6->netbits); if (gateway_needed) { 
@@ -2126,58 +1964,45 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, } argv_msg(D_ROUTE, &argv); - bool ret = openvpn_execve_check(&argv, es, 0, - "ERROR: MacOS X route add -inet6 command failed"); + bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: MacOS X route add -inet6 command failed"); status = ret ? RTA_SUCCESS : RTA_ERROR; #elif defined(TARGET_OPENBSD) - argv_printf(&argv, "%s add -inet6 %s -prefixlen %d %s", - ROUTE_PATH, - network, r6->netbits, gateway ); + argv_printf(&argv, "%s add -inet6 %s -prefixlen %d %s", ROUTE_PATH, network, r6->netbits, + gateway); argv_msg(D_ROUTE, &argv); - bool ret = openvpn_execve_check(&argv, es, 0, - "ERROR: OpenBSD route add -inet6 command failed"); + bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD route add -inet6 command failed"); status = ret ? RTA_SUCCESS : RTA_ERROR; #elif defined(TARGET_NETBSD) - argv_printf(&argv, "%s add -inet6 %s/%d %s", - ROUTE_PATH, - network, r6->netbits, gateway ); + argv_printf(&argv, "%s add -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway); argv_msg(D_ROUTE, &argv); - bool ret = openvpn_execve_check(&argv, es, 0, - "ERROR: NetBSD route add -inet6 command failed"); + bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: NetBSD route add -inet6 command failed"); status = ret ? RTA_SUCCESS : RTA_ERROR; #elif defined(TARGET_AIX) - argv_printf(&argv, "%s add -inet6 %s/%d %s", - ROUTE_PATH, - network, r6->netbits, gateway); + argv_printf(&argv, "%s add -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway); argv_msg(D_ROUTE, &argv); - bool ret = openvpn_execve_check(&argv, es, 0, - "ERROR: AIX route add command failed"); + bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed"); status = ret ? 
RTA_SUCCESS : RTA_ERROR; #elif defined(TARGET_HAIKU) /* ex: route add /dev/net/ipro1000/0 inet6 :: gw beef::cafe prefixlen 64 */ - argv_printf(&argv, "%s add %s inet6 %s gw %s prefixlen %d", - ROUTE_PATH, - r6->iface, - network, - gateway, - r6->netbits); + argv_printf(&argv, "%s add %s inet6 %s gw %s prefixlen %d", ROUTE_PATH, r6->iface, network, + gateway, r6->netbits); argv_msg(D_ROUTE, &argv); - bool ret = openvpn_execve_check(&argv, es, 0, - "ERROR: Haiku inet6 route add command failed"); + bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet6 route add command failed"); status = ret ? RTA_SUCCESS : RTA_ERROR; #else /* if defined(TARGET_LINUX) */ - msg(M_FATAL, "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-up script"); + msg(M_FATAL, + "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-up script"); #endif /* if defined(TARGET_LINUX) */ done: @@ -2198,12 +2023,8 @@ done: } static void -delete_route(struct route_ipv4 *r, - const struct tuntap *tt, - unsigned int flags, - const struct route_gateway_info *rgi, - const struct env_set *es, - openvpn_net_ctx_t *ctx) +delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, + const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx) { #if !defined(TARGET_LINUX) const char *network; @@ -2213,12 +2034,12 @@ delete_route(struct route_ipv4 *r, #if !defined(TARGET_ANDROID) const char *gateway; #endif -#else /* if !defined(TARGET_LINUX) */ +#else /* if !defined(TARGET_LINUX) */ int metric; #endif int is_local_route; - if ((r->flags & (RT_DEFINED|RT_ADDED)) != (RT_DEFINED|RT_ADDED)) + if ((r->flags & (RT_DEFINED | RT_ADDED)) != (RT_DEFINED | RT_ADDED)) { return; } 
@@ -2249,19 +2070,16 @@ delete_route(struct route_ipv4 *r, metric = r->metric; } - if (net_route_v4_del(ctx, &r->network, netmask_to_netbits2(r->netmask), - &r->gateway, NULL, r->table_id, metric) < 0) + if (net_route_v4_del(ctx, &r->network, netmask_to_netbits2(r->netmask), &r->gateway, NULL, + r->table_id, metric) + < 0) { msg(M_WARN, "ERROR: Linux route delete command failed"); } -#elif defined (_WIN32) +#elif defined(_WIN32) - argv_printf(&argv, "%s%s DELETE %s MASK %s %s", - get_win_sys_path(), - WIN_ROUTE_PATH_SUFFIX, - network, - netmask, - gateway); + argv_printf(&argv, "%s%s DELETE %s MASK %s %s", get_win_sys_path(), WIN_ROUTE_PATH_SUFFIX, + network, netmask, gateway); argv_msg(D_ROUTE, &argv); @@ -2289,7 +2107,8 @@ delete_route(struct route_ipv4 *r, { msg(D_ROUTE, "Route deletion fallback to route.exe"); netcmd_semaphore_lock(); - openvpn_execve_check(&argv, es, 0, "ERROR: Windows route delete command failed [adaptive]"); + openvpn_execve_check(&argv, es, 0, + "ERROR: Windows route delete command failed [adaptive]"); netcmd_semaphore_release(); } } 
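Review bot: clang-format has placed `< 0` alone on a line after the `net_route_v4_del()` argument list in the Linux branch, which reads as a stray token and hides the actual condition; capturing the result first, `int rc = net_route_v4_del(ctx, &r->network, netmask_to_netbits2(r->netmask), &r->gateway, NULL, r->table_id, metric);` and then `if (rc < 0)`, keeps the call and the test readable under the formatter. The same layout appears for `net_route_v6_del()` in delete_route_ipv6 (hunk @@ -2474,14 +2262,14 @@). delete_route starts before this hunk.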
@@ -2298,35 +2117,23 @@ delete_route(struct route_ipv4 *r, ASSERT(0); } -#elif defined (TARGET_SOLARIS) +#elif defined(TARGET_SOLARIS) - argv_printf(&argv, "%s delete %s -netmask %s %s", - ROUTE_PATH, - network, - netmask, - gateway); + argv_printf(&argv, "%s delete %s -netmask %s %s", ROUTE_PATH, network, netmask, gateway); argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete command failed"); #elif defined(TARGET_FREEBSD) - argv_printf(&argv, "%s delete -net %s %s %s", - ROUTE_PATH, - network, - gateway, - netmask); + argv_printf(&argv, "%s delete -net %s %s %s", ROUTE_PATH, network, gateway, netmask); argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: FreeBSD route delete command failed"); #elif defined(TARGET_DRAGONFLY) - argv_printf(&argv, "%s delete -net %s %s %s", - ROUTE_PATH, - network, - gateway, - netmask); + argv_printf(&argv, "%s delete -net %s %s %s", ROUTE_PATH, network, gateway, netmask); argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: DragonFly route delete command failed"); @@ -2335,19 +2142,12 @@ delete_route(struct route_ipv4 *r, if (is_on_link(is_local_route, flags, rgi)) { - argv_printf(&argv, "%s delete -cloning -net %s -netmask %s -interface %s", - ROUTE_PATH, - network, - netmask, - rgi->iface); + argv_printf(&argv, "%s delete -cloning -net %s -netmask %s -interface %s", ROUTE_PATH, + network, netmask, rgi->iface); } else { - argv_printf(&argv, "%s delete -net %s %s %s", - ROUTE_PATH, - network, - gateway, - netmask); + argv_printf(&argv, "%s delete -net %s %s %s", ROUTE_PATH, network, gateway, netmask); } argv_msg(D_ROUTE, &argv); 
@@ -2355,26 +2155,20 @@ delete_route(struct route_ipv4 *r, #elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) - argv_printf(&argv, "%s delete -net %s %s -netmask %s", - ROUTE_PATH, - network, - gateway, - netmask); + argv_printf(&argv, "%s delete -net %s %s -netmask %s", ROUTE_PATH, network, gateway, netmask); argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route delete command failed"); #elif defined(TARGET_ANDROID) msg(D_ROUTE_DEBUG, "Deleting routes on Android is not possible/not " - "needed. The VpnService API allows routes to be set " - "on connect only and will clean up automatically."); + "needed. The VpnService API allows routes to be set " + "on connect only and will clean up automatically."); #elif defined(TARGET_AIX) { int netbits = netmask_to_netbits2(r->netmask); - argv_printf(&argv, "%s delete -net %s/%d %s", - ROUTE_PATH, - network, netbits, gateway); + argv_printf(&argv, "%s delete -net %s/%d %s", ROUTE_PATH, network, netbits, gateway); argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: AIX route delete command failed"); } 
@@ -2382,17 +2176,14 @@ delete_route(struct route_ipv4 *r, #elif defined(TARGET_HAIKU) /* ex: route delete /dev/net/ipro1000/0 inet 192.168.0.0 gw 192.168.1.1 netmask 255.255.0.0 */ - argv_printf(&argv, "%s delete %s inet %s gw %s netmask %s", - ROUTE_PATH, - rgi->iface, - network, - gateway, - netmask); + argv_printf(&argv, "%s delete %s inet %s gw %s netmask %s", ROUTE_PATH, rgi->iface, network, + gateway, netmask); argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet route delete command failed"); #else /* if defined(TARGET_LINUX) */ - msg(M_FATAL, "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script"); + msg(M_FATAL, + "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script"); #endif /* if defined(TARGET_LINUX) */ done: @@ -2404,13 +2195,12 @@ done: } void -delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, - const struct env_set *es, +delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, const struct env_set *es, openvpn_net_ctx_t *ctx) { const char *network; - if ((r6->flags & (RT_DEFINED|RT_ADDED)) != (RT_DEFINED|RT_ADDED)) + if ((r6->flags & (RT_DEFINED | RT_ADDED)) != (RT_DEFINED | RT_ADDED)) { return; } @@ -2422,7 +2212,7 @@ delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, #if !defined(TARGET_SOLARIS) bool gateway_needed = false; const char *device = tt->actual_name; - if (r6->iface != NULL) /* vpn server special route */ + if (r6->iface != NULL) /* vpn server special route */ { device = r6->iface; gateway_needed = true; 
@@ -2431,8 +2221,7 @@ delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, /* if we used a gateway on "add route", we also need to specify it on * delete, otherwise some OSes will refuse to delete the route */ - if (tt->type == DEV_TYPE_TAP - && !( (r6->flags & RT_METRIC_DEFINED) && r6->metric == 0 ) ) + if (tt->type == DEV_TYPE_TAP && !((r6->flags & RT_METRIC_DEFINED) && r6->metric == 0)) { gateway_needed = true; } @@ -2442,13 +2231,12 @@ delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, struct gc_arena gc = gc_new(); struct argv argv = argv_new(); - network = print_in6_addr( r6->network, 0, &gc); + network = print_in6_addr(r6->network, 0, &gc); #if !defined(TARGET_LINUX) && !defined(_WIN32) - gateway = print_in6_addr( r6->gateway, 0, &gc); + gateway = print_in6_addr(r6->gateway, 0, &gc); #endif -#if defined(TARGET_DARWIN) \ - || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \ +#if defined(TARGET_DARWIN) || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \ || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) /* the BSD platforms cannot specify gateway and interface independently, @@ -2456,16 +2244,16 @@ delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, * we build a combined "$gateway%$interface" gateway string */ if (r6->iface != NULL && gateway_needed - && IN6_IS_ADDR_LINKLOCAL(&r6->gateway) ) /* fe80::...%intf */ + && IN6_IS_ADDR_LINKLOCAL(&r6->gateway)) /* fe80::...%intf */ { - int len = strlen(gateway) + 1 + strlen(r6->iface)+1; - char *tmp = gc_malloc( len, true, &gc ); - snprintf( tmp, len, "%s%%%s", gateway, r6->iface ); + int len = strlen(gateway) + 1 + strlen(r6->iface) + 1; + char *tmp = gc_malloc(len, true, &gc); + snprintf(tmp, len, "%s%%%s", gateway, r6->iface); gateway = tmp; } #endif - msg(D_ROUTE, "delete_route_ipv6(%s/%d)", network, r6->netbits ); + msg(D_ROUTE, "delete_route_ipv6(%s/%d)", network, r6->netbits); #if defined(TARGET_LINUX) int metric = -1; 
@@ -2474,14 +2262,14 @@ delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, metric = r6->metric; } - if (net_route_v6_del(ctx, &r6->network, r6->netbits, - gateway_needed ? &r6->gateway : NULL, device, r6->table_id, - metric) < 0) + if (net_route_v6_del(ctx, &r6->network, r6->netbits, gateway_needed ? &r6->gateway : NULL, + device, r6->table_id, metric) + < 0) { msg(M_WARN, "ERROR: Linux route v6 delete command failed"); } -#elif defined (_WIN32) +#elif defined(_WIN32) if (tt->options.msg_channel) { @@ -2491,25 +2279,18 @@ delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, { route_ipv6_ipapi(false, r6, tt); } -#elif defined (TARGET_SOLARIS) +#elif defined(TARGET_SOLARIS) /* example: route delete -inet6 2001:db8::/32 somegateway */ - argv_printf(&argv, "%s delete -inet6 %s/%d %s", - ROUTE_PATH, - network, - r6->netbits, - gateway ); + argv_printf(&argv, "%s delete -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway); argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete -inet6 command failed"); #elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) - argv_printf(&argv, "%s delete -inet6 %s/%d", - ROUTE_PATH, - network, - r6->netbits ); + argv_printf(&argv, "%s delete -inet6 %s/%d", ROUTE_PATH, network, r6->netbits); if (gateway_needed) { @@ -2525,9 +2306,7 @@ delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, #elif defined(TARGET_DARWIN) - argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d", - ROUTE_PATH, - network, r6->netbits ); + argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d", ROUTE_PATH, network, r6->netbits); if (gateway_needed) { 
@@ -2543,48 +2322,40 @@ delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, #elif defined(TARGET_OPENBSD) - argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d %s", - ROUTE_PATH, - network, r6->netbits, gateway ); + argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d %s", ROUTE_PATH, network, r6->netbits, + gateway); argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD route delete -inet6 command failed"); #elif defined(TARGET_NETBSD) - argv_printf(&argv, "%s delete -inet6 %s/%d %s", - ROUTE_PATH, - network, r6->netbits, gateway ); + argv_printf(&argv, "%s delete -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway); argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: NetBSD route delete -inet6 command failed"); #elif defined(TARGET_AIX) - argv_printf(&argv, "%s delete -inet6 %s/%d %s", - ROUTE_PATH, - network, r6->netbits, gateway); + argv_printf(&argv, "%s delete -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway); argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed"); #elif defined(TARGET_ANDROID) msg(D_ROUTE_DEBUG, "Deleting routes on Android is not possible/not " - "needed. The VpnService API allows routes to be set " - "on connect only and will clean up automatically."); + "needed. 
The VpnService API allows routes to be set " + "on connect only and will clean up automatically."); #elif defined(TARGET_HAIKU) /* ex: route delete /dev/net/ipro1000/0 inet6 :: gw beef::cafe prefixlen 64 */ - argv_printf(&argv, "%s delete %s inet6 %s gw %s prefixlen %d", - ROUTE_PATH, - r6->iface, - network, - gateway, - r6->netbits); + argv_printf(&argv, "%s delete %s inet6 %s gw %s prefixlen %d", ROUTE_PATH, r6->iface, network, + gateway, r6->netbits); argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet6 route delete command failed"); #else /* if defined(TARGET_LINUX) */ - msg(M_FATAL, "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-down script"); + msg(M_FATAL, + "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-down script"); #endif /* if defined(TARGET_LINUX) */ argv_free(&argv); @@ -2610,13 +2381,12 @@ get_windows_routing_table(struct gc_arena *gc) status = GetIpForwardTable(NULL, &size, TRUE); if (status == ERROR_INSUFFICIENT_BUFFER) { - rt = (PMIB_IPFORWARDTABLE) gc_malloc(size, false, gc); + rt = (PMIB_IPFORWARDTABLE)gc_malloc(size, false, gc); status = GetIpForwardTable(rt, &size, TRUE); if (status != NO_ERROR) { msg(D_ROUTE, "NOTE: GetIpForwardTable returned error: %s (code=%u)", - strerror_win32(status, gc), - (unsigned int)status); + strerror_win32(status, gc), (unsigned int)status); rt = NULL; } } @@ -2624,9 +2394,7 @@ get_windows_routing_table(struct gc_arena *gc) } static int -test_route(const IP_ADAPTER_INFO *adapters, - const in_addr_t gateway, - DWORD *index) +test_route(const IP_ADAPTER_INFO *adapters, const in_addr_t gateway, DWORD *index) { int count = 0; DWORD i = adapter_index_of_ip(adapters, gateway, &count, NULL); 
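Review bot: The AIX branch of delete_route_ipv6 reports `"ERROR: AIX route add command failed"` although the command it has just built is `route delete -inet6`, so a failed deletion is logged as a failed addition and misleads anyone reading the log; the call should be `openvpn_execve_check(&argv, es, 0, "ERROR: AIX route delete -inet6 command failed");`, in line with the neighbouring NetBSD/OpenBSD branches and with the AIX branch of the IPv4 delete_route. This is pre-existing; the reformat only rewraps the `argv_printf()` above it. delete_route_ipv6 starts before this hunk.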
@@ -2638,11 +2406,7 @@ test_route(const IP_ADAPTER_INFO *adapters, } static void -test_route_helper(bool *ret, - int *count, - int *good, - int *ambig, - const IP_ADAPTER_INFO *adapters, +test_route_helper(bool *ret, int *count, int *good, int *ambig, const IP_ADAPTER_INFO *adapters, const in_addr_t gateway) { int c; @@ -2702,13 +2466,8 @@ test_routes(const struct route_list *rl, const struct tuntap *tt) } } - msg(D_ROUTE, "TEST ROUTES: %d/%d succeeded len=%d ret=%d a=%d u/d=%s", - good, - count, - len, - (int)ret, - ambig, - adapter_up ? "up" : "down"); + msg(D_ROUTE, "TEST ROUTES: %d/%d succeeded len=%d ret=%d a=%d u/d=%s", good, count, len, + (int)ret, ambig, adapter_up ? "up" : "down"); gc_free(&gc); return ret; @@ -2732,12 +2491,9 @@ get_default_gateway_row(const MIB_IPFORWARDTABLE *routes) const DWORD index = row->dwForwardIfIndex; const DWORD metric = row->dwForwardMetric1; - dmsg(D_ROUTE_DEBUG, "GDGR: route[%lu] %s/%s i=%d m=%d", - i, - print_in_addr_t((in_addr_t) net, 0, &gc), - print_in_addr_t((in_addr_t) mask, 0, &gc), - (int)index, - (int)metric); + dmsg(D_ROUTE_DEBUG, "GDGR: route[%lu] %s/%s i=%d m=%d", i, + print_in_addr_t((in_addr_t)net, 0, &gc), print_in_addr_t((in_addr_t)mask, 0, &gc), + (int)index, (int)metric); if (!net && !mask && metric < lowest_metric) { @@ -2778,8 +2534,7 @@ get_best_route(struct gc_arena *gc, SOCKADDR_INET *dest, MIB_IPFORWARD_ROW2 *bes if (status != NO_ERROR) { msg(D_ROUTE, "NOTE: GetBestInterfaceEx returned error: %s (code=%u)", - strerror_win32(status, gc), - (unsigned int)status); + strerror_win32(status, gc), (unsigned int)status); goto done; } 
@@ -2790,13 +2545,11 @@ get_best_route(struct gc_arena *gc, SOCKADDR_INET *dest, MIB_IPFORWARD_ROW2 *bes CLEAR(luid); SOCKADDR_INET best_src; CLEAR(best_src); - status = GetBestRoute2(&luid, best_if_index, NULL, - dest, 0, best_route, &best_src); + status = GetBestRoute2(&luid, best_if_index, NULL, dest, 0, best_route, &best_src); if (status != NO_ERROR) { msg(D_ROUTE, "NOTE: GetIpForwardEntry2 returned error: %s (code=%u)", - strerror_win32(status, gc), - (unsigned int)status); + strerror_win32(status, gc), (unsigned int)status); goto done; } @@ -2887,13 +2640,10 @@ windows_route_find_if_index(const struct route_ipv4 *r, const struct tuntap *tt) else if (count > 1) { msg(M_WARN, "Warning: route gateway is ambiguous: %s (%d matches)", - print_in_addr_t(r->gateway, 0, &gc), - count); + print_in_addr_t(r->gateway, 0, &gc), count); } - dmsg(D_ROUTE_DEBUG, "DEBUG: route find if: on_tun=%d count=%d index=%d", - on_tun, - count, + dmsg(D_ROUTE_DEBUG, "DEBUG: route find if: on_tun=%d count=%d index=%d", on_tun, count, (int)ret); gc_free(&gc); @@ -2906,8 +2656,8 @@ windows_route_find_if_index(const struct route_ipv4 *r, const struct tuntap *tt) * https://msdn.microsoft.com/en-us/library/windows/desktop/aa814411(v=vs.85).aspx */ void -get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, - const struct in6_addr *dest, openvpn_net_ctx_t *ctx) +get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, + openvpn_net_ctx_t *ctx) { struct gc_arena gc = gc_new(); CLEAR(*rgi6); 
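Review bot: The error path right after `GetBestRoute2()` logs `"NOTE: GetIpForwardEntry2 returned error: ..."`, naming an API this function does not call, so the message points a reader diagnosing a route failure at the wrong call; `msg(D_ROUTE, "NOTE: GetBestRoute2 returned error: %s (code=%u)",` would match the preceding `GetBestInterfaceEx` message in the same function. get_best_route starts before this hunk.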
@@ -2929,23 +2679,19 @@ get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, goto done; } - msg( D_ROUTE, "GDG6: II=%lu DP=%s/%d NH=%s", - BestRoute.InterfaceIndex, - print_in6_addr( BestRoute.DestinationPrefix.Prefix.Ipv6.sin6_addr, 0, &gc), - BestRoute.DestinationPrefix.PrefixLength, - print_in6_addr( BestRoute.NextHop.Ipv6.sin6_addr, 0, &gc) ); - msg( D_ROUTE, "GDG6: Metric=%d, Loopback=%d, AA=%d, I=%d", - (int) BestRoute.Metric, - (int) BestRoute.Loopback, - (int) BestRoute.AutoconfigureAddress, - (int) BestRoute.Immortal ); + msg(D_ROUTE, "GDG6: II=%lu DP=%s/%d NH=%s", BestRoute.InterfaceIndex, + print_in6_addr(BestRoute.DestinationPrefix.Prefix.Ipv6.sin6_addr, 0, &gc), + BestRoute.DestinationPrefix.PrefixLength, + print_in6_addr(BestRoute.NextHop.Ipv6.sin6_addr, 0, &gc)); + msg(D_ROUTE, "GDG6: Metric=%d, Loopback=%d, AA=%d, I=%d", (int)BestRoute.Metric, + (int)BestRoute.Loopback, (int)BestRoute.AutoconfigureAddress, (int)BestRoute.Immortal); rgi6->gateway.addr_ipv6 = BestRoute.NextHop.Ipv6.sin6_addr; - rgi6->adapter_index = BestRoute.InterfaceIndex; + rgi6->adapter_index = BestRoute.InterfaceIndex; rgi6->flags |= RGI_ADDR_DEFINED | RGI_IFACE_DEFINED; /* on-link is signalled by receiving an empty (::) NextHop */ - if (IN6_IS_ADDR_UNSPECIFIED(&BestRoute.NextHop.Ipv6.sin6_addr) ) + if (IN6_IS_ADDR_UNSPECIFIED(&BestRoute.NextHop.Ipv6.sin6_addr)) { rgi6->flags |= RGI_ON_LINK; } @@ -2961,7 +2707,9 @@ add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapt struct gc_arena gc = gc_new(); int ret = RTA_ERROR; DWORD status; - const DWORD if_index = (adapter_index == TUN_ADAPTER_INDEX_INVALID) ? windows_route_find_if_index(r, tt) : adapter_index; + const DWORD if_index = (adapter_index == TUN_ADAPTER_INDEX_INVALID) + ? windows_route_find_if_index(r, tt) + : adapter_index; if (if_index != TUN_ADAPTER_INDEX_INVALID) { 
@@ -2972,7 +2720,7 @@ add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapt fr.dwForwardPolicy = 0; fr.dwForwardNextHop = htonl(r->gateway); fr.dwForwardIfIndex = if_index; - fr.dwForwardType = 4; /* the next hop is not the final dest */ + fr.dwForwardType = 4; /* the next hop is not the final dest */ fr.dwForwardProto = 3; /* PROTO_IP_NETMGMT */ fr.dwForwardAge = 0; fr.dwForwardNextHopAS = 0; @@ -2985,8 +2733,7 @@ add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapt if ((r->network & r->netmask) != r->network) { msg(M_WARN, "Warning: address %s is not a network address in relation to netmask %s", - print_in_addr_t(r->network, 0, &gc), - print_in_addr_t(r->netmask, 0, &gc)); + print_in_addr_t(r->network, 0, &gc), print_in_addr_t(r->netmask, 0, &gc)); } status = CreateIpForwardEntry(&fr); 
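Review bot: `fr.dwForwardType = 4;` and `fr.dwForwardProto = 3;` are bare numbers explained only by trailing comments; the IP helper headers provide `MIB_IPROUTE_TYPE_INDIRECT` and `MIB_IPPROTO_NETMGMT` for exactly these values, and using them here would also make the `4`/`3` bounds of the retry loop in the later hunk of this function self-describing. add_route_ipapi starts before this hunk.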
@@ -3002,20 +2749,22 @@ add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapt else { /* failed, try increasing the metric to work around Vista issue */ - const unsigned int forward_metric_limit = 2048; /* iteratively retry higher metrics up to this limit */ + const unsigned int forward_metric_limit = + 2048; /* iteratively retry higher metrics up to this limit */ for (; fr.dwForwardMetric1 <= forward_metric_limit; ++fr.dwForwardMetric1) { - /* try a different forward type=3 ("the next hop is the final dest") in addition to 4. + /* try a different forward type=3 ("the next hop is the final dest") in addition + * to 4. * --redirect-gateway over RRAS seems to need this. */ for (fr.dwForwardType = 4; fr.dwForwardType >= 3; --fr.dwForwardType) { status = CreateIpForwardEntry(&fr); if (status == NO_ERROR) { - msg(D_ROUTE, "ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=%u and dwForwardType=%u", - (unsigned int)fr.dwForwardMetric1, - (unsigned int)fr.dwForwardType); + msg(D_ROUTE, + "ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=%u and dwForwardType=%u", + (unsigned int)fr.dwForwardMetric1, (unsigned int)fr.dwForwardType); ret = RTA_SUCCESS; goto doublebreak; } @@ -3035,9 +2784,10 @@ doublebreak: } else { - msg(M_WARN, "ERROR: route addition failed using CreateIpForwardEntry: " - "%s [status=%u if_index=%u]", strerror_win32(status, &gc), - (unsigned int)status, (unsigned int)if_index); + msg(M_WARN, + "ERROR: route addition failed using CreateIpForwardEntry: " + "%s [status=%u if_index=%u]", + strerror_win32(status, &gc), (unsigned int)status, (unsigned int)if_index); } } } 
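Review bot: The trailing comment on `forward_metric_limit` has forced clang-format to push `2048;` onto its own line, separating the value from its declaration; moving the comment above, `/* iteratively retry higher metrics up to this limit */` followed by `const unsigned int forward_metric_limit = 2048;`, keeps the declaration on one line under the formatter. add_route_ipapi starts before this hunk and its tail is in the next one.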
@@ -3125,18 +2875,13 @@ do_route_ipv4_service(const bool add, const struct route_ipv4 *r, const struct t return RTA_ERROR; } - route_message_t msg = { - .header = { - (add ? msg_add_route : msg_del_route), - sizeof(route_message_t), - 0 - }, - .family = AF_INET, - .prefix.ipv4.s_addr = htonl(r->network), - .gateway.ipv4.s_addr = htonl(r->gateway), - .iface = { .index = if_index, .name = "" }, - .metric = (r->flags & RT_METRIC_DEFINED ? r->metric : -1) - }; + route_message_t msg = { .header = { (add ? msg_add_route : msg_del_route), + sizeof(route_message_t), 0 }, + .family = AF_INET, + .prefix.ipv4.s_addr = htonl(r->network), + .gateway.ipv4.s_addr = htonl(r->gateway), + .iface = { .index = if_index, .name = "" }, + .metric = (r->flags & RT_METRIC_DEFINED ? r->metric : -1) }; netmask_to_netbits(r->network, r->netmask, &msg.prefix_len); if (msg.prefix_len == -1) @@ -3166,7 +2911,7 @@ route_ipv6_ipapi(const bool add, const struct route_ipv6 *r, const struct tuntap fwd_row->Metric = ((r->flags & RT_METRIC_DEFINED) ? r->metric : -1); fwd_row->DestinationPrefix.Prefix.si_family = AF_INET6; fwd_row->DestinationPrefix.Prefix.Ipv6.sin6_addr = r->network; - fwd_row->DestinationPrefix.PrefixLength = (UINT8) r->netbits; + fwd_row->DestinationPrefix.PrefixLength = (UINT8)r->netbits; fwd_row->NextHop.si_family = AF_INET6; fwd_row->NextHop.Ipv6.sin6_addr = r->gateway; fwd_row->InterfaceIndex = r->adapter_index ? r->adapter_index : tt->adapter_index; 
@@ -3231,21 +2976,16 @@ static int do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct tuntap *tt) { int status; - route_message_t msg = { - .header = { - (add ? msg_add_route : msg_del_route), - sizeof(route_message_t), - 0 - }, - .family = AF_INET6, - .prefix.ipv6 = r->network, - .prefix_len = r->netbits, - .gateway.ipv6 = r->gateway, - .iface = { .index = tt->adapter_index, .name = "" }, - .metric = ( (r->flags & RT_METRIC_DEFINED) ? r->metric : -1) - }; - - if (r->adapter_index) /* vpn server special route */ + route_message_t msg = { .header = { (add ? msg_add_route : msg_del_route), + sizeof(route_message_t), 0 }, + .family = AF_INET6, + .prefix.ipv6 = r->network, + .prefix_len = r->netbits, + .gateway.ipv6 = r->gateway, + .iface = { .index = tt->adapter_index, .name = "" }, + .metric = ((r->flags & RT_METRIC_DEFINED) ? r->metric : -1) }; + + if (r->adapter_index) /* vpn server special route */ { msg.iface.index = r->adapter_index; } @@ -3254,8 +2994,7 @@ do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct t * The tapdrvr knows about it and will answer neighbor discovery packets. * (only do this for routes actually using the tun/tap device) */ - if (tt->type == DEV_TYPE_TUN - && msg.iface.index == tt->adapter_index) + if (tt->type == DEV_TYPE_TUN && msg.iface.index == tt->adapter_index) { inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6); } @@ -3269,8 +3008,7 @@ do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct t status = do_route_service(add, &msg, sizeof(msg), tt->options.msg_channel); if (status != RTA_ERROR) { - msg(D_ROUTE, "IPv6 route %s via service %s", - add ? "addition" : "deletion", + msg(D_ROUTE, "IPv6 route %s via service %s", add ? "addition" : "deletion", (status == RTA_SUCCESS) ? "succeeded" : "failed because route exists"); } return status; 
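Review bot: do_route_ipv6_service names its local `route_message_t msg` and then calls `msg(D_ROUTE, "IPv6 route %s via service %s", ...)` in the hunk at @@ -3269 of the same function; this presumably compiles only because `msg()` is a macro, and a reader seeing the local expects the call to be shadowed. Renaming the local, e.g. `route_message_t rmsg = { ... }` with the `rmsg.iface.index`, `rmsg.gateway.ipv6` and `sizeof(rmsg)` uses updated, removes the ambiguity; do_route_ipv4_service in the preceding hunk uses the same local name. The function's tail lies in later hunks.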
@@ -3309,17 +3047,10 @@ format_route_entry(const MIB_IPFORWARDROW *r, struct gc_arena *gc)
 buf_printf(&out, "%s %s %s p=%d i=%d t=%d pr=%d a=%d h=%d m=%d/%d/%d/%d/%d",
 print_in_addr_t(r->dwForwardDest, IA_NET_ORDER, gc),
 print_in_addr_t(r->dwForwardMask, IA_NET_ORDER, gc),
- print_in_addr_t(r->dwForwardNextHop, IA_NET_ORDER, gc),
- (int)r->dwForwardPolicy,
- (int)r->dwForwardIfIndex,
- (int)r->dwForwardType,
- (int)r->dwForwardProto,
- (int)r->dwForwardAge,
- (int)r->dwForwardNextHopAS,
- (int)r->dwForwardMetric1,
- (int)r->dwForwardMetric2,
- (int)r->dwForwardMetric3,
- (int)r->dwForwardMetric4,
+ print_in_addr_t(r->dwForwardNextHop, IA_NET_ORDER, gc), (int)r->dwForwardPolicy,
+ (int)r->dwForwardIfIndex, (int)r->dwForwardType, (int)r->dwForwardProto,
+ (int)r->dwForwardAge, (int)r->dwForwardNextHopAS, (int)r->dwForwardMetric1,
+ (int)r->dwForwardMetric2, (int)r->dwForwardMetric3, (int)r->dwForwardMetric4,
 (int)r->dwForwardMetric5);
 return BSTR(&out);
 }
@@ -3368,12 +3099,11 @@ get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_
 * normally on Linux.
 * It always fails and "ioctl(SIOCGIFCONF) failed" confuses users
 */
-
 }
 void
-get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
- const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
+get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
+ openvpn_net_ctx_t *ctx)
 {
 /* Same for ipv6 */
@@ -3437,7 +3167,7 @@ get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_
 if (ifr->ifr_addr.sa_family == AF_INET)
 {
 /* get interface addr */
- addr = ntohl(((struct sockaddr_in *) &ifr->ifr_addr)->sin_addr.s_addr);
+ addr = ntohl(((struct sockaddr_in *)&ifr->ifr_addr)->sin_addr.s_addr);
 /* get interface name */
 strncpynt(ifreq.ifr_name, ifr->ifr_name, sizeof(ifreq.ifr_name));
</gr_repl ace>

<gr_replace lines="741-741" cat="reformat" orig="@@ -3455,7 +3185,7 @@">
@@ -3455,7 +3185,7 @@ get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_
 if (rgi->flags & RGI_ON_LINK)
 {
 /* check that interface name of current interface
- * matches interface name of best default route */
+ * matches interface name of best default route */
 if (strcmp(ifreq.ifr_name, best_name))
 {
 continue;
@@ -3479,7 +3209,7 @@ get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_
 {
 continue;
 }
- netmask = ntohl(((struct sockaddr_in *) &ifreq.ifr_addr)->sin_addr.s_addr);
+ netmask = ntohl(((struct sockaddr_in *)&ifreq.ifr_addr)->sin_addr.s_addr);
 /* check that interface matches default route */
 if (((rgi->gateway.addr ^ addr) & netmask) != 0)
@@ -3524,22 +3254,22 @@ done:
 * netlink(3), netlink(7), rtnetlink(7)
 * http://www.virtualbox.org/svn/vbox/trunk/src/VBox/NetworkServices/NAT/rtmon_linux.c
 */
-struct rtreq {
+struct rtreq
+{
 struct nlmsghdr nh;
 struct rtmsg rtm;
 char attrbuf[512];
 };
 void
-get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
- const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
+get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
+ openvpn_net_ctx_t *ctx)
 {
 int flags;
 CLEAR(*rgi6);
- if (net_route_v6_best_gw(ctx, dest, &rgi6->gateway.addr_ipv6,
- rgi6->iface) == 0)
+ if (net_route_v6_best_gw(ctx, dest, &rgi6->gateway.addr_ipv6, rgi6->iface) == 0)
 {
 if (!IN6_IS_ADDR_UNSPECIFIED(&rgi6->gateway.addr_ipv6))
 {
@@ -3564,9 +3294,8 @@ get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
 }
 }
-#elif defined(TARGET_DARWIN) || defined(TARGET_SOLARIS) \
- || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
- || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
+#elif defined(TARGET_DARWIN) || defined(TARGET_SOLARIS) || defined(TARGET_FREEBSD) \
+ || defined(TARGET_DRAGONFLY) || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
 #include
 #include
@@ -3455,7 +3185,7 @@ get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ if (rgi->flags & RGI_ON_LINK) { /* check that interface name of current interface - * matches interface name of best default route */ + * matches interface name of best default route */ if (strcmp(ifreq.ifr_name, best_name)) { continue; @@ -3479,7 +3209,7 @@ get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ { continue; } - netmask = ntohl(((struct sockaddr_in *) &ifreq.ifr_addr)->sin_addr.s_addr); + netmask = ntohl(((struct sockaddr_in *)&ifreq.ifr_addr)->sin_addr.s_addr); /* check that interface matches default route */ if (((rgi->gateway.addr ^ addr) & netmask) != 0) @@ -3524,22 +3254,22 @@ done: * netlink(3), netlink(7), rtnetlink(7) * http://www.virtualbox.org/svn/vbox/trunk/src/VBox/NetworkServices/NAT/rtmon_linux.c */ -struct rtreq { +struct rtreq +{ struct nlmsghdr nh; struct rtmsg rtm; char attrbuf[512]; }; void -get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, - const struct in6_addr *dest, openvpn_net_ctx_t *ctx) +get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, + openvpn_net_ctx_t *ctx) { int flags; CLEAR(*rgi6); - if (net_route_v6_best_gw(ctx, dest, &rgi6->gateway.addr_ipv6, - rgi6->iface) == 0) + if (net_route_v6_best_gw(ctx, dest, &rgi6->gateway.addr_ipv6, rgi6->iface) == 0) { if (!IN6_IS_ADDR_UNSPECIFIED(&rgi6->gateway.addr_ipv6)) { @@ -3564,9 +3294,8 @@ get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, } } -#elif defined(TARGET_DARWIN) || defined(TARGET_SOLARIS) \ - || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \ - || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) +#elif defined(TARGET_DARWIN) || defined(TARGET_SOLARIS) || defined(TARGET_FREEBSD) \ + || defined(TARGET_DRAGONFLY) || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) #include #include 
@@ -3577,7 +3306,8 @@ get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
 #include
 #endif
-struct rtmsg {
+struct rtmsg
+{
 struct rt_msghdr m_rtm;
 char m_space[512];
 };
@@ -3599,26 +3329,30 @@ struct rtmsg {
 */
 #if defined(TARGET_DARWIN)
-#define ROUNDUP(a) \
- ((a) > 0 ? (1 + (((a) - 1) | (sizeof(uint32_t) - 1))) : sizeof(uint32_t))
+#define ROUNDUP(a) ((a) > 0 ? (1 + (((a) - 1) | (sizeof(uint32_t) - 1))) : sizeof(uint32_t))
 #elif defined(TARGET_NETBSD)
 #define ROUNDUP(a) RT_ROUNDUP(a)
 #else
-#define ROUNDUP(a) \
- ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
+#define ROUNDUP(a) ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
 #endif
 #if defined(TARGET_SOLARIS)
-#define NEXTADDR(w, u) \
- if (rtm_addrs & (w)) { \
- l = sizeof(u); memmove(cp, &(u), l); cp += ROUNDUP(l); \
+#define NEXTADDR(w, u) \
+ if (rtm_addrs & (w)) \
+ { \
+ l = sizeof(u); \
+ memmove(cp, &(u), l); \
+ cp += ROUNDUP(l); \
 }
 #define ADVANCE(x, n) (x += ROUNDUP(sizeof(struct sockaddr_in)))
-#else /* if defined(TARGET_SOLARIS) */
-#define NEXTADDR(w, u) \
- if (rtm_addrs & (w)) { \
- l = ((struct sockaddr *)&(u))->sa_len; memmove(cp, &(u), l); cp += ROUNDUP(l); \
+#else /* if defined(TARGET_SOLARIS) */
+#define NEXTADDR(w, u) \
+ if (rtm_addrs & (w)) \
+ { \
+ l = ((struct sockaddr *)&(u))->sa_len; \
+ memmove(cp, &(u), l); \
+ cp += ROUNDUP(l); \
 }
 #define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))
@@ -3637,7 +3371,7 @@ get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_
 struct sockaddr so_dst, so_mask;
 char *cp = m_rtmsg.m_space;
 struct sockaddr *gate = NULL, *ifp = NULL, *sa;
- struct rt_msghdr *rtm_aux;
+ struct rt_msghdr *rtm_aux;
 #define rtm m_rtmsg.m_rtm
@@ -3647,7 +3381,7 @@ get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_
 pid = getpid();
 seq = 0;
 #ifdef TARGET_OPENBSD
- rtm_addrs = RTA_DST | RTA_NETMASK; /* Kernel refuses RTA_IFP */
+ rtm_addrs = RTA_DST | RTA_NETMASK; /* Kernel refuses RTA_IFP */
 #else
 rtm_addrs = RTA_DST | RTA_NETMASK | RTA_IFP;
 #endif
@@ -3688,7 +3422,7 @@ get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_
 }
 if (write(sockfd, (char *)&m_rtmsg, l) < 0)
 {
- msg(M_WARN|M_ERRNO, "GDG: problem writing to routing socket");
+ msg(M_WARN | M_ERRNO, "GDG: problem writing to routing socket");
 goto done;
 }
 do
@@ -3738,7 +3472,7 @@ get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_
 if (ifp)
 {
 /* get interface name */
- const struct sockaddr_dl *adl = (struct sockaddr_dl *) ifp;
+ const struct sockaddr_dl *adl = (struct sockaddr_dl *)ifp;
 if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi->iface))
 {
 memcpy(rgi->iface, adl->sdl_data, adl->sdl_nlen);
@@ -3806,15 +3540,14 @@ get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_
 if (getifaddrs(&ifap) != 0)
 {
- msg(M_WARN|M_ERRNO, "GDG: getifaddrs() failed");
+ msg(M_WARN | M_ERRNO, "GDG: getifaddrs() failed");
 goto done;
 }
 for (ifa = ifap; ifa; ifa = ifa->ifa_next)
 {
- if (ifa->ifa_addr != NULL
- && ifa->ifa_addr->sa_family == AF_LINK
- && !strncmp(ifa->ifa_name, rgi->iface, IFNAMSIZ) )
+ if (ifa->ifa_addr != NULL && ifa->ifa_addr->sa_family == AF_LINK
+ && !strncmp(ifa->ifa_name, rgi->iface, IFNAMSIZ))
 {
 struct sockaddr_dl *sdl = (struct sockaddr_dl *)ifa->ifa_addr;
 memcpy(rgi->hwaddr, LLADDR(sdl), 6);
@@ -3847,10 +3580,9 @@ done:
 #endif
 void
-get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
- const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
+get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
+ openvpn_net_ctx_t *ctx)
 {
-
 struct rtmsg m_rtmsg;
 int sockfd = -1;
 int seq, l, pid, rtm_addrs;
@@ -3866,7 +3598,7 @@ get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
 pid = getpid();
 seq = 0;
 #ifdef TARGET_OPENBSD
- rtm_addrs = RTA_DST | RTA_NETMASK; /* Kernel refuses RTA_IFP */
+ rtm_addrs = RTA_DST | RTA_NETMASK; /* Kernel refuses RTA_IFP */
 #else
 rtm_addrs = RTA_DST | RTA_NETMASK | RTA_IFP;
 #endif
@@ -3887,8 +3619,8 @@ get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
 so_dst.sin6_family = AF_INET6;
 so_mask.sin6_family = AF_INET6;
- if (dest != NULL /* specific host? */
- && !IN6_IS_ADDR_UNSPECIFIED(dest) )
+ if (dest != NULL /* specific host? */
+ && !IN6_IS_ADDR_UNSPECIFIED(dest))
 {
 so_dst.sin6_addr = *dest;
 /* :: needs /0 "netmask", host route wants "no netmask */
@@ -3916,15 +3648,14 @@ get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
 }
 if (write(sockfd, (char *)&m_rtmsg, l) < 0)
 {
- msg(M_WARN|M_ERRNO, "GDG6: problem writing to routing socket");
+ msg(M_WARN | M_ERRNO, "GDG6: problem writing to routing socket");
 goto done;
 }
 do
 {
 l = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg));
- }
- while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));
+ } while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));
 close(sockfd);
 sockfd = -1;
@@ -3967,14 +3698,12 @@ get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
 * (KAME encodes the 16 bit scope_id in s6_addr[2] + [3],
 * but for a correct link-local address these must be :0000: )
 */
- if (gate->sa_len == sizeof(struct sockaddr_in6)
- && IN6_IS_ADDR_LINKLOCAL(&gw) )
+ if (gate->sa_len == sizeof(struct sockaddr_in6) && IN6_IS_ADDR_LINKLOCAL(&gw))
 {
 gw.s6_addr[2] = gw.s6_addr[3] = 0;
 }
- if (gate->sa_len != sizeof(struct sockaddr_in6)
- || IN6_IS_ADDR_UNSPECIFIED(&gw) )
+ if (gate->sa_len != sizeof(struct sockaddr_in6) || IN6_IS_ADDR_UNSPECIFIED(&gw))
 {
 rgi6->flags |= RGI_ON_LINK;
 }
@@ -3988,7 +3717,7 @@ get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
 if (ifp)
 {
 /* get interface name */
- const struct sockaddr_dl *adl = (struct sockaddr_dl *) ifp;
+ const struct sockaddr_dl *adl = (struct sockaddr_dl *)ifp;
 if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi6->iface))
 {
 memcpy(rgi6->iface, adl->sdl_data, adl->sdl_nlen);
@@ -4072,15 +3801,15 @@ get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_
 address_size += route.gateway->sa_len;
 }
- interface = (struct ifreq *)((addr_t)interface + IF_NAMESIZE
- + sizeof(struct route_entry) + address_size);
+ interface = (struct ifreq *)((addr_t)interface + IF_NAMESIZE + sizeof(struct route_entry)
+ + address_size);
 }
 free(buffer);
 }
 void
-get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
- const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
+get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
+ openvpn_net_ctx_t *ctx)
 {
 /* TODO: Same for ipv6 with AF_INET6 */
 CLEAR(*rgi6);
@@ -4118,8 +3847,8 @@ get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_
 CLEAR(*rgi);
 }
 void
-get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
- const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
+get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
+ openvpn_net_ctx_t *ctx)
 {
 msg(D_ROUTE, "no support for get_default_gateway_ipv6() on this system");
 CLEAR(*rgi6);
@@ -4199,7 +3928,8 @@ add_host_route_array(struct route_bypass *rb, const IP_ADDR_STRING *iplist)
 while (iplist)
 {
 bool succeed = false;
- const in_addr_t ip = getaddr(GETADDR_HOST_ORDER, iplist->IpAddress.String, 0, &succeed, NULL);
+ const in_addr_t ip =
+ getaddr(GETADDR_HOST_ORDER, iplist->IpAddress.String, 0, &succeed, NULL);
 if (succeed)
 {
 add_host_route_if_nonlocal(rb, ip);
@@ -4247,7 +3977,7 @@ get_bypass_addresses(struct route_bypass *rb, const unsigned int flags)
 #else /* if defined(_WIN32) */
 static void
-get_bypass_addresses(struct route_bypass *rb, const unsigned int flags) /* PLATFORM-SPECIFIC */
+get_bypass_addresses(struct route_bypass *rb, const unsigned int flags) /* PLATFORM-SPECIFIC */
 {
 }
@@ -4268,7 +3998,8 @@ int
 test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi)
 {
 struct gc_arena gc = gc_new();
- const in_addr_t nonlocal_netmask = 0x80000000L; /* routes with netmask <= to this are considered non-local */
+ const in_addr_t nonlocal_netmask =
+ 0x80000000L; /* routes with netmask <= to this are considered non-local */
 int ret = TLA_NONLOCAL;
 /* get full routing table */
@@ -4295,7 +4026,7 @@ test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi)
 #else /* if defined(_WIN32) */
 int
-test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi) /* PLATFORM-SPECIFIC */
+test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi) /* PLATFORM-SPECIFIC */
 {
 if (rgi)
 {
diff --git a/src/openvpn/route.h b/src/openvpn/route.h
index 1a358e326..ea8b767f0 100644
--- a/src/openvpn/route.h
+++ b/src/openvpn/route.h
@@ -36,18 +36,18 @@
 /*
 * Windows route methods
 */
-#define ROUTE_METHOD_ADAPTIVE 0 /* try IP helper first then route.exe */
-#define ROUTE_METHOD_IPAPI 1 /* use IP helper API */
-#define ROUTE_METHOD_EXE 2 /* use route.exe */
-#define ROUTE_METHOD_SERVICE 3 /* use the privileged Windows service */
-#define ROUTE_METHOD_MASK 3
+#define ROUTE_METHOD_ADAPTIVE 0 /* try IP helper first then route.exe */
+#define ROUTE_METHOD_IPAPI 1 /* use IP helper API */
+#define ROUTE_METHOD_EXE 2 /* use route.exe */
+#define ROUTE_METHOD_SERVICE 3 /* use the privileged Windows service */
+#define ROUTE_METHOD_MASK 3
 #endif
 /*
 * Route add/delete flags (must stay clear of ROUTE_METHOD bits)
 */
-#define ROUTE_DELETE_FIRST (1<<2)
-#define ROUTE_REF_GW (1<<3)
+#define ROUTE_DELETE_FIRST (1 << 2)
+#define ROUTE_REF_GW (1 << 3)
 struct route_bypass
 {
@@ -59,9 +59,9 @@ struct route_bypass
 struct route_special_addr
 {
 /* bits indicating which members below are defined */
-#define RTSA_REMOTE_ENDPOINT (1<<0)
-#define RTSA_REMOTE_HOST (1<<1)
-#define RTSA_DEFAULT_METRIC (1<<2)
+#define RTSA_REMOTE_ENDPOINT (1 << 0)
+#define RTSA_REMOTE_HOST (1 << 1)
+#define RTSA_DEFAULT_METRIC (1 << 2)
 unsigned int flags;
 in_addr_t remote_endpoint;
@@ -72,7 +72,8 @@ struct route_special_addr
 int default_metric;
 };
-struct route_option {
+struct route_option
+{
 struct route_option *next;
 const char *network;
 const char *netmask;
@@ -82,39 +83,43 @@ struct route_option {
 };
 /* redirect-gateway flags */
-#define RG_ENABLE (1<<0)
-#define RG_LOCAL (1<<1)
-#define RG_DEF1 (1<<2)
-#define RG_BYPASS_DHCP (1<<3)
-#define RG_BYPASS_DNS (1<<4)
-#define RG_REROUTE_GW (1<<5)
-#define RG_AUTO_LOCAL (1<<6)
-#define RG_BLOCK_LOCAL (1<<7)
-
-struct route_option_list {
+#define RG_ENABLE (1 << 0)
+#define RG_LOCAL (1 << 1)
+#define RG_DEF1 (1 << 2)
+#define RG_BYPASS_DHCP (1 << 3)
+#define RG_BYPASS_DNS (1 << 4)
+#define RG_REROUTE_GW (1 << 5)
+#define RG_AUTO_LOCAL (1 << 6)
+#define RG_BLOCK_LOCAL (1 << 7)
+
+struct route_option_list
+{
 unsigned int flags; /* RG_x flags */
 struct route_option *routes;
 struct gc_arena *gc;
 };
-struct route_ipv6_option {
+struct route_ipv6_option
+{
 struct route_ipv6_option *next;
- const char *prefix; /* e.g. "2001:db8:1::/64" */
- const char *gateway; /* e.g. "2001:db8:0::2" */
- const char *metric; /* e.g. "5" */
+ const char *prefix; /* e.g. "2001:db8:1::/64" */
+ const char *gateway; /* e.g. "2001:db8:0::2" */
+ const char *metric; /* e.g. "5" */
 int table_id;
 };
-struct route_ipv6_option_list {
- unsigned int flags; /* RG_x flags, see route_option-list */
+struct route_ipv6_option_list
+{
+ unsigned int flags; /* RG_x flags, see route_option-list */
 struct route_ipv6_option *routes_ipv6;
 struct gc_arena *gc;
 };
-struct route_ipv4 {
-#define RT_DEFINED (1<<0)
-#define RT_ADDED (1<<1)
-#define RT_METRIC_DEFINED (1<<2)
+struct route_ipv4
+{
+#define RT_DEFINED (1 << 0)
+#define RT_ADDED (1 << 1)
+#define RT_METRIC_DEFINED (1 << 2)
 struct route_ipv4 *next;
 unsigned int flags;
 const struct route_option *option;
@@ -125,9 +130,10 @@ struct route_ipv4 {
 int metric;
 };
-struct route_ipv6 {
+struct route_ipv6
+{
 struct route_ipv6 *next;
- unsigned int flags; /* RT_ flags, see route_ipv4 */
+ unsigned int flags; /* RT_ flags, see route_ipv4 */
 struct in6_addr network;
 unsigned int netbits;
 struct in6_addr gateway;
@@ -135,25 +141,27 @@ struct route_ipv6 {
 int table_id;
 /* gateway interface */
 #ifdef _WIN32
- DWORD adapter_index; /* interface or ~0 if undefined */
+ DWORD adapter_index; /* interface or ~0 if undefined */
 #else
- char *iface; /* interface name (null terminated) */
+ char *iface; /* interface name (null terminated) */
 #endif
 };
-struct route_gateway_address {
+struct route_gateway_address
+{
 in_addr_t addr;
 in_addr_t netmask;
 };
-struct route_gateway_info {
-#define RGI_ADDR_DEFINED (1<<0) /* set if gateway.addr defined */
-#define RGI_NETMASK_DEFINED (1<<1) /* set if gateway.netmask defined */
-#define RGI_HWADDR_DEFINED (1<<2) /* set if hwaddr is defined */
-#define RGI_IFACE_DEFINED (1<<3) /* set if iface is defined */
-#define RGI_OVERFLOW (1<<4) /* set if more interface addresses than will fit in addrs */
-#define RGI_ON_LINK (1<<5)
+struct route_gateway_info
+{
+#define RGI_ADDR_DEFINED (1 << 0) /* set if gateway.addr defined */
+#define RGI_NETMASK_DEFINED (1 << 1) /* set if gateway.netmask defined */
+#define RGI_HWADDR_DEFINED (1 << 2) /* set if hwaddr is defined */
+#define RGI_IFACE_DEFINED (1 << 3) /* set if iface is defined */
+#define RGI_OVERFLOW (1 << 4) /* set if more interface addresses than will fit in addrs */
+#define RGI_ON_LINK (1 << 5)
 unsigned int flags;
 /* gateway interface */
@@ -173,17 +181,19 @@ struct route_gateway_info {
 /* address/netmask pairs bound to interface */
 #define RGI_N_ADDRESSES 8
- int n_addrs; /* len of addrs, may be 0 */
+ int n_addrs; /* len of addrs, may be 0 */
 struct route_gateway_address addrs[RGI_N_ADDRESSES]; /* local addresses attached to iface */
 };
-struct route_ipv6_gateway_address {
+struct route_ipv6_gateway_address
+{
 struct in6_addr addr_ipv6;
 int netbits_ipv6;
 };
-struct route_ipv6_gateway_info {
-/* RGI_ flags used as in route_gateway_info */
+struct route_ipv6_gateway_info
+{
+ /* RGI_ flags used as in route_gateway_info */
 unsigned int flags;
 /* gateway interface */
@@ -210,45 +220,50 @@ struct route_ipv6_gateway_info {
 /* address/netmask pairs bound to interface */
 #define RGI_N_ADDRESSES 8
- int n_addrs; /* len of addrs, may be 0 */
- struct route_ipv6_gateway_address addrs[RGI_N_ADDRESSES]; /* local addresses attached to iface */
+ int n_addrs; /* len of addrs, may be 0 */
+ struct route_ipv6_gateway_address
+ addrs[RGI_N_ADDRESSES]; /* local addresses attached to iface */
 };
-struct route_list {
-#define RL_DID_REDIRECT_DEFAULT_GATEWAY (1<<0)
-#define RL_DID_LOCAL (1<<1)
-#define RL_ROUTES_ADDED (1<<2)
+struct route_list
+{
+#define RL_DID_REDIRECT_DEFAULT_GATEWAY (1 << 0)
+#define RL_DID_LOCAL (1 << 1)
+#define RL_ROUTES_ADDED (1 << 2)
 unsigned int iflags;
 struct route_special_addr spec;
 struct route_gateway_info rgi;
- unsigned int flags; /* RG_x flags */
+ unsigned int flags; /* RG_x flags */
 struct route_ipv4 *routes;
 struct gc_arena gc;
 };
-struct route_ipv6_list {
- unsigned int iflags; /* RL_ flags, see route_list */
+struct route_ipv6_list
+{
+ unsigned int iflags; /* RL_ flags, see route_list */
- unsigned int spec_flags; /* RTSA_ flags, route_special_addr */
+ unsigned int spec_flags; /* RTSA_ flags, route_special_addr */
 struct in6_addr remote_endpoint_ipv6; /* inside tun */
- struct in6_addr remote_host_ipv6; /* --remote address */
+ struct in6_addr remote_host_ipv6; /* --remote address */
 int default_metric;
 struct route_ipv6_gateway_info rgi6;
- unsigned int flags; /* RG_x flags, see route_option_list */
+ unsigned int flags; /* RG_x flags, see route_option_list */
 struct route_ipv6 *routes_ipv6;
 struct gc_arena gc;
 };
 /* internal OpenVPN route */
-struct iroute {
+struct iroute
+{
 in_addr_t network;
 int netbits;
 struct iroute *next;
 };
-struct iroute_ipv6 {
+struct iroute_ipv6
+{
 struct in6_addr network;
 unsigned int netbits;
 struct iroute_ipv6 *next;
@@ -270,79 +285,58 @@ struct route_option_list *new_route_option_list(struct gc_arena *a);
 struct route_ipv6_option_list *new_route_ipv6_option_list(struct gc_arena *a);
-struct route_option_list *clone_route_option_list(const struct route_option_list *src, struct gc_arena *a);
+struct route_option_list *clone_route_option_list(const struct route_option_list *src,
+ struct gc_arena *a);
-struct route_ipv6_option_list *clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a);
+struct route_ipv6_option_list *clone_route_ipv6_option_list(
+ const struct route_ipv6_option_list *src, struct gc_arena *a);
-void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a);
+void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src,
+ struct gc_arena *a);
 void copy_route_ipv6_option_list(struct route_ipv6_option_list *dest,
- const struct route_ipv6_option_list *src,
- struct gc_arena *a);
+ const struct route_ipv6_option_list *src, struct gc_arena *a);
-void route_ipv6_clear_host_bits( struct route_ipv6 *r6 );
+void route_ipv6_clear_host_bits(struct route_ipv6 *r6);
-bool add_route_ipv6(struct route_ipv6 *r, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx);
+bool add_route_ipv6(struct route_ipv6 *r, const struct tuntap *tt, unsigned int flags,
+ const struct env_set *es, openvpn_net_ctx_t *ctx);
-void delete_route_ipv6(const struct route_ipv6 *r, const struct tuntap *tt, const struct env_set *es, openvpn_net_ctx_t *ctx);
+void delete_route_ipv6(const struct route_ipv6 *r, const struct tuntap *tt,
+ const struct env_set *es, openvpn_net_ctx_t *ctx);
 bool add_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx);
-void add_route_to_option_list(struct route_option_list *l,
- const char *network,
- const 
char *netmask,
- const char *gateway,
- const char *metric,
- int table_id);
-
-void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l,
- const char *prefix,
- const char *gateway,
- const char *metric,
- int table_id);
-
-bool init_route_list(struct route_list *rl,
- const struct route_option_list *opt,
- const char *remote_endpoint,
- int default_metric,
- in_addr_t remote_host,
- struct env_set *es,
- openvpn_net_ctx_t *ctx);
-
-bool init_route_ipv6_list(struct route_ipv6_list *rl6,
- const struct route_ipv6_option_list *opt6,
- const char *remote_endpoint,
- int default_metric,
- const struct in6_addr *remote_host,
- struct env_set *es,
+void add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask,
+ const char *gateway, const char *metric, int table_id);
+
+void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix,
+ const char *gateway, const char *metric, int table_id);
+
+bool init_route_list(struct route_list *rl, const struct route_option_list *opt,
+ const char *remote_endpoint, int default_metric, in_addr_t remote_host,
+ struct env_set *es, openvpn_net_ctx_t *ctx);
+
+bool init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6,
+ const char *remote_endpoint, int default_metric,
+ const struct in6_addr *remote_host, struct env_set *es,
 openvpn_net_ctx_t *ctx);
-void route_list_add_vpn_gateway(struct route_list *rl,
- struct env_set *es,
- const in_addr_t addr);
+void route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr);
-bool add_routes(struct route_list *rl, struct route_ipv6_list *rl6,
- const struct tuntap *tt, unsigned int flags,
- const struct env_set *es, openvpn_net_ctx_t *ctx);
+bool add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt,
+ unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx);
-void delete_routes(struct route_list *rl,
- 
struct route_ipv6_list *rl6,
- const struct tuntap *tt,
- unsigned int flags,
- const struct env_set *es,
- openvpn_net_ctx_t *ctx);
+void delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt,
+ unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx);
-void
-delete_routes_v4(struct route_list *rl, const struct tuntap *tt,
- unsigned int flags, const struct env_set *es,
- openvpn_net_ctx_t *ctx);
+void delete_routes_v4(struct route_list *rl, const struct tuntap *tt, unsigned int flags,
+ const struct env_set *es, openvpn_net_ctx_t *ctx);
-void
-delete_routes_v6(struct route_ipv6_list *rl6, const struct tuntap *tt,
- unsigned int flags, const struct env_set *es,
- openvpn_net_ctx_t *ctx);
+void delete_routes_v6(struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags,
+ const struct env_set *es, openvpn_net_ctx_t *ctx);
 void setenv_routes(struct env_set *es, const struct route_list *rl);
@@ -357,16 +351,12 @@ bool is_special_addr(const char *addr_str);
 * @param dest Destination IP address in host byte order.
 * @param ctx Pointer to a platform-specific network context struct.
 */
-void get_default_gateway(struct route_gateway_info *rgi,
- in_addr_t dest,
- openvpn_net_ctx_t *ctx);
+void get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx);
-void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi,
- const struct in6_addr *dest,
+void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi, const struct in6_addr *dest,
 openvpn_net_ctx_t *ctx);
-void print_default_gateway(const int msglevel,
- const struct route_gateway_info *rgi,
+void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi,
 const struct route_ipv6_gateway_info *rgi6);
 /*
@@ -381,8 +371,7 @@ void print_default_gateway(const int msglevel,
 int test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi);
 #ifndef ENABLE_SMALL
-void print_route_options(const struct route_option_list *rol,
- int level);
+void print_route_options(const struct route_option_list *rol, int level);
 #endif
@@ -394,7 +383,7 @@ void show_routes(int msglev);
 bool test_routes(const struct route_list *rl, const struct tuntap *tt);
-#else /* ifdef _WIN32 */
+#else /* ifdef _WIN32 */
 static inline bool
 test_routes(const struct route_list *rl, const struct tuntap *tt)
 {
@@ -413,7 +402,7 @@ netbits_to_netmask(const int netbits)
 in_addr_t mask = 0;
 if (netbits > 0 && netbits <= addrlen)
 {
- mask = IPV4_NETMASK_HOST << (addrlen-netbits);
+ mask = IPV4_NETMASK_HOST << (addrlen - netbits);
 }
 return mask;
 }
diff --git a/src/openvpn/run_command.c b/src/openvpn/run_command.c
index ed5b08ca4..4a1ef2286 100644
--- a/src/openvpn/run_command.c
+++ b/src/openvpn/run_command.c
@@ -67,7 +67,7 @@ system_error_message(int stat, struct gc_arena *gc)
 #ifdef _WIN32
 case OPENVPN_EXECVE_ERROR:
 buf_printf(&out, "external program did not execute -- ");
- /* fall through */
+ /* fall through */
 default:
 buf_printf(&out, "returned error code %d", stat);
@@ -126,20 +126,16 @@ openvpn_waitpid_check(pid_t pid, const char *msg_prefix, int msglevel)
 if (exitcode == OPENVPN_EXECVE_FAILURE)
 {
- msg(msglevel, "%scould not execute external program (exit code 127)",
- msg_prefix);
+ msg(msglevel, "%scould not execute external program (exit code 127)", msg_prefix);
 }
 else
 {
- msg(msglevel, "%sexternal program exited with error status: %d",
- msg_prefix, exitcode);
+ msg(msglevel, "%sexternal program exited with error status: %d", msg_prefix, exitcode);
 }
-
 }
 else if (WIFSIGNALED(status))
 {
- msg(msglevel, "%sexternal program received signal %d",
- msg_prefix, WTERMSIG(status));
+ msg(msglevel, "%sexternal program received signal %d", msg_prefix, WTERMSIG(status));
 }
 return false;
@@ -234,7 +230,8 @@ openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned in
 * Wrapper around openvpn_execve
 */
 int
-openvpn_execve_check(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *error_message)
+openvpn_execve_check(const struct argv *a, const struct env_set *es, const unsigned int flags,
+ const char *error_message)
 {
 struct gc_arena gc = gc_new();
 const int stat = openvpn_execve(a, es, flags);
@@ -260,8 +257,7 @@ openvpn_execve_check(const struct argv *a, const struct env_set *es, const unsig
 }
 if (error_message)
 {
- msg(((flags & S_FATAL) ? M_FATAL : M_WARN), "%s: %s",
- error_message,
+ msg(((flags & S_FATAL) ? M_FATAL : M_WARN), "%s: %s", error_message,
 system_error_message(stat, &gc));
 }
 done:
@@ -276,7 +272,7 @@ done:
 * associated with formatting and parsing a command line.
 */
 int
-openvpn_popen(const struct argv *a, const struct env_set *es)
+openvpn_popen(const struct argv *a, const struct env_set *es)
 {
 struct gc_arena gc = gc_new();
 int ret = -1;
@@ -298,20 +294,20 @@ openvpn_popen(const struct argv *a, const struct env_set *es)
 pid = fork();
 if (pid == (pid_t)0) /* child side */
 {
- close(pipe_stdout[0]); /* Close read end */
+ close(pipe_stdout[0]); /* Close read end */
 dup2(pipe_stdout[1], 1);
 execve(cmd, argv, envp);
 exit(OPENVPN_EXECVE_FAILURE);
 }
- else if (pid > (pid_t)0) /* parent side */
+ else if (pid > (pid_t)0) /* parent side */
 {
 int status = 0;
- close(pipe_stdout[1]); /* Close write end */
+ close(pipe_stdout[1]); /* Close write end */
 waitpid(pid, &status, 0);
 ret = pipe_stdout[0];
 }
- else /* fork failed */
+ else /* fork failed */
 {
 close(pipe_stdout[0]);
 close(pipe_stdout[1]);
diff --git a/src/openvpn/run_command.h b/src/openvpn/run_command.h
index e70373244..4b74f221d 100644
--- a/src/openvpn/run_command.h
+++ b/src/openvpn/run_command.h
@@ -27,36 +27,38 @@
 #include "env_set.h"
 /* Script security */
-#define SSEC_NONE 0 /* strictly no calling of external programs */
-#define SSEC_BUILT_IN 1 /* only call built-in programs such as ifconfig, route, netsh, etc.*/
-#define SSEC_SCRIPTS 2 /* allow calling of built-in programs and user-defined scripts */
-#define SSEC_PW_ENV 3 /* allow calling of built-in programs and user-defined scripts that may receive a password as an environmental variable */
+#define SSEC_NONE 0 /* strictly no calling of external programs */
+#define SSEC_BUILT_IN 1 /* only call built-in programs such as ifconfig, route, netsh, etc.*/
+#define SSEC_SCRIPTS 2 /* allow calling of built-in programs and user-defined scripts */
+#define SSEC_PW_ENV \
+ 3 /* allow calling of built-in programs and user-defined scripts that may receive a password \
+ as an environmental variable */
-#define OPENVPN_EXECVE_ERROR -1 /* generic error while forking to run an external program */
-#define OPENVPN_EXECVE_NOT_ALLOWED -2 /* external program not run due to script security */
-#define OPENVPN_EXECVE_FAILURE 127 /* exit code passed back from child when execve fails */
+#define OPENVPN_EXECVE_ERROR -1 /* generic error while forking to run an external program */
+#define OPENVPN_EXECVE_NOT_ALLOWED -2 /* external program not run due to script security */
+#define OPENVPN_EXECVE_FAILURE 127 /* exit code passed back from child when execve fails */
 int script_security(void);
 void script_security_set(int level);
 /* openvpn_execve flags */
-#define S_SCRIPT (1<<0)
-#define S_FATAL (1<<1)
+#define S_SCRIPT (1 << 0)
+#define S_FATAL (1 << 1)
 /** Instead of returning 1/0 for success/fail, * return exit code when between 0 and 255 and -1 otherwise */
-#define S_EXITCODE (1<<2)
+#define S_EXITCODE (1 << 2)
 /** instead of waiting for child process to exit and report the status, * return the pid of the child process */
-#define S_NOWAITPID (1<<3)
+#define S_NOWAITPID (1 << 3)
 /* wrapper around the execve() call */
-int openvpn_popen(const struct argv *a, const struct env_set *es);
+int openvpn_popen(const struct argv *a, const struct env_set *es);
 bool openvpn_execve_allowed(const unsigned int flags);
-int openvpn_execve_check(const struct argv *a, const struct env_set *es,
- const unsigned int flags, const char *error_message);
+int openvpn_execve_check(const struct argv *a, const struct env_set *es, const unsigned int flags,
+ const char *error_message);
 #ifndef WIN32
@@ -72,9 +74,7 @@ int openvpn_execve_check(const struct argv *a, const struct env_set *es,
 * @return true if the process is still running, false if
 * an error condition occurred
 */
-bool
-openvpn_waitpid_check(pid_t pid, const char *msg_prefix,
- int msglevel);
+bool openvpn_waitpid_check(pid_t pid, const char *msg_prefix, int msglevel);
 #endif
@@ -83,13 +83,12 @@ openvpn_waitpid_check(pid_t pid, const char *msg_prefix,
 * 0 and 255, -1 otherwise
 */
 static inline int
-openvpn_run_script(const struct argv *a, const struct env_set *es,
- const unsigned int flags, const char *hook)
+openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags,
+ const char *hook)
 {
 char msg[256];
- snprintf(msg, sizeof(msg),
- "WARNING: Failed running command (%s)", hook);
+ snprintf(msg, sizeof(msg), "WARNING: Failed running command (%s)", hook);
 return openvpn_execve_check(a, es, flags | S_SCRIPT, msg);
 }
diff --git a/src/openvpn/schedule.c b/src/openvpn/schedule.c
index f89f34143..c9fef2406 100644
--- a/src/openvpn/schedule.c
+++ b/src/openvpn/schedule.c
@@ -54,15 +54,12 @@ schedule_entry_debug_info(const char *caller, const struct schedule_entry *e)
 struct gc_arena gc = gc_new();
 if (e)
 {
- dmsg(D_SCHEDULER, "SCHEDULE: %s wakeup=[%s] pri=%u",
- caller,
- tv_string_abs(&e->tv, &gc),
+ dmsg(D_SCHEDULER, "SCHEDULE: %s wakeup=[%s] pri=%u", caller, tv_string_abs(&e->tv, &gc),
 e->pri);
 }
 else
 {
- dmsg(D_SCHEDULER, "SCHEDULE: %s NULL",
- caller);
+ dmsg(D_SCHEDULER, "SCHEDULE: %s NULL", caller);
 }
 gc_free(&gc);
 }
@@ -84,8 +81,7 @@ schedule_set_pri(struct schedule_entry *e)
 * that keys do not collide.
 */
 static inline int
-schedule_entry_compare(const struct schedule_entry *e1,
- const struct schedule_entry *e2)
+schedule_entry_compare(const struct schedule_entry *e1, const struct schedule_entry *e2)
 {
 if (e1->tv.tv_sec < e2->tv.tv_sec)
 {
@@ -360,12 +356,11 @@ schedule_add_modify(struct schedule *s, struct schedule_entry *e)
 if (s->root)
 {
- schedule_insert(s, e); /* trivial insert into tree */
+ schedule_insert(s, e); /* trivial insert into tree */
 }
 else
 {
 s->root = e; /* tree was empty, we are the first element */
-
 }
 /* This is the magic of the randomized treap algorithm which
 * keeps the tree balanced. Move the node up the tree until
@@ -446,12 +441,8 @@ schedule_find_earliest_wakeup(struct schedule *s)
 * internally consistent.
 */
 int
-schedule_debug_entry(const struct schedule_entry *e,
- int depth,
- int *count,
- struct timeval *least,
- const struct timeval *min,
- const struct timeval *max)
+schedule_debug_entry(const struct schedule_entry *e, int depth, int *count, struct timeval *least,
+ const struct timeval *min, const struct timeval *max)
 {
 struct gc_arena gc = gc_new();
 int maxdepth = depth;
@@ -493,13 +484,13 @@ schedule_debug_entry(const struct schedule_entry *e,
 *least = e->tv;
 }
- d = schedule_debug_entry(e->lt, depth+1, count, least, min, &e->tv);
+ d = schedule_debug_entry(e->lt, depth + 1, count, least, min, &e->tv);
 if (d > maxdepth)
 {
 maxdepth = d;
 }
- d = schedule_debug_entry(e->gt, depth+1, count, least, &e->tv, max);
+ d = schedule_debug_entry(e->gt, depth + 1, count, least, &e->tv, max);
 if (d > maxdepth)
 {
 maxdepth = d;
@@ -576,14 +567,8 @@ schedule_verify(struct schedule *s)
 if (e)
 {
- printf("Verification Phase count=%d maxlev=%d sru=%d ins=%d coll=%d ls=%d l=%s",
- count,
- maxlev,
- zz.sru,
- zz.ins,
- zz.coll,
- zz.lsteps,
- tv_string(&e->tv, &gc));
+ printf("Verification Phase count=%d maxlev=%d sru=%d ins=%d coll=%d ls=%d l=%s", count,
+ maxlev, zz.sru, zz.ins, zz.coll, zz.lsteps, tv_string(&e->tv, &gc));
 if (!tv_eq(&least, &e->tv))
 {
@@ -604,11 +589,11 @@ schedule_randomize_array(struct schedule_entry **array, int size)
 for (i = 0; i < size; ++i)
 {
 const int src = get_random() % size;
- struct schedule_entry *tmp = array [i];
+ struct schedule_entry *tmp = array[i];
 if (i != src)
 {
- array [i] = array [src];
- array [src] = tmp;
+ array[i] = array[src];
+ array[src] = tmp;
 }
 }
 }
@@ -625,14 +610,10 @@ schedule_print_work(struct schedule_entry *e, int indent)
 if (e)
 {
 printf("%s [%u] e=" ptr_format ", p=" ptr_format " lt=" ptr_format " gt=" ptr_format "\n",
- tv_string(&e->tv, &gc),
- e->pri,
- (ptr_type)e,
- (ptr_type)e->parent,
- (ptr_type)e->lt,
+ tv_string(&e->tv, &gc), e->pri, (ptr_type)e, (ptr_type)e->parent, (ptr_type)e->lt,
 (ptr_type)e->gt);
- schedule_print_work(e->lt, indent+1);
- schedule_print_work(e->gt, indent+1);
+ schedule_print_work(e->lt, indent + 1);
+ schedule_print_work(e->gt, indent + 1);
 }
 else
 {
diff --git a/src/openvpn/schedule.h b/src/openvpn/schedule.h
index fad3f36c5..79311c546 100644
--- a/src/openvpn/schedule.h
+++ b/src/openvpn/schedule.h
@@ -42,8 +42,8 @@
 struct schedule_entry
 {
- struct timeval tv; /* wakeup time */
- unsigned int pri; /* random treap priority */
+ struct timeval tv; /* wakeup time */
+ unsigned int pri; /* random treap priority */
 struct schedule_entry *parent; /* treap (btree) links */
 struct schedule_entry *lt;
 struct schedule_entry *gt;
@@ -52,7 +52,7 @@ struct schedule_entry
 struct schedule
 {
 struct schedule_entry *earliest_wakeup; /* cached earliest wakeup */
- struct schedule_entry *root; /* the root of the treap (btree) */
+ struct schedule_entry *root; /* the root of the treap (btree) */
 };
 /* Public functions */
@@ -94,9 +94,7 @@ void schedule_remove_node(struct schedule *s, struct schedule_entry *e);
 * an opaque object.
 */
 static inline void
-schedule_add_entry(struct schedule *s,
- struct schedule_entry *e,
- const struct timeval *tv,
+schedule_add_entry(struct schedule *s, struct schedule_entry *e, const struct timeval *tv,
 unsigned int sigma)
 {
 if (!IN_TREE(e) || !sigma || !tv_within_sigma(tv, &e->tv, sigma))
@@ -114,8 +112,7 @@ schedule_add_entry(struct schedule *s,
 * is randomized every time an entry is re-added).
 */
 static inline struct schedule_entry *
-schedule_get_earliest_wakeup(struct schedule *s,
- struct timeval *wakeup)
+schedule_get_earliest_wakeup(struct schedule *s, struct timeval *wakeup)
 {
 struct schedule_entry *ret;
diff --git a/src/openvpn/session_id.h b/src/openvpn/session_id.h
index 7c0a9689f..24e7ab09a 100644
--- a/src/openvpn/session_id.h
+++ b/src/openvpn/session_id.h
@@ -44,8 +44,7 @@ extern const struct session_id x_session_id_zero;
 #define SID_SIZE (sizeof(x_session_id_zero.id))
 static inline bool
-session_id_equal(const struct session_id *sid1,
- const struct session_id *sid2)
+session_id_equal(const struct session_id *sid1, const struct session_id *sid2)
 {
 return !memcmp(sid1->id, sid2->id, SID_SIZE);
 }
diff --git a/src/openvpn/shaper.c b/src/openvpn/shaper.c
index 1c8cfb35c..fb2621e2b 100644
--- a/src/openvpn/shaper.c
+++ b/src/openvpn/shaper.c
@@ -86,6 +86,5 @@ shaper_reset_wakeup(struct shaper *s)
 void
 shaper_msg(struct shaper *s)
 {
- msg(M_INFO, "Output Traffic Shaping initialized at %d bytes per second",
- s->bytes_per_second);
+ msg(M_INFO, "Output Traffic Shaping initialized at %d bytes per second", s->bytes_per_second);
 }
diff --git a/src/openvpn/shaper.h b/src/openvpn/shaper.h
index 9996b0857..4483d1584 100644
--- a/src/openvpn/shaper.h
+++ b/src/openvpn/shaper.h
@@ -36,10 +36,10 @@
 * the output direction.
 */
-#define SHAPER_MIN 100 /* bytes per second */
+#define SHAPER_MIN 100 /* bytes per second */
 #define SHAPER_MAX 100000000
-#define SHAPER_MAX_TIMEOUT 10 /* seconds */
+#define SHAPER_MAX_TIMEOUT 10 /* seconds */
 #define SHAPER_USE_FP
@@ -125,11 +125,12 @@ shaper_wrote_bytes(struct shaper *s, int nbytes)
 /* compute delay in microseconds */
 tv.tv_sec = 0;
 #ifdef SHAPER_USE_FP
- tv.tv_usec = min_int((int)((double)max_int(nbytes, 100) * s->factor), (SHAPER_MAX_TIMEOUT*1000000));
+ tv.tv_usec =
+ min_int((int)((double)max_int(nbytes, 100) * s->factor), (SHAPER_MAX_TIMEOUT * 1000000));
 #else
 tv.tv_usec = s->bytes_per_second
- ? min_int(max_int(nbytes, 100) * s->factor, (SHAPER_MAX_TIMEOUT*1000000))
- : 0;
+ ? min_int(max_int(nbytes, 100) * s->factor, (SHAPER_MAX_TIMEOUT * 1000000))
+ : 0;
 #endif
 if (tv.tv_usec)
@@ -138,11 +139,9 @@ shaper_wrote_bytes(struct shaper *s, int nbytes)
 tv_add(&s->wakeup, &tv);
 #ifdef SHAPER_DEBUG
- dmsg(D_SHAPER_DEBUG, "SHAPER shaper_wrote_bytes bytes=%d delay=%ld sec=%" PRIi64 " usec=%ld",
- nbytes,
- (long)tv.tv_usec,
- (int64_t)s->wakeup.tv_sec,
- (long)s->wakeup.tv_usec);
+ dmsg(D_SHAPER_DEBUG,
+ "SHAPER shaper_wrote_bytes bytes=%d delay=%ld sec=%" PRIi64 " usec=%ld", nbytes,
+ (long)tv.tv_usec, (int64_t)s->wakeup.tv_sec, (long)s->wakeup.tv_usec);
 #endif
 }
 }
diff --git a/src/openvpn/sig.c b/src/openvpn/sig.c
index 02df5e0eb..5f5a80884 100644
--- a/src/openvpn/sig.c
+++ b/src/openvpn/sig.c
@@ -43,20 +43,19 @@
 struct signal_info siginfo_static; /* GLOBAL */
-struct signame {
+struct signame
+{
 int value;
 int priority;
 const char *upper;
 const char *lower;
 };
-static const struct signame signames[] = {
- { SIGINT, 5, "SIGINT", "sigint"},
- { SIGTERM, 4, "SIGTERM", "sigterm" },
- { SIGHUP, 3, "SIGHUP", "sighup" },
- { SIGUSR1, 2, "SIGUSR1", "sigusr1" },
- { SIGUSR2, 1, "SIGUSR2", "sigusr2" }
-};
+static const struct signame signames[] = { { SIGINT, 5, "SIGINT", "sigint" },
+ { SIGTERM, 4, "SIGTERM", "sigterm" },
+ { SIGHUP, 3, "SIGHUP", "sighup" },
+ { SIGUSR1, 2, "SIGUSR1", "sigusr1" },
+ { SIGUSR2, 1, "SIGUSR2", "sigusr2" } };
 /* mask for hard signals from management or windows */
 static unsigned long long ignored_hard_signals_mask;
@@ -209,8 +208,7 @@ throw_signal_soft(const int signum, const char *signal_text)
 if (try_throw_signal(&siginfo_static, signum, SIG_SOURCE_SOFT))
 {
 siginfo_static.signal_text = signal_text;
- msg(D_SIGNAL_DEBUG, "Throw signal (soft): %s (%s)", signal_name(signum, true),
- signal_text);
+ msg(D_SIGNAL_DEBUG, "Throw signal (soft): %s (%s)", signal_name(signum, true), signal_text);
 }
 else
 {
@@ -241,8 +239,7 @@ register_signal(struct signal_info *si, int signum, const char *signal_text)
 {
 si->source = SIG_SOURCE_CONNECTION_FAILED;
 }
- msg(D_SIGNAL_DEBUG, "register signal: %s (%s)", signal_name(signum, true),
- signal_text);
+ msg(D_SIGNAL_DEBUG, "register signal: %s (%s)", signal_name(signum, true), signal_text);
 }
 else
 {
@@ -330,7 +327,8 @@ print_signal(const struct signal_info *si, const char *title, int msglevel)
 break;
 default:
- msg(msglevel, "Unknown signal %d [%s,%s] received by %s", si->signal_received, hs, type, t);
+ msg(msglevel, "Unknown signal %d [%s,%s] received by %s", si->signal_received, hs,
+ type, t);
 break;
 }
 }
@@ -365,13 +363,10 @@ signal_restart_status(const struct signal_info *si)
 if (state >= 0)
 {
- management_set_state(management,
- state,
- si->signal_text ? si->signal_text : signal_name(si->signal_received, true),
- NULL,
- NULL,
- NULL,
- NULL);
+ management_set_state(management, state,
+ si->signal_text ? si->signal_text
+ : signal_name(si->signal_received, true),
+ NULL, NULL, NULL, NULL);
 }
 }
 #endif /* ifdef ENABLE_MANAGEMENT */
@@ -401,7 +396,7 @@ pre_init_signal_catch(void)
 struct sigaction sa;
 CLEAR(sa);
- sigfillset(&block_mask); /* all signals */
+ sigfillset(&block_mask); /* all signals */
 sa.sa_handler = signal_handler;
 sa.sa_mask = block_mask; /* signals blocked inside the handler */
 sa.sa_flags = SA_RESTART; /* match with the behaviour of signal() on Linux and BSD */
@@ -430,9 +425,9 @@ post_init_signal_catch(void)
 struct sigaction sa;
 CLEAR(sa);
- sigfillset(&block_mask); /* all signals */
+ sigfillset(&block_mask); /* all signals */
 sa.sa_handler = signal_handler;
- sa.sa_mask = block_mask; /* signals blocked inside the handler */
+ sa.sa_mask = block_mask; /* signals blocked inside the handler */
 sa.sa_flags = SA_RESTART; /* match with the behaviour of signal() on Linux and BSD */
 signal_mode = SM_POST_INIT;
@@ -498,8 +493,10 @@ print_status(struct context *c, struct status_output *so)
 status_printf(so, "Updated,%s", time_string(0, 0, false, &gc));
 status_printf(so, "TUN/TAP read bytes," counter_format, c->c2.tun_read_bytes);
 status_printf(so, "TUN/TAP write bytes," counter_format, c->c2.tun_write_bytes);
- status_printf(so, "TCP/UDP read bytes," counter_format, c->c2.link_read_bytes + c->c2.dco_read_bytes);
- status_printf(so, "TCP/UDP write bytes," counter_format, c->c2.link_write_bytes + c->c2.dco_write_bytes);
+ status_printf(so, "TCP/UDP read bytes," counter_format,
+ c->c2.link_read_bytes + c->c2.dco_read_bytes);
+ status_printf(so, "TCP/UDP write bytes," counter_format,
+ c->c2.link_write_bytes + c->c2.dco_write_bytes);
 status_printf(so, "Auth read bytes," counter_format, c->c2.link_read_bytes_auth);
 #ifdef USE_COMP
 if (c->c2.comp_context)
@@ -565,12 +562,13 @@ process_explicit_exit_notification_init(struct context *c)
 void
 process_explicit_exit_notification_timer_wakeup(struct context *c)
 {
- if (event_timeout_trigger(&c->c2.explicit_exit_notification_interval,
- &c->c2.timeval,
+ if (event_timeout_trigger(&c->c2.explicit_exit_notification_interval, &c->c2.timeval,
 ETT_DEFAULT))
 {
- ASSERT(c->c2.explicit_exit_notification_time_wait && c->options.ce.explicit_exit_notification);
- if (now >= c->c2.explicit_exit_notification_time_wait + c->options.ce.explicit_exit_notification)
+ ASSERT(c->c2.explicit_exit_notification_time_wait
+ && c->options.ce.explicit_exit_notification);
+ if (now >= c->c2.explicit_exit_notification_time_wait
+ + c->options.ce.explicit_exit_notification)
 {
 event_timeout_clear(&c->c2.explicit_exit_notification_interval);
 register_signal(c->sig, SIGTERM, "exit-with-notification");
@@ -608,8 +606,7 @@ static bool
 process_sigterm(struct context *c)
 {
 bool ret = true;
- if (c->options.ce.explicit_exit_notification
- && !c->c2.explicit_exit_notification_time_wait)
+ if (c->options.ce.explicit_exit_notification && !c->c2.explicit_exit_notification_time_wait)
 {
 process_explicit_exit_notification_init(c);
 ret = false;
diff --git a/src/openvpn/sig.h b/src/openvpn/sig.h
index 93219f75c..7e5dd9f7a 100644
--- a/src/openvpn/sig.h
+++ b/src/openvpn/sig.h
@@ -26,8 +26,8 @@
 #include "status.h"
 #include "win32.h"
-#define SIG_SOURCE_SOFT 0
-#define SIG_SOURCE_HARD 1
+#define SIG_SOURCE_SOFT 0
+#define SIG_SOURCE_HARD 1
 /* CONNECTION_FAILED is also a "soft" status,
 * It is thrown if a connection attempt fails */
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 8510e1d81..8fc10bc9a 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -60,8 +60,7 @@ sockets_read_residual(const struct context *c)
 * Convert sockflags/getaddr_flags into getaddr_flags
 */
 static unsigned int
-sf2gaf(const unsigned int getaddr_flags,
- const unsigned int sockflags)
+sf2gaf(const unsigned int getaddr_flags, const unsigned int sockflags)
 {
 if (sockflags & SF_HOST_RANDOMIZE)
 {
@@ -77,9 +76,8 @@ sf2gaf(const unsigned int getaddr_flags,
 * Functions related to the translation of DNS names to IP addresses.
 */
 static int
-get_addr_generic(sa_family_t af, unsigned int flags, const char *hostname,
- void *network, unsigned int *netbits,
- int resolve_retry_seconds, struct signal_info *sig_info,
+get_addr_generic(sa_family_t af, unsigned int flags, const char *hostname, void *network,
+ unsigned int *netbits, int resolve_retry_seconds, struct signal_info *sig_info,
 int msglevel)
 {
 char *endp, *sep, *var_host = NULL;
@@ -108,9 +106,7 @@ get_addr_generic(sa_family_t af, unsigned int flags, const char *hostname,
 break;
 default:
- msg(M_WARN,
- "Unsupported AF family passed to getaddrinfo for %s (%d)",
- hostname, af);
+ msg(M_WARN, "Unsupported AF family passed to getaddrinfo for %s (%d)", hostname, af);
 goto out;
 }
@@ -122,8 +118,7 @@ get_addr_generic(sa_family_t af, unsigned int flags, const char *hostname,
 var_host = strdup(hostname);
 if (!var_host)
 {
- msg(M_NONFATAL | M_ERRNO,
- "Can't allocate hostname buffer for getaddrinfo");
+ msg(M_NONFATAL | M_ERRNO, "Can't allocate hostname buffer for getaddrinfo");
 goto out;
 }
@@ -134,15 +129,14 @@ get_addr_generic(sa_family_t af, unsigned int flags, const char *hostname,
 bits = strtoul(sep + 1, &endp, 10);
 if ((*endp != '\0') || (bits > max_bits))
 {
- msg(msglevel, "IP prefix '%s': invalid '/bits' spec (%s)", hostname,
- sep + 1);
+ msg(msglevel, "IP prefix '%s': invalid '/bits' spec (%s)", hostname, sep + 1);
 goto out;
 }
 *sep = '\0';
 }
- ret = openvpn_getaddrinfo(flags & ~GETADDR_HOST_ORDER, var_host, NULL,
- resolve_retry_seconds, sig_info, af, &ai);
+ ret = openvpn_getaddrinfo(flags & ~GETADDR_HOST_ORDER, var_host, NULL, resolve_retry_seconds,
+ sig_info, af, &ai);
 if ((ret == 0) && network)
 {
 struct in6_addr *ip6;
@@ -167,8 +161,7 @@ get_addr_generic(sa_family_t af, unsigned int flags, const char *hostname,
 default:
 /* can't get here because 'af' was previously checked */
- msg(M_WARN,
- "Unsupported AF family for %s (%d)", var_host, af);
+ msg(M_WARN, "Unsupported AF family for %s (%d)", var_host, af);
 goto out;
 }
 }
@@ -191,19 +184,15 @@ out:
 }
 in_addr_t
-getaddr(unsigned int flags,
- const char *hostname,
- int resolve_retry_seconds,
- bool *succeeded,
+getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded,
 struct signal_info *sig_info)
 {
 in_addr_t addr;
 int status;
- status = get_addr_generic(AF_INET, flags, hostname, &addr, NULL,
- resolve_retry_seconds, sig_info,
- M_WARN);
- if (status==0)
+ status = get_addr_generic(AF_INET, flags, hostname, &addr, NULL, resolve_retry_seconds,
+ sig_info, M_WARN);
+ if (status == 0)
 {
 if (succeeded)
 {
@@ -222,16 +211,15 @@ getaddr(unsigned int flags,
 }
 bool
-get_ipv6_addr(const char *hostname, struct in6_addr *network,
- unsigned int *netbits, int msglevel)
+get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, int msglevel)
 {
- if (get_addr_generic(AF_INET6, GETADDR_RESOLVE, hostname, network, netbits,
- 0, NULL, msglevel) < 0)
+ if (get_addr_generic(AF_INET6, GETADDR_RESOLVE, hostname, network, netbits, 0, NULL, msglevel)
+ < 0)
 {
 return false;
 }
- return true; /* parsing OK, values set */
+ return true; /* parsing OK, values set */
 }
 static inline bool
@@ -256,12 +244,8 @@ streqnull(const char *a, const char *b)
 * otherwise. (like getaddrinfo)
 */
 static int
-get_cached_dns_entry(struct cached_dns_entry *dns_cache,
- const char *hostname,
- const char *servname,
- int ai_family,
- int resolve_flags,
- struct addrinfo **ai)
+get_cached_dns_entry(struct cached_dns_entry *dns_cache, const char *hostname, const char *servname,
+ int ai_family, int resolve_flags, struct addrinfo **ai)
 {
 struct cached_dns_entry *ph;
 int flags;
@@ -271,10 +255,8 @@ get_cached_dns_entry(struct cached_dns_entry *dns_cache,
 for (ph = dns_cache; ph; ph = ph->next)
 {
- if (streqnull(ph->hostname, hostname)
- && streqnull(ph->servname, servname)
- && ph->ai_family == ai_family
- && ph->flags == flags)
+ if (streqnull(ph->hostname, hostname) && streqnull(ph->servname, servname)
+ && ph->ai_family == ai_family && ph->flags == flags)
 {
 *ai = ph->ai;
 return 0;
@@ -285,28 +267,19 @@ get_cached_dns_entry(struct cached_dns_entry *dns_cache,
 static int
-do_preresolve_host(struct context *c,
- const char *hostname,
- const char *servname,
- const int af,
+do_preresolve_host(struct context *c, const char *hostname, const char *servname, const int af,
 const int flags)
 {
 struct addrinfo *ai;
 int status;
- if (get_cached_dns_entry(c->c1.dns_cache,
- hostname,
- servname,
- af,
- flags,
- &ai) == 0)
+ if (get_cached_dns_entry(c->c1.dns_cache, hostname, servname, af, flags, &ai) == 0)
 {
 /* entry already cached, return success */
 return 0;
 }
- status = openvpn_getaddrinfo(flags, hostname, servname,
- c->options.resolve_retry_seconds, NULL,
+ status = openvpn_getaddrinfo(flags, hostname, servname, c->options.resolve_retry_seconds, NULL,
 af, &ai);
 if (status == 0)
 {
@@ -333,7 +306,6 @@ do_preresolve_host(struct context *c,
 }
 gc_addspecial(ai, &gc_freeaddrinfo_callback, &c->gc);
-
 }
 return status;
 }
@@ -342,10 +314,8 @@ void
 do_preresolve(struct context *c)
 {
 struct connection_list *l = c->options.connection_list;
- const unsigned int preresolve_flags = GETADDR_RESOLVE
- |GETADDR_UPDATE_MANAGEMENT_STATE
- |GETADDR_MENTION_RESOLVE_RETRY
- |GETADDR_FATAL;
+ const unsigned int preresolve_flags = GETADDR_RESOLVE | GETADDR_UPDATE_MANAGEMENT_STATE
+ | GETADDR_MENTION_RESOLVE_RETRY | GETADDR_FATAL;
 for (int i = 0; i < l->len; ++i)
@@ -378,8 +348,7 @@ do_preresolve(struct context *c)
 /* HTTP remote hostname does not need to be resolved */
 if (!ce->http_proxy_options)
 {
- status = do_preresolve_host(c, remote, ce->remote_port,
- ce->af, flags);
+ status = do_preresolve_host(c, remote, ce->remote_port, ce->af, flags);
 if (status != 0)
 {
 goto err;
@@ -389,11 +358,8 @@ do_preresolve(struct context *c)
 /* Preresolve proxy */
 if (ce->http_proxy_options)
 {
- status = do_preresolve_host(c,
- ce->http_proxy_options->server,
- ce->http_proxy_options->port,
- ce->af,
- preresolve_flags);
+ status = do_preresolve_host(c, ce->http_proxy_options->server,
+ ce->http_proxy_options->port, ce->af, preresolve_flags);
 if (status != 0)
 {
@@ -403,11 +369,8 @@ do_preresolve(struct context *c)
 if (ce->socks_proxy_server)
 {
- status = do_preresolve_host(c,
- ce->socks_proxy_server,
- ce->socks_proxy_port,
- ce->af,
- flags);
+ status =
+ do_preresolve_host(c, ce->socks_proxy_server, ce->socks_proxy_port, ce->af, flags);
 if (status != 0)
 {
 goto err;
@@ -433,10 +396,8 @@ do_preresolve(struct context *c)
 {
 goto err;
 }
-
 }
 }
-
 }
 return;
@@ -453,9 +414,11 @@ getaddrinfo_addr_family_name(int af)
 {
 switch (af)
 {
- case AF_INET: return "[AF_INET]";
+ case AF_INET:
+ return "[AF_INET]";
- case AF_INET6: return "[AF_INET6]";
+ case AF_INET6:
+ return "[AF_INET6]";
 }
 return "";
 }
@@ -465,17 +428,13 @@ getaddrinfo_addr_family_name(int af)
 * If resolve error, try again for resolve_retry_seconds seconds.
 */
 int
-openvpn_getaddrinfo(unsigned int flags,
- const char *hostname,
- const char *servname,
- int resolve_retry_seconds,
- struct signal_info *sig_info,
- int ai_family,
+openvpn_getaddrinfo(unsigned int flags, const char *hostname, const char *servname,
+ int resolve_retry_seconds, struct signal_info *sig_info, int ai_family,
 struct addrinfo **res)
 {
 struct addrinfo hints;
 int status;
- struct signal_info sigrec = {0};
+ struct signal_info sigrec = { 0 };
 int msglevel = (flags & GETADDR_FATAL) ? M_FATAL : D_RESOLVE_ERRORS;
 struct gc_arena gc = gc_new();
 const char *print_hostname;
@@ -500,8 +459,7 @@ openvpn_getaddrinfo(unsigned int flags,
 msglevel |= M_MSG_VIRT_OUT;
 }
- if ((flags & (GETADDR_FATAL_ON_SIGNAL|GETADDR_WARN_ON_SIGNAL))
- && !sig_info)
+ if ((flags & (GETADDR_FATAL_ON_SIGNAL | GETADDR_WARN_ON_SIGNAL)) && !sig_info)
 {
 sig_info = &sigrec;
 }
@@ -533,12 +491,12 @@ openvpn_getaddrinfo(unsigned int flags,
 status = getaddrinfo(hostname, servname, &hints, res);
- if (status != 0) /* parse as numeric address failed? */
+ if (status != 0) /* parse as numeric address failed? */
 {
 const int fail_wait_interval = 5; /* seconds */
 /* Add +4 to cause integer division rounding up (1 + 4) = 5, (0+4)/5=0 */
- int resolve_retries = (flags & GETADDR_TRY_ONCE) ? 1 :
- ((resolve_retry_seconds + 4)/ fail_wait_interval);
+ int resolve_retries =
+ (flags & GETADDR_TRY_ONCE) ? 1 : ((resolve_retry_seconds + 4) / fail_wait_interval);
 const char *fmt;
 int level = 0;
@@ -561,8 +519,7 @@ openvpn_getaddrinfo(unsigned int flags,
 }
 fmt = "RESOLVE: Cannot resolve host address: %s:%s%s (%s)";
- if ((flags & GETADDR_MENTION_RESOLVE_RETRY)
- && !resolve_retry_seconds)
+ if ((flags & GETADDR_MENTION_RESOLVE_RETRY) && !resolve_retry_seconds)
 {
 fmt = "RESOLVE: Cannot resolve host address: %s:%s%s (%s)"
 "(I would have retried this name query if you had "
@@ -571,8 +528,8 @@ openvpn_getaddrinfo(unsigned int flags,
 if (!(flags & GETADDR_RESOLVE) || status == EAI_FAIL)
 {
- msg(msglevel, "RESOLVE: Cannot parse IP address: %s:%s (%s)",
- print_hostname, print_servname, gai_strerror(status));
+ msg(msglevel, "RESOLVE: Cannot parse IP address: %s:%s (%s)", print_hostname,
+ print_servname, gai_strerror(status));
 goto done;
 }
@@ -581,12 +538,7 @@ openvpn_getaddrinfo(unsigned int flags,
 {
 if (management)
 {
- management_set_state(management,
- OPENVPN_STATE_RESOLVE,
- NULL,
- NULL,
- NULL,
- NULL,
+ management_set_state(management, OPENVPN_STATE_RESOLVE, NULL, NULL, NULL, NULL,
 NULL);
 }
 }
@@ -603,9 +555,8 @@ openvpn_getaddrinfo(unsigned int flags,
 #endif
 /* try hostname lookup */
 hints.ai_flags &= ~AI_NUMERICHOST;
- dmsg(D_SOCKET_DEBUG,
- "GETADDRINFO flags=0x%04x ai_family=%d ai_socktype=%d",
- flags, hints.ai_family, hints.ai_socktype);
+ dmsg(D_SOCKET_DEBUG, "GETADDRINFO flags=0x%04x ai_family=%d ai_socktype=%d", flags,
+ hints.ai_family, hints.ai_socktype);
 status = getaddrinfo(hostname, servname, &hints, res);
 if (sig_info)
@@ -616,9 +567,8 @@ openvpn_getaddrinfo(unsigned int flags,
 /* why are we overwriting SIGUSR1 ? */
 if (signal_reset(sig_info, SIGUSR1) == SIGUSR1) /* ignore SIGUSR1 */
 {
- msg(level,
- "RESOLVE: Ignored SIGUSR1 signal received during "
- "DNS resolution attempt");
+ msg(level, "RESOLVE: Ignored SIGUSR1 signal received during "
+ "DNS resolution attempt");
 }
 else
 {
@@ -650,11 +600,7 @@ openvpn_getaddrinfo(unsigned int flags,
 level = D_RESOLVE_ERRORS;
 }
- msg(level,
- fmt,
- print_hostname,
- print_servname,
- getaddrinfo_addr_family_name(ai_family),
+ msg(level, fmt, print_hostname, print_servname, getaddrinfo_addr_family_name(ai_family),
 gai_strerror(status));
 if (--resolve_retries <= 0)
@@ -679,9 +625,8 @@ openvpn_getaddrinfo(unsigned int flags,
 /* IP address parse succeeded */
 if (flags & GETADDR_RANDOMIZE)
 {
- msg(M_WARN,
- "WARNING: ignoring --remote-random-hostname because the "
- "hostname is an IP address");
+ msg(M_WARN, "WARNING: ignoring --remote-random-hostname because the "
+ "hostname is an IP address");
 }
 }
@@ -718,11 +663,11 @@ openvpn_inet_aton(const char *dotted_quad, struct in_addr *addr)
 {
 if (a < 256 && b < 256 && c < 256 && d < 256)
 {
- addr->s_addr = htonl(a<<24 | b<<16 | c<<8 | d);
+ addr->s_addr = htonl(a << 24 | b << 16 | c << 8 | d);
 return OIA_IP; /* good dotted quad */
 }
 }
- if (string_class(dotted_quad, CC_DIGIT|CC_DOT, 0))
+ if (string_class(dotted_quad, CC_DIGIT | CC_DOT, 0))
 {
 return OIA_ERROR; /* probably a badly formatted dotted quad */
 }
@@ -800,7 +745,7 @@ ipv6_addr_safe(const char *ipv6_text_addr)
 /* verify that string will convert to IPv6 address */
 {
 struct in6_addr a6;
- return inet_pton( AF_INET6, ipv6_text_addr, &a6 ) == 1;
+ return inet_pton(AF_INET6, ipv6_text_addr, &a6) == 1;
 }
 }
@@ -810,7 +755,7 @@ dns_addr_safe(const char *addr)
 if (addr)
 {
 const size_t len = strlen(addr);
- return len > 0 && len <= 255 && string_class(addr, CC_ALNUM|CC_DASH|CC_DOT, 0);
+ return len > 0 && len <= 255 && string_class(addr, CC_ALNUM | CC_DASH | CC_DOT, 0);
 }
 else
 {
@@ -859,7 +804,7 @@ mac_addr_safe(const char *mac_addr)
 while ((c = *p++))
 {
- if ( (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F') )
+ if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F'))
 {
 ++nnum;
 if (nnum > 2)
@@ -890,8 +835,7 @@ socket_get_sndbuf(socket_descriptor_t sd)
 socklen_t len;
 len = sizeof(val);
- if (getsockopt(sd, SOL_SOCKET, SO_SNDBUF, (void *) &val, &len) == 0
- && len == sizeof(val))
+ if (getsockopt(sd, SOL_SOCKET, SO_SNDBUF, (void *)&val, &len) == 0 && len == sizeof(val))
 {
 return val;
 }
@@ -903,7 +847,7 @@ static void
 socket_set_sndbuf(socket_descriptor_t sd, int size)
 {
 #if defined(SOL_SOCKET) && defined(SO_SNDBUF)
- if (setsockopt(sd, SOL_SOCKET, SO_SNDBUF, (void *) &size, sizeof(size)) != 0)
+ if (setsockopt(sd, SOL_SOCKET, SO_SNDBUF, (void *)&size, sizeof(size)) != 0)
 {
 msg(M_WARN, "NOTE: setsockopt SO_SNDBUF=%d failed", size);
 }
@@ -918,8 +862,7 @@ socket_get_rcvbuf(socket_descriptor_t sd)
 socklen_t len;
 len = sizeof(val);
- if (getsockopt(sd, SOL_SOCKET, SO_RCVBUF, (void *) &val, &len) == 0
- && len == sizeof(val))
+ if (getsockopt(sd, SOL_SOCKET, SO_RCVBUF, (void *)&val, &len) == 0 && len == sizeof(val))
 {
 return val;
 }
@@ -931,7 +874,7 @@ static bool
 socket_set_rcvbuf(socket_descriptor_t sd, int size)
 {
 #if defined(SOL_SOCKET) && defined(SO_RCVBUF)
- if (setsockopt(sd, SOL_SOCKET, SO_RCVBUF, (void *) &size, sizeof(size)) != 0)
+ if (setsockopt(sd, SOL_SOCKET, SO_RCVBUF, (void *)&size, sizeof(size)) != 0)
 {
 msg(M_WARN, "NOTE: setsockopt SO_RCVBUF=%d failed", size);
 return false;
@@ -941,31 +884,25 @@ socket_set_rcvbuf(socket_descriptor_t sd, int size)
 }
 void
-socket_set_buffers(socket_descriptor_t fd, const struct socket_buffer_size *sbs,
- bool reduce_size)
+socket_set_buffers(socket_descriptor_t fd, const struct socket_buffer_size *sbs, bool reduce_size)
 {
 if (sbs)
 {
 const int sndbuf_old = socket_get_sndbuf(fd);
 const int rcvbuf_old = socket_get_rcvbuf(fd);
- if (sbs->sndbuf
- && (reduce_size || sndbuf_old < sbs->sndbuf))
+ if (sbs->sndbuf && (reduce_size || sndbuf_old < sbs->sndbuf))
 {
 socket_set_sndbuf(fd, sbs->sndbuf);
 }
- if (sbs->rcvbuf
- && (reduce_size || rcvbuf_old < sbs->rcvbuf))
+ if (sbs->rcvbuf && (reduce_size || rcvbuf_old < sbs->rcvbuf))
 {
 socket_set_rcvbuf(fd, sbs->rcvbuf);
 }
- msg(D_OSBUF, "Socket Buffers: R=[%d->%d] S=[%d->%d]",
- rcvbuf_old,
- socket_get_rcvbuf(fd),
- sndbuf_old,
- socket_get_sndbuf(fd));
+ msg(D_OSBUF, "Socket Buffers: R=[%d->%d] S=[%d->%d]", rcvbuf_old, socket_get_rcvbuf(fd),
+ sndbuf_old, socket_get_sndbuf(fd));
 }
 }
@@ -977,7 +914,7 @@ static bool
 socket_set_tcp_nodelay(socket_descriptor_t sd, int state)
 {
 #if defined(_WIN32) || (defined(IPPROTO_TCP) && defined(TCP_NODELAY))
- if (setsockopt(sd, IPPROTO_TCP, TCP_NODELAY, (void *) &state, sizeof(state)) != 0)
+ if (setsockopt(sd, IPPROTO_TCP, TCP_NODELAY, (void *)&state, sizeof(state)) != 0)
 {
 msg(M_WARN, "NOTE: setsockopt TCP_NODELAY=%d failed", state);
 return false;
@@ -987,7 +924,7 @@ socket_set_tcp_nodelay(socket_descriptor_t sd, int state)
 dmsg(D_OSBUF, "Socket flags: TCP_NODELAY=%d succeeded", state);
 return true;
 }
-#else /* if defined(_WIN32) || (defined(IPPROTO_TCP) && defined(TCP_NODELAY)) */
+#else /* if defined(_WIN32) || (defined(IPPROTO_TCP) && defined(TCP_NODELAY)) */
 msg(M_WARN, "NOTE: setsockopt TCP_NODELAY=%d failed (No kernel support)", state);
 return false;
 #endif
@@ -997,7 +934,7 @@ static inline void
 socket_set_mark(socket_descriptor_t sd, int mark)
 {
 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
- if (mark && setsockopt(sd, SOL_SOCKET, SO_MARK, (void *) &mark, sizeof(mark)) != 0)
+ if (mark && setsockopt(sd, SOL_SOCKET, SO_MARK, (void *)&mark, sizeof(mark)) != 0)
 {
 msg(M_WARN, "NOTE: setsockopt SO_MARK=%d failed", mark);
 }
@@ -1065,8 +1002,7 @@ create_socket_tcp(struct addrinfo *addrinfo)
 /* set SO_REUSEADDR on socket */
 {
 int on = 1;
- if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR,
- (void *) &on, sizeof(on)) < 0)
+ if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)) < 0)
 {
 msg(M_ERR, "TCP: Cannot setsockopt SO_REUSEADDR on TCP socket");
 }
@@ -1099,31 +1035,29 @@ create_socket_udp(struct addrinfo *addrinfo, const unsigned int flags)
 if (addrinfo->ai_family == AF_INET)
 {
 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
- if (setsockopt(sd, SOL_IP, IP_PKTINFO,
- (void *)&pad, sizeof(pad)) < 0)
+ if (setsockopt(sd, SOL_IP, IP_PKTINFO, (void *)&pad, sizeof(pad)) < 0)
 {
 msg(M_ERR, "UDP: failed setsockopt for IP_PKTINFO");
 }
 #elif defined(IP_RECVDSTADDR)
- if (setsockopt(sd, IPPROTO_IP, IP_RECVDSTADDR,
- (void *)&pad, sizeof(pad)) < 0)
+ if (setsockopt(sd, IPPROTO_IP, IP_RECVDSTADDR, (void *)&pad, sizeof(pad)) < 0)
 {
 msg(M_ERR, "UDP: failed setsockopt for IP_RECVDSTADDR");
 }
-#else /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */
+#else /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */
 #error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h)
 #endif
 }
 else if (addrinfo->ai_family == AF_INET6)
 {
 #ifndef IPV6_RECVPKTINFO /* Some older Darwin platforms require this */
- if (setsockopt(sd, IPPROTO_IPV6, IPV6_PKTINFO,
- (void *)&pad, sizeof(pad)) < 0)
+ if (setsockopt(sd, IPPROTO_IPV6, IPV6_PKTINFO, (void *)&pad, sizeof(pad)) < 0)
 #else
- if (setsockopt(sd, IPPROTO_IPV6, IPV6_RECVPKTINFO,
- (void *)&pad, sizeof(pad)) < 0)
+ if (setsockopt(sd, IPPROTO_IPV6, IPV6_RECVPKTINFO, (void *)&pad, sizeof(pad)) < 0)
 #endif
- { msg(M_ERR, "UDP: failed setsockopt for IPV6_RECVPKTINFO");}
+ {
+ msg(M_ERR, "UDP: failed setsockopt for IPV6_RECVPKTINFO");
+ }
 }
 }
 #endif /* if ENABLE_IP_PKTINFO */
@@ -1143,14 +1077,12 @@ bind_local(struct link_socket *sock, const sa_family_t ai_family)
 {
 if (sock->socks_proxy && sock->info.proto == PROTO_UDP)
 {
- socket_bind(sock->ctrl_sd, sock->info.lsa->bind_local,
- ai_family, "SOCKS", false);
+ socket_bind(sock->ctrl_sd, sock->info.lsa->bind_local, ai_family, "SOCKS", false);
 }
 else
 {
- socket_bind(sock->sd, sock->info.lsa->bind_local,
- ai_family,
- "TCP/UDP", sock->info.bind_ipv6_only);
+ socket_bind(sock->sd, sock->info.lsa->bind_local, ai_family, "TCP/UDP",
+ sock->info.bind_ipv6_only);
 }
 }
 }
@@ -1198,11 +1130,12 @@ create_socket(struct link_socket *sock, struct addrinfo *addr)
 if (sock->bind_dev)
 {
 msg(M_INFO, "Using bind-dev %s", sock->bind_dev);
- if (setsockopt(sock->sd, SOL_SOCKET, SO_BINDTODEVICE, sock->bind_dev, strlen(sock->bind_dev) + 1) != 0)
+ if (setsockopt(sock->sd, SOL_SOCKET, SO_BINDTODEVICE, sock->bind_dev,
+ strlen(sock->bind_dev) + 1)
+ != 0)
 {
- msg(M_WARN|M_ERRNO, "WARN: setsockopt SO_BINDTODEVICE=%s failed", sock->bind_dev);
+ msg(M_WARN | M_ERRNO, "WARN: setsockopt SO_BINDTODEVICE=%s failed", sock->bind_dev);
 }
-
 }
 #endif
@@ -1237,9 +1170,7 @@ protect_fd_nonlocal(int fd, const struct sockaddr *addr)
 * Functions used for establishing a TCP stream connection.
 */
 static void
-socket_do_listen(socket_descriptor_t sd,
- const struct addrinfo *local,
- bool do_listen,
+socket_do_listen(socket_descriptor_t sd, const struct addrinfo *local, bool do_listen,
 bool do_set_nonblock)
 {
 struct gc_arena gc = gc_new();
@@ -1264,9 +1195,7 @@ socket_do_listen(socket_descriptor_t sd,
 }
 socket_descriptor_t
-socket_do_accept(socket_descriptor_t sd,
- struct link_socket_actual *act,
- const bool nowait)
+socket_do_accept(socket_descriptor_t sd, struct link_socket_actual *act, const bool nowait)
 {
 /* af_addr_size WILL return 0 in this case if AFs other than AF_INET
 * are compiled because act is empty here.
@@ -1314,7 +1243,8 @@ socket_do_accept(socket_descriptor_t sd, /* only valid if we have remote_len_af!=0 */ else if (remote_len_af && remote_len != remote_len_af) { - msg(D_LINK_ERRORS, "TCP: Received strange incoming connection with unknown address length=%d", remote_len); + msg(D_LINK_ERRORS, + "TCP: Received strange incoming connection with unknown address length=%d", remote_len); openvpn_close_socket(new_sd); new_sd = SOCKET_UNDEFINED; } @@ -1331,19 +1261,14 @@ static void tcp_connection_established(const struct link_socket_actual *act) { struct gc_arena gc = gc_new(); - msg(M_INFO, "TCP connection established with %s", - print_link_socket_actual(act, &gc)); + msg(M_INFO, "TCP connection established with %s", print_link_socket_actual(act, &gc)); gc_free(&gc); } static socket_descriptor_t -socket_listen_accept(socket_descriptor_t sd, - struct link_socket_actual *act, - const char *remote_dynamic, - const struct addrinfo *local, - bool do_listen, - bool nowait, - volatile int *signal_received) +socket_listen_accept(socket_descriptor_t sd, struct link_socket_actual *act, + const char *remote_dynamic, const struct addrinfo *local, bool do_listen, + bool nowait, volatile int *signal_received) { struct gc_arena gc = gc_new(); /* struct openvpn_sockaddr *remote = &act->dest; */ @@ -1397,8 +1322,7 @@ socket_listen_accept(socket_descriptor_t sd, if (ai && !addrlist_match(&remote_verify, ai)) { - msg(M_WARN, - "TCP NOTE: Rejected connection attempt from %s due to --remote setting", + msg(M_WARN, "TCP NOTE: Rejected connection attempt from %s due to --remote setting", print_link_socket_actual(act, &gc)); if (openvpn_close_socket(new_sd)) { @@ -1430,10 +1354,7 @@ socket_listen_accept(socket_descriptor_t sd, } void -socket_bind(socket_descriptor_t sd, - struct addrinfo *local, - int ai_family, - const char *prefix, +socket_bind(socket_descriptor_t sd, struct addrinfo *local, int ai_family, const char *prefix, bool ipv6only) { struct gc_arena gc = gc_new(); 
@@ -1460,33 +1381,30 @@ socket_bind(socket_descriptor_t sd, } if (!cur) { - msg(M_FATAL, "%s: Socket bind failed: Addr to bind has no %s record", - prefix, addr_family_name(ai_family)); + msg(M_FATAL, "%s: Socket bind failed: Addr to bind has no %s record", prefix, + addr_family_name(ai_family)); } if (ai_family == AF_INET6) { - int v6only = ipv6only ? 1 : 0; /* setsockopt must have an "int" */ + int v6only = ipv6only ? 1 : 0; /* setsockopt must have an "int" */ msg(M_INFO, "setsockopt(IPV6_V6ONLY=%d)", v6only); - if (setsockopt(sd, IPPROTO_IPV6, IPV6_V6ONLY, (void *) &v6only, sizeof(v6only))) + if (setsockopt(sd, IPPROTO_IPV6, IPV6_V6ONLY, (void *)&v6only, sizeof(v6only))) { - msg(M_NONFATAL|M_ERRNO, "Setting IPV6_V6ONLY=%d failed", v6only); + msg(M_NONFATAL | M_ERRNO, "Setting IPV6_V6ONLY=%d failed", v6only); } } if (bind(sd, cur->ai_addr, cur->ai_addrlen)) { - msg(M_FATAL | M_ERRNO, "%s: Socket bind failed on local address %s", - prefix, + msg(M_FATAL | M_ERRNO, "%s: Socket bind failed on local address %s", prefix, print_sockaddr_ex(local->ai_addr, ":", PS_SHOW_PORT, &gc)); } gc_free(&gc); } int -openvpn_connect(socket_descriptor_t sd, - const struct sockaddr *remote, - int connect_timeout, +openvpn_connect(socket_descriptor_t sd, const struct sockaddr *remote, int connect_timeout, volatile int *signal_received) { int status = 0; @@ -1506,7 +1424,7 @@ openvpn_connect(socket_descriptor_t sd, #else status == EINPROGRESS #endif - ) + ) { while (true) { @@ -1561,7 +1479,7 @@ openvpn_connect(socket_descriptor_t sd, socklen_t len; len = sizeof(val); - if (getsockopt(sd, SOL_SOCKET, SO_ERROR, (void *) &val, &len) == 0 + if (getsockopt(sd, SOL_SOCKET, SO_ERROR, (void *)&val, &len) == 0 && len == sizeof(val)) { status = val; 
@@ -1586,43 +1504,31 @@ set_actual_address(struct link_socket_actual *actual, struct addrinfo *ai) if (ai->ai_family == AF_INET) { - actual->dest.addr.in4 = - *((struct sockaddr_in *) ai->ai_addr); + actual->dest.addr.in4 = *((struct sockaddr_in *)ai->ai_addr); } else if (ai->ai_family == AF_INET6) { - actual->dest.addr.in6 = - *((struct sockaddr_in6 *) ai->ai_addr); + actual->dest.addr.in6 = *((struct sockaddr_in6 *)ai->ai_addr); } else { ASSERT(0); } - } static void -socket_connect(socket_descriptor_t *sd, - const struct sockaddr *dest, - const int connect_timeout, +socket_connect(socket_descriptor_t *sd, const struct sockaddr *dest, const int connect_timeout, struct signal_info *sig_info) { struct gc_arena gc = gc_new(); int status; - msg(M_INFO, "Attempting to establish TCP connection with %s", - print_sockaddr(dest, &gc)); + msg(M_INFO, "Attempting to establish TCP connection with %s", print_sockaddr(dest, &gc)); #ifdef ENABLE_MANAGEMENT if (management) { - management_set_state(management, - OPENVPN_STATE_TCP_CONNECT, - NULL, - NULL, - NULL, - NULL, - NULL); + management_set_state(management, OPENVPN_STATE_TCP_CONNECT, NULL, NULL, NULL, NULL, NULL); } #endif @@ -1637,9 +1543,8 @@ socket_connect(socket_descriptor_t *sd, if (status) { - - msg(D_LINK_ERRORS, "TCP: connect to %s failed: %s", - print_sockaddr(dest, &gc), strerror(status)); + msg(D_LINK_ERRORS, "TCP: connect to %s failed: %s", print_sockaddr(dest, &gc), + strerror(status)); openvpn_close_socket(*sd); *sd = SOCKET_UNDEFINED; @@ -1647,8 +1552,7 @@ socket_connect(socket_descriptor_t *sd, } else { - msg(M_INFO, "TCP connection established with %s", - print_sockaddr(dest, &gc)); + msg(M_INFO, "TCP connection established with %s", print_sockaddr(dest, &gc)); } done: 
@@ -1661,15 +1565,12 @@ done: * such as TCP. */ -static void -stream_buf_init(struct stream_buf *sb, struct buffer *buf, - const unsigned int sockflags, const int proto); +static void stream_buf_init(struct stream_buf *sb, struct buffer *buf, const unsigned int sockflags, + const int proto); -static void -stream_buf_close(struct stream_buf *sb); +static void stream_buf_close(struct stream_buf *sb); -static bool -stream_buf_added(struct stream_buf *sb, int length_added); +static bool stream_buf_added(struct stream_buf *sb, int length_added); /* For stream protocols, allocate a buffer to build up packet. * Called after frame has been finalized. */ @@ -1687,16 +1588,12 @@ socket_frame_init(const struct frame *frame, struct link_socket *sock) if (link_socket_connection_oriented(sock)) { #ifdef _WIN32 - stream_buf_init(&sock->stream_buf, - &sock->reads.buf_init, - sock->sockflags, + stream_buf_init(&sock->stream_buf, &sock->reads.buf_init, sock->sockflags, sock->info.proto); #else alloc_buf_sock_tun(&sock->stream_buf_data, frame); - stream_buf_init(&sock->stream_buf, - &sock->stream_buf_data, - sock->sockflags, + stream_buf_init(&sock->stream_buf, &sock->stream_buf_data, sock->sockflags, sock->info.proto); #endif } @@ -1710,8 +1607,7 @@ resolve_bind_local(struct link_socket *sock, const sa_family_t af) /* resolve local address if undefined */ if (!sock->info.lsa->bind_local) { - int flags = GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL - |GETADDR_FATAL | GETADDR_PASSIVE; + int flags = GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL | GETADDR_FATAL | GETADDR_PASSIVE; int status; if (proto_is_dgram(sock->info.proto)) 
@@ -1720,24 +1616,19 @@ resolve_bind_local(struct link_socket *sock, const sa_family_t af) } /* will return AF_{INET|INET6}from local_host */ - status = get_cached_dns_entry(sock->dns_cache, - sock->local_host, - sock->local_port, - af, - flags, - &sock->info.lsa->bind_local); + status = get_cached_dns_entry(sock->dns_cache, sock->local_host, sock->local_port, af, + flags, &sock->info.lsa->bind_local); if (status) { - status = openvpn_getaddrinfo(flags, sock->local_host, sock->local_port, 0, - NULL, af, &sock->info.lsa->bind_local); + status = openvpn_getaddrinfo(flags, sock->local_host, sock->local_port, 0, NULL, af, + &sock->info.lsa->bind_local); } - if (status !=0) + if (status != 0) { - msg(M_FATAL, "getaddrinfo() failed for local \"%s:%s\": %s", - sock->local_host, sock->local_port, - gai_strerror(status)); + msg(M_FATAL, "getaddrinfo() failed for local \"%s:%s\": %s", sock->local_host, + sock->local_port, gai_strerror(status)); } /* the address family returned by openvpn_getaddrinfo() should be @@ -1759,9 +1650,7 @@ resolve_bind_local(struct link_socket *sock, const sa_family_t af) } static void -resolve_remote(struct link_socket *sock, - int phase, - const char **remote_dynamic, +resolve_remote(struct link_socket *sock, int phase, const char **remote_dynamic, struct signal_info *sig_info) { volatile int *signal_received = sig_info ? &sig_info->signal_received : NULL; @@ -1772,7 +1661,8 @@ resolve_remote(struct link_socket *sock, { if (sock->remote_host) { - unsigned int flags = sf2gaf(GETADDR_RESOLVE|GETADDR_UPDATE_MANAGEMENT_STATE, sock->sockflags); + unsigned int flags = + sf2gaf(GETADDR_RESOLVE | GETADDR_UPDATE_MANAGEMENT_STATE, sock->sockflags); int retry = 0; int status = -1; struct addrinfo *ai; 
@@ -1819,15 +1709,12 @@ resolve_remote(struct link_socket *sock, } - status = get_cached_dns_entry(sock->dns_cache, - sock->remote_host, - sock->remote_port, - sock->info.af, - flags, &ai); + status = get_cached_dns_entry(sock->dns_cache, sock->remote_host, sock->remote_port, + sock->info.af, flags, &ai); if (status) { - status = openvpn_getaddrinfo(flags, sock->remote_host, sock->remote_port, - retry, sig_info, sock->info.af, &ai); + status = openvpn_getaddrinfo(flags, sock->remote_host, sock->remote_port, retry, + sig_info, sock->info.af, &ai); } if (status == 0) @@ -1835,19 +1722,14 @@ resolve_remote(struct link_socket *sock, sock->info.lsa->remote_list = ai; sock->info.lsa->current_remote = ai; - dmsg(D_SOCKET_DEBUG, - "RESOLVE_REMOTE flags=0x%04x phase=%d rrs=%d sig=%d status=%d", - flags, - phase, - retry, - signal_received ? *signal_received : -1, - status); + dmsg(D_SOCKET_DEBUG, "RESOLVE_REMOTE flags=0x%04x phase=%d rrs=%d sig=%d status=%d", + flags, phase, retry, signal_received ? *signal_received : -1, status); } if (signal_received && *signal_received) { goto done; } - if (status!=0) + if (status != 0) { if (signal_received) { @@ -1874,8 +1756,7 @@ resolve_remote(struct link_socket *sock, CLEAR(sock->info.lsa->actual); if (sock->info.lsa->current_remote) { - set_actual_address(&sock->info.lsa->actual, - sock->info.lsa->current_remote); + set_actual_address(&sock->info.lsa->actual, sock->info.lsa->current_remote); } } @@ -1884,7 +1765,6 @@ done: } - struct link_socket * link_socket_new(void) { @@ -2077,8 +1957,7 @@ linksock_print_addr(struct link_socket *sock) } ASSERT(cur); msg(msglevel, "%s link local (bound): %s", - proto2ascii(sock->info.proto, sock->info.af, true), - print_sockaddr(cur->ai_addr, &gc)); + proto2ascii(sock->info.proto, sock->info.af, true), print_sockaddr(cur->ai_addr, &gc)); } else { 
@@ -2087,12 +1966,8 @@ linksock_print_addr(struct link_socket *sock) } /* print active remote address */ - msg(msglevel, "%s link remote: %s", - proto2ascii(sock->info.proto, sock->info.af, true), - print_link_socket_actual_ex(&sock->info.lsa->actual, - ":", - PS_SHOW_PORT_IF_DEFINED, - &gc)); + msg(msglevel, "%s link remote: %s", proto2ascii(sock->info.proto, sock->info.af, true), + print_link_socket_actual_ex(&sock->info.lsa->actual, ":", PS_SHOW_PORT_IF_DEFINED, &gc)); gc_free(&gc); } @@ -2105,26 +1980,17 @@ phase2_tcp_server(struct link_socket *sock, const char *remote_dynamic, switch (sock->mode) { case LS_MODE_DEFAULT: - sock->sd = socket_listen_accept(sock->sd, - &sock->info.lsa->actual, - remote_dynamic, - sock->info.lsa->bind_local, - true, - false, - signal_received); + sock->sd = + socket_listen_accept(sock->sd, &sock->info.lsa->actual, remote_dynamic, + sock->info.lsa->bind_local, true, false, signal_received); break; case LS_MODE_TCP_LISTEN: - socket_do_listen(sock->sd, - sock->info.lsa->bind_local, - true, - false); + socket_do_listen(sock->sd, sock->info.lsa->bind_local, true, false); break; case LS_MODE_TCP_ACCEPT_FROM: - sock->sd = socket_do_accept(sock->sd, - &sock->info.lsa->actual, - false); + sock->sd = socket_do_accept(sock->sd, &sock->info.lsa->actual, false); if (!socket_defined(sock->sd)) { register_signal(sig_info, SIGTERM, "socket-undefined"); @@ -2145,10 +2011,8 @@ phase2_tcp_client(struct link_socket *sock, struct signal_info *sig_info) bool proxy_retry = false; do { - socket_connect(&sock->sd, - sock->info.lsa->current_remote->ai_addr, - get_server_poll_remaining_time(sock->server_poll_timeout), - sig_info); + socket_connect(&sock->sd, sock->info.lsa->current_remote->ai_addr, + get_server_poll_remaining_time(sock->server_poll_timeout), sig_info); if (sig_info->signal_received) { 
@@ -2157,21 +2021,14 @@ phase2_tcp_client(struct link_socket *sock, struct signal_info *sig_info) if (sock->http_proxy) { - proxy_retry = establish_http_proxy_passthru(sock->http_proxy, - sock->sd, - sock->proxy_dest_host, - sock->proxy_dest_port, - sock->server_poll_timeout, - &sock->stream_buf.residual, - sig_info); + proxy_retry = establish_http_proxy_passthru( + sock->http_proxy, sock->sd, sock->proxy_dest_host, sock->proxy_dest_port, + sock->server_poll_timeout, &sock->stream_buf.residual, sig_info); } else if (sock->socks_proxy) { - establish_socks_proxy_passthru(sock->socks_proxy, - sock->sd, - sock->proxy_dest_host, - sock->proxy_dest_port, - sock->server_poll_timeout, + establish_socks_proxy_passthru(sock->socks_proxy, sock->sd, sock->proxy_dest_host, + sock->proxy_dest_port, sock->server_poll_timeout, sig_info); } if (proxy_retry) @@ -2181,27 +2038,21 @@ phase2_tcp_client(struct link_socket *sock, struct signal_info *sig_info) } } while (proxy_retry); - } static void phase2_socks_client(struct link_socket *sock, struct signal_info *sig_info) { - socket_connect(&sock->ctrl_sd, - sock->info.lsa->current_remote->ai_addr, - get_server_poll_remaining_time(sock->server_poll_timeout), - sig_info); + socket_connect(&sock->ctrl_sd, sock->info.lsa->current_remote->ai_addr, + get_server_poll_remaining_time(sock->server_poll_timeout), sig_info); if (sig_info->signal_received) { return; } - establish_socks_proxy_udpassoc(sock->socks_proxy, - sock->ctrl_sd, - &sock->socks_relay.dest, - sock->server_poll_timeout, - sig_info); + establish_socks_proxy_udpassoc(sock->socks_proxy, sock->ctrl_sd, &sock->socks_relay.dest, + sock->server_poll_timeout, sig_info); if (sig_info->signal_received) { 
@@ -2224,8 +2075,7 @@ phase2_socks_client(struct link_socket *sock, struct signal_info *sig_info) #if defined(_WIN32) static void -create_socket_dco_win(struct context *c, struct link_socket *sock, - struct signal_info *sig_info) +create_socket_dco_win(struct context *c, struct link_socket *sock, struct signal_info *sig_info) { /* in P2P mode we must have remote resolved at this point */ struct addrinfo *remoteaddr = sock->info.lsa->current_remote; @@ -2273,14 +2123,13 @@ create_socket_dco_win(struct context *c, struct link_socket *sock, /* finalize socket initialization */ void -link_socket_init_phase2(struct context *c, - struct link_socket *sock) +link_socket_init_phase2(struct context *c, struct link_socket *sock) { const struct frame *frame = &c->c2.frame; struct signal_info *sig_info = c->sig; const char *remote_dynamic = NULL; - struct signal_info sig_save = {0}; + struct signal_info sig_save = { 0 }; ASSERT(sock); ASSERT(sig_info); @@ -2305,7 +2154,7 @@ link_socket_init_phase2(struct context *c, } /* Second chance to resolv/create socket */ - resolve_remote(sock, 2, &remote_dynamic, sig_info); + resolve_remote(sock, 2, &remote_dynamic, sig_info); /* If a valid remote has been found, create the socket with its addrinfo */ #if defined(_WIN32) @@ -2326,7 +2175,7 @@ link_socket_init_phase2(struct context *c, /* If we have no --remote and have still not figured out the * protocol family to use we will use the first of the bind */ - if (sock->bind_local && !sock->remote_host && sock->info.lsa->bind_local) + if (sock->bind_local && !sock->remote_host && sock->info.lsa->bind_local) { /* Warn if this is because neither v4 or v6 was specified * and we should not connect a remote */ @@ -2360,7 +2209,6 @@ link_socket_init_phase2(struct context *c, else if (sock->info.proto == PROTO_TCP_CLIENT) { phase2_tcp_client(sock, sig_info); - } else if (sock->info.proto == PROTO_UDP && sock->socks_proxy) { 
@@ -2454,7 +2302,8 @@ setenv_trusted(struct env_set *es, const struct link_socket_info *info) } static void -ipchange_fmt(const bool include_cmd, struct argv *argv, const struct link_socket_info *info, struct gc_arena *gc) +ipchange_fmt(const bool include_cmd, struct argv *argv, const struct link_socket_info *info, + struct gc_arena *gc) { const char *host = print_sockaddr_ex(&info->lsa->actual.dest.addr.sa, " ", PS_SHOW_PORT, gc); if (include_cmd) @@ -2466,13 +2315,11 @@ ipchange_fmt(const bool include_cmd, struct argv *argv, const struct link_socket { argv_printf(argv, "%s", host); } - } void link_socket_connection_initiated(struct link_socket_info *info, - const struct link_socket_actual *act, - const char *common_name, + const struct link_socket_actual *act, const char *common_name, struct env_set *es) { struct gc_arena gc = gc_new(); @@ -2488,7 +2335,8 @@ link_socket_connection_initiated(struct link_socket_info *info, { buf_printf(&out, "[%s] ", common_name); } - buf_printf(&out, "Peer Connection Initiated with %s", print_link_socket_actual(&info->lsa->actual, &gc)); + buf_printf(&out, "Peer Connection Initiated with %s", + print_link_socket_actual(&info->lsa->actual, &gc)); msg(M_INFO, "%s", BSTR(&out)); } @@ -2500,7 +2348,8 @@ link_socket_connection_initiated(struct link_socket_info *info, { struct argv argv = argv_new(); ipchange_fmt(false, &argv, info, &gc); - if (plugin_call(info->plugins, OPENVPN_PLUGIN_IPCHANGE, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS) + if (plugin_call(info->plugins, OPENVPN_PLUGIN_IPCHANGE, &argv, NULL, es) + != OPENVPN_PLUGIN_FUNC_SUCCESS) { msg(M_WARN, "WARNING: ipchange plugin call failed"); } 
@@ -2521,8 +2370,7 @@ link_socket_connection_initiated(struct link_socket_info *info, } void -link_socket_bad_incoming_addr(struct buffer *buf, - const struct link_socket_info *info, +link_socket_bad_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr) { struct gc_arena gc = gc_new(); @@ -2534,8 +2382,7 @@ link_socket_bad_incoming_addr(struct buffer *buf, case AF_INET6: msg(D_LINK_ERRORS, "TCP/UDP: Incoming packet rejected from %s[%d], expected peer address: %s (allow this incoming source address/port by removing --remote or adding --float)", - print_link_socket_actual(from_addr, &gc), - (int)from_addr->dest.addr.sa.sa_family, + print_link_socket_actual(from_addr, &gc), (int)from_addr->dest.addr.sa.sa_family, print_sockaddr_ex(info->lsa->remote_list->ai_addr, ":", PS_SHOW_PORT, &gc)); /* print additional remote addresses */ for (ai = info->lsa->remote_list->ai_next; ai; ai = ai->ai_next) @@ -2560,16 +2407,16 @@ link_socket_current_remote(const struct link_socket_info *info) { const struct link_socket_addr *lsa = info->lsa; -/* - * This logic supports "redirect-gateway" semantic, which - * makes sense only for PF_INET routes over PF_INET endpoints - * - * Maybe in the future consider PF_INET6 endpoints also ... - * by now just ignore it - * - * For --remote entries with multiple addresses this - * only return the actual endpoint we have successfully connected to - */ + /* + * This logic supports "redirect-gateway" semantic, which + * makes sense only for PF_INET routes over PF_INET endpoints + * + * Maybe in the future consider PF_INET6 endpoints also ... + * by now just ignore it + * + * For --remote entries with multiple addresses this + * only return the actual endpoint we have successfully connected to + */ if (lsa->actual.dest.addr.sa.sa_family != AF_INET) { return IPV4_INVALID_ADDR; 
@@ -2581,8 +2428,7 @@ link_socket_current_remote(const struct link_socket_info *info) } else if (lsa->current_remote) { - return ntohl(((struct sockaddr_in *)lsa->current_remote->ai_addr) - ->sin_addr.s_addr); + return ntohl(((struct sockaddr_in *)lsa->current_remote->ai_addr)->sin_addr.s_addr); } else { @@ -2595,12 +2441,12 @@ link_socket_current_remote_ipv6(const struct link_socket_info *info) { const struct link_socket_addr *lsa = info->lsa; -/* This logic supports "redirect-gateway" semantic, - * for PF_INET6 routes over PF_INET6 endpoints - * - * For --remote entries with multiple addresses this - * only return the actual endpoint we have successfully connected to - */ + /* This logic supports "redirect-gateway" semantic, + * for PF_INET6 routes over PF_INET6 endpoints + * + * For --remote entries with multiple addresses this + * only return the actual endpoint we have successfully connected to + */ if (lsa->actual.dest.addr.sa.sa_family != AF_INET6) { return NULL; @@ -2631,20 +2477,16 @@ socket_stat(const struct link_socket *s, unsigned int rwflags, struct gc_arena * { if (rwflags & EVENT_READ) { - buf_printf(&out, "S%s", - (s->rwflags_debug & EVENT_READ) ? "R" : "r"); + buf_printf(&out, "S%s", (s->rwflags_debug & EVENT_READ) ? "R" : "r"); #ifdef _WIN32 - buf_printf(&out, "%s", - overlapped_io_state_ascii(&s->reads)); + buf_printf(&out, "%s", overlapped_io_state_ascii(&s->reads)); #endif } if (rwflags & EVENT_WRITE) { - buf_printf(&out, "S%s", - (s->rwflags_debug & EVENT_WRITE) ? "W" : "w"); + buf_printf(&out, "S%s", (s->rwflags_debug & EVENT_WRITE) ? "W" : "w"); #ifdef _WIN32 - buf_printf(&out, "%s", - overlapped_io_state_ascii(&s->writes)); + buf_printf(&out, "%s", overlapped_io_state_ascii(&s->writes)); #endif } } 
@@ -2671,9 +2513,7 @@ stream_buf_reset(struct stream_buf *sb) } static void -stream_buf_init(struct stream_buf *sb, - struct buffer *buf, - const unsigned int sockflags, +stream_buf_init(struct stream_buf *sb, struct buffer *buf, const unsigned int sockflags, const int proto) { sb->buf_init = *buf; @@ -2682,9 +2522,8 @@ stream_buf_init(struct stream_buf *sb, sb->residual = alloc_buf(sb->maxlen); sb->error = false; #if PORT_SHARE - sb->port_share_state = ((sockflags & SF_PORT_SHARE) && (proto == PROTO_TCP_SERVER)) - ? PS_ENABLED - : PS_DISABLED; + sb->port_share_state = + ((sockflags & SF_PORT_SHARE) && (proto == PROTO_TCP_SERVER)) ? PS_ENABLED : PS_DISABLED; #endif stream_buf_reset(sb); @@ -2699,9 +2538,7 @@ stream_buf_set_next(struct stream_buf *sb) sb->next.offset = sb->buf.offset + sb->buf.len; sb->next.len = (sb->len >= 0 ? sb->len : sb->maxlen) - sb->buf.len; dmsg(D_STREAM_DEBUG, "STREAM: SET NEXT, buf=[%d,%d] next=[%d,%d] len=%d maxlen=%d", - sb->buf.offset, sb->buf.len, - sb->next.offset, sb->next.len, - sb->len, sb->maxlen); + sb->buf.offset, sb->buf.len, sb->next.offset, sb->next.len, sb->len, sb->maxlen); ASSERT(sb->next.len > 0); ASSERT(buf_safe(&sb->buf, sb->next.len)); } @@ -2709,8 +2546,7 @@ stream_buf_set_next(struct stream_buf *sb) static inline void stream_buf_get_final(struct stream_buf *sb, struct buffer *buf) { - dmsg(D_STREAM_DEBUG, "STREAM: GET FINAL len=%d", - buf_defined(&sb->buf) ? sb->buf.len : -1); + dmsg(D_STREAM_DEBUG, "STREAM: GET FINAL len=%d", buf_defined(&sb->buf) ? sb->buf.len : -1); ASSERT(buf_defined(&sb->buf)); *buf = sb->buf; } 
@@ -2718,8 +2554,7 @@ stream_buf_get_final(struct stream_buf *sb, struct buffer *buf) static inline void stream_buf_get_next(struct stream_buf *sb, struct buffer *buf) { - dmsg(D_STREAM_DEBUG, "STREAM: GET NEXT len=%d", - buf_defined(&sb->next) ? sb->next.len : -1); + dmsg(D_STREAM_DEBUG, "STREAM: GET NEXT len=%d", buf_defined(&sb->next) ? sb->next.len : -1); ASSERT(buf_defined(&sb->next)); *buf = sb->next; } @@ -2733,8 +2568,7 @@ stream_buf_read_setup_dowork(struct link_socket *sock) ASSERT(buf_init(&sock->stream_buf.residual, 0)); sock->stream_buf.residual_fully_formed = stream_buf_added(&sock->stream_buf, 0); dmsg(D_STREAM_DEBUG, "STREAM: RESIDUAL FULLY FORMED [%s], len=%d", - sock->stream_buf.residual_fully_formed ? "YES" : "NO", - sock->stream_buf.residual.len); + sock->stream_buf.residual_fully_formed ? "YES" : "NO", sock->stream_buf.residual.len); } if (!sock->stream_buf.residual_fully_formed) @@ -2745,8 +2579,7 @@ stream_buf_read_setup_dowork(struct link_socket *sock) } static bool -stream_buf_added(struct stream_buf *sb, - int length_added) +stream_buf_added(struct stream_buf *sb, int length_added) { dmsg(D_STREAM_DEBUG, "STREAM: ADD length_added=%d", length_added); if (length_added > 0) @@ -2756,7 +2589,7 @@ stream_buf_added(struct stream_buf *sb, /* if length unknown, see if we can get the length prefix from * the head of the buffer */ - if (sb->len < 0 && sb->buf.len >= (int) sizeof(packet_size_type)) + if (sb->len < 0 && sb->buf.len >= (int)sizeof(packet_size_type)) { packet_size_type net_size; 
@@ -2782,7 +2615,9 @@ stream_buf_added(struct stream_buf *sb, if (sb->len < 1 || sb->len > sb->maxlen) { - msg(M_WARN, "WARNING: Bad encapsulated packet length from peer (%d), which must be > 0 and <= %d -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]", sb->len, sb->maxlen); + msg(M_WARN, + "WARNING: Bad encapsulated packet length from peer (%d), which must be > 0 and <= %d -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]", + sb->len, sb->maxlen); stream_buf_reset(sb); sb->error = true; return false; @@ -2799,8 +2634,7 @@ stream_buf_added(struct stream_buf *sb, ASSERT(buf_copy_excess(&sb->residual, &sb->buf, sb->len)); } dmsg(D_STREAM_DEBUG, "STREAM: ADD returned TRUE, buf_len=%d, residual_len=%d", - BLEN(&sb->buf), - BLEN(&sb->residual)); + BLEN(&sb->buf), BLEN(&sb->residual)); return true; } else @@ -2831,7 +2665,7 @@ socket_listen_event_handle(struct link_socket *s) init_net_event_win32(&s->listen_handle, FD_ACCEPT, s->sd, 0); } return &s->listen_handle; -#else /* ifdef _WIN32 */ +#else /* ifdef _WIN32 */ return s->sd; #endif } @@ -2841,9 +2675,7 @@ socket_listen_event_handle(struct link_socket *s) */ const char * -print_sockaddr_ex(const struct sockaddr *sa, - const char *separator, - const unsigned int flags, +print_sockaddr_ex(const struct sockaddr *sa, const char *separator, const unsigned int flags, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(128, gc); @@ -2861,7 +2693,7 @@ print_sockaddr_ex(const struct sockaddr *sa, buf_puts(&out, "[AF_INET]"); } salen = sizeof(struct sockaddr_in); - addr_is_defined = ((struct sockaddr_in *) sa)->sin_addr.s_addr != 0; + addr_is_defined = ((struct sockaddr_in *)sa)->sin_addr.s_addr != 0; break; case AF_INET6: 
@@ -2870,7 +2702,7 @@ print_sockaddr_ex(const struct sockaddr *sa, buf_puts(&out, "[AF_INET6]"); } salen = sizeof(struct sockaddr_in6); - addr_is_defined = !IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *) sa)->sin6_addr); + addr_is_defined = !IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)sa)->sin6_addr); break; case AF_UNSPEC: @@ -2887,10 +2719,10 @@ print_sockaddr_ex(const struct sockaddr *sa, ASSERT(0); } - status = getnameinfo(sa, salen, hostaddr, sizeof(hostaddr), - servname, sizeof(servname), NI_NUMERICHOST | NI_NUMERICSERV); + status = getnameinfo(sa, salen, hostaddr, sizeof(hostaddr), servname, sizeof(servname), + NI_NUMERICHOST | NI_NUMERICSERV); - if (status!=0) + if (status != 0) { buf_printf(&out, "[nameinfo() err: %s]", gai_strerror(status)); return BSTR(&out); @@ -2924,7 +2756,7 @@ print_sockaddr_ex(const struct sockaddr *sa, const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc) { - return print_link_socket_actual_ex(act, ":", PS_SHOW_PORT|PS_SHOW_PKTINFO, gc); + return print_link_socket_actual_ex(act, ":", PS_SHOW_PORT | PS_SHOW_PKTINFO, gc); } #ifndef IF_NAMESIZE @@ -2932,10 +2764,8 @@ print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena * #endif const char * -print_link_socket_actual_ex(const struct link_socket_actual *act, - const char *separator, - const unsigned int flags, - struct gc_arena *gc) +print_link_socket_actual_ex(const struct link_socket_actual *act, const char *separator, + const unsigned int flags, struct gc_arena *gc) { if (act) { 
@@ -2959,12 +2789,11 @@ print_link_socket_actual_ex(const struct link_socket_actual *act, #elif defined(IP_RECVDSTADDR) sa.addr.in4.sin_addr = act->pi.in4; ifname[0] = 0; -#else /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */ +#else /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */ #error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h) #endif buf_printf(&out, " (via %s%%%s)", - print_sockaddr_ex(&sa.addr.sa, separator, 0, gc), - ifname); + print_sockaddr_ex(&sa.addr.sa, separator, 0, gc), ifname); } break; @@ -2976,8 +2805,9 @@ print_link_socket_actual_ex(const struct link_socket_actual *act, sin6.sin6_family = AF_INET6; sin6.sin6_addr = act->pi.in6.ipi6_addr; if_indextoname(act->pi.in6.ipi6_ifindex, ifname); - if (getnameinfo((struct sockaddr *)&sin6, sizeof(struct sockaddr_in6), - buf, sizeof(buf), NULL, 0, NI_NUMERICHOST) == 0) + if (getnameinfo((struct sockaddr *)&sin6, sizeof(struct sockaddr_in6), buf, + sizeof(buf), NULL, 0, NI_NUMERICHOST) + == 0) { buf_printf(&out, " (via %s%%%s)", buf, ifname); } @@ -3027,8 +2857,7 @@ print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc) { char *out = gc_malloc(INET6_ADDRSTRLEN, true, gc); - if (memcmp(&a6, &in6addr_any, sizeof(a6)) != 0 - || !(flags & IA_EMPTY_IF_UNDEF)) + if (memcmp(&a6, &in6addr_any, sizeof(a6)) != 0 || !(flags & IA_EMPTY_IF_UNDEF)) { inet_ntop(AF_INET6, &a6, out, INET6_ADDRSTRLEN); } 
@@ -3050,30 +2879,31 @@ print_in_port_t(in_port_t port, struct gc_arena *gc) * (add in steps of 8 bits, taking overflow into next round) */ struct in6_addr -add_in6_addr( struct in6_addr base, uint32_t add ) +add_in6_addr(struct in6_addr base, uint32_t add) { int i; - for (i = 15; i>=0 && add > 0; i--) + for (i = 15; i >= 0 && add > 0; i--) { register int carry; register uint32_t h; - h = (unsigned char) base.s6_addr[i]; - base.s6_addr[i] = (h+add) & UINT8_MAX; + h = (unsigned char)base.s6_addr[i]; + base.s6_addr[i] = (h + add) & UINT8_MAX; /* using explicit carry for the 8-bit additions will catch * 8-bit and(!) 32-bit overruns nicely */ - carry = ((h & 0xff) + (add & 0xff)) >> 8; - add = (add>>8) + carry; + carry = ((h & 0xff) + (add & 0xff)) >> 8; + add = (add >> 8) + carry; } return base; } /* set environmental variables for ip/port in *addr */ void -setenv_sockaddr(struct env_set *es, const char *name_prefix, const struct openvpn_sockaddr *addr, const unsigned int flags) +setenv_sockaddr(struct env_set *es, const char *name_prefix, const struct openvpn_sockaddr *addr, + const unsigned int flags) { char name_buf[256]; @@ -3101,11 +2931,10 @@ setenv_sockaddr(struct env_set *es, const char *name_prefix, const struct openvp break; case AF_INET6: - if (IN6_IS_ADDR_V4MAPPED( &addr->addr.in6.sin6_addr )) + if (IN6_IS_ADDR_V4MAPPED(&addr->addr.in6.sin6_addr)) { struct in_addr ia; - memcpy(&ia.s_addr, &addr->addr.in6.sin6_addr.s6_addr[12], - sizeof(ia.s_addr)); + memcpy(&ia.s_addr, &addr->addr.in6.sin6_addr.s6_addr[12], sizeof(ia.s_addr)); snprintf(name_buf, sizeof(name_buf), "%s_ip", name_prefix); inet_ntop(AF_INET, &ia, buf, sizeof(buf)); } 
@@ -3126,7 +2955,8 @@ setenv_sockaddr(struct env_set *es, const char *name_prefix, const struct openvp } void -setenv_in_addr_t(struct env_set *es, const char *name_prefix, in_addr_t addr, const unsigned int flags) +setenv_in_addr_t(struct env_set *es, const char *name_prefix, in_addr_t addr, + const unsigned int flags) { if (addr || !(flags & SA_SET_IF_NONZERO)) { @@ -3139,9 +2969,7 @@ setenv_in_addr_t(struct env_set *es, const char *name_prefix, in_addr_t addr, co } void -setenv_in6_addr(struct env_set *es, - const char *name_prefix, - const struct in6_addr *addr, +setenv_in6_addr(struct env_set *es, const char *name_prefix, const struct in6_addr *addr, const unsigned int flags) { if (!IN6_IS_ADDR_UNSPECIFIED(addr) || !(flags & SA_SET_IF_NONZERO)) @@ -3155,10 +2983,8 @@ setenv_in6_addr(struct env_set *es, } void -setenv_link_socket_actual(struct env_set *es, - const char *name_prefix, - const struct link_socket_actual *act, - const unsigned int flags) +setenv_link_socket_actual(struct env_set *es, const char *name_prefix, + const struct link_socket_actual *act, const unsigned int flags) { setenv_sockaddr(es, name_prefix, &act->dest, flags); } @@ -3167,7 +2993,8 @@ setenv_link_socket_actual(struct env_set *es, * Convert protocol names between index and ascii form. */ -struct proto_names { +struct proto_names +{ const char *short_form; const char *display_form; sa_family_t proto_af; 
@@ -3176,22 +3003,22 @@ struct proto_names {
 /* Indexed by PROTO_x */
 static const struct proto_names proto_names[] = {
- {"proto-uninitialized", "proto-NONE", AF_UNSPEC, PROTO_NONE},
+ { "proto-uninitialized", "proto-NONE", AF_UNSPEC, PROTO_NONE },
 /* try IPv4 and IPv6 (client), bind dual-stack (server) */
- {"udp", "UDP", AF_UNSPEC, PROTO_UDP},
- {"tcp-server", "TCP_SERVER", AF_UNSPEC, PROTO_TCP_SERVER},
- {"tcp-client", "TCP_CLIENT", AF_UNSPEC, PROTO_TCP_CLIENT},
- {"tcp", "TCP", AF_UNSPEC, PROTO_TCP},
+ { "udp", "UDP", AF_UNSPEC, PROTO_UDP },
+ { "tcp-server", "TCP_SERVER", AF_UNSPEC, PROTO_TCP_SERVER },
+ { "tcp-client", "TCP_CLIENT", AF_UNSPEC, PROTO_TCP_CLIENT },
+ { "tcp", "TCP", AF_UNSPEC, PROTO_TCP },
 /* force IPv4 */
- {"udp4", "UDPv4", AF_INET, PROTO_UDP},
- {"tcp4-server", "TCPv4_SERVER", AF_INET, PROTO_TCP_SERVER},
- {"tcp4-client", "TCPv4_CLIENT", AF_INET, PROTO_TCP_CLIENT},
- {"tcp4", "TCPv4", AF_INET, PROTO_TCP},
+ { "udp4", "UDPv4", AF_INET, PROTO_UDP },
+ { "tcp4-server", "TCPv4_SERVER", AF_INET, PROTO_TCP_SERVER },
+ { "tcp4-client", "TCPv4_CLIENT", AF_INET, PROTO_TCP_CLIENT },
+ { "tcp4", "TCPv4", AF_INET, PROTO_TCP },
 /* force IPv6 */
- {"udp6", "UDPv6", AF_INET6, PROTO_UDP},
- {"tcp6-server", "TCPv6_SERVER", AF_INET6, PROTO_TCP_SERVER},
- {"tcp6-client", "TCPv6_CLIENT", AF_INET6, PROTO_TCP_CLIENT},
- {"tcp6", "TCPv6", AF_INET6, PROTO_TCP},
+ { "udp6", "UDPv6", AF_INET6, PROTO_UDP },
+ { "tcp6-server", "TCPv6_SERVER", AF_INET6, PROTO_TCP_SERVER },
+ { "tcp6-client", "TCPv6_CLIENT", AF_INET6, PROTO_TCP_CLIENT },
+ { "tcp6", "TCPv6", AF_INET6, PROTO_TCP },
 };
 int
@@ -3262,9 +3089,11 @@ addr_family_name(int af)
 {
 switch (af)
 {
- case AF_INET: return "AF_INET";
+ case AF_INET:
+ return "AF_INET";
- case AF_INET6: return "AF_INET6";
+ case AF_INET6:
+ return "AF_INET6";
 }
 return "AF_UNSPEC";
 }
@@ -3290,13 +3119,11 @@ proto_remote(int proto, bool remote)
 return "UDPv4";
 }
- if ( (remote && proto == PROTO_TCP_CLIENT)
- || (!remote && proto == PROTO_TCP_SERVER))
+ if ((remote && proto == PROTO_TCP_CLIENT) || (!remote && proto == PROTO_TCP_SERVER))
 {
 return "TCPv4_SERVER";
 }
- if ( (remote && proto == PROTO_TCP_SERVER)
- || (!remote && proto == PROTO_TCP_CLIENT))
+ if ((remote && proto == PROTO_TCP_SERVER) || (!remote && proto == PROTO_TCP_CLIENT))
 {
 return "TCPv4_CLIENT";
 }
@@ -3312,9 +3139,9 @@ proto_remote(int proto, bool remote)
 void
 bad_address_length(int actual, int expected)
 {
- msg(M_FATAL, "ERROR: received strange incoming packet with an address length of %d -- we only accept address lengths of %d.",
- actual,
- expected);
+ msg(M_FATAL,
+ "ERROR: received strange incoming packet with an address length of %d -- we only accept address lengths of %d.",
+ actual, expected);
 }
 /*
@@ -3322,8 +3149,7 @@ bad_address_length(int actual, int expected)
 */
 int
-link_socket_read_tcp(struct link_socket *sock,
- struct buffer *buf)
+link_socket_read_tcp(struct link_socket *sock, struct buffer *buf)
 {
 int len = 0;
@@ -3336,9 +3162,9 @@ link_socket_read_tcp(struct link_socket *sock,
 */
 if (sock->sd == SOCKET_UNDEFINED)
 {
- msg(M_INFO, "BUG: link_socket_read_tcp(): sock->sd==-1, reset client instance" );
- sock->stream_reset = true; /* reset client instance */
- return buf->len = 0; /* nothing to read */
+ msg(M_INFO, "BUG: link_socket_read_tcp(): sock->sd==-1, reset client instance");
+ sock->stream_reset = true; /* reset client instance */
+ return buf->len = 0; /* nothing to read */
 }
 #ifdef _WIN32
@@ -3381,24 +3207,23 @@ link_socket_read_tcp(struct link_socket *sock,
 * both IPv4 and IPv6 destination addresses, plus padding (see RFC 2292)
 */
 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
-#define PKTINFO_BUF_SIZE max_int( CMSG_SPACE(sizeof(struct in6_pktinfo)), \
- CMSG_SPACE(sizeof(struct in_pktinfo)) )
+#define PKTINFO_BUF_SIZE \
+ max_int(CMSG_SPACE(sizeof(struct in6_pktinfo)), CMSG_SPACE(sizeof(struct in_pktinfo)))
 #else
-#define PKTINFO_BUF_SIZE max_int( CMSG_SPACE(sizeof(struct in6_pktinfo)), \
- CMSG_SPACE(sizeof(struct in_addr)) )
+#define PKTINFO_BUF_SIZE \
+ max_int(CMSG_SPACE(sizeof(struct in6_pktinfo)), CMSG_SPACE(sizeof(struct in_addr)))
 #endif
 static socklen_t
-link_socket_read_udp_posix_recvmsg(struct link_socket *sock,
- struct buffer *buf,
+link_socket_read_udp_posix_recvmsg(struct link_socket *sock, struct buffer *buf,
 struct link_socket_actual *from)
 {
 struct iovec iov;
 uint8_t pktinfo_buf[PKTINFO_BUF_SIZE];
- struct msghdr mesg = {0};
+ struct msghdr mesg = { 0 };
 socklen_t fromlen = sizeof(from->dest.addr);
- ASSERT(sock->sd >= 0); /* can't happen */
+ ASSERT(sock->sd >= 0); /* can't happen */
 iov.iov_base = BPTR(buf);
 iov.iov_len = buf_forward_capacity_total(buf);
@@ -3414,43 +3239,40 @@ link_socket_read_udp_posix_recvmsg(struct link_socket *sock,
 struct cmsghdr *cmsg;
 fromlen = mesg.msg_namelen;
 cmsg = CMSG_FIRSTHDR(&mesg);
- if (cmsg != NULL
- && CMSG_NXTHDR(&mesg, cmsg) == NULL
+ if (cmsg != NULL && CMSG_NXTHDR(&mesg, cmsg) == NULL
 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
- && cmsg->cmsg_level == SOL_IP
- && cmsg->cmsg_type == IP_PKTINFO
- && cmsg->cmsg_len >= CMSG_LEN(sizeof(struct in_pktinfo)) )
+ && cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_PKTINFO
+ && cmsg->cmsg_len >= CMSG_LEN(sizeof(struct in_pktinfo)))
 #elif defined(IP_RECVDSTADDR)
- && cmsg->cmsg_level == IPPROTO_IP
- && cmsg->cmsg_type == IP_RECVDSTADDR
- && cmsg->cmsg_len >= CMSG_LEN(sizeof(struct in_addr)) )
-#else /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */
+ && cmsg->cmsg_level == IPPROTO_IP && cmsg->cmsg_type == IP_RECVDSTADDR
+ && cmsg->cmsg_len >= CMSG_LEN(sizeof(struct in_addr)))
+#else /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */
 #error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h)
 #endif
 {
 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
- struct in_pktinfo *pkti = (struct in_pktinfo *) CMSG_DATA(cmsg);
+ struct in_pktinfo *pkti = (struct in_pktinfo *)CMSG_DATA(cmsg);
 from->pi.in4.ipi_ifindex = pkti->ipi_ifindex;
 from->pi.in4.ipi_spec_dst = pkti->ipi_spec_dst;
 #elif defined(IP_RECVDSTADDR)
- from->pi.in4 = *(struct in_addr *) CMSG_DATA(cmsg);
-#else /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */
+ from->pi.in4 = *(struct in_addr *)CMSG_DATA(cmsg);
+#else /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */
 #error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h)
 #endif
 }
- else if (cmsg != NULL
- && CMSG_NXTHDR(&mesg, cmsg) == NULL
- && cmsg->cmsg_level == IPPROTO_IPV6
- && cmsg->cmsg_type == IPV6_PKTINFO
- && cmsg->cmsg_len >= CMSG_LEN(sizeof(struct in6_pktinfo)) )
+ else if (cmsg != 
NULL && CMSG_NXTHDR(&mesg, cmsg) == NULL
+ && cmsg->cmsg_level == IPPROTO_IPV6 && cmsg->cmsg_type == IPV6_PKTINFO
+ && cmsg->cmsg_len >= CMSG_LEN(sizeof(struct in6_pktinfo)))
 {
- struct in6_pktinfo *pkti6 = (struct in6_pktinfo *) CMSG_DATA(cmsg);
+ struct in6_pktinfo *pkti6 = (struct in6_pktinfo *)CMSG_DATA(cmsg);
 from->pi.in6.ipi6_ifindex = pkti6->ipi6_ifindex;
 from->pi.in6.ipi6_addr = pkti6->ipi6_addr;
 }
 else if (cmsg != NULL)
 {
- msg(M_WARN, "CMSG received that cannot be parsed (cmsg_level=%d, cmsg_type=%d, cmsg=len=%d)", (int)cmsg->cmsg_level, (int)cmsg->cmsg_type, (int)cmsg->cmsg_len );
+ msg(M_WARN,
+ "CMSG received that cannot be parsed (cmsg_level=%d, cmsg_type=%d, cmsg=len=%d)",
+ (int)cmsg->cmsg_level, (int)cmsg->cmsg_type, (int)cmsg->cmsg_len);
 }
 }
@@ -3459,15 +3281,14 @@ link_socket_read_udp_posix_recvmsg(struct link_socket *sock,
 #endif /* if ENABLE_IP_PKTINFO */
 int
-link_socket_read_udp_posix(struct link_socket *sock,
- struct buffer *buf,
+link_socket_read_udp_posix(struct link_socket *sock, struct buffer *buf,
 struct link_socket_actual *from)
 {
 socklen_t fromlen = sizeof(from->dest.addr);
 socklen_t expectedlen = af_addr_size(sock->info.af);
 addr_zero_host(&from->dest);
- ASSERT(sock->sd >= 0); /* can't happen */
+ ASSERT(sock->sd >= 0); /* can't happen */
 #if ENABLE_IP_PKTINFO
 /* Both PROTO_UDPv4 and PROTO_UDPv6 */
@@ -3478,8 +3299,8 @@ link_socket_read_udp_posix(struct link_socket *sock,
 else
 #endif
 {
- buf->len = recvfrom(sock->sd, BPTR(buf), buf_forward_capacity(buf), 0,
- &from->dest.addr.sa, &fromlen);
+ buf->len = recvfrom(sock->sd, BPTR(buf), buf_forward_capacity(buf), 0, &from->dest.addr.sa,
+ &fromlen);
 }
 /* FIXME: won't do anything when sock->info.af == AF_UNSPEC */
 if (buf->len >= 0 && expectedlen && fromlen != expectedlen)
@@ -3496,9 +3317,7 @@ link_socket_read_udp_posix(struct link_socket *sock,
 */
 ssize_t
-link_socket_write_tcp(struct link_socket *sock,
- struct buffer *buf,
- struct link_socket_actual *to)
+link_socket_write_tcp(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to)
 {
 packet_size_type len = BLEN(buf);
 dmsg(D_STREAM_DEBUG, "STREAM: WRITE %d offset=%d", (int)len, buf->offset);
@@ -3515,8 +3334,7 @@ link_socket_write_tcp(struct link_socket *sock,
 #if ENABLE_IP_PKTINFO
 ssize_t
-link_socket_write_udp_posix_sendmsg(struct link_socket *sock,
- struct buffer *buf,
+link_socket_write_udp_posix_sendmsg(struct link_socket *sock, struct buffer *buf,
 struct link_socket_actual *to)
 {
 struct iovec iov;
@@ -3544,19 +3362,19 @@ link_socket_write_udp_posix_sendmsg(struct link_socket *sock,
 cmsg->cmsg_type = IP_PKTINFO;
 {
 struct in_pktinfo *pkti;
- pkti = (struct in_pktinfo *) CMSG_DATA(cmsg);
+ pkti = (struct in_pktinfo *)CMSG_DATA(cmsg);
 pkti->ipi_ifindex = to->pi.in4.ipi_ifindex;
 pkti->ipi_spec_dst = to->pi.in4.ipi_spec_dst;
 pkti->ipi_addr.s_addr = 0;
 }
 #elif defined(IP_RECVDSTADDR)
- ASSERT( CMSG_SPACE(sizeof(struct in_addr)) <= sizeof(pktinfo_buf) );
+ ASSERT(CMSG_SPACE(sizeof(struct in_addr)) <= sizeof(pktinfo_buf));
 mesg.msg_controllen = CMSG_SPACE(sizeof(struct in_addr));
 cmsg = CMSG_FIRSTHDR(&mesg);
 cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
 cmsg->cmsg_level = IPPROTO_IP;
 cmsg->cmsg_type = IP_RECVDSTADDR;
- *(struct in_addr *) CMSG_DATA(cmsg) = to->pi.in4;
+ *(struct in_addr *)CMSG_DATA(cmsg) = to->pi.in4;
 #else /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */
 #error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h)
 #endif /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */
@@ -3569,7 +3387,7 @@ link_socket_write_udp_posix_sendmsg(struct link_socket *sock,
 mesg.msg_name = &to->dest.addr.sa;
 mesg.msg_namelen = sizeof(struct sockaddr_in6);
- ASSERT( CMSG_SPACE(sizeof(struct in6_pktinfo)) <= sizeof(pktinfo_buf) );
+ ASSERT(CMSG_SPACE(sizeof(struct in6_pktinfo)) <= sizeof(pktinfo_buf));
 mesg.msg_control = pktinfo_buf;
 mesg.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo));
 mesg.msg_flags = 0;
@@ -3578,13 +3396,14 @@ link_socket_write_udp_posix_sendmsg(struct link_socket *sock,
 cmsg->cmsg_level = IPPROTO_IPV6;
 cmsg->cmsg_type = IPV6_PKTINFO;
- pkti6 = (struct in6_pktinfo *) CMSG_DATA(cmsg);
+ pkti6 = (struct in6_pktinfo *)CMSG_DATA(cmsg);
 pkti6->ipi6_ifindex = to->pi.in6.ipi6_ifindex;
 pkti6->ipi6_addr = to->pi.in6.ipi6_addr;
 break;
 }
- default: ASSERT(0);
+ default:
+ ASSERT(0);
 }
 return sendmsg(sock->sd, &mesg, 0);
 }
@@ -3643,8 +3462,8 @@ socket_recv_queue(struct link_socket *sock, int maxsize)
 if (socket_is_dco_win(sock))
 {
- status = ReadFile((HANDLE)sock->sd, wsabuf[0].buf, wsabuf[0].len,
- &sock->reads.size, &sock->reads.overlapped);
+ status = ReadFile((HANDLE)sock->sd, wsabuf[0].buf, wsabuf[0].len, &sock->reads.size,
+ &sock->reads.overlapped);
 /* Readfile status is inverted from WSARecv */
 status = !status;
 }
@@ -3652,28 +3471,15 @@ socket_recv_queue(struct link_socket *sock, int maxsize)
 {
 sock->reads.addr_defined = true;
 sock->reads.addrlen = sizeof(sock->reads.addr6);
- status = WSARecvFrom(
- sock->sd,
- wsabuf,
- 1,
- &sock->reads.size,
- &sock->reads.flags,
- (struct sockaddr *) &sock->reads.addr,
- &sock->reads.addrlen,
- &sock->reads.overlapped,
- NULL);
+ status = WSARecvFrom(sock->sd, wsabuf, 1, &sock->reads.size, &sock->reads.flags,
+ (struct sockaddr *)&sock->reads.addr, &sock->reads.addrlen,
+ &sock->reads.overlapped, NULL);
 }
 else if (proto_is_tcp(sock->info.proto))
 {
 sock->reads.addr_defined = false;
- status = WSARecv(
- sock->sd,
- wsabuf,
- 1,
- &sock->reads.size,
- &sock->reads.flags,
- &sock->reads.overlapped,
- NULL);
+ status = WSARecv(sock->sd, wsabuf, 1, &sock->reads.size, &sock->reads.flags,
+ &sock->reads.overlapped, NULL);
 }
 else
 {
@@ -3696,8 +3502,7 @@ socket_recv_queue(struct link_socket *sock, int maxsize)
 sock->reads.status = 0;
 dmsg(D_WIN32_IO, "WIN32 I/O: Socket Receive immediate return [%d,%d]",
- (int) wsabuf[0].len,
- (int) sock->reads.size);
+ (int)wsabuf[0].len, (int)sock->reads.size);
 }
 else
 {
@@ -3706,8 +3511,7 @@ socket_recv_queue(struct link_socket *sock, int maxsize)
 {
 sock->reads.iostate = IOSTATE_QUEUED;
 sock->reads.status = status;
- dmsg(D_WIN32_IO, "WIN32 I/O: Socket Receive queued [%d]",
- (int) wsabuf[0].len);
+ dmsg(D_WIN32_IO, "WIN32 I/O: Socket Receive queued [%d]", (int)wsabuf[0].len);
 }
 else /* error occurred */
 {
@@ -3715,8 +3519,7 @@ socket_recv_queue(struct link_socket *sock, int maxsize)
 ASSERT(SetEvent(sock->reads.overlapped.hEvent));
 sock->reads.iostate = IOSTATE_IMMEDIATE_RETURN;
 sock->reads.status = status;
- dmsg(D_WIN32_IO, "WIN32 I/O: Socket Receive error [%d]: %s",
- (int) wsabuf[0].len,
+ dmsg(D_WIN32_IO, "WIN32 I/O: Socket Receive error [%d]: %s", (int)wsabuf[0].len,
 strerror_win32(status, &gc));
 gc_free(&gc);
 }
@@ -3748,12 +3551,11 @@ socket_send_queue(struct link_socket *sock, struct buffer *buf, const struct lin
 if (socket_is_dco_win(sock))
 {
- status = WriteFile((HANDLE)sock->sd, wsabuf[0].buf, wsabuf[0].len,
- &sock->writes.size, &sock->writes.overlapped);
+ status = WriteFile((HANDLE)sock->sd, wsabuf[0].buf, wsabuf[0].len, &sock->writes.size,
+ &sock->writes.overlapped);
 /* WriteFile status is inverted from WSASendTo */
 status = !status;
-
 }
 else if (proto_is_udp(sock->info.proto))
 {
@@ -3770,30 +3572,17 @@ socket_send_queue(struct link_socket *sock, struct buffer *buf, const struct lin
 sock->writes.addrlen = sizeof(sock->writes.addr);
 }
- status = WSASendTo(
- sock->sd,
- wsabuf,
- 1,
- &sock->writes.size,
- sock->writes.flags,
- (struct sockaddr *) &sock->writes.addr,
- sock->writes.addrlen,
- &sock->writes.overlapped,
- NULL);
+ status = WSASendTo(sock->sd, wsabuf, 1, &sock->writes.size, sock->writes.flags,
+ (struct sockaddr *)&sock->writes.addr, sock->writes.addrlen,
+ &sock->writes.overlapped, NULL);
 }
 else if (proto_is_tcp(sock->info.proto))
 {
 /* destination address for TCP writes was established on connection initiation */
 sock->writes.addr_defined = false;
- status = WSASend(
- sock->sd,
- wsabuf,
- 1,
- &sock->writes.size,
- sock->writes.flags,
- &sock->writes.overlapped,
- NULL);
+ status = WSASend(sock->sd, wsabuf, 1, &sock->writes.size, sock->writes.flags,
+ &sock->writes.overlapped, NULL);
 }
 else
 {
@@ -3810,9 +3599,8 @@ socket_send_queue(struct link_socket *sock, struct buffer *buf, const struct lin
 sock->writes.status = 0;
- dmsg(D_WIN32_IO, "WIN32 I/O: Socket Send immediate return [%d,%d]",
- (int) wsabuf[0].len,
- (int) sock->writes.size);
+ dmsg(D_WIN32_IO, "WIN32 I/O: Socket Send immediate return [%d,%d]", (int)wsabuf[0].len,
+ (int)sock->writes.size);
 }
 else
 {
@@ -3822,8 +3610,7 @@ socket_send_queue(struct link_socket *sock, struct buffer *buf, const struct lin
 {
 sock->writes.iostate = IOSTATE_QUEUED;
 sock->writes.status = status;
- dmsg(D_WIN32_IO, "WIN32 I/O: Socket Send queued [%d]",
- (int) wsabuf[0].len);
+ dmsg(D_WIN32_IO, "WIN32 I/O: Socket Send queued [%d]", (int)wsabuf[0].len);
 }
 else /* error occurred */
 {
@@ -3832,8 +3619,7 @@ socket_send_queue(struct link_socket *sock, struct buffer *buf, const struct lin
 sock->writes.iostate = IOSTATE_IMMEDIATE_RETURN;
 sock->writes.status = status;
- dmsg(D_WIN32_IO, "WIN32 I/O: Socket Send error [%d]: %s",
- (int) wsabuf[0].len,
+ dmsg(D_WIN32_IO, "WIN32 I/O: Socket Send error [%d]: %s", (int)wsabuf[0].len,
 strerror_win32(status, &gc));
 gc_free(&gc);
@@ -3905,7 +3691,9 @@ read_sockaddr_from_packet(struct buffer *buf, struct sockaddr *dst)
 sa_len = sizeof(struct sockaddr_in);
 if (buf_len(buf) < sa_len)
 {
- msg(M_FATAL, "ERROR: received incoming packet with too short length of %d -- must be at least %d.", buf_len(buf), sa_len);
+ msg(M_FATAL,
+ "ERROR: received incoming packet with too short length of %d -- must be at least %d.",
+ buf_len(buf), sa_len);
 }
 memcpy(dst, sa, sa_len);
 buf_advance(buf, sa_len);
@@ -3915,14 +3703,17 @@ read_sockaddr_from_packet(struct buffer *buf, struct sockaddr *dst)
 sa_len = sizeof(struct sockaddr_in6);
 if (buf_len(buf) < sa_len)
 {
- msg(M_FATAL, "ERROR: received incoming packet with too short length of %d -- must be at least %d.", buf_len(buf), sa_len);
+ msg(M_FATAL,
+ "ERROR: received incoming packet with too short length of %d -- must be at least %d.",
+ buf_len(buf), sa_len);
 }
 memcpy(dst, sa, sa_len);
 buf_advance(buf, sa_len);
 break;
 default:
- msg(M_FATAL, "ERROR: received incoming packet with invalid address family %d.", sa->sa_family);
+ msg(M_FATAL, "ERROR: received incoming packet with invalid address family %d.",
+ sa->sa_family);
 }
 return sa_len;
@@ -3930,9 +3721,7 @@ read_sockaddr_from_packet(struct buffer *buf, struct sockaddr *dst)
 /* Returns the number of bytes successfully read */
 int
-sockethandle_finalize(sockethandle_t sh,
- struct overlapped_io *io,
- struct buffer *buf,
+sockethandle_finalize(sockethandle_t sh, struct overlapped_io *io, struct buffer *buf,
 struct link_socket_actual *from)
 {
 int ret = -1;
@@ -4025,10 +3814,7 @@ sockethandle_finalize(sockethandle_t sh,
 */
 unsigned int
-socket_set(struct link_socket *s,
- struct event_set *es,
- unsigned int rwflags,
- void *arg,
+socket_set(struct link_socket *s, struct event_set *es, unsigned int rwflags, void *arg,
 unsigned int *persistent)
 {
 if (s)
@@ -4108,20 +3894,15 @@ create_socket_unix(void)
 }
 void
-socket_bind_unix(socket_descriptor_t sd,
- struct sockaddr_un *local,
- const char *prefix)
+socket_bind_unix(socket_descriptor_t sd, struct sockaddr_un *local, const char *prefix)
 {
 struct gc_arena gc = gc_new();
 const mode_t orig_umask = umask(0);
- if (bind(sd, (struct sockaddr *) local, sizeof(struct sockaddr_un)))
+ if (bind(sd, (struct sockaddr *)local, sizeof(struct sockaddr_un)))
 {
- msg(M_FATAL | M_ERRNO,
- "%s: Socket bind[%d] failed on unix domain socket %s",
- prefix,
- (int)sd,
- sockaddr_unix_name(local, "NULL"));
+ msg(M_FATAL | M_ERRNO, "%s: Socket bind[%d] failed on unix domain socket %s", prefix,
+ (int)sd, sockaddr_unix_name(local, "NULL"));
 }
 umask(orig_umask);
@@ -4129,14 +3910,13 @@ socket_bind_unix(socket_descriptor_t sd,
 }
 socket_descriptor_t
-socket_accept_unix(socket_descriptor_t sd,
- struct sockaddr_un *remote)
+socket_accept_unix(socket_descriptor_t sd, struct sockaddr_un *remote)
 {
 socklen_t remote_len = sizeof(struct sockaddr_un);
 socket_descriptor_t ret;
 CLEAR(*remote);
- ret = accept(sd, (struct sockaddr *) remote, &remote_len);
+ ret = accept(sd, (struct sockaddr *)remote, &remote_len);
 if (ret >= 0)
 {
 /* set socket file descriptor to not pass across execs, so that
@@ -4147,10 +3927,9 @@ socket_accept_unix(socket_descriptor_t sd,
 }
 int
-socket_connect_unix(socket_descriptor_t sd,
- struct sockaddr_un *remote)
+socket_connect_unix(socket_descriptor_t sd, struct sockaddr_un *remote)
 {
- int status = connect(sd, (struct sockaddr *) remote, sizeof(struct sockaddr_un));
+ int status = connect(sd, (struct sockaddr *)remote, sizeof(struct sockaddr_un));
 if (status)
 {
 status = openvpn_errno();
diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h
index f30411d68..ed375901e 100644
--- a/src/openvpn/socket.h
+++ b/src/openvpn/socket.h
@@ -64,7 +64,8 @@ typedef uint16_t packet_size_type;
 struct openvpn_sockaddr
 {
 /*int dummy;*/ /* add offset to force a bug if sa not explicitly dereferenced */
- union {
+ union
+ {
 struct sockaddr sa;
 struct sockaddr_in in4;
 struct sockaddr_in6 in6;
@@ -72,7 +73,8 @@ struct openvpn_sockaddr
 };
 /* struct to hold preresolved host names */
-struct cached_dns_entry {
+struct cached_dns_entry
+{
 const char *hostname;
 const char *servname;
 int ai_family;
@@ -88,7 +90,8 @@ struct link_socket_actual
 struct openvpn_sockaddr dest;
 #if ENABLE_IP_PKTINFO
- union {
+ union
+ {
 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
 struct in_pktinfo in4;
 #elif defined(IP_RECVDSTADDR)
@@ -103,9 +106,9 @@ struct link_socket_actual
 struct link_socket_addr
 {
 struct addrinfo *bind_local;
- struct addrinfo *remote_list; /* complete remote list */
- struct addrinfo *current_remote; /* remote used in the
- * current connection attempt */
+ struct addrinfo *remote_list; /* complete remote list */
+ struct addrinfo *current_remote; /* remote used in the
+ * current connection attempt */
 struct link_socket_actual actual; /* reply to this address */
 };
@@ -116,10 +119,10 @@ struct link_socket_info
 const char *ipchange_command;
 const struct plugin_list *plugins;
 bool remote_float;
- int proto; /* Protocol (PROTO_x defined below) */
- sa_family_t af; /* Address family like AF_INET, AF_INET6 or AF_UNSPEC*/
+ int proto; /* Protocol (PROTO_x defined below) */
+ sa_family_t af; /* Address family like AF_INET, AF_INET6 or AF_UNSPEC*/
 bool bind_ipv6_only;
- int mtu_changed; /* Set to true when mtu value is changed */
+ int mtu_changed; /* Set to true when mtu value is changed */
 };
 /*
@@ -135,7 +138,7 @@ struct stream_buf
 struct buffer buf;
 struct buffer next;
- int len; /* -1 if not yet known */
+ int len; /* -1 if not yet known */
 bool error; /* if true, fatal TCP error has occurred,
 * requiring that connection be restarted */
@@ -163,10 +166,8 @@ struct socket_buffer_size
 * @param sbs new sizes.
 * @param reduce_size apply the new size even if smaller than current one
 */
-void
-socket_set_buffers(socket_descriptor_t fd,
- const struct socket_buffer_size *sbs,
- bool reduce_size);
+void socket_set_buffers(socket_descriptor_t fd, const struct socket_buffer_size *sbs,
+ bool reduce_size);
 /*
 * This is the main socket structure used by OpenVPN. The SOCKET_
@@ -177,10 +178,10 @@ struct link_socket
 {
 struct link_socket_info info;
- struct event_arg ev_arg; /**< this struct will store a pointer to either mi or
- * link_socket, depending on the event type, to keep
- * it accessible it's placed within the same struct
- * it points to. */
+ struct event_arg ev_arg; /**< this struct will store a pointer to either mi or
+ * link_socket, depending on the event type, to keep
+ * it accessible it's placed within the same struct
+ * it points to. */
 socket_descriptor_t sd;
 socket_descriptor_t ctrl_sd; /* only used for UDP over Socks */
@@ -205,9 +206,9 @@ struct link_socket
 struct cached_dns_entry *dns_cache;
 bool bind_local;
-#define LS_MODE_DEFAULT 0
-#define LS_MODE_TCP_LISTEN 1
-#define LS_MODE_TCP_ACCEPT_FROM 2
+#define LS_MODE_DEFAULT 0
+#define LS_MODE_TCP_LISTEN 1
+#define LS_MODE_TCP_ACCEPT_FROM 2
 int mode;
 int resolve_retry_seconds;
@@ -215,15 +216,15 @@ struct link_socket
 struct socket_buffer_size socket_buffer_sizes;
- int mtu; /* OS discovered MTU, or 0 if unknown */
+ int mtu; /* OS discovered MTU, or 0 if unknown */
-#define SF_USE_IP_PKTINFO (1<<0)
-#define SF_TCP_NODELAY (1<<1)
-#define SF_PORT_SHARE (1<<2)
-#define SF_HOST_RANDOMIZE (1<<3)
-#define SF_GETADDRINFO_DGRAM (1<<4)
-#define SF_DCO_WIN (1<<5)
-#define SF_PREPEND_SA (1<<6)
+#define SF_USE_IP_PKTINFO (1 << 0)
+#define SF_TCP_NODELAY (1 << 1)
+#define SF_PORT_SHARE (1 << 2)
+#define SF_HOST_RANDOMIZE (1 << 3)
+#define SF_GETADDRINFO_DGRAM (1 << 4)
+#define SF_DCO_WIN (1 << 5)
+#define SF_PREPEND_SA (1 << 6)
 unsigned int sockflags;
 int mark;
 const char *bind_dev;
@@ -277,12 +278,13 @@ struct link_socket
 int socket_recv_queue(struct link_socket *sock, int maxsize);
-int socket_send_queue(struct link_socket *sock,
- struct buffer *buf,
+int socket_send_queue(struct link_socket *sock, struct buffer *buf,
 const struct link_socket_actual *to);
-typedef struct {
- union {
+typedef struct
+{
+ union
+ {
 SOCKET s;
 HANDLE h;
 };
@@ -290,17 +292,15 @@ typedef struct {
 bool prepend_sa; /* are incoming packets prepended with sockaddr? */
 } sockethandle_t;
-int sockethandle_finalize(sockethandle_t sh,
- struct overlapped_io *io,
- struct buffer *buf,
+int sockethandle_finalize(sockethandle_t sh, struct overlapped_io *io, struct buffer *buf,
 struct link_socket_actual *from);
 static inline BOOL
 SocketHandleGetOverlappedResult(sockethandle_t sh, struct overlapped_io *io)
 {
- return sh.is_handle ?
- GetOverlappedResult(sh.h, &io->overlapped, &io->size, FALSE) :
- WSAGetOverlappedResult(sh.s, &io->overlapped, &io->size, FALSE, &io->flags);
+ return sh.is_handle
+ ? GetOverlappedResult(sh.h, &io->overlapped, &io->size, FALSE)
+ : WSAGetOverlappedResult(sh.s, &io->overlapped, &io->size, FALSE, &io->flags);
 }
 static inline int
@@ -321,7 +321,7 @@ SocketHandleSetInvalError(sockethandle_t sh)
 sh.is_handle ? SetLastError(ERROR_INVALID_FUNCTION) : WSASetLastError(WSAEINVAL);
 }
-#else /* ifdef _WIN32 */
+#else /* ifdef _WIN32 */
 #define openvpn_close_socket(s) close(s)
@@ -329,29 +329,19 @@ SocketHandleSetInvalError(sockethandle_t sh)
 struct link_socket *link_socket_new(void);
-void socket_bind(socket_descriptor_t sd,
- struct addrinfo *local,
- int af_family,
- const char *prefix,
+void socket_bind(socket_descriptor_t sd, struct addrinfo *local, int af_family, const char *prefix,
 bool ipv6only);
-int openvpn_connect(socket_descriptor_t sd,
- const struct sockaddr *remote,
- int connect_timeout,
+int openvpn_connect(socket_descriptor_t sd, const struct sockaddr *remote, int connect_timeout,
 volatile int *signal_received);
-
 /*
 * Initialize link_socket object.
 */
-void
-link_socket_init_phase1(struct context *c,
- int sock_index,
- int mode);
+void link_socket_init_phase1(struct context *c, int sock_index, int mode);
-void link_socket_init_phase2(struct context *c,
- struct link_socket *sock);
+void link_socket_init_phase2(struct context *c, struct link_socket *sock);
 void do_preresolve(struct context *c);
@@ -359,75 +349,57 @@ void link_socket_close(struct link_socket *sock);
 void sd_close(socket_descriptor_t *sd);
-#define PS_SHOW_PORT_IF_DEFINED (1<<0)
-#define PS_SHOW_PORT (1<<1)
-#define PS_SHOW_PKTINFO (1<<2)
-#define PS_DONT_SHOW_ADDR (1<<3)
-#define PS_DONT_SHOW_FAMILY (1<<4)
-
-const char *print_sockaddr_ex(const struct sockaddr *addr,
- const char *separator,
- const unsigned int flags,
- struct gc_arena *gc);
-
-static inline
-const char *
-print_openvpn_sockaddr(const struct openvpn_sockaddr *addr,
- struct gc_arena *gc)
+#define PS_SHOW_PORT_IF_DEFINED (1 << 0)
+#define PS_SHOW_PORT (1 << 1)
+#define PS_SHOW_PKTINFO (1 << 2)
+#define PS_DONT_SHOW_ADDR (1 << 3)
+#define PS_DONT_SHOW_FAMILY (1 << 4)
+
+const char *print_sockaddr_ex(const struct sockaddr *addr, const char *separator,
+ const unsigned int flags, struct gc_arena *gc);
+
+static inline const char *
+print_openvpn_sockaddr(const struct openvpn_sockaddr *addr, struct gc_arena *gc)
 {
 return print_sockaddr_ex(&addr->addr.sa, ":", PS_SHOW_PORT, gc);
 }
-static inline
-const char *
-print_sockaddr(const struct sockaddr *addr,
- struct gc_arena *gc)
+static inline const char *
+print_sockaddr(const struct sockaddr *addr, struct gc_arena *gc)
 {
 return print_sockaddr_ex(addr, ":", PS_SHOW_PORT, gc);
 }
+const char *print_link_socket_actual_ex(const struct link_socket_actual *act, const char *separator,
+ const unsigned int flags, struct gc_arena *gc);
-const char *print_link_socket_actual_ex(const struct link_socket_actual *act,
- const char *separator,
- const unsigned int flags,
- struct gc_arena *gc);
-
-const char *print_link_socket_actual(const struct link_socket_actual *act,
- struct gc_arena *gc);
+const char *print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc);
-#define IA_EMPTY_IF_UNDEF (1<<0)
-#define IA_NET_ORDER (1<<1)
+#define IA_EMPTY_IF_UNDEF (1 << 0)
+#define IA_NET_ORDER (1 << 1)
 const char *print_in_addr_t(in_addr_t addr, unsigned int flags, struct 
gc_arena *gc);
 const char *print_in6_addr(struct in6_addr addr6, unsigned int flags, struct gc_arena *gc);
 const char *print_in_port_t(in_port_t port, struct gc_arena *gc);
-struct in6_addr add_in6_addr( struct in6_addr base, uint32_t add );
+struct in6_addr add_in6_addr(struct in6_addr base, uint32_t add);
-#define SA_IP_PORT (1<<0)
-#define SA_SET_IF_NONZERO (1<<1)
-void setenv_sockaddr(struct env_set *es,
- const char *name_prefix,
- const struct openvpn_sockaddr *addr,
- const unsigned int flags);
+#define SA_IP_PORT (1 << 0)
+#define SA_SET_IF_NONZERO (1 << 1)
+void setenv_sockaddr(struct env_set *es, const char *name_prefix,
+ const struct openvpn_sockaddr *addr, const unsigned int flags);
-void setenv_in_addr_t(struct env_set *es,
- const char *name_prefix,
- in_addr_t addr,
+void setenv_in_addr_t(struct env_set *es, const char *name_prefix, in_addr_t addr,
 const unsigned int flags);
-void setenv_in6_addr(struct env_set *es,
- const char *name_prefix,
- const struct in6_addr *addr,
+void setenv_in6_addr(struct env_set *es, const char *name_prefix, const struct in6_addr *addr,
 const unsigned int flags);
-void setenv_link_socket_actual(struct env_set *es,
- const char *name_prefix,
- const struct link_socket_actual *act,
- const unsigned int flags);
+void setenv_link_socket_actual(struct env_set *es, const char *name_prefix,
+ const struct link_socket_actual *act, const unsigned int flags);
 void bad_address_length(int actual, int expected);
@@ -437,20 +409,16 @@ void bad_address_length(int actual, int expected);
 #define IPV4_INVALID_ADDR 0xffffffff
 in_addr_t link_socket_current_remote(const struct link_socket_info *info);
-const struct in6_addr *link_socket_current_remote_ipv6
- (const struct link_socket_info *info);
+const struct in6_addr *link_socket_current_remote_ipv6(const struct link_socket_info *info);
 void link_socket_connection_initiated(struct link_socket_info *info,
 const struct link_socket_actual *addr,
- const char *common_name,
- struct env_set *es);
+ const char *common_name, struct env_set *es);
-void link_socket_bad_incoming_addr(struct buffer *buf,
- const struct link_socket_info *info,
+void link_socket_bad_incoming_addr(struct buffer *buf, const struct link_socket_info *info,
 const struct link_socket_actual *from_addr);
-void set_actual_address(struct link_socket_actual *actual,
- struct addrinfo *ai);
+void set_actual_address(struct link_socket_actual *actual, struct addrinfo *ai);
 void link_socket_bad_outgoing_addr(void);
@@ -465,9 +433,9 @@ void link_socket_update_buffer_sizes(struct link_socket *sock, int rcvbuf, int s
 */
 /* return values of openvpn_inet_aton */
-#define OIA_HOSTNAME 0
-#define OIA_IP 1
-#define OIA_ERROR -1
+#define OIA_HOSTNAME 0
+#define OIA_IP 1
+#define OIA_ERROR -1
 int openvpn_inet_aton(const char *dotted_quad, struct in_addr *addr);
 /* integrity validation on pulled options */
@@ -481,23 +449,18 @@ bool ipv6_addr_safe(const char *ipv6_text_addr);
 socket_descriptor_t create_socket_tcp(struct addrinfo *);
-socket_descriptor_t socket_do_accept(socket_descriptor_t sd,
- struct link_socket_actual *act,
+socket_descriptor_t socket_do_accept(socket_descriptor_t sd, struct link_socket_actual *act,
 const bool nowait);
 #if UNIX_SOCK_SUPPORT
 socket_descriptor_t create_socket_unix(void);
-void socket_bind_unix(socket_descriptor_t sd,
- struct sockaddr_un *local,
- const char *prefix);
+void socket_bind_unix(socket_descriptor_t sd, struct sockaddr_un *local, const char *prefix);
-socket_descriptor_t socket_accept_unix(socket_descriptor_t sd,
- struct sockaddr_un *remote);
+socket_descriptor_t socket_accept_unix(socket_descriptor_t sd, struct sockaddr_un *remote);
-int socket_connect_unix(socket_descriptor_t sd,
- struct sockaddr_un *remote);
+int socket_connect_unix(socket_descriptor_t sd, struct sockaddr_un *remote);
 void sockaddr_unix_init(struct sockaddr_un *local, const char *path);
@@ -513,20 +476,20 @@ bool unix_socket_get_peer_uid_gid(const socket_descriptor_t sd, int *uid, int *g
 * DNS resolution
 */
-#define GETADDR_RESOLVE (1<<0)
-#define GETADDR_FATAL (1<<1)
-#define GETADDR_HOST_ORDER (1<<2)
-#define GETADDR_MENTION_RESOLVE_RETRY (1<<3)
-#define GETADDR_FATAL_ON_SIGNAL (1<<4)
-#define GETADDR_WARN_ON_SIGNAL (1<<5)
-#define GETADDR_MSG_VIRT_OUT (1<<6)
-#define GETADDR_TRY_ONCE (1<<7)
-#define GETADDR_UPDATE_MANAGEMENT_STATE (1<<8)
-#define GETADDR_RANDOMIZE (1<<9)
-#define GETADDR_PASSIVE (1<<10)
-#define GETADDR_DATAGRAM (1<<11)
-
-#define GETADDR_CACHE_MASK (GETADDR_DATAGRAM|GETADDR_PASSIVE)
+#define GETADDR_RESOLVE (1 << 0)
+#define GETADDR_FATAL (1 << 1)
+#define GETADDR_HOST_ORDER (1 << 2)
+#define GETADDR_MENTION_RESOLVE_RETRY (1 << 3)
+#define GETADDR_FATAL_ON_SIGNAL (1 << 4)
+#define GETADDR_WARN_ON_SIGNAL (1 << 5)
+#define GETADDR_MSG_VIRT_OUT (1 << 6)
+#define GETADDR_TRY_ONCE (1 << 7)
+#define GETADDR_UPDATE_MANAGEMENT_STATE (1 << 8)
+#define GETADDR_RANDOMIZE (1 << 9)
+#define GETADDR_PASSIVE (1 << 10)
+#define GETADDR_DATAGRAM (1 << 11)
+
+#define GETADDR_CACHE_MASK (GETADDR_DATAGRAM | GETADDR_PASSIVE)
 /**
 * Translate an IPv4 addr or hostname from string form to in_addr_t
@@ -534,24 +497,17 @@ bool unix_socket_get_peer_uid_gid(const socket_descriptor_t sd, int *uid, int *g
 * In case of resolve error, it will try again for * resolve_retry_seconds seconds. */
-in_addr_t getaddr(unsigned int flags,
- const char *hostname,
- int resolve_retry_seconds,
- bool *succeeded,
- struct signal_info *sig_info);
+in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds,
+ bool *succeeded, struct signal_info *sig_info);
 /** * Translate an IPv6 addr or hostname from string form to in6_addr */
-bool get_ipv6_addr(const char *hostname, struct in6_addr *network,
- unsigned int *netbits, int msglevel);
-
-int openvpn_getaddrinfo(unsigned int flags,
- const char *hostname,
- const char *servname,
- int resolve_retry_seconds,
- struct signal_info *sig_info,
- int ai_family,
+bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits,
+ int msglevel);
+
+int openvpn_getaddrinfo(unsigned int flags, const char *hostname, const char *servname,
+ int resolve_retry_seconds, struct signal_info *sig_info, int ai_family,
 struct addrinfo **res);
 /*
@@ -562,8 +518,9 @@ int openvpn_getaddrinfo(unsigned int flags,
 * Use enum's instead of #define to allow for easier * optional proto support */
-enum proto_num {
- PROTO_NONE, /* catch for uninitialized */
+enum proto_num
+{
+ PROTO_NONE, /* catch for uninitialized */
 PROTO_UDP,
 PROTO_TCP,
 PROTO_TCP_SERVER,
@@ -665,11 +622,14 @@ addr_defined(const struct openvpn_sockaddr *addr)
 }
 switch (addr->addr.sa.sa_family)
 {
- case AF_INET: return addr->addr.in4.sin_addr.s_addr != 0;
+ case AF_INET:
+ return addr->addr.in4.sin_addr.s_addr != 0;
- case AF_INET6: return !IN6_IS_ADDR_UNSPECIFIED(&addr->addr.in6.sin6_addr);
+ case AF_INET6:
+ return !IN6_IS_ADDR_UNSPECIFIED(&addr->addr.in6.sin6_addr);
- default: return 0;
+ default:
+ return 0;
 }
 }
@@ -705,17 +665,21 @@ addr_defined_ipi(const struct link_socket_actual *lsa)
 switch (lsa->dest.addr.sa.sa_family)
 {
 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
- case AF_INET: return lsa->pi.in4.ipi_spec_dst.s_addr != 0;
+ case AF_INET:
+ return lsa->pi.in4.ipi_spec_dst.s_addr != 0;
 #elif defined(IP_RECVDSTADDR)
- case AF_INET: return lsa->pi.in4.s_addr != 0;
+ case AF_INET:
+ return lsa->pi.in4.s_addr != 0;
 #endif
- case AF_INET6: return !IN6_IS_ADDR_UNSPECIFIED(&lsa->pi.in6.ipi6_addr);
+ case AF_INET6:
+ return !IN6_IS_ADDR_UNSPECIFIED(&lsa->pi.in6.ipi6_addr);
- default: return 0;
+ default:
+ return 0;
 }
-#else /* if ENABLE_IP_PKTINFO */
+#else /* if ENABLE_IP_PKTINFO */
 ASSERT(0);
 #endif
 return false;
@@ -751,14 +715,16 @@ addrlist_match(const struct openvpn_sockaddr *a1, const struct addrinfo *addrlis
 switch (a1->addr.sa.sa_family)
 {
 case AF_INET:
- if (a1->addr.in4.sin_addr.s_addr == ((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr)
+ if (a1->addr.in4.sin_addr.s_addr
+ == ((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr)
 {
 return true;
 }
 break;
 case AF_INET6:
- if (IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr, &((struct sockaddr_in6 *) curele->ai_addr)->sin6_addr))
+ if (IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr,
+ &((struct sockaddr_in6 *)curele->ai_addr)->sin6_addr))
 {
 return true;
 }
@@ -781,7 +747,8 @@ addrlist_port_match(const struct openvpn_sockaddr *a1, const struct addrinfo *a2
 {
 case AF_INET:
 if (curele->ai_family == AF_INET
- && a1->addr.in4.sin_addr.s_addr == ((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr
+ && a1->addr.in4.sin_addr.s_addr
+ == ((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr
 && a1->addr.in4.sin_port == ((struct sockaddr_in *)curele->ai_addr)->sin_port)
 {
 return true;
@@ -790,8 +757,10 @@ addrlist_port_match(const struct openvpn_sockaddr *a1, const struct addrinfo *a2
 case AF_INET6:
 if (curele->ai_family == AF_INET6
- && IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr, &((struct sockaddr_in6 *) curele->ai_addr)->sin6_addr)
- && a1->addr.in6.sin6_port == ((struct sockaddr_in6 *) curele->ai_addr)->sin6_port)
+ && IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr,
+ &((struct sockaddr_in6 *)curele->ai_addr)->sin6_addr)
+ && a1->addr.in6.sin6_port
+ == ((struct sockaddr_in6 *)curele->ai_addr)->sin6_port)
 {
 return true;
 }
@@ -805,7 +774,6 @@ addrlist_port_match(const struct openvpn_sockaddr *a1, const struct addrinfo *a2
 }
-
 static inline bool
 addr_port_match(const struct openvpn_sockaddr *a1, const struct openvpn_sockaddr *a2)
 {
@@ -824,24 +792,19 @@ addr_port_match(const struct openvpn_sockaddr *a1, const struct openvpn_sockaddr
 }
 static inline bool
-addr_match_proto(const struct openvpn_sockaddr *a1,
- const struct openvpn_sockaddr *a2,
+addr_match_proto(const struct openvpn_sockaddr *a1, const struct openvpn_sockaddr *a2,
 const int proto)
 {
- return link_socket_proto_connection_oriented(proto)
- ? addr_match(a1, a2)
- : addr_port_match(a1, a2);
+ return link_socket_proto_connection_oriented(proto) ? addr_match(a1, a2)
+ : addr_port_match(a1, a2);
 }
 static inline bool
-addrlist_match_proto(const struct openvpn_sockaddr *a1,
- struct addrinfo *addr_list,
- const int proto)
+addrlist_match_proto(const struct openvpn_sockaddr *a1, struct addrinfo *addr_list, const int proto)
 {
- return link_socket_proto_connection_oriented(proto)
- ? addrlist_match(a1, addr_list)
- : addrlist_port_match(a1, addr_list);
+ return link_socket_proto_connection_oriented(proto) ? addrlist_match(a1, addr_list)
+ : addrlist_port_match(a1, addr_list);
 }
 static inline void
@@ -864,9 +827,11 @@ af_addr_size(sa_family_t af)
 {
 switch (af)
 {
- case AF_INET: return sizeof(struct sockaddr_in);
+ case AF_INET:
+ return sizeof(struct sockaddr_in);
- case AF_INET6: return sizeof(struct sockaddr_in6);
+ case AF_INET6:
+ return sizeof(struct sockaddr_in6);
 default:
 #if 0
@@ -889,8 +854,7 @@ link_socket_actual_match(const struct link_socket_actual *a1, const struct link_
 static inline bool
 socket_foreign_protocol_detected(const struct link_socket *sock)
 {
- return link_socket_connection_oriented(sock)
- && sock->stream_buf.port_share_state == PS_FOREIGN;
+ return link_socket_connection_oriented(sock) && sock->stream_buf.port_share_state == PS_FOREIGN;
 }
 static inline const struct buffer *
@@ -931,8 +895,7 @@ socket_connection_reset(const struct link_socket *sock, int status)
 }
 static inline bool
-link_socket_verify_incoming_addr(struct buffer *buf,
- const struct link_socket_info *info,
+link_socket_verify_incoming_addr(struct buffer *buf, const struct link_socket_info *info,
 const struct link_socket_actual *from_addr)
 {
 if (buf->len > 0)
@@ -959,8 +922,7 @@ link_socket_verify_incoming_addr(struct buffer *buf,
 }
 static inline void
-link_socket_get_outgoing_addr(struct buffer *buf,
- const struct link_socket_info *info,
+link_socket_get_outgoing_addr(struct buffer *buf, const struct link_socket_info *info,
 struct link_socket_actual **act)
 {
 if (buf->len > 0)
@@ -980,23 +942,18 @@ link_socket_get_outgoing_addr(struct buffer *buf,
 }
 static inline void
-link_socket_set_outgoing_addr(struct link_socket_info *info,
- const struct link_socket_actual *act,
- const char *common_name,
- struct env_set *es)
+link_socket_set_outgoing_addr(struct link_socket_info *info, const struct link_socket_actual *act,
+ const char *common_name, struct env_set *es)
 {
 struct link_socket_addr *lsa = info->lsa;
 if ( /* new or changed address? */ (!info->connection_established
- || !addr_match_proto(&act->dest, &lsa->actual.dest, info->proto)
- )
+ || !addr_match_proto(&act->dest, &lsa->actual.dest, info->proto))
 && /* address undef or address == remote or --float */ (info->remote_float
- || (!lsa->remote_list || addrlist_match_proto(&act->dest, lsa->remote_list, info->proto))
- )
- )
+ || (!lsa->remote_list || addrlist_match_proto(&act->dest, lsa->remote_list, info->proto))))
 {
 link_socket_connection_initiated(info, act, common_name, es);
 }
@@ -1032,14 +989,12 @@ socket_is_dco_win(const struct link_socket *s)
 * Socket Read Routines */
-int link_socket_read_tcp(struct link_socket *sock,
- struct buffer *buf);
+int link_socket_read_tcp(struct link_socket *sock, struct buffer *buf);
 #ifdef _WIN32
 static inline int
-link_socket_read_udp_win32(struct link_socket *sock,
- struct buffer *buf,
+link_socket_read_udp_win32(struct link_socket *sock, struct buffer *buf,
 struct link_socket_actual *from)
 {
 sockethandle_t sh = { .s = sock->sd };
@@ -1054,17 +1009,14 @@ link_socket_read_udp_win32(struct link_socket *sock,
 #else /* ifdef _WIN32 */
-int link_socket_read_udp_posix(struct link_socket *sock,
- struct buffer *buf,
+int link_socket_read_udp_posix(struct link_socket *sock, struct buffer *buf,
 struct link_socket_actual *from);
 #endif /* ifdef _WIN32 */
 /* read a TCP or UDP packet from link */
 static inline int
-link_socket_read(struct link_socket *sock,
- struct buffer *buf,
- struct link_socket_actual *from)
+link_socket_read(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *from)
 {
 if (proto_is_udp(sock->info.proto) || socket_is_dco_win(sock))
 /* unified UDPv4 and UDPv6, for DCO-WIN the kernel
@@ -1096,16 +1048,13 @@ link_socket_read(struct link_socket *sock,
 * Socket Write routines */
-ssize_t link_socket_write_tcp(struct link_socket *sock,
- struct buffer *buf,
+ssize_t link_socket_write_tcp(struct link_socket *sock, struct buffer *buf,
 struct link_socket_actual *to);
 #ifdef _WIN32
 static inline int
-link_socket_write_win32(struct link_socket *sock,
- struct buffer *buf,
- struct link_socket_actual *to)
+link_socket_write_win32(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to)
 {
 int err = 0;
 int status = 0;
@@ -1144,16 +1093,14 @@ link_socket_write_win32(struct link_socket *sock,
 }
 }
-#else /* ifdef _WIN32 */
+#else /* ifdef _WIN32 */
-ssize_t link_socket_write_udp_posix_sendmsg(struct link_socket *sock,
- struct buffer *buf,
+ssize_t link_socket_write_udp_posix_sendmsg(struct link_socket *sock, struct buffer *buf,
 struct link_socket_actual *to);
 static inline ssize_t
-link_socket_write_udp_posix(struct link_socket *sock,
- struct buffer *buf,
+link_socket_write_udp_posix(struct link_socket *sock, struct buffer *buf,
 struct link_socket_actual *to)
 {
 #if ENABLE_IP_PKTINFO
@@ -1164,14 +1111,12 @@ link_socket_write_udp_posix(struct link_socket *sock,
 }
 else
 #endif
- return sendto(sock->sd, BPTR(buf), BLEN(buf), 0,
- (struct sockaddr *) &to->dest.addr.sa,
- (socklen_t) af_addr_size(to->dest.addr.sa.sa_family));
+ return sendto(sock->sd, BPTR(buf), BLEN(buf), 0, (struct sockaddr *)&to->dest.addr.sa,
+ (socklen_t)af_addr_size(to->dest.addr.sa.sa_family));
 }
 static inline ssize_t
-link_socket_write_tcp_posix(struct link_socket *sock,
- struct buffer *buf)
+link_socket_write_tcp_posix(struct link_socket *sock, struct buffer *buf)
 {
 return send(sock->sd, BPTR(buf), BLEN(buf), MSG_NOSIGNAL);
 }
@@ -1179,9 +1124,7 @@ link_socket_write_tcp_posix(struct link_socket *sock,
 #endif /* ifdef _WIN32 */
 static inline ssize_t
-link_socket_write_udp(struct link_socket *sock,
- struct buffer *buf,
- struct link_socket_actual *to)
+link_socket_write_udp(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to)
 {
 #ifdef _WIN32
 return link_socket_write_win32(sock, buf, to);
@@ -1192,9 +1135,7 @@ link_socket_write_udp(struct link_socket *sock,
 /* write a TCP or UDP packet to link */
 static inline ssize_t
-link_socket_write(struct link_socket *sock,
- struct buffer *buf,
- struct link_socket_actual *to)
+link_socket_write(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to)
 {
 if (proto_is_udp(sock->info.proto) || socket_is_dco_win(sock))
 {
@@ -1222,7 +1163,7 @@ link_socket_extract_tos(struct link_socket *sock, const struct buffer *ipbuf)
 {
 if (sock && ipbuf)
 {
- struct openvpn_iphdr *iph = (struct openvpn_iphdr *) BPTR(ipbuf);
+ struct openvpn_iphdr *iph = (struct openvpn_iphdr *)BPTR(ipbuf);
 sock->ptos = iph->tos;
 sock->ptos_defined = true;
 }
@@ -1266,17 +1207,11 @@ socket_event_handle(const struct link_socket *sock)
 event_t socket_listen_event_handle(struct link_socket *sock);
-unsigned int
-socket_set(struct link_socket *sock,
- struct event_set *es,
- unsigned int rwflags,
- void *arg,
- unsigned int *persistent);
+unsigned int socket_set(struct link_socket *sock, struct event_set *es, unsigned int rwflags,
+ void *arg, unsigned int *persistent);
 static inline void
-socket_set_listen_persistent(struct link_socket *sock,
- struct event_set *es,
- void *arg)
+socket_set_listen_persistent(struct link_socket *sock, struct event_set *es, void *arg)
 {
 if (sock && !sock->listen_persistent_queued)
 {
diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c
index 6192c39e6..481d3fb4f 100644
--- a/src/openvpn/socks.c
+++ b/src/openvpn/socks.c
@@ -45,12 +45,10 @@
 #include "memdbg.h"
-#define UP_TYPE_SOCKS "SOCKS Proxy"
+#define UP_TYPE_SOCKS "SOCKS Proxy"
 struct socks_proxy_info *
-socks_proxy_new(const char *server,
- const char *port,
- const char *authfile)
+socks_proxy_new(const char *server, const char *port, const char *authfile)
 {
 struct socks_proxy_info *p;
@@ -83,8 +81,7 @@ socks_proxy_close(struct socks_proxy_info *sp)
 }
 static bool
-socks_username_password_auth(struct socks_proxy_info *p,
- socket_descriptor_t sd,
+socks_username_password_auth(struct socks_proxy_info *p, socket_descriptor_t sd,
 struct event_timeout *server_poll_timeout,
 volatile int *signal_received)
 {
@@ -102,24 +99,23 @@ socks_username_password_auth(struct socks_proxy_info *p,
 goto cleanup;
 }
- if ( (strlen(creds.username) > 255) || (strlen(creds.password) > 255) )
+ if ((strlen(creds.username) > 255) || (strlen(creds.password) > 255))
 {
- msg(M_NONFATAL,
- "SOCKS username and/or password exceeds 255 characters. "
- "Authentication not possible.");
+ msg(M_NONFATAL, "SOCKS username and/or password exceeds 255 characters. "
+ "Authentication not possible.");
 goto cleanup;
 }
- int sret = snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s",
- (int) strlen(creds.username), creds.username,
- (int) strlen(creds.password), creds.password);
+ int sret = snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s", (int)strlen(creds.username),
+ creds.username, (int)strlen(creds.password), creds.password);
 ASSERT(sret <= sizeof(to_send));
 size = send(sd, to_send, strlen(to_send), MSG_NOSIGNAL);
 if (size != strlen(to_send))
 {
- msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port write failed on send()");
+ msg(D_LINK_ERRORS | M_ERRNO,
+ "socks_username_password_auth: TCP port write failed on send()");
 goto cleanup;
 }
@@ -147,14 +143,16 @@ socks_username_password_auth(struct socks_proxy_info *p,
 /* timeout? */
 if (status == 0)
 {
- msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read timeout expired");
+ msg(D_LINK_ERRORS | M_ERRNO,
+ "socks_username_password_auth: TCP port read timeout expired");
 goto cleanup;
 }
 /* error */
 if (status < 0)
 {
- msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read failed on select()");
+ msg(D_LINK_ERRORS | M_ERRNO,
+ "socks_username_password_auth: TCP port read failed on select()");
 goto cleanup;
 }
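Review bot: The username/password sub-negotiation assembled by the `snprintf` in this hunk is transmitted with `strlen(to_send)` bytes, so any NUL inside the message truncates it: the length check just above only rejects lengths over 255 and still admits an empty username or password, for which `%c` with length 0 emits a 0x00 byte and everything after it is silently dropped from the `send()`. The `ASSERT(sret <= sizeof(to_send))` on the following line is also off by one, because an `snprintf` return value equal to the buffer size means the last character was already cut (to_send is declared outside this hunk, so its size cannot be confirmed here). I would send the formatted length rather than the C-string length: `ASSERT(sret > 0 && sret < (int)sizeof(to_send));`, `size = send(sd, to_send, sret, MSG_NOSIGNAL);` and `if (size != sret)`, and reject zero-length credentials in the existing check since RFC 1929 requires ULEN and PLEN of at least 1. socks_username_password_auth begins and ends outside this hunk.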
@@ -164,7 +162,8 @@ socks_username_password_auth(struct socks_proxy_info *p,
 /* error? */
 if (size != 1)
 {
- msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read failed on recv()");
+ msg(D_LINK_ERRORS | M_ERRNO,
+ "socks_username_password_auth: TCP port read failed on recv()");
 goto cleanup;
 }
@@ -187,10 +186,8 @@ cleanup:
 }
 static bool
-socks_handshake(struct socks_proxy_info *p,
- socket_descriptor_t sd,
- struct event_timeout *server_poll_timeout,
- volatile int *signal_received)
+socks_handshake(struct socks_proxy_info *p, socket_descriptor_t sd,
+ struct event_timeout *server_poll_timeout, volatile int *signal_received)
 {
 char buf[2];
 int len = 0;
@@ -201,7 +198,6 @@ socks_handshake(struct socks_proxy_info *p,
 if (p->authfile[0])
 {
 method_sel[2] = 0x02; /* METHODS = [2 (plain login)] */
-
 }
 size = send(sd, method_sel, sizeof(method_sel), MSG_NOSIGNAL);
 if (size != sizeof(method_sel))
@@ -282,7 +278,8 @@ socks_handshake(struct socks_proxy_info *p,
 case 2: /* login/password */
 if (!p->authfile[0])
 {
- msg(D_LINK_ERRORS, "socks_handshake: server asked for username/login auth but we were "
+ msg(D_LINK_ERRORS,
+ "socks_handshake: server asked for username/login auth but we were "
 "not provided any credentials");
 return false;
 }
@@ -303,15 +300,13 @@ socks_handshake(struct socks_proxy_info *p,
 }
 static bool
-recv_socks_reply(socket_descriptor_t sd,
- struct openvpn_sockaddr *addr,
- struct event_timeout *server_poll_timeout,
- volatile int *signal_received)
+recv_socks_reply(socket_descriptor_t sd, struct openvpn_sockaddr *addr,
+ struct event_timeout *server_poll_timeout, volatile int *signal_received)
 {
 char atyp = '\0';
 int alen = 0;
 int len = 0;
- char buf[270]; /* 4 + alen(max 256) + 2 */
+ char buf[270]; /* 4 + alen(max 256) + 2 */
 if (addr != NULL)
 {
@@ -379,18 +374,18 @@ recv_socks_reply(socket_descriptor_t sd,
 {
 switch (atyp)
 {
- case '\x01': /* IP V4 */
+ case '\x01': /* IP V4 */
 alen = 4;
 break;
- case '\x03': /* DOMAINNAME */
+ case '\x03': /* DOMAINNAME */
 /* RFC 1928, section 5: 1 byte length, bytes name, * so the total "address length" is (length+1) */
- alen = (unsigned char) c + 1;
+ alen = (unsigned char)c + 1;
 break;
- case '\x04': /* IP V6 */
+ case '\x04': /* IP V6 */
 alen = 16;
 break;
@@ -421,8 +416,7 @@ recv_socks_reply(socket_descriptor_t sd,
 memcpy(&addr->addr.in4.sin_addr, buf + 4, sizeof(addr->addr.in4.sin_addr));
 memcpy(&addr->addr.in4.sin_port, buf + 8, sizeof(addr->addr.in4.sin_port));
 struct gc_arena gc = gc_new();
- msg(M_INFO, "SOCKS proxy wants us to send UDP to %s",
- print_openvpn_sockaddr(addr, &gc));
+ msg(M_INFO, "SOCKS proxy wants us to send UDP to %s", print_openvpn_sockaddr(addr, &gc));
 gc_free(&gc);
 }
@@ -435,12 +429,12 @@ port_from_servname(const char *servname)
 {
 int port = 0;
 port = atoi(servname);
- if (port >0 && port < 65536)
+ if (port > 0 && port < 65536)
 {
 return port;
 }
- struct servent *service;
+ struct servent *service;
 service = getservbyname(servname, NULL);
 if (service)
 {
@@ -452,9 +446,9 @@ port_from_servname(const char *servname)
 void
 establish_socks_proxy_passthru(struct socks_proxy_info *p,
- socket_descriptor_t sd, /* already open to proxy */
- const char *host, /* openvpn server remote */
- const char *servname, /* openvpn server port */
+ socket_descriptor_t sd, /* already open to proxy */
+ const char *host, /* openvpn server remote */
+ const char *servname, /* openvpn server port */
 struct event_timeout *server_poll_timeout,
 struct signal_info *sig_info)
 {
@@ -467,32 +461,34 @@ establish_socks_proxy_passthru(struct socks_proxy_info *p,
 }
 /* format Socks CONNECT message */
- buf[0] = '\x05'; /* VER = 5 */
- buf[1] = '\x01'; /* CMD = 1 (CONNECT) */
- buf[2] = '\x00'; /* RSV */
- buf[3] = '\x03'; /* ATYP = 3 (DOMAINNAME) */
+ buf[0] = '\x05'; /* VER = 5 */
+ buf[1] = '\x01'; /* CMD = 1 (CONNECT) */
+ buf[2] = '\x00'; /* RSV */
+ buf[3] = '\x03'; /* ATYP = 3 (DOMAINNAME) */
 len = strlen(host);
 len = (5 + len + 2 > sizeof(buf)) ? (sizeof(buf) - 5 - 2) : len;
- buf[4] = (char) len;
+ buf[4] = (char)len;
 memcpy(buf + 5, host, len);
 int port = port_from_servname(servname);
- if (port ==0)
+ if (port == 0)
 {
- msg(D_LINK_ERRORS, "establish_socks_proxy_passthrough: Cannot convert %s to port number", servname);
+ msg(D_LINK_ERRORS, "establish_socks_proxy_passthrough: Cannot convert %s to port number",
+ servname);
 goto error;
 }
- buf[5 + len] = (char) (port >> 8);
- buf[5 + len + 1] = (char) (port & 0xff);
+ buf[5 + len] = (char)(port >> 8);
+ buf[5 + len + 1] = (char)(port & 0xff);
 {
 const ssize_t size = send(sd, buf, 5 + len + 2, MSG_NOSIGNAL);
 if ((int)size != 5 + (int)len + 2)
 {
- msg(D_LINK_ERRORS | M_ERRNO, "establish_socks_proxy_passthru: TCP port write failed on send()");
+ msg(D_LINK_ERRORS | M_ERRNO,
+ "establish_socks_proxy_passthru: TCP port write failed on send()");
 goto error;
 }
 }
@@ -514,7 +510,7 @@ error:
 void
 establish_socks_proxy_udpassoc(struct socks_proxy_info *p,
- socket_descriptor_t ctrl_sd, /* already open to proxy */
+ socket_descriptor_t ctrl_sd, /* already open to proxy */
 struct openvpn_sockaddr *relay_addr,
 struct event_timeout *server_poll_timeout,
 struct signal_info *sig_info)
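Review bot: The clamp `len = (5 + len + 2 > sizeof(buf)) ? (sizeof(buf) - 5 - 2) : len;` in this hunk silently shortens the destination hostname in the SOCKS5 CONNECT request, so an over-long `--remote` would make the proxy connect to a different (truncated) name instead of failing, and the DOMAINNAME length written by `buf[4] = (char)len;` is a single octet, so `len` must also be capped at 255 independently of how large `buf` is (both `buf` and `len` are declared outside this hunk). I would reject instead of truncating: `if (len > 255 || 5 + len + 2 > sizeof(buf)) { msg(D_LINK_ERRORS, "establish_socks_proxy_passthru: hostname too long for SOCKS5 CONNECT"); goto error; }` in place of the clamp. Note that the error strings in this hunk are inconsistent — one says `establish_socks_proxy_passthrough` while the function and the other message say `establish_socks_proxy_passthru` — which makes log grepping harder. establish_socks_proxy_passthru begins and ends outside this hunk.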
@@ -528,12 +524,12 @@ establish_socks_proxy_udpassoc(struct socks_proxy_info *p,
 /* send Socks UDP ASSOCIATE message */
 /* VER = 5, CMD = 3 (UDP ASSOCIATE), RSV = 0, ATYP = 1 (IP V4), * BND.ADDR = 0, BND.PORT = 0 */
- const ssize_t size = send(ctrl_sd,
- "\x05\x03\x00\x01\x00\x00\x00\x00\x00\x00",
- 10, MSG_NOSIGNAL);
+ const ssize_t size =
+ send(ctrl_sd, "\x05\x03\x00\x01\x00\x00\x00\x00\x00\x00", 10, MSG_NOSIGNAL);
 if (size != 10)
 {
- msg(D_LINK_ERRORS | M_ERRNO, "establish_socks_proxy_passthru: TCP port write failed on send()");
+ msg(D_LINK_ERRORS | M_ERRNO,
+ "establish_socks_proxy_passthru: TCP port write failed on send()");
 goto error;
 }
 }
@@ -560,8 +556,7 @@ error:
 * Run after UDP read. */
 void
-socks_process_incoming_udp(struct buffer *buf,
- struct link_socket_actual *from)
+socks_process_incoming_udp(struct buffer *buf, struct link_socket_actual *from)
 {
 int atyp;
@@ -577,7 +572,7 @@ socks_process_incoming_udp(struct buffer *buf,
 }
 atyp = buf_read_u8(buf);
- if (atyp != 1) /* ATYP == 1 (IP V4) */
+ if (atyp != 1) /* ATYP == 1 (IP V4) */
 {
 goto error;
 }
@@ -599,8 +594,7 @@ error:
 * Returns the size of the header. */
 int
-socks_process_outgoing_udp(struct buffer *buf,
- const struct link_socket_actual *to)
+socks_process_outgoing_udp(struct buffer *buf, const struct link_socket_actual *to)
 {
 /* * Get a 10 byte subset buffer prepended to buf --
@@ -612,8 +606,8 @@ socks_process_outgoing_udp(struct buffer *buf,
 /* crash if not enough headroom in buf */
 ASSERT(buf_defined(&head));
- buf_write_u16(&head, 0); /* RSV = 0 */
- buf_write_u8(&head, 0); /* FRAG = 0 */
+ buf_write_u16(&head, 0); /* RSV = 0 */
+ buf_write_u8(&head, 0); /* FRAG = 0 */
 buf_write_u8(&head, '\x01'); /* ATYP = 1 (IP V4) */
 buf_write(&head, &to->dest.addr.in4.sin_addr, sizeof(to->dest.addr.in4.sin_addr));
 buf_write(&head, &to->dest.addr.in4.sin_port, sizeof(to->dest.addr.in4.sin_port));
diff --git a/src/openvpn/socks.h b/src/openvpn/socks.h
index 985745bfe..b5a69b9e7 100644
--- a/src/openvpn/socks.h
+++ b/src/openvpn/socks.h
@@ -33,7 +33,8 @@
 struct openvpn_sockaddr;
 struct link_socket_actual;
-struct socks_proxy_info {
+struct socks_proxy_info
+{
 bool defined;
 char server[128];
@@ -41,29 +42,26 @@ struct socks_proxy_info {
 char authfile[256];
 };
-struct socks_proxy_info *socks_proxy_new(const char *server,
- const char *port,
+struct socks_proxy_info *socks_proxy_new(const char *server, const char *port,
 const char *authfile);
 void socks_proxy_close(struct socks_proxy_info *sp);
 void establish_socks_proxy_passthru(struct socks_proxy_info *p,
- socket_descriptor_t sd, /* already open to proxy */
- const char *host, /* openvpn server remote */
- const char *servname, /* openvpn server port */
+ socket_descriptor_t sd, /* already open to proxy */
+ const char *host, /* openvpn server remote */
+ const char *servname, /* openvpn server port */
 struct event_timeout *server_poll_timeout,
 struct signal_info *sig_info);
 void establish_socks_proxy_udpassoc(struct socks_proxy_info *p,
- socket_descriptor_t ctrl_sd, /* already open to proxy */
+ socket_descriptor_t ctrl_sd, /* already open to proxy */
 struct openvpn_sockaddr *relay_addr,
 struct event_timeout *server_poll_timeout,
 struct signal_info *sig_info);
-void socks_process_incoming_udp(struct buffer *buf,
- struct link_socket_actual *from);
+void socks_process_incoming_udp(struct buffer *buf, struct link_socket_actual *from);
-int socks_process_outgoing_udp(struct buffer *buf,
- const struct link_socket_actual *to);
+int socks_process_outgoing_udp(struct buffer *buf, const struct link_socket_actual *to);
 #endif /* ifndef SOCKS_H */
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 06621bd49..b7db1e713 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -74,20 +74,20 @@ static int tls_handshake_error; /* GLOBAL */
 static int tls_packets_generated; /* GLOBAL */
 static int tls_packets_sent; /* GLOBAL */
-#define INCR_SENT ++tls_packets_sent
-#define INCR_GENERATED ++tls_packets_generated
-#define INCR_SUCCESS ++tls_handshake_success
-#define INCR_ERROR ++tls_handshake_error
+#define INCR_SENT ++tls_packets_sent
+#define INCR_GENERATED ++tls_packets_generated
+#define INCR_SUCCESS ++tls_handshake_success
+#define INCR_ERROR ++tls_handshake_error
 void
 show_tls_performance_stats(void)
 {
 msg(D_TLS_DEBUG_LOW, "TLS Handshakes, success=%f%% (good=%d, bad=%d), retransmits=%f%%",
- (double) tls_handshake_success / (tls_handshake_success + tls_handshake_error) * 100.0,
+ (double)tls_handshake_success / (tls_handshake_success + tls_handshake_error) * 100.0,
 tls_handshake_success, tls_handshake_error,
- (double) (tls_packets_sent - tls_packets_generated) / tls_packets_generated * 100.0);
+ (double)(tls_packets_sent - tls_packets_generated) / tls_packets_generated * 100.0);
 }
-#else /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
+#else /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
 #define INCR_SENT
 #define INCR_GENERATED
@@ -111,7 +111,7 @@ tls_limit_reneg_bytes(const char *ciphername, int64_t *reneg_bytes)
 if (*reneg_bytes == -1) /* Not user-specified */
 {
 msg(M_WARN, "WARNING: cipher with small block size in use, "
- "reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.");
+ "reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.");
 *reneg_bytes = 64 * 1024 * 1024;
 }
 }
@@ -129,9 +129,10 @@ tls_get_limit_aead(const char *ciphername)
 /* set limit to 7/8 of the limit so the renegotiation can succeed before * we go over the limit */
- limit = limit/8 * 7;
+ limit = limit / 8 * 7;
- msg(D_SHOW_KEYS, "Note: AEAD cipher %s will trigger a renegotiation"
+ msg(D_SHOW_KEYS,
+ "Note: AEAD cipher %s will trigger a renegotiation"
 " at a sum of %" PRIi64 " blocks and packets.", ciphername, limit);
 return limit;
@@ -152,8 +153,7 @@ tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu)
 overhead += 10;
 /* tls-auth and tls-crypt */
- overhead += max_int(tls_crypt_buf_overhead(),
- packet_id_size(true) + OPENVPN_MAX_HMAC_SIZE);
+ overhead += max_int(tls_crypt_buf_overhead(), packet_id_size(true) + OPENVPN_MAX_HMAC_SIZE);
 /* TCP length field and opcode */
 overhead += 3;
@@ -217,8 +217,7 @@ calc_control_channel_frame_overhead(const struct tls_session *session)
 /* Add the typical UDP overhead for an IPv6 UDP packet. TCP+IPv6 has a * larger overhead but the risk of a TCP connection getting dropped because * we try to send a too large packet is basically zero */
- overhead += datagram_overhead(session->untrusted_addr.dest.addr.sa.sa_family,
- PROTO_UDP);
+ overhead += datagram_overhead(session->untrusted_addr.dest.addr.sa.sa_family, PROTO_UDP);
 return overhead;
 }
@@ -252,7 +251,8 @@ pem_password_setup(const char *auth_file)
 unprotect_user_pass(&passbuf);
 if (!strlen(passbuf.password))
 {
- get_user_pass(&passbuf, auth_file, UP_TYPE_PRIVATE_KEY, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY);
+ get_user_pass(&passbuf, auth_file, UP_TYPE_PRIVATE_KEY,
+ GET_USER_PASS_MANAGEMENT | GET_USER_PASS_PASSWORD_ONLY);
 }
 }
@@ -291,8 +291,7 @@ enable_auth_user_pass(void)
 }
 void
-auth_user_pass_setup(const char *auth_file, bool is_inline,
- const struct static_challenge_info *sci)
+auth_user_pass_setup(const char *auth_file, bool is_inline, const struct static_challenge_info *sci)
 {
 unsigned int flags = GET_USER_PASS_MANAGEMENT;
@@ -308,11 +307,7 @@ auth_user_pass_setup(const char *auth_file, bool is_inline,
 if (auth_challenge) /* dynamic challenge/response */
 {
 flags |= GET_USER_PASS_DYNAMIC_CHALLENGE;
- get_user_pass_cr(&auth_user_pass,
- auth_file,
- UP_TYPE_AUTH,
- flags,
- auth_challenge);
+ get_user_pass_cr(&auth_user_pass, auth_file, UP_TYPE_AUTH, flags, auth_challenge);
 }
 else if (sci) /* static challenge response */
 {
@@ -325,11 +320,7 @@ auth_user_pass_setup(const char *auth_file, bool is_inline,
 {
 flags |= GET_USER_PASS_STATIC_CHALLENGE_CONCAT;
 }
- get_user_pass_cr(&auth_user_pass,
- auth_file,
- UP_TYPE_AUTH,
- flags,
- sci->challenge_text);
+ get_user_pass_cr(&auth_user_pass, auth_file, UP_TYPE_AUTH, flags, sci->challenge_text);
 }
 else
 #endif /* ifdef ENABLE_MANAGEMENT */
@@ -468,11 +459,10 @@ tls_version_parse(const char *vstr, const char *extra)
 * @param crl_file_inline True if crl_file is an inline CRL. */
 static void
-tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
- bool crl_file_inline)
+tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_file_inline)
 {
 /* if something goes wrong with stat(), we'll store 0 as mtime */
- platform_stat_t crl_stat = {0};
+ platform_stat_t crl_stat = { 0 };
 /* * an inline CRL can't change at runtime, therefore there is no need to
@@ -536,11 +526,10 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_ch
 if (options->dh_file)
 {
- tls_ctx_load_dh_params(new_ctx, options->dh_file,
- options->dh_file_inline);
+ tls_ctx_load_dh_params(new_ctx, options->dh_file, options->dh_file_inline);
 }
 }
- else /* if client */
+ else /* if client */
 {
 tls_ctx_client_new(new_ctx);
 }
@@ -567,8 +556,9 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_ch
 if (options->pkcs12_file)
 {
- if (0 != tls_ctx_load_pkcs12(new_ctx, options->pkcs12_file,
- options->pkcs12_file_inline, !options->ca_file))
+ if (0
+ != tls_ctx_load_pkcs12(new_ctx, options->pkcs12_file, options->pkcs12_file_inline,
+ !options->ca_file))
 {
 goto err;
 }
@@ -593,8 +583,7 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_ch
 #ifdef ENABLE_MANAGEMENT
 else if (options->management_flags & MF_EXTERNAL_CERT)
 {
- char *cert = management_query_cert(management,
- options->management_certificate);
+ char *cert = management_query_cert(management, options->management_certificate);
 tls_ctx_load_cert_file(new_ctx, cert, true);
 free(cert);
 }
@@ -606,8 +595,9 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_ch
 if (options->priv_key_file)
 {
- if (0 != tls_ctx_load_priv_file(new_ctx, options->priv_key_file,
- options->priv_key_file_inline))
+ if (0
+ != tls_ctx_load_priv_file(new_ctx, options->priv_key_file,
+ options->priv_key_file_inline))
 {
 goto err;
 }
@@ -625,15 +615,16 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_ch
 if (options->ca_file || options->ca_path)
 {
- tls_ctx_load_ca(new_ctx, options->ca_file, options->ca_file_inline,
- options->ca_path, options->tls_server);
+ tls_ctx_load_ca(new_ctx, options->ca_file, options->ca_file_inline, options->ca_path,
+ options->tls_server);
 }
 /* Load extra certificates that are part of our own certificate * chain but shouldn't be included in the verify chain */
 if (options->extra_certs_file)
 {
- tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file, options->extra_certs_file_inline);
+ tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file,
+ options->extra_certs_file_inline);
 }
 /* Check certificate notBefore and notAfter */
@@ -777,9 +768,8 @@ print_key_id(struct tls_multi *multi, struct gc_arena *gc)
 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
 {
 struct key_state *ks = get_key_scan(multi, i);
- buf_printf(&out, " [key#%d state=%s auth=%s id=%d sid=%s]", i,
- state_name(ks->state), ks_auth_name(ks->authenticated),
- ks->key_id,
+ buf_printf(&out, " [key#%d state=%s auth=%s id=%d sid=%s]", i, state_name(ks->state),
+ ks_auth_name(ks->authenticated), ks->key_id,
 session_id_print(&ks->session_id_remote, gc));
 }
@@ -832,8 +822,7 @@ key_state_init(struct tls_session *session, struct key_state *ks)
 * Build TLS object that reads/writes ciphertext * to/from memory BIOs. */
- key_state_ssl_init(&ks->ks_ssl, &session->opt->ssl_ctx, session->opt->server,
- session);
+ key_state_ssl_init(&ks->ks_ssl, &session->opt->ssl_ctx, session->opt->server, session);
 /* Set control-channel initiation mode */
 ks->initial_opcode = session->initial_opcode;
@@ -869,14 +858,12 @@ key_state_init(struct tls_session *session, struct key_state *ks)
 session->opt->frame.buf.headroom, TLS_RELIABLE_N_SEND_BUFFERS,
 ks->key_id ? false : session->opt->xmit_hold);
 reliable_init(ks->rec_reliable, BUF_SIZE(&session->opt->frame),
- session->opt->frame.buf.headroom, TLS_RELIABLE_N_REC_BUFFERS,
- false);
+ session->opt->frame.buf.headroom, TLS_RELIABLE_N_REC_BUFFERS, false);
 reliable_set_timeout(ks->send_reliable, session->opt->packet_timeout);
 /* init packet ID tracker */
- packet_id_init(&ks->crypto_options.packet_id,
- session->opt->replay_window, session->opt->replay_time, "SSL",
- ks->key_id);
+ packet_id_init(&ks->crypto_options.packet_id, session->opt->replay_window,
+ session->opt->replay_time, "SSL", ks->key_id);
 ks->crypto_options.pid_persist = NULL;
@@ -888,11 +875,10 @@ key_state_init(struct tls_session *session, struct key_state *ks)
 * Attempt CRL reload before TLS negotiation. Won't be performed if
 * the file was not modified since the last reload
 */
- if (session->opt->crl_file
- && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR))
+ if (session->opt->crl_file && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR))
 {
- tls_ctx_reload_crl(&session->opt->ssl_ctx,
- session->opt->crl_file, session->opt->crl_file_inline);
+ tls_ctx_reload_crl(&session->opt->ssl_ctx, session->opt->crl_file,
+ session->opt->crl_file_inline);
 }
 }
 
@@ -963,7 +949,7 @@ tls_session_user_pass_enabled(struct tls_session *session)
 #ifdef ENABLE_MANAGEMENT
 || management_enable_def_auth(management)
 #endif
- );
+ );
 }
 
 
@@ -1012,8 +998,8 @@ tls_session_init(struct tls_multi *multi, struct tls_session *session)
 }
 else
 {
- session->initial_opcode = session->opt->tls_crypt_v2 ?
- P_CONTROL_HARD_RESET_CLIENT_V3 : P_CONTROL_HARD_RESET_CLIENT_V2;
+ session->initial_opcode = session->opt->tls_crypt_v2 ? P_CONTROL_HARD_RESET_CLIENT_V3
+ : P_CONTROL_HARD_RESET_CLIENT_V2;
 }
 
 /* Initialize control channel authentication parameters */
@@ -1021,10 +1007,8 @@ tls_session_init(struct tls_multi *multi, struct tls_session *session)
 session->tls_wrap.work = alloc_buf(BUF_SIZE(&session->opt->frame));
 
 /* initialize packet ID replay window for --tls-auth */
- packet_id_init(&session->tls_wrap.opt.packet_id,
- session->opt->replay_window,
- session->opt->replay_time,
- "TLS_WRAP", session->key_id);
+ packet_id_init(&session->tls_wrap.opt.packet_id, session->opt->replay_window,
+ session->opt->replay_time, "TLS_WRAP", session->key_id);
 
 /* If we are using tls-crypt-v2 we manipulate the packet id to be (ab)used
 * to indicate early protocol negotiation */
@@ -1035,8 +1019,7 @@ tls_session_init(struct tls_multi *multi, struct tls_session *session)
 }
 
 /* load most recent packet-id to replay protect on --tls-auth */
- packet_id_persist_load_obj(session->tls_wrap.opt.pid_persist,
- &session->tls_wrap.opt.packet_id);
+ packet_id_persist_load_obj(session->tls_wrap.opt.pid_persist, &session->tls_wrap.opt.packet_id);
 
 key_state_init(session, &session->key[KS_PRIMARY]);
 
@@ -1094,9 +1077,7 @@ static void
 move_session(struct tls_multi *multi, int dest, int src, bool reinit_src)
 {
 msg(D_TLS_DEBUG_LOW, "TLS: move_session: dest=%s src=%s reinit_src=%d",
- session_index_name(dest),
- session_index_name(src),
- reinit_src);
+ session_index_name(dest), session_index_name(src), reinit_src);
 ASSERT(src != dest);
 ASSERT(src >= 0 && src < TM_SIZE);
 ASSERT(dest >= 0 && dest < TM_SIZE);
@@ -1200,8 +1181,7 @@ tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu)
 */
 
 struct tls_auth_standalone *
-tls_auth_standalone_init(struct tls_options *tls_options,
- struct gc_arena *gc)
+tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
 {
 struct tls_auth_standalone *tas;
 
@@ -1242,9 +1222,7 @@ tls_auth_standalone_free(struct tls_auth_standalone *tas)
 * sets.
 */
 void
-tls_multi_init_set_options(struct tls_multi *multi,
- const char *local,
- const char *remote)
+tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
 {
 /* initialize options string */
 multi->opt.local_options = local;
@@ -1290,8 +1268,7 @@ tls_multi_free(struct tls_multi *multi, bool clear)
 */
 
 static void
-key_source_print(const struct key_source *k,
- const char *prefix)
+key_source_print(const struct key_source *k, const char *prefix)
 {
 struct gc_arena gc = gc_new();
 
@@ -1299,17 +1276,11 @@ key_source_print(const struct key_source *k,
 VALGRIND_MAKE_READABLE((void *)k->random1, sizeof(k->random1));
 VALGRIND_MAKE_READABLE((void *)k->random2, sizeof(k->random2));
 
- dmsg(D_SHOW_KEY_SOURCE,
- "%s pre_master: %s",
- prefix,
+ dmsg(D_SHOW_KEY_SOURCE, "%s pre_master: %s", prefix,
 format_hex(k->pre_master, sizeof(k->pre_master), 0, &gc));
- dmsg(D_SHOW_KEY_SOURCE,
- "%s random1: %s",
- prefix,
+ dmsg(D_SHOW_KEY_SOURCE, "%s random1: %s", prefix,
 format_hex(k->random1, sizeof(k->random1), 0, &gc));
- dmsg(D_SHOW_KEY_SOURCE,
- "%s random2: %s",
- prefix,
+ dmsg(D_SHOW_KEY_SOURCE, "%s random2: %s", prefix,
 format_hex(k->random2, sizeof(k->random2), 0, &gc));
 
 gc_free(&gc);
@@ -1323,24 +1294,15 @@ key_source2_print(const struct key_source2 *k)
 
 }
 
 static bool
-openvpn_PRF(const uint8_t *secret,
- int secret_len,
- const char *label,
- const uint8_t *client_seed,
- int client_seed_len,
- const uint8_t *server_seed,
- int server_seed_len,
- const struct session_id *client_sid,
- const struct session_id *server_sid,
- uint8_t *output,
- int output_len)
+openvpn_PRF(const uint8_t *secret, int secret_len, const char *label, const uint8_t *client_seed,
+ int client_seed_len, const uint8_t *server_seed, int server_seed_len,
+ const struct session_id *client_sid, const struct session_id *server_sid,
+ uint8_t *output, int output_len)
 {
 /* concatenate seed components */
- struct buffer seed = alloc_buf(strlen(label)
- + client_seed_len
- + server_seed_len
- + SID_SIZE * 2);
+ struct buffer seed =
+ alloc_buf(strlen(label) + client_seed_len + server_seed_len + SID_SIZE * 2);
 
 ASSERT(buf_write(&seed, label, strlen(label)));
 ASSERT(buf_write(&seed, client_seed, client_seed_len));
@@ -1356,8 +1318,7 @@ openvpn_PRF(const uint8_t *secret,
 }
 
 /* compute PRF */
- bool ret = ssl_tls1_PRF(BPTR(&seed), BLEN(&seed), secret, secret_len,
- output, output_len);
+ bool ret = ssl_tls1_PRF(BPTR(&seed), BLEN(&seed), secret, secret_len, output, output_len);
 
 buf_clear(&seed);
 free_buf(&seed);
@@ -1367,11 +1328,8 @@ openvpn_PRF(const uint8_t *secret,
 }
 
 static void
-init_epoch_keys(struct key_state *ks,
- struct tls_multi *multi,
- const struct key_type *key_type,
- bool server,
- struct key2 *key2)
+init_epoch_keys(struct key_state *ks, struct tls_multi *multi, const struct key_type *key_type,
+ bool server, struct key2 *key2)
 {
 /* For now we hardcode this to be 16 for the software based data channel
 * DCO based implementations/HW implementation might adjust this number
@@ -1402,19 +1360,15 @@ init_epoch_keys(struct key_state *ks,
 * b) They let userspace do the key derivation and pass all the individual
 * keys to the DCO layer.
 * */
- epoch_init_key_ctx(co, key_type, &e1_send, &e1_recv, future_key_count);
+ epoch_init_key_ctx(co, key_type, &e1_send, &e1_recv, future_key_count);
 
 secure_memzero(&e1_send, sizeof(e1_send));
 secure_memzero(&e1_recv, sizeof(e1_recv));
 }
 
 static void
-init_key_contexts(struct key_state *ks,
- struct tls_multi *multi,
- const struct key_type *key_type,
- bool server,
- struct key2 *key2,
- bool dco_enabled)
+init_key_contexts(struct key_state *ks, struct tls_multi *multi, const struct key_type *key_type,
+ bool server, struct key2 *key2, bool dco_enabled)
 {
 struct key_ctx_bi *key = &ks->crypto_options.key_ctx_bi;
 
@@ -1428,12 +1382,10 @@ init_key_contexts(struct key_state *ks,
 msg(M_FATAL, "FATAL: DCO does not support --auth");
 }
 
- int ret = init_key_dco_bi(multi, ks, key2, key_direction,
- key_type->cipher, server);
+ int ret = init_key_dco_bi(multi, ks, key2, key_direction, key_type->cipher, server);
 if (ret < 0)
 {
- msg(M_FATAL, "Impossible to install key material in DCO: %s",
- strerror(-ret));
+ msg(M_FATAL, "Impossible to install key material in DCO: %s", strerror(-ret));
 }
 
 /* encrypt/decrypt context are unused with DCO */
@@ -1445,7 +1397,8 @@ init_key_contexts(struct key_state *ks,
 {
 if (!cipher_kt_mode_aead(key_type->cipher))
 {
- msg(M_FATAL, "AEAD cipher (currently %s) "
+ msg(M_FATAL,
+ "AEAD cipher (currently %s) "
 "required for epoch data format.",
 cipher_kt_name(key_type->cipher));
 }
@@ -1461,8 +1414,8 @@ static bool
 generate_key_expansion_tls_export(struct tls_session *session, struct key2 *key2)
 {
 if (!key_state_export_keying_material(session, EXPORT_KEY_DATA_LABEL,
- strlen(EXPORT_KEY_DATA_LABEL),
- key2->keys, sizeof(key2->keys)))
+ strlen(EXPORT_KEY_DATA_LABEL), key2->keys,
+ sizeof(key2->keys)))
 {
 return false;
 }
@@ -1479,42 +1432,28 @@ generate_key_expansion_openvpn_prf(const struct tls_session *session, struct key
 const struct key_state *ks = &session->key[KS_PRIMARY];
 const struct key_source2 *key_src = ks->key_src;
 
- const struct session_id *client_sid = session->opt->server ?
- &ks->session_id_remote : &session->session_id;
- const struct session_id *server_sid = !session->opt->server ?
- &ks->session_id_remote : &session->session_id;
+ const struct session_id *client_sid =
+ session->opt->server ? &ks->session_id_remote : &session->session_id;
+ const struct session_id *server_sid =
+ !session->opt->server ? &ks->session_id_remote : &session->session_id;
 
 /* debugging print of source key material */
 key_source2_print(key_src);
 
 /* compute master secret */
- if (!openvpn_PRF(key_src->client.pre_master,
- sizeof(key_src->client.pre_master),
- KEY_EXPANSION_ID " master secret",
- key_src->client.random1,
- sizeof(key_src->client.random1),
- key_src->server.random1,
- sizeof(key_src->server.random1),
- NULL,
- NULL,
- master,
- sizeof(master)))
+ if (!openvpn_PRF(key_src->client.pre_master, sizeof(key_src->client.pre_master),
+ KEY_EXPANSION_ID " master secret", key_src->client.random1,
+ sizeof(key_src->client.random1), key_src->server.random1,
+ sizeof(key_src->server.random1), NULL, NULL, master, sizeof(master)))
 {
 return false;
 }
 
 /* compute key expansion */
- if (!openvpn_PRF(master,
- sizeof(master),
- KEY_EXPANSION_ID " key expansion",
- key_src->client.random2,
- sizeof(key_src->client.random2),
- key_src->server.random2,
- sizeof(key_src->server.random2),
- client_sid,
- server_sid,
- (uint8_t *)key2->keys,
- sizeof(key2->keys)))
+ if (!openvpn_PRF(master, sizeof(master), KEY_EXPANSION_ID " key expansion",
+ key_src->client.random2, sizeof(key_src->client.random2),
+ key_src->server.random2, sizeof(key_src->server.random2), client_sid,
+ server_sid, (uint8_t *)key2->keys, sizeof(key2->keys)))
 {
 return false;
 }
@@ -1530,8 +1469,7 @@ generate_key_expansion_openvpn_prf(const struct tls_session *session, struct key
 * master key.
 */
 static bool
-generate_key_expansion(struct tls_multi *multi, struct key_state *ks,
- struct tls_session *session)
+generate_key_expansion(struct tls_multi *multi, struct key_state *ks, struct tls_session *session)
 {
 struct key_ctx_bi *key = &ks->crypto_options.key_ctx_bi;
 bool ret = false;
@@ -1558,17 +1496,16 @@ generate_key_expansion(struct tls_multi *multi, struct key_state *ks,
 if (!generate_key_expansion_openvpn_prf(session, &key2))
 {
 msg(D_TLS_ERRORS, "TLS Error: PRF calculation failed. Your system "
- "might not support the old TLS 1.0 PRF calculation anymore or "
- "the policy does not allow it (e.g. running in FIPS mode). "
- "The peer did not announce support for the modern TLS Export "
- "feature that replaces the TLS 1.0 PRF (requires OpenVPN "
- "2.6.x or higher)");
+ "might not support the old TLS 1.0 PRF calculation anymore or "
+ "the policy does not allow it (e.g. running in FIPS mode). "
+ "The peer did not announce support for the modern TLS Export "
+ "feature that replaces the TLS 1.0 PRF (requires OpenVPN "
+ "2.6.x or higher)");
 goto exit;
 }
 }
 
- key2_print(&key2, &session->opt->key_type,
- "Master Encrypt", "Master Decrypt");
+ key2_print(&key2, &session->opt->key_type, "Master Encrypt", "Master Decrypt");
 
 /* check for weak keys */
 for (int i = 0; i < 2; ++i)
@@ -1580,8 +1517,7 @@ generate_key_expansion(struct tls_multi *multi, struct key_state *ks,
 }
 }
 
- init_key_contexts(ks, multi, &session->opt->key_type, server, &key2,
- session->opt->dco_enabled);
+ init_key_contexts(ks, multi, &session->opt->key_type, server, &key2, session->opt->dco_enabled);
 
 ret = true;
 exit:
@@ -1597,11 +1533,10 @@ exit:
 * can thus be called only once per session.
 */
 bool
-tls_session_generate_data_channel_keys(struct tls_multi *multi,
- struct tls_session *session)
+tls_session_generate_data_channel_keys(struct tls_multi *multi, struct tls_session *session)
 {
 bool ret = false;
- struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
+ struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
 
 if (ks->authenticated <= KS_AUTH_FALSE)
 {
@@ -1616,8 +1551,7 @@ tls_session_generate_data_channel_keys(struct tls_multi *multi,
 msg(D_TLS_ERRORS, "TLS Error: generate_key_expansion failed");
 goto cleanup;
 }
- tls_limit_reneg_bytes(session->opt->key_type.cipher,
- &session->opt->renegotiate_bytes);
+ tls_limit_reneg_bytes(session->opt->key_type.cipher, &session->opt->renegotiate_bytes);
 
 session->opt->aead_usage_limit = tls_get_limit_aead(session->opt->key_type.cipher);
 
@@ -1631,23 +1565,18 @@ cleanup:
 }
 
 bool
-tls_session_update_crypto_params_do_work(struct tls_multi *multi,
- struct tls_session *session,
- struct options *options,
- struct frame *frame,
- struct frame *frame_fragment,
- struct link_socket_info *lsi,
+tls_session_update_crypto_params_do_work(struct tls_multi *multi, struct tls_session *session,
+ struct options *options, struct frame *frame,
+ struct frame *frame_fragment, struct link_socket_info *lsi,
 dco_context_t *dco)
 {
 if (session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized)
 {
 /* keys already generated, nothing to do */
 return true;
-
 }
 
- init_key_type(&session->opt->key_type, options->ciphername,
- options->authname, true, true);
+ init_key_type(&session->opt->key_type, options->ciphername, options->authname, true, true);
 
 bool packet_id_long_form = cipher_kt_mode_ofb_cfb(session->opt->key_type.cipher);
 session->opt->crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
@@ -1691,10 +1620,8 @@ tls_session_update_crypto_params_do_work(struct tls_multi *multi,
 * mssfix are set to update in-kernel config */
 if (options->ping_send_timeout || frame->mss_fix)
 {
- int ret = dco_set_peer(dco, multi->dco_peer_id,
- options->ping_send_timeout,
- options->ping_rec_timeout,
- frame->mss_fix);
+ int ret = dco_set_peer(dco, multi->dco_peer_id, options->ping_send_timeout,
+ options->ping_rec_timeout, frame->mss_fix);
 if (ret < 0)
 {
 msg(D_DCO, "Cannot set DCO peer parameters for peer (id=%u): %s",
@@ -1707,11 +1634,9 @@ tls_session_update_crypto_params_do_work(struct tls_multi *multi,
 }
 
 bool
-tls_session_update_crypto_params(struct tls_multi *multi,
- struct tls_session *session,
+tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session,
 struct options *options, struct frame *frame,
- struct frame *frame_fragment,
- struct link_socket_info *lsi,
+ struct frame *frame_fragment, struct link_socket_info *lsi,
 dco_context_t *dco)
 {
 if (!check_session_cipher(session, options))
@@ -1722,19 +1647,18 @@ tls_session_update_crypto_params(struct tls_multi *multi,
 
 /* Import crypto settings that might be set by pull/push */
 session->opt->crypto_flags |= options->imported_protocol_flags;
 
- return tls_session_update_crypto_params_do_work(multi, session, options,
- frame, frame_fragment, lsi, dco);
+ return tls_session_update_crypto_params_do_work(multi, session, options, frame, frame_fragment,
+ lsi, dco);
 }
 
 static bool
-random_bytes_to_buf(struct buffer *buf,
- uint8_t *out,
- int outlen)
+random_bytes_to_buf(struct buffer *buf, uint8_t *out, int outlen)
 {
 if (!rand_bytes(out, outlen))
 {
- msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation [SSL]");
+ msg(M_FATAL,
+ "ERROR: Random number generator cannot obtain entropy for key generation [SSL]");
 }
 if (!buf_write(buf, out, outlen))
 {
@@ -1744,9 +1668,7 @@ random_bytes_to_buf(struct buffer *buf,
 }
 
 static bool
-key_source2_randomize_write(struct key_source2 *k2,
- struct buffer *buf,
- bool server)
+key_source2_randomize_write(struct key_source2 *k2, struct buffer *buf, bool server)
 {
 struct key_source *k = &k2->client;
 if (server)
@@ -1777,9 +1699,7 @@ key_source2_randomize_write(struct key_source2 *k2,
 }
 
 static int
-key_source2_read(struct key_source2 *k2,
- struct buffer *buf,
- bool server)
+key_source2_read(struct key_source2 *k2, struct buffer *buf, bool server)
 {
 struct key_source *k = &k2->client;
 
@@ -1829,10 +1749,10 @@ flush_payload_buffer(struct key_state *ks)
 static void
 key_state_soft_reset(struct tls_session *session)
 {
- struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
+ struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
 struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
 
- ks->must_die = now + session->opt->transition_window; /* remaining lifetime of old key */
+ ks->must_die = now + session->opt->transition_window; /* remaining lifetime of old key */
 key_state_free(ks_lame, false);
 *ks_lame = *ks;
 
@@ -1905,7 +1825,7 @@ read_string(struct buffer *buf, char *str, const unsigned int capacity)
 {
 return -len;
 }
- str[len-1] = '\0';
+ str[len - 1] = '\0';
 return len;
 }
 
@@ -1919,14 +1839,14 @@ read_string_alloc(struct buffer *buf)
 {
 return NULL;
 }
- str = (char *) malloc(len);
+ str = (char *)malloc(len);
 check_malloc_return(str);
 if (!buf_read(buf, str, len))
 {
 free(str);
 return NULL;
 }
- str[len-1] = '\0';
+ str[len - 1] = '\0';
 return str;
 }
 
@@ -2019,7 +1939,6 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
 if (tls_item_in_cipher_list("AES-128-GCM", session->opt->config_ncp_ciphers)
 && tls_item_in_cipher_list("AES-256-GCM", session->opt->config_ncp_ciphers))
 {
-
 buf_printf(&out, "IV_NCP=2\n");
 }
 
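Review bot: The push_peer_info hunk at -2019 reads, in this collapsed rendering, as though `buf_printf(&out, "IV_NCP=2\n");` were being deleted, which would be a protocol-visible change (the peer would stop advertising NCP support) inside a commit described as pure reformatting. The hunk header allows exactly one removed line (7 old, 6 new), so this is most plausibly the blank line after `{` being dropped with the buf_printf kept as context, but that cannot be confirmed from the text alone. It is worth checking the applied tree for the IV_NCP line before merging, since a formatter run that silently dropped a statement would be hard to spot in a diff of this size. The enclosing function push_peer_info starts and ends outside the hunk.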
@@ -2058,7 +1977,7 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
 {
 buf_printf(&out, "IV_HWADDR=%s\n", format_hex_ex(rgi.hwaddr, 6, 0, 1, ":", &gc));
 }
- buf_printf(&out, "IV_SSL=%s\n", get_ssl_library_version() );
+ buf_printf(&out, "IV_SSL=%s\n", get_ssl_library_version());
 #if defined(_WIN32)
 buf_printf(&out, "IV_PLAT_VER=%s\n", win32_version_string(&gc));
 #else
@@ -2080,8 +1999,7 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
 || strncmp(e->string, "IV_PLAT_VER=", sizeof("IV_PLAT_VER=") - 1) == 0)
 && session->opt->push_peer_info_detail > 2)
 || (strncmp(e->string, "IV_GUI_VER=", sizeof("IV_GUI_VER=") - 1) == 0)
- || (strncmp(e->string, "IV_SSO=", sizeof("IV_SSO=") - 1) == 0)
- )
+ || (strncmp(e->string, "IV_SSO=", sizeof("IV_SSO=") - 1) == 0))
 && buf_safe(&out, strlen(e->string) + 1))
 {
 buf_printf(&out, "%s\n", e->string);
@@ -2128,7 +2046,7 @@ write_compat_local_options(struct buffer *buf, const char *options)
 static bool
 key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
 {
- struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
+ struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
 
 ASSERT(buf_init(buf, 0));
 
@@ -2163,7 +2081,7 @@ key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_sessi
 }
 else
 #endif
- if (!write_string(buf, session->opt->local_options, TLS_OPTIONS_LEN))
+ if (!write_string(buf, session->opt->local_options, TLS_OPTIONS_LEN))
 {
 goto error;
 }
@@ -2174,8 +2092,7 @@ key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_sessi
 {
 #ifdef ENABLE_MANAGEMENT
 auth_user_pass_setup(session->opt->auth_user_pass_file,
- session->opt->auth_user_pass_file_inline,
- session->opt->sci);
+ session->opt->auth_user_pass_file_inline, session->opt->sci);
 #else
 auth_user_pass_setup(session->opt->auth_user_pass_file,
 session->opt->auth_user_pass_file_inline, NULL);
@@ -2228,8 +2145,7 @@ key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_sessi
 goto error;
 }
 
- if (session->opt->server && session->opt->mode != MODE_SERVER
- && ks->key_id == 0)
+ if (session->opt->server && session->opt->mode != MODE_SERVER && ks->key_id == 0)
 {
 /* tls-server option set and not P2MP server, so we
 * are a P2P client running in tls-server mode */
@@ -2253,18 +2169,16 @@ export_user_keying_material(struct tls_session *session)
 struct gc_arena gc = gc_new();
 unsigned char *ekm = gc_malloc(session->opt->ekm_size, true, &gc);
 
- if (key_state_export_keying_material(session,
- session->opt->ekm_label,
- session->opt->ekm_label_size,
- ekm, session->opt->ekm_size))
+ if (key_state_export_keying_material(session, session->opt->ekm_label,
+ session->opt->ekm_label_size, ekm,
+ session->opt->ekm_size))
 {
 unsigned int len = (size * 2) + 2;
 
 const char *key = format_hex_ex(ekm, size, len, 0, NULL, &gc);
 setenv_str(session->opt->es, "exported_keying_material", key);
 
- dmsg(D_TLS_DEBUG_MED, "%s: exported keying material: %s",
- __func__, key);
+ dmsg(D_TLS_DEBUG_MED, "%s: exported keying material: %s", __func__, key);
 secure_memzero(ekm, size);
 }
 else
@@ -2283,7 +2197,7 @@ export_user_keying_material(struct tls_session *session)
 static bool
 key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
 {
- struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
+ struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
 struct gc_arena gc = gc_new();
 char *options;
 
@@ -2295,8 +2209,7 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio
 /* discard leading uint32 */
 if (!buf_advance(buf, 4))
 {
- msg(D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).",
- buf->len);
+ msg(D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).", buf->len);
 goto error;
 }
 
@@ -2304,8 +2217,7 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio
 int key_method_flags = buf_read_u8(buf);
 if ((key_method_flags & KEY_METHOD_MASK) != 2)
 {
- msg(D_TLS_ERRORS,
- "TLS ERROR: Unknown key_method/flags=%d received from remote host",
+ msg(D_TLS_ERRORS, "TLS ERROR: Unknown key_method/flags=%d received from remote host",
 key_method_flags);
 goto error;
 }
@@ -2313,7 +2225,8 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio
 /* get key source material (not actual keys yet) */
 if (!key_source2_read(ks->key_src, buf, session->opt->server))
 {
- msg(D_TLS_ERRORS, "TLS Error: Error reading remote data channel key source entropy from plaintext buffer");
+ msg(D_TLS_ERRORS,
+ "TLS Error: Error reading remote data channel key source entropy from plaintext buffer");
 goto error;
 }
 
@@ -2343,13 +2256,11 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio
 }
 
 free(multi->remote_ciphername);
- multi->remote_ciphername =
- options_string_extract_option(options, "cipher", NULL);
+ multi->remote_ciphername = options_string_extract_option(options, "cipher", NULL);
 multi->remote_usescomp = strstr(options, ",comp-lzo,");
 
 /* In OCC we send '[null-cipher]' instead 'none' */
- if (multi->remote_ciphername
- && strcmp(multi->remote_ciphername, "[null-cipher]") == 0)
+ if (multi->remote_ciphername && strcmp(multi->remote_ciphername, "[null-cipher]") == 0)
 {
 free(multi->remote_ciphername);
 multi->remote_ciphername = string_alloc("none", NULL);
@@ -2357,10 +2268,10 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio
 
 if (username_len < 0 || password_len < 0)
 {
- msg(D_TLS_ERRORS, "TLS Error: Username (%d) or password (%d) too long",
- abs(username_len), abs(password_len));
+ msg(D_TLS_ERRORS, "TLS Error: Username (%d) or password (%d) too long", abs(username_len),
+ abs(password_len));
 auth_set_client_reason(multi, "Username or password is too long. "
- "Maximum length is 128 bytes");
+ "Maximum length is 128 bytes");
 /* treat the same as failed username/password and do not error
 * out (goto error) to sent an AUTH_FAILED back to the client */
 
@@ -2386,8 +2297,7 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio
 /* Session verification should have occurred during TLS negotiation*/
 if (!session->verified)
 {
- msg(D_TLS_ERRORS,
- "TLS Error: Certificate verification failed (key-method 2)");
+ msg(D_TLS_ERRORS, "TLS Error: Certificate verification failed (key-method 2)");
 goto error;
 }
 ks->authenticated = KS_AUTH_TRUE;
@@ -2410,7 +2320,7 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio
 if (multi->opt.comp_options.flags & COMP_F_MIGRATE && multi->remote_usescomp)
 {
 msg(D_PUSH, "Note: 'compress migrate' detected remote peer "
- "with compression enabled.");
+ "with compression enabled.");
 remote_options = options_string_compat_lzo(remote_options, &gc);
 }
 #endif
@@ -2419,7 +2329,8 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio
 
 if (session->opt->ssl_flags & SSLF_OPT_VERIFY)
 {
- msg(D_TLS_ERRORS, "Option inconsistency warnings triggering disconnect due to --opt-verify");
+ msg(D_TLS_ERRORS,
+ "Option inconsistency warnings triggering disconnect due to --opt-verify");
 ks->authenticated = KS_AUTH_FALSE;
 }
 }
@@ -2435,7 +2346,9 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio
 {
 export_user_keying_material(session);
 
- if (plugin_call(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL, NULL, NULL, session->opt->es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
+ if (plugin_call(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL, NULL, NULL,
+ session->opt->es)
+ != OPENVPN_PLUGIN_FUNC_SUCCESS)
 {
 ks->authenticated = KS_AUTH_FALSE;
 }
@@ -2485,8 +2398,8 @@ auth_deferred_expire_window(const struct tls_options *o)
 * @return if the state change was succesful
 */
 static bool
-session_move_pre_start(const struct tls_session *session,
- struct key_state *ks, bool skip_initial_send)
+session_move_pre_start(const struct tls_session *session, struct key_state *ks,
+ bool skip_initial_send)
 {
 struct buffer *buf = reliable_get_buf_output_sequenced(ks->send_reliable);
 if (!buf)
@@ -2519,17 +2432,10 @@ session_move_pre_start(const struct tls_session *session,
 #ifdef ENABLE_MANAGEMENT
 if (management && ks->initial_opcode != P_CONTROL_SOFT_RESET_V1)
 {
- management_set_state(management,
- OPENVPN_STATE_WAIT,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL);
+ management_set_state(management, OPENVPN_STATE_WAIT, NULL, NULL, NULL, NULL, NULL);
 }
 #endif
 return true;
-
 }
 
 /**
@@ -2538,8 +2444,7 @@ session_move_pre_start(const struct tls_session *session,
 */
 static void
 session_move_active(struct tls_multi *multi, struct tls_session *session,
- struct link_socket_info *to_link_socket_info,
- struct key_state *ks)
+ struct link_socket_info *to_link_socket_info, struct key_state *ks)
 {
 dmsg(D_TLS_DEBUG_MED, "STATE S_ACTIVE");
 
@@ -2554,8 +2459,8 @@ session_move_active(struct tls_multi *multi, struct tls_session *session,
 INCR_SUCCESS;
 
 /* Set outgoing address for data channel packets */
- link_socket_set_outgoing_addr(to_link_socket_info, &ks->remote_addr,
- session->common_name, session->opt->es);
+ link_socket_set_outgoing_addr(to_link_socket_info, &ks->remote_addr, session->common_name,
+ session->opt->es);
 
 /* Check if we need to advance the tls_multi state machine */
 if (multi->multi_state == CAS_NOT_CONNECTED)
@@ -2581,8 +2486,7 @@ session_move_active(struct tls_multi *multi, struct tls_session *session,
 }
 
 bool
-session_skip_to_pre_start(struct tls_session *session,
- struct tls_pre_decrypt_state *state,
+session_skip_to_pre_start(struct tls_session *session, struct tls_pre_decrypt_state *state,
 struct link_socket_actual *from)
 {
 struct key_state *ks = &session->key[KS_PRIMARY];
@@ -2656,8 +2560,7 @@ error:
 * Returns false if an error is encountered that should abort the session.
 */
 static bool
-read_incoming_tls_ciphertext(struct buffer *buf, struct key_state *ks,
- bool *continue_tls_process)
+read_incoming_tls_ciphertext(struct buffer *buf, struct key_state *ks, bool *continue_tls_process)
 {
 int status = 0;
 if (buf->len)
@@ -2665,8 +2568,7 @@ read_incoming_tls_ciphertext(struct buffer *buf, struct key_state *ks,
 status = key_state_write_ciphertext(&ks->ks_ssl, buf);
 if (status == -1)
 {
- msg(D_TLS_ERRORS,
- "TLS Error: Incoming Ciphertext -> TLS object write error");
+ msg(D_TLS_ERRORS, "TLS Error: Incoming Ciphertext -> TLS object write error");
 return false;
 }
 }
@@ -2686,14 +2588,13 @@ read_incoming_tls_ciphertext(struct buffer *buf, struct key_state *ks,
 static bool
 control_packet_needs_wkc(const struct key_state *ks)
 {
- return (ks->crypto_options.flags & CO_RESEND_WKC)
- && (ks->send_reliable->packet_id == 1);
+ return (ks->crypto_options.flags & CO_RESEND_WKC) && (ks->send_reliable->packet_id == 1);
 }
 
 
 static bool
-read_incoming_tls_plaintext(struct key_state *ks, struct buffer *buf,
- interval_t *wakeup, bool *continue_tls_process)
+read_incoming_tls_plaintext(struct key_state *ks, struct buffer *buf, interval_t *wakeup,
+ bool *continue_tls_process)
 {
 ASSERT(buf_init(buf, 0));
 
@@ -2748,7 +2649,8 @@ write_outgoing_tls_ciphertext(struct tls_session *session, bool *continue_tls_pr
 * if we have a large wrapped client key. */
 if (maxlen < 16)
 {
- msg(D_TLS_ERRORS, "Warning: --max-packet-size (%d) setting too low. "
+ msg(D_TLS_ERRORS,
+ "Warning: --max-packet-size (%d) setting too low. "
 "Sending minimum sized packet.",
 session->opt->frame.tun_mtu);
 maxlen = 16;
@@ -2765,8 +2667,7 @@ write_outgoing_tls_ciphertext(struct tls_session *session, bool *continue_tls_pr
 
 if (status == -1)
 {
- msg(D_TLS_ERRORS,
- "TLS Error: Ciphertext -> reliable TCP/UDP transport read error");
+ msg(D_TLS_ERRORS, "TLS Error: Ciphertext -> reliable TCP/UDP transport read error");
 gc_free(&gc);
 return false;
 }
@@ -2822,12 +2723,9 @@ check_outgoing_ciphertext(struct key_state *ks, struct tls_session *session,
 }
 
 static bool
-tls_process_state(struct tls_multi *multi,
- struct tls_session *session,
- struct buffer *to_link,
+tls_process_state(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link,
 struct link_socket_actual **to_link_addr,
- struct link_socket_info *to_link_socket_info,
- interval_t *wakeup)
+ struct link_socket_info *to_link_socket_info, interval_t *wakeup)
 {
 /* This variable indicates if we should call this method
 * again to process more incoming/outgoing TLS state/data
@@ -2836,7 +2734,7 @@ tls_process_state(struct tls_multi *multi,
 * should only be done after the outer loop (sending packets etc.)
 * has run once more */
 bool continue_tls_process = false;
- struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
+ struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
 
 /* Initial handshake */
 if (ks->state == S_INITIAL)
@@ -2886,8 +2784,7 @@ tls_process_state(struct tls_multi *multi,
 struct buffer b = *buf;
 INCR_SENT;
 
- write_control_auth(session, ks, &b, to_link_addr, opcode,
- CONTROL_SEND_ACK_MAX, true);
+ write_control_auth(session, ks, &b, to_link_addr, opcode, CONTROL_SEND_ACK_MAX, true);
 *to_link = b;
 
 dmsg(D_TLS_DEBUG, "Reliable -> TCP/UDP");
@@ -2943,8 +2840,9 @@ tls_process_state(struct tls_multi *multi,
 
 /* Send Key */
 buf = &ks->plaintext_write_buf;
- if (!buf->len && ((ks->state == S_START && !session->opt->server)
- || (ks->state == S_GOT_KEY && session->opt->server)))
+ if (!buf->len
+ && ((ks->state == S_START && !session->opt->server)
+ || (ks->state == S_GOT_KEY && session->opt->server)))
 {
 if (!key_method_2_write(buf, multi, session))
 {
@@ -2979,8 +2877,7 @@ tls_process_state(struct tls_multi *multi,
 int status = key_state_write_plaintext(&ks->ks_ssl, buf);
 if (status == -1)
 {
- msg(D_TLS_ERRORS,
- "TLS ERROR: Outgoing Plaintext -> TLS object write error");
+ msg(D_TLS_ERRORS, "TLS ERROR: Outgoing Plaintext -> TLS object write error");
 goto error;
 }
 if (status == 1)
@@ -3027,15 +2924,13 @@ should_trigger_renegotiation(const struct tls_session *session, const struct key
 }
 
 /* Byte limit */
- if (session->opt->renegotiate_bytes > 0
- && ks->n_bytes >= session->opt->renegotiate_bytes)
+ if (session->opt->renegotiate_bytes > 0 && ks->n_bytes >= session->opt->renegotiate_bytes)
 {
 return true;
 }
 
 /* Packet limit */
- if (session->opt->renegotiate_packets
- && ks->n_packets >= session->opt->renegotiate_packets)
+ if (session->opt->renegotiate_packets && ks->n_packets >= session->opt->renegotiate_packets)
 {
 return true;
 }
@@ -3102,14 +2997,11 @@ should_trigger_renegotiation(const struct tls_session *session, const struct key
 * want to send to our peer.
 */
 static bool
-tls_process(struct tls_multi *multi,
- struct tls_session *session,
- struct buffer *to_link,
- struct link_socket_actual **to_link_addr,
- struct link_socket_info *to_link_socket_info,
+tls_process(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link,
+ struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info,
 interval_t *wakeup)
 {
- struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
+ struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
 struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
 
 /* Make sure we were initialized and that we're not in an error state */
@@ -3118,21 +3010,18 @@ tls_process(struct tls_multi *multi, ASSERT(session_id_defined(&session->session_id)); /* Should we trigger a soft reset? -- new key, keeps old key for a while */ - if (ks->state >= S_GENERATED_KEYS - && should_trigger_renegotiation(session, ks)) - { - msg(D_TLS_DEBUG_LOW, "TLS: soft reset sec=%d/%d bytes=" counter_format - "/%" PRIi64 " pkts=" counter_format "/%" PRIi64 - " aead_limit_send=%" PRIu64 "/%" PRIu64 - " aead_limit_recv=%" PRIu64 "/%" PRIu64, - (int) (now - ks->established), session->opt->renegotiate_seconds, - ks->n_bytes, session->opt->renegotiate_bytes, - ks->n_packets, session->opt->renegotiate_packets, + if (ks->state >= S_GENERATED_KEYS && should_trigger_renegotiation(session, ks)) + { + msg(D_TLS_DEBUG_LOW, + "TLS: soft reset sec=%d/%d bytes=" counter_format "/%" PRIi64 " pkts=" counter_format + "/%" PRIi64 " aead_limit_send=%" PRIu64 "/%" PRIu64 " aead_limit_recv=%" PRIu64 + "/%" PRIu64, + (int)(now - ks->established), session->opt->renegotiate_seconds, ks->n_bytes, + session->opt->renegotiate_bytes, ks->n_packets, session->opt->renegotiate_packets, ks->crypto_options.key_ctx_bi.encrypt.plaintext_blocks + ks->n_packets, session->opt->aead_usage_limit, ks->crypto_options.key_ctx_bi.decrypt.plaintext_blocks + ks->n_packets, - session->opt->aead_usage_limit - ); + session->opt->aead_usage_limit); key_state_soft_reset(session); } 
@@ -3149,19 +3038,15 @@ tls_process(struct tls_multi *multi, update_time(); dmsg(D_TLS_DEBUG, "TLS: tls_process: chg=%d ks=%s lame=%s to_link->len=%d wakeup=%d", - continue_tls_process, - state_name(ks->state), - state_name(ks_lame->state), - to_link->len, + continue_tls_process, state_name(ks->state), state_name(ks_lame->state), to_link->len, *wakeup); - continue_tls_process = tls_process_state(multi, session, to_link, to_link_addr, - to_link_socket_info, wakeup); + continue_tls_process = + tls_process_state(multi, session, to_link, to_link_addr, to_link_socket_info, wakeup); if (ks->state == S_ERROR) { return false; } - } update_time(); @@ -3192,8 +3077,7 @@ tls_process(struct tls_multi *multi, { struct buffer buf = ks->ack_write_buf; ASSERT(buf_init(&buf, multi->opt.frame.buf.headroom)); - write_control_auth(session, ks, &buf, to_link_addr, P_ACK_V1, - RELIABLE_ACK_SIZE, false); + write_control_auth(session, ks, &buf, to_link_addr, P_ACK_V1, RELIABLE_ACK_SIZE, false); *to_link = buf; dmsg(D_TLS_DEBUG, "Dedicated ACK -> TCP/UDP"); } @@ -3202,8 +3086,7 @@ tls_process(struct tls_multi *multi, /* When should we wake up again? */ if (ks->state >= S_INITIAL || ks->state == S_ERROR_PRE) { - compute_earliest_wakeup(wakeup, - reliable_send_timeout(ks->send_reliable)); + compute_earliest_wakeup(wakeup, reliable_send_timeout(ks->send_reliable)); if (ks->must_negotiate) { @@ -3213,8 +3096,7 @@ tls_process(struct tls_multi *multi, if (ks->established && session->opt->renegotiate_seconds) { - compute_earliest_wakeup(wakeup, - ks->established + session->opt->renegotiate_seconds - now); + compute_earliest_wakeup(wakeup, ks->established + session->opt->renegotiate_seconds - now); } dmsg(D_TLS_DEBUG, "TLS: tls_process: timeout set to %d", *wakeup); 
@@ -3260,7 +3142,7 @@ check_session_buf_not_used(struct buffer *to_link, struct tls_session *session) if (session->tls_wrap.work.data == dataptr) { msg(M_INFO, "Warning buffer of freed TLS session is " - "still in use (tls_wrap.work.data)"); + "still in use (tls_wrap.work.data)"); goto used; } @@ -3278,7 +3160,8 @@ check_session_buf_not_used(struct buffer *to_link, struct tls_session *session) */ if (!ks->send_reliable) { - msg(M_FATAL, "ERROR: session->key[%d]->send_reliable is NULL " + msg(M_FATAL, + "ERROR: session->key[%d]->send_reliable is NULL " "while key state is %s. Exiting.", i, state_name(ks->state)); } @@ -3287,7 +3170,8 @@ check_session_buf_not_used(struct buffer *to_link, struct tls_session *session) { if (ks->send_reliable->array[j].buf.data == dataptr) { - msg(M_INFO, "Warning buffer of freed TLS session is still in" + msg(M_INFO, + "Warning buffer of freed TLS session is still in" " use (session->key[%d].send_reliable->array[%d])", i, j); @@ -3310,11 +3194,9 @@ used: */ int -tls_multi_process(struct tls_multi *multi, - struct buffer *to_link, +tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, - struct link_socket_info *to_link_socket_info, - interval_t *wakeup) + struct link_socket_info *to_link_socket_info, interval_t *wakeup) { struct gc_arena gc = gc_new(); int active = TLSMP_INACTIVE; 
@@ -3338,29 +3220,26 @@ tls_multi_process(struct tls_multi *multi, /* set initial remote address. This triggers connecting with that * session. So we only do that if the TM_ACTIVE session is not * established */ - if (i == TM_INITIAL && ks->state == S_INITIAL - && get_primary_key(multi)->state <= S_INITIAL + if (i == TM_INITIAL && ks->state == S_INITIAL && get_primary_key(multi)->state <= S_INITIAL && link_socket_actual_defined(&to_link_socket_info->lsa->actual)) { ks->remote_addr = to_link_socket_info->lsa->actual; } dmsg(D_TLS_DEBUG, - "TLS: tls_multi_process: i=%d state=%s, mysid=%s, stored-sid=%s, stored-ip=%s", - i, - state_name(ks->state), - session_id_print(&session->session_id, &gc), + "TLS: tls_multi_process: i=%d state=%s, mysid=%s, stored-sid=%s, stored-ip=%s", i, + state_name(ks->state), session_id_print(&session->session_id, &gc), session_id_print(&ks->session_id_remote, &gc), print_link_socket_actual(&ks->remote_addr, &gc)); - if ((ks->state >= S_INITIAL || ks->state == S_ERROR_PRE) && link_socket_actual_defined(&ks->remote_addr)) + if ((ks->state >= S_INITIAL || ks->state == S_ERROR_PRE) + && link_socket_actual_defined(&ks->remote_addr)) { struct link_socket_actual *tla = NULL; update_time(); - if (tls_process(multi, session, to_link, &tla, - to_link_socket_info, wakeup)) + if (tls_process(multi, session, to_link, &tla, to_link_socket_info, wakeup)) { active = TLSMP_ACTIVE; } @@ -3386,14 +3265,12 @@ tls_multi_process(struct tls_multi *multi, { ++multi->n_soft_errors; - if (i == TM_ACTIVE - || (i == TM_INITIAL && get_primary_key(multi)->state < S_ACTIVE)) + if (i == TM_ACTIVE || (i == TM_INITIAL && get_primary_key(multi)->state < S_ACTIVE)) { error = true; } - if (i == TM_ACTIVE - && ks_lame->state >= S_GENERATED_KEYS + if (i == TM_ACTIVE && ks_lame->state >= S_GENERATED_KEYS && !multi->opt.single_session) { move_session(multi, TM_LAME_DUCK, TM_ACTIVE, true); 
@@ -3425,8 +3302,8 @@ tls_multi_process(struct tls_multi *multi, if (ks->state == S_ACTIVE && ks->authenticated == KS_AUTH_TRUE) { /* Session is now fully authenticated. - * tls_session_generate_data_channel_keys will move ks->state - * from S_ACTIVE to S_GENERATED_KEYS */ + * tls_session_generate_data_channel_keys will move ks->state + * from S_ACTIVE to S_GENERATED_KEYS */ if (!tls_session_generate_data_channel_keys(multi, session)) { msg(D_TLS_ERRORS, "TLS Error: generate_key_expansion failed"); @@ -3471,7 +3348,8 @@ tls_multi_process(struct tls_multi *multi, { move_session(multi, TM_ACTIVE, TM_INITIAL, true); tas = tls_authentication_status(multi); - msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: initial untrusted " + msg(D_TLS_DEBUG_LOW, + "TLS: tls_multi_process: initial untrusted " "session promoted to %strusted", tas == TLS_AUTHENTICATION_SUCCEEDED ? "" : "semi-"); @@ -3528,8 +3406,8 @@ nohard: * try to generate a sensible error message and print it */ static void -print_key_id_not_found_reason(struct tls_multi *multi, - const struct link_socket_actual *from, int key_id) +print_key_id_not_found_reason(struct tls_multi *multi, const struct link_socket_actual *from, + int key_id) { struct gc_arena gc = gc_new(); const char *source = print_link_socket_actual(from, &gc); 
@@ -3547,17 +3425,14 @@ print_key_id_not_found_reason(struct tls_multi *multi, * session but has not generated keys. */ if (ks->state >= S_INITIAL && ks->state < S_GENERATED_KEYS) { - msg(D_MULTI_DROPPED, - "Key %s [%d] not initialized (yet), dropping packet.", - source, key_id); + msg(D_MULTI_DROPPED, "Key %s [%d] not initialized (yet), dropping packet.", source, + key_id); gc_free(&gc); return; } if (ks->state >= S_ACTIVE && ks->authenticated != KS_AUTH_TRUE) { - msg(D_MULTI_DROPPED, - "Key %s [%d] not authorized%s, dropping packet.", - source, key_id, + msg(D_MULTI_DROPPED, "Key %s [%d] not authorized%s, dropping packet.", source, key_id, (ks->authenticated == KS_AUTH_DEFERRED) ? " (deferred)" : ""); gc_free(&gc); return; @@ -3567,8 +3442,7 @@ print_key_id_not_found_reason(struct tls_multi *multi, msg(D_TLS_ERRORS, "TLS Error: local/remote TLS keys are out of sync: %s " "(received key id: %d, known key ids: %s)", - source, key_id, - print_key_id(multi, &gc)); + source, key_id, print_key_id(multi, &gc)); gc_free(&gc); } @@ -3580,11 +3454,8 @@ print_key_id_not_found_reason(struct tls_multi *multi, * AEAD ciphers to the start of the authenticated data. */ static inline void -handle_data_channel_packet(struct tls_multi *multi, - const struct link_socket_actual *from, - struct buffer *buf, - struct crypto_options **opt, - bool floated, +handle_data_channel_packet(struct tls_multi *multi, const struct link_socket_actual *from, + struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start) { struct gc_arena gc = gc_new(); @@ -3630,7 +3501,8 @@ handle_data_channel_packet(struct tls_multi *multi, { if (buf->len < 4) { - msg(D_TLS_ERRORS, "Protocol error: received P_DATA_V2 from %s but length is < 4", + msg(D_TLS_ERRORS, + "Protocol error: received P_DATA_V2 from %s but length is < 4", print_link_socket_actual(from, &gc)); ++multi->n_soft_errors; goto done; 
@@ -3640,9 +3512,8 @@ handle_data_channel_packet(struct tls_multi *multi, ++ks->n_packets; ks->n_bytes += buf->len; - dmsg(D_TLS_KEYSELECT, - "TLS: tls_pre_decrypt, key_id=%d, IP=%s", - key_id, print_link_socket_actual(from, &gc)); + dmsg(D_TLS_KEYSELECT, "TLS: tls_pre_decrypt, key_id=%d, IP=%s", key_id, + print_link_socket_actual(from, &gc)); gc_free(&gc); return; } @@ -3683,14 +3554,9 @@ done: */ bool -tls_pre_decrypt(struct tls_multi *multi, - const struct link_socket_actual *from, - struct buffer *buf, - struct crypto_options **opt, - bool floated, - const uint8_t **ad_start) +tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, + struct crypto_options **opt, bool floated, const uint8_t **ad_start) { - if (buf->len <= 0) { buf->len = 0; @@ -3717,18 +3583,16 @@ tls_pre_decrypt(struct tls_multi *multi, /* control channel packet */ bool do_burst = false; bool new_link = false; - struct session_id sid; /* remote session ID */ + struct session_id sid; /* remote session ID */ /* verify legal opcode */ if (op < P_FIRST_OPCODE || op > P_LAST_OPCODE) { - if (op == P_CONTROL_HARD_RESET_CLIENT_V1 - || op == P_CONTROL_HARD_RESET_SERVER_V1) + if (op == P_CONTROL_HARD_RESET_CLIENT_V1 || op == P_CONTROL_HARD_RESET_SERVER_V1) { msg(D_TLS_ERRORS, "Peer tried unsupported key-method 1"); } - msg(D_TLS_ERRORS, - "TLS Error: unknown opcode received from %s op=%d", + msg(D_TLS_ERRORS, "TLS Error: unknown opcode received from %s op=%d", print_link_socket_actual(from, &gc), op); goto error; } 
@@ -3737,8 +3601,8 @@ tls_pre_decrypt(struct tls_multi *multi, if (is_hard_reset_method2(op)) { /* verify client -> server or server -> client connection */ - if (((op == P_CONTROL_HARD_RESET_CLIENT_V2 - || op == P_CONTROL_HARD_RESET_CLIENT_V3) && !multi->opt.server) + if (((op == P_CONTROL_HARD_RESET_CLIENT_V2 || op == P_CONTROL_HARD_RESET_CLIENT_V3) + && !multi->opt.server) || ((op == P_CONTROL_HARD_RESET_SERVER_V2) && multi->opt.server)) { msg(D_TLS_ERRORS, @@ -3751,8 +3615,8 @@ tls_pre_decrypt(struct tls_multi *multi, /* * Authenticate Packet */ - dmsg(D_TLS_DEBUG, "TLS: control channel, op=%s, IP=%s", - packet_opcode_name(op), print_link_socket_actual(from, &gc)); + dmsg(D_TLS_DEBUG, "TLS: control channel, op=%s, IP=%s", packet_opcode_name(op), + print_link_socket_actual(from, &gc)); /* get remote session-id */ { @@ -3760,8 +3624,7 @@ tls_pre_decrypt(struct tls_multi *multi, buf_advance(&tmp, 1); if (!session_id_read(&sid, &tmp) || !session_id_defined(&sid)) { - msg(D_TLS_ERRORS, - "TLS Error: session-id not found in packet from %s", + msg(D_TLS_ERRORS, "TLS Error: session-id not found in packet from %s", print_link_socket_actual(from, &gc)); goto error; } 
@@ -3774,29 +3637,25 @@ tls_pre_decrypt(struct tls_multi *multi, struct tls_session *session = &multi->session[i]; struct key_state *ks = &session->key[KS_PRIMARY]; - dmsg(D_TLS_DEBUG, - "TLS: initial packet test, i=%d state=%s, mysid=%s, rec-sid=%s, rec-ip=%s, stored-sid=%s, stored-ip=%s", - i, - state_name(ks->state), - session_id_print(&session->session_id, &gc), - session_id_print(&sid, &gc), - print_link_socket_actual(from, &gc), - session_id_print(&ks->session_id_remote, &gc), - print_link_socket_actual(&ks->remote_addr, &gc)); + dmsg( + D_TLS_DEBUG, + "TLS: initial packet test, i=%d state=%s, mysid=%s, rec-sid=%s, rec-ip=%s, stored-sid=%s, stored-ip=%s", + i, state_name(ks->state), session_id_print(&session->session_id, &gc), + session_id_print(&sid, &gc), print_link_socket_actual(from, &gc), + session_id_print(&ks->session_id_remote, &gc), + print_link_socket_actual(&ks->remote_addr, &gc)); if (session_id_equal(&ks->session_id_remote, &sid)) /* found a match */ { if (i == TM_LAME_DUCK) { - msg(D_TLS_ERRORS, - "TLS ERROR: received control packet with stale session-id=%s", + msg(D_TLS_ERRORS, "TLS ERROR: received control packet with stale session-id=%s", session_id_print(&sid, &gc)); goto error; } - dmsg(D_TLS_DEBUG, - "TLS: found match, session[%d], sid=%s", - i, session_id_print(&sid, &gc)); + dmsg(D_TLS_DEBUG, "TLS: found match, session[%d], sid=%s", i, + session_id_print(&sid, &gc)); break; } } @@ -3827,8 +3686,8 @@ tls_pre_decrypt(struct tls_multi *multi, goto error; } - if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id), from, - session->opt, true)) + if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id), from, session->opt, + true)) { goto error; } 
@@ -3836,13 +3695,7 @@ tls_pre_decrypt(struct tls_multi *multi, #ifdef ENABLE_MANAGEMENT if (management) { - management_set_state(management, - OPENVPN_STATE_AUTH, - NULL, - NULL, - NULL, - NULL, - NULL); + management_set_state(management, OPENVPN_STATE_AUTH, NULL, NULL, NULL, NULL, NULL); } #endif @@ -3852,10 +3705,8 @@ tls_pre_decrypt(struct tls_multi *multi, * * Without --tls-auth, we leave authentication entirely up to TLS. */ - msg(D_TLS_DEBUG_LOW, - "TLS: Initial packet from %s, sid=%s", - print_link_socket_actual(from, &gc), - session_id_print(&sid, &gc)); + msg(D_TLS_DEBUG_LOW, "TLS: Initial packet from %s, sid=%s", + print_link_socket_actual(from, &gc), session_id_print(&sid, &gc)); do_burst = true; new_link = true; @@ -3872,11 +3723,8 @@ tls_pre_decrypt(struct tls_multi *multi, */ if (i != TM_ACTIVE && i != TM_INITIAL) { - msg(D_TLS_ERRORS, - "TLS Error: Unroutable control packet received from %s (si=%d op=%s)", - print_link_socket_actual(from, &gc), - i, - packet_opcode_name(op)); + msg(D_TLS_ERRORS, "TLS Error: Unroutable control packet received from %s (si=%d op=%s)", + print_link_socket_actual(from, &gc), i, packet_opcode_name(op)); goto error; } @@ -3897,17 +3745,16 @@ tls_pre_decrypt(struct tls_multi *multi, */ if (op == P_CONTROL_SOFT_RESET_V1 && ks->state >= S_GENERATED_KEYS) { - if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id), - from, session->opt, false)) + if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id), from, + session->opt, false)) { goto error; } key_state_soft_reset(session); - dmsg(D_TLS_DEBUG, - "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s", - i, session_id_print(&sid, &gc)); + dmsg(D_TLS_DEBUG, "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s", i, + session_id_print(&sid, &gc)); } else { 
@@ -3928,8 +3775,8 @@ tls_pre_decrypt(struct tls_multi *multi, do_burst = true; } - if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id), - from, session->opt, initial_packet)) + if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id), from, + session->opt, initial_packet)) { /* if an initial packet in read_control_auth, we rather * error out than anything else */ @@ -3940,9 +3787,8 @@ tls_pre_decrypt(struct tls_multi *multi, goto error; } - dmsg(D_TLS_DEBUG, - "TLS: received control channel packet s#=%d sid=%s", - i, session_id_print(&sid, &gc)); + dmsg(D_TLS_DEBUG, "TLS: received control channel packet s#=%d sid=%s", i, + session_id_print(&sid, &gc)); } } @@ -3994,9 +3840,8 @@ tls_pre_decrypt(struct tls_multi *multi, /* Check key_id */ if (ks->key_id != key_id) { - msg(D_TLS_ERRORS, - "TLS ERROR: local/remote key IDs out of sync (%d/%d) ID: %s", - ks->key_id, key_id, print_key_id(multi, &gc)); + msg(D_TLS_ERRORS, "TLS ERROR: local/remote key IDs out of sync (%d/%d) ID: %s", ks->key_id, + key_id, print_key_id(multi, &gc)); goto error; } @@ -4010,8 +3855,7 @@ tls_pre_decrypt(struct tls_multi *multi, if (!reliable_ack_read(&send_ack, buf, &session->session_id)) { - msg(D_TLS_ERRORS, - "TLS Error: reading acknowledgement record from packet"); + msg(D_TLS_ERRORS, "TLS Error: reading acknowledgement record from packet"); goto error; } reliable_send_purge(ks->send_reliable, &send_ack); 
@@ -4034,14 +3878,14 @@ tls_pre_decrypt(struct tls_multi *multi, ASSERT(in); if (!buf_copy(in, buf)) { - msg(D_MULTI_DROPPED, - "Incoming control channel packet too big, dropping."); + msg(D_MULTI_DROPPED, "Incoming control channel packet too big, dropping."); goto error; } reliable_mark_active_incoming(ks->rec_reliable, in, id, op); } - /* Process outgoing acknowledgment for packet just received, even if it's a replay */ + /* Process outgoing acknowledgment for packet just received, even if it's a replay + */ reliable_ack_acknowledge_packet_id(ks->rec_ack, id); } } @@ -4090,8 +3934,7 @@ tls_select_encryption_key(struct tls_multi *multi) /* Choose the key with which to encrypt a data packet */ void -tls_pre_encrypt(struct tls_multi *multi, - struct buffer *buf, struct crypto_options **opt) +tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt) { multi->save_ks = NULL; if (buf->len <= 0) @@ -4146,8 +3989,7 @@ tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf) ASSERT(ks); - peer = htonl(((P_DATA_V2 << P_OPCODE_SHIFT) | ks->key_id) << 24 - | (multi->peer_id & 0xFFFFFF)); + peer = htonl(((P_DATA_V2 << P_OPCODE_SHIFT) | ks->key_id) << 24 | (multi->peer_id & 0xFFFFFF)); ASSERT(buf_write_prepend(buf, &peer, 4)); } @@ -4172,9 +4014,7 @@ tls_post_encrypt(struct tls_multi *multi, struct buffer *buf) */ bool -tls_send_payload(struct key_state *ks, - const uint8_t *data, - int size) +tls_send_payload(struct key_state *ks, const uint8_t *data, int size) { bool ret = false; @@ -4206,8 +4046,7 @@ tls_send_payload(struct key_state *ks, } bool -tls_rec_payload(struct tls_multi *multi, - struct buffer *buf) +tls_rec_payload(struct tls_multi *multi, struct buffer *buf) { bool ret = false; 
@@ -4260,8 +4099,7 @@ tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual } void -show_available_tls_ciphers(const char *cipher_list, - const char *cipher_list_tls13, +show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile) { printf("Available TLS Ciphers, listed in order of preference:\n"); @@ -4278,8 +4116,7 @@ show_available_tls_ciphers(const char *cipher_list, printf("\n" "Be aware that that whether a cipher suite in this list can actually work\n" "depends on the specific setup of both peers. See the man page entries of\n" - "--tls-cipher and --show-tls for more details.\n\n" - ); + "--tls-cipher and --show-tls for more details.\n\n"); } /* @@ -4385,7 +4222,8 @@ protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc) } if (flags & PD_VERBOSE) { - buf_printf(&out, " tls_crypt_hmac=%s", format_hex(tls_crypt_hmac, TLS_CRYPT_TAG_SIZE, 0, gc)); + buf_printf(&out, " tls_crypt_hmac=%s", + format_hex(tls_crypt_hmac, TLS_CRYPT_TAG_SIZE, 0, gc)); } /* * Remainder is encrypted and optional wKc diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index b952cd92b..976808d86 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -57,9 +57,10 @@ /* * Various timeouts */ -#define TLS_MULTI_REFRESH 15 /* call tls_multi_process once every n seconds */ -#define TLS_MULTI_HORIZON 2 /* call tls_multi_process frequently for n seconds after - * every packet sent/received action */ +#define TLS_MULTI_REFRESH 15 /* call tls_multi_process once every n seconds */ +#define TLS_MULTI_HORIZON \ + 2 /* call tls_multi_process frequently for n seconds after \ + * every packet sent/received action */ /* * Buffer sizes (also see mtu.h). 
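Review bot: In the ssl.h hunk, the reformatted TLS_MULTI_HORIZON definition now carries a backslash inside its block comment (`2 /* call tls_multi_process frequently for n seconds after \`), so the comment text itself acts as a preprocessor line continuation. Backslash-newline is spliced away in translation phase 2, before comments are stripped, so the macro still expands to `2`, but a continuation living inside comment text is easy to break on the next edit and reads oddly. Placing the explanation above the definition avoids the continuation entirely: `/* call tls_multi_process frequently for n seconds after every packet sent/received action */` followed by `#define TLS_MULTI_HORIZON 2`. The neighbouring TLS_MULTI_REFRESH line only gained column alignment and needs no change; a formatter run may presumably re-flow a trailing comment again, which is a further reason to keep it on its own line.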
@@ -77,49 +78,49 @@ * as reserved for this reason */ /** Support P_DATA_V2 */ -#define IV_PROTO_DATA_V2 (1<<1) +#define IV_PROTO_DATA_V2 (1 << 1) /** Assume client will send a push request and server does not need * to wait for a push-request to send a push-reply */ -#define IV_PROTO_REQUEST_PUSH (1<<2) +#define IV_PROTO_REQUEST_PUSH (1 << 2) /** Supports key derivation via TLS key material exporter [RFC5705] */ -#define IV_PROTO_TLS_KEY_EXPORT (1<<3) +#define IV_PROTO_TLS_KEY_EXPORT (1 << 3) /** Supports signaling keywords with AUTH_PENDING, e.g. timeout=xy */ -#define IV_PROTO_AUTH_PENDING_KW (1<<4) +#define IV_PROTO_AUTH_PENDING_KW (1 << 4) /** Support doing NCP in P2P mode. This mode works by both peers looking at * each other's IV_ variables and deterministically deciding both on the same * result. */ -#define IV_PROTO_NCP_P2P (1<<5) +#define IV_PROTO_NCP_P2P (1 << 5) /** Supports the --dns option introduced in version 2.6. Not sent anymore. */ -#define IV_PROTO_DNS_OPTION (1<<6) +#define IV_PROTO_DNS_OPTION (1 << 6) /** Support for explicit exit notify via control channel * This also includes support for the protocol-flags pushed option */ -#define IV_PROTO_CC_EXIT_NOTIFY (1<<7) +#define IV_PROTO_CC_EXIT_NOTIFY (1 << 7) /** Support for AUTH_FAIL,TEMP messages */ -#define IV_PROTO_AUTH_FAIL_TEMP (1<<8) +#define IV_PROTO_AUTH_FAIL_TEMP (1 << 8) /** Support to dynamic tls-crypt (renegotiation with TLS-EKM derived tls-crypt key) */ -#define IV_PROTO_DYN_TLS_CRYPT (1<<9) +#define IV_PROTO_DYN_TLS_CRYPT (1 << 9) /** Support the extended packet id and epoch format for data channel packets */ -#define IV_PROTO_DATA_EPOCH (1<<10) +#define IV_PROTO_DATA_EPOCH (1 << 10) /** Supports the --dns option after all the incompatible changes */ -#define IV_PROTO_DNS_OPTION_V2 (1<<11) +#define IV_PROTO_DNS_OPTION_V2 (1 << 11) /** Supports push-update */ -#define IV_PROTO_PUSH_UPDATE (1<<12) +#define IV_PROTO_PUSH_UPDATE (1 << 12) /* Default field in X509 to be username */ 
#define X509_USERNAME_FIELD_DEFAULT "CN" -#define KEY_METHOD_2 2 +#define KEY_METHOD_2 2 /* key method taken from lower 4 bits */ #define KEY_METHOD_MASK 0x0F @@ -206,9 +207,7 @@ void tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu) * Used to verify compatibility of local and remote option * sets. */ -void tls_multi_init_set_options(struct tls_multi *multi, - const char *local, - const char *remote); +void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote); /** * Cleanup a \c tls_multi structure and free associated memory @@ -228,9 +227,9 @@ void tls_multi_free(struct tls_multi *multi, bool clear); /** @} addtogroup control_processor */ -#define TLSMP_INACTIVE 0 -#define TLSMP_ACTIVE 1 -#define TLSMP_KILL 2 +#define TLSMP_INACTIVE 0 +#define TLSMP_ACTIVE 1 +#define TLSMP_KILL 2 #define TLSMP_RECONNECT 3 /* @@ -239,11 +238,9 @@ void tls_multi_free(struct tls_multi *multi, bool clear); * Basically decides if we should call tls_process for * the active or untrusted sessions. */ -int tls_multi_process(struct tls_multi *multi, - struct buffer *to_link, +int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, - struct link_socket_info *to_link_socket_info, - interval_t *wakeup); + struct link_socket_info *to_link_socket_info, interval_t *wakeup); /**************************************************************************/ @@ -299,11 +296,8 @@ int tls_multi_process(struct tls_multi *multi, * @li False if the packet is a data channel packet, or if an error * occurred during processing of a control channel packet. */ -bool tls_pre_decrypt(struct tls_multi *multi, - const struct link_socket_actual *from, - struct buffer *buf, - struct crypto_options **opt, - bool floated, +bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, + struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start); 
@@ -325,8 +319,7 @@ bool tls_pre_decrypt(struct tls_multi *multi, * @param buf - The buffer containing the outgoing packet. * @param opt - Returns a crypto options structure with the security parameters. */ -void tls_pre_encrypt(struct tls_multi *multi, - struct buffer *buf, struct crypto_options **opt); +void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt); /** * Selects the primary encryption that should be used to encrypt data of an @@ -351,8 +344,7 @@ struct key_state *tls_select_encryption_key(struct tls_multi *multi); * * @ingroup data_crypto */ -void -tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf); +void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf); /** * Prepend an OpenVPN data channel P_DATA_V2 header to the packet. The @@ -370,8 +362,7 @@ tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf); * * @ingroup data_crypto */ -void -tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf); +void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf); /** * Perform some accounting for the key state used. @@ -435,15 +426,12 @@ void ssl_put_auth_challenge(const char *cr_str); /* * Send a payload over the TLS control channel */ -bool tls_send_payload(struct key_state *ks, - const uint8_t *data, - int size); +bool tls_send_payload(struct key_state *ks, const uint8_t *data, int size); /* * Receive a payload through the TLS control channel */ -bool tls_rec_payload(struct tls_multi *multi, - struct buffer *buf); +bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf); /** * Updates remote address in TLS sessions. 
@@ -451,8 +439,7 @@ bool tls_rec_payload(struct tls_multi *multi, * @param multi - Tunnel to update * @param addr - new address */ -void tls_update_remote_addr(struct tls_multi *multi, - const struct link_socket_actual *addr); +void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr); /** * Update TLS session crypto parameters (cipher and auth) and derive data @@ -472,12 +459,9 @@ void tls_update_remote_addr(struct tls_multi *multi, * * @return true if updating succeeded or keys are already generated, false otherwise. */ -bool tls_session_update_crypto_params(struct tls_multi *multi, - struct tls_session *session, - struct options *options, - struct frame *frame, - struct frame *frame_fragment, - struct link_socket_info *lsi, +bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session, + struct options *options, struct frame *frame, + struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco); /* @@ -536,14 +520,12 @@ tls_set_single_session(struct tls_multi *multi) * protocol_dump() flags */ #define PD_TLS_AUTH_HMAC_SIZE_MASK 0xFF -#define PD_SHOW_DATA (1<<8) -#define PD_TLS (1<<9) -#define PD_VERBOSE (1<<10) -#define PD_TLS_CRYPT (1<<11) +#define PD_SHOW_DATA (1 << 8) +#define PD_TLS (1 << 9) +#define PD_VERBOSE (1 << 10) +#define PD_TLS_CRYPT (1 << 11) -const char *protocol_dump(struct buffer *buffer, - unsigned int flags, - struct gc_arena *gc); +const char *protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc); /* * debugging code 
@@ -569,10 +551,8 @@ bool is_hard_reset_method2(int op); * @param cipher_list_tls13 list of allowed TLS 1.3+ cipher, or NULL * @param tls_cert_profile TLS certificate crypto profile name. */ -void -show_available_tls_ciphers(const char *cipher_list, - const char *cipher_list_tls13, - const char *tls_cert_profile); +void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, + const char *tls_cert_profile); /** @@ -581,25 +561,19 @@ show_available_tls_ciphers(const char *cipher_list, * This erases the source material used to generate the data channel keys, and * can thus be called only once per session. */ -bool -tls_session_generate_data_channel_keys(struct tls_multi *multi, - struct tls_session *session); +bool tls_session_generate_data_channel_keys(struct tls_multi *multi, struct tls_session *session); -void -tls_session_soft_reset(struct tls_multi *multi); +void tls_session_soft_reset(struct tls_multi *multi); /** * Load ovpn.xkey provider used for external key signing */ -void -load_xkey_provider(void); +void load_xkey_provider(void); /* Special method to skip the three way handshake RESET stages. This is * used by the HMAC code when seeing a packet that matches the previous * HMAC based stateless server state */ -bool -session_skip_to_pre_start(struct tls_session *session, - struct tls_pre_decrypt_state *state, - struct link_socket_actual *from); +bool session_skip_to_pre_start(struct tls_session *session, struct tls_pre_decrypt_state *state, + struct link_socket_actual *from); #endif /* ifndef OPENVPN_SSL_H */ diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h index 8023fed28..da3e1e10c 100644 --- a/src/openvpn/ssl_backend.h +++ b/src/openvpn/ssl_backend.h 
@@ -101,11 +101,11 @@ void tls_clear_error(void); * if a parse error should be flagged. */ #define TLS_VER_BAD -1 -#define TLS_VER_UNSPEC 0 /* default */ -#define TLS_VER_1_0 1 -#define TLS_VER_1_1 2 -#define TLS_VER_1_2 3 -#define TLS_VER_1_3 4 +#define TLS_VER_UNSPEC 0 /* default */ +#define TLS_VER_1_0 1 +#define TLS_VER_1_1 2 +#define TLS_VER_1_2 3 +#define TLS_VER_1_3 4 int tls_version_parse(const char *vstr, const char *extra); /** @@ -218,8 +218,7 @@ void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx); * of inline files. * @param dh_file_inline True if dh_file is an inline file. */ -void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, - bool dh_file_inline); +void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline); /** * Load Elliptic Curve Parameters, and load them into the library-specific @@ -228,8 +227,7 @@ void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, * @param ctx TLS context to use * @param curve_name The name of the elliptic curve to load. */ -void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name - ); +void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name); /** * Load PKCS #12 file for key, cert and (optionally) CA certs, and add to @@ -246,8 +244,8 @@ void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name * @return 1 if an error occurred, 0 if parsing was * successful. */ -int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, - bool pkcs12_file_inline, bool load_ca_file); +int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline, + bool load_ca_file); /** * Use Windows cryptoapi for key and cert, and add to library-specific TLS 
@@ -271,8 +269,7 @@ void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert * of inline files. * @param cert_file_inline True if cert_file is an inline file. */ -void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, - bool cert_file_inline); +void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline); /** * Load private key file into the given TLS context. @@ -318,8 +315,8 @@ int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx); * connection and should use the CA for verifying * client certificates */ -void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, - bool ca_file_inline, const char *ca_path, bool tls_server); +void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inline, + const char *ca_path, bool tls_server); /** * Load extra certificate authority certificates from the given file or path. @@ -334,8 +331,7 @@ void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, * @param extra_certs_file_inline True if extra_certs_file is an inline * file. */ -void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, - const char *extra_certs_file, +void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, bool extra_certs_file_inline); #ifdef ENABLE_CRYPTO_MBEDTLS 
@@ -364,15 +360,14 @@ void tls_ctx_personalise_random(struct tls_root_ctx *ctx);
  * @param is_server Initialise a server?
  * @param session The session associated with the given key_state
  */
-void key_state_ssl_init(struct key_state_ssl *ks_ssl,
- const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session);
+void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx,
+ bool is_server, struct tls_session *session);
 /**
  * Sets a TLS session to be shutdown state, so the TLS library will generate
  * a shutdown alert.
  */
-void
-key_state_ssl_shutdown(struct key_state_ssl *ks_ssl);
+void key_state_ssl_shutdown(struct key_state_ssl *ks_ssl);
 /**
  * Free the SSL channel part of the given key state.
@@ -389,12 +384,12 @@ void key_state_ssl_free(struct key_state_ssl *ks_ssl);
  * an array containing the inline CRL.
  * @param crl_inline True if crl_file is an inline CRL.
  */
-void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx,
- const char *crl_file, bool crl_inline);
+void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
+ bool crl_inline);
-#define EXPORT_KEY_DATA_LABEL "EXPORTER-OpenVPN-datakeys"
-#define EXPORT_P2P_PEERID_LABEL "EXPORTER-OpenVPN-p2p-peerid"
-#define EXPORT_DYNAMIC_TLS_CRYPT_LABEL "EXPORTER-OpenVPN-dynamic-tls-crypt"
+#define EXPORT_KEY_DATA_LABEL "EXPORTER-OpenVPN-datakeys"
+#define EXPORT_P2P_PEERID_LABEL "EXPORTER-OpenVPN-p2p-peerid"
+#define EXPORT_DYNAMIC_TLS_CRYPT_LABEL "EXPORTER-OpenVPN-dynamic-tls-crypt"
 /**
  * Keying Material Exporters [RFC 5705] allows additional keying material to be
  * derived from existing TLS channel. This exported keying material can then be
@@ -407,10 +402,8 @@ void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx,
  * @param ekm_size The size of ekm, in bytes
  * @returns true if exporting succeeded, false otherwise
  */
-bool
-key_state_export_keying_material(struct tls_session *session,
- const char *label, size_t label_size,
- void *ekm, size_t ekm_size);
+bool key_state_export_keying_material(struct tls_session *session, const char *label,
+ size_t label_size, void *ekm, size_t ekm_size);
 /**************************************************************************/
 /** @addtogroup control_tls
@@ -453,8 +446,7 @@ int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf);
  * again later to retry.
  * - \c -1: An error occurred.
  */
-int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl,
- const uint8_t *data, int len);
+int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len);
 /**
  * Extract ciphertext data from the TLS module.
@@ -499,8 +491,7 @@ int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf);
  * again later to retry.
  * - \c -1: An error occurred.
  */
-int key_state_write_ciphertext(struct key_state_ssl *ks_ssl,
- struct buffer *buf);
+int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf);
 /**
  * Extract plaintext data from the TLS module.
@@ -548,10 +539,8 @@ void print_details(struct key_state_ssl *ks_ssl, const char *prefix);
  * @param tls13 Select if <=TLS1.2 or TLS1.3+ ciphers
  * should be shown
  */
-void
-show_available_tls_ciphers_list(const char *cipher_list,
- const char *tls_cert_profile,
- bool tls13);
+void show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile,
+ bool tls13);
 /**
  * Show the available elliptic curves in the crypto library
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 1fdc18724..cd5293afe 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -117,15 +117,16 @@
  * \ref key_generation "data channel key generation".
  * @ingroup control_processor
  */
-struct key_source {
- uint8_t pre_master[48]; /**< Random used for master secret
- * generation, provided only by client
- * OpenVPN peer. */
- uint8_t random1[32]; /**< Seed used for master secret
- * generation, provided by both client
- * and server. */
- uint8_t random2[32]; /**< Seed used for key expansion, provided
- * by both client and server. */
+struct key_source
+{
+ uint8_t pre_master[48]; /**< Random used for master secret
+ * generation, provided only by client
+ * OpenVPN peer. */
+ uint8_t random1[32]; /**< Seed used for master secret
+ * generation, provided by both client
+ * and server. */
+ uint8_t random2[32]; /**< Seed used for key expansion, provided
+ * by both client and server. */
 };
@@ -134,9 +135,10 @@ struct key_source {
  * 2 \ref key_generation "data channel key generation".
  * @ingroup control_processor
  */
-struct key_source2 {
- struct key_source client; /**< Random provided by client. */
- struct key_source server; /**< Random provided by server. */
+struct key_source2
+{
+ struct key_source client; /**< Random provided by client. */
+ struct key_source server; /**< Random provided by server. */
 };
@@ -147,15 +149,16 @@ struct key_source2 {
  * being set to KS_AUTH_TRUE or KS_AUTH_FALSE
  * Only KS_AUTH_TRUE is fully authenticated
  */
-enum ks_auth_state {
- KS_AUTH_FALSE, /**< Key state is not authenticated */
- KS_AUTH_DEFERRED, /**< Key state authentication is being deferred,
- * by async auth */
- KS_AUTH_TRUE /**< Key state is authenticated. TLS and user/pass
- * succeeded. This includes AUTH_PENDING/OOB
- * authentication as those hold the
- * connection artificially in KS_AUTH_DEFERRED
- */
+enum ks_auth_state
+{
+ KS_AUTH_FALSE, /**< Key state is not authenticated */
+ KS_AUTH_DEFERRED, /**< Key state authentication is being deferred,
+ * by async auth */
+ KS_AUTH_TRUE /**< Key state is authenticated. TLS and user/pass
+ * succeeded. This includes AUTH_PENDING/OOB
+ * authentication as those hold the
+ * connection artificially in KS_AUTH_DEFERRED
+ */
 };
 struct auth_deferred_status
@@ -168,14 +171,16 @@ struct auth_deferred_status
 /* key_state_test_auth_control_file return values, these specify the
  * current status of a deferred authentication */
-enum auth_deferred_result {
- ACF_PENDING, /**< deferred auth still pending */
- ACF_SUCCEEDED, /**< deferred auth has suceeded */
- ACF_DISABLED, /**< deferred auth is not used */
- ACF_FAILED /**< deferred auth has failed */
+enum auth_deferred_result
+{
+ ACF_PENDING, /**< deferred auth still pending */
+ ACF_SUCCEEDED, /**< deferred auth has suceeded */
+ ACF_DISABLED, /**< deferred auth is not used */
+ ACF_FAILED /**< deferred auth has failed */
 };
-enum dco_key_status {
+enum dco_key_status
+{
 DCO_NOT_INSTALLED,
 DCO_INSTALLED_PRIMARY,
 DCO_INSTALLED_SECONDARY
@@ -219,34 +224,34 @@ struct key_state
 struct key_state_ssl ks_ssl; /* contains SSL object and BIOs for the control channel */
- time_t initial; /* when we created this session */
- time_t established; /* when our state went S_ACTIVE */
- time_t must_negotiate; /* key negotiation times out if not finished before this time */
- time_t must_die; /* this object is destroyed at this time */
- time_t peer_last_packet; /* Last time we received a packet in this control session */
+ time_t initial; /* when we created this session */
+ time_t established; /* when our state went S_ACTIVE */
+ time_t must_negotiate; /* key negotiation times out if not finished before this time */
+ time_t must_die; /* this object is destroyed at this time */
+ time_t peer_last_packet; /* Last time we received a packet in this control session */
- int initial_opcode; /* our initial P_ opcode */
- struct session_id session_id_remote; /* peer's random session ID */
+ int initial_opcode; /* our initial P_ opcode */
+ struct session_id session_id_remote; /* peer's random session ID */
 struct link_socket_actual remote_addr; /* peer's IP addr */
- struct crypto_options crypto_options;/* data channel crypto options */
+ struct crypto_options crypto_options; /* data channel crypto options */
- struct key_source2 *key_src; /* source entropy for key expansion */
+ struct key_source2 *key_src; /* source entropy for key expansion */
 struct buffer plaintext_read_buf;
 struct buffer plaintext_write_buf;
 struct buffer ack_write_buf;
 struct reliable *send_reliable; /* holds a copy of outgoing packets until ACK received */
- struct reliable *rec_reliable; /* order incoming ciphertext packets before we pass to TLS */
- struct reliable_ack *rec_ack; /* buffers all packet IDs we want to ACK back to sender */
- struct reliable_ack *lru_acks; /* keeps the most recently acked packages*/
+ struct reliable *rec_reliable; /* order incoming ciphertext packets before we pass to TLS */
+ struct reliable_ack *rec_ack; /*
buffers all packet IDs we want to ACK back to sender */
+ struct reliable_ack *lru_acks; /* keeps the most recently acked packages*/
 /** Holds outgoing message for the control channel until ks->state reaches
  * S_ACTIVE */
 struct buffer_list *paybuf;
- counter_type n_bytes; /* how many bytes sent/recvd since last key exchange */
- counter_type n_packets; /* how many packets sent/recvd since last key exchange */
+ counter_type n_bytes; /* how many bytes sent/recvd since last key exchange */
+ counter_type n_packets; /* how many packets sent/recvd since last key exchange */
 /*
  * If bad username/password, TLS connection will come up but 'authenticated' will be false.
@@ -269,19 +274,20 @@ struct key_state
 /** Control channel wrapping (--tls-auth/--tls-crypt) context */
 struct tls_wrap_ctx
 {
- enum {
- TLS_WRAP_NONE = 0, /**< No control channel wrapping */
- TLS_WRAP_AUTH, /**< Control channel authentication */
- TLS_WRAP_CRYPT, /**< Control channel encryption and authentication */
- } mode; /**< Control channel wrapping mode */
- struct crypto_options opt; /**< Crypto state */
- struct buffer work; /**< Work buffer (only for --tls-crypt) */
- struct key_ctx tls_crypt_v2_server_key; /**< Decrypts client keys */
- const struct buffer *tls_crypt_v2_wkc; /**< Wrapped client key,
- * sent to server */
- struct buffer tls_crypt_v2_metadata; /**< Received from client */
- bool cleanup_key_ctx; /**< opt.key_ctx_bi is owned by
- * this context */
+ enum
+ {
+ TLS_WRAP_NONE = 0, /**< No control channel wrapping */
+ TLS_WRAP_AUTH, /**< Control channel authentication */
+ TLS_WRAP_CRYPT, /**< Control channel encryption and authentication */
+ } mode; /**< Control channel wrapping mode */
+ struct crypto_options opt; /**< Crypto state */
+ struct buffer work; /**< Work buffer (only for --tls-crypt) */
+ struct key_ctx tls_crypt_v2_server_key; /**< Decrypts client keys */
+ const struct buffer *tls_crypt_v2_wkc; /**< Wrapped client key,
+ * sent to server */
+ struct buffer tls_crypt_v2_metadata; /**< Received from client */
+ bool cleanup_key_ctx; /**< opt.key_ctx_bi is owned by
+ * this context */
 /** original key data to be xored in to the key for dynamic tls-crypt.
  *
  * We keep the original key data to ensure that the newly generated key
@@ -363,8 +369,8 @@ struct tls_options
 /* struct crypto_option flags */
 unsigned int crypto_flags;
- int replay_window; /* --replay-window parm */
- int replay_time; /* --replay-window parm */
+ int replay_window; /* --replay-window parm */
+ int replay_time; /* --replay-window parm */
 const char *config_ciphername;
 const char *config_ncp_ciphers;
@@ -392,9 +398,9 @@ struct tls_options
 const char *auth_user_pass_file;
 bool auth_user_pass_file_inline;
- bool auth_token_generate; /**< Generate auth-tokens on successful
- * user/pass auth,seet via
- * options->auth_token_generate. */
+ bool auth_token_generate; /**< Generate auth-tokens on successful
+ * user/pass auth,seet via
+ * options->auth_token_generate. */
 bool auth_token_call_auth; /**< always call normal authentication */
 unsigned int auth_token_lifetime;
 unsigned int auth_token_renewal;
@@ -415,17 +421,17 @@ struct tls_options
 #endif
 /* configuration file SSL-related boolean and low-permutation options */
-#define SSLF_CLIENT_CERT_NOT_REQUIRED (1<<0)
-#define SSLF_CLIENT_CERT_OPTIONAL (1<<1)
-#define SSLF_USERNAME_AS_COMMON_NAME (1<<2)
-#define SSLF_AUTH_USER_PASS_OPTIONAL (1<<3)
-#define SSLF_OPT_VERIFY (1<<4)
-#define SSLF_CRL_VERIFY_DIR (1<<5)
+#define SSLF_CLIENT_CERT_NOT_REQUIRED (1 << 0)
+#define SSLF_CLIENT_CERT_OPTIONAL (1 << 1)
+#define SSLF_USERNAME_AS_COMMON_NAME (1 << 2)
+#define SSLF_AUTH_USER_PASS_OPTIONAL (1 << 3)
+#define SSLF_OPT_VERIFY (1 << 4)
+#define SSLF_CRL_VERIFY_DIR (1 << 5)
 #define SSLF_TLS_VERSION_MIN_SHIFT 6
-#define SSLF_TLS_VERSION_MIN_MASK 0xF /* (uses bit positions 6 to 9) */
+#define SSLF_TLS_VERSION_MIN_MASK 0xF /* (uses bit positions 6 to 9) */
 #define SSLF_TLS_VERSION_MAX_SHIFT 10
-#define SSLF_TLS_VERSION_MAX_MASK 0xF /* (uses bit positions 10 to 13) */
-#define SSLF_TLS_DEBUG_ENABLED (1<<14)
+#define SSLF_TLS_VERSION_MAX_MASK 0xF /* (uses bit positions 10 to 13) */
+#define SSLF_TLS_DEBUG_ENABLED (1 << 14)
 unsigned int ssl_flags;
 #ifdef ENABLE_MANAGEMENT
@@ -456,10 +462,11 @@ struct tls_options
  * This is the index of \c tls_session.key
  *
  * @{ */
-#define KS_PRIMARY 0 /**< Primary %key state index. */
-#define KS_LAME_DUCK 1 /**< %Key state index that will retire
- * soon. */
-#define KS_SIZE 2 /**< Size of the \c tls_session.key array. */
+#define KS_PRIMARY 0 /**< Primary %key state index. */
+#define KS_LAME_DUCK \
+ 1 /**< %Key state index that will retire \
+ * soon. */
+#define KS_SIZE 2 /**< Size of the \c tls_session.key array. */
 /** @} name Index of key_state objects within a tls_session structure */
 /** @} addtogroup control_processor */
@@ -494,7 +501,7 @@ struct tls_session
  * tls_wrap_reneg.mode is TLS_WRAP_CRYPT, otherwise ignore it */
 struct tls_wrap_ctx tls_wrap_reneg;
- int initial_opcode; /* our initial P_ opcode */
+ int initial_opcode; /* our initial P_ opcode */
 struct session_id session_id; /* our random session ID */
 /**
@@ -510,7 +517,7 @@ struct tls_session
 struct cert_hash_set *cert_hash_set;
- bool verified; /* true if peer certificate was verified against CA */
+ bool verified; /* true if peer certificate was verified against CA */
 /* not-yet-authenticated incoming client */
 struct link_socket_actual untrusted_addr;
@@ -535,12 +542,14 @@ struct tls_session
  * is being negotiated.
  *
  * @{ */
-#define TM_ACTIVE 0 /**< Active \c tls_session. */
-#define TM_INITIAL 1 /**< As yet un-trusted \c tls_session
- * being negotiated. */
-#define TM_LAME_DUCK 2 /**< Old \c tls_session. */
-#define TM_SIZE 3 /**< Size of the \c tls_multi.session
- * array. */
+#define TM_ACTIVE 0 /**< Active \c tls_session. */
+#define TM_INITIAL \
+ 1 /**< As yet un-trusted \c tls_session \
+ * being negotiated. */
+#define TM_LAME_DUCK 2 /**< Old \c tls_session. */
+#define TM_SIZE \
+ 3 /**< Size of the \c tls_multi.session \
+ * array. */
 /** @} name Index of tls_session objects within a tls_multi structure */
 /** @} addtogroup control_processor */
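Review bot: The reformatted `KS_LAME_DUCK` definition now puts the macro value on its own line with backslash continuations running through the Doxygen comment, so a reader scanning the index table no longer sees `KS_LAME_DUCK` and `1` together, and the trailing `\` inside the comment is fragile (any whitespace after it silently ends the macro). The same layout appears for `TM_INITIAL` and `TM_SIZE` in the hunk at -535. Keeping each comment on one line avoids the continuation entirely: `#define KS_LAME_DUCK 1 /**< %Key state index that will retire soon. */`, `#define TM_INITIAL 1 /**< As yet un-trusted \c tls_session being negotiated. */`, `#define TM_SIZE 3 /**< Size of the \c tls_multi.session array. */`.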
@@ -612,7 +621,7 @@ struct tls_multi
  * used by tls_pre_encrypt to communicate the encrypt key
  * to tls_post_encrypt()
  */
- struct key_state *save_ks; /* temporary pointer used between pre/post routines */
+ struct key_state *save_ks; /* temporary pointer used between pre/post routines */
 /*
  * Used to return outgoing address from
@@ -620,8 +629,8 @@ struct tls_multi
  */
 struct link_socket_actual to_link_addr;
- int n_sessions; /**< Number of sessions negotiated thus
- * far. */
+ int n_sessions; /**< Number of sessions negotiated thus
+ * far. */
 enum multi_status multi_state;
 /*
@@ -692,8 +701,8 @@ struct tls_multi
 uint32_t peer_id;
 bool use_peer_id;
- char *remote_ciphername; /**< cipher specified in peer's config file */
- bool remote_usescomp; /**< remote announced comp-lzo in OCC string */
+ char *remote_ciphername; /**< cipher specified in peer's config file */
+ bool remote_usescomp; /**< remote announced comp-lzo in OCC string */
 /*
  * Our session objects.
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 22e777b91..635b53ce0 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -52,35 +52,28 @@
 #include
 #if MBEDTLS_VERSION_NUMBER >= 0x02040000
- #include
+#include
 #else
- #include
+#include
 #endif
 #include
 #include
-static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_legacy =
-{
+static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_legacy = {
 /* Hashes from SHA-1 and above */
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 )
- |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 )
- |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 )
- |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 )
- |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 )
- |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA1) | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_RIPEMD160)
+ | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA224) | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256)
+ | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
 0xFFFFFFF, /* Any PK alg */
 0xFFFFFFF, /* Any curve */
 1024, /* RSA-1024 and larger */
 };
-static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_preferred =
-{
+static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_preferred = {
 /* SHA-2 and above */
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 )
- |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 )
- |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 )
- |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA224) | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256)
+ | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
 0xFFFFFFF, /* Any PK alg */
 0xFFFFFFF, /* Any curve */
 2048, /* RSA-2048 and larger */
@@ -184,9 +177,8 @@ tls_ctx_initialised(struct tls_root_ctx *ctx)
  * Mbed TLS stores this callback in the mbedtls_ssl_config struct and it
  * is used in the mbedtls_ssl_contexts set up from that config. */
 int
-mbedtls_ssl_export_keys_cb(void *p_expkey, const unsigned char *ms,
- const unsigned char *kb, size_t maclen,
- size_t keylen, size_t ivlen,
+mbedtls_ssl_export_keys_cb(void *p_expkey, const unsigned char *ms, const unsigned char *kb,
+ size_t maclen, size_t keylen, size_t ivlen,
 const unsigned char client_random[32],
 const unsigned char server_random[32],
 mbedtls_tls_prf_types tls_prf_type)
@@ -195,8 +187,8 @@ mbedtls_ssl_export_keys_cb(void *p_expkey, const unsigned char *ms,
 struct key_state_ssl *ks_ssl = &session->key[KS_PRIMARY].ks_ssl;
 struct tls_key_cache *cache = &ks_ssl->tls_key_cache;
- static_assert(sizeof(ks_ssl->ctx->session->master)
- == sizeof(cache->master_secret), "master size mismatch");
+ static_assert(sizeof(ks_ssl->ctx->session->master) == sizeof(cache->master_secret),
+ "master size mismatch");
 memcpy(cache->client_server_random, client_random, 32);
 memcpy(cache->client_server_random + 32, server_random, 32);
@@ -218,10 +210,8 @@ mbedtls_ssl_export_keys_cb(void *p_expkey, const unsigned char *ms,
  * mbedtls_ssl_config. It is placed in the mbedtls_ssl_context after it
  * has been set up. */
 void
-mbedtls_ssl_export_keys_cb(void *p_expkey,
- mbedtls_ssl_key_export_type type,
- const unsigned char *secret,
- size_t secret_len,
+mbedtls_ssl_export_keys_cb(void *p_expkey, mbedtls_ssl_key_export_type type,
+ const unsigned char *secret, size_t secret_len,
 const unsigned char client_random[32],
 const unsigned char server_random[32],
 mbedtls_tls_prf_types tls_prf_type)
@@ -241,8 +231,7 @@ mbedtls_ssl_export_keys_cb(void *p_expkey,
  * a different value, something is wrong with mbed TLS. */
 if (secret_len != sizeof(cache->master_secret))
 {
- msg(M_FATAL,
- "ERROR: Incorrect TLS 1.2 master secret length: Got %zu, expected %zu",
+ msg(M_FATAL, "ERROR: Incorrect TLS 1.2 master secret length: Got %zu, expected %zu",
 secret_len, sizeof(cache->master_secret));
 }
@@ -257,8 +246,7 @@ mbedtls_ssl_export_keys_cb(void *p_expkey,
 bool
-key_state_export_keying_material(struct tls_session *session,
- const char *label, size_t label_size,
+key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size,
 void *ekm, size_t ekm_size)
 {
 ASSERT(strlen(label) == label_size);
@@ -267,7 +255,8 @@ key_state_export_keying_material(struct tls_session *session,
 /* Our version of mbed TLS has a built-in TLS-Exporter. */
 mbedtls_ssl_context *ctx = session->key[KS_PRIMARY].ks_ssl.ctx;
- if (mbed_ok(mbedtls_ssl_export_keying_material(ctx, ekm, ekm_size, label, label_size, NULL, 0, 0)))
+ if (mbed_ok(
+ mbedtls_ssl_export_keying_material(ctx, ekm, ekm_size, label, label_size, NULL, 0, 0)))
 {
 return true;
 }
@@ -287,10 +276,8 @@ key_state_export_keying_material(struct tls_session *session,
 }
 int ret = mbedtls_ssl_tls_prf(cache->tls_prf_type, cache->master_secret,
- sizeof(cache->master_secret),
- label, cache->client_server_random,
- sizeof(cache->client_server_random),
- ekm, ekm_size);
+ sizeof(cache->master_secret), label, cache->client_server_random,
+ sizeof(cache->client_server_random), ekm, ekm_size);
 if (mbed_ok(ret))
 {
@@ -301,7 +288,7 @@ key_state_export_keying_material(struct tls_session *session,
 secure_memzero(ekm, session->opt->ekm_size);
 return false;
 }
-#endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
+#endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
 }
 bool
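Review bot: In the failure path of `key_state_export_keying_material` (hunk at -301) the wipe uses `session->opt->ekm_size` although the buffer the function was handed is described by its own `ekm_size` parameter, which is what every export call in the hunks above passes as the output length. If the two ever differ, the wipe either leaves derived key bytes in `ekm` or writes past it; using the parameter keeps the wipe tied to the buffer actually written: `secure_memzero(ekm, ekm_size);`. The same `ekm_size` parameter is also the natural value to document in the `@param ekm_size` line of ssl_backend.h as the number of bytes that are cleared on failure. The function's body starts and ends outside this hunk.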
@@ -324,7 +311,8 @@ tls_translate_cipher_name(const char *cipher_name)
 if (0 != strcmp(cipher_name, pair->iana_name))
 {
 /* Deprecated name found, notify user */
- msg(M_WARN, "Deprecated cipher suite name '%s', please use IANA name '%s'", pair->openssl_name, pair->iana_name);
+ msg(M_WARN, "Deprecated cipher suite name '%s', please use IANA name '%s'",
+ pair->openssl_name, pair->iana_name);
 }
 return pair->iana_name;
@@ -339,8 +327,10 @@ tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
 return;
 }
- msg(M_WARN, "mbed TLS does not support setting tls-ciphersuites. "
- "Ignoring TLS 1.3 cipher list: %s", ciphers);
+ msg(M_WARN,
+ "mbed TLS does not support setting tls-ciphersuites. "
+ "Ignoring TLS 1.3 cipher list: %s",
+ ciphers);
 }
 void
@@ -359,7 +349,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
 int cipher_count = get_num_elements(ciphers, ':');
 /* Allocate an array for them */
- ALLOC_ARRAY_CLEAR(ctx->allowed_ciphers, int, cipher_count+1)
+ ALLOC_ARRAY_CLEAR(ctx->allowed_ciphers, int, cipher_count + 1)
 /* Parse allowed ciphers, getting IDs */
 int i = 0;
@@ -368,8 +358,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
 token = strtok(tmp_ciphers, ":");
 while (token)
 {
- ctx->allowed_ciphers[i] = mbedtls_ssl_get_ciphersuite_id(
- tls_translate_cipher_name(token));
+ ctx->allowed_ciphers[i] = mbedtls_ssl_get_ciphersuite_id(tls_translate_cipher_name(token));
 if (0 != ctx->allowed_ciphers[i])
 {
 i++;
@@ -382,8 +371,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
 void
 tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
 {
- if (!profile || 0 == strcmp(profile, "legacy")
- || 0 == strcmp(profile, "insecure"))
+ if (!profile || 0 == strcmp(profile, "legacy") || 0 == strcmp(profile, "insecure"))
 {
 ctx->cert_profile = openvpn_x509_crt_profile_legacy;
 }
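Review bot: The joined condition in `tls_ctx_set_cert_profile` (hunk at -382) makes it easy to miss that a NULL `profile` is handled identically to `"insecure"`: both select `openvpn_x509_crt_profile_legacy`, which per the table at the top of the file still accepts SHA-1 and RIPEMD160 signatures and RSA keys down to 1024 bits. That fallback is deliberate but undocumented at the point of choice; a one-line comment above the `if` would make the policy explicit, e.g. `/* No --tls-cert-profile given: keep the legacy profile (SHA-1 and RSA-1024 still accepted). */`. The rest of the function, including the "preferred" branch, lies outside this hunk.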
@@ -418,8 +406,7 @@ tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
 const char *token;
 while ((token = strsep(&tmp_groups, ":")))
 {
- const mbedtls_ecp_curve_info *ci =
- mbedtls_ecp_curve_info_from_name(token);
+ const mbedtls_ecp_curve_info *ci = mbedtls_ecp_curve_info_from_name(token);
 if (!ci)
 {
 msg(M_WARN, "Warning unknown curve/group specified: %s", token);
@@ -461,13 +448,11 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
 }
 void
-tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
- bool dh_inline)
+tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_inline)
 {
 if (dh_inline)
 {
- if (!mbed_ok(mbedtls_dhm_parse_dhm(ctx->dhm_ctx,
- (const unsigned char *) dh_file,
+ if (!mbed_ok(mbedtls_dhm_parse_dhm(ctx->dhm_ctx, (const unsigned char *)dh_file,
 strlen(dh_file) + 1)))
 {
 msg(M_FATAL, "Cannot read inline DH parameters");
@@ -482,24 +467,23 @@ tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
 }
 msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with " counter_format " bit key",
- (counter_type) mbedtls_dhm_get_bitlen(ctx->dhm_ctx));
+ (counter_type)mbedtls_dhm_get_bitlen(ctx->dhm_ctx));
 }
 void
-tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
- )
+tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
 {
 if (NULL != curve_name)
 {
 msg(M_WARN, "WARNING: mbed TLS builds do not support specifying an "
- "ECDH curve with --ecdh-curve, using default curves. Use "
- "--tls-groups to specify curves.");
+ "ECDH curve with --ecdh-curve, using default curves. Use "
+ "--tls-groups to specify curves.");
 }
 }
 int
-tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
- bool pkcs12_file_inline, bool load_ca_file)
+tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline,
+ bool load_ca_file)
 {
 msg(M_FATAL, "PKCS #12 files not yet supported for mbed TLS.");
 return 0;
@@ -514,8 +498,7 @@ tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
 #endif /* _WIN32 */
 void
-tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file,
- bool cert_inline)
+tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_inline)
 {
 ASSERT(NULL != ctx);
@@ -526,8 +509,7 @@ tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file,
 if (cert_inline)
 {
- if (!mbed_ok(mbedtls_x509_crt_parse(ctx->crt_chain,
- (const unsigned char *)cert_file,
+ if (!mbed_ok(mbedtls_x509_crt_parse(ctx->crt_chain, (const unsigned char *)cert_file,
 strlen(cert_file) + 1)))
 {
 msg(M_FATAL, "Cannot load inline certificate file");
@@ -543,8 +525,7 @@ tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file,
 }
 int
-tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file,
- bool priv_key_inline)
+tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, bool priv_key_inline)
 {
 int status;
 ASSERT(NULL != ctx);
@@ -556,40 +537,29 @@ tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file,
 if (priv_key_inline)
 {
- status = mbedtls_compat_pk_parse_key(ctx->priv_key,
- (const unsigned char *) priv_key_file,
+ status = mbedtls_compat_pk_parse_key(ctx->priv_key, (const unsigned char *)priv_key_file,
 strlen(priv_key_file) + 1, NULL, 0,
- mbedtls_ctr_drbg_random,
- rand_ctx_get());
+ mbedtls_ctr_drbg_random, rand_ctx_get());
 if (MBEDTLS_ERR_PK_PASSWORD_REQUIRED == status)
 {
- char passbuf[512] = {0};
+ char passbuf[512] = { 0 };
 pem_password_callback(passbuf, 512, 0, NULL);
- status = mbedtls_compat_pk_parse_key(ctx->priv_key,
- (const unsigned char *) priv_key_file,
- strlen(priv_key_file) + 1,
- (unsigned char *) passbuf,
- strlen(passbuf),
- mbedtls_ctr_drbg_random,
- rand_ctx_get());
+ status = mbedtls_compat_pk_parse_key(
+ ctx->priv_key, (const unsigned char *)priv_key_file, strlen(priv_key_file) + 1,
+ (unsigned char *)passbuf, strlen(passbuf), mbedtls_ctr_drbg_random, rand_ctx_get());
 }
 }
 else
 {
- status = mbedtls_compat_pk_parse_keyfile(ctx->priv_key,
- priv_key_file,
- NULL,
- mbedtls_ctr_drbg_random,
- rand_ctx_get());
+ status = mbedtls_compat_pk_parse_keyfile(ctx->priv_key, priv_key_file, NULL,
+ mbedtls_ctr_drbg_random, rand_ctx_get());
 if (MBEDTLS_ERR_PK_PASSWORD_REQUIRED == status)
 {
- char passbuf[512] = {0};
+ char passbuf[512] = { 0 };
 pem_password_callback(passbuf, 512, 0, NULL);
- status = mbedtls_compat_pk_parse_keyfile(ctx->priv_key,
- priv_key_file, passbuf,
- mbedtls_ctr_drbg_random,
- rand_ctx_get());
+ status = mbedtls_compat_pk_parse_keyfile(ctx->priv_key, priv_key_file, passbuf,
+ mbedtls_ctr_drbg_random, rand_ctx_get());
 }
 }
 if (!mbed_ok(status))
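Review bot: Both password branches in `tls_ctx_load_priv_file` leave the private-key passphrase in `passbuf` on the stack when the inner block ends, while this file already wipes sensitive buffers with `secure_memzero` elsewhere; the passphrase should be cleared as soon as the parse call has consumed it, `secure_memzero(passbuf, sizeof(passbuf));` placed right after each `mbedtls_compat_pk_parse_key`/`mbedtls_compat_pk_parse_keyfile` call that takes `passbuf`. The callback size is also spelled as the literal `512` instead of being tied to the array, so `pem_password_callback(passbuf, sizeof(passbuf), 0, NULL);` would keep the two from drifting apart. The function continues past the end of this hunk.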
@@ -605,10 +575,8 @@ tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file,
 return 1;
 }
- if (!mbed_ok(mbedtls_compat_pk_check_pair(&ctx->crt_chain->pk,
- ctx->priv_key,
- mbedtls_ctr_drbg_random,
- rand_ctx_get())))
+ if (!mbed_ok(mbedtls_compat_pk_check_pair(&ctx->crt_chain->pk, ctx->priv_key,
+ mbedtls_ctr_drbg_random, rand_ctx_get())))
 {
 msg(M_WARN, "Private key does not match the certificate");
 return 1;
@@ -636,13 +604,12 @@ tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file,
  * @return 0 on success, non-zero mbed TLS error code on failure.
  */
 static inline int
-external_pkcs1_sign( void *ctx_voidptr,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+external_pkcs1_sign(void *ctx_voidptr, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
 #if MBEDTLS_VERSION_NUMBER < 0x03020100
- int mode,
+ int mode,
 #endif
- mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash,
- unsigned char *sig )
+ mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash,
+ unsigned char *sig)
 {
 struct external_context *const ctx = ctx_voidptr;
 int rv;
@@ -670,23 +637,22 @@ external_pkcs1_sign( void *ctx_voidptr,
  */
 if (md_alg != MBEDTLS_MD_NONE)
 {
- const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
+ const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);
 if (md_info == NULL)
 {
- return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+ return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
 }
- if (!mbed_ok(mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size )))
+ if (!mbed_ok(mbedtls_oid_get_oid_by_md(md_alg, &oid, &oid_size)))
 {
- return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+ return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
 }
- hashlen = mbedtls_md_get_size( md_info );
+ hashlen = mbedtls_md_get_size(md_info);
 asn_len = 10 + oid_size;
 }
- if ((SIZE_MAX - hashlen) < asn_len
- || ctx->signature_length < (asn_len + hashlen))
+ if ((SIZE_MAX - hashlen) < asn_len || ctx->signature_length < (asn_len + hashlen))
 {
 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
 }
@@ -705,12 +671,12 @@ external_pkcs1_sign( void *ctx_voidptr,
  * Digest ::= OCTET STRING
  */
 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
- *p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
+ *p++ = (unsigned char)(0x08 + oid_size + hashlen);
 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
- *p++ = (unsigned char) ( 0x04 + oid_size );
+ *p++ = (unsigned char)(0x04 + oid_size);
 *p++ = MBEDTLS_ASN1_OID;
 *p++ = oid_size & 0xFF;
- memcpy( p, oid, oid_size );
+ memcpy(p, oid, oid_size);
 p += oid_size;
 *p++ = MBEDTLS_ASN1_NULL;
 *p++ = 0x00;
@@ -725,8 +691,7 @@ external_pkcs1_sign( void *ctx_voidptr,
 memcpy(p, hash, hashlen);
 /* Call external signature function */
- if (!ctx->sign(ctx->sign_ctx, to_sign, asn_len + hashlen, sig,
- ctx->signature_length))
+ if (!ctx->sign(ctx->sign_ctx, to_sign, asn_len + hashlen, sig, ctx->signature_length))
 {
 rv = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
 goto done;
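Review bot: The reformat preserved the mbed TLS-style `return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);` in the two early exits of `external_pkcs1_sign` while the overflow check a few lines below in the same hunk uses the project's plain `return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;`, so the function now mixes two return styles for the same error; dropping the parentheses on both lines, `return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;`, makes them uniform. The DigestInfo encoding in the hunk at -705 also writes the length bytes with `(unsigned char)(0x08 + oid_size + hashlen)`, which silently truncates if the sum ever exceeds 255; a short comment stating the invariant that keeps this a single-byte length, e.g. `/* oid_size + hashlen stays far below 128, so short-form DER lengths suffice */`, would document why the cast is safe. The function's body starts before and ends after these hunks.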
@@ -748,8 +713,8 @@ external_key_len(void *vctx)
 }
 int
-tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx,
- external_sign_func sign_func, void *sign_ctx)
+tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx, external_sign_func sign_func,
+ void *sign_ctx)
 {
 ASSERT(NULL != ctx);
@@ -762,7 +727,7 @@ tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx,
 if (mbedtls_pk_get_type(&ctx->crt_chain->pk) != MBEDTLS_PK_RSA)
 {
 msg(M_WARN, "ERROR: external key with mbed TLS requires a "
- "certificate with an RSA key.");
+ "certificate with an RSA key.");
 return 1;
 }
@@ -771,8 +736,8 @@ tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx,
 ctx->external_key.sign_ctx = sign_ctx;
 ALLOC_OBJ_CLEAR(ctx->priv_key, mbedtls_pk_context);
- if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ctx->priv_key, &ctx->external_key,
- NULL, external_pkcs1_sign, external_key_len)))
+ if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ctx->priv_key, &ctx->external_key, NULL,
+ external_pkcs1_sign, external_key_len)))
 {
 return 1;
 }
@@ -783,8 +748,7 @@ tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx,
 #ifdef ENABLE_MANAGEMENT
 /** Query the management interface for a signature, see external_sign_func. */
 static bool
-management_sign_func(void *sign_ctx, const void *src, size_t src_len,
- void *dst, size_t dst_len)
+management_sign_func(void *sign_ctx, const void *src, size_t src_len, void *dst, size_t dst_len)
 {
 bool ret = false;
 char *src_b64 = NULL;
@@ -799,8 +763,7 @@ management_sign_func(void *sign_ctx, const void *src, size_t src_len,
  * We only support RSA external keys and PKCS1 signatures at the moment
  * in mbed TLS, so the signature parameter is hardcoded to this encoding
  */
- if (!(dst_b64 = management_query_pk_sig(management, src_b64,
- "RSA_PKCS1_PADDING")))
+ if (!(dst_b64 = management_query_pk_sig(management, src_b64, "RSA_PKCS1_PADDING")))
 {
 goto cleanup;
 }
@@ -827,8 +790,8 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) #endif /* ifdef ENABLE_MANAGEMENT */ void -tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, - bool ca_inline, const char *ca_path, bool tls_server) +tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_inline, const char *ca_path, + bool tls_server) { if (ca_path) { @@ -837,8 +800,7 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, if (ca_file && ca_inline) { - if (!mbed_ok(mbedtls_x509_crt_parse(ctx->ca_chain, - (const unsigned char *) ca_file, + if (!mbed_ok(mbedtls_x509_crt_parse(ctx->ca_chain, (const unsigned char *)ca_file, strlen(ca_file) + 1))) { msg(M_FATAL, "Cannot load inline CA certificates"); @@ -867,8 +829,7 @@ tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, if (extra_certs_inline) { - if (!mbed_ok(mbedtls_x509_crt_parse(ctx->crt_chain, - (const unsigned char *) extra_certs_file, + if (!mbed_ok(mbedtls_x509_crt_parse(ctx->crt_chain, (const unsigned char *)extra_certs_file, strlen(extra_certs_file) + 1))) { msg(M_FATAL, "Cannot load inline extra-certs file"); @@ -916,7 +877,7 @@ buf_free_entries(endless_buffer *buf) } static int -endless_buf_read( endless_buffer *in, unsigned char *out, size_t out_len ) +endless_buf_read(endless_buffer *in, unsigned char *out, size_t out_len) { size_t read_len = 0; @@ -931,8 +892,7 @@ endless_buf_read( endless_buffer *in, unsigned char *out, size_t out_len ) if (block_len <= out_len - read_len) { buffer_entry *cur_entry = in->first_block; - memcpy(out + read_len, cur_entry->data + in->data_start, - block_len); + memcpy(out + read_len, cur_entry->data + in->data_start, block_len); read_len += block_len; 
@@ -948,8 +908,7 @@ endless_buf_read( endless_buffer *in, unsigned char *out, size_t out_len ) } else { - memcpy(out + read_len, in->first_block->data + in->data_start, - out_len - read_len); + memcpy(out + read_len, in->first_block->data + in->data_start, out_len - read_len); in->data_start += out_len - read_len; read_len = out_len; } @@ -959,7 +918,7 @@ endless_buf_read( endless_buffer *in, unsigned char *out, size_t out_len ) } static int -endless_buf_write( endless_buffer *out, const unsigned char *in, size_t len ) +endless_buf_write(endless_buffer *out, const unsigned char *in, size_t len) { buffer_entry *new_block = malloc(sizeof(buffer_entry)); if (NULL == new_block) @@ -995,22 +954,21 @@ endless_buf_write( endless_buffer *out, const unsigned char *in, size_t len ) } static int -ssl_bio_read( void *ctx, unsigned char *out, size_t out_len) +ssl_bio_read(void *ctx, unsigned char *out, size_t out_len) { - bio_ctx *my_ctx = (bio_ctx *) ctx; + bio_ctx *my_ctx = (bio_ctx *)ctx; return endless_buf_read(&my_ctx->in, out, out_len); } static int -ssl_bio_write( void *ctx, const unsigned char *in, size_t in_len) +ssl_bio_write(void *ctx, const unsigned char *in, size_t in_len) { - bio_ctx *my_ctx = (bio_ctx *) ctx; + bio_ctx *my_ctx = (bio_ctx *)ctx; return endless_buf_write(&my_ctx->out, in, in_len); } static void -my_debug( void *ctx, int level, const char *file, int line, - const char *str ) +my_debug(void *ctx, int level, const char *file, int line, const char *str) { int my_loglevel = (level < 3) ? D_TLS_DEBUG_MED : D_TLS_DEBUG; msg(my_loglevel, "mbed TLS msg (%s:%d): %s", file, line, str); 
@@ -1022,8 +980,8 @@ my_debug( void *ctx, int level, const char *file, int line, void tls_ctx_personalise_random(struct tls_root_ctx *ctx) { - static char old_sha256_hash[32] = {0}; - unsigned char sha256_hash[32] = {0}; + static char old_sha256_hash[32] = { 0 }; + unsigned char sha256_hash[32] = { 0 }; mbedtls_ctr_drbg_context *cd_ctx = rand_ctx_get(); if (NULL != ctx->crt_chain) @@ -1055,7 +1013,7 @@ tls_version_max(void) #elif defined(MBEDTLS_SSL_PROTO_TLS1_2) return TLS_VER_1_2; #else - #error mbedtls is compiled without support for TLS 1.2 or 1.3 +#error mbedtls is compiled without support for TLS 1.2 or 1.3 #endif } @@ -1088,8 +1046,7 @@ tls_version_to_ssl_version(int tls_ver) } void -backend_tls_ctx_reload_crl(struct tls_root_ctx *ctx, const char *crl_file, - bool crl_inline) +backend_tls_ctx_reload_crl(struct tls_root_ctx *ctx, const char *crl_file, bool crl_inline) { ASSERT(crl_file); @@ -1101,8 +1058,7 @@ backend_tls_ctx_reload_crl(struct tls_root_ctx *ctx, const char *crl_file, if (crl_inline) { - if (!mbed_ok(mbedtls_x509_crl_parse(ctx->crl, - (const unsigned char *)crl_file, + if (!mbed_ok(mbedtls_x509_crl_parse(ctx->crl, (const unsigned char *)crl_file, strlen(crl_file) + 1))) { msg(M_WARN, "CRL: cannot parse inline CRL"); @@ -1124,8 +1080,7 @@ err: } void -key_state_ssl_init(struct key_state_ssl *ks_ssl, - const struct tls_root_ctx *ssl_ctx, bool is_server, +key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session) { ASSERT(NULL != ssl_ctx); 
@@ -1135,8 +1090,8 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl, /* Initialise SSL config */ ALLOC_OBJ_CLEAR(ks_ssl->ssl_config, mbedtls_ssl_config); mbedtls_ssl_config_init(ks_ssl->ssl_config); - mbedtls_ssl_config_defaults(ks_ssl->ssl_config, ssl_ctx->endpoint, - MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT); + mbedtls_ssl_config_defaults(ks_ssl->ssl_config, ssl_ctx->endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT); #ifdef MBEDTLS_DEBUG_C /* We only want to have mbed TLS generate debug level logging when we would * also display it. @@ -1152,8 +1107,7 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl, } #endif mbedtls_ssl_conf_dbg(ks_ssl->ssl_config, my_debug, NULL); - mbedtls_ssl_conf_rng(ks_ssl->ssl_config, mbedtls_ctr_drbg_random, - rand_ctx_get()); + mbedtls_ssl_conf_rng(ks_ssl->ssl_config, mbedtls_ctr_drbg_random, rand_ctx_get()); mbedtls_ssl_conf_cert_profile(ks_ssl->ssl_config, &ssl_ctx->cert_profile); @@ -1168,8 +1122,8 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl, } /* Disable TLS renegotiations if the mbedtls library supports that feature. - * OpenVPN's renegotiation creates new SSL sessions and does not depend on - * this feature and TLS renegotiations have been problematic in the past. */ + * OpenVPN's renegotiation creates new SSL sessions and does not depend on + * this feature and TLS renegotiations have been problematic in the past. */ #if defined(MBEDTLS_SSL_RENEGOTIATION) mbedtls_ssl_conf_renegotiation(ks_ssl->ssl_config, MBEDTLS_SSL_RENEGOTIATION_DISABLED); #endif /* MBEDTLS_SSL_RENEGOTIATION */ 
@@ -1186,12 +1140,10 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl, /* Initialise authentication information */ if (is_server) { - mbed_ok(mbedtls_ssl_conf_dh_param_ctx(ks_ssl->ssl_config, - ssl_ctx->dhm_ctx)); + mbed_ok(mbedtls_ssl_conf_dh_param_ctx(ks_ssl->ssl_config, ssl_ctx->dhm_ctx)); } - mbed_ok(mbedtls_ssl_conf_own_cert(ks_ssl->ssl_config, ssl_ctx->crt_chain, - ssl_ctx->priv_key)); + mbed_ok(mbedtls_ssl_conf_own_cert(ks_ssl->ssl_config, ssl_ctx->crt_chain, ssl_ctx->priv_key)); /* Initialise SSL verification */ if (session->opt->ssl_flags & SSLF_CLIENT_CERT_OPTIONAL) @@ -1210,8 +1162,7 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl, /* Initialize minimum TLS version */ { const int configured_tls_version_min = - (session->opt->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) - &SSLF_TLS_VERSION_MIN_MASK; + (session->opt->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK; /* default to TLS 1.2 */ mbedtls_ssl_protocol_version version = MBEDTLS_SSL_VERSION_TLS1_2; @@ -1227,8 +1178,7 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl, /* Initialize maximum TLS version */ { const int configured_tls_version_max = - (session->opt->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) - &SSLF_TLS_VERSION_MAX_MASK; + (session->opt->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK; mbedtls_ssl_protocol_version version = MBEDTLS_SSL_VERSION_UNKNOWN; 
@@ -1245,10 +1195,10 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl, mbedtls_ssl_conf_max_tls_version(ks_ssl->ssl_config, version); } -#if defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#if defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) \ + && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* Initialize keying material exporter, old style. */ - mbedtls_ssl_conf_export_keys_ext_cb(ks_ssl->ssl_config, - mbedtls_ssl_export_keys_cb, session); + mbedtls_ssl_conf_export_keys_ext_cb(ks_ssl->ssl_config, mbedtls_ssl_export_keys_cb, session); #endif /* Initialise SSL context */ @@ -1267,8 +1217,7 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl, /* Initialise BIOs */ ALLOC_OBJ_CLEAR(ks_ssl->bio_ctx, bio_ctx); - mbedtls_ssl_set_bio(ks_ssl->ctx, ks_ssl->bio_ctx, ssl_bio_write, - ssl_bio_read, NULL); + mbedtls_ssl_set_bio(ks_ssl->ctx, ks_ssl->bio_ctx, ssl_bio_write, ssl_bio_read, NULL); } @@ -1317,7 +1266,7 @@ key_state_write_plaintext(struct key_state_ssl *ks, struct buffer *buf) if (1 == retval) { - memset(BPTR(buf), 0, BLEN(buf)); /* erase data just written */ + memset(BPTR(buf), 0, BLEN(buf)); /* erase data just written */ buf->len = 0; } @@ -1350,16 +1299,14 @@ key_state_write_plaintext_const(struct key_state_ssl *ks, const uint8_t *data, i { return 0; } - mbed_log_err(D_TLS_ERRORS, retval, - "TLS ERROR: write tls_write_plaintext_const error"); + mbed_log_err(D_TLS_ERRORS, retval, "TLS ERROR: write tls_write_plaintext_const error"); return -1; } if (retval != len) { - msg(D_TLS_ERRORS, - "TLS ERROR: write tls_write_plaintext_const incomplete %d/%d", - retval, len); + msg(D_TLS_ERRORS, "TLS ERROR: write tls_write_plaintext_const incomplete %d/%d", retval, + len); perf_pop(); return -1; } 
@@ -1446,15 +1393,14 @@ key_state_write_ciphertext(struct key_state_ssl *ks, struct buffer *buf) { return 0; } - mbed_log_err(D_TLS_ERRORS, retval, - "TLS ERROR: write tls_write_ciphertext error"); + mbed_log_err(D_TLS_ERRORS, retval, "TLS ERROR: write tls_write_ciphertext error"); return -1; } if (retval != buf->len) { - msg(D_TLS_ERRORS, "TLS ERROR: write tls_write_ciphertext incomplete %d/%d", - retval, buf->len); + msg(D_TLS_ERRORS, "TLS ERROR: write tls_write_ciphertext incomplete %d/%d", retval, + buf->len); perf_pop(); return -1; } @@ -1462,7 +1408,7 @@ key_state_write_ciphertext(struct key_state_ssl *ks, struct buffer *buf) /* successful write */ dmsg(D_HANDSHAKE_VERBOSE, "write tls_write_ciphertext %d bytes", retval); - memset(BPTR(buf), 0, BLEN(buf)); /* erase data just written */ + memset(BPTR(buf), 0, BLEN(buf)); /* erase data just written */ buf->len = 0; perf_pop(); @@ -1534,25 +1480,20 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix) char s2[256]; s1[0] = s2[0] = 0; - snprintf(s1, sizeof(s1), "%s %s, cipher %s", - prefix, - mbedtls_ssl_get_version(ks_ssl->ctx), + snprintf(s1, sizeof(s1), "%s %s, cipher %s", prefix, mbedtls_ssl_get_version(ks_ssl->ctx), mbedtls_ssl_get_ciphersuite(ks_ssl->ctx)); cert = mbedtls_ssl_get_peer_cert(ks_ssl->ctx); if (cert != NULL) { - snprintf(s2, sizeof(s2), ", %u bit key", - (unsigned int) mbedtls_pk_get_bitlen(&cert->pk)); + snprintf(s2, sizeof(s2), ", %u bit key", (unsigned int)mbedtls_pk_get_bitlen(&cert->pk)); } msg(D_HANDSHAKE, "%s%s", s1, s2); } void -show_available_tls_ciphers_list(const char *cipher_list, - const char *tls_cert_profile, - bool tls13) +show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13) { if (tls13) { 
@@ -1603,8 +1544,8 @@ get_ssl_library_version(void) { static char mbedtls_version[30]; unsigned int pv = mbedtls_version_get_number(); - snprintf(mbedtls_version, sizeof(mbedtls_version), "mbed TLS %d.%d.%d", - (pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff ); + snprintf(mbedtls_version, sizeof(mbedtls_version), "mbed TLS %d.%d.%d", (pv >> 24) & 0xff, + (pv >> 16) & 0xff, (pv >> 8) & 0xff); return mbedtls_version; } diff --git a/src/openvpn/ssl_mbedtls.h b/src/openvpn/ssl_mbedtls.h index fba766b26..513a07edb 100644 --- a/src/openvpn/ssl_mbedtls.h +++ b/src/openvpn/ssl_mbedtls.h @@ -43,19 +43,22 @@ typedef struct _buffer_entry buffer_entry; -struct _buffer_entry { +struct _buffer_entry +{ size_t length; uint8_t *data; buffer_entry *next_block; }; -typedef struct { +typedef struct +{ size_t data_start; buffer_entry *first_block; buffer_entry *last_block; } endless_buffer; -typedef struct { +typedef struct +{ endless_buffer in; endless_buffer out; } bio_ctx; @@ -73,12 +76,12 @@ typedef struct { * * @return true if signing succeeded, false otherwise. */ -typedef bool (*external_sign_func)( - void *sign_ctx, const void *src, size_t src_size, - void *dst, size_t dst_size); +typedef bool (*external_sign_func)(void *sign_ctx, const void *src, size_t src_size, void *dst, + size_t dst_size); /** Context used by external_pkcs1_sign() */ -struct external_context { +struct external_context +{ size_t signature_length; external_sign_func sign; void *sign_ctx; @@ -91,13 +94,16 @@ struct external_context { * * The constants 64 and 48 are inherent to TLS 1.2. For TLS 1.3, it is not * possible to obtain the exporter master secret from mbed TLS. */ -struct tls_key_cache { +struct tls_key_cache +{ unsigned char client_server_random[64]; mbedtls_tls_prf_types tls_prf_type; unsigned char master_secret[48]; }; -#else /* !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */ -struct tls_key_cache { }; +#else /* !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */ +struct tls_key_cache +{ +}; #endif /** 
@@ -106,30 +112,32 @@ struct tls_key_cache { }; * * Either \c priv_key_pkcs11 or \c priv_key must be filled in. */ -struct tls_root_ctx { - bool initialised; /**< True if the context has been initialised */ - - int endpoint; /**< Whether or not this is a server or a client */ - - mbedtls_dhm_context *dhm_ctx; /**< Diffie-Helmann-Merkle context */ - mbedtls_x509_crt *crt_chain; /**< Local Certificate chain */ - mbedtls_x509_crt *ca_chain; /**< CA chain for remote verification */ - mbedtls_pk_context *priv_key; /**< Local private key */ - mbedtls_x509_crl *crl; /**< Certificate Revocation List */ - time_t crl_last_mtime; /**< CRL last modification time */ - off_t crl_last_size; /**< size of last loaded CRL */ +struct tls_root_ctx +{ + bool initialised; /**< True if the context has been initialised */ + + int endpoint; /**< Whether or not this is a server or a client */ + + mbedtls_dhm_context *dhm_ctx; /**< Diffie-Helmann-Merkle context */ + mbedtls_x509_crt *crt_chain; /**< Local Certificate chain */ + mbedtls_x509_crt *ca_chain; /**< CA chain for remote verification */ + mbedtls_pk_context *priv_key; /**< Local private key */ + mbedtls_x509_crl *crl; /**< Certificate Revocation List */ + time_t crl_last_mtime; /**< CRL last modification time */ + off_t crl_last_size; /**< size of last loaded CRL */ #ifdef ENABLE_PKCS11 - pkcs11h_certificate_t pkcs11_cert; /**< PKCS11 certificate */ + pkcs11h_certificate_t pkcs11_cert; /**< PKCS11 certificate */ #endif - struct external_context external_key; /**< External key context */ - int *allowed_ciphers; /**< List of allowed ciphers for this connection */ - mbedtls_compat_group_id *groups; /**< List of allowed groups for this connection */ + struct external_context external_key; /**< External key context */ + int *allowed_ciphers; /**< List of allowed ciphers for this connection */ + mbedtls_compat_group_id *groups; /**< List of allowed groups for this connection */ mbedtls_x509_crt_profile cert_profile; /**< Allowed 
certificate types */ }; -struct key_state_ssl { - mbedtls_ssl_config *ssl_config; /**< mbedTLS global ssl config */ - mbedtls_ssl_context *ctx; /**< mbedTLS connection context */ +struct key_state_ssl +{ + mbedtls_ssl_config *ssl_config; /**< mbedTLS global ssl config */ + mbedtls_ssl_context *ctx; /**< mbedTLS connection context */ bio_ctx *bio_ctx; struct tls_key_cache tls_key_cache; @@ -145,8 +153,7 @@ struct key_state_ssl { * * @return 0 if successful, 1 if an error occurred. */ -int tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx, - external_sign_func sign_func, +int tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx, external_sign_func sign_func, void *sign_ctx); static inline void diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index 62fef421e..5e094a25f 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c @@ -82,8 +82,7 @@ tls_peer_supports_ncp(const char *peer_info) { return false; } - else if (tls_peer_info_ncp_ver(peer_info) >= 2 - || strstr(peer_info, "IV_CIPHERS=")) + else if (tls_peer_info_ncp_ver(peer_info) >= 2 || strstr(peer_info, "IV_CIPHERS=")) { return true; } @@ -98,7 +97,7 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc) { bool error_found = false; - struct buffer new_list = alloc_buf(MAX_NCP_CIPHERS_LENGTH); + struct buffer new_list = alloc_buf(MAX_NCP_CIPHERS_LENGTH); char *const tmp_ciphers = string_alloc(list, NULL); const char *token = strtok(tmp_ciphers, ":"); 
@@ -126,22 +125,23 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc) if (nonecipher) { msg(M_WARN, "WARNING: cipher 'none' specified for --data-ciphers. " - "This allows negotiation of NO encryption and " - "tunnelled data WILL then be transmitted in clear text " - "over the network! " - "PLEASE DO RECONSIDER THIS SETTING!"); + "This allows negotiation of NO encryption and " + "tunnelled data WILL then be transmitted in clear text " + "over the network! " + "PLEASE DO RECONSIDER THIS SETTING!"); } if (!nonecipher && !cipher_valid(token)) { msg(M_WARN, "Unsupported %scipher in --data-ciphers: %s", optstr, token); error_found = error_found || !optional; } - else if (!nonecipher && !cipher_kt_mode_aead(token) - && !cipher_kt_mode_cbc(token) + else if (!nonecipher && !cipher_kt_mode_aead(token) && !cipher_kt_mode_cbc(token) && !cipher_kt_mode_ofb_cfb(token)) { - msg(M_WARN, "Unsupported %scipher algorithm '%s'. It does not use " - "CFB, OFB, CBC, or a supported AEAD mode", optstr, token); + msg(M_WARN, + "Unsupported %scipher algorithm '%s'. It does not use " + "CFB, OFB, CBC, or a supported AEAD mode", + optstr, token); error_found = error_found || !optional; } else @@ -154,7 +154,7 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc) ovpn_cipher_name = "none"; } - if (buf_len(&new_list)> 0) + if (buf_len(&new_list) > 0) { /* The next if condition ensure there is always space for * a : @@ -163,11 +163,10 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc) } /* Ensure buffer has capacity for cipher name + : + \0 */ - if (!(buf_forward_capacity(&new_list) > - strlen(ovpn_cipher_name) + 2)) + if (!(buf_forward_capacity(&new_list) > strlen(ovpn_cipher_name) + 2)) { msg(M_WARN, "Length of --data-ciphers is over the " - "limit of 127 chars"); + "limit of 127 chars"); error_found = true; } else 
@@ -179,7 +178,6 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc) } - char *ret = NULL; if (!error_found && buf_len(&new_list) > 0) { @@ -200,8 +198,7 @@ append_cipher_to_ncp_list(struct options *o, const char *ciphername) size_t newlen = strlen(o->ncp_ciphers) + 1 + strlen(ciphername) + 1; char *ncp_ciphers = gc_malloc(newlen, false, &o->gc); - ASSERT(snprintf(ncp_ciphers, newlen, "%s:%s", o->ncp_ciphers, - ciphername)); + ASSERT(snprintf(ncp_ciphers, newlen, "%s:%s", o->ncp_ciphers, ciphername)); o->ncp_ciphers = ncp_ciphers; } @@ -233,7 +230,7 @@ tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc) { return iv_ciphers; } - else if (tls_peer_info_ncp_ver(peer_info)>=2) + else if (tls_peer_info_ncp_ver(peer_info) >= 2) { /* If the peer announces IV_NCP=2 then it supports the AES GCM * ciphers */ @@ -246,8 +243,8 @@ tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc) } char * -ncp_get_best_cipher(const char *server_list, const char *peer_info, - const char *remote_cipher, struct gc_arena *gc) +ncp_get_best_cipher(const char *server_list, const char *peer_info, const char *remote_cipher, + struct gc_arena *gc) { /* * The gc of the parameter is tied to the VPN session, create a @@ -262,8 +259,7 @@ ncp_get_best_cipher(const char *server_list, const char *peer_info, /* non-NCP clients without OCC? "assume nothing" */ /* For client doing the newer version of NCP (that send IV_CIPHERS) * we cannot assume that they will accept remote_cipher */ - if (remote_cipher == NULL - || (peer_info && strstr(peer_info, "IV_CIPHERS="))) + if (remote_cipher == NULL || (peer_info && strstr(peer_info, "IV_CIPHERS="))) { remote_cipher = ""; } 
@@ -273,8 +269,7 @@ ncp_get_best_cipher(const char *server_list, const char *peer_info, const char *token; while ((token = strsep(&tmp_ciphers, ":"))) { - if (tls_item_in_cipher_list(token, peer_ncp_list) - || streq(token, remote_cipher)) + if (tls_item_in_cipher_list(token, peer_ncp_list) || streq(token, remote_cipher)) { break; } @@ -302,8 +297,7 @@ ncp_get_best_cipher(const char *server_list, const char *peer_info, static bool tls_poor_mans_ncp(struct options *o, const char *remote_ciphername) { - if (remote_ciphername - && tls_item_in_cipher_list(remote_ciphername, o->ncp_ciphers)) + if (remote_ciphername && tls_item_in_cipher_list(remote_ciphername, o->ncp_ciphers)) { o->ciphername = string_alloc(remote_ciphername, &o->gc); msg(D_TLS_DEBUG_LOW, "Using peer cipher '%s'", o->ciphername); 
@@ -338,29 +332,27 @@ check_pull_client_ncp(struct context *c, const int found) /* We failed negotiation, give appropriate error message */ if (c->c2.tls_multi->remote_ciphername) { - msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to negotiate " + msg(D_TLS_ERRORS, + "OPTIONS ERROR: failed to negotiate " "cipher with server. Add the server's " "cipher ('%s') to --data-ciphers (currently '%s'), e.g." "--data-ciphers %s:%s if you want to connect to this server.", - c->c2.tls_multi->remote_ciphername, - c->options.ncp_ciphers_conf, c->options.ncp_ciphers_conf, - c->c2.tls_multi->remote_ciphername); + c->c2.tls_multi->remote_ciphername, c->options.ncp_ciphers_conf, + c->options.ncp_ciphers_conf, c->c2.tls_multi->remote_ciphername); return false; - } else { msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to negotiate " - "cipher with server. Configure " - "--data-ciphers-fallback if you want to connect " - "to this server."); + "cipher with server. Configure " + "--data-ciphers-fallback if you want to connect " + "to this server."); return false; } } const char * -get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info, - struct gc_arena *gc) +get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info, struct gc_arena *gc) { /* we use a local gc arena to keep the temporary strings needed by strsep */ struct gc_arena gc_local = gc_new(); @@ -410,8 +402,7 @@ get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info, } static void -p2p_ncp_set_options(struct tls_multi *multi, struct tls_session *session, - const char *common_cipher) +p2p_ncp_set_options(struct tls_multi *multi, struct tls_session *session, const char *common_cipher) { /* will return 0 if peer_info is null */ const unsigned int iv_proto_peer = extract_iv_proto(multi->peer_info); 
@@ -433,8 +424,8 @@ p2p_ncp_set_options(struct tls_multi *multi, struct tls_session *session, session->opt->crypto_flags |= CO_USE_CC_EXIT_NOTIFY; } - if (session->opt->data_epoch_supported && (iv_proto_peer & IV_PROTO_DATA_EPOCH) - && common_cipher && cipher_kt_mode_aead(common_cipher)) + if (session->opt->data_epoch_supported && (iv_proto_peer & IV_PROTO_DATA_EPOCH) && common_cipher + && cipher_kt_mode_aead(common_cipher)) { session->opt->crypto_flags |= CO_EPOCH_DATA_KEY_FORMAT; } @@ -457,20 +448,18 @@ p2p_ncp_set_options(struct tls_multi *multi, struct tls_session *session, uint8_t peerid[3]; if (!key_state_export_keying_material(session, EXPORT_P2P_PEERID_LABEL, - strlen(EXPORT_P2P_PEERID_LABEL), - &peerid, 3)) + strlen(EXPORT_P2P_PEERID_LABEL), &peerid, 3)) { /* Non DCO setup might still work but also this should never * happen or very likely the TLS encryption key exporter will * also fail */ msg(M_NONFATAL, "TLS key export for P2P peer id failed. " - "Continuing anyway, expect problems"); + "Continuing anyway, expect problems"); } else { multi->peer_id = (peerid[0] << 16) + (peerid[1] << 8) + peerid[2]; } - } } if (iv_proto_peer & IV_PROTO_DYN_TLS_CRYPT) @@ -511,12 +500,11 @@ p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session) common_cipher = BSTR(&out); } - msg(D_TLS_DEBUG_LOW, "P2P mode NCP negotiation result: " + msg(D_TLS_DEBUG_LOW, + "P2P mode NCP negotiation result: " "TLS_export=%d, DATA_v2=%d, peer-id %d, epoch=%d, cipher=%s", - (bool)(session->opt->crypto_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT), - multi->use_peer_id, - multi->peer_id, - (bool)(session->opt->crypto_flags & CO_EPOCH_DATA_KEY_FORMAT), + (bool)(session->opt->crypto_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT), multi->use_peer_id, + multi->peer_id, (bool)(session->opt->crypto_flags & CO_EPOCH_DATA_KEY_FORMAT), common_cipher); gc_free(&gc); 
@@ -526,16 +514,15 @@ p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session) bool check_session_cipher(struct tls_session *session, struct options *options) { - bool cipher_allowed_as_fallback = options->enable_ncp_fallback - && streq(options->ciphername, session->opt->config_ciphername); + bool cipher_allowed_as_fallback = + options->enable_ncp_fallback && streq(options->ciphername, session->opt->config_ciphername); if (!session->opt->server && !cipher_allowed_as_fallback && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers)) { struct gc_arena gc = gc_new(); msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s%s", - options->ciphername, options->ncp_ciphers_conf, - ncp_expanded_ciphers(options, &gc)); + options->ciphername, options->ncp_ciphers_conf, ncp_expanded_ciphers(options, &gc)); /* undo cipher push, abort connection setup */ options->ciphername = session->opt->config_ciphername; gc_free(&gc); @@ -576,7 +563,7 @@ replace_default_in_ncp_ciphers_option(struct options *o, const char *replace) const char *after_default = def + strlen(search); buf_write(&ncp_ciphers_buf, after_default, strlen(after_default)); - o->ncp_ciphers = (char *) ncp_ciphers; + o->ncp_ciphers = (char *)ncp_ciphers; } /** @@ -587,8 +574,8 @@ replace_default_in_ncp_ciphers_option(struct options *o, const char *replace) void options_postprocess_setdefault_ncpciphers(struct options *o) { - bool default_in_cipher_list = o->ncp_ciphers - && tls_item_in_cipher_list("DEFAULT", o->ncp_ciphers); + bool default_in_cipher_list = + o->ncp_ciphers && tls_item_in_cipher_list("DEFAULT", o->ncp_ciphers); /* preserve the values that the user put into the configuration */ o->ncp_ciphers_conf = o->ncp_ciphers; diff --git a/src/openvpn/ssl_ncp.h b/src/openvpn/ssl_ncp.h index b01cd871a..2b2ff85b7 100644 --- a/src/openvpn/ssl_ncp.h +++ b/src/openvpn/ssl_ncp.h 
@@ -38,8 +38,7 @@
  * Returns whether the client supports NCP either by
  * announcing IV_NCP>=2 or the IV_CIPHERS list
  */
-bool
-tls_peer_supports_ncp(const char *peer_info);
+bool tls_peer_supports_ncp(const char *peer_info);
 
 /* forward declaration to break include dependency loop */
 struct context;
@@ -50,8 +49,7 @@ struct context;
  *
  * @return Wether the client NCP process suceeded or failed
  */
-bool
-check_pull_client_ncp(struct context *c, int found);
+bool check_pull_client_ncp(struct context *c, int found);
 
 /**
  * Iterates through the ciphers in server_list and return the first
@@ -73,9 +71,8 @@ check_pull_client_ncp(struct context *c, int found);
  * @returns NULL if no common cipher is available, otherwise the best common
  * cipher
  */
-char *
-ncp_get_best_cipher(const char *server_list, const char *peer_info,
-                    const char *remote_cipher, struct gc_arena *gc);
+char *ncp_get_best_cipher(const char *server_list, const char *peer_info, const char *remote_cipher,
+                          struct gc_arena *gc);
 
 
 /**
@@ -86,8 +83,7 @@ ncp_get_best_cipher(const char *server_list, const char *peer_info,
  * or allocated via gc. If no information is available an empty string
  * ("") is returned.
  */
-const char *
-tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc);
+const char *tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc);
 
 /**
  * Check whether the ciphers in the supplied list are supported.
@@ -102,8 +98,7 @@ tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc);
  * is short than MAX_NCP_CIPHERS_LENGTH. NULL
  * otherwise.
  */
-char *
-mutate_ncp_cipher_list(const char *list, struct gc_arena *gc);
+char *mutate_ncp_cipher_list(const char *list, struct gc_arena *gc);
 
 /**
  * Appends the cipher specified by the ciphernamer parameter to to
@@ -147,17 +142,15 @@ void p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session); * @param gc gc arena that will be used to allocate the returned cipher * @return common cipher if one exist. */ -const char * -get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info, - struct gc_arena *gc); +const char *get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info, + struct gc_arena *gc); /** * Checks if the cipher is allowed, otherwise returns false and reset the * cipher to the config cipher. */ -bool -check_session_cipher(struct tls_session *session, struct options *options); +bool check_session_cipher(struct tls_session *session, struct options *options); /** * Checks for availability of Chacha20-Poly1305 and sets @@ -167,8 +160,7 @@ check_session_cipher(struct tls_session *session, struct options *options); * If DEFAULT is in the ncp_cipher string, it will be replaced * by the default cipher string as defined above. */ -void -options_postprocess_setdefault_ncpciphers(struct options *o); +void options_postprocess_setdefault_ncpciphers(struct options *o); /** returns the o->ncp_ciphers in brackets, e.g. * (AES-256-GCM:CHACHA20-POLY1305) if o->ncp_ciphers_conf @@ -176,6 +168,5 @@ options_postprocess_setdefault_ncpciphers(struct options *o); * * The returned string will be allocated in the passed \c gc */ -const char * -ncp_expanded_ciphers(struct options *o, struct gc_arena *gc); +const char *ncp_expanded_ciphers(struct options *o, struct gc_arena *gc); #endif /* ifndef OPENVPN_SSL_NCP_H */ diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 1c1649f0e..1948d1288 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -113,7 +113,7 @@ tls_ctx_server_new(struct tls_root_ctx *ctx) if (ERR_peek_error() != 0) { crypto_msg(M_WARN, "Warning: TLS server context initialisation " - "has warnings."); + "has warnings."); } } 
@@ -131,7 +131,7 @@ tls_ctx_client_new(struct tls_root_ctx *ctx) if (ERR_peek_error() != 0) { crypto_msg(M_WARN, "Warning: TLS client context initialisation " - "has warnings."); + "has warnings."); } } @@ -152,15 +152,13 @@ tls_ctx_initialised(struct tls_root_ctx *ctx) } bool -key_state_export_keying_material(struct tls_session *session, - const char *label, size_t label_size, +key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, void *ekm, size_t ekm_size) { SSL *ssl = session->key[KS_PRIMARY].ks_ssl.ssl; - if (SSL_export_keying_material(ssl, ekm, ekm_size, label, - label_size, NULL, 0, 0) == 1) + if (SSL_export_keying_material(ssl, ekm, ekm_size, label, label_size, NULL, 0, 0) == 1) { return true; } @@ -184,16 +182,15 @@ info_callback(INFO_CALLBACK_SSL_CONST SSL *s, int where, int ret) if (where & SSL_CB_LOOP) { dmsg(D_HANDSHAKE_VERBOSE, "SSL state (%s): %s", - where & SSL_ST_CONNECT ? "connect" : - where &SSL_ST_ACCEPT ? "accept" : - "undefined", SSL_state_string_long(s)); + where & SSL_ST_CONNECT ? "connect" + : where & SSL_ST_ACCEPT ? "accept" + : "undefined", + SSL_state_string_long(s)); } else if (where & SSL_CB_ALERT) { - dmsg(D_TLS_DEBUG_LOW, "%s %s SSL alert: %s", - where & SSL_CB_READ ? "Received" : "Sent", - SSL_alert_type_string_long(ret), - SSL_alert_desc_string_long(ret)); + dmsg(D_TLS_DEBUG_LOW, "%s %s SSL alert: %s", where & SSL_CB_READ ? "Received" : "Sent", + SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } } @@ -232,7 +229,7 @@ tls_version_max(void) return TLS_VER_1_2; #elif defined(TLS1_1_VERSION) || defined(SSL_OP_NO_TLSv1_1) return TLS_VER_1_1; -#else /* if defined(TLS1_3_VERSION) */ +#else /* if defined(TLS1_3_VERSION) */ return TLS_VER_1_0; #endif } 
@@ -278,10 +275,10 @@ openssl_tls_version(int ver) static bool tls_ctx_set_tls_versions(struct tls_root_ctx *ctx, unsigned int ssl_flags) { - int tls_ver_min = openssl_tls_version( - (ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK); - int tls_ver_max = openssl_tls_version( - (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK); + int tls_ver_min = + openssl_tls_version((ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK); + int tls_ver_max = + openssl_tls_version((ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK); if (!tls_ver_min) { @@ -372,7 +369,8 @@ convert_tls_list_to_openssl(char *openssl_ciphers, size_t len, const char *ciphe for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher) { end_of_cipher += strcspn(&ciphers[begin_of_cipher], ":"); - cipher_pair = tls_get_cipher_name_pair(&ciphers[begin_of_cipher], end_of_cipher - begin_of_cipher); + cipher_pair = + tls_get_cipher_name_pair(&ciphers[begin_of_cipher], end_of_cipher - begin_of_cipher); if (NULL == cipher_pair) { @@ -393,11 +391,13 @@ convert_tls_list_to_openssl(char *openssl_ciphers, size_t len, const char *ciphe current_cipher_len = strlen(current_cipher); if (end_of_cipher - begin_of_cipher == current_cipher_len - && 0 != memcmp(&ciphers[begin_of_cipher], cipher_pair->iana_name, - end_of_cipher - begin_of_cipher)) + && 0 + != memcmp(&ciphers[begin_of_cipher], cipher_pair->iana_name, + end_of_cipher - begin_of_cipher)) { /* Non-IANA name used, show warning */ - msg(M_WARN, "Deprecated TLS cipher name '%s', please use IANA name '%s'", cipher_pair->openssl_name, cipher_pair->iana_name); + msg(M_WARN, "Deprecated TLS cipher name '%s', please use IANA name '%s'", + cipher_pair->openssl_name, cipher_pair->iana_name); } } 
@@ -405,8 +405,7 @@ convert_tls_list_to_openssl(char *openssl_ciphers, size_t len, const char *ciphe if ((SIZE_MAX - openssl_ciphers_len) < current_cipher_len || (len - 1) < (openssl_ciphers_len + current_cipher_len)) { - msg(M_FATAL, - "Failed to set restricted TLS cipher list, too long (>%d).", + msg(M_FATAL, "Failed to set restricted TLS cipher list, too long (>%d).", (int)(len - 1)); } @@ -421,7 +420,7 @@ convert_tls_list_to_openssl(char *openssl_ciphers, size_t len, const char *ciphe if (openssl_ciphers_len > 0) { - openssl_ciphers[openssl_ciphers_len-1] = '\0'; + openssl_ciphers[openssl_ciphers_len - 1] = '\0'; } } @@ -431,17 +430,18 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) if (ciphers == NULL) { /* Use sane default TLS cipher list */ - if (!SSL_CTX_set_cipher_list(ctx->ctx, - /* Use openssl's default list as a basis */ - "DEFAULT" - /* Disable export ciphers and openssl's 'low' and 'medium' ciphers */ - ":!EXP:!LOW:!MEDIUM" - /* Disable static (EC)DH keys (no forward secrecy) */ - ":!kDH:!kECDH" - /* Disable DSA private keys */ - ":!DSS" - /* Disable unsupported TLS modes */ - ":!PSK:!SRP:!kRSA")) + if (!SSL_CTX_set_cipher_list( + ctx->ctx, + /* Use openssl's default list as a basis */ + "DEFAULT" + /* Disable export ciphers and openssl's 'low' and 'medium' ciphers */ + ":!EXP:!LOW:!MEDIUM" + /* Disable static (EC)DH keys (no forward secrecy) */ + ":!kDH:!kECDH" + /* Disable DSA private keys */ + ":!DSS" + /* Disable unsupported TLS modes */ + ":!PSK:!SRP:!kRSA")) { crypto_msg(M_FATAL, "Failed to set default TLS cipher list."); } @@ -461,8 +461,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) } static void -convert_tls13_list_to_openssl(char *openssl_ciphers, size_t len, - const char *ciphers) +convert_tls13_list_to_openssl(char *openssl_ciphers, size_t len, const char *ciphers) { /* * OpenSSL (and official IANA) cipher names have _ in them. We 
@@ -471,9 +470,8 @@ convert_tls13_list_to_openssl(char *openssl_ciphers, size_t len, */ if (strlen(ciphers) >= (len - 1)) { - msg(M_FATAL, - "Failed to set restricted TLS 1.3 cipher list, too long (>%d).", - (int) (len - 1)); + msg(M_FATAL, "Failed to set restricted TLS 1.3 cipher list, too long (>%d).", + (int)(len - 1)); } strncpy(openssl_ciphers, ciphers, len); @@ -498,20 +496,19 @@ tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers) } #if !defined(TLS1_3_VERSION) - crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. " + crypto_msg(M_WARN, + "Not compiled with OpenSSL 1.1.1 or higher. " "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.", ciphers); #else ASSERT(NULL != ctx); char openssl_ciphers[4096]; - convert_tls13_list_to_openssl(openssl_ciphers, sizeof(openssl_ciphers), - ciphers); + convert_tls13_list_to_openssl(openssl_ciphers, sizeof(openssl_ciphers), ciphers); if (!SSL_CTX_set_ciphersuites(ctx->ctx, openssl_ciphers)) { - crypto_msg(M_FATAL, "Failed to set restricted TLS 1.3 cipher list: %s", - openssl_ciphers); + crypto_msg(M_FATAL, "Failed to set restricted TLS 1.3 cipher list: %s", openssl_ciphers); } #endif } @@ -520,7 +517,7 @@ void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) { #if OPENSSL_VERSION_NUMBER > 0x10100000L \ - && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3060000fL) + && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3060000fL) /* OpenSSL does not have certificate profiles, but a complex set of * callbacks that we could try to implement to achieve something similar. * For now, use OpenSSL's security levels to achieve similar (but not equal) 
@@ -549,8 +546,10 @@ tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) #else /* if OPENSSL_VERSION_NUMBER > 0x10100000L */ if (profile) { - msg(M_WARN, "WARNING: OpenSSL 1.1.0 and LibreSSL do not support " - "--tls-cert-profile, ignoring user-set profile: '%s'", profile); + msg(M_WARN, + "WARNING: OpenSSL 1.1.0 and LibreSSL do not support " + "--tls-cert-profile, ignoring user-set profile: '%s'", + profile); } #endif /* if OPENSSL_VERSION_NUMBER > 0x10100000L */ } @@ -602,15 +601,13 @@ tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups) if (!SSL_CTX_set1_groups(ctx->ctx, glist, glistlen)) { - crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s", - groups); + crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s", groups); } gc_free(&gc); #else /* if OPENSSL_VERSION_NUMBER < 0x30000000L */ if (!SSL_CTX_set1_groups_list(ctx->ctx, groups)) { - crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s", - groups); + crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s", groups); } #endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L */ } @@ -652,8 +649,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) } void -tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, - bool dh_file_inline) +tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline) { BIO *bio; @@ -689,8 +685,7 @@ tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, crypto_msg(M_FATAL, "SSL_CTX_set0_tmp_dh_pkey"); } - msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key", - 8 * EVP_PKEY_get_size(dh)); + msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key", 8 * EVP_PKEY_get_size(dh)); #else /* if OPENSSL_VERSION_NUMBER >= 0x30000000L */ DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); BIO_free(bio); 
@@ -705,8 +700,7 @@ tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, crypto_msg(M_FATAL, "SSL_CTX_set_tmp_dh"); } - msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key", - 8 * DH_size(dh)); + msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key", 8 * DH_size(dh)); DH_free(dh); #endif /* if OPENSSL_VERSION_NUMBER >= 0x30000000L */ @@ -719,8 +713,8 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name) if (curve_name != NULL) { msg(M_WARN, "WARNING: OpenSSL 3.0+ builds do not support specifying an " - "ECDH curve with --ecdh-curve, using default curves. Use " - "--tls-groups to specify groups."); + "ECDH curve with --ecdh-curve, using default curves. Use " + "--tls-groups to specify groups."); } #elif !defined(OPENSSL_NO_EC) int nid = NID_undef; @@ -753,10 +747,9 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name) { /* Creating key failed, fall back on sane default */ ecdh = EC_KEY_new_by_curve_name(NID_secp384r1); - const char *source = (NULL == curve_name) ? - "extract curve from certificate" : "use supplied curve"; - msg(D_TLS_DEBUG_LOW, - "Failed to %s (%s), using secp384r1 instead.", source, sname); + const char *source = + (NULL == curve_name) ? "extract curve from certificate" : "use supplied curve"; + msg(D_TLS_DEBUG_LOW, "Failed to %s (%s), using secp384r1 instead.", source, sname); sname = OBJ_nid2sn(NID_secp384r1); } @@ -770,7 +763,7 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name) EC_KEY_free(ecdh); #else /* ifndef OPENSSL_NO_EC */ msg(D_LOW, "Your OpenSSL library was built without elliptic curve support." - " Skipping ECDH parameter loading."); + " Skipping ECDH parameter loading."); #endif /* OPENSSL_NO_EC */ } 
@@ -794,7 +787,8 @@ ui_reader(UI *ui, UI_STRING *uis) { struct user_pass up; CLEAR(up); - get_user_pass(&up, NULL, "PKCS#11 token", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY); + get_user_pass(&up, NULL, "PKCS#11 token", + GET_USER_PASS_MANAGEMENT | GET_USER_PASS_PASSWORD_ONLY); UI_set_result(ui, uis, up.password); purge_user_pass(&up, true); } @@ -845,12 +839,11 @@ load_pkey_from_uri(const char *uri, SSL_CTX *ssl_ctx) { return NULL; } - pkey = PEM_read_bio_PrivateKey(in, NULL, - SSL_CTX_get_default_passwd_cb(ssl_ctx), + pkey = PEM_read_bio_PrivateKey(in, NULL, SSL_CTX_get_default_passwd_cb(ssl_ctx), SSL_CTX_get_default_passwd_cb_userdata(ssl_ctx)); BIO_free(in); -#else /* defined(HAVE_OPENSSL_STORE_API) */ +#else /* defined(HAVE_OPENSSL_STORE_API) */ OSSL_STORE_CTX *store_ctx = NULL; OSSL_STORE_INFO *info = NULL; @@ -863,8 +856,7 @@ load_pkey_from_uri(const char *uri, SSL_CTX *ssl_ctx) } UI_method_set_reader(ui_method, ui_reader); - store_ctx = OSSL_STORE_open_ex(uri, tls_libctx, NULL, ui_method, ssl_ctx, - NULL, NULL, NULL); + store_ctx = OSSL_STORE_open_ex(uri, tls_libctx, NULL, ui_method, ssl_ctx, NULL, NULL, NULL); if (!store_ctx) { goto end; @@ -904,8 +896,8 @@ end: } int -tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, - bool pkcs12_file_inline, bool load_ca_file) +tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline, + bool load_ca_file) { FILE *fp; EVP_PKEY *pkey; @@ -920,8 +912,7 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, if (pkcs12_file_inline) { BIO *b64 = BIO_new(BIO_f_base64()); - BIO *bio = BIO_new_mem_buf((void *) pkcs12_file, - (int) strlen(pkcs12_file)); + BIO *bio = BIO_new_mem_buf((void *)pkcs12_file, (int)strlen(pkcs12_file)); ASSERT(b64 && bio); BIO_push(b64, bio); p12 = d2i_PKCS12_bio(b64, NULL); 
@@ -956,7 +947,7 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, if (!PKCS12_parse(p12, password, &pkey, &cert, &ca)) { crypto_msg(M_WARN, "Decoding PKCS12 failed. Probably wrong password " - "or unsupported/legacy encryption"); + "or unsupported/legacy encryption"); #ifdef ENABLE_MANAGEMENT if (management && (ERR_GET_REASON(ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE)) { @@ -1002,11 +993,13 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx->ctx); if (!X509_STORE_add_cert(cert_store, sk_X509_value(ca, i))) { - crypto_msg(M_FATAL, "Cannot add certificate to certificate chain (X509_STORE_add_cert)"); + crypto_msg(M_FATAL, + "Cannot add certificate to certificate chain (X509_STORE_add_cert)"); } if (!SSL_CTX_add_client_CA(ctx->ctx, sk_X509_value(ca, i))) { - crypto_msg(M_FATAL, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)"); + crypto_msg(M_FATAL, + "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)"); } } } @@ -1024,7 +1017,9 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, { if (!SSL_CTX_add_extra_chain_cert(ctx->ctx, sk_X509_value(ca, i))) { - crypto_msg(M_FATAL, "Cannot add extra certificate to chain (SSL_CTX_add_extra_chain_cert)"); + crypto_msg( + M_FATAL, + "Cannot add extra certificate to chain (SSL_CTX_add_extra_chain_cert)"); } } } @@ -1041,7 +1036,8 @@ tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert) /* Load Certificate and Private Key */ if (!SSL_CTX_use_CryptoAPI_certificate(ctx->ctx, cryptoapi_cert)) { - crypto_msg(M_FATAL, "Cannot load certificate \"%s\" from Microsoft Certificate Store", cryptoapi_cert); + crypto_msg(M_FATAL, "Cannot load certificate \"%s\" from Microsoft Certificate Store", + cryptoapi_cert); } } #endif /* ENABLE_CRYPTOAPI */ 
@@ -1059,8 +1055,7 @@ tls_ctx_add_extra_certs(struct tls_root_ctx *ctx, BIO *bio, bool optional) * is found in the buffer. If loading more certificates is * optional, break without raising an error */ - if (optional - && ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE) + if (optional && ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE) { /* remove that error from error stack */ (void)ERR_get_error(); @@ -1109,8 +1104,8 @@ tls_ctx_load_cert_uri(struct tls_root_ctx *tls_ctx, const char *uri) } UI_method_set_reader(ui_method, ui_reader); - store_ctx = OSSL_STORE_open_ex(uri, tls_libctx, NULL, ui_method, tls_ctx->ctx, - NULL, NULL, NULL); + store_ctx = + OSSL_STORE_open_ex(uri, tls_libctx, NULL, ui_method, tls_ctx->ctx, NULL, NULL, NULL); if (!store_ctx) { goto end; @@ -1187,14 +1182,13 @@ end: UI_destroy_method(ui_method); OSSL_STORE_INFO_free(info); OSSL_STORE_close(store_ctx); -#else /* defined(HAVE_OPENSSL_STORE_API */ +#else /* defined(HAVE_OPENSSL_STORE_API */ ASSERT(0); #endif /* defined(HAVE_OPENSSL_STORE_API */ } static void -tls_ctx_load_cert_pem_file(struct tls_root_ctx *ctx, const char *cert_file, - bool cert_file_inline) +tls_ctx_load_cert_pem_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline) { BIO *in = NULL; X509 *x = NULL; @@ -1204,11 +1198,11 @@ tls_ctx_load_cert_pem_file(struct tls_root_ctx *ctx, const char *cert_file, if (cert_file_inline) { - in = BIO_new_mem_buf((char *) cert_file, -1); + in = BIO_new_mem_buf((char *)cert_file, -1); } else { - in = BIO_new_file((char *) cert_file, "r"); + in = BIO_new_file((char *)cert_file, "r"); } if (in == NULL) @@ -1217,8 +1211,7 @@ tls_ctx_load_cert_pem_file(struct tls_root_ctx *ctx, const char *cert_file, goto end; } - x = PEM_read_bio_X509(in, NULL, - SSL_CTX_get_default_passwd_cb(ctx->ctx), + x = PEM_read_bio_X509(in, NULL, SSL_CTX_get_default_passwd_cb(ctx->ctx), SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx)); if (x == NULL) { 
@@ -1255,8 +1248,7 @@ end: } void -tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, - bool cert_file_inline) +tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline) { if (cert_uri_supported() && !cert_file_inline) { @@ -1283,13 +1275,12 @@ tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, if (priv_key_file_inline) { - in = BIO_new_mem_buf((char *) priv_key_file, -1); + in = BIO_new_mem_buf((char *)priv_key_file, -1); if (in == NULL) { goto end; } - pkey = PEM_read_bio_PrivateKey(in, NULL, - SSL_CTX_get_default_passwd_cb(ctx->ctx), + pkey = PEM_read_bio_PrivateKey(in, NULL, SSL_CTX_get_default_passwd_cb(ctx->ctx), SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx)); } else @@ -1324,8 +1315,7 @@ end: } void -backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, - bool crl_inline) +backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_inline) { BIO *in = NULL; @@ -1354,7 +1344,7 @@ backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, if (crl_inline) { - in = BIO_new_mem_buf((char *) crl_file, -1); + in = BIO_new_mem_buf((char *)crl_file, -1); } else { @@ -1363,8 +1353,7 @@ backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, if (in == NULL) { - msg(M_WARN, "CRL: cannot read: %s", - print_key_filename(crl_file, crl_inline)); + msg(M_WARN, "CRL: cannot read: %s", print_key_filename(crl_file, crl_inline)); goto end; } @@ -1477,9 +1466,8 @@ get_rsa_padding_name(const int padding) * @return signature length or -1 on error. */ static int -get_sig_from_man(const unsigned char *dgst, unsigned int dgstlen, - unsigned char *sig, unsigned int siglen, - const char *algorithm) +get_sig_from_man(const unsigned char *dgst, unsigned int dgstlen, unsigned char *sig, + unsigned int siglen, const char *algorithm) { char *in_b64 = NULL; char *out_b64 = NULL; 
@@ -1490,7 +1478,6 @@ get_sig_from_man(const unsigned char *dgst, unsigned int dgstlen, if (management && bencret > 0) { out_b64 = management_query_pk_sig(management, in_b64, algorithm); - } if (out_b64) { @@ -1504,8 +1491,7 @@ get_sig_from_man(const unsigned char *dgst, unsigned int dgstlen, /* sign arbitrary data */ static int -rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, - int padding) +rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { unsigned int len = RSA_size(rsa); int ret = -1; @@ -1533,8 +1519,7 @@ tls_ctx_use_external_rsa_key(struct tls_root_ctx *ctx, EVP_PKEY *pkey) ASSERT(NULL != pub_rsa); /* allocate custom RSA method object */ - rsa_meth = RSA_meth_new("OpenVPN external private key RSA Method", - RSA_METHOD_FLAG_NO_CHECK); + rsa_meth = RSA_meth_new("OpenVPN external private key RSA Method", RSA_METHOD_FLAG_NO_CHECK); check_malloc_return(rsa_meth); RSA_meth_set_pub_enc(rsa_meth, rsa_pub_enc); RSA_meth_set_pub_dec(rsa_meth, rsa_pub_dec); @@ -1594,7 +1579,7 @@ openvpn_extkey_ec_finish(EC_KEY *ec) { /* release the method structure */ const EC_KEY_METHOD *ec_meth = EC_KEY_get_method(ec); - EC_KEY_METHOD_free((EC_KEY_METHOD *) ec_meth); + EC_KEY_METHOD_free((EC_KEY_METHOD *)ec_meth); } /* EC_KEY_METHOD callback: sign(). @@ -1633,8 +1618,8 @@ ecdsa_sign_setup(EC_KEY *ec, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) * struct or NULL on error. */ static ECDSA_SIG * -ecdsa_sign_sig(const unsigned char *dgst, int dgstlen, const BIGNUM *in_kinv, - const BIGNUM *in_r, EC_KEY *ec) +ecdsa_sign_sig(const unsigned char *dgst, int dgstlen, const BIGNUM *in_kinv, const BIGNUM *in_r, + EC_KEY *ec) { ECDSA_SIG *ecsig = NULL; unsigned int len = ECDSA_size(ec); 
@@ -1732,8 +1717,7 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) #ifdef HAVE_XKEY_PROVIDER EVP_PKEY *privkey = xkey_load_management_key(tls_libctx, pkey); - if (!privkey - || !SSL_CTX_use_PrivateKey(ctx->ctx, privkey)) + if (!privkey || !SSL_CTX_use_PrivateKey(ctx->ctx, privkey)) { EVP_PKEY_free(privkey); goto cleanup; @@ -1742,7 +1726,7 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) #else /* ifdef HAVE_XKEY_PROVIDER */ #if OPENSSL_VERSION_NUMBER < 0x30000000L if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) -#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */ if (EVP_PKEY_is_a(pkey, "RSA")) #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ { @@ -1754,7 +1738,7 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) #if !defined(OPENSSL_NO_EC) #if OPENSSL_VERSION_NUMBER < 0x30000000L else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) -#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */ else if (EVP_PKEY_is_a(pkey, "EC")) #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ { @@ -1796,8 +1780,8 @@ sk_x509_name_cmp(const X509_NAME *const *a, const X509_NAME *const *b) } void -tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, - bool ca_file_inline, const char *ca_path, bool tls_server) +tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inline, + const char *ca_path, bool tls_server) { STACK_OF(X509_INFO) *info_stack = NULL; STACK_OF(X509_NAME) *cert_names = NULL; @@ -1892,8 +1876,7 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, { crypto_msg(M_WARN, "Cannot load CA certificate file %s (entry %d did not validate)", - print_key_filename(ca_file, ca_file_inline), - added); + print_key_filename(ca_file, ca_file_inline), added); } prev = cnum; } 
@@ -1909,8 +1892,7 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, if (!added) { - crypto_msg(M_FATAL, - "Cannot load CA certificate file %s (no entries were read)", + crypto_msg(M_FATAL, "Cannot load CA certificate file %s (no entries were read)", print_key_filename(ca_file, ca_file_inline)); } @@ -1918,10 +1900,10 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, { if (cnum != added) { - crypto_msg(M_FATAL, "Cannot load CA certificate file %s (only %d " + crypto_msg(M_FATAL, + "Cannot load CA certificate file %s (only %d " "of %d entries were valid X509 names)", - print_key_filename(ca_file, ca_file_inline), cnum, - added); + print_key_filename(ca_file, ca_file_inline), cnum, added); } } @@ -1961,9 +1943,7 @@ tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, if (in == NULL) { crypto_msg(M_FATAL, "Cannot load extra-certs file: %s", - print_key_filename(extra_certs_file, - extra_certs_file_inline)); - + print_key_filename(extra_certs_file, extra_certs_file_inline)); } else { @@ -1988,10 +1968,10 @@ tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, #warning BIO_DEBUG defined -static FILE *biofp; /* GLOBAL */ -static bool biofp_toggle; /* GLOBAL */ -static time_t biofp_last_open; /* GLOBAL */ -static const int biofp_reopen_interval = 600; /* GLOBAL */ +static FILE *biofp; /* GLOBAL */ +static bool biofp_toggle; /* GLOBAL */ +static time_t biofp_last_open; /* GLOBAL */ +static const int biofp_reopen_interval = 600; /* GLOBAL */ static void close_biofp(void) 
@@ -2031,8 +2011,8 @@ bio_debug_data(const char *mode, BIO *bio, const uint8_t *buf, int len, const ch if (len > 0) { open_biofp(); - fprintf(biofp, "BIO_%s %s time=%" PRIi64 " bio=" ptr_format " len=%d data=%s\n", - mode, desc, (int64_t)time(NULL), (ptr_type)bio, len, format_hex(buf, len, 0, &gc)); + fprintf(biofp, "BIO_%s %s time=%" PRIi64 " bio=" ptr_format " len=%d data=%s\n", mode, desc, + (int64_t)time(NULL), (ptr_type)bio, len, format_hex(buf, len, 0, &gc)); fflush(biofp); } gc_free(&gc); @@ -2042,8 +2022,8 @@ static void bio_debug_oc(const char *mode, BIO *bio) { open_biofp(); - fprintf(biofp, "BIO %s time=%" PRIi64 " bio=" ptr_format "\n", - mode, (int64_t)time(NULL), (ptr_type)bio); + fprintf(biofp, "BIO %s time=%" PRIi64 " bio=" ptr_format "\n", mode, (int64_t)time(NULL), + (ptr_type)bio); fflush(biofp); } @@ -2082,13 +2062,12 @@ bio_write(BIO *bio, const uint8_t *data, int size, const char *desc) } else if (i != size) { - crypto_msg(D_TLS_ERRORS, "TLS ERROR: BIO write %s incomplete %d/%d", - desc, i, size); + crypto_msg(D_TLS_ERRORS, "TLS ERROR: BIO write %s incomplete %d/%d", desc, i, size); ret = -1; ERR_clear_error(); } else - { /* successful write */ + { /* successful write */ dmsg(D_HANDSHAKE_VERBOSE, "BIO write %s %d bytes", desc, i); ret = 1; } @@ -2104,9 +2083,9 @@ bio_write(BIO *bio, const uint8_t *data, int size, const char *desc) static void bio_write_post(const int status, struct buffer *buf) { - if (status == 1) /* success status return from bio_write? */ + if (status == 1) /* success status return from bio_write? */ { - memset(BPTR(buf), 0, BLEN(buf)); /* erase data just written */ + memset(BPTR(buf), 0, BLEN(buf)); /* erase data just written */ buf->len = 0; } } 
@@ -2132,7 +2111,7 @@ bio_read(BIO *bio, struct buffer *buf, const char *desc) */ int i = BIO_read(bio, BPTR(buf), len); - VALGRIND_MAKE_READABLE((void *) &i, sizeof(i)); + VALGRIND_MAKE_READABLE((void *)&i, sizeof(i)); #ifdef BIO_DEBUG bio_debug_data("read", bio, BPTR(buf), i, desc); @@ -2154,17 +2133,18 @@ bio_read(BIO *bio, struct buffer *buf, const char *desc) buf->len = 0; } else - { /* successful read */ + { /* successful read */ dmsg(D_HANDSHAKE_VERBOSE, "BIO read %s %d bytes", desc, i); buf->len = i; ret = 1; - VALGRIND_MAKE_READABLE((void *) BPTR(buf), BLEN(buf)); + VALGRIND_MAKE_READABLE((void *)BPTR(buf), BLEN(buf)); } return ret; } void -key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session) +key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, + struct tls_session *session) { ASSERT(NULL != ssl_ctx); ASSERT(ks_ssl); @@ -2232,8 +2212,7 @@ key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf) ASSERT(NULL != ks_ssl); - ret = bio_write(ks_ssl->ssl_bio, BPTR(buf), BLEN(buf), - "tls_write_plaintext"); + ret = bio_write(ks_ssl->ssl_bio, BPTR(buf), BLEN(buf), "tls_write_plaintext"); bio_write_post(ret, buf); perf_pop(); @@ -2337,7 +2316,7 @@ print_pkey_details(EVP_PKEY *pkey, char *buf, size_t buflen) type = OBJ_nid2sn(typeid); /* OpenSSL reports rsaEncryption, dsaEncryption and - * id-ecPublicKey, map these values to nicer ones */ + * id-ecPublicKey, map these values to nicer ones */ if (typeid == EVP_PKEY_RSA) { type = "RSA"; @@ -2355,7 +2334,7 @@ print_pkey_details(EVP_PKEY *pkey, char *buf, size_t buflen) { type = "unknown type"; } -#else /* OpenSSL >= 3 */ +#else /* OpenSSL >= 3 */ type = EVP_PKEY_get0_type_name(pkey); if (type == NULL) { 
@@ -2364,8 +2343,7 @@ print_pkey_details(EVP_PKEY *pkey, char *buf, size_t buflen) #endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L */ } - snprintf(buf, buflen, "%d bits %s%s", - EVP_PKEY_bits(pkey), type, curve); + snprintf(buf, buflen, "%d bits %s%s", EVP_PKEY_bits(pkey), type, curve); } /** @@ -2385,12 +2363,10 @@ print_cert_details(X509 *cert, char *buf, size_t buflen) int signature_nid = X509_get_signature_nid(cert); if (signature_nid != 0) { - snprintf(sig, sizeof(sig), ", signature: %s", - OBJ_nid2sn(signature_nid)); + snprintf(sig, sizeof(sig), ", signature: %s", OBJ_nid2sn(signature_nid)); } - snprintf(buf, buflen, ", peer certificate: %s%s", - pkeybuf, sig); + snprintf(buf, buflen, ", peer certificate: %s%s", pkeybuf, sig); EVP_PKEY_free(pkey); } @@ -2408,8 +2384,7 @@ print_server_tempkey(SSL *ssl, char *buf, size_t buflen) char pkeybuf[128] = { 0 }; print_pkey_details(pkey, pkeybuf, sizeof(pkeybuf)); - snprintf(buf, buflen, ", peer temporary key: %s", - pkeybuf); + snprintf(buf, buflen, ", peer temporary key: %s", pkeybuf); EVP_PKEY_free(pkey); } @@ -2471,8 +2446,7 @@ print_peer_signature(SSL *ssl, char *buf, size_t buflen) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3090000fL) /* LibreSSL 3.7.x and 3.8.x implement this function but do not export it * and fail linking with an unresolved symbol */ - if (SSL_get_peer_signature_type_nid(ssl, &peer_sig_type_nid) - && peer_sig_type_nid != NID_undef) + if (SSL_get_peer_signature_type_nid(ssl, &peer_sig_type_nid) && peer_sig_type_nid != NID_undef) { peer_sig_type = get_sigtype(peer_sig_type_nid); } @@ -2483,8 +2457,7 @@ print_peer_signature(SSL *ssl, char *buf, size_t buflen) return; } - snprintf(buf, buflen, ", peer signing digest/type: %s %s", - peer_sig, peer_sig_type); + snprintf(buf, buflen, ", peer signing digest/type: %s %s", peer_sig, peer_sig_type); } #if OPENSSL_VERSION_NUMBER >= 0x30000000L 
@@ -2522,11 +2495,8 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix) s1[0] = s2[0] = s3[0] = s4[0] = s5[0] = 0; ciph = SSL_get_current_cipher(ks_ssl->ssl); - snprintf(s1, sizeof(s1), "%s %s, cipher %s %s", - prefix, - SSL_get_version(ks_ssl->ssl), - SSL_CIPHER_get_version(ciph), - SSL_CIPHER_get_name(ciph)); + snprintf(s1, sizeof(s1), "%s %s, cipher %s %s", prefix, SSL_get_version(ks_ssl->ssl), + SSL_CIPHER_get_version(ciph), SSL_CIPHER_get_name(ciph)); X509 *cert = SSL_get_peer_certificate(ks_ssl->ssl); if (cert) @@ -2544,9 +2514,7 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix) } void -show_available_tls_ciphers_list(const char *cipher_list, - const char *tls_cert_profile, - bool tls13) +show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13) { struct tls_root_ctx tls_ctx; @@ -2559,8 +2527,7 @@ show_available_tls_ciphers_list(const char *cipher_list, #if defined(TLS1_3_VERSION) if (tls13) { - SSL_CTX_set_min_proto_version(tls_ctx.ctx, - openssl_tls_version(TLS_VER_1_3)); + SSL_CTX_set_min_proto_version(tls_ctx.ctx, openssl_tls_version(TLS_VER_1_3)); tls_ctx_restrict_ciphers_tls13(&tls_ctx, cipher_list); } else @@ -2599,8 +2566,7 @@ show_available_tls_ciphers_list(const char *cipher_list, else if (NULL == pair) { /* No translation found, print warning */ - printf("%s (No IANA name known to OpenVPN, use OpenSSL name.)\n", - cipher_name); + printf("%s (No IANA name known to OpenVPN, use OpenSSL name.)\n", cipher_name); } else { @@ -2638,7 +2604,7 @@ show_available_curves(void) for (n = 0; n < crv_len; n++) { const char *sname; - sname = OBJ_nid2sn(curves[n].nid); + sname = OBJ_nid2sn(curves[n].nid); if (sname == NULL) { sname = ""; 
@@ -2654,7 +2620,7 @@ show_available_curves(void) free(curves); #else /* ifndef OPENSSL_NO_EC */ msg(M_WARN, "Your OpenSSL library was built without elliptic curve support. " - "No curves available."); + "No curves available."); #endif /* ifndef OPENSSL_NO_EC */ } @@ -2678,7 +2644,7 @@ provider_load(OSSL_PROVIDER *prov, void *dest_libctx) static int provider_unload(OSSL_PROVIDER *prov, void *unused) { - (void) unused; + (void)unused; OSSL_PROVIDER_unload(prov); return 1; } @@ -2716,7 +2682,7 @@ load_xkey_provider(void) if (!OSSL_PROVIDER_load(tls_libctx, "ovpn.xkey")) { msg(M_NONFATAL, "ERROR: failed loading external key provider: " - "Signing with external keys will not work."); + "Signing with external keys will not work."); } } diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h index 966bb4473..08a3d5328 100644 --- a/src/openvpn/ssl_openssl.h +++ b/src/openvpn/ssl_openssl.h @@ -36,17 +36,19 @@ * Structure that wraps the TLS context. Contents differ depending on the * SSL library used. */ -struct tls_root_ctx { +struct tls_root_ctx +{ SSL_CTX *ctx; time_t crl_last_mtime; off_t crl_last_size; }; -struct key_state_ssl { - SSL *ssl; /* SSL object -- new obj created for each new key */ - BIO *ssl_bio; /* read/write plaintext from here */ - BIO *ct_in; /* write ciphertext to here */ - BIO *ct_out; /* read ciphertext from here */ +struct key_state_ssl +{ + SSL *ssl; /* SSL object -- new obj created for each new key */ + BIO *ssl_bio; /* read/write plaintext from here */ + BIO *ct_in; /* write ciphertext to here */ + BIO *ct_out; /* read ciphertext from here */ }; /** diff --git a/src/openvpn/ssl_pkt.c b/src/openvpn/ssl_pkt.c index e730e3335..b901f87a2 100644 --- a/src/openvpn/ssl_pkt.c +++ b/src/openvpn/ssl_pkt.c 
@@ -61,8 +61,7 @@ swap_hmac(struct buffer *buf, const struct crypto_options *co, bool incoming) { ASSERT(co); - const struct key_ctx *ctx = (incoming ? &co->key_ctx_bi.decrypt : - &co->key_ctx_bi.encrypt); + const struct key_ctx *ctx = (incoming ? &co->key_ctx_bi.decrypt : &co->key_ctx_bi.encrypt); ASSERT(ctx->hmac); { @@ -120,8 +119,7 @@ static void tls_wrap_control(struct tls_wrap_ctx *ctx, uint8_t header, struct buffer *buf, struct session_id *session_id) { - if (ctx->mode == TLS_WRAP_AUTH - || ctx->mode == TLS_WRAP_NONE) + if (ctx->mode == TLS_WRAP_AUTH || ctx->mode == TLS_WRAP_NONE) { ASSERT(session_id_write_prepend(session_id, buf)); ASSERT(buf_write_prepend(buf, &header, sizeof(header))); @@ -148,8 +146,7 @@ tls_wrap_control(struct tls_wrap_ctx *ctx, uint8_t header, struct buffer *buf, if ((header >> P_OPCODE_SHIFT) == P_CONTROL_HARD_RESET_CLIENT_V3 || (header >> P_OPCODE_SHIFT) == P_CONTROL_WKC_V1) { - if (!buf_copy(&ctx->work, - ctx->tls_crypt_v2_wkc)) + if (!buf_copy(&ctx->work, ctx->tls_crypt_v2_wkc)) { msg(D_TLS_ERRORS, "Could not append tls-crypt-v2 client key"); buf->len = 0; @@ -164,12 +161,8 @@ tls_wrap_control(struct tls_wrap_ctx *ctx, uint8_t header, struct buffer *buf, } void -write_control_auth(struct tls_session *session, - struct key_state *ks, - struct buffer *buf, - struct link_socket_actual **to_link_addr, - int opcode, - int max_ack, +write_control_auth(struct tls_session *session, struct key_state *ks, struct buffer *buf, + struct link_socket_actual **to_link_addr, int opcode, int max_ack, bool prepend_ack) { uint8_t header = ks->key_id | (opcode << P_OPCODE_SHIFT); 
@@ -184,34 +177,30 @@ write_control_auth(struct tls_session *session,
     }
 
     ASSERT(link_socket_actual_defined(&ks->remote_addr));
-    ASSERT(reliable_ack_write
-               (ks->rec_ack, ks->lru_acks, buf, &ks->session_id_remote,
-               max_ack, prepend_ack));
+    ASSERT(reliable_ack_write(ks->rec_ack, ks->lru_acks, buf, &ks->session_id_remote, max_ack,
+                              prepend_ack));
 
     msg(D_TLS_DEBUG, "%s(): %s", __func__, packet_opcode_name(opcode));
 
-    tls_wrap_control(tls_session_get_tls_wrap(session, ks->key_id), header, buf, &session->session_id);
+    tls_wrap_control(tls_session_get_tls_wrap(session, ks->key_id), header, buf,
+                     &session->session_id);
 
     *to_link_addr = &ks->remote_addr;
 }
 
 bool
-read_control_auth(struct buffer *buf,
-                  struct tls_wrap_ctx *ctx,
-                  const struct link_socket_actual *from,
-                  const struct tls_options *opt,
+read_control_auth(struct buffer *buf, struct tls_wrap_ctx *ctx,
+                  const struct link_socket_actual *from, const struct tls_options *opt,
                   bool initial_packet)
 {
     struct gc_arena gc = gc_new();
     bool ret = false;
 
     const uint8_t opcode = *(BPTR(buf)) >> P_OPCODE_SHIFT;
-    if ((opcode == P_CONTROL_HARD_RESET_CLIENT_V3
-         || opcode == P_CONTROL_WKC_V1)
+    if ((opcode == P_CONTROL_HARD_RESET_CLIENT_V3 || opcode == P_CONTROL_WKC_V1)
         && !tls_crypt_v2_extract_client_key(buf, ctx, opt, initial_packet))
     {
-        msg(D_TLS_ERRORS,
-            "TLS Error: can not extract tls-crypt-v2 client key from %s",
+        msg(D_TLS_ERRORS, "TLS Error: can not extract tls-crypt-v2 client key from %s",
             print_link_socket_actual(from, &gc));
         goto cleanup;
     }
@@ -223,8 +212,7 @@ read_control_auth(struct buffer *buf,
         /* move the hmac record to the front of the packet */
         if (!swap_hmac(buf, &ctx->opt, true))
         {
-            msg(D_TLS_ERRORS,
-                "TLS Error: cannot locate HMAC in incoming packet from %s",
+            msg(D_TLS_ERRORS, "TLS Error: cannot locate HMAC in incoming packet from %s",
                 print_link_socket_actual(from, &gc));
             gc_free(&gc);
             return false;
@@ -235,12 +223,10 @@ read_control_auth(struct buffer *buf,
         openvpn_decrypt(buf, null, &ctx->opt, NULL, BPTR(buf));
         if (!buf->len)
         {
-            msg(D_TLS_ERRORS,
-                "TLS Error: incoming packet authentication failed from %s",
+            msg(D_TLS_ERRORS, "TLS Error: incoming packet authentication failed from %s",
                 print_link_socket_actual(from, &gc));
             goto cleanup;
         }
-
     }
     else if (ctx->mode == TLS_WRAP_CRYPT)
     {
@@ -304,17 +290,14 @@ free_tls_pre_decrypt_state(struct tls_pre_decrypt_state *state)
  * on the UDP port listener in --mode server mode.
  */
 enum first_packet_verdict
-tls_pre_decrypt_lite(const struct tls_auth_standalone *tas,
-                     struct tls_pre_decrypt_state *state,
-                     const struct link_socket_actual *from,
-                     const struct buffer *buf)
+tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, struct tls_pre_decrypt_state *state,
+                     const struct link_socket_actual *from, const struct buffer *buf)
 {
     struct gc_arena gc = gc_new();
     /* A packet needs to have at least an opcode and session id */
     if (buf->len < (1 + SID_SIZE))
     {
-        dmsg(D_TLS_STATE_ERRORS,
-             "TLS State Error: Too short packet (length %d) received from %s",
+        dmsg(D_TLS_STATE_ERRORS, "TLS State Error: Too short packet (length %d) received from %s",
              buf->len, print_link_socket_actual(from, &gc));
         goto error;
     }
@@ -328,27 +311,21 @@ tls_pre_decrypt_lite(const struct tls_auth_standalone *tas,
      * scrutinize carefully */
 
     /* Allow only the reset packet or the first packet of the actual handshake. */
-    if (op != P_CONTROL_HARD_RESET_CLIENT_V2
-        && op != P_CONTROL_HARD_RESET_CLIENT_V3
-        && op != P_CONTROL_V1
-        && op != P_CONTROL_WKC_V1
-        && op != P_ACK_V1)
+    if (op != P_CONTROL_HARD_RESET_CLIENT_V2 && op != P_CONTROL_HARD_RESET_CLIENT_V3
+        && op != P_CONTROL_V1 && op != P_CONTROL_WKC_V1 && op != P_ACK_V1)
     {
         /*
          * This can occur due to bogus data or DoS packets.
          */
-        dmsg(D_TLS_STATE_ERRORS,
-             "TLS State Error: No TLS state for client %s, opcode=%d",
-             print_link_socket_actual(from, &gc),
-             op);
+        dmsg(D_TLS_STATE_ERRORS, "TLS State Error: No TLS state for client %s, opcode=%d",
+             print_link_socket_actual(from, &gc), op);
         goto error;
     }
 
     if (key_id != 0)
     {
         dmsg(D_TLS_STATE_ERRORS,
-             "TLS State Error: Unknown key ID (%d) received from %s -- 0 was expected",
-             key_id,
+             "TLS State Error: Unknown key ID (%d) received from %s -- 0 was expected", key_id,
              print_link_socket_actual(from, &gc));
         goto error;
     }
@@ -360,8 +337,7 @@ tls_pre_decrypt_lite(const struct tls_auth_standalone *tas,
     if (!session_id_read(&state->peer_session_id, &tmp)
         || !session_id_defined(&state->peer_session_id))
     {
-        msg(D_TLS_ERRORS,
-            "TLS Error: session-id not found in packet from %s",
+        msg(D_TLS_ERRORS, "TLS Error: session-id not found in packet from %s",
             print_link_socket_actual(from, &gc));
         goto error;
     }
@@ -372,8 +348,7 @@ tls_pre_decrypt_lite(const struct tls_auth_standalone *tas,
     /* HMAC test and unwrapping the encrypted part of the control message
      * into newbuf or just setting newbuf to point to the start of control
      * message */
-    bool status = read_control_auth(&state->newbuf, &state->tls_wrap_tmp,
-                                    from, NULL, true);
+    bool status = read_control_auth(&state->newbuf, &state->tls_wrap_tmp, from, NULL, true);
 
     if (!status)
     {
@@ -425,11 +400,8 @@ error:
 
 
 struct buffer
-tls_reset_standalone(struct tls_wrap_ctx *ctx,
-                     struct tls_auth_standalone *tas,
-                     struct session_id *own_sid,
-                     struct session_id *remote_sid,
-                     uint8_t header,
+tls_reset_standalone(struct tls_wrap_ctx *ctx, struct tls_auth_standalone *tas,
+                     struct session_id *own_sid, struct session_id *remote_sid, uint8_t header,
                      bool request_resend_wkc)
 {
     /* Copy buffer here to point at the same data but allow tls_wrap_control
@@ -484,12 +456,11 @@ session_id_hmac_init(void)
 }
 
 struct session_id
-calculate_session_id_hmac(struct session_id client_sid,
-                          const struct openvpn_sockaddr *from,
-                          hmac_ctx_t *hmac,
-                          int handwindow, int offset)
+calculate_session_id_hmac(struct session_id client_sid, const struct openvpn_sockaddr *from,
+                          hmac_ctx_t *hmac, int handwindow, int offset)
 {
-    union {
+    union
+    {
         uint8_t hmac_result[SHA256_DIGEST_LENGTH];
         struct session_id sid;
     } result;
@@ -497,23 +468,22 @@ calculate_session_id_hmac(struct session_id client_sid,
     /* Get the valid time quantisation for our hmac,
      * we divide time by handwindow/2 and allow the previous
      * and future session time if specified by offset */
-    uint32_t session_id_time = ntohl(now/((handwindow+1)/2) + offset);
+    uint32_t session_id_time = ntohl(now / ((handwindow + 1) / 2) + offset);
 
     hmac_ctx_reset(hmac);
 
     /* We do not care about endian here since it does not need to be
      * portable */
-    hmac_ctx_update(hmac, (const uint8_t *) &session_id_time,
-                    sizeof(session_id_time));
+    hmac_ctx_update(hmac, (const uint8_t *)&session_id_time, sizeof(session_id_time));
 
     /* add client IP and port */
     switch (from->addr.sa.sa_family)
     {
         case AF_INET:
-            hmac_ctx_update(hmac, (const uint8_t *) &from->addr.in4, sizeof(struct sockaddr_in));
+            hmac_ctx_update(hmac, (const uint8_t *)&from->addr.in4, sizeof(struct sockaddr_in));
             break;
         case AF_INET6:
-            hmac_ctx_update(hmac, (const uint8_t *) &from->addr.in6, sizeof(struct sockaddr_in6));
+            hmac_ctx_update(hmac, (const uint8_t *)&from->addr.in6, sizeof(struct sockaddr_in6));
             break;
     }
 
@@ -526,10 +496,8 @@ calculate_session_id_hmac(struct session_id client_sid,
 }
 
 bool
-check_session_id_hmac(struct tls_pre_decrypt_state *state,
-                      const struct openvpn_sockaddr *from,
-                      hmac_ctx_t *hmac,
-                      int handwindow)
+check_session_id_hmac(struct tls_pre_decrypt_state *state, const struct openvpn_sockaddr *from,
+                      hmac_ctx_t *hmac, int handwindow)
 {
     if (!from)
     {
@@ -574,7 +542,7 @@ extract_command_buffer(struct buffer *buf, struct gc_arena *gc)
     }
 
     /* include the NUL byte and ensure NUL termination */
-    cmdlen += 1;
+    cmdlen += 1;
 
     /* Construct a buffer that only holds the current command and
      * its closing NUL byte */
diff --git a/src/openvpn/ssl_pkt.h b/src/openvpn/ssl_pkt.h
index 1e9f4e98f..8fe488043 100644
--- a/src/openvpn/ssl_pkt.h
+++ b/src/openvpn/ssl_pkt.h
@@ -35,40 +35,40 @@
 #include "ssl_common.h"
 
 /* packet opcode (high 5 bits) and key-id (low 3 bits) are combined in one byte */
-#define P_KEY_ID_MASK 0x07
-#define P_OPCODE_SHIFT 3
+#define P_KEY_ID_MASK 0x07
+#define P_OPCODE_SHIFT 3
 
 /* packet opcodes -- the V1 is intended to allow protocol changes in the future */
-#define P_CONTROL_HARD_RESET_CLIENT_V1 1 /* initial key from client, forget previous state */
-#define P_CONTROL_HARD_RESET_SERVER_V1 2 /* initial key from server, forget previous state */
-#define P_CONTROL_SOFT_RESET_V1 3 /* new key, graceful transition from old to new key */
-#define P_CONTROL_V1 4 /* control channel packet (usually TLS ciphertext) */
-#define P_ACK_V1 5 /* acknowledgement for packets received */
-#define P_DATA_V1 6 /* data channel packet */
-#define P_DATA_V2 9 /* data channel packet with peer-id */
+#define P_CONTROL_HARD_RESET_CLIENT_V1 1 /* initial key from client, forget previous state */
+#define P_CONTROL_HARD_RESET_SERVER_V1 2 /* initial key from server, forget previous state */
+#define P_CONTROL_SOFT_RESET_V1 3 /* new key, graceful transition from old to new key */
+#define P_CONTROL_V1 4 /* control channel packet (usually TLS ciphertext) */
+#define P_ACK_V1 5 /* acknowledgement for packets received */
+#define P_DATA_V1 6 /* data channel packet */
+#define P_DATA_V2 9 /* data channel packet with peer-id */
 
 /* indicates key_method >= 2 */
-#define P_CONTROL_HARD_RESET_CLIENT_V2 7 /* initial key from client, forget previous state */
-#define P_CONTROL_HARD_RESET_SERVER_V2 8 /* initial key from server, forget previous state */
+#define P_CONTROL_HARD_RESET_CLIENT_V2 7 /* initial key from client, forget previous state */
+#define P_CONTROL_HARD_RESET_SERVER_V2 8 /* initial key from server, forget previous state */
 
 /* indicates key_method >= 2 and client-specific tls-crypt key */
-#define P_CONTROL_HARD_RESET_CLIENT_V3 10 /* initial key from client, forget previous state */
+#define P_CONTROL_HARD_RESET_CLIENT_V3 10 /* initial key from client, forget previous state */
 
 /* Variant of P_CONTROL_V1 but with appended wrapped key
  * like P_CONTROL_HARD_RESET_CLIENT_V3 */
-#define P_CONTROL_WKC_V1 11
+#define P_CONTROL_WKC_V1 11
 
 /* define the range of legal opcodes
  * Since we do no longer support key-method 1 we consider
  * the v1 op codes invalid */
-#define P_FIRST_OPCODE 3
-#define P_LAST_OPCODE 11
+#define P_FIRST_OPCODE 3
+#define P_LAST_OPCODE 11
 
 /*
  * Define number of buffers for send and receive in the reliability layer.
  */
-#define TLS_RELIABLE_N_SEND_BUFFERS 6 /* also window size for reliability layer */
-#define TLS_RELIABLE_N_REC_BUFFERS 12
+#define TLS_RELIABLE_N_SEND_BUFFERS 6 /* also window size for reliability layer */
+#define TLS_RELIABLE_N_REC_BUFFERS 12
 
 /*
  * Used in --mode server mode to check tls-auth signature on initial
@@ -81,7 +81,8 @@ struct tls_auth_standalone
     struct frame frame;
 };
 
-enum first_packet_verdict {
+enum first_packet_verdict
+{
     /** This packet is a valid reset packet from the peer (all but tls-crypt-v2) */
     VERDICT_VALID_RESET_V2,
     /** This is a valid v3 reset (tls-crypt-v2) */
@@ -101,7 +102,8 @@ enum first_packet_verdict {
  * struct that stores the temporary data for the tls lite decrypt
  * functions
  */
-struct tls_pre_decrypt_state {
+struct tls_pre_decrypt_state
+{
     struct tls_wrap_ctx tls_wrap_tmp;
     struct buffer newbuf;
     struct session_id peer_session_id;
@@ -144,11 +146,10 @@ void free_tls_pre_decrypt_state(struct tls_pre_decrypt_state *state);
  * @li False if the packet is not valid, did not pass the HMAC firewall
  * test, or some other error occurred.
  */
-enum first_packet_verdict
-tls_pre_decrypt_lite(const struct tls_auth_standalone *tas,
-                     struct tls_pre_decrypt_state *state,
-                     const struct link_socket_actual *from,
-                     const struct buffer *buf);
+enum first_packet_verdict tls_pre_decrypt_lite(const struct tls_auth_standalone *tas,
+                                               struct tls_pre_decrypt_state *state,
+                                               const struct link_socket_actual *from,
+                                               const struct buffer *buf);
 
 /* Creates an SHA256 HMAC context with a random key that is used for the
  * session id.
@@ -170,11 +171,9 @@ hmac_ctx_t *session_id_hmac_init(void);
  * @param offset offset to 'now' to use
  * @return the expected server session id
  */
-struct session_id
-calculate_session_id_hmac(struct session_id client_sid,
-                          const struct openvpn_sockaddr *from,
-                          hmac_ctx_t *hmac,
-                          int handwindow, int offset);
+struct session_id calculate_session_id_hmac(struct session_id client_sid,
+                                            const struct openvpn_sockaddr *from, hmac_ctx_t *hmac,
+                                            int handwindow, int offset);
 
 /**
  * Checks if a control packet has a correct HMAC server session id
@@ -185,24 +184,15 @@ calculate_session_id_hmac(struct session_id client_sid,
  * @param handwindow the quantisation of the current time
  * @return the expected server session id
  */
-bool
-check_session_id_hmac(struct tls_pre_decrypt_state *state,
-                      const struct openvpn_sockaddr *from,
-                      hmac_ctx_t *hmac,
-                      int handwindow);
+bool check_session_id_hmac(struct tls_pre_decrypt_state *state, const struct openvpn_sockaddr *from,
+                           hmac_ctx_t *hmac, int handwindow);
 
 /*
  * Write a control channel authentication record.
  */
-void
-write_control_auth(struct tls_session *session,
-                   struct key_state *ks,
-                   struct buffer *buf,
-                   struct link_socket_actual **to_link_addr,
-                   int opcode,
-                   int max_ack,
-                   bool prepend_ack);
-
+void write_control_auth(struct tls_session *session, struct key_state *ks, struct buffer *buf,
+                        struct link_socket_actual **to_link_addr, int opcode, int max_ack,
+                        bool prepend_ack);
 
 
 /**
@@ -214,12 +204,9 @@ write_control_auth(struct tls_session *session,
  * @param initial_packet whether this is the initial packet for the connection
  * @return if the packet was successfully processed
  */
-bool
-read_control_auth(struct buffer *buf,
-                  struct tls_wrap_ctx *ctx,
-                  const struct link_socket_actual *from,
-                  const struct tls_options *opt,
-                  bool initial_packet);
+bool read_control_auth(struct buffer *buf, struct tls_wrap_ctx *ctx,
+                       const struct link_socket_actual *from, const struct tls_options *opt,
+                       bool initial_packet);
 
 
 /**
@@ -227,13 +214,9 @@ read_control_auth(struct buffer *buf,
  * from the tls pre decrypt state.
  *
  */
-struct buffer
-tls_reset_standalone(struct tls_wrap_ctx *ctx,
-                     struct tls_auth_standalone *tas,
-                     struct session_id *own_sid,
-                     struct session_id *remote_sid,
-                     uint8_t header,
-                     bool request_resend_wkc);
+struct buffer tls_reset_standalone(struct tls_wrap_ctx *ctx, struct tls_auth_standalone *tas,
+                                   struct session_id *own_sid, struct session_id *remote_sid,
+                                   uint8_t header, bool request_resend_wkc);
 
 
 /**
@@ -246,8 +229,7 @@ tls_reset_standalone(struct tls_wrap_ctx *ctx,
  * with length 0 if there is no message or the message has
  * invalid characters.
  */
-struct buffer
-extract_command_buffer(struct buffer *buf, struct gc_arena *gc);
+struct buffer extract_command_buffer(struct buffer *buf, struct gc_arena *gc);
 
 static inline const char *
 packet_opcode_name(int op)
@@ -323,14 +305,14 @@ tls_session_get_tls_wrap(struct tls_session *session, int key_id)
  * but the network time part of the packet id takes care of that. And
  * this is also a rather theoretical scenario as it still needs more than
  * 2^31 control channel packets to happen */
-#define EARLY_NEG_MASK 0xff000000
-#define EARLY_NEG_START 0x0f000000
+#define EARLY_NEG_MASK 0xff000000
+#define EARLY_NEG_START 0x0f000000
 
 /* Early negotiation that part of the server response in the RESET_V2 packet.
  * Since clients that announce early negotiation support will treat the payload
  * of reset packets special and parse it as TLV messages.
  * as TLV (type, length, value) */
-#define TLV_TYPE_EARLY_NEG_FLAGS 0x0001
-#define EARLY_NEG_FLAG_RESEND_WKC 0x0001
+#define TLV_TYPE_EARLY_NEG_FLAGS 0x0001
+#define EARLY_NEG_FLAG_RESEND_WKC 0x0001
 
 #endif /* ifndef SSL_PKT_H */
diff --git a/src/openvpn/ssl_util.c b/src/openvpn/ssl_util.c
index 6e0063054..918a1f191 100644
--- a/src/openvpn/ssl_util.c
+++ b/src/openvpn/ssl_util.c
@@ -28,8 +28,7 @@
 #include "ssl_util.h"
 
 char *
-extract_var_peer_info(const char *peer_info, const char *var,
-                      struct gc_arena *gc)
+extract_var_peer_info(const char *peer_info, const char *var, struct gc_arena *gc)
 {
     if (!peer_info)
     {
@@ -77,8 +76,10 @@ const char *
 options_string_compat_lzo(const char *options, struct gc_arena *gc)
 {
     /* Example string without and with comp-lzo, i.e. input/output of this function */
-    /* w/o comp: 'V4,dev-type tun,link-mtu 1457,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server' */
-    /* comp-lzo: 'V4,dev-type tun,link-mtu 1458,tun-mtu 1400,proto UDPv4,comp-lzo,auth SHA1,keysize 128,key-method 2,tls-server' */
+    /* w/o comp: 'V4,dev-type tun,link-mtu 1457,tun-mtu 1400,proto UDPv4,auth SHA1,keysize
+     * 128,key-method 2,tls-server' */
+    /* comp-lzo: 'V4,dev-type tun,link-mtu 1458,tun-mtu 1400,proto UDPv4,comp-lzo,auth SHA1,keysize
+     * 128,key-method 2,tls-server' */
 
     /* Note: since this function is used only in a very limited scope it makes
      * assumptions how the string looks. Since we locally generated the string
@@ -118,146 +119,156 @@ options_string_compat_lzo(const char *options, struct gc_arena *gc)
  * SSL/TLS Cipher suite name translation table
  */
 static const tls_cipher_name_pair tls_cipher_name_translation_table[] = {
-    {"ADH-SEED-SHA", "TLS-DH-anon-WITH-SEED-CBC-SHA"},
-    {"AES128-GCM-SHA256", "TLS-RSA-WITH-AES-128-GCM-SHA256"},
-    {"AES128-SHA256", "TLS-RSA-WITH-AES-128-CBC-SHA256"},
-    {"AES128-SHA", "TLS-RSA-WITH-AES-128-CBC-SHA"},
-    {"AES256-GCM-SHA384", "TLS-RSA-WITH-AES-256-GCM-SHA384"},
-    {"AES256-SHA256", "TLS-RSA-WITH-AES-256-CBC-SHA256"},
-    {"AES256-SHA", "TLS-RSA-WITH-AES-256-CBC-SHA"},
-    {"CAMELLIA128-SHA256", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
-    {"CAMELLIA128-SHA", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"},
-    {"CAMELLIA256-SHA256", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
-    {"CAMELLI A256-SHA", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA"},
-    {"DES-CBC3-SHA", "TLS-RSA-WITH-3DES-EDE-CBC-SHA"},
-    {"DES-CBC-SHA", "TLS-RSA-WITH-DES-CBC-SHA"},
-    {"DH-DSS-SEED-SHA", "TLS-DH-DSS-WITH-SEED-CBC-SHA"},
-    {"DHE-DSS-AES128-GCM-SHA256", "TLS-DHE-DSS-WITH-AES-128-GCM-SHA256"},
-    {"DHE-DSS-AES128-SHA256", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA256"},
-    {"DHE-DSS-AES128-SHA", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA"},
-    {"DHE-DSS-AES256-GCM-SHA384", "TLS-DHE-DSS-WITH-AES-256-GCM-SHA384"},
-    {"DHE-DSS-AES256-SHA256", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA256"},
-    {"DHE-DSS-AES256-SHA", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA"},
-    {"DHE-DSS-CAMELLIA128-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256"},
-    {"DHE-DSS-CAMELLIA128-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA"},
-    {"DHE-DSS-CAMELLIA256-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256"},
-    {"DHE-DSS-CAMELLIA256-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA"},
-    {"DHE-DSS-SEED-SHA", "TLS-DHE-DSS-WITH-SEED-CBC-SHA"},
-    {"DHE-RSA-AES128-GCM-SHA256", "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"},
-    {"DHE-RSA-AES128-SHA256", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256"},
-    {"DHE-RSA-AES128-SHA", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"},
-    {"DHE-RSA-AES256-GCM-SHA384", "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"},
-    {"DHE-RSA-AES256-SHA256", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"},
-    {"DHE-RSA-AES256-SHA", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"},
-    {"DHE-RSA-CAMELLIA128-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
-    {"DHE-RSA-CAMELLIA128-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
-    {"DHE-RSA-CAMELLIA256-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
-    {"DHE-RSA-CAMELLIA256-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
-    {"DHE-RSA-CHACHA20-POLY1305", "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
-    {"DHE-RSA-SEED-SHA", "TLS-DHE-RSA-WITH-SEED-CBC-SHA"},
-    {"DH-RSA-SEED-SHA", "TLS-DH-RSA-WITH-SEED-CBC-SHA"},
-    {"ECDH-ECDSA-AES128-GCM-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256"},
-    {"ECDH-ECDSA-AES128-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256"},
-    {"ECDH-ECDSA-AES128-SHA", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA"},
-    {"ECDH-ECDSA-AES256-GCM-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384"},
-    {"ECDH-ECDSA-AES256-SHA256", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA256"},
-    {"ECDH-ECDSA-AES256-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384"},
-    {"ECDH-ECDSA-AES256-SHA", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA"},
-    {"ECDH-ECDSA-CAMELLIA128-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"},
-    {"ECDH-ECDSA-CAMELLIA128-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA"},
-    {"ECDH-ECDSA-CAMELLIA256-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"},
-    {"ECDH-ECDSA-CAMELLIA256-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
-    {"ECDH-ECDSA-DES-CBC3-SHA", "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA"},
-    {"ECDH-ECDSA-DES-CBC-SHA", "TLS-ECDH-ECDSA-WITH-DES-CBC-SHA"},
-    {"ECDH-ECDSA-RC4-SHA", "TLS-ECDH-ECDSA-WITH-RC4-128-SHA"},
-    {"ECDHE-ECDSA-AES128-GCM-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"},
-    {"ECDHE-ECDSA-AES128-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256"},
-    {"ECDHE-ECDSA-AES128-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA384"},
-    {"ECDHE-ECDSA-AES128-SHA", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA"},
-    {"ECDHE-ECDSA-AES256-GCM-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"},
-    {"ECDHE-ECDSA-AES256-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA256"},
-    {"ECDHE-ECDSA-AES256-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384"},
-    {"ECDHE-ECDSA-AES256-SHA", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA"},
-    {"ECDHE-ECDSA-CAMELLIA128-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"},
-    {"ECDHE-ECDSA-CAMELLIA128-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA"},
-    {"ECDHE-ECDSA-CAMELLIA256-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"},
-    {"ECDHE-ECDSA-CAMELLIA256-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
-    {"ECDHE-ECDSA-CHACHA20-POLY1305", "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"},
-    {"ECDHE-ECDSA-DES-CBC3-SHA", "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA"},
-    {"ECDHE-ECDSA-DES-CBC-SHA", "TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA"},
-    {"ECDHE-ECDSA-RC4-SHA", "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA"},
-    {"ECDHE-RSA-AES128-GCM-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"},
-    {"ECDHE-RSA-AES128-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256"},
-    {"ECDHE-RSA-AES128-SHA384", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA384"},
-    {"ECDHE-RSA-AES128-SHA", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA"},
-    {"ECDHE-RSA-AES256-GCM-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"},
-    {"ECDHE-RSA-AES256-SHA256", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256"},
-    {"ECDHE-RSA-AES256-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"},
-    {"ECDHE-RSA-AES256-SHA", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA"},
-    {"ECDHE-RSA-CAMELLIA128-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
-    {"ECDHE-RSA-CAMELLIA128-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
-    {"ECDHE-RSA-CAMELLIA256-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
-    {"ECDHE-RSA-CAMELLIA256-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
-    {"ECDHE-RSA-CHACHA20-POLY1305", "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
-    {"ECDHE-RSA-DES-CBC3-SHA", "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA"},
-    {"ECDHE-RSA-DES-CBC-SHA", "TLS-ECDHE-RSA-WITH-DES-CBC-SHA"},
-    {"ECDHE-RSA-RC4-SHA", "TLS-ECDHE-RSA-WITH-RC4-128-SHA"},
-    {"ECDH-RSA-AES128-GCM-SHA256", "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256"},
-    {"ECDH-RSA-AES128-SHA256", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256"},
-    {"ECDH-RSA-AES128-SHA384", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA384"},
-    {"ECDH-RSA-AES128-SHA", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA"},
-    {"ECDH-RSA-AES256-GCM-SHA384", "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384"},
-    {"ECDH-RSA-AES256-SHA256", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA256"},
-    {"ECDH-RSA-AES256-SHA384", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384"},
-    {"ECDH-RSA-AES256-SHA", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA"},
-    {"ECDH-RSA-CAMELLIA128-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
-    {"ECDH-RSA-CAMELLIA128-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA"},
-    {"ECDH-RSA-CAMELLIA256-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
-    {"ECDH-RSA-CAMELLIA256-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA"},
-    {"ECDH-RSA-DES-CBC3-SHA", "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA"},
-    {"ECDH-RSA-DES-CBC-SHA", "TLS-ECDH-RSA-WITH-DES-CBC-SHA"},
-    {"ECDH-RSA-RC4-SHA", "TLS-ECDH-RSA-WITH-RC4-128-SHA"},
-    {"EDH-DSS-DES-CBC3-SHA", "TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA"},
-    {"EDH-DSS-DES-CBC-SHA", "TLS-DHE-DSS-WITH-DES-CBC-SHA"},
-    {"EDH-RSA-DES-CBC3-SHA", "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"},
-    {"EDH-RSA-DES-CBC-SHA", "TLS-DHE-RSA-WITH-DES-CBC-SHA"},
-    {"EXP-DES-CBC-SHA", "TLS-RSA-EXPORT-WITH-DES40-CBC-SHA"},
-    {"EXP-EDH-DSS-DES-CBC-SHA", "TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA"},
-    {"EXP-EDH-RSA-DES-CBC-SHA", "TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA"},
-    {"EXP-RC2-CBC-MD5", "TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5"},
-    {"EXP-RC4-MD5", "TLS-RSA-EXPORT-WITH-RC4-40-MD5"},
-    {"NULL-MD5", "TLS-RSA-WITH-NULL-MD5"},
-    {"NULL-SHA256", "TLS-RSA-WITH-NULL-SHA256"},
-    {"NULL-SHA", "TLS-RSA-WITH-NULL-SHA"},
-    {"PSK-3DES-EDE-CBC-SHA", "TLS-PSK-WITH-3DES-EDE-CBC-SHA"},
-    {"PSK-AES128-CBC-SHA", "TLS-PSK-WITH-AES-128-CBC-SHA"},
-    {"PSK-AES256-CBC-SHA", "TLS-PSK-WITH-AES-256-CBC-SHA"},
-    {"PSK-RC4-SHA", "TLS-PSK-WITH-RC4-128-SHA"},
-    {"RC4-MD5", "TLS-RSA-WITH-RC4-128-MD5"},
-    {"RC4-SHA", "TLS-RSA-WITH-RC4-128-SHA"},
-    {"SEED-SHA", "TLS-RSA-WITH-SEED-CBC-SHA"},
-    {"SRP-DSS-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA"},
-    {"SRP-DSS-AES-128-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA"},
-    {"SRP-DSS-AES-256-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA"},
-    {"SRP-RSA-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA"},
-    {"SRP-RSA-AES-128-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA"},
-    {"SRP-RSA-AES-256-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA"},
+    { "ADH-SEED-SHA", "TLS-DH-anon-WITH-SEED-CBC-SHA" },
+    { "AES128-GCM-SHA256", "TLS-RSA-WITH-AES-128-GCM-SHA256" },
+    { "AES128-SHA256", "TLS-RSA-WITH-AES-128-CBC-SHA256" },
+    { "AES128-SHA", "TLS-RSA-WITH-AES-128-CBC-SHA" },
+    { "AES256-GCM-SHA384", "TLS-RSA-WITH-AES-256-GCM-SHA384" },
+    { "AES256-SHA256", "TLS-RSA-WITH-AES-256-CBC-SHA256" },
+    { "AES256-SHA", "TLS-RSA-WITH-AES-256-CBC-SHA" },
+    { "CAMELLIA128-SHA256", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256" },
+    { "CAMELLIA128-SHA", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA" },
+    { "CAMELLIA256-SHA256", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256" },
+    { "CAMELLIA256-SHA", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA" },
+    { "DES-CBC3-SHA", "TLS-RSA-WITH-3DES-EDE-CBC-SHA" },
+    { "DES-CBC-SHA", "TLS-RSA-WITH-DES-CBC-SHA" },
+    { "DH-DSS-SEED-SHA", "TLS-DH-DSS-WITH-SEED-CBC-SHA" },
+    { "DHE-DSS-AES128-GCM-SHA256", "TLS-DHE-DSS-WITH-AES-128-GCM-SHA256" },
+    { "DHE-DSS-AES128-SHA256", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA256" },
+    { "DHE-DSS-AES128-SHA", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA" },
+    { "DHE-DSS-AES256-GCM-SHA384", "TLS-DHE-DSS-WITH-AES-256-GCM-SHA384" },
+    { "DHE-DSS-AES256-SHA256", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA256" },
+    { "DHE-DSS-AES256-SHA", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA" },
+    { "DHE-DSS-CAMELLIA128-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256" },
+    { "DHE-DSS-CAMELLIA128-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA" },
+    { "DHE-DSS-CAMELLIA256-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256" },
+    { "DHE-DSS-CAMELLIA256-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA" },
+    { "DHE-DSS-SEED-SHA", "TLS-DHE-DSS-WITH-SEED-CBC-SHA" },
+    { "DHE-RSA-AES128-GCM-SHA256", "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" },
+    { "DHE-RSA-AES128-SHA256", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256" },
+    { "DHE-RSA-AES128-SHA", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA" },
+    { "DHE-RSA-AES256-GCM-SHA384", "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" },
+    { "DHE-RSA-AES256-SHA256", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256" },
+    { "DHE-RSA-AES256-SHA", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA" },
+    { "DHE-RSA-CAMELLIA128-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256" },
+    { "DHE-RSA-CAMELLIA128-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA" },
+    { "DHE-RSA-CAMELLIA256-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256" },
+    { "DHE-RSA-CAMELLIA256-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA" },
+    { "DHE-RSA-CHACHA20-POLY1305", "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256" },
+    { "DHE-RSA-SEED-SHA", "TLS-DHE-RSA-WITH-SEED-CBC-SHA" },
+    { "DH-RSA-SEED-SHA", "TLS-DH-RSA-WITH-SEED-CBC-SHA" },
+    { "ECDH-ECDSA-AES128-GCM-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256" },
+    { "ECDH-ECDSA-AES128-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256" },
+    { "ECDH-ECDSA-AES128-SHA", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA" },
+    { "ECDH-ECDSA-AES256-GCM-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384" },
+    { "ECDH-ECDSA-AES256-SHA256", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA256" },
+    { "ECDH-ECDSA-AES256-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384" },
+    { "ECDH-ECDSA-AES256-SHA", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA" },
+    { "ECDH-ECDSA-CAMELLIA128-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256" },
+    { "ECDH-ECDSA-CAMELLIA128-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA" },
+    { "ECDH-ECDSA-CAMELLIA256-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA256" },
+    { "ECDH-ECDSA-CAMELLIA256-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA" },
+    { "ECDH-ECDSA-DES-CBC3-SHA", "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA" },
+    { "ECDH-ECDSA-DES-CBC-SHA", "TLS-ECDH-ECDSA-WITH-DES-CBC-SHA" },
+    { "ECDH-ECDSA-RC4-SHA", "TLS-ECDH-ECDSA-WITH-RC4-128-SHA" },
+    { "ECDHE-ECDSA-AES128-GCM-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" },
+    { "ECDHE-ECDSA-AES128-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" },
+    { "ECDHE-ECDSA-AES128-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA384" },
+    { "ECDHE-ECDSA-AES128-SHA", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA" },
+    { "ECDHE-ECDSA-AES256-GCM-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" },
+    { "ECDHE-ECDSA-AES256-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA256" },
+    { "ECDHE-ECDSA-AES256-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384" },
+    { "ECDHE-ECDSA-AES256-SHA", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA" },
+    { "ECDHE-ECDSA-CAMELLIA128-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256" },
+    { "ECDHE-ECDSA-CAMELLIA128-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA" },
+    { "ECDHE-ECDSA-CAMELLIA256-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256" },
+    { "ECDHE-ECDSA-CAMELLIA256-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA" },
+    { "ECDHE-ECDSA-CHACHA20-POLY1305", "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" },
+    { "ECDHE-ECDSA-DES-CBC3-SHA", "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA" },
+    { "ECDHE-ECDSA-DES-CBC-SHA", "TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA" },
+    { "ECDHE-ECDSA-RC4-SHA", "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA" },
+    { "ECDHE-RSA-AES128-GCM-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256" },
+    { "ECDHE-RSA-AES128-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" },
+    { "ECDHE-RSA-AES128-SHA384", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA384" },
+    { "ECDHE-RSA-AES128-SHA", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA" },
+    { "ECDHE-RSA-AES256-GCM-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384" },
+    { "ECDHE-RSA-AES256-SHA256", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256" },
+    { "ECDHE-RSA-AES256-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" },
+    { "ECDHE-RSA-AES256-SHA", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" },
+    { "ECDHE-RSA-CAMELLIA128-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256" },
+    { "ECDHE-RSA-CAMELLIA128-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA" },
+    { "ECDHE-RSA-CAMELLIA256-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256" },
+    { "ECDHE-RSA-CAMELLIA256-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA" },
+    { "ECDHE-RSA-CHACHA20-POLY1305", "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" },
+    { "ECDHE-RSA-DES-CBC3-SHA", "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA" },
+    { "ECDHE-RSA-DES-CBC-SHA", "TLS-ECDHE-RSA-WITH-DES-CBC-SHA" },
+    { "ECDHE-RSA-RC4-SHA", "TLS-ECDHE-RSA-WITH-RC4-128-SHA" },
+    { "ECDH-RSA-AES128-GCM-SHA256", "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256" },
+    { "ECDH-RSA-AES128-SHA256", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256" },
+    { "ECDH-RSA-AES128-SHA384", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA384" },
+    { "ECDH-RSA-AES128-SHA", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA" },
+    { "ECDH-RSA-AES256-GCM-SHA384", "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384" },
+    { "ECDH-RSA-AES256-SHA256", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA256" },
+    { "ECDH-RSA-AES256-SHA384", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384" },
+    { "ECDH-RSA-AES256-SHA", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA" },
+    { "ECDH-RSA-CAMELLIA128-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256" },
+    { "ECDH-RSA-CAMELLIA128-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA" },
+    { "ECDH-RSA-CAMELLIA256-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA256" },
+    { "ECDH-RSA-CAMELLIA256-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA" },
+    { "ECDH-RSA-DES-CBC3-SHA", "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA" },
+    { "ECDH-RSA-DES-CBC-SHA", "TLS-ECDH-RSA-WITH-DES-CBC-SHA" },
+    { "ECDH-RSA-RC4-SHA", "TLS-ECDH-RSA-WITH-RC4-128-SHA" },
+    { "EDH-DSS-DES-CBC3-SHA", "TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA" },
+    { "EDH-DSS-DES-CBC-SHA", "TLS-DHE-DSS-WITH-DES-CBC-SHA" },
+    { "EDH-RSA-DES-CBC3-SHA", "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA" },
+    { "EDH-RSA-DES-CBC-SHA", "TLS-DHE-RSA-WITH-DES-CBC-SHA" },
+    { "EXP-DES-CBC-SHA", "TLS-RSA-EXPORT-WITH-DES40-CBC-SHA" },
+    { "EXP-EDH-DSS-DES-CBC-SHA", "TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA" },
+    { "EXP-EDH-RSA-DES-CBC-SHA", "TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA" },
+    { "EXP-RC2-CBC-MD5", "TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5" },
+    { "EXP-RC4-MD5", "TLS-RSA-EXPORT-WITH-RC4-40-MD5" },
+    { "NULL-MD5", "TLS-RSA-WITH-NULL-MD5" },
+    { "NULL-SHA256", "TLS-RSA-WITH-NULL-SHA256" },
+    { "NULL-SHA", "TLS-RSA-WITH-NULL-SHA" },
+    { "PSK-3DES-EDE-CBC-SHA", "TLS-PSK-WITH-3DES-EDE-CBC-SHA" },
+    { "PSK-AES128-CBC-SHA", "TLS-PSK-WITH-AES-128-CBC-SHA" },
+    { "PSK-AES256-CBC-SHA", "TLS-PSK-WITH-AES-256-CBC-SHA" },
+    { "PSK-RC4-SHA", "TLS-PSK-WITH-RC4-128-SHA" },
+    { "RC4-MD5", "TLS-RSA-WITH-RC4-128-MD5" },
+    { "RC4-SHA", "TLS-RSA-WITH-RC4-128-SHA" },
+    { "SEED-SHA", "TLS-RSA-WITH-SEED-CBC-SHA" },
+    { "SRP-DSS-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA" },
+    { "SRP-DSS-AES-128-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA" },
+    { "SRP-DSS-AES-256-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA" },
+    { "SRP-RSA-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA" },
+    { "SRP-RSA-AES-128-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA" },
+    { "SRP-RSA-AES-256-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA" },
 #ifdef ENABLE_CRYPTO_OPENSSL
     /* OpenSSL-specific group names */
-    {"DEFAULT", "DEFAULT"},
-    {"ALL", "ALL"},
-    {"HIGH", "HIGH"}, {"!HIGH", "!HIGH"},
-    {"MEDIUM", "MEDIUM"}, {"!MEDIUM", "!MEDIUM"},
-    {"LOW", "LOW"}, {"!LOW", "!LOW"},
-    {"ECDH", "ECDH"}, {"!ECDH", "!ECDH"},
-    {"ECDSA", "ECDSA"}, {"!ECDSA", "!ECDSA"},
-    {"EDH", "EDH"}, {"!EDH", "!EDH"},
-    {"EXP", "EXP"}, {"!EXP", "!EXP"},
-    {"RSA", "RSA"}, {"!RSA", "!RSA"},
-    {"kRSA", "kRSA"}, {"!kRSA", "!kRSA"},
-    {"SRP", "SRP"}, {"!SRP", "!SRP"},
+    { "DEFAULT", "DEFAULT" },
+    { "ALL", "ALL" },
+    { "HIGH", "HIGH" },
+    { "!HIGH", "!HIGH" },
+    { "MEDIUM", "MEDIUM" },
+    { "!MEDIUM", "!MEDIUM" },
+    { "LOW", "LOW" },
+    { "!LOW", "!LOW" },
+    { "ECDH", "ECDH" },
+    { "!ECDH", "!ECDH" },
+    { "ECDSA", "ECDSA" },
+    { "!ECDSA", "!ECDSA" },
+    { "EDH", "EDH" },
+    { "!EDH", "!EDH" },
+    { "EXP", "EXP" },
+    { "!EXP", "!EXP" },
+    { "RSA", "RSA" },
+    { "!RSA", "!RSA" },
+    { "kRSA", "kRSA" },
+    { "!kRSA", "!kRSA" },
+    { "SRP", "SRP" },
+    { "!SRP", "!SRP" },
 #endif
-    {NULL, NULL}
+    { NULL, NULL }
 };
 
 const tls_cipher_name_pair *
diff --git a/src/openvpn/ssl_util.h b/src/openvpn/ssl_util.h
index 189b1d017..007ed69a3 100644
--- a/src/openvpn/ssl_util.h
+++ b/src/openvpn/ssl_util.h
@@ -43,8 +43,7 @@
  * @return The content of the variable as NULL terminated string or NULL if the
  * variable cannot be found.
  */
-char *extract_var_peer_info(const char *peer_info, const char *var,
-                            struct gc_arena *gc);
+char *extract_var_peer_info(const char *peer_info, const char *var, struct gc_arena *gc);
 
 /**
  * Extracts the IV_PROTO variable and returns its value or 0
@@ -74,7 +73,11 @@ const char *options_string_compat_lzo(const char *options, struct gc_arena *gc);
  * @param cipher_name Can be either OpenSSL or IANA cipher name
  * @return tls_cipher_name_pair* if found, NULL otherwise
  */
-typedef struct { const char *openssl_name; const char *iana_name; } tls_cipher_name_pair;
+typedef struct
+{
+    const char *openssl_name;
+    const char *iana_name;
+} tls_cipher_name_pair;
 const tls_cipher_name_pair *tls_get_cipher_name_pair(const char *cipher_name, size_t len);
 
 /**
@@ -88,7 +91,6 @@ const tls_cipher_name_pair *tls_get_cipher_name_pair(const char *cipher_name, si
  * @param delimiter the delimiter to count, typically ':'
  * @return occrrences of delimiter + 1
  */
-int
-get_num_elements(const char *string, char delimiter);
+int get_num_elements(const char *string, char delimiter);
 
 #endif /* ifndef SSL_UTIL_H_ */
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 82337cf3e..6f85dcae0 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c @@ -149,11 +149,12 @@ tls_lock_username(struct tls_multi *multi, const char *username) /* If the username has been overridden, we accept both the original * username and the changed username */ if (strcmp(username, multi->locked_username) != 0 - && (!multi->locked_original_username || strcmp(username, multi->locked_original_username) != 0)) + && (!multi->locked_original_username + || strcmp(username, multi->locked_original_username) != 0)) { - msg(D_TLS_ERRORS, "TLS Auth Error: username attempted to change from '%s' to '%s' -- tunnel disabled", - multi->locked_username, - username); + msg(D_TLS_ERRORS, + "TLS Auth Error: username attempted to change from '%s' to '%s' -- tunnel disabled", + multi->locked_username, username); /* disable the tunnel */ tls_deauthenticate(multi); @@ -239,8 +240,8 @@ cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set * { continue; } - else if (ch1 && ch2 && !memcmp(ch1->sha256_hash, ch2->sha256_hash, - sizeof(ch1->sha256_hash))) + else if (ch1 && ch2 + && !memcmp(ch1->sha256_hash, ch2->sha256_hash, sizeof(ch1->sha256_hash))) { continue; } @@ -275,8 +276,7 @@ cert_hash_copy(const struct cert_hash_set *chs) if (ch) { ALLOC_OBJ(dest->ch[i], struct cert_hash); - memcpy(dest->ch[i]->sha256_hash, ch->sha256_hash, - sizeof(dest->ch[i]->sha256_hash)); + memcpy(dest->ch[i]->sha256_hash, ch->sha256_hash, sizeof(dest->ch[i]->sha256_hash)); } } } 
@@ -320,22 +320,21 @@ print_nsCertType(int type) * @param subject the peer's extracted common name */ static result_t -verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert, - const char *subject, const char *common_name) +verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert, const char *subject, + const char *common_name) { /* verify certificate nsCertType */ if (opt->ns_cert_type != NS_CERT_CHECK_NONE) { if (SUCCESS == x509_verify_ns_cert_type(peer_cert, opt->ns_cert_type)) { - msg(D_HANDSHAKE, "VERIFY OK: nsCertType=%s", - print_nsCertType(opt->ns_cert_type)); + msg(D_HANDSHAKE, "VERIFY OK: nsCertType=%s", print_nsCertType(opt->ns_cert_type)); } else { - msg(D_HANDSHAKE, "VERIFY nsCertType ERROR: %s, require nsCertType=%s", - subject, print_nsCertType(opt->ns_cert_type)); - return FAILURE; /* Reject connection */ + msg(D_HANDSHAKE, "VERIFY nsCertType ERROR: %s, require nsCertType=%s", subject, + print_nsCertType(opt->ns_cert_type)); + return FAILURE; /* Reject connection */ } } @@ -349,7 +348,7 @@ verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert, else { msg(D_HANDSHAKE, "VERIFY KU ERROR"); - return FAILURE; /* Reject connection */ + return FAILURE; /* Reject connection */ } } 
@@ -363,28 +362,27 @@ verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert, else { msg(D_HANDSHAKE, "VERIFY EKU ERROR"); - return FAILURE; /* Reject connection */ + return FAILURE; /* Reject connection */ } } /* verify X509 name or username against --verify-x509-[user]name */ if (opt->verify_x509_type != VERIFY_X509_NONE) { - if ( (opt->verify_x509_type == VERIFY_X509_SUBJECT_DN - && strcmp(opt->verify_x509_name, subject) == 0) - || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN - && strcmp(opt->verify_x509_name, common_name) == 0) - || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN_PREFIX - && strncmp(opt->verify_x509_name, common_name, - strlen(opt->verify_x509_name)) == 0) ) + if ((opt->verify_x509_type == VERIFY_X509_SUBJECT_DN + && strcmp(opt->verify_x509_name, subject) == 0) + || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN + && strcmp(opt->verify_x509_name, common_name) == 0) + || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN_PREFIX + && strncmp(opt->verify_x509_name, common_name, strlen(opt->verify_x509_name)) == 0)) { msg(D_HANDSHAKE, "VERIFY X509NAME OK: %s", subject); } else { - msg(D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s", - subject, opt->verify_x509_name); - return FAILURE; /* Reject connection */ + msg(D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s", subject, + opt->verify_x509_name); + return FAILURE; /* Reject connection */ } } @@ -397,8 +395,7 @@ verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert, */ static void verify_cert_set_env(struct env_set *es, openvpn_x509_cert_t *peer_cert, int cert_depth, - const char *subject, - const struct x509_track *x509_track) + const char *subject, const struct x509_track *x509_track) { char envname[64]; char *serial = NULL; 
@@ -424,13 +421,10 @@ verify_cert_set_env(struct env_set *es, openvpn_x509_cert_t *peer_cert, int cert struct buffer sha256 = x509_get_sha256_fingerprint(peer_cert, &gc); snprintf(envname, sizeof(envname), "tls_digest_%d", cert_depth); - setenv_str(es, envname, - format_hex_ex(BPTR(&sha1), BLEN(&sha1), 0, 1, ":", &gc)); + setenv_str(es, envname, format_hex_ex(BPTR(&sha1), BLEN(&sha1), 0, 1, ":", &gc)); - snprintf(envname, sizeof(envname), "tls_digest_sha256_%d", - cert_depth); - setenv_str(es, envname, - format_hex_ex(BPTR(&sha256), BLEN(&sha256), 0, 1, ":", &gc)); + snprintf(envname, sizeof(envname), "tls_digest_sha256_%d", cert_depth); + setenv_str(es, envname, format_hex_ex(BPTR(&sha256), BLEN(&sha256), 0, 1, ":", &gc)); } /* export serial number as environmental variable */ @@ -474,8 +468,8 @@ verify_cert_cert_delete_env(struct env_set *es, const char *pem_export_fname) * call --tls-verify plug-in(s) */ static result_t -verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es, - int cert_depth, openvpn_x509_cert_t *cert, char *subject) +verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es, int cert_depth, + openvpn_x509_cert_t *cert, char *subject) { if (plugin_defined(plugins, OPENVPN_PLUGIN_TLS_VERIFY)) { 
@@ -484,20 +478,19 @@ verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es, argv_printf(&argv, "%d %s", cert_depth, subject); - ret = plugin_call_ssl(plugins, OPENVPN_PLUGIN_TLS_VERIFY, &argv, NULL, es, cert_depth, cert); + ret = + plugin_call_ssl(plugins, OPENVPN_PLUGIN_TLS_VERIFY, &argv, NULL, es, cert_depth, cert); argv_free(&argv); if (ret == OPENVPN_PLUGIN_FUNC_SUCCESS) { - msg(D_HANDSHAKE, "VERIFY PLUGIN OK: depth=%d, %s", - cert_depth, subject); + msg(D_HANDSHAKE, "VERIFY PLUGIN OK: depth=%d, %s", cert_depth, subject); } else { - msg(D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s", - cert_depth, subject); - return FAILURE; /* Reject connection */ + msg(D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s", cert_depth, subject); + return FAILURE; /* Reject connection */ } } return SUCCESS; @@ -507,8 +500,8 @@ verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es, * run --tls-verify script */ static result_t -verify_cert_call_command(const char *verify_command, struct env_set *es, - int cert_depth, char *subject) +verify_cert_call_command(const char *verify_command, struct env_set *es, int cert_depth, + char *subject) { int ret; struct gc_arena gc = gc_new(); 
@@ -527,22 +520,20 @@ verify_cert_call_command(const char *verify_command, struct env_set *es, if (ret) { - msg(D_HANDSHAKE, "VERIFY SCRIPT OK: depth=%d, %s", - cert_depth, subject); + msg(D_HANDSHAKE, "VERIFY SCRIPT OK: depth=%d, %s", cert_depth, subject); return SUCCESS; } - msg(D_HANDSHAKE, "VERIFY SCRIPT ERROR: depth=%d, %s", - cert_depth, subject); - return FAILURE; /* Reject connection */ + msg(D_HANDSHAKE, "VERIFY SCRIPT ERROR: depth=%d, %s", cert_depth, subject); + return FAILURE; /* Reject connection */ } /* * check peer cert against CRL directory */ static result_t -verify_check_crl_dir(const char *crl_dir, openvpn_x509_cert_t *cert, - const char *subject, int cert_depth) +verify_check_crl_dir(const char *crl_dir, openvpn_x509_cert_t *cert, const char *subject, + int cert_depth) { result_t ret = FAILURE; char fn[256]; @@ -552,8 +543,8 @@ verify_check_crl_dir(const char *crl_dir, openvpn_x509_cert_t *cert, char *serial = backend_x509_get_serial(cert, &gc); if (!serial) { - msg(D_HANDSHAKE, "VERIFY CRL: depth=%d, %s, serial number is not available", - cert_depth, subject); + msg(D_HANDSHAKE, "VERIFY CRL: depth=%d, %s, serial number is not available", cert_depth, + subject); goto cleanup; } @@ -565,8 +556,8 @@ verify_check_crl_dir(const char *crl_dir, openvpn_x509_cert_t *cert, fd = platform_open(fn, O_RDONLY, 0); if (fd >= 0) { - msg(D_HANDSHAKE, "VERIFY CRL: depth=%d, %s, serial=%s is revoked", - cert_depth, subject, serial); + msg(D_HANDSHAKE, "VERIFY CRL: depth=%d, %s, serial=%s is revoked", cert_depth, subject, + serial); goto cleanup; } @@ -600,8 +591,10 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep char *subject = x509_get_subject(cert, &gc); if (!subject) { - msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, could not extract X509 " - "subject string from certificate", cert_depth); + msg(D_TLS_ERRORS, + "VERIFY ERROR: depth=%d, could not extract X509 " + "subject string from certificate", + cert_depth); goto cleanup; } 
@@ -613,19 +606,19 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep struct buffer buf = alloc_buf_gc(256, &gc); for (int i = 0; opt->x509_username_field[i] != NULL; i++) { - char username[TLS_USERNAME_LEN+1] = {0}; /* null-terminated */ + char username[TLS_USERNAME_LEN + 1] = { 0 }; /* null-terminated */ - if (SUCCESS != backend_x509_get_username(username, sizeof(username), - opt->x509_username_field[i], cert)) + if (SUCCESS + != backend_x509_get_username(username, sizeof(username), opt->x509_username_field[i], + cert)) { if (!cert_depth) { - msg(D_TLS_ERRORS, "VERIFY ERROR: could not extract %s from X509 " + msg(D_TLS_ERRORS, + "VERIFY ERROR: could not extract %s from X509 " "subject string ('%s') -- note that the field length is " "limited to %d characters", - opt->x509_username_field[i], - subject, - TLS_USERNAME_LEN); + opt->x509_username_field[i], subject, TLS_USERNAME_LEN); goto cleanup; } break; @@ -634,11 +627,11 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep { if (!cert_depth) { - msg(D_TLS_ERRORS, "VERIFY ERROR: could not append %s from X509 " + msg(D_TLS_ERRORS, + "VERIFY ERROR: could not append %s from X509 " "certificate -- note that the username length is " "limited to %d characters", - opt->x509_username_field[i], - buf.capacity - 1); + opt->x509_username_field[i], buf.capacity - 1); goto cleanup; } break; @@ -648,8 +641,10 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep char *common_name = BSTR(&buf); if (!common_name) { - msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, could not extract X509 " - "username string from certificate", cert_depth); + msg(D_TLS_ERRORS, + "VERIFY ERROR: depth=%d, could not extract X509 " + "username string from certificate", + cert_depth); goto cleanup; } 
@@ -659,13 +654,15 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep /* warn if cert chain is too deep */ if (cert_depth >= MAX_CERT_DEPTH) { - msg(D_TLS_ERRORS, "TLS Error: Convoluted certificate chain detected with depth [%d] greater than %d", cert_depth, MAX_CERT_DEPTH); - goto cleanup; /* Reject connection */ + msg(D_TLS_ERRORS, + "TLS Error: Convoluted certificate chain detected with depth [%d] greater than %d", + cert_depth, MAX_CERT_DEPTH); + goto cleanup; /* Reject connection */ } if (cert_depth == opt->verify_hash_depth && opt->verify_hash) { - struct buffer cert_fp = {0}; + struct buffer cert_fp = { 0 }; switch (opt->verify_hash_algo) { @@ -683,8 +680,10 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep * value in an enumerated type. So if this unlikely scenario * happens, consider this a failure */ - msg(M_WARN, "Unexpected invalid algorithm used with " - "--verify-hash (%i)", opt->verify_hash_algo); + msg(M_WARN, + "Unexpected invalid algorithm used with " + "--verify-hash (%i)", + opt->verify_hash_algo); ret = FAILURE; goto cleanup; } @@ -693,8 +692,7 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep while (current_hash) { - if (memcmp_constant_time(BPTR(&cert_fp), current_hash->hash, - BLEN(&cert_fp)) == 0) + if (memcmp_constant_time(BPTR(&cert_fp), current_hash->hash, BLEN(&cert_fp)) == 0) { break; } 
@@ -703,11 +701,12 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep if (!current_hash) { - const char *hex_fp = format_hex_ex(BPTR(&cert_fp), BLEN(&cert_fp), - 0, 1, ":", &gc); - msg(D_TLS_ERRORS, "TLS Error: --tls-verify/--peer-fingerprint " + const char *hex_fp = format_hex_ex(BPTR(&cert_fp), BLEN(&cert_fp), 0, 1, ":", &gc); + msg(D_TLS_ERRORS, + "TLS Error: --tls-verify/--peer-fingerprint " "certificate hash verification failed. (got certificate " - "fingerprint: %s)", hex_fp); + "fingerprint: %s)", + hex_fp); goto cleanup; } } @@ -722,14 +721,14 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep if (opt->export_peer_cert_dir) { - pem_export_fname = platform_create_temp_file(opt->export_peer_cert_dir, - "pef", &gc); + pem_export_fname = platform_create_temp_file(opt->export_peer_cert_dir, "pef", &gc); - if (!pem_export_fname - || !verify_cert_cert_export_env(opt->es, cert, pem_export_fname)) + if (!pem_export_fname || !verify_cert_cert_export_env(opt->es, cert, pem_export_fname)) { - msg(D_TLS_ERRORS, "TLS Error: Failed to export certificate for " - "--tls-export-cert in %s", opt->export_peer_cert_dir); + msg(D_TLS_ERRORS, + "TLS Error: Failed to export certificate for " + "--tls-export-cert in %s", + opt->export_peer_cert_dir); goto cleanup; } } @@ -752,8 +751,8 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep } /* run --tls-verify script */ - if (opt->verify_command && SUCCESS != verify_cert_call_command(opt->verify_command, - opt->es, cert_depth, subject)) + if (opt->verify_command + && SUCCESS != verify_cert_call_command(opt->verify_command, opt->es, cert_depth, subject)) { goto cleanup; } @@ -786,7 +785,7 @@ cleanup: verify_cert_cert_delete_env(opt->es, pem_export_fname); if (ret != SUCCESS) { - tls_clear_error(); /* always? */ + tls_clear_error(); /* always? */ session->verified = false; /* double sure? */ } 
@@ -796,9 +795,9 @@ cleanup: } /* *************************************************************************** -* Functions for the management of deferred authentication when using -* user/password authentication. -*************************************************************************** */ + * Functions for the management of deferred authentication when using + * user/password authentication. + *************************************************************************** */ void auth_set_client_reason(struct tls_multi *multi, const char *client_reason) @@ -884,15 +883,13 @@ check_auth_pending_method(const char *peer_info, const char *method) * @returns false The file had an invlaid format or another error occured */ static bool -key_state_check_auth_pending_file(struct auth_deferred_status *ads, - struct tls_multi *multi, +key_state_check_auth_pending_file(struct auth_deferred_status *ads, struct tls_multi *multi, struct tls_session *session) { bool ret = true; if (ads->auth_pending_file) { - struct buffer_list *lines = buffer_list_file(ads->auth_pending_file, - 1024); + struct buffer_list *lines = buffer_list_file(ads->auth_pending_file, 1024); if (lines && lines->head) { /* Must have at least three lines. further lines are ignored for @@ -900,7 +897,7 @@ key_state_check_auth_pending_file(struct auth_deferred_status *ads, if (!lines->head || !lines->head->next || !lines->head->next->next) { msg(M_WARN, "auth pending control file is not at least " - "three lines long."); + "three lines long."); buffer_list_free(lines); return false; } 
@@ -927,10 +924,13 @@ key_state_check_auth_pending_file(struct auth_deferred_status *ads, char buf[128]; snprintf(buf, sizeof(buf), "Authentication failed, required pending auth " - "method '%s' not supported", pending_method); + "method '%s' not supported", + pending_method); auth_set_client_reason(multi, buf); - msg(M_INFO, "Client does not supported auth pending method " - "'%s'", pending_method); + msg(M_INFO, + "Client does not supported auth pending method " + "'%s'", + pending_method); ret = false; } else @@ -975,8 +975,7 @@ key_state_rm_auth_control_files(struct auth_deferred_status *ads) * @return true if file creation was successful */ static bool -key_state_gen_auth_control_files(struct auth_deferred_status *ads, - const struct tls_options *opt) +key_state_gen_auth_control_files(struct auth_deferred_status *ads, const struct tls_options *opt) { struct gc_arena gc = gc_new(); @@ -1017,7 +1016,6 @@ key_state_check_auth_failed_message_file(const struct auth_deferred_status *ads, { ret = BSTR(&reason); } - } return ret; } @@ -1088,8 +1086,7 @@ update_key_auth_status(bool cached, struct key_state *ks) #endif ASSERT(auth_plugin < 4 && auth_script < 4 && auth_man < 4); - if (auth_plugin == ACF_FAILED || auth_script == ACF_FAILED - || auth_man == ACF_FAILED) + if (auth_plugin == ACF_FAILED || auth_script == ACF_FAILED || auth_man == ACF_FAILED) { ks->authenticated = KS_AUTH_FALSE; return; @@ -1122,7 +1119,7 @@ update_key_auth_status(bool cached, struct key_state *ks) * with no caching (0) here as well to have the same super quick initial * reaction. */ -static time_t cache_intervals[] = {0, 0, 0, 0, 0, 1, 1, 2, 2, 4, 8}; +static time_t cache_intervals[] = { 0, 0, 0, 0, 0, 1, 1, 2, 2, 4, 8 }; /** * uses cache_intervals times to determine if we should update the 
@@ -1189,8 +1186,10 @@ tls_authentication_status(struct tls_multi *multi) { struct gc_arena gc = gc_new(); const struct key_state *ks = get_primary_key(multi); - const char *plugin_message = key_state_check_auth_failed_message_file(&ks->plugin_auth, &gc); - const char *script_message = key_state_check_auth_failed_message_file(&ks->script_auth, &gc); + const char *plugin_message = + key_state_check_auth_failed_message_file(&ks->plugin_auth, &gc); + const char *script_message = + key_state_check_auth_failed_message_file(&ks->script_auth, &gc); if (plugin_message) { @@ -1234,7 +1233,8 @@ tls_authentication_status(struct tls_multi *multi) * to indicate auth failure/success. */ bool -tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason) +tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, + const char *client_reason) { bool ret = false; if (multi) @@ -1270,8 +1270,7 @@ tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, con * Check if the script/plugin left a message in the auth failed message * file and relay it to the user */ static void -check_for_client_reason(struct tls_multi *multi, - struct auth_deferred_status *status) +check_for_client_reason(struct tls_multi *multi, struct auth_deferred_status *status) { struct gc_arena gc = gc_new(); const char *msg = key_state_check_auth_failed_message_file(status, &gc); @@ -1292,7 +1291,7 @@ verify_user_pass_script(struct tls_session *session, struct tls_multi *multi, struct argv argv = argv_new(); const char *tmp_file = ""; int retval = OPENVPN_PLUGIN_FUNC_ERROR; - struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ + struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ /* Set environmental variables prior to calling script */ setenv_str(session->opt->es, "script_type", "user-pass-verify"); 
@@ -1304,8 +1303,7 @@ verify_user_pass_script(struct tls_session *session, struct tls_multi *multi, { struct status_output *so; - tmp_file = platform_create_temp_file(session->opt->tmp_dir, "up", - &gc); + tmp_file = platform_create_temp_file(session->opt->tmp_dir, "up", &gc); if (tmp_file) { so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE); @@ -1330,15 +1328,17 @@ verify_user_pass_script(struct tls_session *session, struct tls_multi *multi, /* pre-create files for deferred auth control */ if (!key_state_gen_auth_control_files(&ks->script_auth, session->opt)) { - msg(D_TLS_ERRORS, "TLS Auth Error (%s): " - "could not create deferred auth control file", __func__); + msg(D_TLS_ERRORS, + "TLS Auth Error (%s): " + "could not create deferred auth control file", + __func__); retval = OPENVPN_PLUGIN_FUNC_ERROR; goto error; } /* call command */ - int script_ret = openvpn_run_script(&argv, session->opt->es, S_EXITCODE, - "--auth-user-pass-verify"); + int script_ret = + openvpn_run_script(&argv, session->opt->es, S_EXITCODE, "--auth-user-pass-verify"); switch (script_ret) { case 0: @@ -1358,13 +1358,11 @@ verify_user_pass_script(struct tls_session *session, struct tls_multi *multi, { /* Check if we the plugin has written the pending auth control * file and send the pending auth to the client */ - if (!key_state_check_auth_pending_file(&ks->script_auth, - multi, session)) + if (!key_state_check_auth_pending_file(&ks->script_auth, multi, session)) { retval = OPENVPN_PLUGIN_FUNC_ERROR; key_state_rm_auth_control_files(&ks->script_auth); } - } else { 
@@ -1395,8 +1393,8 @@ verify_crresponse_plugin(struct tls_multi *multi, const char *cr_response) struct tls_session *session = &multi->session[TM_ACTIVE]; setenv_str(session->opt->es, "crresponse", cr_response); - plugin_call(session->opt->plugins, OPENVPN_PLUGIN_CLIENT_CRRESPONSE, NULL, - NULL, session->opt->es); + plugin_call(session->opt->plugins, OPENVPN_PLUGIN_CLIENT_CRRESPONSE, NULL, NULL, + session->opt->es); setenv_del(session->opt->es, "crresponse"); } @@ -1405,7 +1403,6 @@ verify_crresponse_plugin(struct tls_multi *multi, const char *cr_response) void verify_crresponse_script(struct tls_multi *multi, const char *cr_response) { - struct tls_session *session = &multi->session[TM_ACTIVE]; if (!session->opt->client_crresponse_script) @@ -1425,8 +1422,7 @@ verify_crresponse_script(struct tls_multi *multi, const char *cr_response) if (tmp_file) { - struct status_output *so = status_open(tmp_file, 0, -1, NULL, - STATUS_OUTPUT_WRITE); + struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE); status_printf(so, "%s", cr_response); if (!status_close(so)) { @@ -1463,7 +1459,7 @@ verify_user_pass_plugin(struct tls_session *session, struct tls_multi *multi, const struct user_pass *up) { int retval = OPENVPN_PLUGIN_FUNC_ERROR; - struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ + struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ /* set password in private env space */ setenv_str(session->opt->es, "password", up->password); 
@@ -1471,13 +1467,16 @@ verify_user_pass_plugin(struct tls_session *session, struct tls_multi *multi, /* generate filename for deferred auth control file */ if (!key_state_gen_auth_control_files(&ks->plugin_auth, session->opt)) { - msg(D_TLS_ERRORS, "TLS Auth Error (%s): " - "could not create deferred auth control file", __func__); + msg(D_TLS_ERRORS, + "TLS Auth Error (%s): " + "could not create deferred auth control file", + __func__); return retval; } /* call command */ - retval = plugin_call(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, NULL, NULL, session->opt->es); + retval = plugin_call(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, NULL, NULL, + session->opt->es); if (retval == OPENVPN_PLUGIN_FUNC_DEFERRED) { @@ -1516,18 +1515,18 @@ verify_user_pass_plugin(struct tls_session *session, struct tls_multi *multi, #define KMDA_DEF 3 static int -verify_user_pass_management(struct tls_session *session, - const struct user_pass *up) +verify_user_pass_management(struct tls_session *session, const struct user_pass *up) { int retval = KMDA_ERROR; - struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ + struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ /* set username/password in private env space */ setenv_str(session->opt->es, "password", up->password); if (management) { - management_notify_client_needing_auth(management, ks->mda_key_id, session->opt->mda_context, session->opt->es); + management_notify_client_needing_auth(management, ks->mda_key_id, session->opt->mda_context, + session->opt->es); } setenv_del(session->opt->es, "password"); 
@@ -1539,8 +1538,7 @@ verify_user_pass_management(struct tls_session *session, #endif /* ifdef ENABLE_MANAGEMENT */ static bool -set_verify_user_pass_env(struct user_pass *up, struct tls_multi *multi, - struct tls_session *session) +set_verify_user_pass_env(struct user_pass *up, struct tls_multi *multi, struct tls_session *session) { /* Is username defined? */ if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || strlen(up->username)) @@ -1576,7 +1574,8 @@ ssl_verify_username_length(struct tls_session *session, const char *username) msg(D_TLS_ERRORS, "TLS Auth Error: --username-as-common name specified and " "username is longer than the maximum permitted Common Name " - "length of %d characters", TLS_USERNAME_LEN); + "length of %d characters", + TLS_USERNAME_LEN); return false; } else @@ -1592,10 +1591,9 @@ ssl_verify_username_length(struct tls_session *session, const char *username) * result of the username/password verification */ void -verify_user_pass(struct user_pass *up, struct tls_multi *multi, - struct tls_session *session) +verify_user_pass(struct user_pass *up, struct tls_multi *multi, struct tls_session *session) { - struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ + struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ ASSERT(up && !up->protected); @@ -1623,9 +1621,10 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, if (multi->locked_original_username && strncmp(up->username, multi->locked_original_username, sizeof(up->username)) == 0) { - msg(D_MULTI_LOW, "TLS: Replacing client provided username '%s' with " - "username from override-user '%s'", up->username, - multi->locked_username); + msg(D_MULTI_LOW, + "TLS: Replacing client provided username '%s' with " + "username from override-user '%s'", + up->username, multi->locked_username); strncpy(up->username, multi->locked_username, sizeof(up->username)); } 
@@ -1661,7 +1660,8 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, * We do not want the EXPIRED or EMPTY USER flags here so check * for equality with AUTH_TOKEN_HMAC_OK */ - msg(M_WARN, "TLS: Username/auth-token authentication " + msg(M_WARN, + "TLS: Username/auth-token authentication " "succeeded for username '%s'", up->username); skip_auth = true; @@ -1670,8 +1670,10 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, { wipe_auth_token(multi); ks->authenticated = KS_AUTH_FALSE; - msg(M_WARN, "TLS: Username/auth-token authentication " - "failed for username '%s'", up->username); + msg(M_WARN, + "TLS: Username/auth-token authentication " + "failed for username '%s'", + up->username); return; } } @@ -1716,14 +1718,14 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, bool plugin_ok = plugin_status == OPENVPN_PLUGIN_FUNC_SUCCESS || plugin_status == OPENVPN_PLUGIN_FUNC_DEFERRED; - bool script_ok = script_status == OPENVPN_PLUGIN_FUNC_SUCCESS - || script_status == OPENVPN_PLUGIN_FUNC_DEFERRED; + bool script_ok = script_status == OPENVPN_PLUGIN_FUNC_SUCCESS + || script_status == OPENVPN_PLUGIN_FUNC_DEFERRED; if (script_ok && plugin_ok && tls_lock_username(multi, up->username) #ifdef ENABLE_MANAGEMENT && man_def_auth != KMDA_ERROR #endif - ) + ) { ks->authenticated = KS_AUTH_TRUE; if (plugin_status == OPENVPN_PLUGIN_FUNC_DEFERRED @@ -1757,8 +1759,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, * to store the auth-token in multi->auth_token, so * the initial timestamp and session id can be extracted from it */ - if (!multi->auth_token - && (ks->auth_token_state_flags & AUTH_TOKEN_HMAC_OK) + if (!multi->auth_token && (ks->auth_token_state_flags & AUTH_TOKEN_HMAC_OK) && !(ks->auth_token_state_flags & AUTH_TOKEN_EXPIRED)) { multi->auth_token = strdup(up->password); 
@@ -1772,8 +1773,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, } msg(D_HANDSHAKE, "TLS: Username/Password authentication %s for username '%s' %s", - (ks->authenticated == KS_AUTH_DEFERRED) ? "deferred" : "succeeded", - up->username, + (ks->authenticated == KS_AUTH_DEFERRED) ? "deferred" : "succeeded", up->username, (session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN SET]" : ""); } else @@ -1786,7 +1786,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session) { - struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ + struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ /* While it shouldn't really happen, don't allow the common name to be NULL */ if (!session->common_name) @@ -1800,9 +1800,9 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session) const char *cn = session->common_name; if (cn && strcmp(cn, multi->locked_cn)) { - msg(D_TLS_ERRORS, "TLS Auth Error: TLS object CN attempted to change from '%s' to '%s' -- tunnel disabled", - multi->locked_cn, - cn); + msg(D_TLS_ERRORS, + "TLS Auth Error: TLS object CN attempted to change from '%s' to '%s' -- tunnel disabled", + multi->locked_cn, cn); /* change the common name back to its original value and disable the tunnel */ set_common_name(session, multi->locked_cn); @@ -1816,7 +1816,8 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session) const struct cert_hash_set *chs = session->cert_hash_set; if (chs && !cert_hash_compare(chs, multi->locked_cert_hash_set)) { - msg(D_TLS_ERRORS, "TLS Auth Error: TLS object CN=%s client-provided SSL certs unexpectedly changed during mid-session reauth", + msg(D_TLS_ERRORS, + "TLS Auth Error: TLS object CN=%s client-provided SSL certs unexpectedly changed during mid-session reauth", session->common_name); /* disable the tunnel */ 
@@ -1830,15 +1831,14 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
         struct gc_arena gc = gc_new();
         const char *cn = session->common_name;
 
-        const char *path = platform_gen_path(session->opt->client_config_dir_exclusive,
-                                             cn, &gc);
+        const char *path = platform_gen_path(session->opt->client_config_dir_exclusive, cn, &gc);
         if (!cn || !strcmp(cn, CCD_DEFAULT) || !platform_test_file(path))
         {
             ks->authenticated = KS_AUTH_FALSE;
             wipe_auth_token(multi);
-            msg(D_TLS_ERRORS, "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'",
-                session->common_name,
-                path ? path : "UNDEF");
+            msg(D_TLS_ERRORS,
+                "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'",
+                session->common_name, path ? path : "UNDEF");
         }
 
         gc_free(&gc);
@@ -1852,8 +1852,7 @@ tls_x509_clear_env(struct env_set *es)
     while (item)
     {
         struct env_item *next = item->next;
-        if (item->string
-            && 0 == strncmp("X509_", item->string, strlen("X509_")))
+        if (item->string && 0 == strncmp("X509_", item->string, strlen("X509_")))
         {
             env_set_del(es, item->string);
         }
diff --git a/src/openvpn/ssl_verify.h b/src/openvpn/ssl_verify.h
index 76f1e24e0..fdf6bb5b1 100644
--- a/src/openvpn/ssl_verify.h
+++ b/src/openvpn/ssl_verify.h
@@ -54,25 +54,27 @@
 #define TLS_USERNAME_LEN 64
 
 /** Structure containing the hash for a single certificate */
-struct cert_hash {
-    unsigned char sha256_hash[256/8];
+struct cert_hash
+{
+    unsigned char sha256_hash[256 / 8];
 };
 
 /** Structure containing the hashes for a full certificate chain */
-struct cert_hash_set {
+struct cert_hash_set
+{
     struct cert_hash *ch[MAX_CERT_DEPTH]; /**< Array of certificate hashes */
 };
 
-#define VERIFY_X509_NONE 0
-#define VERIFY_X509_SUBJECT_DN 1
-#define VERIFY_X509_SUBJECT_RDN 2
-#define VERIFY_X509_SUBJECT_RDN_PREFIX 3
+#define VERIFY_X509_NONE 0
+#define VERIFY_X509_SUBJECT_DN 1
+#define VERIFY_X509_SUBJECT_RDN 2
+#define VERIFY_X509_SUBJECT_RDN_PREFIX 3
 
 enum tls_auth_status
 {
-    TLS_AUTHENTICATION_SUCCEEDED=0,
-    TLS_AUTHENTICATION_FAILED=1,
-    TLS_AUTHENTICATION_DEFERRED=2
+    TLS_AUTHENTICATION_SUCCEEDED = 0,
+    TLS_AUTHENTICATION_FAILED = 1,
+    TLS_AUTHENTICATION_DEFERRED = 2
 };
 
 /**
@@ -91,8 +93,7 @@ enum tls_auth_status
  *
  * @return Current authentication status of the tls_multi
  */
-enum tls_auth_status
-tls_authentication_status(struct tls_multi *multi);
+enum tls_auth_status tls_authentication_status(struct tls_multi *multi);
 
 /** Check whether the \a ks \c key_state has finished the key exchange part
  * of the OpenVPN hand shake. This is that the key_method_2read/write
@@ -155,8 +156,7 @@ const char *tls_common_name(const struct tls_multi *multi, const bool null);
  * @param session The session to set the common name for
  * @param common_name The name to set the common name to
  */
-void
-set_common_name(struct tls_session *session, const char *common_name);
+void set_common_name(struct tls_session *session, const char *common_name);
 
 /**
  * Returns the username field for the given tunnel
@@ -187,8 +187,7 @@ bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_
  * @param session The current TLS session
  *
  */
-void verify_user_pass(struct user_pass *up, struct tls_multi *multi,
-                      struct tls_session *session);
+void verify_user_pass(struct user_pass *up, struct tls_multi *multi, struct tls_session *session);
 
 
 /**
@@ -203,8 +202,7 @@ void verify_user_pass(struct user_pass *up, struct tls_multi *multi,
  * @return true if name is under limit or username-as-common-name
  * is not active
  */
-bool ssl_verify_username_length(struct tls_session *session,
-                                const char *username);
+bool ssl_verify_username_length(struct tls_session *session, const char *username);
 
 /**
  * Runs the --client-crresponse script if one is defined.
@@ -214,8 +212,7 @@ bool ssl_verify_username_length(struct tls_session *session,
  * the files for the deferred auth like the management commands.
  *
  */
-void
-verify_crresponse_script(struct tls_multi *multi, const char *cr_response);
+void verify_crresponse_script(struct tls_multi *multi, const char *cr_response);
 
 /**
  * Call the plugin OPENVPN_PLUGIN_CLIENT_CRRESPONSE.
@@ -224,8 +221,7 @@ verify_crresponse_script(struct tls_multi *multi, const char *cr_response);
  * that it does not directly participate in the authentication but rather
  * should set the files for the deferred auth like the management commands.
  */
-void
-verify_crresponse_plugin(struct tls_multi *multi, const char *cr_response);
+void verify_crresponse_plugin(struct tls_multi *multi, const char *cr_response);
 
 /**
  * Perform final authentication checks, including locking of the cn, the allowed
@@ -242,7 +238,7 @@ struct x509_track
 {
     const struct x509_track *next;
     const char *name;
-#define XT_FULL_CHAIN (1<<0)
+#define XT_FULL_CHAIN (1 << 0)
     unsigned int flags;
     int nid;
 };
@@ -251,11 +247,11 @@ struct x509_track
  * Certificate checking for verify_nsCertType
  */
 /** Do not perform Netscape certificate type verification */
-#define NS_CERT_CHECK_NONE (0)
+#define NS_CERT_CHECK_NONE (0)
 /** Do not perform Netscape certificate type verification */
-#define NS_CERT_CHECK_SERVER (1<<0)
+#define NS_CERT_CHECK_SERVER (1 << 0)
 /** Do not perform Netscape certificate type verification */
-#define NS_CERT_CHECK_CLIENT (1<<1)
+#define NS_CERT_CHECK_CLIENT (1 << 1)
 
 /** Require keyUsage to be present in cert (0xFFFF is an invalid KU value) */
 #define OPENVPN_KU_REQUIRED (0xFFFF)
@@ -264,7 +260,8 @@ struct x509_track
  * TODO: document
  */
 #ifdef ENABLE_MANAGEMENT
-bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason);
+bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth,
+                          const char *client_reason);
 #endif
 
 
diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h
index 03f591cc7..a0559c984 100644
--- a/src/openvpn/ssl_verify_backend.h
+++ b/src/openvpn/ssl_verify_backend.h
@@ -32,7 +32,11 @@
 /**
  * Result of verification function
  */
-typedef enum { SUCCESS = 0, FAILURE = 1 } result_t;
+typedef enum
+{
+    SUCCESS = 0,
+    FAILURE = 1
+} result_t;
 
 /*
  * Backend support functions.
@@ -94,8 +98,7 @@ char *x509_get_subject(openvpn_x509_cert_t *cert, struct gc_arena *gc);
  *
  * @return a string containing the certificate fingerprint
  */
-struct buffer x509_get_sha1_fingerprint(openvpn_x509_cert_t *cert,
-                                        struct gc_arena *gc);
+struct buffer x509_get_sha1_fingerprint(openvpn_x509_cert_t *cert, struct gc_arena *gc);
 
 /**
  * Retrieve the certificate's SHA256 fingerprint.
@@ -105,8 +108,7 @@ struct buffer x509_get_sha1_fingerprint(openvpn_x509_cert_t *cert,
  *
  * @return a string containing the certificate fingerprint
  */
-struct buffer x509_get_sha256_fingerprint(openvpn_x509_cert_t *cert,
-                                          struct gc_arena *gc);
+struct buffer x509_get_sha256_fingerprint(openvpn_x509_cert_t *cert, struct gc_arena *gc);
 
 /*
  * Retrieve the certificate's username from the specified field.
@@ -121,8 +123,8 @@ struct buffer x509_get_sha256_fingerprint(openvpn_x509_cert_t *cert,
  *
  * @return \c FAILURE, \c or SUCCESS
  */
-result_t backend_x509_get_username(char *common_name, int cn_len,
-                                   char *x509_username_field, openvpn_x509_cert_t *peer_cert);
+result_t backend_x509_get_username(char *common_name, int cn_len, char *x509_username_field,
+                                   openvpn_x509_cert_t *peer_cert);
 
 #ifdef ENABLE_X509ALTUSERNAME
 /**
@@ -157,8 +159,7 @@ char *backend_x509_get_serial(openvpn_x509_cert_t *cert, struct gc_arena *gc);
  * @return String representation of the certificate's serial number
  *         in hex notation, or NULL on error.
  */
-char *backend_x509_get_serial_hex(openvpn_x509_cert_t *cert,
-                                  struct gc_arena *gc);
+char *backend_x509_get_serial_hex(openvpn_x509_cert_t *cert, struct gc_arena *gc);
 
 /*
  * Write the certificate to the file in PEM format.
@@ -168,8 +169,7 @@ char *backend_x509_get_serial_hex(openvpn_x509_cert_t *cert,
  *
  * @return \c FAILURE, \c or SUCCESS
  */
-result_t backend_x509_write_pem(openvpn_x509_cert_t *cert,
-                                const char *filename);
+result_t backend_x509_write_pem(openvpn_x509_cert_t *cert, const char *filename);
 
 /*
  * Save X509 fields to environment, using the naming convention:
@@ -193,8 +193,8 @@ void x509_setenv(struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert);
  * @param gc Garbage collection arena for temp data
  *
  */
-void x509_track_add(const struct x509_track **ll_head, const char *name,
-                    int msglevel, struct gc_arena *gc);
+void x509_track_add(const struct x509_track **ll_head, const char *name, int msglevel,
+                    struct gc_arena *gc);
 
 /*
  * Save X509 fields to environment, using the naming convention:
@@ -216,8 +216,8 @@ void x509_track_add(const struct x509_track **ll_head, const char *name,
  * @param cert_depth Depth of the certificate
  * @param cert Certificate to set the environment for
  */
-void x509_setenv_track(const struct x509_track *xt, struct env_set *es,
-                       const int depth, openvpn_x509_cert_t *x509);
+void x509_setenv_track(const struct x509_track *xt, struct env_set *es, const int depth,
+                       openvpn_x509_cert_t *x509);
 
 /*
  * Check X.509 Netscape certificate type field, if available.
diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c
index 43bbde5ca..cfcfb253c 100644
--- a/src/openvpn/ssl_verify_mbedtls.c
+++ b/src/openvpn/ssl_verify_mbedtls.c
@@ -46,10 +46,9 @@
 #define MAX_SUBJECT_LENGTH 256
 
 int
-verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth,
-                uint32_t *flags)
+verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth, uint32_t *flags)
 {
-    struct tls_session *session = (struct tls_session *) session_obj;
+    struct tls_session *session = (struct tls_session *)session_obj;
     struct gc_arena gc = gc_new();
 
     ASSERT(cert);
@@ -71,8 +70,7 @@ verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth,
          * Clearing these flags relies on verify_cert will later rejecting a
          * certificate that has no matching fingerprint.
          */
-        uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED
-                                | MBEDTLS_X509_BADCERT_EXPIRED
+        uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED | MBEDTLS_X509_BADCERT_EXPIRED
                                 | MBEDTLS_X509_BADCERT_FUTURE;
         *flags = *flags & ~flags_ignore;
     }
@@ -85,9 +83,10 @@ verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth,
         char *subject = x509_get_subject(cert, &gc);
         char *serial = backend_x509_get_serial(cert, &gc);
 
-        ret = mbedtls_x509_crt_verify_info(errstr, sizeof(errstr)-1, "", *flags);
-        if (ret <= 0 && !snprintf(errstr, sizeof(errstr),
-                                  "Could not retrieve error string, flags=%" PRIx32, *flags))
+        ret = mbedtls_x509_crt_verify_info(errstr, sizeof(errstr) - 1, "", *flags);
+        if (ret <= 0
+            && !snprintf(errstr, sizeof(errstr), "Could not retrieve error string, flags=%" PRIx32,
+                         *flags))
         {
             errstr[0] = '\0';
         }
@@ -98,13 +97,15 @@ verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth,
 
         if (subject)
         {
-            msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, subject=%s, serial=%s: %s",
-                cert_depth, subject, serial ? serial : "", errstr);
+            msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, subject=%s, serial=%s: %s", cert_depth,
+                subject, serial ? serial : "", errstr);
         }
         else
         {
-            msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, (could not extract X509 "
-                "subject string from certificate): %s", cert_depth, errstr);
+            msg(D_TLS_ERRORS,
+                "VERIFY ERROR: depth=%d, (could not extract X509 "
+                "subject string from certificate): %s",
+                cert_depth, errstr);
         }
 
         /* Leave flags set to non-zero to indicate that the cert is not ok */
@@ -127,20 +128,18 @@ verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth,
 #endif
 
 result_t
-backend_x509_get_username(char *cn, int cn_len,
-                          char *x509_username_field, mbedtls_x509_crt *cert)
+backend_x509_get_username(char *cn, int cn_len, char *x509_username_field, mbedtls_x509_crt *cert)
 {
     mbedtls_x509_name *name;
 
-    ASSERT( cn != NULL );
+    ASSERT(cn != NULL);
 
     name = &cert->subject;
 
     /* Find common name */
     while (name != NULL)
     {
-        if (0 == memcmp(name->oid.p, MBEDTLS_OID_AT_CN,
-                        MBEDTLS_OID_SIZE(MBEDTLS_OID_AT_CN)))
+        if (0 == memcmp(name->oid.p, MBEDTLS_OID_AT_CN, MBEDTLS_OID_SIZE(MBEDTLS_OID_AT_CN)))
         {
             break;
         }
@@ -157,13 +156,13 @@ backend_x509_get_username(char *cn, int cn_len,
     /* Found, extract CN */
     if (cn_len > name->val.len)
     {
-        memcpy( cn, name->val.p, name->val.len );
+        memcpy(cn, name->val.p, name->val.len);
         cn[name->val.len] = '\0';
     }
     else
     {
-        memcpy( cn, name->val.p, cn_len);
-        cn[cn_len-1] = '\0';
+        memcpy(cn, name->val.p, cn_len);
+        cn[cn_len - 1] = '\0';
     }
 
     return SUCCESS;
@@ -178,8 +177,7 @@ backend_x509_get_serial(mbedtls_x509_crt *cert, struct gc_arena *gc)
 
     /* Transform asn1 integer serial into mbed TLS MPI */
     mbedtls_mpi_init(&serial_mpi);
-    if (!mbed_ok(mbedtls_mpi_read_binary(&serial_mpi, cert->serial.p,
-                                         cert->serial.len)))
+    if (!mbed_ok(mbedtls_mpi_read_binary(&serial_mpi, cert->serial.p, cert->serial.len)))
     {
         msg(M_WARN, "Failed to retrieve serial from certificate.");
         goto end;
@@ -210,7 +208,7 @@ backend_x509_get_serial_hex(mbedtls_x509_crt *cert, struct gc_arena *gc)
 
     buf = gc_malloc(len, true, gc);
 
-    if (mbedtls_x509_serial_gets(buf, len-1, &cert->serial) < 0)
+    if (mbedtls_x509_serial_gets(buf, len - 1, &cert->serial) < 0)
     {
         buf = NULL;
     }
@@ -234,7 +232,7 @@ backend_x509_write_pem(openvpn_x509_cert_t *cert, const char *filename)
     struct buffer der = {};
     buf_set_read(&der, cert->raw.p, cert->raw.len);
 
-    if (!crypto_pem_encode("CERTIFICATE", &pem, &der, &gc))
+    if (!crypto_pem_encode("CERTIFICATE", &pem, &der, &gc))
     {
         goto err;
     }
@@ -247,15 +245,13 @@ backend_x509_write_pem(openvpn_x509_cert_t *cert, const char *filename)
     gc_free(&gc);
     return SUCCESS;
 err:
-    msg(D_TLS_DEBUG_LOW, "Error writing X509 certificate to file %s",
-        filename);
+    msg(D_TLS_DEBUG_LOW, "Error writing X509 certificate to file %s", filename);
     gc_free(&gc);
     return FAILURE;
 }
 
 static struct buffer
-x509_get_fingerprint(const mbedtls_md_info_t *md_info, mbedtls_x509_crt *cert,
-                     struct gc_arena *gc)
+x509_get_fingerprint(const mbedtls_md_info_t *md_info, mbedtls_x509_crt *cert, struct gc_arena *gc)
 {
     const size_t md_size = mbedtls_md_get_size(md_info);
     struct buffer fingerprint = alloc_buf_gc(md_size, gc);
@@ -267,26 +263,24 @@ x509_get_fingerprint(const mbedtls_md_info_t *md_info, mbedtls_x509_crt *cert,
 struct buffer
 x509_get_sha1_fingerprint(mbedtls_x509_crt *cert, struct gc_arena *gc)
 {
-    return x509_get_fingerprint(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1),
-                                cert, gc);
+    return x509_get_fingerprint(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1), cert, gc);
 }
 
 struct buffer
 x509_get_sha256_fingerprint(mbedtls_x509_crt *cert, struct gc_arena *gc)
 {
-    return x509_get_fingerprint(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
-                                cert, gc);
+    return x509_get_fingerprint(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), cert, gc);
 }
 
 char *
 x509_get_subject(mbedtls_x509_crt *cert, struct gc_arena *gc)
 {
-    char tmp_subject[MAX_SUBJECT_LENGTH] = {0};
+    char tmp_subject[MAX_SUBJECT_LENGTH] = { 0 };
     char *subject = NULL;
 
     int ret = 0;
 
-    ret = mbedtls_x509_dn_gets( tmp_subject, MAX_SUBJECT_LENGTH-1, &cert->subject );
+    ret = mbedtls_x509_dn_gets(tmp_subject, MAX_SUBJECT_LENGTH - 1, &cert->subject);
     if (ret > 0)
     {
         /* Allocate the required space for the subject */
@@ -305,7 +299,7 @@ do_setenv_x509(struct env_set *es, const char *name, char *value, int depth)
     string_mod(value, CC_ANY, CC_CRLF, '?');
     msg(D_X509_ATTR, "X509 ATTRIBUTE name='%s' value='%s' depth=%d", name, value, depth);
     name_expand_size = 64 + strlen(name);
-    name_expand = (char *) malloc(name_expand_size);
+    name_expand = (char *)malloc(name_expand_size);
     check_malloc_return(name_expand);
     snprintf(name_expand, name_expand_size, "X509_%d_%s", depth, name);
     setenv_str(es, name_expand, value);
@@ -318,8 +312,7 @@ asn1_buf_to_c_string(const mbedtls_asn1_buf *orig, struct gc_arena *gc)
     size_t i;
     char *val;
 
-    if (!(orig->tag == MBEDTLS_ASN1_UTF8_STRING
-          || orig->tag == MBEDTLS_ASN1_PRINTABLE_STRING
+    if (!(orig->tag == MBEDTLS_ASN1_UTF8_STRING || orig->tag == MBEDTLS_ASN1_PRINTABLE_STRING
           || orig->tag == MBEDTLS_ASN1_IA5_STRING))
     {
         /* Only support C-string compatible types */
@@ -333,15 +326,15 @@ asn1_buf_to_c_string(const mbedtls_asn1_buf *orig, struct gc_arena *gc)
             return string_alloc("ERROR: embedded null value", gc);
         }
     }
-    val = gc_malloc(orig->len+1, false, gc);
+    val = gc_malloc(orig->len + 1, false, gc);
     memcpy(val, orig->p, orig->len);
     val[orig->len] = '\0';
     return val;
 }
 
 static void
-do_setenv_name(struct env_set *es, const struct x509_track *xt,
-               const mbedtls_x509_crt *cert, int depth, struct gc_arena *gc)
+do_setenv_name(struct env_set *es, const struct x509_track *xt, const mbedtls_x509_crt *cert,
+               int depth, struct gc_arena *gc)
 {
     const mbedtls_x509_name *xn;
     for (xn = &cert->subject; xn != NULL; xn = xn->next)
@@ -357,7 +350,8 @@ do_setenv_name(struct env_set *es, const struct x509_track *xt,
 }
 
 void
-x509_track_add(const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc)
+x509_track_add(const struct x509_track **ll_head, const char *name, int msglevel,
+               struct gc_arena *gc)
 {
     struct x509_track *xt;
     ALLOC_OBJ_CLEAR_GC(xt, struct x509_track, gc);
@@ -372,8 +366,8 @@ x509_track_add(const struct x509_track **ll_head, const char *name, int msglevel
 }
 
 void
-x509_setenv_track(const struct x509_track *xt, struct env_set *es,
-                  const int depth, mbedtls_x509_crt *cert)
+x509_setenv_track(const struct x509_track *xt, struct env_set *es, const int depth,
+                  mbedtls_x509_crt *cert)
 {
     struct gc_arena gc = gc_new();
     while (xt)
@@ -395,8 +389,8 @@ x509_setenv_track(const struct x509_track *xt, struct env_set *es,
                 cert_hash = x509_get_sha256_fingerprint(cert, &gc);
             }
 
-            fingerprint = format_hex_ex(BPTR(&cert_hash),
-                                        BLEN(&cert_hash), 0, 1 | FHE_CAPS, ":", &gc);
+            fingerprint =
+                format_hex_ex(BPTR(&cert_hash), BLEN(&cert_hash), 0, 1 | FHE_CAPS, ":", &gc);
             do_setenv_x509(es, xt->name, fingerprint, depth);
         }
         else
@@ -426,29 +420,27 @@ x509_setenv(struct env_set *es, int cert_depth, mbedtls_x509_crt *cert) while (name != NULL) { - char name_expand[64+8]; + char name_expand[64 + 8]; const char *shortname; - if (0 == mbedtls_oid_get_attr_short_name(&name->oid, &shortname) ) + if (0 == mbedtls_oid_get_attr_short_name(&name->oid, &shortname)) { - snprintf(name_expand, sizeof(name_expand), "X509_%d_%s", - cert_depth, shortname); + snprintf(name_expand, sizeof(name_expand), "X509_%d_%s", cert_depth, shortname); } else { - snprintf(name_expand, sizeof(name_expand), "X509_%d_\?\?", - cert_depth); + snprintf(name_expand, sizeof(name_expand), "X509_%d_\?\?", cert_depth); } for (i = 0; i < name->val.len; i++) { - if (i >= (int) sizeof( s ) - 1) + if (i >= (int)sizeof(s) - 1) { break; } c = name->val.p[i]; - if (c < 32 || c == 127 || ( c > 128 && c < 160 ) ) + if (c < 32 || c == 127 || (c > 128 && c < 160)) { s[i] = '?'; } @@ -482,15 +474,13 @@ x509_verify_ns_cert_type(mbedtls_x509_crt *cert, const int usage) } result_t -x509_verify_cert_ku(mbedtls_x509_crt *cert, const unsigned *const expected_ku, - int expected_len) +x509_verify_cert_ku(mbedtls_x509_crt *cert, const unsigned *const expected_ku, int expected_len) { msg(D_HANDSHAKE, "Validating certificate key usage"); if (!mbedtls_x509_crt_has_ext_type(cert, MBEDTLS_X509_EXT_KEY_USAGE)) { - msg(D_TLS_ERRORS, - "ERROR: Certificate does not have key usage extension"); + msg(D_TLS_ERRORS, "ERROR: Certificate does not have key usage extension"); return FAILURE; } @@ -501,10 +491,9 @@ x509_verify_cert_ku(mbedtls_x509_crt *cert, const unsigned *const expected_ku, } result_t fFound = FAILURE; - for (size_t i = 0; SUCCESS != fFound && i"); + X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), subject, + serial ? serial : ""); ERR_clear_error(); 
@@ -120,8 +119,7 @@ x509_username_field_ext_supported(const char *fieldname) return nid == NID_subject_alt_name || nid == NID_issuer_alt_name; } -static -bool +static bool extract_x509_extension(X509 *cert, char *fieldname, char *out, int size) { bool retval = false; @@ -129,8 +127,7 @@ extract_x509_extension(X509 *cert, char *fieldname, char *out, int size) if (!x509_username_field_ext_supported(fieldname)) { - msg(D_TLS_ERRORS, - "ERROR: --x509-username-field 'ext:%s' not supported", fieldname); + msg(D_TLS_ERRORS, "ERROR: --x509-username-field 'ext:%s' not supported", fieldname); return false; } @@ -148,10 +145,10 @@ extract_x509_extension(X509 *cert, char *fieldname, char *out, int size) numalts = sk_GENERAL_NAME_num(extensions); /* loop through all alternatives */ - for (i = 0; itype) { @@ -174,8 +171,8 @@ extract_x509_extension(X509 *cert, char *fieldname, char *out, int size) break; default: - msg(D_TLS_DEBUG, "%s: ignoring general name field type %i", - __func__, name->type); + msg(D_TLS_DEBUG, "%s: ignoring general name field type %i", __func__, + name->type); break; } } @@ -198,8 +195,7 @@ extract_x509_extension(X509 *cert, char *fieldname, char *out, int size) * to contain result is grounds for error). */ static result_t -extract_x509_field_ssl(X509_NAME *x509, const char *field_name, char *out, - int size) +extract_x509_field_ssl(X509_NAME *x509, const char *field_name, char *out, int size) { int lastpos = -1; int tmp = -1; 
@@ -256,13 +252,12 @@ extract_x509_field_ssl(X509_NAME *x509, const char *field_name, char *out,
 }
 
 result_t
-backend_x509_get_username(char *common_name, int cn_len,
-                          char *x509_username_field, X509 *peer_cert)
+backend_x509_get_username(char *common_name, int cn_len, char *x509_username_field, X509 *peer_cert)
 {
 #ifdef ENABLE_X509ALTUSERNAME
     if (strncmp("ext:", x509_username_field, 4) == 0)
     {
-        if (!extract_x509_extension(peer_cert, x509_username_field+4, common_name, cn_len))
+        if (!extract_x509_extension(peer_cert, x509_username_field + 4, common_name, cn_len))
         {
             return FAILURE;
         }
@@ -271,10 +266,9 @@ backend_x509_get_username(char *common_name, int cn_len,
     {
         ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert);
         struct gc_arena gc = gc_new();
-        char *serial = format_hex_ex(asn1_i->data, asn1_i->length,
-                                     0, 1 | FHE_CAPS, NULL, &gc);
+        char *serial = format_hex_ex(asn1_i->data, asn1_i->length, 0, 1 | FHE_CAPS, NULL, &gc);
 
-        if (!serial || cn_len <= strlen(serial)+2)
+        if (!serial || cn_len <= strlen(serial) + 2)
         {
             gc_free(&gc);
             return FAILURE;
@@ -284,11 +278,12 @@ backend_x509_get_username(char *common_name, int cn_len,
     }
     else
 #endif /* ifdef ENABLE_X509ALTUSERNAME */
-    if (FAILURE == extract_x509_field_ssl(X509_get_subject_name(peer_cert),
-                                          x509_username_field, common_name, cn_len))
-    {
-        return FAILURE;
-    }
+        if (FAILURE
+            == extract_x509_field_ssl(X509_get_subject_name(peer_cert), x509_username_field,
+                                      common_name, cn_len))
+        {
+            return FAILURE;
+        }
 
     return SUCCESS;
 }
@@ -338,8 +333,7 @@ backend_x509_write_pem(openvpn_x509_cert_t *cert, const char *filename)
     return SUCCESS;
 err:
     BIO_free(out);
-    crypto_msg(D_TLS_DEBUG_LOW, "Error writing X509 certificate to file %s",
-               filename);
+    crypto_msg(D_TLS_DEBUG_LOW, "Error writing X509 certificate to file %s", filename);
     return FAILURE;
 }
 
@@ -376,9 +370,9 @@ x509_get_subject(X509 *cert, struct gc_arena *gc)
         goto err;
     }
 
-    X509_NAME_print_ex(subject_bio, X509_get_subject_name(cert),
-                       0, XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_FN_SN
-                       |ASN1_STRFLGS_UTF8_CONVERT | ASN1_STRFLGS_ESC_CTRL);
+    X509_NAME_print_ex(subject_bio, X509_get_subject_name(cert), 0,
+                       XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_FN_SN | ASN1_STRFLGS_UTF8_CONVERT
+                           | ASN1_STRFLGS_ESC_CTRL);
 
     if (BIO_eof(subject_bio))
     {
@@ -420,7 +414,8 @@ err:
  */
 
 void
-x509_track_add(const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc)
+x509_track_add(const struct x509_track **ll_head, const char *name, int msglevel,
+               struct gc_arena *gc)
 {
     struct x509_track *xt;
     ALLOC_OBJ_CLEAR_GC(xt, struct x509_track, gc);
@@ -452,7 +447,7 @@ do_setenv_x509(struct env_set *es, const char *name, char *value, int depth)
     string_mod(value, CC_ANY, CC_CRLF, '?');
     msg(D_X509_ATTR, "X509 ATTRIBUTE name='%s' value='%s' depth=%d", name, value, depth);
     name_expand_size = 64 + strlen(name);
-    name_expand = (char *) malloc(name_expand_size);
+    name_expand = (char *)malloc(name_expand_size);
     check_malloc_return(name_expand);
     snprintf(name_expand, name_expand_size, "X509_%d_%s", depth, name);
     setenv_str(es, name_expand, value);
@@ -487,8 +482,7 @@ x509_setenv_track(const struct x509_track *xt, struct env_set *es, const int dep
                 fp_buf = x509_get_sha256_fingerprint(x509, &gc);
             }
 
-            fp_str = format_hex_ex(BPTR(&fp_buf), BLEN(&fp_buf), 0,
-                                   1 | FHE_CAPS, ":", &gc);
+            fp_str = format_hex_ex(BPTR(&fp_buf), BLEN(&fp_buf), 0, 1 | FHE_CAPS, ":", &gc);
             do_setenv_x509(es, xt->name, fp_str, depth);
         }
         break;
@@ -595,10 +589,9 @@ x509_setenv(struct env_set *es, int cert_depth, openvpn_x509_cert_t *peer_cert)
             continue;
         }
         name_expand_size = 64 + strlen(objbuf);
-        name_expand = (char *) malloc(name_expand_size);
+        name_expand = (char *)malloc(name_expand_size);
         check_malloc_return(name_expand);
-        snprintf(name_expand, name_expand_size, "X509_%d_%s", cert_depth,
-                 objbuf);
+        snprintf(name_expand, name_expand_size, "X509_%d_%s", cert_depth, objbuf);
         string_mod(name_expand, CC_PRINT, CC_CRLF, '_');
         string_mod((char *)buf, CC_PRINT, CC_CRLF, '_');
         setenv_str_incr(es, name_expand, (char *)buf);
@@ -620,8 +613,8 @@ x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage)
          * Unfortunately, X509_check_purpose() does some weird thing that
          * prevent it to take a const argument
          */
-        result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_CLIENT, 0) ?
-                          SUCCESS : FAILURE;
+        result_t result =
+            X509_check_purpose(peer_cert, X509_PURPOSE_SSL_CLIENT, 0) ? SUCCESS : FAILURE;
 
         /*
          * old versions of OpenSSL allow us to make the less strict check we used to
@@ -636,7 +629,7 @@ x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage)
         if (result == SUCCESS)
         {
             msg(M_WARN, "X509: Certificate is a client certificate yet it's purpose "
-                "cannot be verified (check may fail in the future)");
+                        "cannot be verified (check may fail in the future)");
         }
         ASN1_BIT_STRING_free(ns);
     }
@@ -648,8 +641,8 @@ x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage)
          * Unfortunately, X509_check_purpose() does some weird thing that
          * prevent it to take a const argument
          */
-        result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_SERVER, 0) ?
-                          SUCCESS : FAILURE;
+        result_t result =
+            X509_check_purpose(peer_cert, X509_PURPOSE_SSL_SERVER, 0) ? SUCCESS : FAILURE;
 
         /*
          * old versions of OpenSSL allow us to make the less strict check we used to
@@ -664,7 +657,7 @@ x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage)
         if (result == SUCCESS)
         {
             msg(M_WARN, "X509: Certificate is a server certificate yet it's purpose "
-                "cannot be verified (check may fail in the future)");
+                        "cannot be verified (check may fail in the future)");
         }
         ASN1_BIT_STRING_free(ns);
     }
@@ -675,8 +668,7 @@ x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage)
 }
 
 result_t
-x509_verify_cert_ku(X509 *x509, const unsigned *const expected_ku,
-                    int expected_len)
+x509_verify_cert_ku(X509 *x509, const unsigned *const expected_ku, int expected_len)
 {
     ASN1_BIT_STRING *ku = X509_get_ext_d2i(x509, NID_key_usage, NULL, NULL);
 
@@ -722,8 +714,7 @@ x509_verify_cert_ku(X509 *x509, const unsigned *const expected_ku,
 
     if (fFound != SUCCESS)
     {
-        msg(D_TLS_ERRORS,
-            "ERROR: Certificate has key usage %04x, expected one of:", nku);
+        msg(D_TLS_ERRORS, "ERROR: Certificate has key usage %04x, expected one of:", nku);
         for (size_t i = 0; i < expected_len && expected_ku[i]; i++)
         {
             msg(D_TLS_ERRORS, " * %04x", expected_ku[i]);
@@ -741,8 +732,7 @@ x509_verify_cert_eku(X509 *x509, const char *const expected_oid)
     EXTENDED_KEY_USAGE *eku = NULL;
     result_t fFound = FAILURE;
 
-    if ((eku = (EXTENDED_KEY_USAGE *) X509_get_ext_d2i(x509, NID_ext_key_usage,
-                                                       NULL, NULL)) == NULL)
+    if ((eku = (EXTENDED_KEY_USAGE *)X509_get_ext_d2i(x509, NID_ext_key_usage, NULL, NULL)) == NULL)
     {
         msg(D_HANDSHAKE, "Certificate does not have extended key usage extension");
     }
@@ -758,8 +748,8 @@ x509_verify_cert_eku(X509 *x509, const char *const expected_oid)
 
         if (SUCCESS != fFound && OBJ_obj2txt(szOid, sizeof(szOid), oid, 0) != -1)
         {
-            msg(D_HANDSHAKE, "++ Certificate has EKU (str) %s, expects %s",
-                szOid, expected_oid);
+            msg(D_HANDSHAKE, "++ Certificate has EKU (str) %s, expects %s", szOid,
+                expected_oid);
             if (!strcmp(expected_oid, szOid))
             {
                 fFound = SUCCESS;
@@ -767,8 +757,8 @@ x509_verify_cert_eku(X509 *x509, const char *const expected_oid)
         }
         if (SUCCESS != fFound && OBJ_obj2txt(szOid, sizeof(szOid), oid, 1) != -1)
         {
-            msg(D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s",
-                szOid, expected_oid);
+            msg(D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s", szOid,
+                expected_oid);
             if (!strcmp(expected_oid, szOid))
             {
                 fFound = SUCCESS;
diff --git a/src/openvpn/status.c b/src/openvpn/status.c
index 1f5e67a22..34e5a2fea 100644
--- a/src/openvpn/status.c
+++ b/src/openvpn/status.c
@@ -48,7 +48,7 @@ print_status_mode(unsigned int flags)
         case STATUS_OUTPUT_READ:
             return "READ";
 
-        case STATUS_OUTPUT_READ|STATUS_OUTPUT_WRITE:
+        case STATUS_OUTPUT_READ | STATUS_OUTPUT_WRITE:
             return "READ/WRITE";
 
         default:
@@ -57,11 +57,8 @@ print_status_mode(unsigned int flags)
 }
 
 struct status_output *
-status_open(const char *filename,
-            const int refresh_freq,
-            const int msglevel,
-            const struct virtual_output *vout,
-            const unsigned int flags)
+status_open(const char *filename, const int refresh_freq, const int msglevel,
+            const struct virtual_output *vout, const unsigned int flags)
 {
     struct status_output *so = NULL;
     if (filename || msglevel >= 0 || vout)
@@ -78,21 +75,16 @@ status_open(const char *filename,
             switch (so->flags)
             {
                 case STATUS_OUTPUT_WRITE:
-                    so->fd = platform_open(filename,
-                                           O_CREAT | O_TRUNC | O_WRONLY,
-                                           S_IRUSR | S_IWUSR);
+                    so->fd =
+                        platform_open(filename, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR);
                     break;
 
                 case STATUS_OUTPUT_READ:
-                    so->fd = platform_open(filename,
-                                           O_RDONLY,
-                                           S_IRUSR | S_IWUSR);
+                    so->fd = platform_open(filename, O_RDONLY, S_IRUSR | S_IWUSR);
                     break;
 
-                case STATUS_OUTPUT_READ|STATUS_OUTPUT_WRITE:
-                    so->fd = platform_open(filename,
-                                           O_CREAT | O_RDWR,
-                                           S_IRUSR | S_IWUSR);
+                case STATUS_OUTPUT_READ | STATUS_OUTPUT_WRITE:
+                    so->fd = platform_open(filename, O_CREAT | O_RDWR, S_IRUSR | S_IWUSR);
                     break;
 
                 default:
@@ -167,10 +159,10 @@ status_flush(struct status_output *so)
             }
 #elif defined(HAVE_CHSIZE)
             {
-                const long off = (long) lseek(so->fd, (off_t)0, SEEK_CUR);
+                const long off = (long)lseek(so->fd, (off_t)0, SEEK_CUR);
                 chsize(so->fd, off);
             }
-#else /* if defined(HAVE_FTRUNCATE) */
+#else /* if defined(HAVE_FTRUNCATE) */
 #warning both ftruncate and chsize functions appear to be missing from this OS
 #endif
 
@@ -222,7 +214,7 @@ status_printf(struct status_output *so, const char *format, ...)
 {
     if (so && (so->flags & STATUS_OUTPUT_WRITE))
     {
-        char buf[STATUS_PRINTF_MAXLEN+2]; /* leave extra bytes for CR, LF */
+        char buf[STATUS_PRINTF_MAXLEN + 2]; /* leave extra bytes for CR, LF */
         va_list arglist;
         int stat;
 
diff --git a/src/openvpn/status.h b/src/openvpn/status.h
index ddbaeefb4..0c7a86917 100644
--- a/src/openvpn/status.h
+++ b/src/openvpn/status.h
@@ -28,10 +28,11 @@
 /*
  * virtual function interface for status output
  */
-struct virtual_output {
+struct virtual_output
+{
     void *arg;
     unsigned int flags_default;
-    void (*func) (void *arg, const unsigned int flags, const char *str);
+    void (*func)(void *arg, const unsigned int flags, const char *str);
 };
 
 static inline void
@@ -46,8 +47,8 @@ virtual_output_print(const struct virtual_output *vo, const unsigned int flags,
 
 struct status_output
 {
-#define STATUS_OUTPUT_READ (1<<0)
-#define STATUS_OUTPUT_WRITE (1<<1)
+#define STATUS_OUTPUT_READ (1 << 0)
+#define STATUS_OUTPUT_WRITE (1 << 1)
     unsigned int flags;
 
     char *filename;
@@ -62,11 +63,8 @@ struct status_output
     bool errors;
 };
 
-struct status_output *status_open(const char *filename,
-                                  const int refresh_freq,
-                                  const int msglevel,
-                                  const struct virtual_output *vout,
-                                  const unsigned int flags);
+struct status_output *status_open(const char *filename, const int refresh_freq, const int msglevel,
+                                  const struct virtual_output *vout, const unsigned int flags);
 
 bool status_trigger(struct status_output *so);
 
@@ -79,12 +77,12 @@ bool status_close(struct status_output *so);
void status_printf(struct status_output *so, const char *format, ...)
#ifdef __GNUC__
#if __USE_MINGW_ANSI_STDIO
-__attribute__ ((format(gnu_printf, 2, 3)))
+ __attribute__((format(gnu_printf, 2, 3)))
#else
-__attribute__ ((format(__printf__, 2, 3)))
+ __attribute__((format(__printf__, 2, 3)))
#endif
#endif
-;
+ ;
bool status_read(struct status_output *so, struct buffer *buf);
diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index e77f313be..524923b74 100644
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -28,20 +28,20 @@
/* branch prediction hints */
#if defined(__GNUC__)
-#define likely(x) __builtin_expect((x), 1)
-#define unlikely(x) __builtin_expect((x), 0)
+#define likely(x) __builtin_expect((x), 1)
+#define unlikely(x) __builtin_expect((x), 0)
#else
-#define likely(x) (x)
-#define unlikely(x) (x)
+#define likely(x) (x)
+#define unlikely(x) (x)
#endif
#ifdef _WIN32
#include
#include
#include
-#define sleep(x) Sleep((x)*1000)
-#define random rand
-#define srandom srand
+#define sleep(x) Sleep((x) * 1000)
+#define random rand
+#define srandom srand
#endif
#ifdef _MSC_VER /* Visual Studio */
@@ -51,7 +51,7 @@
#if defined(__APPLE__)
#if __ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__ >= 1070
-#define __APPLE_USE_RFC_3542 1
+#define __APPLE_USE_RFC_3542 1
#endif
#endif
@@ -166,10 +166,10 @@
#endif
#if defined(TARGET_HAIKU)
-#include /* uint32, etc */
-#include /* ifconf etc */
-#include /* SIOCGRTTABLE, etc */
-#endif /* TARGET_HAIKU */
+#include /* uint32, etc */
+#include /* ifconf etc */
+#include /* SIOCGRTTABLE, etc */
+#endif /* TARGET_HAIKU */
#ifdef HAVE_ARPA_INET_H
#include
@@ -183,7 +183,7 @@
#include
#endif
-#if defined(TARGET_LINUX) || defined (TARGET_ANDROID)
+#if defined(TARGET_LINUX) || defined(TARGET_ANDROID)
#ifdef HAVE_LINUX_IF_TUN_H
#include
@@ -373,7 +373,9 @@ typedef int MIB_TCP_STATE;
* Does this platform support linux-style IP_PKTINFO
* or bsd-style IP_RECVDSTADDR ?
*/
-#if ((defined(HAVE_IN_PKTINFO) && defined(IP_PKTINFO)) || defined(IP_RECVDSTADDR)) && defined(HAVE_MSGHDR) && defined(HAVE_CMSGHDR) && defined(CMSG_FIRSTHDR) && defined(CMSG_NXTHDR) && defined(HAVE_RECVMSG) && defined(HAVE_SENDMSG)
+#if ((defined(HAVE_IN_PKTINFO) && defined(IP_PKTINFO)) || defined(IP_RECVDSTADDR)) \
+ && defined(HAVE_MSGHDR) && defined(HAVE_CMSGHDR) && defined(CMSG_FIRSTHDR) \
+ && defined(CMSG_NXTHDR) && defined(HAVE_RECVMSG) && defined(HAVE_SENDMSG)
#define ENABLE_IP_PKTINFO 1
#else
#define ENABLE_IP_PKTINFO 0
@@ -422,10 +424,10 @@ typedef unsigned short sa_family_t;
* Directory separation char
*/
#ifdef _WIN32
-#define PATH_SEPARATOR '\\'
+#define PATH_SEPARATOR '\\'
#define PATH_SEPARATOR_STR "\\"
#else
-#define PATH_SEPARATOR '/'
+#define PATH_SEPARATOR '/'
#define PATH_SEPARATOR_STR "/"
#endif
@@ -434,11 +436,11 @@ typedef unsigned short sa_family_t;
*/
#ifdef _WIN32
#define SOCKET_UNDEFINED (INVALID_SOCKET)
-#define SOCKET_PRINTF "%" PRIxPTR
+#define SOCKET_PRINTF "%" PRIxPTR
typedef SOCKET socket_descriptor_t;
#else
#define SOCKET_UNDEFINED (-1)
-#define SOCKET_PRINTF "%d"
+#define SOCKET_PRINTF "%d"
typedef int socket_descriptor_t;
#endif
@@ -459,7 +461,9 @@ socket_defined(const socket_descriptor_t sd)
/*
* HTTPS port sharing capability
*/
-#if defined(ENABLE_PORT_SHARE) && defined(SCM_RIGHTS) && defined(HAVE_MSGHDR) && defined(HAVE_CMSGHDR) && defined(CMSG_FIRSTHDR) && defined(CMSG_NXTHDR) && defined(HAVE_RECVMSG) && defined(HAVE_SENDMSG)
+#if defined(ENABLE_PORT_SHARE) && defined(SCM_RIGHTS) && defined(HAVE_MSGHDR) \
+ && defined(HAVE_CMSGHDR) && defined(CMSG_FIRSTHDR) && defined(CMSG_NXTHDR) \
+ && defined(HAVE_RECVMSG) && defined(HAVE_SENDMSG)
#define PORT_SHARE 1
#else
#define PORT_SHARE 0
@@ -493,8 +497,7 @@ socket_defined(const socket_descriptor_t sd)
/*
* Do we have CryptoAPI capability?
*/
-#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL) \
- && !defined(ENABLE_CRYPTO_WOLFSSL)
+#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_WOLFSSL)
#define ENABLE_CRYPTOAPI
#endif
@@ -521,8 +524,7 @@ socket_defined(const socket_descriptor_t sd)
/*
* Compression support
*/
-#if defined(ENABLE_LZO) || defined(ENABLE_LZ4) \
- || defined(ENABLE_COMP_STUB)
+#if defined(ENABLE_LZO) || defined(ENABLE_LZ4) || defined(ENABLE_COMP_STUB)
#define USE_COMP
#endif
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index b0c429166..289219970 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -40,9 +40,9 @@ const char *tls_crypt_v2_cli_pem_name = "OpenVPN tls-crypt-v2 client key";
const char *tls_crypt_v2_srv_pem_name = "OpenVPN tls-crypt-v2 server key";
/** Metadata contains user-specified data */
-static const uint8_t TLS_CRYPT_METADATA_TYPE_USER = 0x00;
+static const uint8_t TLS_CRYPT_METADATA_TYPE_USER = 0x00;
/** Metadata contains a 64-bit unix timestamp in network byte order */
-static const uint8_t TLS_CRYPT_METADATA_TYPE_TIMESTAMP = 0x01;
+static const uint8_t TLS_CRYPT_METADATA_TYPE_TIMESTAMP = 0x01;
static struct key_type
tls_crypt_kt(void)
@@ -57,11 +57,10 @@ tls_crypt_buf_overhead(void)
}
void
-tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata,
- const char *key_file, bool key_inline, bool tls_server)
+tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata, const char *key_file,
+ bool key_inline, bool tls_server)
{
- const int key_direction = tls_server ?
- KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
+ const int key_direction = tls_server ? KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
struct key_type kt = tls_crypt_kt();
if (!kt.cipher || !kt.digest)
{
@@ -89,7 +88,6 @@ xor_key2(struct key2 *key, const struct key2 *other)
{
key->keys[k].hmac[j] = key->keys[k].hmac[j] ^ other->keys[k].hmac[j];
}
-
}
}
@@ -98,8 +96,8 @@ tls_session_generate_dynamic_tls_crypt_key(struct tls_session *session)
{
struct key2 rengokeys;
if (!key_state_export_keying_material(session, EXPORT_DYNAMIC_TLS_CRYPT_LABEL,
- strlen(EXPORT_DYNAMIC_TLS_CRYPT_LABEL),
- rengokeys.keys, sizeof(rengokeys.keys)))
+ strlen(EXPORT_DYNAMIC_TLS_CRYPT_LABEL), rengokeys.keys,
+ sizeof(rengokeys.keys)))
{
return false;
}
@@ -111,27 +109,23 @@ tls_session_generate_dynamic_tls_crypt_key(struct tls_session *session)
session->tls_wrap_reneg.work = alloc_buf(BUF_SIZE(&session->opt->frame));
session->tls_wrap_reneg.opt.pid_persist = NULL;
- packet_id_init(&session->tls_wrap_reneg.opt.packet_id,
- session->opt->replay_window,
- session->opt->replay_time,
- "TLS_WRAP_RENEG", session->key_id);
+ packet_id_init(&session->tls_wrap_reneg.opt.packet_id, session->opt->replay_window,
+ session->opt->replay_time, "TLS_WRAP_RENEG", session->key_id);
- if (session->tls_wrap.mode == TLS_WRAP_CRYPT
- || session->tls_wrap.mode == TLS_WRAP_AUTH)
+ if (session->tls_wrap.mode == TLS_WRAP_CRYPT || session->tls_wrap.mode == TLS_WRAP_AUTH)
{
xor_key2(&rengokeys, &session->tls_wrap.original_wrap_keydata);
}
- const int key_direction = session->opt->server ?
- KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
+ const int key_direction = session->opt->server ? KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
struct key_direction_state kds;
key_direction_state_init(&kds, key_direction);
struct key_type kt = tls_crypt_kt();
- init_key_ctx_bi(&session->tls_wrap_reneg.opt.key_ctx_bi, &rengokeys, key_direction,
- &kt, "dynamic tls-crypt");
+ init_key_ctx_bi(&session->tls_wrap_reneg.opt.key_ctx_bi, &rengokeys, key_direction, &kt,
+ "dynamic tls-crypt");
secure_memzero(&rengokeys, sizeof(rengokeys));
return true;
@@ -139,8 +133,7 @@ tls_session_generate_dynamic_tls_crypt_key(struct tls_session *session)
bool
-tls_crypt_wrap(const struct buffer *src, struct buffer *dst,
- struct crypto_options *opt)
+tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
{
const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt;
struct gc_arena gc;
@@ -149,12 +142,11 @@ tls_crypt_wrap(const struct buffer *src, struct buffer *dst,
ASSERT(ctx->cipher);
ASSERT(ctx->hmac);
ASSERT(packet_id_initialized(&opt->packet_id));
- ASSERT(hmac_ctx_size(ctx->hmac) == 256/8);
+ ASSERT(hmac_ctx_size(ctx->hmac) == 256 / 8);
gc_init(&gc);
- dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP FROM: %s",
- format_hex(BPTR(src), BLEN(src), 80, &gc));
+ dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP FROM: %s", format_hex(BPTR(src), BLEN(src), 80, &gc));
/* Get packet ID */
if (!packet_id_write(&opt->packet_id.send, dst, true, false))
@@ -163,15 +155,15 @@ tls_crypt_wrap(const struct buffer *src, struct buffer *dst,
goto err;
}
- dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP AD: %s",
- format_hex(BPTR(dst), BLEN(dst), 0, &gc));
+ dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP AD: %s", format_hex(BPTR(dst), BLEN(dst), 0, &gc));
/* Buffer overflow check */
if (!buf_safe(dst, BLEN(src) + TLS_CRYPT_BLOCK_SIZE + TLS_CRYPT_TAG_SIZE))
{
- msg(D_CRYPT_ERRORS, "TLS-CRYPT WRAP: buffer size error, "
- "sc=%d so=%d sl=%d dc=%d do=%d dl=%d", src->capacity, src->offset,
- src->len, dst->capacity, dst->offset, dst->len);
+ msg(D_CRYPT_ERRORS,
+ "TLS-CRYPT WRAP: buffer size error, "
+ "sc=%d so=%d sl=%d dc=%d do=%d dl=%d",
+ src->capacity, src->offset, src->len, dst->capacity, dst->offset, dst->len);
goto err;
}
@@ -195,15 +187,13 @@ tls_crypt_wrap(const struct buffer *src, struct buffer *dst,
/* Encrypt src */
{
int outlen = 0;
- ASSERT(cipher_ctx_update(ctx->cipher, BEND(dst), &outlen,
- BPTR(src), BLEN(src)));
+ ASSERT(cipher_ctx_update(ctx->cipher, BEND(dst), &outlen, BPTR(src), BLEN(src)));
ASSERT(buf_inc_len(dst, outlen));
ASSERT(cipher_ctx_final(ctx->cipher, BPTR(dst), &outlen));
ASSERT(buf_inc_len(dst, outlen));
}
- dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP TO: %s",
- format_hex(BPTR(dst), BLEN(dst), 80, &gc));
+ dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP TO: %s", format_hex(BPTR(dst), BLEN(dst), 80, &gc));
gc_free(&gc);
return true;
@@ -216,8 +206,7 @@ err:
}
bool
-tls_crypt_unwrap(const struct buffer *src, struct buffer *dst,
- struct crypto_options *opt)
+tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
{
static const char error_prefix[] = "tls-crypt unwrap error";
const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt;
@@ -228,11 +217,9 @@ tls_crypt_unwrap(const struct buffer *src, struct buffer *dst,
ASSERT(opt);
ASSERT(src->len > 0);
ASSERT(ctx->cipher);
- ASSERT(packet_id_initialized(&opt->packet_id)
- || (opt->flags & CO_IGNORE_PACKET_ID));
+ ASSERT(packet_id_initialized(&opt->packet_id) || (opt->flags & CO_IGNORE_PACKET_ID));
- dmsg(D_PACKET_CONTENT, "TLS-CRYPT UNWRAP FROM: %s",
- format_hex(BPTR(src), BLEN(src), 80, &gc));
+ dmsg(D_PACKET_CONTENT, "TLS-CRYPT UNWRAP FROM: %s", format_hex(BPTR(src), BLEN(src), 80, &gc));
if (buf_len(src) < TLS_CRYPT_OFF_CT)
{
@@ -253,8 +240,8 @@ tls_crypt_unwrap(const struct buffer *src, struct buffer *dst,
{
CRYPT_ERROR("cipher reset failed");
}
- if (!cipher_ctx_update(ctx->cipher, BPTR(dst), &outlen,
- BPTR(src) + TLS_CRYPT_OFF_CT, BLEN(src) - TLS_CRYPT_OFF_CT))
+ if (!cipher_ctx_update(ctx->cipher, BPTR(dst), &outlen, BPTR(src) + TLS_CRYPT_OFF_CT,
+ BLEN(src) - TLS_CRYPT_OFF_CT))
{
CRYPT_ERROR("cipher update failed");
}
@@ -283,10 +270,8 @@ tls_crypt_unwrap(const struct buffer *src, struct buffer *dst,
if (memcmp_constant_time(tag, tag_check, sizeof(tag_check)))
{
- dmsg(D_CRYPTO_DEBUG, "tag : %s",
- format_hex(tag, sizeof(tag_check), 0, &gc));
- dmsg(D_CRYPTO_DEBUG, "tag_check: %s",
- format_hex(tag_check, sizeof(tag_check), 0, &gc));
+ dmsg(D_CRYPTO_DEBUG, "tag : %s", format_hex(tag, sizeof(tag_check), 0, &gc));
+ dmsg(D_CRYPTO_DEBUG, "tag_check: %s", format_hex(tag_check, sizeof(tag_check), 0, &gc));
CRYPT_ERROR("packet authentication failed");
}
}
@@ -315,30 +300,24 @@ error_exit:
}
static inline void
-tls_crypt_v2_load_client_key(struct key_ctx_bi *key, const struct key2 *key2,
- bool tls_server)
+tls_crypt_v2_load_client_key(struct key_ctx_bi *key, const struct key2 *key2, bool tls_server)
{
- const int key_direction = tls_server ?
- KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
+ const int key_direction = tls_server ? KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
struct key_type kt = tls_crypt_kt();
if (!kt.cipher || !kt.digest)
{
msg(M_FATAL, "ERROR: --tls-crypt-v2 not supported");
}
- init_key_ctx_bi(key, key2, key_direction, &kt,
- "Control Channel Encryption");
+ init_key_ctx_bi(key, key2, key_direction, &kt, "Control Channel Encryption");
}
void
tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct key2 *original_key,
- struct buffer *wkc_buf, const char *key_file,
- bool key_inline)
+ struct buffer *wkc_buf, const char *key_file, bool key_inline)
{
- struct buffer client_key = alloc_buf(TLS_CRYPT_V2_CLIENT_KEY_LEN
- + TLS_CRYPT_V2_MAX_WKC_LEN);
+ struct buffer client_key = alloc_buf(TLS_CRYPT_V2_CLIENT_KEY_LEN + TLS_CRYPT_V2_MAX_WKC_LEN);
- if (!read_pem_key_file(&client_key, tls_crypt_v2_cli_pem_name,
- key_file, key_inline))
+ if (!read_pem_key_file(&client_key, tls_crypt_v2_cli_pem_name, key_file, key_inline))
{
msg(M_FATAL, "ERROR: invalid tls-crypt-v2 client key format");
}
@@ -356,15 +335,14 @@ tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct key2 *original_key,
}
void
-tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt,
- const char *key_file, bool key_inline)
+tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file,
+ bool key_inline)
{
struct key srv_key;
struct buffer srv_key_buf;
buf_set_write(&srv_key_buf, (void *)&srv_key, sizeof(srv_key));
- if (!read_pem_key_file(&srv_key_buf, tls_crypt_v2_srv_pem_name,
- key_file, key_inline))
+ if (!read_pem_key_file(&srv_key_buf, tls_crypt_v2_srv_pem_name, key_file, key_inline))
{
msg(M_FATAL, "ERROR: invalid tls-crypt-v2 server key format");
}
@@ -383,14 +361,13 @@ tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt,
}
static bool
-tls_crypt_v2_wrap_client_key(struct buffer *wkc,
- const struct key2 *src_key,
- const struct buffer *src_metadata,
- struct key_ctx *server_key, struct gc_arena *gc)
+tls_crypt_v2_wrap_client_key(struct buffer *wkc, const struct key2 *src_key,
+ const struct buffer *src_metadata, struct key_ctx *server_key,
+ struct gc_arena *gc)
{
cipher_ctx_t *cipher_ctx = server_key->cipher;
- struct buffer work = alloc_buf_gc(TLS_CRYPT_V2_MAX_WKC_LEN
- + cipher_ctx_block_size(cipher_ctx), gc);
+ struct buffer work =
+ alloc_buf_gc(TLS_CRYPT_V2_MAX_WKC_LEN + cipher_ctx_block_size(cipher_ctx), gc);
/* Calculate auth tag and synthetic IV */
uint8_t *tag = buf_write_alloc(&work, TLS_CRYPT_TAG_SIZE);
@@ -399,8 +376,8 @@ tls_crypt_v2_wrap_client_key(struct buffer *wkc,
msg(M_WARN, "ERROR: could not write tag");
return false;
}
- uint16_t net_len = htons(sizeof(src_key->keys) + BLEN(src_metadata)
- + TLS_CRYPT_V2_TAG_SIZE + sizeof(uint16_t));
+ uint16_t net_len = htons(sizeof(src_key->keys) + BLEN(src_metadata) + TLS_CRYPT_V2_TAG_SIZE
+ + sizeof(uint16_t));
hmac_ctx_t *hmac_ctx = server_key->hmac;
hmac_ctx_reset(hmac_ctx);
hmac_ctx_update(hmac_ctx, (void *)&net_len, sizeof(net_len));
@@ -408,16 +385,13 @@ tls_crypt_v2_wrap_client_key(struct buffer *wkc,
hmac_ctx_update(hmac_ctx, BPTR(src_metadata), BLEN(src_metadata));
hmac_ctx_final(hmac_ctx, tag);
- dmsg(D_CRYPTO_DEBUG, "TLS-CRYPT WRAP TAG: %s",
- format_hex(tag, TLS_CRYPT_TAG_SIZE, 0, gc));
+ dmsg(D_CRYPTO_DEBUG, "TLS-CRYPT WRAP TAG: %s", format_hex(tag, TLS_CRYPT_TAG_SIZE, 0, gc));
/* Use the 128 most significant bits of the tag as IV */
ASSERT(cipher_ctx_reset(cipher_ctx, tag));
/* Overflow check (OpenSSL requires an extra block in the dst buffer) */
- if (buf_forward_capacity(&work) < (sizeof(src_key->keys)
- + BLEN(src_metadata)
- + sizeof(net_len)
+ if (buf_forward_capacity(&work) < (sizeof(src_key->keys) + BLEN(src_metadata) + sizeof(net_len)
+ cipher_ctx_block_size(cipher_ctx)))
{
msg(M_WARN, "ERROR: could not crypt: insufficient space in dst");
@@ -426,11 +400,11 @@ tls_crypt_v2_wrap_client_key(struct buffer *wkc,
/* Encrypt */
int outlen = 0;
- ASSERT(cipher_ctx_update(cipher_ctx, BEND(&work), &outlen,
- (void *)src_key->keys, sizeof(src_key->keys)));
+ ASSERT(cipher_ctx_update(cipher_ctx, BEND(&work), &outlen, (void *)src_key->keys,
+ sizeof(src_key->keys)));
ASSERT(buf_inc_len(&work, outlen));
- ASSERT(cipher_ctx_update(cipher_ctx, BEND(&work), &outlen,
- BPTR(src_metadata), BLEN(src_metadata)));
+ ASSERT(cipher_ctx_update(cipher_ctx, BEND(&work), &outlen, BPTR(src_metadata),
+ BLEN(src_metadata)));
ASSERT(buf_inc_len(&work, outlen));
ASSERT(cipher_ctx_final(cipher_ctx, BEND(&work), &outlen));
ASSERT(buf_inc_len(&work, outlen));
@@ -441,8 +415,7 @@ tls_crypt_v2_wrap_client_key(struct buffer *wkc,
static bool
tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata,
- struct buffer wrapped_client_key,
- struct key_ctx *server_key)
+ struct buffer wrapped_client_key, struct key_ctx *server_key)
{
const char *error_prefix = __func__;
bool ret = false;
@@ -454,9 +427,8 @@ tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata,
struct buffer plaintext = { 0 };
dmsg(D_TLS_DEBUG_MED, "%s: unwrapping client key (len=%d): %s", __func__,
- BLEN(&wrapped_client_key), format_hex(BPTR(&wrapped_client_key),
- BLEN(&wrapped_client_key),
- 0, &gc));
+ BLEN(&wrapped_client_key),
+ format_hex(BPTR(&wrapped_client_key), BLEN(&wrapped_client_key), 0, &gc));
if (TLS_CRYPT_V2_MAX_WKC_LEN < BLEN(&wrapped_client_key))
{
@@ -471,13 +443,12 @@ tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata,
{
CRYPT_ERROR("failed to read length");
}
- memcpy(&net_len, BEND(&wrapped_client_key) - sizeof(net_len),
- sizeof(net_len));
+ memcpy(&net_len, BEND(&wrapped_client_key) - sizeof(net_len), sizeof(net_len));
if (ntohs(net_len) != BLEN(&wrapped_client_key))
{
- dmsg(D_TLS_DEBUG_LOW, "%s: net_len=%u, BLEN=%i", __func__,
- ntohs(net_len), BLEN(&wrapped_client_key));
+ dmsg(D_TLS_DEBUG_LOW, "%s: net_len=%u, BLEN=%i", __func__, ntohs(net_len),
+ BLEN(&wrapped_client_key));
CRYPT_ERROR("invalid length");
}
@@ -494,8 +465,7 @@ tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata,
}
buf_set_write(&plaintext, plaintext_buf_data, sizeof(plaintext_buf_data));
int outlen = 0;
- if (!cipher_ctx_update(server_key->cipher, BPTR(&plaintext), &outlen,
- BPTR(&wrapped_client_key),
+ if (!cipher_ctx_update(server_key->cipher, BPTR(&plaintext), &outlen, BPTR(&wrapped_client_key),
BLEN(&wrapped_client_key)))
{
CRYPT_ERROR("could not decrypt client key");
@@ -512,19 +482,16 @@ tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata,
uint8_t tag_check[TLS_CRYPT_TAG_SIZE] = { 0 };
hmac_ctx_reset(server_key->hmac);
hmac_ctx_update(server_key->hmac, (void *)&net_len, sizeof(net_len));
- hmac_ctx_update(server_key->hmac, BPTR(&plaintext),
- BLEN(&plaintext));
+ hmac_ctx_update(server_key->hmac, BPTR(&plaintext), BLEN(&plaintext));
hmac_ctx_final(server_key->hmac, tag_check);
if (memcmp_constant_time(tag, tag_check, sizeof(tag_check)))
{
- dmsg(D_CRYPTO_DEBUG, "tag : %s",
- format_hex(tag, sizeof(tag_check), 0, &gc));
- dmsg(D_CRYPTO_DEBUG, "tag_check: %s",
- format_hex(tag_check, sizeof(tag_check), 0, &gc));
+ dmsg(D_CRYPTO_DEBUG, "tag : %s", format_hex(tag, sizeof(tag_check), 0, &gc));
+ dmsg(D_CRYPTO_DEBUG, "tag_check: %s", format_hex(tag_check, sizeof(tag_check), 0, &gc));
CRYPT_ERROR("client key authentication error");
msg(D_TLS_DEBUG_LOW, "This might be a client-key that was generated for "
- "a different tls-crypt-v2 server key)");
+ "a different tls-crypt-v2 server key)");
}
if (buf_len(&plaintext) < sizeof(client_key->keys))
@@ -552,8 +519,7 @@ error_exit:
}
static bool
-tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx,
- const struct tls_options *opt)
+tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx, const struct tls_options *opt)
{
bool ret = false;
struct gc_arena gc = gc_new();
@@ -566,8 +532,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx,
goto cleanup;
}
- tmp_file = platform_create_temp_file(opt->tmp_dir, "tls_crypt_v2_metadata_",
- &gc);
+ tmp_file = platform_create_temp_file(opt->tmp_dir, "tls_crypt_v2_metadata_", &gc);
if (!tmp_file || !buffer_write_file(tmp_file, &metadata))
{
msg(M_WARN, "ERROR: could not write metadata to file");
@@ -575,8 +540,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx,
}
char metadata_type_str[4] = { 0 }; /* Max value: 255 */
- snprintf(metadata_type_str, sizeof(metadata_type_str),
- "%i", (uint8_t) metadata_type);
+ snprintf(metadata_type_str, sizeof(metadata_type_str), "%i", (uint8_t)metadata_type);
struct env_set *es = env_set_create(NULL);
setenv_str(es, "script_type", "tls-crypt-v2-verify");
setenv_str(es, "metadata_type", metadata_type_str);
@@ -611,15 +575,12 @@ cleanup:
}
bool
-tls_crypt_v2_extract_client_key(struct buffer *buf,
- struct tls_wrap_ctx *ctx,
- const struct tls_options *opt,
- bool initial_packet)
+tls_crypt_v2_extract_client_key(struct buffer *buf, struct tls_wrap_ctx *ctx,
+ const struct tls_options *opt, bool initial_packet)
{
if (!ctx->tls_crypt_v2_server_key.cipher)
{
- msg(D_TLS_ERRORS,
- "Client wants tls-crypt-v2, but no server key present.");
+ msg(D_TLS_ERRORS, "Client wants tls-crypt-v2, but no server key present.");
return false;
}
@@ -633,8 +594,7 @@ tls_crypt_v2_extract_client_key(struct buffer *buf,
msg(D_TLS_ERRORS, "Can not read tls-crypt-v2 client key length");
return false;
}
- memcpy(&net_len, BEND(&wrapped_client_key) - sizeof(net_len),
- sizeof(net_len));
+ memcpy(&net_len, BEND(&wrapped_client_key) - sizeof(net_len), sizeof(net_len));
uint16_t wkc_len = ntohs(net_len);
if (!buf_advance(&wrapped_client_key, BLEN(&wrapped_client_key) - wkc_len))
@@ -657,7 +617,7 @@ tls_crypt_v2_extract_client_key(struct buffer *buf,
* basically transforming the CONTROL_WKC_V1 into a normal CONTROL_V1
* packet*/
msg(D_TLS_ERRORS, "control channel security already setup ignoring "
- "wrapped key part of packet.");
+ "wrapped key part of packet.");
/* Remove client key from buffer so tls-crypt code can unwrap message */
ASSERT(buf_inc_len(buf, -(BLEN(&wrapped_client_key))));
@@ -665,10 +625,8 @@ tls_crypt_v2_extract_client_key(struct buffer *buf,
}
ctx->tls_crypt_v2_metadata = alloc_buf(TLS_CRYPT_V2_MAX_METADATA_LEN);
- if (!tls_crypt_v2_unwrap_client_key(&ctx->original_wrap_keydata,
- &ctx->tls_crypt_v2_metadata,
- wrapped_client_key,
- &ctx->tls_crypt_v2_server_key))
+ if (!tls_crypt_v2_unwrap_client_key(&ctx->original_wrap_keydata, &ctx->tls_crypt_v2_metadata,
+ wrapped_client_key, &ctx->tls_crypt_v2_server_key))
{
msg(D_TLS_ERRORS, "Can not unwrap tls-crypt-v2 client key");
secure_memzero(&ctx->original_wrap_keydata, sizeof(ctx->original_wrap_keydata));
@@ -680,8 +638,7 @@ tls_crypt_v2_extract_client_key(struct buffer *buf,
ctx->cleanup_key_ctx = true;
ctx->opt.flags |= CO_PACKET_ID_LONG_FORM;
memset(&ctx->opt.key_ctx_bi, 0, sizeof(ctx->opt.key_ctx_bi));
- tls_crypt_v2_load_client_key(&ctx->opt.key_ctx_bi,
- &ctx->original_wrap_keydata, true);
+ tls_crypt_v2_load_client_key(&ctx->opt.key_ctx_bi, &ctx->original_wrap_keydata, true);
/* Remove client key from buffer so tls-crypt code can unwrap message */
ASSERT(buf_inc_len(buf, -(BLEN(&wrapped_client_key))));
@@ -701,16 +658,13 @@ tls_crypt_v2_write_server_key_file(const char *filename)
}
void
-tls_crypt_v2_write_client_key_file(const char *filename,
- const char *b64_metadata,
- const char *server_key_file,
- bool server_key_inline)
+tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata,
+ const char *server_key_file, bool server_key_inline)
{
struct gc_arena gc = gc_new();
struct key_ctx server_key = { 0 };
struct buffer client_key_pem = { 0 };
- struct buffer dst = alloc_buf_gc(TLS_CRYPT_V2_CLIENT_KEY_LEN
- + TLS_CRYPT_V2_MAX_WKC_LEN, &gc);
+ struct buffer dst = alloc_buf_gc(TLS_CRYPT_V2_CLIENT_KEY_LEN + TLS_CRYPT_V2_MAX_WKC_LEN, &gc);
struct key2 client_key = { .n = 2 };
if (!rand_bytes((void *)client_key.keys, sizeof(client_key.keys)))
@@ -726,8 +680,7 @@ tls_crypt_v2_write_client_key_file(const char *filename,
size_t b64_length = strlen(b64_metadata);
metadata = alloc_buf_gc(OPENVPN_BASE64_DECODED_LENGTH(b64_length) + 1, &gc);
ASSERT(buf_write(&metadata, &TLS_CRYPT_METADATA_TYPE_USER, 1));
- int decoded_len = openvpn_base64_decode(b64_metadata, BEND(&metadata),
- BCAP(&metadata));
+ int decoded_len = openvpn_base64_decode(b64_metadata, BEND(&metadata), BCAP(&metadata));
if (decoded_len < 0)
{
msg(M_FATAL, "ERROR: failed to base64 decode provided metadata");
@@ -735,9 +688,8 @@ tls_crypt_v2_write_client_key_file(const char *filename,
}
if (decoded_len > TLS_CRYPT_V2_MAX_METADATA_LEN - 1)
{
- msg(M_FATAL,
- "ERROR: metadata too long (%d bytes, max %u bytes)",
- decoded_len, TLS_CRYPT_V2_MAX_METADATA_LEN - 1);
+ msg(M_FATAL, "ERROR: metadata too long (%d bytes, max %u bytes)", decoded_len,
+ TLS_CRYPT_V2_MAX_METADATA_LEN - 1);
goto cleanup;
}
ASSERT(buf_inc_len(&metadata, decoded_len));
@@ -750,18 +702,15 @@ tls_crypt_v2_write_client_key_file(const char *filename,
ASSERT(buf_write(&metadata, ×tamp, sizeof(timestamp)));
}
- tls_crypt_v2_init_server_key(&server_key, true, server_key_file,
- server_key_inline);
- if (!tls_crypt_v2_wrap_client_key(&dst, &client_key, &metadata, &server_key,
- &gc))
+ tls_crypt_v2_init_server_key(&server_key, true, server_key_file, server_key_inline);
+ if (!tls_crypt_v2_wrap_client_key(&dst, &client_key, &metadata, &server_key, &gc))
{
msg(M_FATAL, "ERROR: could not wrap generated client key");
goto cleanup;
}
/* PEM-encode Kc || WKc */
- if (!crypto_pem_encode(tls_crypt_v2_cli_pem_name, &client_key_pem, &dst,
- &gc))
+ if (!crypto_pem_encode(tls_crypt_v2_cli_pem_name, &client_key_pem, &dst, &gc))
{
msg(M_FATAL, "ERROR: could not PEM-encode client key");
goto cleanup;
@@ -787,17 +736,15 @@ tls_crypt_v2_write_client_key_file(const char *filename,
struct buffer test_wrapped_client_key;
struct key2 keydata;
msg(D_GENKEY, "Testing client-side key loading...");
- tls_crypt_v2_init_client_key(&test_client_key, &keydata, &test_wrapped_client_key,
- client_file, client_inline);
+ tls_crypt_v2_init_client_key(&test_client_key, &keydata, &test_wrapped_client_key, client_file,
+ client_inline);
free_key_ctx_bi(&test_client_key);
/* Sanity check: unwrap and load client key (as "server") */
- struct buffer test_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN,
- &gc);
+ struct buffer test_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN, &gc);
struct key2 test_client_key2 = { 0 };
free_key_ctx(&server_key);
- tls_crypt_v2_init_server_key(&server_key, false, server_key_file,
- server_key_inline);
+ tls_crypt_v2_init_server_key(&server_key, false, server_key_file, server_key_inline);
msg(D_GENKEY, "Testing server-side key loading...");
ASSERT(tls_crypt_v2_unwrap_client_key(&test_client_key2, &test_metadata,
test_wrapped_client_key, &server_key));
diff --git a/src/openvpn/tls_crypt.h b/src/openvpn/tls_crypt.h
index c8bd3841d..87aa8d22a 100644
--- a/src/openvpn/tls_crypt.h
+++ b/src/openvpn/tls_crypt.h
@@ -85,21 +85,21 @@
#include "session_id.h"
#include "ssl_common.h"
-#define TLS_CRYPT_TAG_SIZE (256/8)
-#define TLS_CRYPT_PID_SIZE (sizeof(packet_id_type) + sizeof(net_time_t))
-#define TLS_CRYPT_BLOCK_SIZE (128/8)
+#define TLS_CRYPT_TAG_SIZE (256 / 8)
+#define TLS_CRYPT_PID_SIZE (sizeof(packet_id_type) + sizeof(net_time_t))
+#define TLS_CRYPT_BLOCK_SIZE (128 / 8)
#define TLS_CRYPT_OFF_PID (1 + SID_SIZE)
#define TLS_CRYPT_OFF_TAG (TLS_CRYPT_OFF_PID + TLS_CRYPT_PID_SIZE)
-#define TLS_CRYPT_OFF_CT (TLS_CRYPT_OFF_TAG + TLS_CRYPT_TAG_SIZE)
+#define TLS_CRYPT_OFF_CT (TLS_CRYPT_OFF_TAG + TLS_CRYPT_TAG_SIZE)
-#define TLS_CRYPT_V2_MAX_WKC_LEN (1024)
+#define TLS_CRYPT_V2_MAX_WKC_LEN (1024)
#define TLS_CRYPT_V2_CLIENT_KEY_LEN (2048 / 8)
#define TLS_CRYPT_V2_SERVER_KEY_LEN (sizeof(struct key))
-#define TLS_CRYPT_V2_TAG_SIZE (TLS_CRYPT_TAG_SIZE)
-#define TLS_CRYPT_V2_MAX_METADATA_LEN (unsigned)(TLS_CRYPT_V2_MAX_WKC_LEN \
- - (TLS_CRYPT_V2_CLIENT_KEY_LEN + TLS_CRYPT_V2_TAG_SIZE \
- + sizeof(uint16_t)))
+#define TLS_CRYPT_V2_TAG_SIZE (TLS_CRYPT_TAG_SIZE)
+#define TLS_CRYPT_V2_MAX_METADATA_LEN \
+ (unsigned)(TLS_CRYPT_V2_MAX_WKC_LEN \
+ - (TLS_CRYPT_V2_CLIENT_KEY_LEN + TLS_CRYPT_V2_TAG_SIZE + sizeof(uint16_t)))
/**
* Initialize a key_ctx_bi structure for use with @c --tls-crypt.
@@ -112,8 +112,8 @@
* otherwise.
* @param tls_server Must be set to true is this is a TLS server instance.
*/
-void tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata,
- const char *key_file, bool key_inline, bool tls_server);
+void tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata, const char *key_file,
+ bool key_inline, bool tls_server);
/**
* Generates a TLS-Crypt key to be used with dynamic tls-crypt using the
@@ -124,8 +124,7 @@ void tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata,
* @param session session that will be used for the TLS EKM exporter
* @return true iff generating the key was successful
*/
-bool
-tls_session_generate_dynamic_tls_crypt_key(struct tls_session *session);
+bool tls_session_generate_dynamic_tls_crypt_key(struct tls_session *session);
/**
* Returns the maximum overhead (in bytes) added to the destination buffer by
@@ -144,8 +143,7 @@ int tls_crypt_buf_overhead(void);
*
* @returns true iff wrapping succeeded.
*/
-bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst,
- struct crypto_options *opt);
+bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt);
/**
* Unwrap a control channel packet (decrypts, authenticates and performs
@@ -158,8 +156,7 @@ bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst,
* @returns true iff unwrapping succeeded (data authenticated correctly and was
* no replay).
*/
-bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst,
- struct crypto_options *opt);
+bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt);
/**
* Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
@@ -173,8 +170,8 @@ bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst,
* otherwise.
*
*/
-void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt,
- const char *key_file, bool key_inline);
+void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file,
+ bool key_inline);
/**
* Initialize a tls-crypt-v2 client key.
@@ -191,10 +188,9 @@ void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt,
* @param key_inline True if key_file contains an inline key, False
* otherwise.
*/
-void tls_crypt_v2_init_client_key(struct key_ctx_bi *key,
- struct key2 *original_key,
- struct buffer *wrapped_key_buf,
- const char *key_file, bool key_inline);
+void tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct key2 *original_key,
+ struct buffer *wrapped_key_buf, const char *key_file,
+ bool key_inline);
/**
* Extract a tls-crypt-v2 client key from a P_CONTROL_HARD_RESET_CLIENT_V3
@@ -211,10 +207,8 @@ void tls_crypt_v2_init_client_key(struct key_ctx_bi *key,
*
* @returns true if a key was successfully extracted.
*/
-bool tls_crypt_v2_extract_client_key(struct buffer *buf,
- struct tls_wrap_ctx *ctx,
- const struct tls_options *opt,
- bool initial_packet);
+bool tls_crypt_v2_extract_client_key(struct buffer *buf, struct tls_wrap_ctx *ctx,
+ const struct tls_options *opt, bool initial_packet);
/**
* Generate a tls-crypt-v2 server key, and write to file.
@@ -233,8 +227,7 @@ void tls_crypt_v2_write_server_key_file(const char *filename);
* @param key_inline True if key_file contains an inline key, False
* otherwise.
*/
-void tls_crypt_v2_write_client_key_file(const char *filename,
- const char *b64_metadata,
+void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata,
const char *key_file, bool key_inline);
/** @} */
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index a96a3053d..f54b608d7 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -84,27 +84,25 @@ print_tun_backend_driver(enum tun_driver_type driver)
 #ifdef _WIN32
-const static GUID GUID_DEVCLASS_NET = { 0x4d36e972L, 0xe325, 0x11ce, { 0xbf, 0xc1, 0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18 } };
-const static GUID GUID_DEVINTERFACE_NET = { 0xcac88484, 0x7515, 0x4c03, { 0x82, 0xe6, 0x71, 0xa8, 0x7a, 0xba, 0xc3, 0x61 } };
+const static GUID GUID_DEVCLASS_NET = {
+ 0x4d36e972L, 0xe325, 0x11ce, { 0xbf, 0xc1, 0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18 }
+};
+const static GUID GUID_DEVINTERFACE_NET = {
+ 0xcac88484, 0x7515, 0x4c03, { 0x82, 0xe6, 0x71, 0xa8, 0x7a, 0xba, 0xc3, 0x61 }
+};
-/* #define SIMULATE_DHCP_FAILED */ /* simulate bad DHCP negotiation */
+/* #define SIMULATE_DHCP_FAILED */ /* simulate bad DHCP negotiation */
-#define NI_TEST_FIRST (1<<0)
-#define NI_IP_NETMASK (1<<1)
-#define NI_OPTIONS (1<<2)
+#define NI_TEST_FIRST (1 << 0)
+#define NI_IP_NETMASK (1 << 1)
+#define NI_OPTIONS (1 << 2)
-static void netsh_ifconfig(const struct tuntap_options *to,
- DWORD adapter_index,
- const in_addr_t ip,
- const in_addr_t netmask,
- const unsigned int flags);
+static void netsh_ifconfig(const struct tuntap_options *to, DWORD adapter_index, const in_addr_t ip,
+ const in_addr_t netmask, const unsigned int flags);
-static void windows_set_mtu(const int iface_index,
- const short family,
- const int mtu);
+static void windows_set_mtu(const int iface_index, const short family, const int mtu);
-static void netsh_set_dns6_servers(const struct in6_addr *addr_list,
- const int addr_len,
+static void netsh_set_dns6_servers(const struct in6_addr *addr_list, const int addr_len,
 DWORD adapter_index);
 static void netsh_command(const struct argv *a, int n, int msglevel);
@@ -121,15 +119,10 @@ do_address_service(const bool add, const short family, const struct tuntap *tt)
 struct gc_arena gc = gc_new();
 HANDLE pipe = tt->options.msg_channel;
- address_message_t addr = {
- .header = {
- (add ? msg_add_address : msg_del_address),
- sizeof(address_message_t),
- 0
- },
- .family = family,
- .iface = { .index = tt->adapter_index, .name = "" }
- };
+ address_message_t addr = { .header = { (add ? msg_add_address : msg_del_address),
+ sizeof(address_message_t), 0 },
+ .family = family,
+ .iface = { .index = tt->adapter_index, .name = "" } };
 if (addr.iface.index == TUN_ADAPTER_INDEX_INVALID)
 {
@@ -141,16 +134,14 @@ do_address_service(const bool add, const short family, const struct tuntap *tt)
 {
 addr.address.ipv4.s_addr = htonl(tt->local);
 addr.prefix_len = netmask_to_netbits2(tt->adapter_netmask);
- msg(D_IFCONFIG, "INET address service: %s %s/%d",
- add ? "add" : "remove",
+ msg(D_IFCONFIG, "INET address service: %s %s/%d", add ? "add" : "remove",
 print_in_addr_t(tt->local, 0, &gc), addr.prefix_len);
 }
 else
 {
 addr.address.ipv6 = tt->local_ipv6;
 addr.prefix_len = (tt->type == DEV_TYPE_TUN) ? 128 : tt->netbits_ipv6;
- msg(D_IFCONFIG, "INET6 address service: %s %s/%d",
- add ? "add" : "remove",
+ msg(D_IFCONFIG, "INET6 address service: %s %s/%d", add ? "add" : "remove",
 print_in6_addr(tt->local_ipv6, 0, &gc), addr.prefix_len);
 }
@@ -162,8 +153,8 @@ do_address_service(const bool add, const short family, const struct tuntap *tt)
 if (ack.error_number != NO_ERROR)
 {
 msg(M_WARN, "TUN: %s address failed using service: %s [status=%u if_index=%d]",
- (add ? "adding" : "deleting"), strerror_win32(ack.error_number, &gc),
- ack.error_number, addr.iface.index);
+ (add ? "adding" : "deleting"), strerror_win32(ack.error_number, &gc), ack.error_number,
+ addr.iface.index);
 goto out;
 }
@@ -189,15 +180,11 @@ do_dns_domain_service(bool add, const struct tuntap *tt)
 /* Use dns_cfg_msg with addr_len = 0 for setting only the DOMAIN */
 dns_cfg_message_t dns = {
- .header = {
- (add ? msg_add_dns_cfg : msg_del_dns_cfg),
- sizeof(dns_cfg_message_t),
- 0
- },
+ .header = { (add ? msg_add_dns_cfg : msg_del_dns_cfg), sizeof(dns_cfg_message_t), 0 },
 .iface = { .index = tt->adapter_index, .name = "" },
- .domains = "", /* set below */
- .family = AF_INET, /* unused */
- .addr_len = 0 /* add/delete only the domain, not DNS servers */
+ .domains = "", /* set below */
+ .family = AF_INET, /* unused */
+ .addr_len = 0 /* add/delete only the domain, not DNS servers */
 };
 /* interface name is required */
@@ -237,8 +224,8 @@ do_dns_domain_service(bool add, const struct tuntap *tt)
 if (ack.error_number != NO_ERROR)
 {
 msg(M_WARN, "TUN: %s DNS domains failed using service: %s [status=%u if_name=%s]",
- (add ? "adding" : "deleting"), strerror_win32(ack.error_number, &gc),
- ack.error_number, dns.iface.name);
+ (add ? "adding" : "deleting"), strerror_win32(ack.error_number, &gc), ack.error_number,
+ dns.iface.name);
 goto out;
 }
@@ -265,17 +252,12 @@ do_dns_service(bool add, const short family, const struct tuntap *tt)
 }
 /* Use dns_cfg_msg with domain = "" for setting only the DNS servers */
- dns_cfg_message_t dns = {
- .header = {
- (add ? msg_add_dns_cfg : msg_del_dns_cfg),
- sizeof(dns_cfg_message_t),
- 0
- },
- .iface = { .index = tt->adapter_index, .name = "" },
- .domains = "",
- .family = family,
- .addr_len = addr_len
- };
+ dns_cfg_message_t dns = { .header = { (add ? msg_add_dns_cfg : msg_del_dns_cfg),
+ sizeof(dns_cfg_message_t), 0 },
+ .iface = { .index = tt->adapter_index, .name = "" },
+ .domains = "",
+ .family = family,
+ .addr_len = addr_len };
 /* interface name is required */
 strncpy(dns.iface.name, tt->actual_name, sizeof(dns.iface.name));
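Review bot: `strncpy(dns.iface.name, tt->actual_name, sizeof(dns.iface.name));` at the end of the do_dns_service hunk (and the matching `strncpy(wins.iface.name, ...)` in the do_wins_service hunk that follows) leaves iface.name without a NUL terminator whenever actual_name fills the whole field, while do_set_mtu_service builds the same kind of message with `strncpynt(mtu_msg.iface.name, tt->actual_name, sizeof(mtu_msg.iface.name));`. Whether the service side tolerates an unterminated name depends on how it parses the message, which is not visible here, so the safe and consistent choice is to use strncpynt for all three copies. This is pre-existing code untouched by the reformat, so it belongs in a follow-up rather than this commit. Both do_dns_service and do_wins_service continue past their hunks.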
@@ -285,8 +267,8 @@ do_dns_service(bool add, const short family, const struct tuntap *tt)
 {
 addr_len = _countof(dns.addr);
 dns.addr_len = addr_len;
- msg(M_WARN, "Number of %s DNS addresses sent to service truncated to %d",
- ip_proto_name, addr_len);
+ msg(M_WARN, "Number of %s DNS addresses sent to service truncated to %d", ip_proto_name,
+ addr_len);
 }
 for (int i = 0; i < addr_len; ++i)
@@ -337,15 +319,10 @@ do_wins_service(bool add, const struct tuntap *tt)
 goto out;
 }
- wins_cfg_message_t wins = {
- .header = {
- (add ? msg_add_wins_cfg : msg_del_wins_cfg),
- sizeof(wins_cfg_message_t),
- 0
- },
- .iface = {.index = tt->adapter_index, .name = "" },
- .addr_len = addr_len
- };
+ wins_cfg_message_t wins = { .header = { (add ? msg_add_wins_cfg : msg_del_wins_cfg),
+ sizeof(wins_cfg_message_t), 0 },
+ .iface = { .index = tt->adapter_index, .name = "" },
+ .addr_len = addr_len };
 /* interface name is required */
 strncpy(wins.iface.name, tt->actual_name, sizeof(wins.iface.name));
@@ -355,8 +332,7 @@ do_wins_service(bool add, const struct tuntap *tt)
 {
 addr_len = _countof(wins.addr);
 wins.addr_len = addr_len;
- msg(M_WARN, "Number of WINS addresses sent to service truncated to %d",
- addr_len);
+ msg(M_WARN, "Number of WINS addresses sent to service truncated to %d", addr_len);
 }
 for (int i = 0; i < addr_len; ++i)
@@ -375,8 +351,8 @@ do_wins_service(bool add, const struct tuntap *tt)
 if (ack.error_number != NO_ERROR)
 {
 msg(M_WARN, "TUN: %s WINS failed using service: %s [status=%u if_name=%s]",
- (add ? "adding" : "deleting"), strerror_win32(ack.error_number, &gc),
- ack.error_number, wins.iface.name);
+ (add ? "adding" : "deleting"), strerror_win32(ack.error_number, &gc), ack.error_number,
+ wins.iface.name);
 goto out;
 }
@@ -394,20 +370,15 @@ do_set_mtu_service(const struct tuntap *tt, const short family, const int mtu)
 struct gc_arena gc = gc_new();
 HANDLE pipe = tt->options.msg_channel;
 const char *family_name = (family == AF_INET6) ? "IPv6" : "IPv4";
- set_mtu_message_t mtu_msg = {
- .header = {
- msg_set_mtu,
- sizeof(set_mtu_message_t),
- 0
- },
- .iface = {.index = tt->adapter_index},
- .mtu = mtu,
- .family = family
- };
+ set_mtu_message_t mtu_msg = { .header = { msg_set_mtu, sizeof(set_mtu_message_t), 0 },
+ .iface = { .index = tt->adapter_index },
+ .mtu = mtu,
+ .family = family };
 strncpynt(mtu_msg.iface.name, tt->actual_name, sizeof(mtu_msg.iface.name));
 if (family == AF_INET6 && mtu < 1280)
 {
- msg(M_INFO, "NOTE: IPv6 interface MTU < 1280 conflicts with IETF standards and might not work");
+ msg(M_INFO,
+ "NOTE: IPv6 interface MTU < 1280 conflicts with IETF standards and might not work");
 }
 if (!send_msg_iservice(pipe, &mtu_msg, sizeof(mtu_msg), &ack, "Set_mtu"))
@@ -418,11 +389,13 @@ do_set_mtu_service(const struct tuntap *tt, const short family, const int mtu)
 if (ack.error_number != NO_ERROR)
 {
 msg(M_NONFATAL, "TUN: setting %s mtu using service failed: %s [status=%u if_index=%d]",
- family_name, strerror_win32(ack.error_number, &gc), ack.error_number, mtu_msg.iface.index);
+ family_name, strerror_win32(ack.error_number, &gc), ack.error_number,
+ mtu_msg.iface.index);
 }
 else
 {
- msg(M_INFO, "%s MTU set to %d on interface %d using service", family_name, mtu, mtu_msg.iface.index);
+ msg(M_INFO, "%s MTU set to %d on interface %d using service", family_name, mtu,
+ mtu_msg.iface.index);
 ret = true;
 }
@@ -441,7 +414,8 @@ do_dns_domain_wmic(bool add, const struct tuntap *tt)
 struct argv argv = argv_new();
 argv_printf(&argv, "%s%s nicconfig where (InterfaceIndex=%ld) call SetDNSDomain '%s'",
- get_win_sys_path(), WMIC_PATH_SUFFIX, tt->adapter_index, add ? tt->options.domain : "");
+ get_win_sys_path(), WMIC_PATH_SUFFIX, tt->adapter_index,
+ add ? tt->options.domain : "");
 exec_command("WMIC", &argv, 1, M_WARN);
 argv_free(&argv);
@@ -479,12 +453,7 @@ do_create_adapter_service(HANDLE msg_channel, enum tun_driver_type driver_type)
 }
 create_adapter_message_t msg = {
- .header = {
- msg_create_adapter,
- sizeof(create_adapter_message_t),
- 0
- },
- .adapter_type = t
+ .header = { msg_create_adapter, sizeof(create_adapter_message_t), 0 }, .adapter_type = t
 };
 if (!send_msg_iservice(msg_channel, &msg, sizeof(msg), &ack, "create_adapter"))
@@ -495,7 +464,8 @@ do_create_adapter_service(HANDLE msg_channel, enum tun_driver_type driver_type)
 if (ack.error_number != NO_ERROR)
 {
 msg(M_NONFATAL, "TUN: creating %s adapter using service failed: %s [status=%u]",
- print_tun_backend_driver(driver_type), strerror_win32(ack.error_number, &gc), ack.error_number);
+ print_tun_backend_driver(driver_type), strerror_win32(ack.error_number, &gc),
+ ack.error_number);
 }
 else
 {
@@ -511,7 +481,8 @@ out:
 #endif /* ifdef _WIN32 */
 #ifdef TARGET_SOLARIS
-static void solaris_error_close(struct tuntap *tt, const struct env_set *es, const char *actual, bool unplumb_inet6);
+static void solaris_error_close(struct tuntap *tt, const struct env_set *es, const char *actual,
+ bool unplumb_inet6);
 #include
 #endif
@@ -582,10 +553,7 @@ dev_type_string(const char *dev, const char *dev_type)
 * before the device is actually opened.
 */
 const char *
-guess_tuntap_dev(const char *dev,
- const char *dev_type,
- const char *dev_node,
- struct gc_arena *gc)
+guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
 {
 #ifdef _WIN32
 const int dt = dev_type_enum(dev, dev_type);
@@ -619,16 +587,17 @@ ifconfig_sanity_check(bool tun_p2p, in_addr_t addr)
 {
 if (looks_like_netmask)
 {
- msg(M_WARN, "WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (%s) that looks more like a netmask. %s",
- print_in_addr_t(addr, 0, &gc),
- ifconfig_warn_how_to_silence);
+ msg(M_WARN,
+ "WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (%s) that looks more like a netmask. %s",
+ print_in_addr_t(addr, 0, &gc), ifconfig_warn_how_to_silence);
 }
 }
 else
 {
 if (!looks_like_netmask)
 {
- msg(M_WARN, "WARNING: Since you are using subnet topology, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. %s",
+ msg(M_WARN,
+ "WARNING: Since you are using subnet topology, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. %s",
 ifconfig_warn_how_to_silence);
 }
 }
@@ -640,10 +609,7 @@ ifconfig_sanity_check(bool tun_p2p, in_addr_t addr)
 * clash with ifconfig addresses or subnet.
 */
 static void
-check_addr_clash(const char *name,
- int type,
- in_addr_t public,
- in_addr_t local,
+check_addr_clash(const char *name, int type, in_addr_t public, in_addr_t local,
 in_addr_t remote_netmask)
 {
 struct gc_arena gc = gc_new();
@@ -660,7 +626,7 @@ check_addr_clash(const char *name,
 if (type == DEV_TYPE_TUN)
 {
 const in_addr_t test_netmask = 0xFFFFFF00;
- const in_addr_t public_net = public &test_netmask;
+ const in_addr_t public_net = public & test_netmask;
 const in_addr_t local_net = local & test_netmask;
 const in_addr_t remote_net = remote_netmask & test_netmask;
@@ -668,37 +634,28 @@ check_addr_clash(const char *name,
 {
 msg(M_WARN,
 "WARNING: --%s address [%s] conflicts with --ifconfig address pair [%s, %s]. %s",
- name,
- print_in_addr_t(public, 0, &gc),
- print_in_addr_t(local, 0, &gc),
- print_in_addr_t(remote_netmask, 0, &gc),
- ifconfig_warn_how_to_silence);
+ name, print_in_addr_t(public, 0, &gc), print_in_addr_t(local, 0, &gc),
+ print_in_addr_t(remote_netmask, 0, &gc), ifconfig_warn_how_to_silence);
 }
 if (public_net == local_net || public_net == remote_net)
 {
 msg(M_WARN,
 "WARNING: potential conflict between --%s address [%s] and --ifconfig address pair [%s, %s] -- this is a warning only that is triggered when local/remote addresses exist within the same /24 subnet as --ifconfig endpoints. %s",
- name,
- print_in_addr_t(public, 0, &gc),
- print_in_addr_t(local, 0, &gc),
- print_in_addr_t(remote_netmask, 0, &gc),
- ifconfig_warn_how_to_silence);
+ name, print_in_addr_t(public, 0, &gc), print_in_addr_t(local, 0, &gc),
+ print_in_addr_t(remote_netmask, 0, &gc), ifconfig_warn_how_to_silence);
 }
 }
 else if (type == DEV_TYPE_TAP)
 {
- const in_addr_t public_network = public &remote_netmask;
+ const in_addr_t public_network = public & remote_netmask;
 const in_addr_t virtual_network = local & remote_netmask;
 if (public_network == virtual_network)
 {
 msg(M_WARN,
 "WARNING: --%s address [%s] conflicts with --ifconfig subnet [%s, %s] -- local and remote addresses cannot be inside of the --ifconfig subnet. %s",
- name,
- print_in_addr_t(public, 0, &gc),
- print_in_addr_t(local, 0, &gc),
- print_in_addr_t(remote_netmask, 0, &gc),
- ifconfig_warn_how_to_silence);
+ name, print_in_addr_t(public, 0, &gc), print_in_addr_t(local, 0, &gc),
+ print_in_addr_t(remote_netmask, 0, &gc), ifconfig_warn_how_to_silence);
 }
 }
 }
@@ -710,7 +667,7 @@ warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
 {
 struct gc_arena gc = gc_new();
 struct route_gateway_info rgi;
- const unsigned int needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED);
+ const unsigned int needed = (RGI_ADDR_DEFINED | RGI_NETMASK_DEFINED);
 get_default_gateway(&rgi, 0, ctx);
 if ((rgi.flags & needed) == needed)
@@ -718,7 +675,8 @@ warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
 const in_addr_t lan_network = rgi.gateway.addr & rgi.gateway.netmask;
 if (lan_network == 0xC0A80000 || lan_network == 0xC0A80100)
 {
- msg(M_WARN, "NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.");
+ msg(M_WARN,
+ "NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.");
 }
 }
 gc_free(&gc);
@@ -736,8 +694,7 @@ ifconfig_options_string(const struct tuntap *tt, bool remote, bool disable, stru
 {
 if (!is_tun_p2p(tt))
 {
- buf_printf(&out, "%s %s",
- print_in_addr_t(tt->local & tt->remote_netmask, 0, gc),
+ buf_printf(&out, "%s %s", print_in_addr_t(tt->local & tt->remote_netmask, 0, gc),
 print_in_addr_t(tt->remote_netmask, 0, gc));
 }
 else if (tt->type == DEV_TYPE_TUN) /* tun p2p topology */
@@ -774,20 +731,16 @@ tun_stat(const struct tuntap *tt, unsigned int rwflags, struct gc_arena *gc)
 {
 if (rwflags & EVENT_READ)
 {
- buf_printf(&out, "T%s",
- (tt->rwflags_debug & EVENT_READ) ? "R" : "r");
+ buf_printf(&out, "T%s", (tt->rwflags_debug & EVENT_READ) ? "R" : "r");
 #ifdef _WIN32
- buf_printf(&out, "%s",
- overlapped_io_state_ascii(&tt->reads));
+ buf_printf(&out, "%s", overlapped_io_state_ascii(&tt->reads));
 #endif
 }
 if (rwflags & EVENT_WRITE)
 {
- buf_printf(&out, "T%s",
- (tt->rwflags_debug & EVENT_WRITE) ? "W" : "w");
+ buf_printf(&out, "T%s", (tt->rwflags_debug & EVENT_WRITE) ? "W" : "w");
 #ifdef _WIN32
- buf_printf(&out, "%s",
- overlapped_io_state_ascii(&tt->writes));
+ buf_printf(&out, "%s", overlapped_io_state_ascii(&tt->writes));
 #endif
 }
 }
@@ -806,8 +759,7 @@ is_tun_p2p(const struct tuntap *tt)
 {
 bool tun_p2p = false;
- if (tt->type == DEV_TYPE_TAP
- || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET))
+ if (tt->type == DEV_TYPE_TAP || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET))
 {
 tun_p2p = false;
 }
@@ -817,7 +769,8 @@ is_tun_p2p(const struct tuntap *tt)
 }
 else
 {
- msg(M_FATAL, "Error: problem with tun vs. tap setting"); /* JYFIXME -- needs to be caught earlier, in init_tun? */
+ msg(M_FATAL, "Error: problem with tun vs. tap setting"); /* JYFIXME -- needs to be caught
+ earlier, in init_tun? */
 }
 return tun_p2p;
 }
@@ -870,20 +823,16 @@ do_ifconfig_setenv(const struct tuntap *tt, struct env_set *es)
 * but don't execute yet.
 */
 struct tuntap *
-init_tun(const char *dev, /* --dev option */
- const char *dev_type, /* --dev-type option */
- int topology, /* one of the TOP_x values */
- const char *ifconfig_local_parm, /* --ifconfig parm 1 */
- const char *ifconfig_remote_netmask_parm, /* --ifconfig parm 2 */
- const char *ifconfig_ipv6_local_parm, /* --ifconfig parm 1 IPv6 */
+init_tun(const char *dev, /* --dev option */
+ const char *dev_type, /* --dev-type option */
+ int topology, /* one of the TOP_x values */
+ const char *ifconfig_local_parm, /* --ifconfig parm 1 */
+ const char *ifconfig_remote_netmask_parm, /* --ifconfig parm 2 */
+ const char *ifconfig_ipv6_local_parm, /* --ifconfig parm 1 IPv6 */
 int ifconfig_ipv6_netbits_parm,
- const char *ifconfig_ipv6_remote_parm, /* --ifconfig parm 2 IPv6 */
- struct addrinfo *local_public,
- struct addrinfo *remote_public,
- const bool strict_warn,
- struct env_set *es,
- openvpn_net_ctx_t *ctx,
- struct tuntap *tt)
+ const char *ifconfig_ipv6_remote_parm, /* --ifconfig parm 2 IPv6 */
+ struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn,
+ struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt)
 {
 if (!tt)
 {
@@ -905,25 +854,13 @@ init_tun(const char *dev, /* --dev option */
 * Convert arguments to binary IPv4 addresses.
 */
- tt->local = getaddr(
- GETADDR_RESOLVE
- | GETADDR_HOST_ORDER
- | GETADDR_FATAL_ON_SIGNAL
- | GETADDR_FATAL,
- ifconfig_local_parm,
- 0,
- NULL,
- NULL);
-
- tt->remote_netmask = getaddr(
- (tun_p2p ? GETADDR_RESOLVE : 0)
- | GETADDR_HOST_ORDER
- | GETADDR_FATAL_ON_SIGNAL
- | GETADDR_FATAL,
- ifconfig_remote_netmask_parm,
- 0,
- NULL,
- NULL);
+ tt->local =
+ getaddr(GETADDR_RESOLVE | GETADDR_HOST_ORDER | GETADDR_FATAL_ON_SIGNAL | GETADDR_FATAL,
+ ifconfig_local_parm, 0, NULL, NULL);
+
+ tt->remote_netmask = getaddr((tun_p2p ? GETADDR_RESOLVE : 0) | GETADDR_HOST_ORDER
+ | GETADDR_FATAL_ON_SIGNAL | GETADDR_FATAL,
+ ifconfig_remote_netmask_parm, 0, NULL, NULL);
 /*
 * Look for common errors in --ifconfig parms
@@ -942,12 +879,9 @@ init_tun(const char *dev, /* --dev option */
 {
 if (curele->ai_family == AF_INET)
 {
- const in_addr_t local = ntohl(((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr);
- check_addr_clash("local",
- tt->type,
- local,
- tt->local,
- tt->remote_netmask);
+ const in_addr_t local =
+ ntohl(((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr);
+ check_addr_clash("local", tt->type, local, tt->local, tt->remote_netmask);
 }
 }
@@ -955,12 +889,9 @@ init_tun(const char *dev, /* --dev option */
 {
 if (curele->ai_family == AF_INET)
 {
- const in_addr_t remote = ntohl(((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr);
- check_addr_clash("remote",
- tt->type,
- remote,
- tt->local,
- tt->remote_netmask);
+ const in_addr_t remote =
+ ntohl(((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr);
+ check_addr_clash("remote", tt->type, remote, tt->local, tt->remote_netmask);
 }
 }
 }
@@ -986,15 +917,15 @@ init_tun(const char *dev, /* --dev option */
 if (ifconfig_ipv6_local_parm && ifconfig_ipv6_remote_parm)
 {
-
 /*
 * Convert arguments to binary IPv6 addresses.
 */
- if (inet_pton( AF_INET6, ifconfig_ipv6_local_parm, &tt->local_ipv6 ) != 1
- || inet_pton( AF_INET6, ifconfig_ipv6_remote_parm, &tt->remote_ipv6 ) != 1)
+ if (inet_pton(AF_INET6, ifconfig_ipv6_local_parm, &tt->local_ipv6) != 1
+ || inet_pton(AF_INET6, ifconfig_ipv6_remote_parm, &tt->remote_ipv6) != 1)
 {
- msg( M_FATAL, "init_tun: problem converting IPv6 ifconfig addresses %s and %s to binary", ifconfig_ipv6_local_parm, ifconfig_ipv6_remote_parm );
+ msg(M_FATAL, "init_tun: problem converting IPv6 ifconfig addresses %s and %s to binary",
+ ifconfig_ipv6_local_parm, ifconfig_ipv6_remote_parm);
 }
 tt->netbits_ipv6 = ifconfig_ipv6_netbits_parm;
@@ -1016,9 +947,7 @@ init_tun(const char *dev, /* --dev option */
 * Platform specific tun initializations
 */
 void
-init_tun_post(struct tuntap *tt,
- const struct frame *frame,
- const struct tuntap_options *options)
+init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
 {
 tt->options = *options;
 #ifdef _WIN32
@@ -1045,8 +974,7 @@ init_tun_post(struct tuntap *tt,
 * -> helper function to simplify code below
 */
 static void
-add_route_connected_v6_net(struct tuntap *tt,
- const struct env_set *es)
+add_route_connected_v6_net(struct tuntap *tt, const struct env_set *es)
 {
 struct route_ipv6 r6;
@@ -1054,8 +982,8 @@ add_route_connected_v6_net(struct tuntap *tt,
 r6.network = tt->local_ipv6;
 r6.netbits = tt->netbits_ipv6;
 r6.gateway = tt->local_ipv6;
- r6.metric = 0; /* connected route */
- r6.flags = RT_DEFINED | RT_METRIC_DEFINED;
+ r6.metric = 0; /* connected route */
+ r6.flags = RT_DEFINED | RT_METRIC_DEFINED;
 add_route_ipv6(&r6, tt, 0, es, NULL);
 }
@@ -1068,15 +996,16 @@ delete_route_connected_v6_net(const struct tuntap *tt)
 r6.network = tt->local_ipv6;
 r6.netbits = tt->netbits_ipv6;
 r6.gateway = tt->local_ipv6;
- r6.metric = 0; /* connected route */
- r6.flags = RT_DEFINED | RT_ADDED | RT_METRIC_DEFINED;
+ r6.metric = 0; /* connected route */
+ r6.flags = RT_DEFINED | RT_ADDED | RT_METRIC_DEFINED;
 route_ipv6_clear_host_bits(&r6);
 delete_route_ipv6(&r6, tt, NULL, NULL);
 }
-#endif /* if defined(_WIN32) || defined(TARGET_DARWIN) || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD) */
+#endif /* if defined(_WIN32) || defined(TARGET_DARWIN) || defined(TARGET_NETBSD) || \
+ defined(TARGET_OPENBSD) */
-#if defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
- || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD)
+#if defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || defined(TARGET_NETBSD) \
+ || defined(TARGET_OPENBSD)
 /* we can't use true subnet mode on tun on all platforms, as that
 * conflicts with IPv6 (wants to use ND then, which we don't do),
 * but the OSes want "a remote address that is different from ours"
@@ -1087,11 +1016,11 @@ delete_route_connected_v6_net(const struct tuntap *tt)
 */
 in_addr_t
-create_arbitrary_remote( struct tuntap *tt )
+create_arbitrary_remote(struct tuntap *tt)
 {
 in_addr_t remote;
- remote = (tt->local & tt->remote_netmask) +1;
+ remote = (tt->local & tt->remote_netmask) + 1;
 if (remote == tt->local)
 {
@@ -1112,8 +1041,8 @@ create_arbitrary_remote( struct tuntap *tt )
 * @param ctx the networking API opaque context
 */
 static void
-do_ifconfig_ipv6(struct tuntap *tt, const char *ifname, int tun_mtu,
- const struct env_set *es, openvpn_net_ctx_t *ctx)
+do_ifconfig_ipv6(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es,
+ openvpn_net_ctx_t *ctx)
 {
 #if !defined(TARGET_LINUX)
 struct argv argv = argv_new();
@@ -1132,16 +1061,14 @@ do_ifconfig_ipv6(struct tuntap *tt, const char *ifname, int tun_mtu,
 msg(M_FATAL, "Linux can't bring %s up", ifname);
 }
- if (net_addr_v6_add(ctx, ifname, &tt->local_ipv6,
- tt->netbits_ipv6) < 0)
+ if (net_addr_v6_add(ctx, ifname, &tt->local_ipv6, tt->netbits_ipv6) < 0)
 {
 msg(M_FATAL, "Linux can't add IPv6 to interface %s", ifname);
 }
 #elif defined(TARGET_ANDROID)
 char out6[64];
- snprintf(out6, sizeof(out6), "%s/%d %d",
- ifconfig_ipv6_local, tt->netbits_ipv6, tun_mtu);
+ snprintf(out6, sizeof(out6), "%s/%d %d", ifconfig_ipv6_local, tt->netbits_ipv6, tun_mtu);
 management_android_control(management, "IFCONFIG6", out6);
 #elif defined(TARGET_SOLARIS)
 argv_printf(&argv, "%s %s inet6 unplumb", IFCONFIG_PATH, ifname);
@@ -1152,9 +1079,8 @@ do_ifconfig_ipv6(struct tuntap *tt, const char *ifname, int tun_mtu,
 {
 const char *ifconfig_ipv6_remote = print_in6_addr(tt->remote_ipv6, 0, &gc);
- argv_printf(&argv, "%s %s inet6 plumb %s/%d %s mtu %d up",
- IFCONFIG_PATH, ifname, ifconfig_ipv6_local,
- tt->netbits_ipv6, ifconfig_ipv6_remote, tun_mtu);
+ argv_printf(&argv, "%s %s inet6 plumb %s/%d %s mtu %d up", IFCONFIG_PATH, ifname,
+ ifconfig_ipv6_local, tt->netbits_ipv6, ifconfig_ipv6_remote, tun_mtu);
 }
 else /* tap mode */
 {
@@ -1162,8 +1088,7 @@ do_ifconfig_ipv6(struct tuntap *tt, const char *ifname, int tun_mtu,
 argv_printf(&argv, "%s %s inet6 plumb up", IFCONFIG_PATH, ifname);
 argv_msg(M_INFO, &argv);
- if (!openvpn_execve_check(&argv, es, 0,
- "Solaris ifconfig IPv6 (prepare) failed"))
+ if (!openvpn_execve_check(&argv, es, 0, "Solaris ifconfig IPv6 (prepare) failed"))
 {
 solaris_error_close(tt, es, ifname, true);
 }
@@ -1177,8 +1102,8 @@ do_ifconfig_ipv6(struct tuntap *tt, const char *ifname, int tun_mtu,
 /* static IPv6 addresses need to go to a subinterface (tap0:1)
 * and we cannot set an mtu here (must go to the "parent")
 */
- argv_printf(&argv, "%s %s inet6 addif %s/%d up", IFCONFIG_PATH,
- ifname, ifconfig_ipv6_local, tt->netbits_ipv6 );
+ argv_printf(&argv, "%s %s inet6 addif %s/%d up", IFCONFIG_PATH, ifname, ifconfig_ipv6_local,
+ tt->netbits_ipv6);
 }
 argv_msg(M_INFO, &argv);
@@ -1189,23 +1114,19 @@ do_ifconfig_ipv6(struct tuntap *tt, const char *ifname, int tun_mtu,
 if (tt->type != DEV_TYPE_TUN)
 {
- argv_printf(&argv, "%s %s inet6 mtu %d", IFCONFIG_PATH,
- ifname, tun_mtu);
+ argv_printf(&argv, "%s %s inet6 mtu %d", IFCONFIG_PATH, ifname, tun_mtu);
 argv_msg(M_INFO, &argv);
 openvpn_execve_check(&argv, es, 0, "Solaris ifconfig IPv6 mtu failed");
 }
-#elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) \
- || defined(TARGET_DARWIN) || defined(TARGET_FREEBSD) \
- || defined(TARGET_DRAGONFLY)
- argv_printf(&argv, "%s %s inet6 %s/%d mtu %d up", IFCONFIG_PATH, ifname,
- ifconfig_ipv6_local, tt->netbits_ipv6, tun_mtu);
+#elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) || defined(TARGET_DARWIN) \
+ || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
+ argv_printf(&argv, "%s %s inet6 %s/%d mtu %d up", IFCONFIG_PATH, ifname, ifconfig_ipv6_local,
+ tt->netbits_ipv6, tun_mtu);
 argv_msg(M_INFO, &argv);
- openvpn_execve_check(&argv, es, S_FATAL,
- "generic BSD ifconfig inet6 failed");
+ openvpn_execve_check(&argv, es, S_FATAL, "generic BSD ifconfig inet6 failed");
-#if defined(TARGET_FREEBSD) && __FreeBSD_version >= 1200000 \
- && __FreeBSD_version < 1300000
+#if defined(TARGET_FREEBSD) && __FreeBSD_version >= 1200000 && __FreeBSD_version < 1300000
 /* On FreeBSD 12.0-12.4, there is ipv6_activate_all_interfaces="YES"
 * in rc.conf, which is not set by default. If it is *not* set,
 * "all new interfaces that are not already up" are configured by
@@ -1224,27 +1145,26 @@ do_ifconfig_ipv6(struct tuntap *tt, const char *ifname, int tun_mtu,
 argv_printf(&argv, "%s %s inet6 -ifdisabled", IFCONFIG_PATH, ifname);
 argv_msg(M_INFO, &argv);
- openvpn_execve_check(&argv, es, S_FATAL,
- "FreeBSD BSD 'ifconfig inet6 -ifdisabled' failed");
+ openvpn_execve_check(&argv, es, S_FATAL, "FreeBSD BSD 'ifconfig inet6 -ifdisabled' failed");
 #endif
 #elif defined(TARGET_AIX)
- argv_printf(&argv, "%s %s inet6 %s/%d mtu %d up", IFCONFIG_PATH, ifname,
- ifconfig_ipv6_local, tt->netbits_ipv6, tun_mtu);
+ argv_printf(&argv, "%s %s inet6 %s/%d mtu %d up", IFCONFIG_PATH, ifname, ifconfig_ipv6_local,
+ tt->netbits_ipv6, tun_mtu);
 argv_msg(M_INFO, &argv);
 /* AIX ifconfig will complain if it can't find ODM path in env */
 es = env_set_create(NULL);
 env_set_add(es, "ODMDIR=/etc/objrepos");
- openvpn_execve_check(&argv, es, S_FATAL,
- "generic BSD ifconfig inet6 failed");
+ openvpn_execve_check(&argv, es, S_FATAL, "generic BSD ifconfig inet6 failed");
 env_set_destroy(es);
-#elif defined (_WIN32)
+#elif defined(_WIN32)
 if (tt->options.ip_win32_type == IPW32_SET_MANUAL)
 {
- msg(M_INFO, "******** NOTE: Please manually set the v6 IP of '%s' to %s (if it is not already set)",
+ msg(M_INFO,
+ "******** NOTE: Please manually set the v6 IP of '%s' to %s (if it is not already set)",
 ifname, ifconfig_ipv6_local);
 }
 else if (tt->options.msg_channel)
@@ -1275,8 +1195,8 @@ do_ifconfig_ipv6(struct tuntap *tt, const char *ifname, int tun_mtu,
 int netbits = (tt->type == DEV_TYPE_TUN) ? 128 : tt->netbits_ipv6;
 argv_printf(&argv, "%s%s interface ipv6 set address %lu %s/%d store=active",
- get_win_sys_path(), NETSH_PATH_SUFFIX, tt->adapter_index,
- ifconfig_ipv6_local, netbits);
+ get_win_sys_path(), NETSH_PATH_SUFFIX, tt->adapter_index, ifconfig_ipv6_local,
+ netbits);
 netsh_command(&argv, 4, M_FATAL);
 if (tt->type == DEV_TYPE_TUN)
 {
@@ -1291,8 +1211,9 @@ do_ifconfig_ipv6(struct tuntap *tt, const char *ifname, int tun_mtu,
 do_dns_domain_wmic(true, tt);
 }
 }
-#else /* platforms we have no IPv6 code for */
- msg(M_FATAL, "Sorry, but I don't know how to do IPv6 'ifconfig' commands on this operating system. You should ifconfig your TUN/TAP device manually or use an --up script.");
+#else /* platforms we have no IPv6 code for */
+ msg(M_FATAL,
+ "Sorry, but I don't know how to do IPv6 'ifconfig' commands on this operating system. You should ifconfig your TUN/TAP device manually or use an --up script.");
 #endif /* outer "if defined(TARGET_xxx)" conditional */
 #if !defined(TARGET_LINUX)
@@ -1311,8 +1232,8 @@ do_ifconfig_ipv6(struct tuntap *tt, const char *ifname, int tun_mtu,
 * @param ctx the networking API opaque context
 */
 static void
-do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu,
- const struct env_set *es, openvpn_net_ctx_t *ctx)
+do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es,
+ openvpn_net_ctx_t *ctx)
 {
 #if !defined(_WIN32) && !defined(TARGET_ANDROID)
 /*
@@ -1347,16 +1268,14 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu,
 if (tun_p2p)
 {
- if (net_addr_ptp_v4_add(ctx, ifname, &tt->local,
- &tt->remote_netmask) < 0)
+ if (net_addr_ptp_v4_add(ctx, ifname, &tt->local, &tt->remote_netmask) < 0)
 {
 msg(M_FATAL, "Linux can't add IP to interface %s", ifname);
 }
 }
 else
 {
- if (net_addr_v4_add(ctx, ifname, &tt->local,
- netmask_to_netbits2(tt->remote_netmask)) < 0)
+ if (net_addr_v4_add(ctx, ifname, &tt->local, netmask_to_netbits2(tt->remote_netmask)) < 0)
 {
 msg(M_FATAL, "Linux can't add IP to interface %s", ifname);
 }
@@ -1364,8 +1283,8 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu,
 #elif defined(TARGET_ANDROID)
 char out[64];
- snprintf(out, sizeof(out), "%s %s %d %s", ifconfig_local,
- ifconfig_remote_netmask, tun_mtu, print_topology(tt->topology));
+ snprintf(out, sizeof(out), "%s %s %d %s", ifconfig_local, ifconfig_remote_netmask, tun_mtu,
+ print_topology(tt->topology));
 management_android_control(management, "IFCONFIG", out);
 #elif defined(TARGET_SOLARIS)
@@ -1376,8 +1295,8 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu,
 */
 if (tun_p2p)
 {
- argv_printf(&argv, "%s %s %s %s mtu %d up", IFCONFIG_PATH, ifname,
- ifconfig_local, ifconfig_remote_netmask, tun_mtu);
+ argv_printf(&argv, "%s %s %s %s mtu %d up", IFCONFIG_PATH, ifname, ifconfig_local,
+ ifconfig_remote_netmask, tun_mtu);
 argv_msg(M_INFO, &argv);
 if (!openvpn_execve_check(&argv, es, 0, "Solaris ifconfig phase-1 failed"))
@@ -1385,19 +1304,16 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu,
 solaris_error_close(tt, es, ifname, false);
 }
- argv_printf(&argv, "%s %s netmask 255.255.255.255", IFCONFIG_PATH,
- ifname);
+ argv_printf(&argv, "%s %s netmask 255.255.255.255", IFCONFIG_PATH, ifname);
 }
 else if (tt->type == DEV_TYPE_TUN)
 {
- argv_printf(&argv, "%s %s %s %s netmask %s mtu %d up", IFCONFIG_PATH,
- ifname, ifconfig_local, ifconfig_local,
- ifconfig_remote_netmask, tun_mtu);
+ argv_printf(&argv, "%s %s %s %s netmask %s mtu %d up", IFCONFIG_PATH, ifname,
+ ifconfig_local, ifconfig_local, ifconfig_remote_netmask, tun_mtu);
 }
 else /* tap */
 {
- argv_printf(&argv, "%s %s %s netmask %s up",
- IFCONFIG_PATH, ifname, ifconfig_local,
+ argv_printf(&argv, "%s %s %s netmask %s up", IFCONFIG_PATH, ifname, ifconfig_local,
 ifconfig_remote_netmask);
 }
@@ -1422,7 +1338,7 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu, #elif defined(TARGET_OPENBSD) - in_addr_t remote_end; /* for "virtual" subnet topology */ + in_addr_t remote_end; /* for "virtual" subnet topology */ /* * On OpenBSD, tun interfaces are persistent if created with @@ -1433,24 +1349,20 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu, /* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */ if (tun_p2p) { - argv_printf(&argv, - "%s %s %s %s mtu %d netmask 255.255.255.255 up -link0", - IFCONFIG_PATH, ifname, ifconfig_local, - ifconfig_remote_netmask, tun_mtu); + argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up -link0", IFCONFIG_PATH, + ifname, ifconfig_local, ifconfig_remote_netmask, tun_mtu); } else if (tt->type == DEV_TYPE_TUN) { - remote_end = create_arbitrary_remote( tt ); - argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up -link0", - IFCONFIG_PATH, ifname, ifconfig_local, - print_in_addr_t(remote_end, 0, &gc), tun_mtu, + remote_end = create_arbitrary_remote(tt); + argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up -link0", IFCONFIG_PATH, ifname, + ifconfig_local, print_in_addr_t(remote_end, 0, &gc), tun_mtu, ifconfig_remote_netmask); } else /* tap */ { - argv_printf(&argv, "%s %s %s netmask %s mtu %d link0", - IFCONFIG_PATH, ifname, ifconfig_local, - ifconfig_remote_netmask, tun_mtu); + argv_printf(&argv, "%s %s %s netmask %s mtu %d link0", IFCONFIG_PATH, ifname, + ifconfig_local, ifconfig_remote_netmask, tun_mtu); } argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, S_FATAL, "OpenBSD ifconfig failed"); 
@@ -1468,20 +1380,19 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu, } #elif defined(TARGET_NETBSD) - in_addr_t remote_end = INADDR_ANY; /* for "virtual" subnet topology */ + in_addr_t remote_end = INADDR_ANY; /* for "virtual" subnet topology */ if (tun_p2p) { - argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up", - IFCONFIG_PATH, ifname, ifconfig_local, - ifconfig_remote_netmask, tun_mtu); + argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up", IFCONFIG_PATH, ifname, + ifconfig_local, ifconfig_remote_netmask, tun_mtu); } else if (tt->type == DEV_TYPE_TUN) { remote_end = create_arbitrary_remote(tt); - argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up", IFCONFIG_PATH, - ifname, ifconfig_local, print_in_addr_t(remote_end, 0, &gc), - tun_mtu, ifconfig_remote_netmask); + argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up", IFCONFIG_PATH, ifname, + ifconfig_local, print_in_addr_t(remote_end, 0, &gc), tun_mtu, + ifconfig_remote_netmask); } else /* tap */ { @@ -1490,8 +1401,7 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu, * so we don't need the "link0" extra parameter to specify we want to do * tunneling at the ethernet level */ - argv_printf(&argv, "%s %s %s netmask %s mtu %d", - IFCONFIG_PATH, ifname, ifconfig_local, + argv_printf(&argv, "%s %s %s netmask %s mtu %d", IFCONFIG_PATH, ifname, ifconfig_local, ifconfig_remote_netmask, tun_mtu); } argv_msg(M_INFO, &argv); 
@@ -1517,28 +1427,24 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu, argv_printf(&argv, "%s %s delete", IFCONFIG_PATH, ifname); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, 0, NULL); - msg(M_INFO, - "NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure"); + msg(M_INFO, "NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure"); /* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */ if (tun_p2p) { - argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up", - IFCONFIG_PATH, ifname, ifconfig_local, - ifconfig_remote_netmask, tun_mtu); + argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up", IFCONFIG_PATH, ifname, + ifconfig_local, ifconfig_remote_netmask, tun_mtu); } else if (tt->type == DEV_TYPE_TUN) { - argv_printf(&argv, "%s %s %s %s netmask %s mtu %d up", - IFCONFIG_PATH, ifname, ifconfig_local, ifconfig_local, - ifconfig_remote_netmask, tun_mtu); + argv_printf(&argv, "%s %s %s %s netmask %s mtu %d up", IFCONFIG_PATH, ifname, + ifconfig_local, ifconfig_local, ifconfig_remote_netmask, tun_mtu); } else /* tap */ { - argv_printf(&argv, "%s %s %s netmask %s mtu %d up", IFCONFIG_PATH, - ifname, ifconfig_local, ifconfig_remote_netmask, - tun_mtu); + argv_printf(&argv, "%s %s %s netmask %s mtu %d up", IFCONFIG_PATH, ifname, ifconfig_local, + ifconfig_remote_netmask, tun_mtu); } argv_msg(M_INFO, &argv); 
@@ -1559,17 +1465,16 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu, #elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) /* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */ - if (tun_p2p) /* point-to-point tun */ + if (tun_p2p) /* point-to-point tun */ { - argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up", - IFCONFIG_PATH, ifname, ifconfig_local, - ifconfig_remote_netmask, tun_mtu); + argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up", IFCONFIG_PATH, ifname, + ifconfig_local, ifconfig_remote_netmask, tun_mtu); } - else /* tun with topology subnet and tap mode (always subnet) */ + else /* tun with topology subnet and tap mode (always subnet) */ { int netbits = netmask_to_netbits2(tt->remote_netmask); - argv_printf(&argv, "%s %s %s/%d mtu %d up", IFCONFIG_PATH, - ifname, ifconfig_local, netbits, tun_mtu ); + argv_printf(&argv, "%s %s %s/%d mtu %d up", IFCONFIG_PATH, ifname, ifconfig_local, netbits, + tun_mtu); } argv_msg(M_INFO, &argv); @@ -1579,7 +1484,7 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu, { /* AIX ifconfig will complain if it can't find ODM path in env */ struct env_set *aix_es = env_set_create(NULL); - env_set_add( aix_es, "ODMDIR=/etc/objrepos" ); + env_set_add(aix_es, "ODMDIR=/etc/objrepos"); if (tt->type == DEV_TYPE_TUN) { 
@@ -1587,23 +1492,23 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu, } /* example: ifconfig tap0 172.30.1.1 netmask 255.255.254.0 up */ - argv_printf(&argv, "%s %s %s netmask %s mtu %d up", IFCONFIG_PATH, - ifname, ifconfig_local, ifconfig_remote_netmask, tun_mtu); + argv_printf(&argv, "%s %s %s netmask %s mtu %d up", IFCONFIG_PATH, ifname, ifconfig_local, + ifconfig_remote_netmask, tun_mtu); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, aix_es, S_FATAL, "AIX ifconfig failed"); env_set_destroy(aix_es); } -#elif defined (_WIN32) +#elif defined(_WIN32) if (tt->options.ip_win32_type == IPW32_SET_MANUAL) { msg(M_INFO, "******** NOTE: Please manually set the IP/netmask of '%s' to %s/%s (if it is not already set)", - ifname, ifconfig_local, - ifconfig_remote_netmask); + ifname, ifconfig_local, ifconfig_remote_netmask); } - else if (tt->options.ip_win32_type == IPW32_SET_DHCP_MASQ || tt->options.ip_win32_type == IPW32_SET_ADAPTIVE) + else if (tt->options.ip_win32_type == IPW32_SET_DHCP_MASQ + || tt->options.ip_win32_type == IPW32_SET_ADAPTIVE) { /* Let the DHCP configure the interface. */ } @@ -1618,8 +1523,8 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu, { if (tt->options.ip_win32_type == IPW32_SET_NETSH) { - netsh_ifconfig(&tt->options, tt->adapter_index, tt->local, - tt->adapter_netmask, NI_IP_NETMASK | NI_OPTIONS); + netsh_ifconfig(&tt->options, tt->adapter_index, tt->local, tt->adapter_netmask, + NI_IP_NETMASK | NI_OPTIONS); } do_dns_domain_wmic(true, tt); 
@@ -1636,13 +1541,14 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu, } #elif defined(TARGET_HAIKU) /* example: ifconfig tun/0 inet 1.1.1.1 255.255.255.0 mtu 1450 up */ - argv_printf(&argv, "%s %s inet %s %s mtu %d up", IFCONFIG_PATH, - ifname, ifconfig_local, ifconfig_remote_netmask, tun_mtu); + argv_printf(&argv, "%s %s inet %s %s mtu %d up", IFCONFIG_PATH, ifname, ifconfig_local, + ifconfig_remote_netmask, tun_mtu); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, S_FATAL, "Haiku ifconfig failed"); #else /* if defined(TARGET_LINUX) */ - msg(M_FATAL, "Sorry, but I don't know how to do 'ifconfig' commands on this operating system. You should ifconfig your TUN/TAP device manually or use an --up script."); + msg(M_FATAL, + "Sorry, but I don't know how to do 'ifconfig' commands on this operating system. You should ifconfig your TUN/TAP device manually or use an --up script."); #endif /* if defined(TARGET_LINUX) */ #if !defined(TARGET_LINUX) @@ -1653,8 +1559,8 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu, /* execute the ifconfig command through the shell */ void -do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, - const struct env_set *es, openvpn_net_ctx_t *ctx) +do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, + openvpn_net_ctx_t *ctx) { msg(D_LOW, "do_ifconfig, ipv4=%d, ipv6=%d", tt->did_ifconfig_setup, tt->did_ifconfig_ipv6_setup); @@ -1662,13 +1568,8 @@ do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, #ifdef ENABLE_MANAGEMENT if (management) { - management_set_state(management, - OPENVPN_STATE_ASSIGN_IP, - NULL, - &tt->local, - &tt->local_ipv6, - NULL, - NULL); + management_set_state(management, OPENVPN_STATE_ASSIGN_IP, NULL, &tt->local, &tt->local_ipv6, + NULL, NULL); } #endif 
@@ -1694,19 +1595,16 @@ undo_ifconfig_ipv4(struct tuntap *tt, openvpn_net_ctx_t *ctx) if (is_tun_p2p(tt)) { - if (net_addr_ptp_v4_del(ctx, tt->actual_name, &tt->local, - &tt->remote_netmask) < 0) + if (net_addr_ptp_v4_del(ctx, tt->actual_name, &tt->local, &tt->remote_netmask) < 0) { - msg(M_WARN, "Linux can't del IP from iface %s", - tt->actual_name); + msg(M_WARN, "Linux can't del IP from iface %s", tt->actual_name); } } else { if (net_addr_v4_del(ctx, tt->actual_name, &tt->local, netbits) < 0) { - msg(M_WARN, "Linux can't del IP from iface %s", - tt->actual_name); + msg(M_WARN, "Linux can't del IP from iface %s", tt->actual_name); } } #elif defined(TARGET_FREEBSD) @@ -1714,8 +1612,7 @@ undo_ifconfig_ipv4(struct tuntap *tt, openvpn_net_ctx_t *ctx) const char *ifconfig_local = print_in_addr_t(tt->local, 0, &gc); struct argv argv = argv_new(); - argv_printf(&argv, "%s %s %s -alias", IFCONFIG_PATH, - tt->actual_name, ifconfig_local); + argv_printf(&argv, "%s %s %s -alias", IFCONFIG_PATH, tt->actual_name, ifconfig_local); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, NULL, 0, "FreeBSD ip addr del failed"); @@ -1729,8 +1626,7 @@ static void undo_ifconfig_ipv6(struct tuntap *tt, openvpn_net_ctx_t *ctx) { #if defined(TARGET_LINUX) - if (net_addr_v6_del(ctx, tt->actual_name, &tt->local_ipv6, - tt->netbits_ipv6) < 0) + if (net_addr_v6_del(ctx, tt->actual_name, &tt->local_ipv6, tt->netbits_ipv6) < 0) { msg(M_WARN, "Linux can't del IPv6 from iface %s", tt->actual_name); } 
@@ -1739,8 +1635,8 @@ undo_ifconfig_ipv6(struct tuntap *tt, openvpn_net_ctx_t *ctx) const char *ifconfig_ipv6_local = print_in6_addr(tt->local_ipv6, 0, &gc); struct argv argv = argv_new(); - argv_printf(&argv, "%s %s inet6 %s/%d -alias", IFCONFIG_PATH, - tt->actual_name, ifconfig_ipv6_local, tt->netbits_ipv6); + argv_printf(&argv, "%s %s inet6 %s/%d -alias", IFCONFIG_PATH, tt->actual_name, + ifconfig_ipv6_local, tt->netbits_ipv6); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, NULL, 0, "FreeBSD ip -6 addr del failed"); @@ -1830,7 +1726,7 @@ write_tun_header(struct tuntap *tt, uint8_t *buf, int len) struct iovec iv[2]; struct openvpn_iphdr *iph; - iph = (struct openvpn_iphdr *) buf; + iph = (struct openvpn_iphdr *)buf; if (OPENVPN_IPH_GET_VER(iph->version_len) == 6) { @@ -1893,8 +1789,7 @@ tun_dco_enabled(struct tuntap *tt) #if !(defined(_WIN32) || defined(TARGET_LINUX) || defined(TARGET_SOLARIS)) static void -open_tun_generic(const char *dev, const char *dev_type, const char *dev_node, - struct tuntap *tt) +open_tun_generic(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) { char tunname[256]; char dynamic_name[256]; @@ -1924,10 +1819,8 @@ open_tun_generic(const char *dev, const char *dev_type, const char *dev_node, #if defined(TARGET_HAIKU) sep = "/"; #endif - snprintf(tunname, sizeof(tunname), - "/dev/%s%s%d", dev, sep, i); - snprintf(dynamic_name, sizeof(dynamic_name), - "%s%s%d", dev, sep, i); + snprintf(tunname, sizeof(tunname), "/dev/%s%s%d", dev, sep, i); + snprintf(dynamic_name, sizeof(dynamic_name), "%s%s%d", dev, sep, i); if ((tt->fd = open(tunname, O_RDWR)) > 0) { dynamic_opened = true; 
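Review bot: In the open_tun_generic hunk, the dynamic-device loop tests `if ((tt->fd = open(tunname, O_RDWR)) > 0)`, so an open that legitimately returns descriptor 0 (possible when stdin was closed before OpenVPN was exec'd) is treated as a failure: dynamic_opened stays false, descriptor 0 is never closed, and the loop moves on to the next name. The test should be `if ((tt->fd = open(tunname, O_RDWR)) >= 0)`, matching the `tt->fd >= 0` checks used elsewhere in this file. open_tun_generic starts before this hunk and the rest of its body is outside it.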
@@ -1952,9 +1845,9 @@ open_tun_generic(const char *dev, const char *dev_type, const char *dev_node, if (!dynamic_opened) { /* has named device existed before? if so, don't destroy at end */ - if (if_nametoindex( dev ) > 0) + if (if_nametoindex(dev) > 0) { - msg(M_INFO, "TUN/TAP device %s exists previously, keep at program end", dev ); + msg(M_INFO, "TUN/TAP device %s exists previously, keep at program end", dev); tt->persistent_if = true; } @@ -1970,14 +1863,13 @@ open_tun_generic(const char *dev, const char *dev_type, const char *dev_node, /* tt->actual_name is passed to up and down scripts and used as the ifconfig dev name */ tt->actual_name = string_alloc(dynamic_opened ? dynamic_name : dev, NULL); - } #endif /* !_WIN32 && !TARGET_LINUX && !TARGET_FREEBSD*/ #if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) static void -open_tun_dco_generic(const char *dev, const char *dev_type, - struct tuntap *tt, openvpn_net_ctx_t *ctx) +open_tun_dco_generic(const char *dev, const char *dev_type, struct tuntap *tt, + openvpn_net_ctx_t *ctx) { char dynamic_name[256]; bool dynamic_opened = false; @@ -1994,8 +1886,7 @@ open_tun_dco_generic(const char *dev, const char *dev_type, { for (int i = 0; i < 256; ++i) { - snprintf(dynamic_name, sizeof(dynamic_name), - "%s%d", dev, i); + snprintf(dynamic_name, sizeof(dynamic_name), "%s%d", dev, i); int ret = open_tun_dco(tt, ctx, dynamic_name); if (ret == 0) { @@ -2025,14 +1916,12 @@ open_tun_dco_generic(const char *dev, const char *dev_type, int ret = open_tun_dco(tt, ctx, dev); if (ret == -EEXIST) { - msg(M_INFO, "DCO device %s already exists, won't be destroyed at shutdown", - dev); + msg(M_INFO, "DCO device %s already exists, won't be destroyed at shutdown", dev); tt->persistent_if = true; } else if (ret < 0) { - msg(M_ERR, "Cannot open DCO device %s: %s (%d)", dev, - strerror(-ret), ret); + msg(M_ERR, "Cannot open DCO device %s: %s (%d)", dev, strerror(-ret), ret); } else { 
@@ -2059,7 +1948,7 @@ close_tun_generic(struct tuntap *tt) } #endif /* !_WIN32 */ -#if defined (TARGET_ANDROID) +#if defined(TARGET_ANDROID) void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt, openvpn_net_ctx_t *ctx) @@ -2099,7 +1988,7 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun int android_method = managment_android_persisttun_action(management); - if (oldtunfd >=0 && android_method == ANDROID_KEEP_OLD_TUN) + if (oldtunfd >= 0 && android_method == ANDROID_KEEP_OLD_TUN) { /* keep the old fd */ opentun = true; @@ -2210,8 +2099,7 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun } else { - msg(M_FATAL, "I don't recognize device %s as a tun or tap device", - dev); + msg(M_FATAL, "I don't recognize device %s as a tun or tap device", dev); } /* @@ -2226,7 +2114,7 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun * Use special ioctl that configures tun/tap device with the parms * we set in ifr */ - if (ioctl(tt->fd, TUNSETIFF, (void *) &ifr) < 0) + if (ioctl(tt->fd, TUNSETIFF, (void *)&ifr) < 0) { msg(M_ERR, "ERROR: Cannot ioctl TUNSETIFF %s", dev); } @@ -2247,7 +2135,7 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun CLEAR(netifr); strncpynt(netifr.ifr_name, ifr.ifr_name, IFNAMSIZ); netifr.ifr_qlen = tt->options.txqueuelen; - if (ioctl(ctl_fd, SIOCSIFTXQLEN, (void *) &netifr) >= 0) + if (ioctl(ctl_fd, SIOCSIFTXQLEN, (void *)&netifr) >= 0) { msg(D_OSBUF, "TUN/TAP TX queue length set to %d", tt->options.txqueuelen); } 
@@ -2286,13 +2174,13 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun /* TUNSETGROUP appeared in 2.6.23 */ #ifndef TUNSETGROUP -#define TUNSETGROUP _IOW('T', 206, int) +#define TUNSETGROUP _IOW('T', 206, int) #endif void -tuncfg(const char *dev, const char *dev_type, const char *dev_node, - int persist_mode, const char *username, const char *groupname, - const struct tuntap_options *options, openvpn_net_ctx_t *ctx) +tuncfg(const char *dev, const char *dev_type, const char *dev_node, int persist_mode, + const char *username, const char *groupname, const struct tuntap_options *options, + openvpn_net_ctx_t *ctx) { struct tuntap *tt; @@ -2412,8 +2300,7 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun } else { - msg(M_FATAL, "I don't recognize device %s as a tun or tap device", - dev); + msg(M_FATAL, "I don't recognize device %s as a tun or tap device", dev); } if ((tt->ip_fd = open(ip_node, O_RDWR, 0)) < 0) @@ -2431,7 +2318,7 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun /* get unit number */ if (*ptr) { - while (*ptr && !isdigit((int) *ptr)) + while (*ptr && !isdigit((int)*ptr)) { ptr++; } @@ -2444,7 +2331,7 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun strioc_ppa.ic_len = sizeof(ppa); strioc_ppa.ic_dp = (char *)&ppa; - if (*ptr == '\0') /* no number given, try dynamic */ + if (*ptr == '\0') /* no number given, try dynamic */ { bool found_one = false; while (!found_one && ppa < 64) 
@@ -2452,27 +2339,28 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun int new_ppa = ioctl(tt->fd, I_STR, &strioc_ppa); if (new_ppa >= 0) { - msg( M_INFO, "open_tun: got dynamic interface '%s%d'", dev_tuntap_type, new_ppa ); + msg(M_INFO, "open_tun: got dynamic interface '%s%d'", dev_tuntap_type, new_ppa); ppa = new_ppa; found_one = true; break; } if (errno != EEXIST) { - msg(M_ERR, "open_tun: unexpected error trying to find free %s interface", dev_tuntap_type ); + msg(M_ERR, "open_tun: unexpected error trying to find free %s interface", + dev_tuntap_type); } ppa++; } if (!found_one) { - msg(M_ERR, "open_tun: could not find free %s interface, give up.", dev_tuntap_type ); + msg(M_ERR, "open_tun: could not find free %s interface, give up.", dev_tuntap_type); } } - else /* try this particular one */ + else /* try this particular one */ { if ((ppa = ioctl(tt->fd, I_STR, &strioc_ppa)) < 0) { - msg(M_ERR, "Can't assign PPA for new interface (%s%d)", dev_tuntap_type, ppa ); + msg(M_ERR, "Can't assign PPA for new interface (%s%d)", dev_tuntap_type, ppa); } } @@ -2489,13 +2377,13 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun if (tt->type == DEV_TYPE_TUN) { /* Assign ppa according to the unit number returned by tun device */ - if (ioctl(if_fd, IF_UNITSEL, (char *) &ppa) < 0) + if (ioctl(if_fd, IF_UNITSEL, (char *)&ppa) < 0) { msg(M_ERR, "Can't set PPA %d", ppa); } } - tt->actual_name = (char *) malloc(32); + tt->actual_name = (char *)malloc(32); check_malloc_return(tt->actual_name); snprintf(tt->actual_name, 32, "%s%d", dev_tuntap_type, ppa); @@ -2513,7 +2401,7 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun { msg(M_ERR, "Can't set PPA %d", ppa); } - if (ioctl(if_fd, SIOCGLIFFLAGS, &ifr) <0) + if (ioctl(if_fd, SIOCGLIFFLAGS, &ifr) < 0) { msg(M_ERR, "Can't get flags\n"); } 
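Review bot: In the Solaris open_tun hunk, the "try this particular one" branch stores the ioctl result in `ppa` before testing it, so on failure `msg(M_ERR, "Can't assign PPA for new interface (%s%d)", dev_tuntap_type, ppa)` prints -1 instead of the unit the operator asked for. Keep the requested unit by testing the result separately: `int rc = ioctl(tt->fd, I_STR, &strioc_ppa); if (rc < 0) { msg(M_ERR, "Can't assign PPA for new interface (%s%d)", dev_tuntap_type, ppa); } ppa = rc;`. The later `msg(M_ERR, "Can't get flags\n")` also carries a trailing newline that no other message in this function has. The function begins before this hunk.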
@@ -2575,7 +2463,7 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun CLEAR(ifr); strncpynt(ifr.lifr_name, tt->actual_name, sizeof(ifr.lifr_name)); - ifr.lifr_ip_muxid = ip_muxid; + ifr.lifr_ip_muxid = ip_muxid; if (tt->type == DEV_TYPE_TAP) { ifr.lifr_arp_muxid = arp_muxid; @@ -2605,8 +2493,7 @@ solaris_close_tun(struct tuntap *tt) if (tt->did_ifconfig_ipv6_setup) { struct argv argv = argv_new(); - argv_printf( &argv, "%s %s inet6 unplumb", - IFCONFIG_PATH, tt->actual_name ); + argv_printf(&argv, "%s %s inet6 unplumb", IFCONFIG_PATH, tt->actual_name); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, NULL, 0, "Solaris ifconfig inet6 unplumb failed"); argv_free(&argv); @@ -2669,23 +2556,19 @@ close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx) } static void -solaris_error_close(struct tuntap *tt, const struct env_set *es, - const char *actual, bool unplumb_inet6 ) +solaris_error_close(struct tuntap *tt, const struct env_set *es, const char *actual, + bool unplumb_inet6) { struct argv argv = argv_new(); if (unplumb_inet6) { - argv_printf( &argv, "%s %s inet6 unplumb", - IFCONFIG_PATH, actual ); + argv_printf(&argv, "%s %s inet6 unplumb", IFCONFIG_PATH, actual); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, 0, "Solaris ifconfig inet6 unplumb failed"); } - argv_printf(&argv, - "%s %s unplumb", - IFCONFIG_PATH, - actual); + argv_printf(&argv, "%s %s unplumb", IFCONFIG_PATH, actual); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, 0, "Solaris ifconfig unplumb failed"); @@ -2771,8 +2654,7 @@ close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx) /* setup command, close tun dev (clears tt->actual_name!), run command */ - argv_printf(&argv, "%s %s destroy", - IFCONFIG_PATH, tt->actual_name); + argv_printf(&argv, "%s %s destroy", IFCONFIG_PATH, tt->actual_name); close_tun_generic(tt); 
@@ -2822,11 +2704,11 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun if (strcmp(dev, "tap") == 0) { struct ifreq ifr; - if ((tt->fd = open( "/dev/tap", O_RDWR)) < 0) + if ((tt->fd = open("/dev/tap", O_RDWR)) < 0) { msg(M_FATAL, "Cannot allocate NetBSD TAP dev dynamically"); } - if (ioctl( tt->fd, TAPGIFNAME, (void *)&ifr ) < 0) + if (ioctl(tt->fd, TAPGIFNAME, (void *)&ifr) < 0) { msg(M_FATAL, "Cannot query NetBSD TAP device name"); } @@ -2846,15 +2728,15 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun if (tt->fd >= 0) { - int i = IFF_POINTOPOINT|IFF_MULTICAST; - ioctl(tt->fd, TUNSIFMODE, &i); /* multicast on */ + int i = IFF_POINTOPOINT | IFF_MULTICAST; + ioctl(tt->fd, TUNSIFMODE, &i); /* multicast on */ i = 0; - ioctl(tt->fd, TUNSLMODE, &i); /* link layer mode off */ + ioctl(tt->fd, TUNSLMODE, &i); /* link layer mode off */ if (tt->type == DEV_TYPE_TUN) { i = 1; - if (ioctl(tt->fd, TUNSIFHEAD, &i) < 0) /* multi-af mode on */ + if (ioctl(tt->fd, TUNSIFHEAD, &i) < 0) /* multi-af mode on */ { msg(M_WARN | M_ERRNO, "ioctl(TUNSIFHEAD)"); } @@ -2885,8 +2767,7 @@ close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx) /* setup command, close tun dev (clears tt->actual_name!), run command */ - argv_printf(&argv, "%s %s destroy", - IFCONFIG_PATH, tt->actual_name); + argv_printf(&argv, "%s %s destroy", IFCONFIG_PATH, tt->actual_name); close_tun_generic(tt); @@ -2919,7 +2800,7 @@ write_tun(struct tuntap *tt, uint8_t *buf, int len) struct iovec iv[2]; struct openvpn_iphdr *iph; - iph = (struct openvpn_iphdr *) buf; + iph = (struct openvpn_iphdr *)buf; if (OPENVPN_IPH_GET_VER(iph->version_len) == 6) { @@ -3027,7 +2908,7 @@ close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx) { ASSERT(tt); - if (tt->persistent_if) /* keep pre-existing if around */ + if (tt->persistent_if) /* keep pre-existing if around */ { close_tun_generic(tt); free(tt); 
@@ -3040,14 +2921,12 @@ close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx) /* setup command, close tun dev (clears tt->actual_name!), run command */ - argv_printf(&argv, "%s %s destroy", - IFCONFIG_PATH, tt->actual_name); + argv_printf(&argv, "%s %s destroy", IFCONFIG_PATH, tt->actual_name); close_tun_generic(tt); argv_msg(M_INFO, &argv); - openvpn_execve_check(&argv, NULL, 0, - "FreeBSD 'destroy tun interface' failed (non-critical)"); + openvpn_execve_check(&argv, NULL, 0, "FreeBSD 'destroy tun interface' failed (non-critical)"); free(tt); argv_free(&argv); @@ -3062,7 +2941,7 @@ write_tun(struct tuntap *tt, uint8_t *buf, int len) struct iovec iv[2]; struct ip *iph; - iph = (struct ip *) buf; + iph = (struct ip *)buf; if (iph->ip_v == 6) { @@ -3157,7 +3036,7 @@ write_tun(struct tuntap *tt, uint8_t *buf, int len) struct iovec iv[2]; struct ip *iph; - iph = (struct ip *) buf; + iph = (struct ip *)buf; if (iph->ip_v == 6) { @@ -3233,16 +3112,14 @@ utun_open_helper(struct ctl_info ctlInfo, int utunnum) if (fd < 0) { - msg(M_INFO | M_ERRNO, "Opening utun%d failed (socket(SYSPROTO_CONTROL))", - utunnum); + msg(M_INFO | M_ERRNO, "Opening utun%d failed (socket(SYSPROTO_CONTROL))", utunnum); return -2; } if (ioctl(fd, CTLIOCGINFO, &ctlInfo) == -1) { close(fd); - msg(M_INFO | M_ERRNO, "Opening utun%d failed (ioctl(CTLIOCGINFO))", - utunnum); + msg(M_INFO | M_ERRNO, "Opening utun%d failed (ioctl(CTLIOCGINFO))", utunnum); return -2; } @@ -3252,7 +3129,7 @@ utun_open_helper(struct ctl_info ctlInfo, int utunnum) sc.sc_family = AF_SYSTEM; sc.ss_sysaddr = AF_SYS_CONTROL; - sc.sc_unit = utunnum+1; + sc.sc_unit = utunnum + 1; /* If the connect is successful, a utun%d device will be created, where "%d" 
@@ -3260,8 +3137,7 @@ utun_open_helper(struct ctl_info ctlInfo, int utunnum) if (connect(fd, (struct sockaddr *)&sc, sizeof(sc)) < 0) { - msg(M_INFO | M_ERRNO, "Opening utun%d failed (connect(AF_SYS_CONTROL))", - utunnum); + msg(M_INFO | M_ERRNO, "Opening utun%d failed (connect(AF_SYS_CONTROL))", utunnum); close(fd); return -1; } @@ -3283,20 +3159,21 @@ open_darwin_utun(const char *dev, const char *dev_type, const char *dev_node, st /* dev_node is simply utun, do the normal dynamic utun * otherwise try to parse the utun number */ - if (dev_node && (strcmp("utun", dev_node) != 0 )) + if (dev_node && (strcmp("utun", dev_node) != 0)) { if (sscanf(dev_node, "utun%d", &utunnum) != 1) { - msg(M_FATAL, "Cannot parse 'dev-node %s' please use 'dev-node utunX'" - "to use a utun device number X", dev_node); + msg(M_FATAL, + "Cannot parse 'dev-node %s' please use 'dev-node utunX'" + "to use a utun device number X", + dev_node); } } - CLEAR(ctlInfo); - if (strlcpy(ctlInfo.ctl_name, UTUN_CONTROL_NAME, sizeof(ctlInfo.ctl_name)) >= - sizeof(ctlInfo.ctl_name)) + if (strlcpy(ctlInfo.ctl_name, UTUN_CONTROL_NAME, sizeof(ctlInfo.ctl_name)) + >= sizeof(ctlInfo.ctl_name)) { msg(M_ERR, "Opening utun: UTUN_CONTROL_NAME too long"); } @@ -3316,7 +3193,7 @@ open_darwin_utun(const char *dev, const char *dev_type, const char *dev_node, st fd = utun_open_helper(ctlInfo, utunnum); /* Break if the fd is valid, * or if early initialization failed (-2) */ - if (fd !=-1) + if (fd != -1) { break; } 
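Review bot: In the open_darwin_utun hunk, the reformatted M_FATAL message is assembled from two adjacent literals, `"Cannot parse 'dev-node %s' please use 'dev-node utunX'"` and `"to use a utun device number X"`, with no space at the join, so the user reads `utunX'to use`. Add the space at the end of the first literal: `"Cannot parse 'dev-node %s' please use 'dev-node utunX' "`. The preceding `sscanf(dev_node, "utun%d", &utunnum)` also accepts a negative number (`--dev-node utun-3`), which the earlier hunk then feeds into `sc.sc_unit = utunnum + 1`; rejecting `utunnum < 0` with the same M_FATAL would keep the unit in range before it reaches the kernel control socket. open_darwin_utun continues outside this hunk.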
@@ -3352,13 +3229,11 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun openvpn_net_ctx_t *ctx) { /* If dev_node does not start start with utun assume regular tun/tap */ - if ((!dev_node && tt->type==DEV_TYPE_TUN) - || (dev_node && !strncmp(dev_node, "utun", 4))) + if ((!dev_node && tt->type == DEV_TYPE_TUN) || (dev_node && !strncmp(dev_node, "utun", 4))) { - /* Check if user has specific dev_type tap and forced utun with * dev-node utun */ - if (tt->type!=DEV_TYPE_TUN) + if (tt->type != DEV_TYPE_TUN) { msg(M_FATAL, "Cannot use utun devices with --dev-type %s", dev_type_string(dev, dev_type)); @@ -3386,12 +3261,11 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun } else { - /* Use plain dev-node tun to select /dev/tun style * Unset dev_node variable prior to passing to open_tun_generic to * let open_tun_generic pick the first available tun device */ - if (dev_node && strcmp(dev_node, "tun")==0) + if (dev_node && strcmp(dev_node, "tun") == 0) { dev_node = NULL; } @@ -3410,11 +3284,9 @@ close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx) if (tt->did_ifconfig_ipv6_setup) { - const char *ifconfig_ipv6_local = - print_in6_addr(tt->local_ipv6, 0, &gc); + const char *ifconfig_ipv6_local = print_in6_addr(tt->local_ipv6, 0, &gc); - argv_printf(&argv, "%s delete -inet6 %s", - ROUTE_PATH, ifconfig_ipv6_local ); + argv_printf(&argv, "%s delete -inet6 %s", ROUTE_PATH, ifconfig_ipv6_local); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, NULL, 0, "MacOS X 'remove inet6 route' failed (non-critical)"); } 
@@ -3463,44 +3335,46 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun if (tt->type == DEV_TYPE_TUN) { - msg(M_FATAL, "no support for 'tun' devices on AIX" ); + msg(M_FATAL, "no support for 'tun' devices on AIX"); } - if (strncmp( dev, "tap", 3 ) != 0 || dev_node) + if (strncmp(dev, "tap", 3) != 0 || dev_node) { - msg(M_FATAL, "'--dev %s' and/or '--dev-node' not supported on AIX, use '--dev tap0', 'tap1', etc.", dev ); + msg(M_FATAL, + "'--dev %s' and/or '--dev-node' not supported on AIX, use '--dev tap0', 'tap1', etc.", + dev); } - if (strcmp( dev, "tap" ) == 0) /* find first free tap dev */ - { /* (= no /dev/tapN node) */ + if (strcmp(dev, "tap") == 0) /* find first free tap dev */ + { /* (= no /dev/tapN node) */ int i; - for (i = 0; i<99; i++) + for (i = 0; i < 99; i++) { snprintf(tunname, sizeof(tunname), "/dev/tap%d", i); - if (access( tunname, F_OK ) < 0 && errno == ENOENT) + if (access(tunname, F_OK) < 0 && errno == ENOENT) { break; } } if (i >= 99) { - msg( M_FATAL, "cannot find unused tap device" ); + msg(M_FATAL, "cannot find unused tap device"); } - snprintf( dynamic_name, sizeof(dynamic_name), "tap%d", i ); + snprintf(dynamic_name, sizeof(dynamic_name), "tap%d", i); dev = dynamic_name; } - else /* name given, sanity check */ + else /* name given, sanity check */ { /* ensure that dev name is "tap+" *only* */ p = &dev[3]; - while (isdigit(*p) ) + while (isdigit(*p)) { p++; } if (*p != '\0') { - msg( M_FATAL, "TAP device name must be '--dev tapNNNN'" ); + msg(M_FATAL, "TAP device name must be '--dev tapNNNN'"); } snprintf(tunname, sizeof(tunname), "/dev/%s", dev); 
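Review bot: In the AIX open_tun hunk, the device-name sanity check walks `p = &dev[3]` with `while (isdigit(*p))` on a plain `char`; `--dev` is operator-supplied text, and if a byte with the high bit set reaches this loop on a build where `char` is signed, `isdigit` receives a negative value other than EOF, which is undefined behaviour (CERT STR37-C). Cast first: `while (isdigit((unsigned char)*p))`. The Solaris open_tun hunk earlier in this series uses `isdigit((int)*ptr)`, which does not avoid the problem either, so both sites deserve the same cast. The function continues outside this hunk.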
@@ -3508,16 +3382,15 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun /* pre-existing device? */ - if (access( tunname, F_OK ) < 0 && errno == ENOENT) + if (access(tunname, F_OK) < 0 && errno == ENOENT) { - /* tunnel device must be created with 'ifconfig tapN create' */ struct argv argv = argv_new(); struct env_set *es = env_set_create(NULL); argv_printf(&argv, "%s %s create", IFCONFIG_PATH, dev); argv_msg(M_INFO, &argv); - env_set_add( es, "ODMDIR=/etc/objrepos" ); + env_set_add(es, "ODMDIR=/etc/objrepos"); openvpn_execve_check(&argv, es, S_FATAL, "AIX 'create tun interface' failed"); env_set_destroy(es); argv_free(&argv); @@ -3555,18 +3428,16 @@ close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx) */ if (tt->persistent_if) { - argv_printf(&argv, "%s %s 0.0.0.0 down", - IFCONFIG_PATH, tt->actual_name); + argv_printf(&argv, "%s %s 0.0.0.0 down", IFCONFIG_PATH, tt->actual_name); } else { - argv_printf(&argv, "%s %s destroy", - IFCONFIG_PATH, tt->actual_name); + argv_printf(&argv, "%s %s destroy", IFCONFIG_PATH, tt->actual_name); } close_tun_generic(tt); argv_msg(M_INFO, &argv); - env_set_add( es, "ODMDIR=/etc/objrepos" ); + env_set_add(es, "ODMDIR=/etc/objrepos"); openvpn_execve_check(&argv, es, 0, "AIX 'destroy tap interface' failed (non-critical)"); free(tt); @@ -3606,13 +3477,8 @@ tun_read_queue(struct tuntap *tt, int maxsize) /* the overlapped read will signal this event on I/O completion */ ASSERT(ResetEvent(tt->reads.overlapped.hEvent)); - status = ReadFile( - tt->hand, - BPTR(&tt->reads.buf), - len, - &tt->reads.size, - &tt->reads.overlapped - ); + status = + ReadFile(tt->hand, BPTR(&tt->reads.buf), len, &tt->reads.size, &tt->reads.overlapped); if (status) /* operation completed immediately? */ { 
@@ -3622,9 +3488,8 @@ tun_read_queue(struct tuntap *tt, int maxsize) tt->reads.iostate = IOSTATE_IMMEDIATE_RETURN; tt->reads.status = 0; - dmsg(D_WIN32_IO, "WIN32 I/O: TAP Read immediate return [%d,%d]", - (int) len, - (int) tt->reads.size); + dmsg(D_WIN32_IO, "WIN32 I/O: TAP Read immediate return [%d,%d]", (int)len, + (int)tt->reads.size); } else { @@ -3633,8 +3498,7 @@ tun_read_queue(struct tuntap *tt, int maxsize) { tt->reads.iostate = IOSTATE_QUEUED; tt->reads.status = err; - dmsg(D_WIN32_IO, "WIN32 I/O: TAP Read queued [%d]", - (int) len); + dmsg(D_WIN32_IO, "WIN32 I/O: TAP Read queued [%d]", (int)len); } else /* error occurred */ { @@ -3642,8 +3506,7 @@ tun_read_queue(struct tuntap *tt, int maxsize) ASSERT(SetEvent(tt->reads.overlapped.hEvent)); tt->reads.iostate = IOSTATE_IMMEDIATE_RETURN; tt->reads.status = err; - dmsg(D_WIN32_IO, "WIN32 I/O: TAP Read error [%d] : %s", - (int) len, + dmsg(D_WIN32_IO, "WIN32 I/O: TAP Read error [%d] : %s", (int)len, strerror_win32(status, &gc)); gc_free(&gc); } @@ -3668,13 +3531,8 @@ tun_write_queue(struct tuntap *tt, struct buffer *buf) /* the overlapped write will signal this event on I/O completion */ ASSERT(ResetEvent(tt->writes.overlapped.hEvent)); - status = WriteFile( - tt->hand, - BPTR(&tt->writes.buf), - BLEN(&tt->writes.buf), - &tt->writes.size, - &tt->writes.overlapped - ); + status = WriteFile(tt->hand, BPTR(&tt->writes.buf), BLEN(&tt->writes.buf), &tt->writes.size, + &tt->writes.overlapped); if (status) /* operation completed immediately? */ { @@ -3685,9 +3543,8 @@ tun_write_queue(struct tuntap *tt, struct buffer *buf) tt->writes.status = 0; - dmsg(D_WIN32_IO, "WIN32 I/O: TAP Write immediate return [%d,%d]", - BLEN(&tt->writes.buf), - (int) tt->writes.size); + dmsg(D_WIN32_IO, "WIN32 I/O: TAP Write immediate return [%d,%d]", BLEN(&tt->writes.buf), + (int)tt->writes.size); } else { 
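Review bot: In the tun_read_queue error branch (hunk @@ -3642), the debug line calls `strerror_win32(status, &gc)`, but `status` is the BOOL returned by the ReadFile call above and the Windows error code is in `err`, which the preceding line stores into `tt->reads.status`; the message therefore describes error 0 rather than the actual failure. The write path in tun_write_queue uses `strerror_win32(err, &gc)`, and the read path should match: `dmsg(D_WIN32_IO, "WIN32 I/O: TAP Read error [%d] : %s", (int)len, strerror_win32(err, &gc));`. The assignment of `err` and the rest of tun_read_queue are outside this hunk.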
@@ -3696,8 +3553,7 @@ tun_write_queue(struct tuntap *tt, struct buffer *buf) { tt->writes.iostate = IOSTATE_QUEUED; tt->writes.status = err; - dmsg(D_WIN32_IO, "WIN32 I/O: TAP Write queued [%d]", - BLEN(&tt->writes.buf)); + dmsg(D_WIN32_IO, "WIN32 I/O: TAP Write queued [%d]", BLEN(&tt->writes.buf)); } else /* error occurred */ { @@ -3705,8 +3561,7 @@ tun_write_queue(struct tuntap *tt, struct buffer *buf) ASSERT(SetEvent(tt->writes.overlapped.hEvent)); tt->writes.iostate = IOSTATE_IMMEDIATE_RETURN; tt->writes.status = err; - dmsg(D_WIN32_IO, "WIN32 I/O: TAP Write error [%d] : %s", - BLEN(&tt->writes.buf), + dmsg(D_WIN32_IO, "WIN32 I/O: TAP Write error [%d] : %s", BLEN(&tt->writes.buf), strerror_win32(err, &gc)); gc_free(&gc); } @@ -3749,11 +3604,13 @@ get_device_instance_id_interface(struct gc_arena *gc) struct device_instance_id_interface *first = NULL; struct device_instance_id_interface *last = NULL; - dev_info_set = SetupDiGetClassDevsEx(&GUID_DEVCLASS_NET, NULL, NULL, DIGCF_PRESENT, NULL, NULL, NULL); + dev_info_set = + SetupDiGetClassDevsEx(&GUID_DEVCLASS_NET, NULL, NULL, DIGCF_PRESENT, NULL, NULL, NULL); if (dev_info_set == INVALID_HANDLE_VALUE) { err = GetLastError(); - msg(M_FATAL, "Error [%u] opening device information set key: %s", (unsigned int)err, strerror_win32(err, gc)); + msg(M_FATAL, "Error [%u] opening device information set key: %s", (unsigned int)err, + strerror_win32(err, gc)); } msg(D_TAP_WIN_DEBUG, "Enumerate device interface lists:"); @@ -3786,7 +3643,8 @@ get_device_instance_id_interface(struct gc_arena *gc) } } - dev_key = SetupDiOpenDevRegKey(dev_info_set, &device_info_data, DICS_FLAG_GLOBAL, 0, DIREG_DRV, KEY_QUERY_VALUE); + dev_key = SetupDiOpenDevRegKey(dev_info_set, &device_info_data, DICS_FLAG_GLOBAL, 0, + DIREG_DRV, KEY_QUERY_VALUE); if (dev_key == INVALID_HANDLE_VALUE) { continue; 
@@ -3794,27 +3652,23 @@ get_device_instance_id_interface(struct gc_arena *gc) len = sizeof(net_cfg_instance_id); data_type = REG_SZ; - status = RegQueryValueEx(dev_key, - net_cfg_instance_id_string, - NULL, - &data_type, - net_cfg_instance_id, - &len); + status = RegQueryValueEx(dev_key, net_cfg_instance_id_string, NULL, &data_type, + net_cfg_instance_id, &len); if (status != ERROR_SUCCESS) { goto next; } len = sizeof(device_instance_id); - res = SetupDiGetDeviceInstanceId(dev_info_set, &device_info_data, device_instance_id, len, &len); + res = SetupDiGetDeviceInstanceId(dev_info_set, &device_info_data, device_instance_id, len, + &len); if (!res) { goto next; } cr = CM_Get_Device_Interface_List_Size(&dev_interface_list_size, - (LPGUID)&GUID_DEVINTERFACE_NET, - device_instance_id, + (LPGUID)&GUID_DEVINTERFACE_NET, device_instance_id, CM_GET_DEVICE_INTERFACE_LIST_PRESENT); if (cr != CR_SUCCESS) @@ -3824,8 +3678,7 @@ get_device_instance_id_interface(struct gc_arena *gc) char *dev_interface_list = gc_malloc(dev_interface_list_size, false, gc); cr = CM_Get_Device_Interface_List((LPGUID)&GUID_DEVINTERFACE_NET, device_instance_id, - dev_interface_list, - dev_interface_list_size, + dev_interface_list, dev_interface_list_size, CM_GET_DEVICE_INTERFACE_LIST_PRESENT); if (cr != CR_SUCCESS) { @@ -3839,12 +3692,12 @@ get_device_instance_id_interface(struct gc_arena *gc) { struct device_instance_id_interface *dev_iif; ALLOC_OBJ_CLEAR_GC(dev_iif, struct device_instance_id_interface, gc); - dev_iif->net_cfg_instance_id = (unsigned char *)string_alloc((char *)net_cfg_instance_id, gc); + dev_iif->net_cfg_instance_id = + (unsigned char *)string_alloc((char *)net_cfg_instance_id, gc); dev_iif->device_interface = string_alloc(dev_if, gc); msg(D_TAP_WIN_DEBUG, "NetCfgInstanceId: %s, Device Interface: %s", - dev_iif->net_cfg_instance_id, - dev_iif->device_interface); + dev_iif->net_cfg_instance_id, dev_iif->device_interface); /* link into return list */ if (!first) 
@@ -3879,12 +3732,7 @@ get_tap_reg(struct gc_arena *gc) struct tap_reg *last = NULL; int i = 0; - status = RegOpenKeyEx( - HKEY_LOCAL_MACHINE, - ADAPTER_KEY, - 0, - KEY_READ, - &adapter_key); + status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, ADAPTER_KEY, 0, KEY_READ, &adapter_key); if (status != ERROR_SUCCESS) { @@ -3904,34 +3752,19 @@ get_tap_reg(struct gc_arena *gc) DWORD data_type; len = sizeof(enum_name); - status = RegEnumKeyEx( - adapter_key, - i, - enum_name, - &len, - NULL, - NULL, - NULL, - NULL); + status = RegEnumKeyEx(adapter_key, i, enum_name, &len, NULL, NULL, NULL, NULL); if (status == ERROR_NO_MORE_ITEMS) { break; } else if (status != ERROR_SUCCESS) { - msg(M_FATAL, "Error enumerating registry subkeys of key: %s", - ADAPTER_KEY); + msg(M_FATAL, "Error enumerating registry subkeys of key: %s", ADAPTER_KEY); } - snprintf(unit_string, sizeof(unit_string), "%s\\%s", - ADAPTER_KEY, enum_name); + snprintf(unit_string, sizeof(unit_string), "%s\\%s", ADAPTER_KEY, enum_name); - status = RegOpenKeyEx( - HKEY_LOCAL_MACHINE, - unit_string, - 0, - KEY_READ, - &unit_key); + status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, unit_string, 0, KEY_READ, &unit_key); if (status != ERROR_SUCCESS) { 
@@ -3940,29 +3773,19 @@ get_tap_reg(struct gc_arena *gc) else { len = sizeof(component_id); - status = RegQueryValueEx( - unit_key, - component_id_string, - NULL, - &data_type, - (LPBYTE)component_id, - &len); + status = RegQueryValueEx(unit_key, component_id_string, NULL, &data_type, + (LPBYTE)component_id, &len); if (status != ERROR_SUCCESS || data_type != REG_SZ) { - dmsg(D_REGISTRY, "Error opening registry key: %s\\%s", - unit_string, component_id_string); + dmsg(D_REGISTRY, "Error opening registry key: %s\\%s", unit_string, + component_id_string); } else { len = sizeof(net_cfg_instance_id); - status = RegQueryValueEx( - unit_key, - net_cfg_instance_id_string, - NULL, - &data_type, - net_cfg_instance_id, - &len); + status = RegQueryValueEx(unit_key, net_cfg_instance_id_string, NULL, &data_type, + net_cfg_instance_id, &len); if (status == ERROR_SUCCESS && data_type == REG_SZ) { @@ -3996,8 +3819,8 @@ get_tap_reg(struct gc_arena *gc) } last = reg; - msg(D_TAP_WIN_DEBUG, "NetCfgInstanceId: %s, Driver: %s", - reg->guid, print_tun_backend_driver(reg->windows_driver)); + msg(D_TAP_WIN_DEBUG, "NetCfgInstanceId: %s, Driver: %s", reg->guid, + print_tun_backend_driver(reg->windows_driver)); } } } @@ -4020,12 +3843,8 @@ get_panel_reg(struct gc_arena *gc) struct panel_reg *last = NULL; int i = 0; - status = RegOpenKeyEx( - HKEY_LOCAL_MACHINE, - NETWORK_CONNECTIONS_KEY, - 0, - KEY_READ, - &network_connections_key); + status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, NETWORK_CONNECTIONS_KEY, 0, KEY_READ, + &network_connections_key); if (status != ERROR_SUCCESS) { 
@@ -4042,35 +3861,20 @@ get_panel_reg(struct gc_arena *gc) const WCHAR name_string[] = L"Name"; len = sizeof(enum_name); - status = RegEnumKeyEx( - network_connections_key, - i, - enum_name, - &len, - NULL, - NULL, - NULL, - NULL); + status = RegEnumKeyEx(network_connections_key, i, enum_name, &len, NULL, NULL, NULL, NULL); if (status == ERROR_NO_MORE_ITEMS) { break; } else if (status != ERROR_SUCCESS) { - msg(M_FATAL, "Error enumerating registry subkeys of key: %s", - NETWORK_CONNECTIONS_KEY); + msg(M_FATAL, "Error enumerating registry subkeys of key: %s", NETWORK_CONNECTIONS_KEY); } - snprintf(connection_string, sizeof(connection_string), - "%s\\%s\\Connection", + snprintf(connection_string, sizeof(connection_string), "%s\\%s\\Connection", NETWORK_CONNECTIONS_KEY, enum_name); - status = RegOpenKeyEx( - HKEY_LOCAL_MACHINE, - connection_string, - 0, - KEY_READ, - &connection_key); + status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, connection_string, 0, KEY_READ, &connection_key); if (status != ERROR_SUCCESS) { @@ -4079,18 +3883,13 @@ get_panel_reg(struct gc_arena *gc) else { len = sizeof(name_data); - status = RegQueryValueExW( - connection_key, - name_string, - NULL, - &name_type, - (LPBYTE) name_data, - &len); + status = RegQueryValueExW(connection_key, name_string, NULL, &name_type, + (LPBYTE)name_data, &len); if (status != ERROR_SUCCESS || name_type != REG_SZ) { - dmsg(D_REGISTRY, "Error opening registry key: %s\\%s\\%ls", - NETWORK_CONNECTIONS_KEY, connection_string, name_string); + dmsg(D_REGISTRY, "Error opening registry key: %s\\%s\\%ls", NETWORK_CONNECTIONS_KEY, + connection_string, name_string); } else { 
@@ -4143,15 +3942,14 @@ verify_255_255_255_252(in_addr_t local, in_addr_t remote) } if ((local & (~mask)) != (remote & (~mask))) { - err = "must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver"; + err = + "must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver"; goto error; } - if ((local & mask) == 0 - || (local & mask) == 3 - || (remote & mask) == 0 - || (remote & mask) == 3) + if ((local & mask) == 0 || (local & mask) == 3 || (remote & mask) == 0 || (remote & mask) == 3) { - err = "cannot use the first or last address within a given 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver"; + err = + "cannot use the first or last address within a given 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver"; goto error; } @@ -4159,10 +3957,10 @@ verify_255_255_255_252(in_addr_t local, in_addr_t remote) return; error: - msg(M_FATAL, "There is a problem in your selection of --ifconfig endpoints [local=%s, remote=%s]. The local and remote VPN endpoints %s. Try '" PACKAGE " --show-valid-subnets' option for more info.", - print_in_addr_t(local, 0, &gc), - print_in_addr_t(remote, 0, &gc), - err); + msg(M_FATAL, + "There is a problem in your selection of --ifconfig endpoints [local=%s, remote=%s]. The local and remote VPN endpoints %s. Try '" PACKAGE + " --show-valid-subnets' option for more info.", + print_in_addr_t(local, 0, &gc), print_in_addr_t(remote, 0, &gc), err); gc_free(&gc); } @@ -4186,7 +3984,7 @@ show_valid_win32_tun_subnets(void) for (i = 0; i < 256; i += 4) { - printf("[%3d,%3d] ", i+1, i+2); + printf("[%3d,%3d] ", i + 1, i + 2); if (++col > 4) { col = 0; 
@@ -4229,7 +4027,8 @@ show_tap_win_adapters(int msglev, int warnlev) { if (!strcmp(tr->guid, pr->guid)) { - msg(msglev, "'%s' %s %s", pr->name, tr->guid, print_tun_backend_driver(tr->windows_driver)); + msg(msglev, "'%s' %s %s", pr->name, tr->guid, + print_tun_backend_driver(tr->windows_driver)); ++links; } } @@ -4267,12 +4066,14 @@ show_tap_win_adapters(int msglev, int warnlev) if (warn_panel_dup) { - msg(warnlev, "WARNING: Some TAP-Windows adapters have duplicate links from the Network Connections control panel"); + msg(warnlev, + "WARNING: Some TAP-Windows adapters have duplicate links from the Network Connections control panel"); } if (warn_panel_null) { - msg(warnlev, "WARNING: Some TAP-Windows adapters have no link from the Network Connections control panel"); + msg(warnlev, + "WARNING: Some TAP-Windows adapters have no link from the Network Connections control panel"); } gc_free(&gc); @@ -4314,7 +4115,8 @@ guid_to_name(const char *guid, const struct panel_reg *panel_reg) } static const struct tap_reg * -get_adapter_by_name(const char *name, const struct tap_reg *tap_reg, const struct panel_reg *panel_reg) +get_adapter_by_name(const char *name, const struct tap_reg *tap_reg, + const struct panel_reg *panel_reg) { const struct panel_reg *pr; @@ -4335,8 +4137,8 @@ at_least_one_tap_win(const struct tap_reg *tap_reg) if (!tap_reg) { msg(M_FATAL, "There are no TAP-Windows or ovpn-dco adapters " - "on this system. You should be able to create an adapter " - "by using tapctl.exe utility."); + "on this system. You should be able to create an adapter " + "by using tapctl.exe utility."); } } 
@@ -4345,13 +4147,10 @@ at_least_one_tap_win(const struct tap_reg *tap_reg) * registry for the TAP device # = device_number. */ static const char * -get_unspecified_device_guid(const int device_number, - uint8_t *actual_name, - int actual_name_size, +get_unspecified_device_guid(const int device_number, uint8_t *actual_name, int actual_name_size, const struct tap_reg *tap_reg_src, const struct panel_reg *panel_reg_src, - enum tun_driver_type *windows_driver, - struct gc_arena *gc) + enum tun_driver_type *windows_driver, struct gc_arena *gc) { const struct tap_reg *tap_reg = tap_reg_src; struct buffer actual = clear_buf(); @@ -4411,13 +4210,9 @@ get_unspecified_device_guid(const int device_number, * returning the GUID and optional actual_name and device type */ static const char * -get_device_guid(const char *name, - uint8_t *actual_name, - int actual_name_size, - enum tun_driver_type *windows_driver, - const struct tap_reg *tap_reg, - const struct panel_reg *panel_reg, - struct gc_arena *gc) +get_device_guid(const char *name, uint8_t *actual_name, int actual_name_size, + enum tun_driver_type *windows_driver, const struct tap_reg *tap_reg, + const struct panel_reg *panel_reg, struct gc_arena *gc) { struct buffer ret = alloc_buf_gc(256, gc); struct buffer actual = clear_buf(); 
@@ -4487,17 +4282,15 @@ get_adapter_info_list(struct gc_arena *gc) if ((status = GetAdaptersInfo(NULL, &size)) != ERROR_BUFFER_OVERFLOW) { - msg(M_INFO, "GetAdaptersInfo #1 failed (status=%u) : %s", - (unsigned int)status, + msg(M_INFO, "GetAdaptersInfo #1 failed (status=%u) : %s", (unsigned int)status, strerror_win32(status, gc)); } else { - pi = (PIP_ADAPTER_INFO) gc_malloc(size, false, gc); + pi = (PIP_ADAPTER_INFO)gc_malloc(size, false, gc); if ((status = GetAdaptersInfo(pi, &size)) != NO_ERROR) { - msg(M_INFO, "GetAdaptersInfo #2 failed (status=%u) : %s", - (unsigned int)status, + msg(M_INFO, "GetAdaptersInfo #2 failed (status=%u) : %s", (unsigned int)status, strerror_win32(status, gc)); pi = NULL; } @@ -4516,21 +4309,19 @@ get_per_adapter_info(const DWORD index, struct gc_arena *gc) { if ((status = GetPerAdapterInfo(index, NULL, &size)) != ERROR_BUFFER_OVERFLOW) { - msg(M_INFO, "GetPerAdapterInfo #1 failed (status=%u) : %s", - (unsigned int)status, + msg(M_INFO, "GetPerAdapterInfo #1 failed (status=%u) : %s", (unsigned int)status, strerror_win32(status, gc)); } else { - pi = (PIP_PER_ADAPTER_INFO) gc_malloc(size, false, gc); + pi = (PIP_PER_ADAPTER_INFO)gc_malloc(size, false, gc); if ((status = GetPerAdapterInfo((ULONG)index, pi, &size)) == ERROR_SUCCESS) { return pi; } else { - msg(M_INFO, "GetPerAdapterInfo #2 failed (status=%u) : %s", - (unsigned int)status, + msg(M_INFO, "GetPerAdapterInfo #2 failed (status=%u) : %s", (unsigned int)status, strerror_win32(status, gc)); } } 
@@ -4547,21 +4338,19 @@ get_interface_info_list(struct gc_arena *gc) if ((status = GetInterfaceInfo(NULL, &size)) != ERROR_INSUFFICIENT_BUFFER) { - msg(M_INFO, "GetInterfaceInfo #1 failed (status=%u) : %s", - (unsigned int)status, + msg(M_INFO, "GetInterfaceInfo #1 failed (status=%u) : %s", (unsigned int)status, strerror_win32(status, gc)); } else { - ii = (PIP_INTERFACE_INFO) gc_malloc(size, false, gc); + ii = (PIP_INTERFACE_INFO)gc_malloc(size, false, gc); if ((status = GetInterfaceInfo(ii, &size)) == NO_ERROR) { return ii; } else { - msg(M_INFO, "GetInterfaceInfo #2 failed (status=%u) : %s", - (unsigned int)status, + msg(M_INFO, "GetInterfaceInfo #2 failed (status=%u) : %s", (unsigned int)status, strerror_win32(status, gc)); } } @@ -4749,7 +4538,6 @@ is_adapter_up(const struct tuntap *tt, const IP_ADAPTER_INFO *list) else { ret = true; /* this can occur when TAP adapter is bridged */ - } return ret; } @@ -4773,7 +4561,8 @@ is_ip_in_adapter_subnet(const IP_ADAPTER_INFO *ai, const in_addr_t ip, in_addr_t in_addr_t adapter_ip, adapter_netmask; if (get_adapter_ip_netmask(ai, i, &adapter_ip, &adapter_netmask)) { - if (adapter_ip && adapter_netmask && (ip & adapter_netmask) == (adapter_ip & adapter_netmask)) + if (adapter_ip && adapter_netmask + && (ip & adapter_netmask) == (adapter_ip & adapter_netmask)) { if (highest_netmask && adapter_netmask > *highest_netmask) { @@ -4788,10 +4577,7 @@ is_ip_in_adapter_subnet(const IP_ADAPTER_INFO *ai, const in_addr_t ip, in_addr_t } DWORD -adapter_index_of_ip(const IP_ADAPTER_INFO *list, - const in_addr_t ip, - int *count, - in_addr_t *netmask) +adapter_index_of_ip(const IP_ADAPTER_INFO *list, const in_addr_t ip, int *count, in_addr_t *netmask) { struct gc_arena gc = gc_new(); DWORD ret = TUN_ADAPTER_INDEX_INVALID; 
@@ -4842,11 +4628,8 @@ adapter_index_of_ip(const IP_ADAPTER_INFO *list, } dmsg(D_ROUTE_DEBUG, "DEBUG: IP Locate: ip=%s nm=%s index=%d count=%d metric=%d", - print_in_addr_t(ip, 0, &gc), - print_in_addr_t(highest_netmask, 0, &gc), - (int)ret, - count ? *count : -1, - lowest_metric); + print_in_addr_t(ip, 0, &gc), print_in_addr_t(highest_netmask, 0, &gc), (int)ret, + count ? *count : -1, lowest_metric); if (ret == TUN_ADAPTER_INDEX_INVALID && count) { @@ -4867,9 +4650,9 @@ adapter_index_of_ip(const IP_ADAPTER_INFO *list, * is DHCP disabled. */ -#define DHCP_STATUS_UNDEF 0 -#define DHCP_STATUS_ENABLED 1 -#define DHCP_STATUS_DISABLED 2 +#define DHCP_STATUS_UNDEF 0 +#define DHCP_STATUS_ENABLED 1 +#define DHCP_STATUS_DISABLED 2 static int dhcp_status(DWORD index) @@ -4914,22 +4697,19 @@ delete_temp_addresses(DWORD index) DWORD status; const DWORD context = ip->Context; - if ((status = DeleteIPAddress((ULONG) context)) == NO_ERROR) + if ((status = DeleteIPAddress((ULONG)context)) == NO_ERROR) { msg(M_INFO, "Successfully deleted previously set dynamic IP/netmask: %s/%s", - ip->IpAddress.String, - ip->IpMask.String); + ip->IpAddress.String, ip->IpMask.String); } else { const char *empty = "0.0.0.0"; - if (strcmp(ip->IpAddress.String, empty) - || strcmp(ip->IpMask.String, empty)) + if (strcmp(ip->IpAddress.String, empty) || strcmp(ip->IpMask.String, empty)) { - msg(M_INFO, "NOTE: could not delete previously set dynamic IP/netmask: %s/%s (status=%u)", - ip->IpAddress.String, - ip->IpMask.String, - (unsigned int)status); + msg(M_INFO, + "NOTE: could not delete previously set dynamic IP/netmask: %s/%s (status=%u)", + ip->IpAddress.String, ip->IpMask.String, (unsigned int)status); } } ip = ip->Next; 
@@ -5099,7 +4879,7 @@ tap_allow_nonadmin_access_handle(const char *device_path, HANDLE hand) } else { - msg(M_INFO|M_NOPREFIX, "TAP-Windows device: %s [Non-admin access allowed]", device_path); + msg(M_INFO | M_NOPREFIX, "TAP-Windows device: %s [Non-admin access allowed]", device_path); } } @@ -5119,7 +4899,8 @@ tap_allow_nonadmin_access(const char *dev_node) if (dev_node) { /* Get the device GUID for the device specified with --dev-node. */ - device_guid = get_device_guid(dev_node, actual_buffer, sizeof(actual_buffer), NULL, tap_reg, panel_reg, &gc); + device_guid = get_device_guid(dev_node, actual_buffer, sizeof(actual_buffer), NULL, tap_reg, + panel_reg, &gc); if (!device_guid) { @@ -5127,20 +4908,11 @@ tap_allow_nonadmin_access(const char *dev_node) } /* Open Windows TAP-Windows adapter */ - snprintf(device_path, sizeof(device_path), "%s%s%s", - USERMODEDEVICEDIR, - device_guid, + snprintf(device_path, sizeof(device_path), "%s%s%s", USERMODEDEVICEDIR, device_guid, TAP_WIN_SUFFIX); - hand = CreateFile( - device_path, - MAXIMUM_ALLOWED, - 0, /* was: FILE_SHARE_READ */ - 0, - OPEN_EXISTING, - FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, - 0 - ); + hand = CreateFile(device_path, MAXIMUM_ALLOWED, 0, /* was: FILE_SHARE_READ */ + 0, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, 0); if (hand == INVALID_HANDLE_VALUE) { @@ -5157,13 +4929,8 @@ tap_allow_nonadmin_access(const char *dev_node) /* Try opening all TAP devices */ while (true) { - device_guid = get_unspecified_device_guid(device_number, - actual_buffer, - sizeof(actual_buffer), - tap_reg, - panel_reg, - NULL, - &gc); + device_guid = get_unspecified_device_guid( + device_number, actual_buffer, sizeof(actual_buffer), tap_reg, panel_reg, NULL, &gc); if (!device_guid) { 
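Review bot: In the tap_allow_nonadmin_access hunk the reflowed call now reads `CreateFile(device_path, MAXIMUM_ALLOWED, 0, /* was: FILE_SHARE_READ */` with `0, OPEN_EXISTING, ...` on the following line, so the comment that documented the dwShareMode argument now visually precedes the lpSecurityAttributes argument. Placing the note on its own line above the call, `/* dwShareMode 0 (was: FILE_SHARE_READ) */`, or binding the value to a named local before the call keeps the intent readable after the reflow. The same placement appears in the second CreateFile call in the next tap_allow_nonadmin_access hunk. The function's body continues outside both hunks.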
@@ -5171,20 +4938,11 @@ tap_allow_nonadmin_access(const char *dev_node) } /* Open Windows TAP-Windows adapter */ - snprintf(device_path, sizeof(device_path), "%s%s%s", - USERMODEDEVICEDIR, - device_guid, + snprintf(device_path, sizeof(device_path), "%s%s%s", USERMODEDEVICEDIR, device_guid, TAP_WIN_SUFFIX); - hand = CreateFile( - device_path, - MAXIMUM_ALLOWED, - 0, /* was: FILE_SHARE_READ */ - 0, - OPEN_EXISTING, - FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, - 0 - ); + hand = CreateFile(device_path, MAXIMUM_ALLOWED, 0, /* was: FILE_SHARE_READ */ + 0, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, 0); if (hand == INVALID_HANDLE_VALUE) { @@ -5222,9 +4980,9 @@ dhcp_release_by_adapter_index(const DWORD adapter_index) } else { - msg(M_WARN, "NOTE: Release of DHCP-assigned IP address lease on TAP-Windows adapter failed: %s (code=%u)", - strerror_win32(status, &gc), - (unsigned int)status); + msg(M_WARN, + "NOTE: Release of DHCP-assigned IP address lease on TAP-Windows adapter failed: %s (code=%u)", + strerror_win32(status, &gc), (unsigned int)status); } } @@ -5235,7 +4993,8 @@ dhcp_release_by_adapter_index(const DWORD adapter_index) static bool dhcp_release(const struct tuntap *tt) { - if (tt && tt->options.ip_win32_type == IPW32_SET_DHCP_MASQ && tt->adapter_index != TUN_ADAPTER_INDEX_INVALID) + if (tt && tt->options.ip_win32_type == IPW32_SET_DHCP_MASQ + && tt->adapter_index != TUN_ADAPTER_INDEX_INVALID) { return dhcp_release_by_adapter_index(tt->adapter_index); } @@ -5262,9 +5021,9 @@ dhcp_renew_by_adapter_index(const DWORD adapter_index) } else { - msg(M_WARN, "WARNING: Failed to renew DHCP IP address lease on TAP-Windows adapter: %s (code=%u)", - strerror_win32(status, &gc), - (unsigned int)status); + msg(M_WARN, + "WARNING: Failed to renew DHCP IP address lease on TAP-Windows adapter: %s (code=%u)", + strerror_win32(status, &gc), (unsigned int)status); } } gc_free(&gc); 
@@ -5274,7 +5033,8 @@ dhcp_renew_by_adapter_index(const DWORD adapter_index) static bool dhcp_renew(const struct tuntap *tt) { - if (tt && tt->options.ip_win32_type == IPW32_SET_DHCP_MASQ && tt->adapter_index != TUN_ADAPTER_INDEX_INVALID) + if (tt && tt->options.ip_win32_type == IPW32_SET_DHCP_MASQ + && tt->adapter_index != TUN_ADAPTER_INDEX_INVALID) { return dhcp_renew_by_adapter_index(tt->adapter_index); } @@ -5320,15 +5080,11 @@ ipconfig_register_dns(const struct env_set *es) msg(D_TUNTAP_INFO, "Start ipconfig commands for register-dns..."); netcmd_semaphore_lock(); - argv_printf(&argv, "%s%s /flushdns", - get_win_sys_path(), - WIN_IPCONFIG_PATH_SUFFIX); + argv_printf(&argv, "%s%s /flushdns", get_win_sys_path(), WIN_IPCONFIG_PATH_SUFFIX); argv_msg(D_TUNTAP_INFO, &argv); openvpn_execve_check(&argv, es, 0, err); - argv_printf(&argv, "%s%s /registerdns", - get_win_sys_path(), - WIN_IPCONFIG_PATH_SUFFIX); + argv_printf(&argv, "%s%s /registerdns", get_win_sys_path(), WIN_IPCONFIG_PATH_SUFFIX); argv_msg(D_TUNTAP_INFO, &argv); openvpn_execve_check(&argv, es, 0, err); argv_free(&argv); 
@@ -5429,34 +5185,28 @@ ip_addr_member_of(const in_addr_t addr, const IP_ADDR_STRING *ias) * are cleared first. */ static void -netsh_set_dns6_servers(const struct in6_addr *addr_list, - const int addr_len, - DWORD adapter_index) +netsh_set_dns6_servers(const struct in6_addr *addr_list, const int addr_len, DWORD adapter_index) { struct gc_arena gc = gc_new(); struct argv argv = argv_new(); /* delete existing DNS settings from TAP interface */ - argv_printf(&argv, "%s%s interface ipv6 delete dns %lu all", - get_win_sys_path(), - NETSH_PATH_SUFFIX, - adapter_index); + argv_printf(&argv, "%s%s interface ipv6 delete dns %lu all", get_win_sys_path(), + NETSH_PATH_SUFFIX, adapter_index); netsh_command(&argv, 2, M_FATAL); for (int i = 0; i < addr_len; ++i) { - const char *fmt = (i == 0) ? - "%s%s interface ipv6 set dns %lu static %s" - : "%s%s interface ipv6 add dns %lu %s"; - argv_printf(&argv, fmt, get_win_sys_path(), - NETSH_PATH_SUFFIX, adapter_index, + const char *fmt = (i == 0) ? "%s%s interface ipv6 set dns %lu static %s" + : "%s%s interface ipv6 add dns %lu %s"; + argv_printf(&argv, fmt, get_win_sys_path(), NETSH_PATH_SUFFIX, adapter_index, print_in6_addr(addr_list[i], 0, &gc)); /* disable slow address validation */ argv_printf_cat(&argv, "%s", "validate=no"); /* Treat errors while adding as non-fatal as we do not check for duplicates */ - netsh_command(&argv, 1, (i==0) ? M_FATAL : M_NONFATAL); + netsh_command(&argv, 1, (i == 0) ? M_FATAL : M_NONFATAL); } argv_free(&argv); @@ -5464,12 +5214,8 @@ netsh_set_dns6_servers(const struct in6_addr *addr_list, } static void -netsh_ifconfig_options(const char *type, - const in_addr_t *addr_list, - const int addr_len, - const IP_ADDR_STRING *current, - DWORD adapter_index, - const bool test_first) +netsh_ifconfig_options(const char *type, const in_addr_t *addr_list, const int addr_len, + const IP_ADDR_STRING *current, DWORD adapter_index, const bool test_first) { struct gc_arena gc = gc_new(); struct argv argv = argv_new(); 
@@ -5492,11 +5238,8 @@ netsh_ifconfig_options(const char *type, /* delete existing DNS/WINS settings from TAP interface */ if (delete_first) { - argv_printf(&argv, "%s%s interface ip delete %s %lu all", - get_win_sys_path(), - NETSH_PATH_SUFFIX, - type, - adapter_index); + argv_printf(&argv, "%s%s interface ip delete %s %lu all", get_win_sys_path(), + NETSH_PATH_SUFFIX, type, adapter_index); netsh_command(&argv, 2, M_FATAL); } @@ -5508,15 +5251,10 @@ netsh_ifconfig_options(const char *type, { if (delete_first || !test_first || !ip_addr_member_of(addr_list[i], current)) { - const char *fmt = count ? - "%s%s interface ip add %s %lu %s" - : "%s%s interface ip set %s %lu static %s"; - - argv_printf(&argv, fmt, - get_win_sys_path(), - NETSH_PATH_SUFFIX, - type, - adapter_index, + const char *fmt = count ? "%s%s interface ip add %s %lu %s" + : "%s%s interface ip set %s %lu static %s"; + + argv_printf(&argv, fmt, get_win_sys_path(), NETSH_PATH_SUFFIX, type, adapter_index, print_in_addr_t(addr_list[i], 0, &gc)); /* disable slow address validation for DNS */ @@ -5531,9 +5269,7 @@ netsh_ifconfig_options(const char *type, } else { - msg(M_INFO, "NETSH: %lu %s %s [already set]", - adapter_index, - type, + msg(M_INFO, "NETSH: %lu %s %s [already set]", adapter_index, type, print_in_addr_t(addr_list[i], 0, &gc)); } } @@ -5562,11 +5298,8 @@ init_ip_addr_string2(IP_ADDR_STRING *dest, const IP_ADDR_STRING *src1, const IP_ } static void -netsh_ifconfig(const struct tuntap_options *to, - DWORD adapter_index, - const in_addr_t ip, - const in_addr_t netmask, - const unsigned int flags) +netsh_ifconfig(const struct tuntap_options *to, DWORD adapter_index, const in_addr_t ip, + const in_addr_t netmask, const unsigned int flags) { struct gc_arena gc = gc_new(); struct argv argv = argv_new(); 
@@ -5584,19 +5317,14 @@ netsh_ifconfig(const struct tuntap_options *to, { if (test_adapter_ip_netmask(ai, ip, netmask)) { - msg(M_INFO, "NETSH: %lu %s/%s [already set]", - adapter_index, - print_in_addr_t(ip, 0, &gc), - print_in_addr_t(netmask, 0, &gc)); + msg(M_INFO, "NETSH: %lu %s/%s [already set]", adapter_index, + print_in_addr_t(ip, 0, &gc), print_in_addr_t(netmask, 0, &gc)); } else { /* example: netsh interface ip set address 42 static 10.3.0.1 255.255.255.0 */ - argv_printf(&argv, "%s%s interface ip set address %lu static %s %s", - get_win_sys_path(), - NETSH_PATH_SUFFIX, - adapter_index, - print_in_addr_t(ip, 0, &gc), + argv_printf(&argv, "%s%s interface ip set address %lu static %s %s", get_win_sys_path(), + NETSH_PATH_SUFFIX, adapter_index, print_in_addr_t(ip, 0, &gc), print_in_addr_t(netmask, 0, &gc)); netsh_command(&argv, 4, M_FATAL); @@ -5610,22 +5338,14 @@ netsh_ifconfig(const struct tuntap_options *to, CLEAR(wins[0]); CLEAR(wins[1]); - netsh_ifconfig_options("dns", - to->dns, - to->dns_len, - pai ? &pai->DnsServerList : NULL, - adapter_index, - BOOL_CAST(flags & NI_TEST_FIRST)); + netsh_ifconfig_options("dns", to->dns, to->dns_len, pai ? &pai->DnsServerList : NULL, + adapter_index, BOOL_CAST(flags & NI_TEST_FIRST)); if (ai && ai->HaveWins) { init_ip_addr_string2(wins, &ai->PrimaryWinsServer, &ai->SecondaryWinsServer); } - netsh_ifconfig_options("wins", - to->wins, - to->wins_len, - ai ? wins : NULL, - adapter_index, + netsh_ifconfig_options("wins", to->wins, to->wins_len, ai ? wins : NULL, adapter_index, BOOL_CAST(flags & NI_TEST_FIRST)); } 
@@ -5639,11 +5359,8 @@ netsh_enable_dhcp(DWORD adapter_index) struct argv argv = argv_new(); /* example: netsh interface ip set address 42 dhcp */ - argv_printf(&argv, - "%s%s interface ip set address %lu dhcp", - get_win_sys_path(), - NETSH_PATH_SUFFIX, - adapter_index); + argv_printf(&argv, "%s%s interface ip set address %lu dhcp", get_win_sys_path(), + NETSH_PATH_SUFFIX, adapter_index); netsh_command(&argv, 4, M_FATAL); @@ -5659,14 +5376,8 @@ service_enable_dhcp(const struct tuntap *tt) struct gc_arena gc = gc_new(); HANDLE pipe = tt->options.msg_channel; - enable_dhcp_message_t dhcp = { - .header = { - msg_enable_dhcp, - sizeof(enable_dhcp_message_t), - 0 - }, - .iface = { .index = tt->adapter_index, .name = "" } - }; + enable_dhcp_message_t dhcp = { .header = { msg_enable_dhcp, sizeof(enable_dhcp_message_t), 0 }, + .iface = { .index = tt->adapter_index, .name = "" } }; if (!send_msg_iservice(pipe, &dhcp, sizeof(dhcp), &ack, "Enable_dhcp")) { @@ -5690,8 +5401,7 @@ out: } static void -windows_set_mtu(const int iface_index, const short family, - const int mtu) +windows_set_mtu(const int iface_index, const short family, const int mtu) { DWORD err = 0; struct gc_arena gc = gc_new(); @@ -5702,7 +5412,8 @@ windows_set_mtu(const int iface_index, const short family, ipiface.InterfaceIndex = iface_index; if (family == AF_INET6 && mtu < 1280) { - msg(M_INFO, "NOTE: IPv6 interface MTU < 1280 conflicts with IETF standards and might not work"); + msg(M_INFO, + "NOTE: IPv6 interface MTU < 1280 conflicts with IETF standards and might not work"); } err = GetIpInterfaceEntry(&ipiface); 
@@ -5718,12 +5429,13 @@ windows_set_mtu(const int iface_index, const short family, if (err != NO_ERROR) { - msg(M_WARN, "TUN: Setting %s mtu failed: %s [status=%lu if_index=%d]", - family_name, strerror_win32(err, &gc), err, iface_index); + msg(M_WARN, "TUN: Setting %s mtu failed: %s [status=%lu if_index=%d]", family_name, + strerror_win32(err, &gc), err, iface_index); } else { - msg(M_INFO, "%s MTU set to %d on interface %d using SetIpInterfaceEntry()", family_name, mtu, iface_index); + msg(M_INFO, "%s MTU set to %d on interface %d using SetIpInterfaceEntry()", family_name, + mtu, iface_index); } } @@ -5743,13 +5455,16 @@ netsh_get_id(const char *dev_node, struct gc_arena *gc) if (dev_node) { - guid = get_device_guid(dev_node, BPTR(&actual), BCAP(&actual), NULL, tap_reg, panel_reg, gc); + guid = + get_device_guid(dev_node, BPTR(&actual), BCAP(&actual), NULL, tap_reg, panel_reg, gc); } else { - guid = get_unspecified_device_guid(0, BPTR(&actual), BCAP(&actual), tap_reg, panel_reg, NULL, gc); + guid = get_unspecified_device_guid(0, BPTR(&actual), BCAP(&actual), tap_reg, panel_reg, + NULL, gc); - if (get_unspecified_device_guid(1, NULL, 0, tap_reg, panel_reg, NULL, gc)) /* ambiguous if more than one TAP-Windows adapter */ + if (get_unspecified_device_guid(1, NULL, 0, tap_reg, panel_reg, NULL, + gc)) /* ambiguous if more than one TAP-Windows adapter */ { guid = NULL; } @@ -5757,7 +5472,7 @@ netsh_get_id(const char *dev_node, struct gc_arena *gc) if (!guid) { - return "NULL"; /* not found */ + return "NULL"; /* not found */ } else if (strcmp(BSTR(&actual), "NULL")) { @@ -5765,7 +5480,7 @@ netsh_get_id(const char *dev_node, struct gc_arena *gc) } else { - return guid; /* no control panel name, return GUID instead */ + return guid; /* no control panel name, return GUID instead */ } } 
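Review bot: In the netsh_get_id hunk the trailing comment `/* ambiguous if more than one TAP-Windows adapter */` now sits on the continuation line `gc))` after clang-format wrapped the condition, which reads as if it documents the last argument rather than the check as a whole. Moving the comment onto its own line above the `if`, `/* ambiguous if more than one TAP-Windows adapter */`, lets the call fit on one line and keeps the explanation attached to the condition it describes. netsh_get_id's body starts outside the hunk.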
@@ -5788,13 +5503,10 @@ tun_standby(struct tuntap *tt) if (tt->standby_iter == IPW32_SET_ADAPTIVE_TRY_NETSH) { msg(M_INFO, "NOTE: now trying netsh (this may take some time)"); - netsh_ifconfig(&tt->options, - tt->adapter_index, - tt->local, - tt->adapter_netmask, - NI_TEST_FIRST|NI_IP_NETMASK|NI_OPTIONS); + netsh_ifconfig(&tt->options, tt->adapter_index, tt->local, tt->adapter_netmask, + NI_TEST_FIRST | NI_IP_NETMASK | NI_OPTIONS); } - else if (tt->standby_iter >= IPW32_SET_ADAPTIVE_TRY_NETSH*2) + else if (tt->standby_iter >= IPW32_SET_ADAPTIVE_TRY_NETSH * 2) { ret = false; } @@ -5822,7 +5534,8 @@ write_dhcp_u8(struct buffer *buf, const int type, const int data, bool *error) } static void -write_dhcp_u32_array(struct buffer *buf, const int type, const uint32_t *data, const unsigned int len, bool *error) +write_dhcp_u32_array(struct buffer *buf, const int type, const uint32_t *data, + const unsigned int len, bool *error) { if (len > 0) { @@ -5890,7 +5603,7 @@ write_dhcp_search_str(struct buffer *buf, const int type, const char *const *str for (i = 0; i < array_len; i++) { - const char *ptr = str_array[i]; + const char *ptr = str_array[i]; if (strlen(ptr) + len + 1 > sizeof(tmp_buf)) { @@ -5909,7 +5622,7 @@ write_dhcp_search_str(struct buffer *buf, const int type, const char *const *str { if (*ptr == '.' || *ptr == '\0') { - tmp_buf[label_length_pos] = (len-label_length_pos)-1; + tmp_buf[label_length_pos] = (len - label_length_pos) - 1; label_length_pos = len; if (*ptr == '\0') { @@ -5966,9 +5679,7 @@ build_dhcp_options_string(struct buffer *buf, const struct tuntap_options *o) if (o->domain_search_list_len > 0) { - write_dhcp_search_str(buf, 119, o->domain_search_list, - o->domain_search_list_len, - &error); + write_dhcp_search_str(buf, 119, o->domain_search_list, o->domain_search_list_len, &error); } /* the MS DHCP server option 'Disable Netbios-over-TCP/IP 
@@ -5981,10 +5692,10 @@ build_dhcp_options_string(struct buffer *buf, const struct tuntap_options *o) msg(M_WARN, "build_dhcp_options_string: buffer overflow building DHCP options"); return false; } - buf_write_u8(buf, 43); - buf_write_u8(buf, 6);/* total length field */ - buf_write_u8(buf, 0x001); - buf_write_u8(buf, 4);/* length of the vendor specified field */ + buf_write_u8(buf, 43); + buf_write_u8(buf, 6); /* total length field */ + buf_write_u8(buf, 0x001); + buf_write_u8(buf, 4); /* length of the vendor specified field */ buf_write_u32(buf, 0x002); } return !error; @@ -6081,7 +5792,9 @@ dhcp_masq_addr(const in_addr_t local, const in_addr_t netmask, const int offset) if (dsa == local) { - msg(M_FATAL, "ERROR: There is a clash between the --ifconfig local address and the internal DHCP server address -- both are set to %s -- please use the --ip-win32 dynamic option to choose a different free address from the --ifconfig subnet for the internal DHCP server", print_in_addr_t(dsa, 0, &gc)); + msg(M_FATAL, + "ERROR: There is a clash between the --ifconfig local address and the internal DHCP server address -- both are set to %s -- please use the --ip-win32 dynamic option to choose a different free address from the --ifconfig subnet for the internal DHCP server", + print_in_addr_t(dsa, 0, &gc)); } if ((local & netmask) != (dsa & netmask)) 
@@ -6099,38 +5812,38 @@ tuntap_get_version_info(const struct tuntap *tt) ULONG info[3]; DWORD len; CLEAR(info); - if (DeviceIoControl(tt->hand, TAP_WIN_IOCTL_GET_VERSION, - &info, sizeof(info), - &info, sizeof(info), &len, NULL)) + if (DeviceIoControl(tt->hand, TAP_WIN_IOCTL_GET_VERSION, &info, sizeof(info), &info, + sizeof(info), &len, NULL)) { - msg(D_TUNTAP_INFO, "TAP-Windows Driver Version %d.%d %s", - (int)info[0], - (int)info[1], + msg(D_TUNTAP_INFO, "TAP-Windows Driver Version %d.%d %s", (int)info[0], (int)info[1], (info[2] ? "(DEBUG)" : "")); - } if (!(info[0] == TAP_WIN_MIN_MAJOR && info[1] >= TAP_WIN_MIN_MINOR)) { - msg(M_FATAL, "ERROR: This version of " PACKAGE_NAME " requires a TAP-Windows driver that is at least version %d.%d -- If you recently upgraded your " PACKAGE_NAME " distribution, a reboot is probably required at this point to get Windows to see the new driver.", - TAP_WIN_MIN_MAJOR, - TAP_WIN_MIN_MINOR); + msg(M_FATAL, + "ERROR: This version of " PACKAGE_NAME + " requires a TAP-Windows driver that is at least version %d.%d -- If you recently upgraded your " PACKAGE_NAME + " distribution, a reboot is probably required at this point to get Windows to see the new driver.", + TAP_WIN_MIN_MAJOR, TAP_WIN_MIN_MINOR); } /* usage of numeric constants is ugly, but this is really tied to * *this* version of the driver */ - if (tt->type == DEV_TYPE_TUN - && info[0] == 9 && info[1] < 8) + if (tt->type == DEV_TYPE_TUN && info[0] == 9 && info[1] < 8) { - msg(M_INFO, "WARNING: Tap-Win32 driver version %d.%d does not support IPv6 in TUN mode. IPv6 will not work. Upgrade your Tap-Win32 driver.", (int)info[0], (int)info[1]); + msg(M_INFO, + "WARNING: Tap-Win32 driver version %d.%d does not support IPv6 in TUN mode. IPv6 will not work. 
Upgrade your Tap-Win32 driver.",
+ (int)info[0], (int)info[1]);
}
/* tap driver 9.8 (2.2.0 and 2.2.1 release) is buggy */
- if (tt->type == DEV_TYPE_TUN
- && info[0] == 9 && info[1] == 8)
+ if (tt->type == DEV_TYPE_TUN && info[0] == 9 && info[1] == 8)
{
- msg(M_FATAL, "ERROR: Tap-Win32 driver version %d.%d is buggy regarding small IPv4 packets in TUN mode. Upgrade your Tap-Win32 driver.", (int)info[0], (int)info[1]);
+ msg(M_FATAL,
+ "ERROR: Tap-Win32 driver version %d.%d is buggy regarding small IPv4 packets in TUN mode. Upgrade your Tap-Win32 driver.",
+ (int)info[0], (int)info[1]);
}
}
@@ -6139,43 +5852,33 @@ tuntap_get_mtu(struct tuntap *tt) { ULONG mtu = 0; DWORD len; - if (DeviceIoControl(tt->hand, TAP_WIN_IOCTL_GET_MTU, - &mtu, sizeof(mtu), - &mtu, sizeof(mtu), &len, NULL)) + if (DeviceIoControl(tt->hand, TAP_WIN_IOCTL_GET_MTU, &mtu, sizeof(mtu), &mtu, sizeof(mtu), &len, + NULL)) { msg(D_MTU_INFO, "TAP-Windows MTU=%d", (int)mtu); } } static void -tuntap_set_ip_addr(struct tuntap *tt, - const char *device_guid, - bool dhcp_masq_post) +tuntap_set_ip_addr(struct tuntap *tt, const char *device_guid, bool dhcp_masq_post) { struct gc_arena gc = gc_new(); const DWORD index = tt->adapter_index; /* flush arp cache */ - if (tt->backend_driver == WINDOWS_DRIVER_TAP_WINDOWS6 - && index != TUN_ADAPTER_INDEX_INVALID) + if (tt->backend_driver == WINDOWS_DRIVER_TAP_WINDOWS6 && index != TUN_ADAPTER_INDEX_INVALID) { DWORD status = -1; if (tt->options.msg_channel) { ack_message_t ack; - flush_neighbors_message_t msg = { - .header = { - msg_flush_neighbors, - sizeof(flush_neighbors_message_t), - 0 - }, - .family = AF_INET, - .iface = {.index = index, .name = "" } - }; - - if (send_msg_iservice(tt->options.msg_channel, &msg, sizeof(msg), - &ack, "TUN")) + flush_neighbors_message_t msg = { .header = { msg_flush_neighbors, + sizeof(flush_neighbors_message_t), 0 }, + .family = AF_INET, + .iface = { .index = index, .name = "" } }; + + if (send_msg_iservice(tt->options.msg_channel, &msg, sizeof(msg), &ack, "TUN")) { status = ack.error_number; } 
@@ -6187,17 +5890,13 @@ tuntap_set_ip_addr(struct tuntap *tt, if (status == NO_ERROR) { - msg(M_INFO, "Successful ARP Flush on interface [%lu] %s", - index, - device_guid); + msg(M_INFO, "Successful ARP Flush on interface [%lu] %s", index, device_guid); } else if (status != -1) { - msg(D_TUNTAP_INFO, "NOTE: FlushIpNetTable failed on interface [%lu] %s (status=%lu) : %s", - index, - device_guid, - status, - strerror_win32(status, &gc)); + msg(D_TUNTAP_INFO, + "NOTE: FlushIpNetTable failed on interface [%lu] %s (status=%lu) : %s", index, + device_guid, status, strerror_win32(status, &gc)); } /* @@ -6210,7 +5909,8 @@ tuntap_set_ip_addr(struct tuntap *tt, /* check dhcp enable status */ if (dhcp_status(index) == DHCP_STATUS_DISABLED) { - msg(M_WARN, "WARNING: You have selected '--ip-win32 dynamic', which will not work unless the TAP-Windows TCP/IP properties are set to 'Obtain an IP address automatically'"); + msg(M_WARN, + "WARNING: You have selected '--ip-win32 dynamic', which will not work unless the TAP-Windows TCP/IP properties are set to 'Obtain an IP address automatically'"); } /* force an explicit DHCP lease renewal on TAP adapter? */ 
@@ -6232,20 +5932,21 @@ tuntap_set_ip_addr(struct tuntap *tt, if (tt->did_ifconfig_setup && tt->options.ip_win32_type == IPW32_SET_IPAPI) { DWORD status; - const char *error_suffix = "I am having trouble using the Windows 'IP helper API' to automatically set the IP address -- consider using other --ip-win32 methods (not 'ipapi')"; + const char *error_suffix = + "I am having trouble using the Windows 'IP helper API' to automatically set the IP address -- consider using other --ip-win32 methods (not 'ipapi')"; /* couldn't get adapter index */ if (index == TUN_ADAPTER_INDEX_INVALID) { - msg(M_FATAL, "ERROR: unable to get adapter index for interface %s -- %s", - device_guid, + msg(M_FATAL, "ERROR: unable to get adapter index for interface %s -- %s", device_guid, error_suffix); } /* check dhcp enable status */ if (dhcp_status(index) == DHCP_STATUS_DISABLED) { - msg(M_WARN, "NOTE: You have selected (explicitly or by default) '--ip-win32 ipapi', which has a better chance of working correctly if the TAP-Windows TCP/IP properties are set to 'Obtain an IP address automatically'"); + msg(M_WARN, + "NOTE: You have selected (explicitly or by default) '--ip-win32 ipapi', which has a better chance of working correctly if the TAP-Windows TCP/IP properties are set to 'Obtain an IP address automatically'"); } /* delete previously added IP addresses which were not 
@@ -6253,28 +5954,21 @@ tuntap_set_ip_addr(struct tuntap *tt, delete_temp_addresses(index); /* add a new IP address */ - if ((status = AddIPAddress(htonl(tt->local), - htonl(tt->adapter_netmask), - index, - &tt->ipapi_context, - &tt->ipapi_instance)) == NO_ERROR) - { - msg(M_INFO, "Succeeded in adding a temporary IP/netmask of %s/%s to interface %s using the Win32 IP Helper API", - print_in_addr_t(tt->local, 0, &gc), - print_in_addr_t(tt->adapter_netmask, 0, &gc), - device_guid - ); + if ((status = AddIPAddress(htonl(tt->local), htonl(tt->adapter_netmask), index, + &tt->ipapi_context, &tt->ipapi_instance)) + == NO_ERROR) + { + msg(M_INFO, + "Succeeded in adding a temporary IP/netmask of %s/%s to interface %s using the Win32 IP Helper API", + print_in_addr_t(tt->local, 0, &gc), print_in_addr_t(tt->adapter_netmask, 0, &gc), + device_guid); } else { - msg(M_FATAL, "ERROR: AddIPAddress %s/%s failed on interface %s, index=%lu, status=%lu (windows error: '%s') -- %s", - print_in_addr_t(tt->local, 0, &gc), - print_in_addr_t(tt->adapter_netmask, 0, &gc), - device_guid, - index, - status, - strerror_win32(status, &gc), - error_suffix); + msg(M_FATAL, + "ERROR: AddIPAddress %s/%s failed on interface %s, index=%lu, status=%lu (windows error: '%s') -- %s", + print_in_addr_t(tt->local, 0, &gc), print_in_addr_t(tt->adapter_netmask, 0, &gc), + device_guid, index, status, strerror_win32(status, &gc), error_suffix); } tt->ipapi_context_defined = true; } 
@@ -6287,11 +5981,11 @@ tuntap_set_connected(const struct tuntap *tt) { ULONG status = TRUE; DWORD len; - if (!DeviceIoControl(tt->hand, TAP_WIN_IOCTL_SET_MEDIA_STATUS, - &status, sizeof(status), - &status, sizeof(status), &len, NULL)) + if (!DeviceIoControl(tt->hand, TAP_WIN_IOCTL_SET_MEDIA_STATUS, &status, sizeof(status), &status, + sizeof(status), &len, NULL)) { - msg(M_WARN, "WARNING: The TAP-Windows driver rejected a TAP_WIN_IOCTL_SET_MEDIA_STATUS DeviceIoControl call."); + msg(M_WARN, + "WARNING: The TAP-Windows driver rejected a TAP_WIN_IOCTL_SET_MEDIA_STATUS DeviceIoControl call."); } int s = tt->options.tap_sleep; @@ -6325,17 +6019,16 @@ tuntap_set_ptp(const struct tuntap *tt) ep[1] = htonl(tt->local & tt->remote_netmask); ep[2] = htonl(tt->remote_netmask); - status = DeviceIoControl(tt->hand, TAP_WIN_IOCTL_CONFIG_TUN, - ep, sizeof(ep), - ep, sizeof(ep), &len, NULL); + status = DeviceIoControl(tt->hand, TAP_WIN_IOCTL_CONFIG_TUN, ep, sizeof(ep), ep, sizeof(ep), + &len, NULL); if (tt->did_ifconfig_setup) { - msg(status ? M_INFO : M_FATAL, "Set TAP-Windows TUN subnet mode network/local/netmask = %s/%s/%s [%s]", + msg(status ? M_INFO : M_FATAL, + "Set TAP-Windows TUN subnet mode network/local/netmask = %s/%s/%s [%s]", print_in_addr_t(ep[1], IA_NET_ORDER, &gc), print_in_addr_t(ep[0], IA_NET_ORDER, &gc), - print_in_addr_t(ep[2], IA_NET_ORDER, &gc), - status ? "SUCCEEDED" : "FAILED"); + print_in_addr_t(ep[2], IA_NET_ORDER, &gc), status ? "SUCCEEDED" : "FAILED"); } else { 
@@ -6349,11 +6042,11 @@ tuntap_set_ptp(const struct tuntap *tt) ep[0] = htonl(tt->local); ep[1] = htonl(tt->remote_netmask); - if (!DeviceIoControl(tt->hand, TAP_WIN_IOCTL_CONFIG_POINT_TO_POINT, - ep, sizeof(ep), - ep, sizeof(ep), &len, NULL)) + if (!DeviceIoControl(tt->hand, TAP_WIN_IOCTL_CONFIG_POINT_TO_POINT, ep, sizeof(ep), ep, + sizeof(ep), &len, NULL)) { - msg(M_FATAL, "ERROR: The TAP-Windows driver rejected a DeviceIoControl call to set Point-to-Point mode, which is required for --dev tun"); + msg(M_FATAL, + "ERROR: The TAP-Windows driver rejected a DeviceIoControl call to set Point-to-Point mode, which is required for --dev tun"); } } @@ -6376,7 +6069,9 @@ tuntap_dhcp_mask(const struct tuntap *tt, const char *device_guid) { if (tt->topology == TOP_SUBNET) { - ep[2] = dhcp_masq_addr(tt->local, tt->remote_netmask, tt->options.dhcp_masq_custom_offset ? tt->options.dhcp_masq_offset : 0); + ep[2] = dhcp_masq_addr( + tt->local, tt->remote_netmask, + tt->options.dhcp_masq_custom_offset ? tt->options.dhcp_masq_offset : 0); } else { @@ -6386,7 +6081,9 @@ tuntap_dhcp_mask(const struct tuntap *tt, const char *device_guid) else { ASSERT(tt->type == DEV_TYPE_TAP); - ep[2] = dhcp_masq_addr(tt->local, tt->adapter_netmask, tt->options.dhcp_masq_custom_offset ? tt->options.dhcp_masq_offset : 0); + ep[2] = + dhcp_masq_addr(tt->local, tt->adapter_netmask, + tt->options.dhcp_masq_custom_offset ? tt->options.dhcp_masq_offset : 0); } /* lease time in seconds */ 
@@ -6395,20 +6092,17 @@ tuntap_dhcp_mask(const struct tuntap *tt, const char *device_guid) ASSERT(ep[3] > 0); #ifndef SIMULATE_DHCP_FAILED /* this code is disabled to simulate bad DHCP negotiation */ - if (!DeviceIoControl(tt->hand, TAP_WIN_IOCTL_CONFIG_DHCP_MASQ, - ep, sizeof(ep), - ep, sizeof(ep), &len, NULL)) + if (!DeviceIoControl(tt->hand, TAP_WIN_IOCTL_CONFIG_DHCP_MASQ, ep, sizeof(ep), ep, sizeof(ep), + &len, NULL)) { - msg(M_FATAL, "ERROR: The TAP-Windows driver rejected a DeviceIoControl call to set TAP_WIN_IOCTL_CONFIG_DHCP_MASQ mode"); + msg(M_FATAL, + "ERROR: The TAP-Windows driver rejected a DeviceIoControl call to set TAP_WIN_IOCTL_CONFIG_DHCP_MASQ mode"); } - msg(M_INFO, "Notified TAP-Windows driver to set a DHCP IP/netmask of %s/%s on interface %s [DHCP-serv: %s, lease-time: %d]", - print_in_addr_t(tt->local, 0, &gc), - print_in_addr_t(tt->adapter_netmask, 0, &gc), - device_guid, - print_in_addr_t(ep[2], IA_NET_ORDER, &gc), - ep[3] - ); + msg(M_INFO, + "Notified TAP-Windows driver to set a DHCP IP/netmask of %s/%s on interface %s [DHCP-serv: %s, lease-time: %d]", + print_in_addr_t(tt->local, 0, &gc), print_in_addr_t(tt->adapter_netmask, 0, &gc), + device_guid, print_in_addr_t(ep[2], IA_NET_ORDER, &gc), ep[3]); /* user-supplied DHCP options capability */ if (tt->options.dhcp_options) 
@@ -6417,11 +6111,11 @@ tuntap_dhcp_mask(const struct tuntap *tt, const char *device_guid) if (build_dhcp_options_string(&buf, &tt->options)) { msg(D_DHCP_OPT, "DHCP option string: %s", format_hex(BPTR(&buf), BLEN(&buf), 0, &gc)); - if (!DeviceIoControl(tt->hand, TAP_WIN_IOCTL_CONFIG_DHCP_SET_OPT, - BPTR(&buf), BLEN(&buf), - BPTR(&buf), BLEN(&buf), &len, NULL)) + if (!DeviceIoControl(tt->hand, TAP_WIN_IOCTL_CONFIG_DHCP_SET_OPT, BPTR(&buf), + BLEN(&buf), BPTR(&buf), BLEN(&buf), &len, NULL)) { - msg(M_FATAL, "ERROR: The TAP-Windows driver rejected a TAP_WIN_IOCTL_CONFIG_DHCP_SET_OPT DeviceIoControl call"); + msg(M_FATAL, + "ERROR: The TAP-Windows driver rejected a TAP_WIN_IOCTL_CONFIG_DHCP_SET_OPT DeviceIoControl call"); } } else @@ -6430,13 +6124,14 @@ tuntap_dhcp_mask(const struct tuntap *tt, const char *device_guid) } free_buf(&buf); } -#endif /* ifndef SIMULATE_DHCP_FAILED */ +#endif /* ifndef SIMULATE_DHCP_FAILED */ gc_free(&gc); } static bool -tun_try_open_device(struct tuntap *tt, const char *device_guid, const struct device_instance_id_interface *device_instance_id_interface) +tun_try_open_device(struct tuntap *tt, const char *device_guid, + const struct device_instance_id_interface *device_instance_id_interface) { const char *path = NULL; char tuntap_device_path[256]; @@ -6455,8 +6150,7 @@ tun_try_open_device(struct tuntap *tt, const char *device_guid, const struct dev if (tt->backend_driver == DRIVER_DCO) { char *last_sep = strrchr(dev_if->device_interface, '\\'); - if (!last_sep - || strcmp(last_sep + 1, DCO_WIN_REFERENCE_STRING) != 0) + if (!last_sep || strcmp(last_sep + 1, DCO_WIN_REFERENCE_STRING) != 0) { continue; } 
@@ -6473,25 +6167,19 @@ tun_try_open_device(struct tuntap *tt, const char *device_guid, const struct dev else { /* Open TAP-Windows */ - snprintf(tuntap_device_path, sizeof(tuntap_device_path), "%s%s%s", - USERMODEDEVICEDIR, - device_guid, - TAP_WIN_SUFFIX); + snprintf(tuntap_device_path, sizeof(tuntap_device_path), "%s%s%s", USERMODEDEVICEDIR, + device_guid, TAP_WIN_SUFFIX); path = tuntap_device_path; } msg(D_TAP_WIN_DEBUG, "Using device interface: %s", path); - tt->hand = CreateFile(path, - GENERIC_READ | GENERIC_WRITE, - 0, /* was: FILE_SHARE_READ */ - 0, - OPEN_EXISTING, - FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, - 0); + tt->hand = CreateFile(path, GENERIC_READ | GENERIC_WRITE, 0, /* was: FILE_SHARE_READ */ + 0, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, 0); if (tt->hand == INVALID_HANDLE_VALUE) { - msg(D_TUNTAP_INFO | M_ERRNO, "CreateFile failed on %s device: %s", print_tun_backend_driver(tt->backend_driver), path); + msg(D_TUNTAP_INFO | M_ERRNO, "CreateFile failed on %s device: %s", + print_tun_backend_driver(tt->backend_driver), path); return false; } @@ -6499,11 +6187,13 @@ tun_try_open_device(struct tuntap *tt, const char *device_guid, const struct dev } void -tun_open_device(struct tuntap *tt, const char *dev_node, const char **device_guid, struct gc_arena *gc) +tun_open_device(struct tuntap *tt, const char *dev_node, const char **device_guid, + struct gc_arena *gc) { const struct tap_reg *tap_reg = get_tap_reg(gc); const struct panel_reg *panel_reg = get_panel_reg(gc); - const struct device_instance_id_interface *device_instance_id_interface = get_device_instance_id_interface(gc); + const struct device_instance_id_interface *device_instance_id_interface = + get_device_instance_id_interface(gc); uint8_t actual_buffer[256]; 
@@ -6515,7 +6205,8 @@ tun_open_device(struct tuntap *tt, const char *dev_node, const char **device_gui enum tun_driver_type windows_driver = WINDOWS_DRIVER_UNSPECIFIED; /* Get the device GUID for the device specified with --dev-node. */ - *device_guid = get_device_guid(dev_node, actual_buffer, sizeof(actual_buffer), &windows_driver, tap_reg, panel_reg, gc); + *device_guid = get_device_guid(dev_node, actual_buffer, sizeof(actual_buffer), + &windows_driver, tap_reg, panel_reg, gc); if (!*device_guid) { @@ -6524,13 +6215,16 @@ tun_open_device(struct tuntap *tt, const char *dev_node, const char **device_gui if (tt->backend_driver != windows_driver) { - msg(M_FATAL, "Adapter '%s' is using %s driver, %s expected. If you want to use this device, adjust --windows-driver.", - dev_node, print_tun_backend_driver(windows_driver), print_tun_backend_driver(tt->backend_driver)); + msg(M_FATAL, + "Adapter '%s' is using %s driver, %s expected. If you want to use this device, adjust --windows-driver.", + dev_node, print_tun_backend_driver(windows_driver), + print_tun_backend_driver(tt->backend_driver)); } if (!tun_try_open_device(tt, *device_guid, device_instance_id_interface)) { - msg(M_FATAL, "Failed to open %s adapter: %s", print_tun_backend_driver(tt->backend_driver), dev_node); + msg(M_FATAL, "Failed to open %s adapter: %s", + print_tun_backend_driver(tt->backend_driver), dev_node); } } else 
@@ -6542,20 +6236,18 @@ tun_open_device(struct tuntap *tt, const char *dev_node, const char **device_gui while (true) { enum tun_driver_type windows_driver = WINDOWS_DRIVER_UNSPECIFIED; - *device_guid = get_unspecified_device_guid(device_number, - actual_buffer, - sizeof(actual_buffer), - tap_reg, - panel_reg, - &windows_driver, - gc); + *device_guid = + get_unspecified_device_guid(device_number, actual_buffer, sizeof(actual_buffer), + tap_reg, panel_reg, &windows_driver, gc); if (!*device_guid) { /* try to create an adapter a few times if we have a service pipe handle */ - if ((++adapters_created > 10) || !do_create_adapter_service(tt->options.msg_channel, tt->backend_driver)) + if ((++adapters_created > 10) + || !do_create_adapter_service(tt->options.msg_channel, tt->backend_driver)) { - msg(M_FATAL, "All %s adapters on this system are currently in use or disabled.", print_tun_backend_driver(tt->backend_driver)); + msg(M_FATAL, "All %s adapters on this system are currently in use or disabled.", + print_tun_backend_driver(tt->backend_driver)); } else { @@ -6622,10 +6314,7 @@ tuntap_set_ip_props(const struct tuntap *tt, bool *dhcp_masq, bool *dhcp_masq_po */ if (dhcp_status(tt->adapter_index) != DHCP_STATUS_ENABLED) { - netsh_ifconfig(&tt->options, - tt->adapter_index, - tt->local, - tt->adapter_netmask, + netsh_ifconfig(&tt->options, tt->adapter_index, tt->local, tt->adapter_netmask, NI_TEST_FIRST | NI_IP_NETMASK | NI_OPTIONS); } else 
@@ -6686,9 +6375,11 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun if ((tt->options.dhcp_options & DHCP_OPTIONS_DHCP_REQUIRED) && tt->backend_driver != WINDOWS_DRIVER_TAP_WINDOWS6) { - msg(M_WARN, "Some --dhcp-option or --dns options require DHCP server," + msg(M_WARN, + "Some --dhcp-option or --dns options require DHCP server," " which is not supported by the selected %s driver. They will be" - " ignored.", print_tun_backend_driver(tt->backend_driver)); + " ignored.", + print_tun_backend_driver(tt->backend_driver)); } /* dco-win already opened the device, which handle we treat as socket */ @@ -6701,11 +6392,11 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun /*netcmd_semaphore_lock ();*/ - msg( M_INFO, "open_tun"); + msg(M_INFO, "open_tun"); if (tt->type != DEV_TYPE_TAP && tt->type != DEV_TYPE_TUN) { - msg(M_FATAL|M_NOPREFIX, "Unknown virtual device type: '%s'", dev); + msg(M_FATAL | M_NOPREFIX, "Unknown virtual device type: '%s'", dev); } struct gc_arena gc = gc_new(); /* used also for device_guid allocation */ @@ -6725,10 +6416,8 @@ tap_win_getinfo(const struct tuntap *tt, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(256, gc); DWORD len; - if (DeviceIoControl(tt->hand, TAP_WIN_IOCTL_GET_INFO, - BSTR(&out), BCAP(&out), - BSTR(&out), BCAP(&out), - &len, NULL)) + if (DeviceIoControl(tt->hand, TAP_WIN_IOCTL_GET_INFO, BSTR(&out), BCAP(&out), BSTR(&out), + BCAP(&out), &len, NULL)) { return BSTR(&out); } @@ -6743,10 +6432,8 @@ tun_show_debug(struct tuntap *tt) { struct buffer out = alloc_buf(1024); DWORD len; - while (DeviceIoControl(tt->hand, TAP_WIN_IOCTL_GET_LOG_LINE, - BSTR(&out), BCAP(&out), - BSTR(&out), BCAP(&out), - &len, NULL)) + while (DeviceIoControl(tt->hand, TAP_WIN_IOCTL_GET_LOG_LINE, BSTR(&out), BCAP(&out), + BSTR(&out), BCAP(&out), &len, NULL)) { msg(D_TAP_WIN_DEBUG, "TAP-Windows: %s", BSTR(&out)); } 
@@ -6764,22 +6451,15 @@ netsh_delete_address_dns(const struct tuntap *tt, bool ipv6, struct gc_arena *gc int len = ipv6 ? tt->options.dns6_len : tt->options.dns_len; if (len > 0) { - argv_printf(&argv, - "%s%s interface %s delete dns %lu all", - get_win_sys_path(), - NETSH_PATH_SUFFIX, - ipv6 ? "ipv6" : "ipv4", - tt->adapter_index); + argv_printf(&argv, "%s%s interface %s delete dns %lu all", get_win_sys_path(), + NETSH_PATH_SUFFIX, ipv6 ? "ipv6" : "ipv4", tt->adapter_index); netsh_command(&argv, 1, M_WARN); } if (!ipv6 && tt->options.wins_len > 0) { - argv_printf(&argv, - "%s%s interface ipv4 delete winsservers %lu all", - get_win_sys_path(), - NETSH_PATH_SUFFIX, - tt->adapter_index); + argv_printf(&argv, "%s%s interface ipv4 delete winsservers %lu all", get_win_sys_path(), + NETSH_PATH_SUFFIX, tt->adapter_index); netsh_command(&argv, 1, M_WARN); } @@ -6801,13 +6481,8 @@ netsh_delete_address_dns(const struct tuntap *tt, bool ipv6, struct gc_arena *gc { ifconfig_ip_local = print_in_addr_t(tt->local, 0, gc); } - argv_printf(&argv, - "%s%s interface %s delete address %lu %s store=active", - get_win_sys_path(), - NETSH_PATH_SUFFIX, - ipv6 ? "ipv6" : "ipv4", - tt->adapter_index, - ifconfig_ip_local); + argv_printf(&argv, "%s%s interface %s delete address %lu %s store=active", get_win_sys_path(), + NETSH_PATH_SUFFIX, ipv6 ? "ipv6" : "ipv4", tt->adapter_index, ifconfig_ip_local); netsh_command(&argv, 1, M_WARN); argv_free(&argv); @@ -6885,7 +6560,8 @@ close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx) { /* We didn't do ifconfig. */ } - else if (tt->options.ip_win32_type == IPW32_SET_DHCP_MASQ || tt->options.ip_win32_type == IPW32_SET_ADAPTIVE) + else if (tt->options.ip_win32_type == IPW32_SET_DHCP_MASQ + || tt->options.ip_win32_type == IPW32_SET_ADAPTIVE) { /* We don't have to clean the configuration with DHCP. */ } 
@@ -6912,10 +6588,9 @@ close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx) DWORD status; if ((status = DeleteIPAddress(tt->ipapi_context)) != NO_ERROR) { - msg(M_WARN, "Warning: DeleteIPAddress[%u] failed on TAP-Windows adapter, status=%u : %s", - (unsigned int)tt->ipapi_context, - (unsigned int)status, - strerror_win32(status, &gc)); + msg(M_WARN, + "Warning: DeleteIPAddress[%u] failed on TAP-Windows adapter, status=%u : %s", + (unsigned int)tt->ipapi_context, (unsigned int)status, strerror_win32(status, &gc)); } } @@ -6934,17 +6609,14 @@ close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx) * Convert --ip-win32 constants between index and ascii form. */ -struct ipset_names { +struct ipset_names +{ const char *short_form; }; /* Indexed by IPW32_SET_x */ static const struct ipset_names ipset_names[] = { - {"manual"}, - {"netsh"}, - {"ipapi"}, - {"dynamic"}, - {"adaptive"} + { "manual" }, { "netsh" }, { "ipapi" }, { "dynamic" }, { "adaptive" } }; int @@ -6994,7 +6666,7 @@ ipset2ascii_all(struct gc_arena *gc) return BSTR(&out); } -#else /* generic */ +#else /* generic */ void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt, @@ -7024,4 +6696,4 @@ read_tun(struct tuntap *tt, uint8_t *buf, int len) return read(tt->fd, buf, len); } -#endif /* if defined (TARGET_ANDROID) */ +#endif /* if defined (TARGET_ANDROID) */ diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h index c53fdc00a..06fc729cd 100644 --- a/src/openvpn/tun.h +++ b/src/openvpn/tun.h @@ -40,7 +40,8 @@ #include "networking.h" #include "dco.h" -enum tun_driver_type { +enum tun_driver_type +{ WINDOWS_DRIVER_UNSPECIFIED, WINDOWS_DRIVER_TAP_WINDOWS6, DRIVER_GENERIC_TUNTAP, 
@@ -67,19 +68,20 @@ enum tun_driver_type { #define IPW32_SET_ADAPTIVE_TRY_NETSH 20 /* bit flags for DHCP options */ -#define DHCP_OPTIONS_DHCP_OPTIONAL (1<<0) -#define DHCP_OPTIONS_DHCP_REQUIRED (1<<1) +#define DHCP_OPTIONS_DHCP_OPTIONAL (1 << 0) +#define DHCP_OPTIONS_DHCP_REQUIRED (1 << 1) -struct tuntap_options { +struct tuntap_options +{ /* --ip-win32 options */ bool ip_win32_defined; -#define IPW32_SET_MANUAL 0 /* "--ip-win32 manual" */ -#define IPW32_SET_NETSH 1 /* "--ip-win32 netsh" */ -#define IPW32_SET_IPAPI 2 /* "--ip-win32 ipapi" */ -#define IPW32_SET_DHCP_MASQ 3 /* "--ip-win32 dynamic" */ -#define IPW32_SET_ADAPTIVE 4 /* "--ip-win32 adaptive" */ -#define IPW32_SET_N 5 +#define IPW32_SET_MANUAL 0 /* "--ip-win32 manual" */ +#define IPW32_SET_NETSH 1 /* "--ip-win32 netsh" */ +#define IPW32_SET_IPAPI 2 /* "--ip-win32 ipapi" */ +#define IPW32_SET_DHCP_MASQ 3 /* "--ip-win32 dynamic" */ +#define IPW32_SET_ADAPTIVE 4 /* "--ip-win32 adaptive" */ +#define IPW32_SET_N 5 int ip_win32_type; #ifdef _WIN32 @@ -98,14 +100,15 @@ struct tuntap_options { int dhcp_options; - const char *domain; /* DOMAIN (15) */ + const char *domain; /* DOMAIN (15) */ const char *netbios_scope; /* NBS (47) */ - int netbios_node_type; /* NBT 1,2,4,8 (46) */ + int netbios_node_type; /* NBT 1,2,4,8 (46) */ -#define N_DHCP_ADDR 4 /* Max # of addresses allowed for - * DNS, WINS, etc. */ +#define N_DHCP_ADDR \ + 4 /* Max # of addresses allowed for \ + * DNS, WINS, etc. */ /* DNS (6) */ in_addr_t dns[N_DHCP_ADDR]; @@ -147,13 +150,15 @@ struct tuntap_options { #elif defined(TARGET_LINUX) -struct tuntap_options { +struct tuntap_options +{ int txqueuelen; }; #else /* if defined(_WIN32) || defined(TARGET_ANDROID) */ -struct tuntap_options { +struct tuntap_options +{ int dummy; /* not used */ }; @@ -169,7 +174,8 @@ typedef struct afunix_context } afunix_context_t; #else /* ifndef WIN32 */ -typedef struct { +typedef struct +{ int dummy; } afunix_context_t; #endif 
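Review bot: The reformatted `N_DHCP_ADDR` definition in the `@@ -98,14 +100,15 @@ struct tuntap_options` hunk wraps the value onto a continuation line and puts a backslash inside the trailing block comment, so the macro body now spans three physical lines as `#define N_DHCP_ADDR \`, `4 /* Max # of addresses allowed for \`, `* DNS, WINS, etc. */`. This is legal C, but a line-continuation inside a comment is easy to misread, and a later edit that reflows the comment can silently drop the continuation and change what the macro expands to. Moving the comment above the definition keeps the macro on one line and gives clang-format nothing to wrap: `/* Max # of addresses allowed for DNS, WINS, etc. */` followed by `#define N_DHCP_ADDR 4`.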
@@ -195,11 +201,11 @@ struct tuntap * been set up. This does NOT mean ifconfig has been called */ bool did_ifconfig_ipv6_setup; - bool persistent_if; /* if existed before, keep on program end */ + bool persistent_if; /* if existed before, keep on program end */ struct tuntap_options options; /* options set on command line */ - char *actual_name; /* actual name of TUN/TAP dev, usually including unit number */ + char *actual_name; /* actual name of TUN/TAP dev, usually including unit number */ /* ifconfig parameters */ in_addr_t local; @@ -230,7 +236,7 @@ struct tuntap int standby_iter; - #else /* ifdef _WIN32 */ +#else /* ifdef _WIN32 */ int fd; /* file descriptor for TUN/TAP dev */ #endif /* ifdef _WIN32 */ @@ -259,13 +265,13 @@ tuntap_defined(const struct tuntap *tt) * Function prototypes */ -void open_tun(const char *dev, const char *dev_type, const char *dev_node, - struct tuntap *tt, openvpn_net_ctx_t *ctx); +void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt, + openvpn_net_ctx_t *ctx); void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx); -void tun_open_device(struct tuntap *tt, const char *dev_node, - const char **device_guid, struct gc_arena *gc); +void tun_open_device(struct tuntap *tt, const char *dev_node, const char **device_guid, + struct gc_arena *gc); void close_tun_handle(struct tuntap *tt); 
@@ -273,37 +279,29 @@ int write_tun(struct tuntap *tt, uint8_t *buf, int len); int read_tun(struct tuntap *tt, uint8_t *buf, int len); -void tuncfg(const char *dev, const char *dev_type, const char *dev_node, - int persist_mode, const char *username, - const char *groupname, const struct tuntap_options *options, +void tuncfg(const char *dev, const char *dev_type, const char *dev_node, int persist_mode, + const char *username, const char *groupname, const struct tuntap_options *options, openvpn_net_ctx_t *ctx); -const char *guess_tuntap_dev(const char *dev, - const char *dev_type, - const char *dev_node, +const char *guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc); -struct tuntap *init_tun(const char *dev, /* --dev option */ - const char *dev_type, /* --dev-type option */ - int topology, /* one of the TOP_x values */ - const char *ifconfig_local_parm, /* --ifconfig parm 1 */ - const char *ifconfig_remote_netmask_parm, /* --ifconfig parm 2 */ - const char *ifconfig_ipv6_local_parm, /* --ifconfig parm 1 / IPv6 */ - int ifconfig_ipv6_netbits_parm, /* --ifconfig parm 1 / bits */ - const char *ifconfig_ipv6_remote_parm, /* --ifconfig parm 2 / IPv6 */ - struct addrinfo *local_public, - struct addrinfo *remote_public, - const bool strict_warn, - struct env_set *es, - openvpn_net_ctx_t *ctx, +struct tuntap *init_tun(const char *dev, /* --dev option */ + const char *dev_type, /* --dev-type option */ + int topology, /* one of the TOP_x values */ + const char *ifconfig_local_parm, /* --ifconfig parm 1 */ + const char *ifconfig_remote_netmask_parm, /* --ifconfig parm 2 */ + const char *ifconfig_ipv6_local_parm, /* --ifconfig parm 1 / IPv6 */ + int ifconfig_ipv6_netbits_parm, /* --ifconfig parm 1 / bits */ + const char *ifconfig_ipv6_remote_parm, /* --ifconfig parm 2 / IPv6 */ + struct addrinfo *local_public, struct addrinfo *remote_public, + const bool strict_warn, struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt); 
-void init_tun_post(struct tuntap *tt, - const struct frame *frame, +void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options); -void do_ifconfig_setenv(const struct tuntap *tt, - struct env_set *es); +void do_ifconfig_setenv(const struct tuntap *tt, struct env_set *es); /** * do_ifconfig - configure the tunnel interface @@ -314,8 +312,8 @@ void do_ifconfig_setenv(const struct tuntap *tt, * @param es the environment to be used when executing the commands * @param ctx the networking API opaque context */ -void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, - const struct env_set *es, openvpn_net_ctx_t *ctx); +void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, + openvpn_net_ctx_t *ctx); /** * undo_ifconfig - undo configuration of the tunnel interface @@ -331,7 +329,8 @@ int dev_type_enum(const char *dev, const char *dev_type); const char *dev_type_string(const char *dev, const char *dev_type); -const char *ifconfig_options_string(const struct tuntap *tt, bool remote, bool disable, struct gc_arena *gc); +const char *ifconfig_options_string(const struct tuntap *tt, bool remote, bool disable, + struct gc_arena *gc); bool is_tun_p2p(const struct tuntap *tt); @@ -340,8 +339,7 @@ void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx); /** * Return a string representation of the tun backed driver type */ -const char * -print_tun_backend_driver(enum tun_driver_type driver); +const char *print_tun_backend_driver(enum tun_driver_type driver); /* * Should ifconfig be called before or after @@ -351,7 +349,7 @@ print_tun_backend_driver(enum tun_driver_type driver); #define IFCONFIG_BEFORE_TUN_OPEN 0 #define IFCONFIG_AFTER_TUN_OPEN 1 -#define IFCONFIG_DEFAULT IFCONFIG_AFTER_TUN_OPEN +#define IFCONFIG_DEFAULT IFCONFIG_AFTER_TUN_OPEN static inline int ifconfig_order(struct tuntap *tt) 
@@ -374,13 +372,13 @@ ifconfig_order(struct tuntap *tt)
 return IFCONFIG_AFTER_TUN_OPEN;
 #elif defined(TARGET_ANDROID)
 return IFCONFIG_BEFORE_TUN_OPEN;
-#else /* if defined(TARGET_LINUX) */
+#else /* if defined(TARGET_LINUX) */
 return IFCONFIG_DEFAULT;
 #endif
 }
-#define ROUTE_BEFORE_TUN 0
-#define ROUTE_AFTER_TUN 1
+#define ROUTE_BEFORE_TUN 0
+#define ROUTE_AFTER_TUN 1
 #define ROUTE_ORDER_DEFAULT ROUTE_AFTER_TUN
 static inline int
@@ -441,11 +439,10 @@ const IP_ADAPTER_INFO *get_adapter(const IP_ADAPTER_INFO *ai, DWORD index);
 bool is_adapter_up(const struct tuntap *tt, const IP_ADAPTER_INFO *list);
-bool is_ip_in_adapter_subnet(const IP_ADAPTER_INFO *ai, const in_addr_t ip, in_addr_t *highest_netmask);
+bool is_ip_in_adapter_subnet(const IP_ADAPTER_INFO *ai, const in_addr_t ip,
+ in_addr_t *highest_netmask);
-DWORD adapter_index_of_ip(const IP_ADAPTER_INFO *list,
- const in_addr_t ip,
- int *count,
+DWORD adapter_index_of_ip(const IP_ADAPTER_INFO *list, const in_addr_t ip, int *count,
 in_addr_t *netmask);
 void show_tap_win_adapters(int msglev, int warnlev);
@@ -599,10 +596,7 @@ tun_event_handle(const struct tuntap *tt)
 }
 static inline void
-tun_set(struct tuntap *tt,
- struct event_set *es,
- unsigned int rwflags,
- void *arg,
+tun_set(struct tuntap *tt, struct event_set *es, unsigned int rwflags, void *arg,
 unsigned int *persistent)
 {
 if (!tuntap_defined(tt) || tuntap_is_dco_win(tt))
@@ -626,7 +620,6 @@ tun_set(struct tuntap *tt,
 }
 #endif
 tt->rwflags_debug = rwflags;
-
 }
 const char *tun_stat(const struct tuntap *tt, unsigned int rwflags, struct gc_arena *gc);
diff --git a/src/openvpn/tun_afunix.c b/src/openvpn/tun_afunix.c
index ac120704d..4d48a318a 100644
--- a/src/openvpn/tun_afunix.c
+++ b/src/openvpn/tun_afunix.c
@@ -47,7 +47,6 @@
 #include
-
 static void
 tun_afunix_exec_child(const char *dev_node, struct tuntap *tt, struct env_set *env)
 {
@@ -60,8 +59,7 @@ tun_afunix_exec_child(const char *dev_node, struct tuntap *tt, struct env_set *e
 argv_printf(&argv, "%s", program);
- tt->afunix.childprocess = openvpn_execve_check(&argv, env, S_NOWAITPID,
- msgprefix);
+ tt->afunix.childprocess = openvpn_execve_check(&argv, env, S_NOWAITPID, msgprefix);
 if (!openvpn_waitpid_check(tt->afunix.childprocess, msgprefix, M_WARN))
 {
 tt->afunix.childprocess = 0;
@@ -70,10 +68,7 @@ tun_afunix_exec_child(const char *dev_node, struct tuntap *tt, struct env_set *e
 }
 void
-open_tun_afunix(struct options *o,
- int mtu,
- struct tuntap *tt,
- struct env_set *orig_env)
+open_tun_afunix(struct options *o, int mtu, struct tuntap *tt, struct env_set *orig_env)
 {
 struct gc_arena gc = gc_new();
@@ -81,14 +76,14 @@ open_tun_afunix(struct options *o,
 if (!(socketpair(AF_UNIX, SOCK_DGRAM, 0, fds) == 0))
 {
 msg(M_ERR, "Cannot create socket pair for AF_UNIX socket to external "
- "program");
+ "program");
 return;
 }
 /* Ensure that the buffer sizes are decently sized. Otherwise macOS will
 * just have 2048 */
- struct socket_buffer_size newsizes = {65536, 65536 };
+ struct socket_buffer_size newsizes = { 65536, 65536 };
 socket_set_buffers(fds[0], &newsizes, false);
 socket_set_buffers(fds[1], &newsizes, false);
@@ -167,8 +162,8 @@ read_tun_afunix(struct tuntap *tt, uint8_t *buf, int len)
 }
 #else /* ifndef WIN32 */
 void
-open_tun_afunix(const char *dev, const char *dev_type, int mtu,
- struct tuntap *tt, struct env_set env)
+open_tun_afunix(const char *dev, const char *dev_type, int mtu, struct tuntap *tt,
+ struct env_set env)
 {
 msg(M_ERR, "AF_UNIX socket support not available on this platform");
 }
diff --git a/src/openvpn/tun_afunix.h b/src/openvpn/tun_afunix.h
index faca142dd..33464031c 100644
--- a/src/openvpn/tun_afunix.h
+++ b/src/openvpn/tun_afunix.h
@@ -31,31 +31,24 @@
 * the user provided taking care of implementing the actual tun
 * device.
 */
-void
-open_tun_afunix(struct options *o,
- int mtu,
- struct tuntap *tt,
- struct env_set *env);
+void open_tun_afunix(struct options *o, int mtu, struct tuntap *tt, struct env_set *env);
 /**
 * Closes the socket used for the AF_UNIX based device. Also sends a
 * SIGINT to the child process that was spawned to handle the tun device
 */
-void
-close_tun_afunix(struct tuntap *tt);
+void close_tun_afunix(struct tuntap *tt);
 /**
 * Writes a packet to a AF_UNIX based tun device.
 */
-ssize_t
-write_tun_afunix(struct tuntap *tt, uint8_t *buf, int len);
+ssize_t write_tun_afunix(struct tuntap *tt, uint8_t *buf, int len);
 /**
 * Reads a packet from a AF_UNIX based tun device.
 */
-ssize_t
-read_tun_afunix(struct tuntap *tt, uint8_t *buf, int len);
+ssize_t read_tun_afunix(struct tuntap *tt, uint8_t *buf, int len);
 #endif /* AFUNIX_TUN_H */
diff --git a/src/openvpn/vlan.c b/src/openvpn/vlan.c
index 5cc23f402..a6a6e93c6 100644
--- a/src/openvpn/vlan.c
+++ b/src/openvpn/vlan.c
@@ -52,8 +52,8 @@ vlanhdr_get_vid(const struct openvpn_8021qhdr *hdr)
 static void
 vlanhdr_set_vid(struct openvpn_8021qhdr *hdr, const uint16_t vid)
 {
- hdr->pcp_cfi_vid = (hdr->pcp_cfi_vid & ~OPENVPN_8021Q_MASK_VID)
- | (htons(vid) & OPENVPN_8021Q_MASK_VID);
+ hdr->pcp_cfi_vid =
+ (hdr->pcp_cfi_vid & ~OPENVPN_8021Q_MASK_VID) | (htons(vid) & OPENVPN_8021Q_MASK_VID);
 }
 /*
@@ -96,15 +96,13 @@ vlan_decapsulate(const struct context *c, struct buffer *buf)
 /* reject untagged frame */
 if (c->options.vlan_accept == VLAN_ONLY_TAGGED)
 {
- msg(D_VLAN_DEBUG,
- "dropping frame without vlan-tag (proto/len 0x%04x)",
+ msg(D_VLAN_DEBUG, "dropping frame without vlan-tag (proto/len 0x%04x)",
 ntohs(ethhdr->proto));
 goto drop;
 }
 /* untagged frame is accepted and associated with the global VID */
- msg(D_VLAN_DEBUG,
- "assuming pvid for frame without vlan-tag, pvid: %u (proto/len 0x%04x)",
+ msg(D_VLAN_DEBUG, "assuming pvid for frame without vlan-tag, pvid: %u (proto/len 0x%04x)",
 c->options.vlan_pvid, ntohs(ethhdr->proto));
 return c->options.vlan_pvid;
@@ -125,8 +123,8 @@ vlan_decapsulate(const struct context *c, struct buffer *buf)
 /* VLAN-tagged frame: drop packet */
 if (vid != 0)
 {
- msg(D_VLAN_DEBUG, "dropping frame with vlan-tag, vid: %u (proto/len 0x%04x)",
- vid, ntohs(vlanhdr->proto));
+ msg(D_VLAN_DEBUG, "dropping frame with vlan-tag, vid: %u (proto/len 0x%04x)", vid,
+ ntohs(vlanhdr->proto));
 goto drop;
 }
@@ -148,8 +146,7 @@ vlan_decapsulate(const struct context *c, struct buffer *buf)
 /* here we have a proper VLAN tagged frame: perform decapsulation
 * and return embedded VID */
- msg(D_VLAN_DEBUG,
- "removing vlan-tag from frame: vid: %u, wrapped proto/len: 0x%04x",
+ msg(D_VLAN_DEBUG, "removing vlan-tag from frame: vid: %u, wrapped proto/len: 0x%04x",
 vid, ntohs(vlanhdr->proto));
 /* save inner protocol to be restored later after decapsulation */
@@ -224,8 +221,7 @@ vlan_encapsulate(const struct context *c, struct buffer *buf)
 goto drop;
 }
- vlanhdr = (struct openvpn_8021qhdr *)buf_prepend(buf,
- SIZE_ETH_TO_8021Q_HDR);
+ vlanhdr = (struct openvpn_8021qhdr *)buf_prepend(buf, SIZE_ETH_TO_8021Q_HDR);
 /* Initialise VLAN/802.1q header.
 * Move the Eth header so to keep dst/src addresses the same and then
@@ -244,8 +240,8 @@ vlan_encapsulate(const struct context *c, struct buffer *buf)
 /* set the VID corresponding to the current context (client) */
 vlanhdr_set_vid(vlanhdr, c->options.vlan_pvid);
- msg(D_VLAN_DEBUG, "tagging frame: vid %u (wrapping proto/len: %04x)",
- c->options.vlan_pvid, vlanhdr->proto);
+ msg(D_VLAN_DEBUG, "tagging frame: vid %u (wrapping proto/len: %04x)", c->options.vlan_pvid,
+ vlanhdr->proto);
 return;
 drop:
diff --git a/src/openvpn/vlan.h b/src/openvpn/vlan.h
index 760258540..e2c9c4479 100644
--- a/src/openvpn/vlan.h
+++ b/src/openvpn/vlan.h
@@ -31,13 +31,10 @@ struct multi_context;
 struct multi_instance;
-int16_t
-vlan_decapsulate(const struct context *c, struct buffer *buf);
+int16_t vlan_decapsulate(const struct context *c, struct buffer *buf);
-bool
-vlan_is_tagged(const struct buffer *buf);
+bool vlan_is_tagged(const struct buffer *buf);
-void
-vlan_process_outgoing_tun(struct multi_context *m, struct multi_instance *mi);
+void vlan_process_outgoing_tun(struct multi_context *m, struct multi_instance *mi);
 #endif /* VLAN_H */
diff --git a/src/openvpn/wfp_block.c b/src/openvpn/wfp_block.c
index ce5cef2c1..506d41be0 100644
--- a/src/openvpn/wfp_block.c
+++ b/src/openvpn/wfp_block.c
@@ -48,68 +48,33 @@
 #endif
 /* c38d57d1-05a7-4c33-904f-7fbceee60e82 */
-DEFINE_GUID(
- FWPM_LAYER_ALE_AUTH_CONNECT_V4,
- 0xc38d57d1,
- 0x05a7,
- 0x4c33,
- 0x90, 0x4f, 0x7f, 0xbc, 0xee, 0xe6, 0x0e, 0x82
- );
+DEFINE_GUID(FWPM_LAYER_ALE_AUTH_CONNECT_V4, 0xc38d57d1, 0x05a7, 0x4c33, 0x90, 0x4f, 0x7f, 0xbc,
+ 0xee, 0xe6, 0x0e, 0x82);
 /* 4a72393b-319f-44bc-84c3-ba54dcb3b6b4 */
-DEFINE_GUID(
- FWPM_LAYER_ALE_AUTH_CONNECT_V6,
- 0x4a72393b,
- 0x319f,
- 0x44bc,
- 0x84, 0xc3, 0xba, 0x54, 0xdc, 0xb3, 0xb6, 0xb4
- );
+DEFINE_GUID(FWPM_LAYER_ALE_AUTH_CONNECT_V6, 0x4a72393b, 0x319f, 0x44bc, 0x84, 0xc3, 0xba, 0x54,
+ 0xdc, 0xb3, 0xb6, 0xb4);
 /* d78e1e87-8644-4ea5-9437-d809ecefc971 */
-DEFINE_GUID(
- FWPM_CONDITION_ALE_APP_ID,
- 0xd78e1e87,
- 0x8644,
- 0x4ea5,
- 0x94, 0x37, 0xd8, 0x09, 0xec, 0xef, 0xc9, 0x71
- );
+DEFINE_GUID(FWPM_CONDITION_ALE_APP_ID, 0xd78e1e87, 0x8644, 0x4ea5, 0x94, 0x37, 0xd8, 0x09, 0xec,
+ 0xef, 0xc9, 0x71);
 /* c35a604d-d22b-4e1a-91b4-68f674ee674b */
-DEFINE_GUID(
- FWPM_CONDITION_IP_REMOTE_PORT,
- 0xc35a604d,
- 0xd22b,
- 0x4e1a,
- 0x91, 0xb4, 0x68, 0xf6, 0x74, 0xee, 0x67, 0x4b
- );
+DEFINE_GUID(FWPM_CONDITION_IP_REMOTE_PORT, 0xc35a604d, 0xd22b, 0x4e1a, 0x91, 0xb4, 0x68, 0xf6, 0x74,
+ 0xee, 0x67, 0x4b);
 /* 4cd62a49-59c3-4969-b7f3-bda5d32890a4 */
-DEFINE_GUID(
- FWPM_CONDITION_IP_LOCAL_INTERFACE,
- 0x4cd62a49,
- 0x59c3,
- 0x4969,
- 0xb7, 0xf3, 0xbd, 0xa5, 0xd3, 0x28, 0x90, 0xa4
- );
+DEFINE_GUID(FWPM_CONDITION_IP_LOCAL_INTERFACE, 0x4cd62a49, 0x59c3, 0x4969, 0xb7, 0xf3, 0xbd, 0xa5,
+ 0xd3, 0x28, 0x90, 0xa4);
 /* 632ce23b-5167-435c-86d7-e903684aa80c */
-DEFINE_GUID(
- FWPM_CONDITION_FLAGS,
- 0x632ce23b,
- 0x5167,
- 0x435c,
- 0x86, 0xd7, 0xe9, 0x03, 0x68, 0x4a, 0xa8, 0x0c
- );
+DEFINE_GUID(FWPM_CONDITION_FLAGS, 0x632ce23b, 0x5167, 0x435c, 0x86, 0xd7, 0xe9, 0x03, 0x68, 0x4a,
+ 0xa8, 0x0c);
 /* UUID of WFP sublayer used by all instances of openvpn
 * 2f660d7e-6a37-11e6-a181-001e8c6e04a2 */
-DEFINE_GUID(
- OPENVPN_WFP_BLOCK_SUBLAYER,
- 0x2f660d7e,
- 0x6a37,
- 0x11e6,
- 0xa1, 0x81, 0x00, 0x1e, 0x8c, 0x6e, 0x04, 0xa2
- );
+DEFINE_GUID(OPENVPN_WFP_BLOCK_SUBLAYER, 0x2f660d7e, 0x6a37, 0x11e6, 0xa1, 0x81, 0x00, 0x1e, 0x8c,
+ 0x6e, 0x04, 0xa2);
 static WCHAR *FIREWALL_NAME = L"OpenVPN";
@@ -123,7 +88,11 @@ default_msg_handler(DWORD err, const char *msg)
 }
 #define OUT_ON_ERROR(err, msg) \
- if (err) { msg_handler(err, msg); goto out; }
+ if (err) \
+ { \
+ msg_handler(err, msg); \
+ goto out; \
+ }
 /*
 * Add a persistent sublayer with specified uuid.
@@ -181,24 +150,21 @@ out:
 */
 DWORD
-add_wfp_block_filters(HANDLE *engine_handle,
- int index,
- const WCHAR *exe_path,
- wfp_block_msg_handler_t msg_handler,
- BOOL dns_only)
+add_wfp_block_filters(HANDLE *engine_handle, int index, const WCHAR *exe_path,
+ wfp_block_msg_handler_t msg_handler, BOOL dns_only)
 {
- FWPM_SESSION0 session = {0};
+ FWPM_SESSION0 session = { 0 };
 FWPM_SUBLAYER0 *sublayer_ptr = NULL;
 NET_LUID itf_luid;
 UINT64 filterid;
 FWP_BYTE_BLOB *openvpnblob = NULL;
- FWPM_FILTER0 Filter = {0};
+ FWPM_FILTER0 Filter = { 0 };
 FWPM_FILTER_CONDITION0 Condition[2];
- FWPM_FILTER_CONDITION0 match_openvpn = {0};
- FWPM_FILTER_CONDITION0 match_port_53 = {0};
- FWPM_FILTER_CONDITION0 match_interface = {0};
- FWPM_FILTER_CONDITION0 match_loopback = {0};
- FWPM_FILTER_CONDITION0 match_not_loopback = {0};
+ FWPM_FILTER_CONDITION0 match_openvpn = { 0 };
+ FWPM_FILTER_CONDITION0 match_port_53 = { 0 };
+ FWPM_FILTER_CONDITION0 match_interface = { 0 };
+ FWPM_FILTER_CONDITION0 match_loopback = { 0 };
+ FWPM_FILTER_CONDITION0 match_not_loopback = { 0 };
 DWORD err = 0;
 if (!msg_handler)
@@ -223,8 +189,8 @@ add_wfp_block_filters(HANDLE *engine_handle,
 FwpmFreeMemory0((void **)&sublayer_ptr);
 }
 else
- { /* Add a new sublayer -- as another process may add it in the meantime,
- * do not treat "already exists" as an error */
+ { /* Add a new sublayer -- as another process may add it in the meantime,
+ * do not treat "already exists" as an error */
 err = add_sublayer(OPENVPN_WFP_BLOCK_SUBLAYER);
 if (err == FWP_E_ALREADY_EXISTS || err == ERROR_SUCCESS)
@@ -439,8 +405,7 @@ get_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family, int *
 */
 DWORD
-set_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family,
- const ULONG metric)
+set_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family, const ULONG metric)
 {
 DWORD err = 0;
 MIB_IPINTERFACE_ROW ipiface;
diff --git a/src/openvpn/wfp_block.h b/src/openvpn/wfp_block.h
index 6de39f52a..5ca093ca4 100644
--- a/src/openvpn/wfp_block.h
+++ b/src/openvpn/wfp_block.h
@@ -32,7 +32,7 @@
 /* Any value less than 5 should work fine. 3 is chosen without any real reason. */
 #define WFP_BLOCK_IFACE_METRIC 3
-typedef void (*wfp_block_msg_handler_t) (DWORD err, const char *msg);
+typedef void (*wfp_block_msg_handler_t)(DWORD err, const char *msg);
 DWORD delete_wfp_block_filters(HANDLE engine);
@@ -51,8 +51,7 @@ add_wfp_block_filters(HANDLE *engine, int iface_index, const WCHAR *exe_path,
 *
 * @return positive interface metric on success or -1 on error
 */
-int
-get_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family, int *is_auto);
+int get_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family, int *is_auto);
 /**
 * Sets interface metric value for specified interface index.
@@ -65,8 +64,7 @@ get_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family, int *
 */
 DWORD
-set_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family,
- const ULONG metric);
+set_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family, const ULONG metric);
 #endif /* ifndef WFP_BLOCK_H */
 #endif /* ifdef _WIN32 */
diff --git a/src/openvpn/win32-util.c b/src/openvpn/win32-util.c
index c23d066f0..0d6d02908 100644
--- a/src/openvpn/win32-util.c
+++ b/src/openvpn/win32-util.c
@@ -161,7 +161,7 @@ win_get_tempdir(void)
 if (WideCharToMultiByte(CP_UTF8, 0, wtmpdir, -1, NULL, 0, NULL, NULL) > sizeof(tmpdir))
 {
 msg(M_WARN, "Could not get temporary directory. Path is too long."
- " Consider using --tmp-dir");
+ " Consider using --tmp-dir");
 return NULL;
 }
diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c
index 0524c57d4..15bcf3787 100644
--- a/src/openvpn/win32.c
+++ b/src/openvpn/win32.c
@@ -101,8 +101,7 @@ static char *win_sys_path = NULL; /* GLOBAL */
 /**
 * Set OpenSSL environment variables to a safe directory
 */
-static void
-set_openssl_env_vars(void);
+static void set_openssl_env_vars(void);
 void
 init_win32(void)
@@ -167,9 +166,7 @@ init_security_attributes_allow_all(struct security_attributes *obj)
 }
 void
-overlapped_io_init(struct overlapped_io *o,
- const struct frame *frame,
- BOOL event_state)
+overlapped_io_init(struct overlapped_io *o, const struct frame *frame, BOOL event_state)
 {
 CLEAR(*o);
@@ -219,7 +216,8 @@ overlapped_io_state_ascii(const struct overlapped_io *o)
 */
 void
-init_net_event_win32(struct rw_handle *event, long network_events, socket_descriptor_t sd, unsigned int flags)
+init_net_event_win32(struct rw_handle *event, long network_events, socket_descriptor_t sd,
+ unsigned int flags)
 {
 /* manual reset events, initially set to unsignaled */
@@ -292,7 +290,8 @@ close_net_event_win32(struct rw_handle *event, socket_descriptor_t sd, unsigned
 {
 if (!CloseHandle(event->read))
 {
- msg(M_WARN | M_ERRNO, "Warning: CloseHandle (read) failed in close_net_event_win32");
+ msg(M_WARN | M_ERRNO,
+ "Warning: CloseHandle (read) failed in close_net_event_win32");
 }
 event->read = NULL;
 }
@@ -308,7 +307,8 @@ close_net_event_win32(struct rw_handle *event, socket_descriptor_t sd, unsigned
 {
 if (!CloseHandle(event->write))
 {
- msg(M_WARN | M_ERRNO, "Warning: CloseHandle (write) failed in close_net_event_win32");
+ msg(M_WARN | M_ERRNO,
+ "Warning: CloseHandle (write) failed in close_net_event_win32");
 }
 event->write = NULL;
 }
@@ -332,7 +332,7 @@ net_event_win32_start(struct net_event_win32 *ne, long network_events, socket_de
 ASSERT(!socket_defined(ne->sd));
 ne->sd = sd;
 ne->event_mask = 0;
- init_net_event_win32(&ne->handle, network_events, sd, NE32_PERSIST_EVENT|NE32_WRITE_EVENT);
+ init_net_event_win32(&ne->handle, network_events, sd, NE32_PERSIST_EVENT | NE32_WRITE_EVENT);
 }
 void
@@ -406,7 +406,7 @@ win_trigger_event(struct win32_signal *ws)
 ir.Event.KeyEvent.bKeyDown = true;
 if (!stdin_handle || !WriteConsoleInput(stdin_handle, &ir, 1, &tmp))
 {
- msg(M_WARN|M_ERRNO, "WARN: win_trigger_event: WriteConsoleInput");
+ msg(M_WARN | M_ERRNO, "WARN: win_trigger_event: WriteConsoleInput");
 }
 }
 }
@@ -417,7 +417,7 @@ win_trigger_event(struct win32_signal *ws)
 static bool WINAPI
 win_ctrl_handler(DWORD signum)
 {
- msg(D_LOW, "win_ctrl_handler: signal received (code=%lu)", (unsigned long) signum);
+ msg(D_LOW, "win_ctrl_handler: signal received (code=%lu)", (unsigned long)signum);
 if (siginfo_static.signal_received == SIGTERM)
 {
@@ -435,7 +435,7 @@ win_ctrl_handler(DWORD signum)
 break;
 default:
- msg(D_LOW, "win_ctrl_handler: signal (code=%lu) not handled", (unsigned long) signum);
+ msg(D_LOW, "win_ctrl_handler: signal (code=%lu) not handled", (unsigned long)signum);
 break;
 }
 /* pass all other signals to the next handler */
@@ -449,9 +449,7 @@ win32_signal_clear(struct win32_signal *ws)
 }
 void
-win32_signal_open(struct win32_signal *ws,
- int force,
- const char *exit_event_name,
+win32_signal_open(struct win32_signal *ws, int force, const char *exit_event_name,
 bool exit_event_initial_state)
 {
 CLEAR(*ws);
@@ -473,12 +471,10 @@ win32_signal_open(struct win32_signal *ws,
 if (GetConsoleMode(ws->in.read, &ws->console_mode_save))
 {
 /* running on a console */
- const DWORD new_console_mode = ws->console_mode_save
- & ~(ENABLE_WINDOW_INPUT
- | ENABLE_PROCESSED_INPUT
- | ENABLE_LINE_INPUT
- | ENABLE_ECHO_INPUT
- | ENABLE_MOUSE_INPUT);
+ const DWORD new_console_mode =
+ ws->console_mode_save
+ & ~(ENABLE_WINDOW_INPUT | ENABLE_PROCESSED_INPUT | ENABLE_LINE_INPUT
+ | ENABLE_ECHO_INPUT | ENABLE_MOUSE_INPUT);
 if (new_console_mode != ws->console_mode_save)
 {
@@ -501,8 +497,8 @@ win32_signal_open(struct win32_signal *ws,
 * If console open failed, assume we are running
 * as a service.
 */
- if ((force == WSO_NOFORCE || force == WSO_FORCE_SERVICE)
- && !HANDLE_DEFINED(ws->in.read) && exit_event_name)
+ if ((force == WSO_NOFORCE || force == WSO_FORCE_SERVICE) && !HANDLE_DEFINED(ws->in.read)
+ && exit_event_name)
 {
 struct security_attributes sa;
 struct gc_arena gc = gc_new();
@@ -513,11 +509,11 @@ win32_signal_open(struct win32_signal *ws,
 msg(M_ERR, "Error: win32_signal_open: init SA failed");
 }
- ws->in.read = CreateEventW(&sa.sa, TRUE, exit_event_initial_state ? TRUE : FALSE,
- exit_event_nameW);
+ ws->in.read =
+ CreateEventW(&sa.sa, TRUE, exit_event_initial_state ? TRUE : FALSE, exit_event_nameW);
 if (ws->in.read == NULL)
 {
- msg(M_WARN|M_ERRNO, "NOTE: CreateEventW '%s' failed", exit_event_name);
+ msg(M_WARN | M_ERRNO, "NOTE: CreateEventW '%s' failed", exit_event_name);
 }
 else
 {
@@ -533,9 +529,9 @@ win32_signal_open(struct win32_signal *ws,
 gc_free(&gc);
 }
 /* set the ctrl handler in both console and service modes */
- if (!SetConsoleCtrlHandler((PHANDLER_ROUTINE) win_ctrl_handler, true))
+ if (!SetConsoleCtrlHandler((PHANDLER_ROUTINE)win_ctrl_handler, true))
 {
- msg(M_WARN|M_ERRNO, "WARN: SetConsoleCtrlHandler failed");
+ msg(M_WARN | M_ERRNO, "WARN: SetConsoleCtrlHandler failed");
 }
 }
@@ -562,8 +558,7 @@ keyboard_ir_to_key(INPUT_RECORD *ir)
 return ir->Event.KeyEvent.wVirtualScanCode;
 }
- if ((ir->Event.KeyEvent.dwControlKeyState
- & (LEFT_ALT_PRESSED | RIGHT_ALT_PRESSED))
+ if ((ir->Event.KeyEvent.dwControlKeyState & (LEFT_ALT_PRESSED | RIGHT_ALT_PRESSED))
 && (ir->Event.KeyEvent.wVirtualKeyCode != 18))
 {
 return ir->Event.KeyEvent.wVirtualScanCode * 256;
@@ -625,8 +620,7 @@ win32_service_interrupt(struct win32_signal *ws)
 {
 if (ws->mode == WSO_MODE_SERVICE)
 {
- if (HANDLE_DEFINED(ws->in.read)
- && WaitForSingleObject(ws->in.read, 0) == WAIT_OBJECT_0)
+ if (HANDLE_DEFINED(ws->in.read) && WaitForSingleObject(ws->in.read, 0) == WAIT_OBJECT_0)
 {
 return true;
 }
@@ -683,7 +677,7 @@ win32_pause(struct win32_signal *ws)
 {
 if (ws->mode == WSO_MODE_CONSOLE && HANDLE_DEFINED(ws->in.read))
 {
- msg(M_INFO|M_NOPREFIX, "Press any key to continue...");
+ msg(M_INFO | M_NOPREFIX, "Press any key to continue...");
 do
 {
 WaitForSingleObject(ws->in.read, INFINITE);
@@ -734,7 +728,8 @@ window_title_generate(const char *title)
 {
 title = "";
 }
- buf_printf(&out, "[%s] " PACKAGE_NAME " " PACKAGE_VERSION " F4:EXIT F1:USR1 F2:USR2 F3:HUP", title);
+ buf_printf(&out, "[%s] " PACKAGE_NAME " " PACKAGE_VERSION " F4:EXIT F1:USR1 F2:USR2 F3:HUP",
+ title);
 SetConsoleTitle(BSTR(&out));
 gc_free(&gc);
 }
@@ -763,7 +758,7 @@ semaphore_open(struct semaphore *s, const char *name)
 if (s->hand == NULL)
 {
- msg(M_WARN|M_ERRNO, "WARNING: Cannot create Win32 semaphore '%s'", name);
+ msg(M_WARN | M_ERRNO, "WARNING: Cannot create Win32 semaphore '%s'", name);
 }
 else
 {
@@ -781,9 +776,10 @@ semaphore_lock(struct semaphore *s, int timeout_milliseconds)
 DWORD status;
 ASSERT(!s->locked);
- dmsg(D_SEMAPHORE_LOW, "Attempting to lock Win32 semaphore '%s' prior to net shell command (timeout = %d sec)",
- s->name,
- timeout_milliseconds / 1000);
+ dmsg(
+ D_SEMAPHORE_LOW,
+ "Attempting to lock Win32 semaphore '%s' prior to net shell command (timeout = %d sec)",
+ s->name, timeout_milliseconds / 1000);
 status = WaitForSingleObject(s->hand, timeout_milliseconds);
 if (status == WAIT_FAILED)
 {
@@ -798,8 +794,7 @@ semaphore_lock(struct semaphore *s, int timeout_milliseconds)
 else
 {
 dmsg(D_SEMAPHORE, "Wait on Win32 semaphore '%s' timed out after %d milliseconds",
- s->name,
- timeout_milliseconds);
+ s->name, timeout_milliseconds);
 }
 }
 return ret;
@@ -814,8 +809,7 @@ semaphore_release(struct semaphore *s)
 dmsg(D_SEMAPHORE, "Releasing Win32 semaphore '%s'", s->name);
 if (!ReleaseSemaphore(s->hand, 1, NULL))
 {
- msg(M_WARN | M_ERRNO, "ReleaseSemaphore failed on Win32 semaphore '%s'",
- s->name);
+ msg(M_WARN | M_ERRNO, "ReleaseSemaphore failed on Win32 semaphore '%s'", s->name);
 }
 s->locked = false;
 }
@@ -906,9 +900,9 @@ env_block(const struct env_set *es)
 nchars += strlen(e->string) + 1;
 }
- nchars += strlen(force_path)+1;
+ nchars += strlen(force_path) + 1;
- ret = (char *) malloc(nchars);
+ ret = (char *)malloc(nchars);
 check_malloc_return(ret);
 p = ret;
@@ -919,7 +913,7 @@ env_block(const struct env_set *es)
 strcpy(p, e->string);
 p += strlen(e->string) + 1;
 }
- if (strncmp(e->string, "PATH=", 5 ) == 0)
+ if (strncmp(e->string, "PATH=", 5) == 0)
 {
 path_seen = true;
 }
@@ -928,8 +922,8 @@ env_block(const struct env_set *es)
 /* make sure PATH is set */
 if (!path_seen)
 {
- msg( M_INFO, "env_block: add %s", force_path );
- strcpy( p, force_path );
+ msg(M_INFO, "env_block: add %s", force_path);
+ strcpy(p, force_path);
 p += strlen(force_path) + 1;
 }
@@ -975,7 +969,7 @@ wide_cmd_line(const struct argv *a, struct gc_arena *gc)
 {
 const char *arg = a->argv[i];
 strcpy(work, arg);
- string_mod(work, CC_PRINT, CC_DOUBLE_QUOTE|CC_CRLF, '_');
+ string_mod(work, CC_PRINT, CC_DOUBLE_QUOTE | CC_CRLF, '_');
 if (i)
 {
 buf_printf(&buf, " ");
@@ -1026,7 +1020,8 @@ openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned in
 start_info.dwFlags = STARTF_USESHOWWINDOW;
 start_info.wShowWindow = SW_HIDE;
- if (CreateProcessW(cmd, cl, NULL, NULL, FALSE, proc_flags, env, NULL, &start_info, &proc_info))
+ if (CreateProcessW(cmd, cl, NULL, NULL, FALSE, proc_flags, env, NULL, &start_info,
+ &proc_info))
 {
 DWORD exit_status = 0;
 CloseHandle(proc_info.hThread);
@@ -1037,13 +1032,13 @@ openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned in
 }
 else
 {
- msg(M_WARN|M_ERRNO, "openvpn_execve: GetExitCodeProcess %ls failed", cmd);
+ msg(M_WARN | M_ERRNO, "openvpn_execve: GetExitCodeProcess %ls failed", cmd);
 }
 CloseHandle(proc_info.hProcess);
 }
 else
 {
- msg(M_WARN|M_ERRNO, "openvpn_execve: CreateProcess %ls failed", cmd);
+ msg(M_WARN | M_ERRNO, "openvpn_execve: CreateProcess %ls failed", cmd);
 }
 free(env);
 gc_free(&gc);
@@ -1084,7 +1079,8 @@ fork_to_self(const char *cmdline)
 status = GetModuleFileName(NULL, self_exe, sizeof(self_exe));
 if (status == 0 || status == sizeof(self_exe))
 {
- msg(M_WARN|M_ERRNO, "fork_to_self: CreateProcess failed: cannot get module name via GetModuleFileName");
+ msg(M_WARN | M_ERRNO,
+ "fork_to_self: CreateProcess failed: cannot get module name via GetModuleFileName");
 goto done;
 }
@@ -1101,7 +1097,7 @@ fork_to_self(const char *cmdline)
 }
 else
 {
- msg(M_WARN|M_ERRNO, "fork_to_self: CreateProcess failed: %s", cmdline);
+ msg(M_WARN | M_ERRNO, "fork_to_self: CreateProcess failed: %s", cmdline);
 }
 done:
@@ -1134,7 +1130,8 @@ set_win_sys_path_via_env(struct env_set *es)
 }
 if (status > sizeof(buf) - 1)
 {
- msg(M_FATAL, "String overflow attempting to read environmental variable %s", SYS_PATH_ENV_VAR_NAME);
+ msg(M_FATAL, "String overflow attempting to read environmental variable %s",
+ SYS_PATH_ENV_VAR_NAME);
 }
 set_win_sys_path(buf, es);
 }
@@ -1145,7 +1142,7 @@ win_get_exe_path(PWCHAR path, DWORD size)
 DWORD status = GetModuleFileNameW(NULL, path, size);
 if (status == 0 || status == size)
 {
- msg(M_WARN|M_ERRNO, "cannot get executable path");
+ msg(M_WARN | M_ERRNO, "cannot get executable path");
 return false;
 }
 return true;
@@ -1162,8 +1159,7 @@ win_wfp_msg_handler(DWORD err, const char *msg)
 }
 else
 {
- msg(M_WARN, "Error in WFP: %s : %s [status=0x%lx]",
- msg, strerror_win32(err, &gc), err);
+ msg(M_WARN, "Error in WFP: %s : %s [status=0x%lx]", msg, strerror_win32(err, &gc), err);
 }
 gc_free(&gc);
@@ -1176,15 +1172,10 @@ win_wfp_block_service(bool add, bool dns_only, int index, const HANDLE pipe)
 ack_message_t ack;
 struct gc_arena gc = gc_new();
- wfp_block_message_t data = {
- .header = {
- (add ? msg_add_wfp_block : msg_del_wfp_block),
- sizeof(wfp_block_message_t),
- 0
- },
- .flags = dns_only ? wfp_block_dns : wfp_block_local,
- .iface = { .index = index, .name = "" }
- };
+ wfp_block_message_t data = { .header = { (add ? msg_add_wfp_block : msg_del_wfp_block),
+ sizeof(wfp_block_message_t), 0 },
+ .flags = dns_only ? wfp_block_dns : wfp_block_local,
+ .iface = { .index = index, .name = "" } };
 if (!send_msg_iservice(pipe, &data, sizeof(data), &ack, "WFP block"))
 {
@@ -1193,9 +1184,10 @@ win_wfp_block_service(bool add, bool dns_only, int index, const HANDLE pipe)
 if (ack.error_number != NO_ERROR)
 {
- msg(M_WARN, "WFP block: %s block filters using service failed: %s [status=0x%x if_index=%d]",
- (add ? "adding" : "deleting"), strerror_win32(ack.error_number, &gc),
- ack.error_number, data.iface.index);
+ msg(M_WARN,
+ "WFP block: %s block filters using service failed: %s [status=0x%x if_index=%d]",
+ (add ? "adding" : "deleting"), strerror_win32(ack.error_number, &gc), ack.error_number,
+ data.iface.index);
 goto out;
 }
@@ -1226,8 +1218,8 @@ win_wfp_block(const NET_IFINDEX index, const HANDLE msg_channel, BOOL dns_only)
 goto out;
 }
- status = add_wfp_block_filters(&m_hEngineHandle, index, openvpnpath,
- win_wfp_msg_handler, dns_only);
+ status =
+ add_wfp_block_filters(&m_hEngineHandle, index, openvpnpath, win_wfp_msg_handler, dns_only);
 if (status == 0)
 {
 int is_auto = 0;
@@ -1282,7 +1274,8 @@ win_wfp_uninit(const NET_IFINDEX index, const HANDLE msg_channel)
 return true;
 }
-typedef enum {
+typedef enum
+{
 ARCH_X86,
 ARCH_AMD64,
 ARCH_ARM64,
@@ -1296,9 +1289,9 @@ win32_get_arch(arch_t *process_arch, arch_t *host_arch)
 *process_arch = ARCH_UNKNOWN;
 *host_arch = ARCH_NATIVE;
- typedef BOOL (WINAPI *is_wow64_process2_t)(HANDLE, USHORT *, USHORT *);
- is_wow64_process2_t is_wow64_process2 = (is_wow64_process2_t)
- GetProcAddress(GetModuleHandle("Kernel32.dll"), "IsWow64Process2");
+ typedef BOOL(WINAPI * is_wow64_process2_t)(HANDLE, USHORT *, USHORT *);
+ is_wow64_process2_t is_wow64_process2 =
+ (is_wow64_process2_t)GetProcAddress(GetModuleHandle("Kernel32.dll"), "IsWow64Process2");
 USHORT process_machine = 0;
 USHORT native_machine = 0;
@@ -1310,8 +1303,7 @@ win32_get_arch(arch_t *process_arch, arch_t *host_arch)
 if (is_wow64_process2)
 {
 /* this could be amd64 on arm64 */
- BOOL is_wow64 = is_wow64_process2(GetCurrentProcess(),
- &process_machine, &native_machine);
+ BOOL is_wow64 = is_wow64_process2(GetCurrentProcess(), &process_machine, &native_machine);
 if (is_wow64 && native_machine == IMAGE_FILE_MACHINE_ARM64)
 {
 *host_arch = ARCH_ARM64;
@@ -1323,8 +1315,7 @@ win32_get_arch(arch_t *process_arch, arch_t *host_arch)
 if (is_wow64_process2)
 {
 /* check if we're running on arm64 or amd64 machine */
- BOOL is_wow64 = is_wow64_process2(GetCurrentProcess(),
- &process_machine, &native_machine);
+ BOOL is_wow64 = is_wow64_process2(GetCurrentProcess(), &process_machine, &native_machine);
 if (is_wow64)
 {
 switch (native_machine)
@@ -1383,7 +1374,7 @@ win32_print_arch(arch_t arch, struct buffer *out)
 }
 }
-typedef LONG (WINAPI *RtlGetVersionPtr)(PRTL_OSVERSIONINFOW);
+typedef LONG(WINAPI *RtlGetVersionPtr)(PRTL_OSVERSIONINFOW);
 const char *
 win32_version_string(struct gc_arena *gc)
@@ -1428,18 +1419,16 @@ win32_version_string(struct gc_arena *gc)
 }
 bool
-send_msg_iservice(HANDLE pipe, const void *data, size_t size,
- ack_message_t *ack, const char *context)
+send_msg_iservice(HANDLE pipe, const void *data, size_t size, ack_message_t *ack,
+ const char *context)
 {
 struct gc_arena gc = gc_new();
 DWORD len;
 bool ret = true;
- if (!WriteFile(pipe, data, size, &len, NULL)
- || !ReadFile(pipe, ack, sizeof(*ack), &len, NULL))
+ if (!WriteFile(pipe, data, size, &len, NULL) || !ReadFile(pipe, ack, sizeof(*ack), &len, NULL))
 {
- msg(M_WARN, "%s: could not talk to service: %s [%lu]",
- context ? context : "Unknown",
+ msg(M_WARN, "%s: could not talk to service: %s [%lu]", context ? context : "Unknown",
 strerror_win32(GetLastError(), &gc), GetLastError());
 ret = false;
 }
@@ -1487,14 +1476,13 @@ set_openssl_env_vars(void)
 install_path[wcslen(install_path) - 1] = L'\0';
 }
- static struct {
+ static struct
+ {
 WCHAR *name;
 WCHAR *value;
- } ossl_env[] = {
- {L"OPENSSL_CONF", L"openssl.cnf"},
- {L"OPENSSL_ENGINES", L"engines"},
- {L"OPENSSL_MODULES", L"modules"}
- };
+ } ossl_env[] = { { L"OPENSSL_CONF", L"openssl.cnf" },
+ { L"OPENSSL_ENGINES", L"engines" },
+ { L"OPENSSL_MODULES", L"modules" } };
 for (size_t i = 0; i < SIZE(ossl_env); ++i)
 {
@@ -1503,7 +1491,7 @@ set_openssl_env_vars(void)
 _wgetenv_s(&size, NULL, 0, ossl_env[i].name);
 if (size == 0)
 {
- WCHAR val[MAX_PATH] = {0};
+ WCHAR val[MAX_PATH] = { 0 };
 swprintf(val, _countof(val), L"%ls\\ssl\\%ls", install_path, ossl_env[i].value);
 _wputenv_s(ossl_env[i].name, val);
 }
@@ -1524,7 +1512,7 @@ win32_sleep(const int n)
 {
 if (n > 0)
 {
- Sleep(n*1000);
+ Sleep(n * 1000);
 }
 return;
 }
@@ -1534,9 +1522,8 @@ win32_sleep(const int n)
 while (expire >= now)
 {
- DWORD status = WaitForSingleObject(win32_signal.in.read, (expire-now)*1000);
- if ((status == WAIT_OBJECT_0 && win32_signal_get(&win32_signal))
- || status == WAIT_TIMEOUT)
+ DWORD status = WaitForSingleObject(win32_signal.in.read, (expire - now) * 1000);
+ if ((status == WAIT_OBJECT_0 && win32_signal_get(&win32_signal)) || status == WAIT_TIMEOUT)
 {
 return;
 }
@@ -1547,7 +1534,7 @@ win32_sleep(const int n)
 {
 if (expire > now)
 {
- Sleep((expire-now)*1000);
+ Sleep((expire - now) * 1000);
 }
 return;
 }
@@ -1599,8 +1586,8 @@ plugin_in_trusted_dir(const WCHAR *plugin_path)
 }
 /* Check if the plugin path resides within the plugin/install directory */
- if ((wcslen(normalized_plugin_dir) > 0) && (wcsnicmp(normalized_plugin_dir,
- plugin_path, wcslen(normalized_plugin_dir)) == 0))
+ if ((wcslen(normalized_plugin_dir) > 0)
+ && (wcsnicmp(normalized_plugin_dir, plugin_path, wcslen(normalized_plugin_dir)) == 0))
 {
 return true;
 }
diff --git a/src/openvpn/win32.h b/src/openvpn/win32.h
index 34d18c658..dbfa5bc74 100644
--- a/src/openvpn/win32.h
+++ b/src/openvpn/win32.h
@@ -34,12 +34,13 @@
 #include "win32-util.h"
 /* location of executables */
-#define SYS_PATH_ENV_VAR_NAME "SystemRoot" /* environmental variable name that normally contains the system path */
-#define NETSH_PATH_SUFFIX "\\system32\\netsh.exe"
-#define WIN_ROUTE_PATH_SUFFIX "\\system32\\route.exe"
+#define SYS_PATH_ENV_VAR_NAME \
+ "SystemRoot" /* environmental variable name that normally contains the system path */
+#define NETSH_PATH_SUFFIX "\\system32\\netsh.exe"
+#define WIN_ROUTE_PATH_SUFFIX "\\system32\\route.exe"
 #define WIN_IPCONFIG_PATH_SUFFIX "\\system32\\ipconfig.exe"
-#define WIN_NET_PATH_SUFFIX "\\system32\\net.exe"
-#define WMIC_PATH_SUFFIX "\\system32\\wbem\\wmic.exe"
+#define WIN_NET_PATH_SUFFIX "\\system32\\net.exe"
+#define WMIC_PATH_SUFFIX "\\system32\\wbem\\wmic.exe"
 /*
 * Win32-specific OpenVPN code, targeted at the mingw
@@ -75,7 +76,8 @@ struct window_title
 char old_window_title[256];
 };
-struct rw_handle {
+struct rw_handle
+{
 HANDLE read;
 HANDLE write;
 };
@@ -84,8 +86,8 @@ struct rw_handle {
 * Event-based notification of incoming TCP connections
 */
-#define NE32_PERSIST_EVENT (1<<0)
-#define NE32_WRITE_EVENT (1<<1)
+#define NE32_PERSIST_EVENT (1 << 0)
+#define NE32_WRITE_EVENT (1 << 1)
 static inline bool
 defined_net_event_win32(const struct rw_handle *event)
@@ -93,7 +95,8 @@ defined_net_event_win32(const struct rw_handle *event)
 return event->read != NULL;
 }
-void init_net_event_win32(struct rw_handle *event, long network_events, socket_descriptor_t sd, unsigned int flags);
+void init_net_event_win32(struct rw_handle *event, long network_events, socket_descriptor_t sd,
+ unsigned int flags);
 long reset_net_event_win32(struct rw_handle *event, socket_descriptor_t sd);
@@ -149,7 +152,8 @@ net_event_win32_clear_selected_events(struct net_event_win32 *ne, long selected_
 /*
 * Signal handling
 */
-struct win32_signal {
+struct win32_signal
+{
 #define WSO_MODE_UNDEF 0
 #define WSO_MODE_SERVICE 1
 #define WSO_MODE_CONSOLE 2
@@ -169,10 +173,8 @@ void win32_signal_clear(struct win32_signal *ws); #define WSO_FORCE_SERVICE 1 #define WSO_FORCE_CONSOLE 2 -void win32_signal_open(struct win32_signal *ws, - int force, /* set to WSO force parm */ - const char *exit_event_name, - bool exit_event_initial_state); +void win32_signal_open(struct win32_signal *ws, int force, /* set to WSO force parm */ + const char *exit_event_name, bool exit_event_initial_state); void win32_signal_close(struct win32_signal *ws); @@ -198,17 +200,19 @@ void window_title_generate(const char *title); * We try to do all Win32 I/O using overlapped * (i.e. asynchronous) I/O for a performance win. */ -struct overlapped_io { +struct overlapped_io +{ #define IOSTATE_INITIAL 0 -#define IOSTATE_QUEUED 1 /* overlapped I/O has been queued */ -#define IOSTATE_IMMEDIATE_RETURN 2 /* I/O function returned immediately without queueing */ +#define IOSTATE_QUEUED 1 /* overlapped I/O has been queued */ +#define IOSTATE_IMMEDIATE_RETURN 2 /* I/O function returned immediately without queueing */ int iostate; OVERLAPPED overlapped; DWORD size; DWORD flags; int status; bool addr_defined; - union { + union + { struct sockaddr_in addr; struct sockaddr_in6 addr6; }; @@ -217,9 +221,7 @@ struct overlapped_io { struct buffer buf; }; -void overlapped_io_init(struct overlapped_io *o, - const struct frame *frame, - BOOL event_state); +void overlapped_io_init(struct overlapped_io *o, const struct frame *frame, BOOL event_state); void overlapped_io_close(struct overlapped_io *o); 
@@ -304,14 +306,13 @@ const char *win32_version_string(struct gc_arena *gc); * and read the result in |ack|. Returns false on communication error. * The string in |context| is used to prefix error messages. */ -bool send_msg_iservice(HANDLE pipe, const void *data, size_t size, - ack_message_t *ack, const char *context); +bool send_msg_iservice(HANDLE pipe, const void *data, size_t size, ack_message_t *ack, + const char *context); /* * Attempt to simulate fork/execve on Windows */ -int -openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned int flags); +int openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned int flags); /* Sleep that can be interrupted by signals and exit event */ void win32_sleep(const int n); @@ -324,8 +325,7 @@ void win32_sleep(const int n); * @param size Size of `value` buffer in bytes. * @return `true` if successful, `false` otherwise. */ -bool -get_openvpn_reg_value(const WCHAR *key, WCHAR *value, DWORD size); +bool get_openvpn_reg_value(const WCHAR *key, WCHAR *value, DWORD size); /** * @brief Checks if a plugin is located in a trusted directory. @@ -340,8 +340,7 @@ get_openvpn_reg_value(const WCHAR *key, WCHAR *value, DWORD size); * @param plugin_path Normalized path to the plugin. * @return \c true if the plugin is in a trusted directory and not a UNC path; \c false otherwise. */ -bool -plugin_in_trusted_dir(const WCHAR *plugin_path); +bool plugin_in_trusted_dir(const WCHAR *plugin_path); /** * Encrypt a region of memory using CryptProtectMemory() @@ -351,8 +350,7 @@ plugin_in_trusted_dir(const WCHAR *plugin_path); * - len number of bytes to encrypt -- must be a multiple of * CRYPTPROTECTMEMORY_BLOCK_SIZE = 16 */ -bool -protect_buffer_win32(char *buf, size_t len); +bool protect_buffer_win32(char *buf, size_t len); /** * Decrypt a previously encrypted region of memory using CryptUnProtectMemory() 
@@ -362,8 +360,7 @@ protect_buffer_win32(char *buf, size_t len); * - len number of bytes to encrypt -- must be a multiple of * CRYPTPROTECTMEMORY_BLOCK_SIZE = 16 */ -bool -unprotect_buffer_win32(char *buf, size_t len); +bool unprotect_buffer_win32(char *buf, size_t len); #endif /* ifndef OPENVPN_WIN32_H */ #endif /* ifdef _WIN32 */ diff --git a/src/openvpn/xkey_common.h b/src/openvpn/xkey_common.h index 111596ea8..3d65e1f82 100644 --- a/src/openvpn/xkey_common.h +++ b/src/openvpn/xkey_common.h @@ -46,12 +46,13 @@ OSSL_provider_init_fn xkey_provider_init; * Struct to encapsulate signature algorithm parameters to pass * to sign operation. */ -typedef struct { +typedef struct +{ const char *padmode; /**< "pkcs1", "pss" or "none" */ - const char *mdname; /**< "SHA256" or "SHA2-256" etc. */ + const char *mdname; /**< "SHA256" or "SHA2-256" etc. */ const char *saltlen; /**< "digest", "auto" or "max" */ const char *keytype; /**< "EC" or "RSA" */ - const char *op; /**< "Sign" or "DigestSign" */ + const char *op; /**< "Sign" or "DigestSign" */ } XKEY_SIGALG; /** @@ -78,15 +79,14 @@ typedef struct { * before signing. The digest algorithm used (or to be used) is passed in the sigalg * structure. */ -typedef int (XKEY_EXTERNAL_SIGN_fn)(void *handle, unsigned char *sig, size_t *siglen, - const unsigned char *tbs, size_t tbslen, - XKEY_SIGALG sigalg); +typedef int(XKEY_EXTERNAL_SIGN_fn)(void *handle, unsigned char *sig, size_t *siglen, + const unsigned char *tbs, size_t tbslen, XKEY_SIGALG sigalg); /** * Signature of private key free function callback used * to free the opaque private key handle obtained from the * backend. Not required for management-external-key. */ -typedef void (XKEY_PRIVKEY_FREE_fn)(void *handle); +typedef void(XKEY_PRIVKEY_FREE_fn)(void *handle); /** * Generate an encapsulated EVP_PKEY for management-external-key 
@@ -115,9 +115,8 @@ EVP_PKEY *xkey_load_management_key(OSSL_LIB_CTX *libctx, EVP_PKEY *pubkey); * to the required size and false is returned. * */ -bool -encode_pkcs1(unsigned char *enc, size_t *enc_len, const char *mdname, - const unsigned char *tbs, size_t tbslen); +bool encode_pkcs1(unsigned char *enc, size_t *enc_len, const char *mdname, const unsigned char *tbs, + size_t tbslen); /** * Compute message digest @@ -133,9 +132,8 @@ encode_pkcs1(unsigned char *enc, size_t *enc_len, const char *mdname, * On successful return *buflen is set to the actual size of the result. * TIP: EVP_MD_MAX_SIZE should be enough capacity of buf for al algorithms. */ -int -xkey_digest(const unsigned char *src, size_t srclen, unsigned char *buf, - size_t *buflen, const char *mdname); +int xkey_digest(const unsigned char *src, size_t srclen, unsigned char *buf, size_t *buflen, + const char *mdname); /** * Load a generic external key with custom sign and free ops @@ -150,9 +148,8 @@ xkey_digest(const unsigned char *src, size_t srclen, unsigned char *buf, * IMPORTANT: a reference to the handle is retained by the provider and * relased by calling free_op. The caller should not free it. */ -EVP_PKEY * -xkey_load_generic_key(OSSL_LIB_CTX *libctx, void *handle, EVP_PKEY *pubkey, - XKEY_EXTERNAL_SIGN_fn *sign_op, XKEY_PRIVKEY_FREE_fn *free_op); +EVP_PKEY *xkey_load_generic_key(OSSL_LIB_CTX *libctx, void *handle, EVP_PKEY *pubkey, + XKEY_EXTERNAL_SIGN_fn *sign_op, XKEY_PRIVKEY_FREE_fn *free_op); extern OSSL_LIB_CTX *tls_libctx; /* Global */ @@ -166,7 +163,7 @@ extern OSSL_LIB_CTX *tls_libctx; /* Global */ static inline int xkey_max_saltlen(int modBits, int hLen) { - int emLen = (modBits - 1 + 7)/8; /* ceil((modBits - 1)/8) */ + int emLen = (modBits - 1 + 7) / 8; /* ceil((modBits - 1)/8) */ return emLen - hLen - 2; } 
@@ -181,8 +178,7 @@ xkey_max_saltlen(int modBits, int hLen) * @returns the size of the converted signature or <= 0 on error. * On success, buf is overwritten by its DER encoding */ -int -ecdsa_bin2der(unsigned char *buf, int len, size_t capacity); +int ecdsa_bin2der(unsigned char *buf, int len, size_t capacity); #endif /* HAVE_XKEY_PROVIDER */ diff --git a/src/openvpn/xkey_helper.c b/src/openvpn/xkey_helper.c index 487bfe644..f4a994824 100644 --- a/src/openvpn/xkey_helper.c +++ b/src/openvpn/xkey_helper.c @@ -59,8 +59,8 @@ print_openssl_errors(void) /** helper to compute digest */ int -xkey_digest(const unsigned char *src, size_t srclen, unsigned char *buf, - size_t *buflen, const char *mdname) +xkey_digest(const unsigned char *src, size_t srclen, unsigned char *buf, size_t *buflen, + const char *mdname) { dmsg(D_XKEY, "In xkey_digest"); EVP_MD *md = EVP_MD_fetch(NULL, mdname, NULL); /* from default context */ @@ -70,7 +70,7 @@ xkey_digest(const unsigned char *src, size_t srclen, unsigned char *buf, return 0; } - unsigned int len = (unsigned int) *buflen; + unsigned int len = (unsigned int)*buflen; if (EVP_Digest(src, srclen, buf, &len, md, NULL) != 1) { msg(M_WARN, "WARN: xkey_digest: EVP_Digest failed"); 
@@ -121,18 +121,17 @@ xkey_load_generic_key(OSSL_LIB_CTX *libctx, void *handle, EVP_PKEY *pubkey, /* UTF8 string pointers in here are only read from, so cast is safe */ OSSL_PARAM params[] = { - {"xkey-origin", OSSL_PARAM_UTF8_STRING, (char *) origin, 0, 0}, - {"pubkey", OSSL_PARAM_OCTET_STRING, &pubkey, sizeof(pubkey), 0}, - {"handle", OSSL_PARAM_OCTET_PTR, &handle, sizeof(handle), 0}, - {"sign_op", OSSL_PARAM_OCTET_PTR, (void **) &sign_op, sizeof(sign_op), 0}, - {"free_op", OSSL_PARAM_OCTET_PTR, (void **) &free_op, sizeof(free_op), 0}, - {NULL, 0, NULL, 0, 0} + { "xkey-origin", OSSL_PARAM_UTF8_STRING, (char *)origin, 0, 0 }, + { "pubkey", OSSL_PARAM_OCTET_STRING, &pubkey, sizeof(pubkey), 0 }, + { "handle", OSSL_PARAM_OCTET_PTR, &handle, sizeof(handle), 0 }, + { "sign_op", OSSL_PARAM_OCTET_PTR, (void **)&sign_op, sizeof(sign_op), 0 }, + { "free_op", OSSL_PARAM_OCTET_PTR, (void **)&free_op, sizeof(free_op), 0 }, + { NULL, 0, NULL, 0, 0 } }; /* Do not use EVP_PKEY_new_from_pkey as that will take keymgmt from pubkey */ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(libctx, EVP_PKEY_get0_type_name(pubkey), props); - if (!ctx - || EVP_PKEY_fromdata_init(ctx) != 1 + if (!ctx || EVP_PKEY_fromdata_init(ctx) != 1 || EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) != 1) { print_openssl_errors(); 
@@ -161,13 +160,12 @@ xkey_load_generic_key(OSSL_LIB_CTX *libctx, void *handle, EVP_PKEY *pubkey, * @return signature length or -1 on error. */ int -xkey_management_sign(void *unused, unsigned char *sig, size_t *siglen, - const unsigned char *tbs, size_t tbslen, XKEY_SIGALG alg) +xkey_management_sign(void *unused, unsigned char *sig, size_t *siglen, const unsigned char *tbs, + size_t tbslen, XKEY_SIGALG alg) { - dmsg(D_XKEY, "In xkey_management_sign with keytype = %s, op = %s", - alg.keytype, alg.op); + dmsg(D_XKEY, "In xkey_management_sign with keytype = %s, op = %s", alg.keytype, alg.op); - (void) unused; + (void)unused; char alg_str[128]; unsigned char buf[EVP_MAX_MD_SIZE]; /* for computing digest if required */ size_t buflen = sizeof(buf); @@ -228,8 +226,7 @@ xkey_management_sign(void *unused, unsigned char *sig, size_t *siglen, /* For undigested message, add hashalg=digest parameter */ else { - snprintf(alg_str, sizeof(alg_str), "%s,hashalg=%s", - "RSA_PKCS1_PADDING", alg.mdname); + snprintf(alg_str, sizeof(alg_str), "%s,hashalg=%s", "RSA_PKCS1_PADDING", alg.mdname); } } else if (!strcmp(alg.padmode, "none") && (flags & MF_EXTERNAL_KEY_NOPADDING) @@ -239,13 +236,12 @@ xkey_management_sign(void *unused, unsigned char *sig, size_t *siglen, } else if (!strcmp(alg.padmode, "pss") && (flags & MF_EXTERNAL_KEY_PSSPAD)) { - snprintf(alg_str, sizeof(alg_str), "%s,hashalg=%s,saltlen=%s", - "RSA_PKCS1_PSS_PADDING", alg.mdname, alg.saltlen); + snprintf(alg_str, sizeof(alg_str), "%s,hashalg=%s,saltlen=%s", "RSA_PKCS1_PSS_PADDING", + alg.mdname, alg.saltlen); } else { - msg(M_NONFATAL, "RSA padding mode not supported by management-client <%s>", - alg.padmode); + msg(M_NONFATAL, "RSA padding mode not supported by management-client <%s>", alg.padmode); return 0; } 
@@ -260,7 +256,7 @@ xkey_management_sign(void *unused, unsigned char *sig, size_t *siglen, char *out_b64 = NULL; int len = -1; - int bencret = openvpn_base64_encode(tbs, (int) tbslen, &in_b64); + int bencret = openvpn_base64_encode(tbs, (int)tbslen, &in_b64); if (management && bencret > 0) { @@ -268,7 +264,7 @@ xkey_management_sign(void *unused, unsigned char *sig, size_t *siglen, } if (out_b64) { - len = openvpn_base64_decode(out_b64, sig, (int) *siglen); + len = openvpn_base64_decode(out_b64, sig, (int)*siglen); } free(in_b64); free(out_b64); @@ -295,8 +291,8 @@ xkey_management_sign(void *unused, unsigned char *sig, size_t *siglen, * to the required size and false is returned. */ bool -encode_pkcs1(unsigned char *enc, size_t *enc_len, const char *mdname, - const unsigned char *tbs, size_t tbslen) +encode_pkcs1(unsigned char *enc, size_t *enc_len, const char *mdname, const unsigned char *tbs, + size_t tbslen) { ASSERT(enc_len != NULL); ASSERT(tbs != NULL); 
@@ -309,32 +305,34 @@ encode_pkcs1(unsigned char *enc, size_t *enc_len, const char *mdname, * Also see the table in RFC 8017 section 9.2, Note 1. */ - const unsigned char sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, - 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14}; - const unsigned char sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, - 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}; - const unsigned char sha384[] = {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, - 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}; - const unsigned char sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, - 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}; - const unsigned char sha224[] = {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, - 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c}; - const unsigned char sha512_224[] = {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, - 0x01, 0x65, 0x03, 0x04, 0x02, 0x05, 0x05, 0x00, 0x04, 0x1c}; - const unsigned char sha512_256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, - 0x01, 0x65, 0x03, 0x04, 0x02, 0x06, 0x05, 0x00, 0x04, 0x20}; - - typedef struct { + const unsigned char sha1[] = { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, + 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 }; + const unsigned char sha256[] = { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, + 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 }; + const unsigned char sha384[] = { 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, + 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30 }; + const unsigned char sha512[] = { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, + 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40 }; + const unsigned char sha224[] = { 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, + 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c }; + const unsigned char sha512_224[] = { 0x30, 0x2d, 
0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, + 0x65, 0x03, 0x04, 0x02, 0x05, 0x05, 0x00, 0x04, 0x1c }; + const unsigned char sha512_256[] = { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, + 0x65, 0x03, 0x04, 0x02, 0x06, 0x05, 0x00, 0x04, 0x20 }; + + typedef struct + { const int nid; const unsigned char *header; size_t sz; } DIG_INFO; -#define MAKE_DI(x) {NID_ ## x, x, sizeof(x)} +#define MAKE_DI(x) { NID_##x, x, sizeof(x) } - DIG_INFO dinfo[] = {MAKE_DI(sha1), MAKE_DI(sha256), MAKE_DI(sha384), - MAKE_DI(sha512), MAKE_DI(sha224), MAKE_DI(sha512_224), - MAKE_DI(sha512_256), {0, NULL, 0}}; + DIG_INFO dinfo[] = { + MAKE_DI(sha1), MAKE_DI(sha256), MAKE_DI(sha384), MAKE_DI(sha512), + MAKE_DI(sha224), MAKE_DI(sha512_224), MAKE_DI(sha512_256), { 0, NULL, 0 } + }; size_t out_len = 0; bool ret = false; @@ -387,8 +385,7 @@ encode_pkcs1(unsigned char *enc, size_t *enc_len, const char *mdname, /* combine header and digest */ memcpy(enc, di->header, di->sz); memcpy(enc + di->sz, tbs, tbslen); - dmsg(D_XKEY, "encode_pkcs1: digest length = %zu encoded length = %zu", - tbslen, out_len); + dmsg(D_XKEY, "encode_pkcs1: digest length = %zu encoded length = %zu", tbslen, out_len); ret = true; } @@ -408,9 +405,9 @@ int ecdsa_bin2der(unsigned char *buf, int len, size_t capacity) { ECDSA_SIG *ecsig = NULL; - int rlen = len/2; + int rlen = len / 2; BIGNUM *r = BN_bin2bn(buf, rlen, NULL); - BIGNUM *s = BN_bin2bn(buf+rlen, rlen, NULL); + BIGNUM *s = BN_bin2bn(buf + rlen, rlen, NULL); if (!r || !s) { goto err; @@ -427,7 +424,7 @@ ecdsa_bin2der(unsigned char *buf, int len, size_t capacity) } int derlen = i2d_ECDSA_SIG(ecsig, NULL); - if (derlen > (int) capacity) + if (derlen > (int)capacity) { ECDSA_SIG_free(ecsig); msg(M_NONFATAL, "Error: DER encoded ECDSA signature is too long (%d)\n", derlen); diff --git a/src/openvpn/xkey_provider.c b/src/openvpn/xkey_provider.c index edd64d3d6..1819ab00f 100644 --- a/src/openvpn/xkey_provider.c +++ b/src/openvpn/xkey_provider.c 
@@ -46,15 +46,16 @@ static const char *provname = "OpenVPN External Key Provider"; typedef struct { - OSSL_LIB_CTX *libctx; /**< a child libctx for our own use */ + OSSL_LIB_CTX *libctx; /**< a child libctx for our own use */ } XKEY_PROVIDER_CTX; /* helper to print debug messages */ -#define xkey_dmsg(f, ...) \ - do { \ - dmsg(f|M_NOLF, "xkey_provider: In %s: ", __func__); \ - dmsg(f|M_NOPREFIX, __VA_ARGS__); \ - } while(0) +#define xkey_dmsg(f, ...) \ + do \ + { \ + dmsg(f | M_NOLF, "xkey_provider: In %s: ", __func__); \ + dmsg(f | M_NOPREFIX, __VA_ARGS__); \ + } while (0) typedef enum { @@ -93,7 +94,7 @@ typedef struct /** keydata handle free function of backend */ XKEY_PRIVKEY_FREE_fn *free; XKEY_PROVIDER_CTX *prov; - int refcount; /**< reference count */ + int refcount; /**< reference count */ } XKEY_KEYDATA; static inline const char * @@ -128,9 +129,8 @@ KEYSIZE(const XKEY_KEYDATA *key) * Helper sign function for native keys * Implemented using OpenSSL calls. */ -int -xkey_native_sign(XKEY_KEYDATA *key, unsigned char *sig, size_t *siglen, - const unsigned char *tbs, size_t tbslen, XKEY_SIGALG sigalg); +int xkey_native_sign(XKEY_KEYDATA *key, unsigned char *sig, size_t *siglen, + const unsigned char *tbs, size_t tbslen, XKEY_SIGALG sigalg); /* keymgmt provider */ @@ -150,8 +150,7 @@ static OSSL_FUNC_keymgmt_set_params_fn keymgmt_set_params; static OSSL_FUNC_keymgmt_query_operation_name_fn rsa_keymgmt_name; static OSSL_FUNC_keymgmt_query_operation_name_fn ec_keymgmt_name; -static int -keymgmt_import_helper(XKEY_KEYDATA *key, const OSSL_PARAM params[]); +static int keymgmt_import_helper(XKEY_KEYDATA *key, const OSSL_PARAM params[]); static XKEY_KEYDATA * keydata_new(void) 
@@ -273,9 +272,8 @@ keymgmt_import(void *keydata, int selection, const OSSL_PARAM params[], const ch int selection_pub = selection & ~OSSL_KEYMGMT_SELECT_PRIVATE_KEY; EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(key->prov->libctx, name, NULL); - if (!ctx - || (EVP_PKEY_fromdata_init(ctx) != 1) - || (EVP_PKEY_fromdata(ctx, &pkey, selection_pub, (OSSL_PARAM *) params) !=1)) + if (!ctx || (EVP_PKEY_fromdata_init(ctx) != 1) + || (EVP_PKEY_fromdata(ctx, &pkey, selection_pub, (OSSL_PARAM *)params) != 1)) { msg(M_WARN, "Error: keymgmt_import failed for key type <%s>", name); if (pkey) @@ -295,10 +293,10 @@ keymgmt_import(void *keydata, int selection, const OSSL_PARAM params[], const ch { /* create private key */ pkey = NULL; - if (EVP_PKEY_fromdata(ctx, &pkey, selection, (OSSL_PARAM *) params) == 1) + if (EVP_PKEY_fromdata(ctx, &pkey, selection, (OSSL_PARAM *)params) == 1) { key->handle = pkey; - key->free = (XKEY_PRIVKEY_FREE_fn *) EVP_PKEY_free; + key->free = (XKEY_PRIVKEY_FREE_fn *)EVP_PKEY_free; } } EVP_PKEY_CTX_free(ctx); @@ -419,12 +417,10 @@ keymgmt_gettable_params(void *provctx) { xkey_dmsg(D_XKEY, "entry"); - static OSSL_PARAM gettable[] = { - OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL), - OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL), - OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL), - OSSL_PARAM_END - }; + static OSSL_PARAM gettable[] = { OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL), + OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL), + OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL), + OSSL_PARAM_END }; return gettable; } 
@@ -471,14 +467,14 @@ keymgmt_import_helper(XKEY_KEYDATA *key, const OSSL_PARAM *params) /* only check params we understand and ignore the rest */ p = OSSL_PARAM_locate_const(params, "pubkey"); /*setting pubkey on our keydata */ - if (p && p->data_type == OSSL_PARAM_OCTET_STRING - && p->data_size == sizeof(pkey)) + if (p && p->data_type == OSSL_PARAM_OCTET_STRING && p->data_size == sizeof(pkey)) { pkey = *(EVP_PKEY **)p->data; ASSERT(pkey); int id = EVP_PKEY_get_id(pkey); - if (id != EVP_PKEY_RSA && id != EVP_PKEY_EC && id != EVP_PKEY_ED25519 && id != EVP_PKEY_ED448) + if (id != EVP_PKEY_RSA && id != EVP_PKEY_EC && id != EVP_PKEY_ED25519 + && id != EVP_PKEY_ED448) { msg(M_WARN, "Error: xkey keymgmt_import: unknown key type (%d)", id); return 0; @@ -493,8 +489,7 @@ keymgmt_import_helper(XKEY_KEYDATA *key, const OSSL_PARAM *params) } p = OSSL_PARAM_locate_const(params, "handle"); /*setting privkey */ - if (p && p->data_type == OSSL_PARAM_OCTET_PTR - && p->data_size == sizeof(key->handle)) + if (p && p->data_type == OSSL_PARAM_OCTET_PTR && p->data_size == sizeof(key->handle)) { key->handle = *(void **)p->data; /* caller should keep the reference alive until we call free */ @@ -502,8 +497,7 @@ keymgmt_import_helper(XKEY_KEYDATA *key, const OSSL_PARAM *params) } p = OSSL_PARAM_locate_const(params, "sign_op"); /*setting sign_op */ - if (p && p->data_type == OSSL_PARAM_OCTET_PTR - && p->data_size == sizeof(key->sign)) + if (p && p->data_type == OSSL_PARAM_OCTET_PTR && p->data_size == sizeof(key->sign)) { key->sign = *(void **)p->data; ASSERT(key->sign); /* fix your params array */ @@ -511,8 +505,7 @@ keymgmt_import_helper(XKEY_KEYDATA *key, const OSSL_PARAM *params) /* optional parameters */ p = OSSL_PARAM_locate_const(params, "free_op"); /*setting free_op */ - if (p && p->data_type == OSSL_PARAM_OCTET_PTR - && p->data_size == sizeof(key->free)) + if (p && p->data_type == OSSL_PARAM_OCTET_PTR && p->data_size == sizeof(key->free)) { key->free = *(void **)p->data; } 
@@ -586,75 +579,80 @@ ec_keymgmt_name(int id) } static const OSSL_DISPATCH rsa_keymgmt_functions[] = { - {OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))keymgmt_new}, - {OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))keymgmt_free}, - {OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))keymgmt_load}, - {OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))keymgmt_has}, - {OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))keymgmt_match}, - {OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))rsa_keymgmt_import}, - {OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))keymgmt_import_types}, - {OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params}, - {OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*)(void))keymgmt_get_params}, - {OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*)(void))keymgmt_set_params}, - {OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params}, /* same as gettable */ - {OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME, (void (*)(void))rsa_keymgmt_name}, - {0, NULL } + { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))keymgmt_new }, + { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))keymgmt_free }, + { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))keymgmt_load }, + { OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))keymgmt_has }, + { OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))keymgmt_match }, + { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))rsa_keymgmt_import }, + { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))keymgmt_import_types }, + { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params }, + { OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*)(void))keymgmt_get_params }, + { OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*)(void))keymgmt_set_params }, + { OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, + (void (*)(void))keymgmt_gettable_params }, /* same as gettable */ + { OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME, (void (*)(void))rsa_keymgmt_name }, + { 0, NULL } }; static const OSSL_DISPATCH ec_keymgmt_functions[] = { - {OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))keymgmt_new}, - {OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))keymgmt_free}, - 
{OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))keymgmt_load}, - {OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))keymgmt_has}, - {OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))keymgmt_match}, - {OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))ec_keymgmt_import}, - {OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))keymgmt_import_types}, - {OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params}, - {OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*)(void))keymgmt_get_params}, - {OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*)(void))keymgmt_set_params}, - {OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params}, /* same as gettable */ - {OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME, (void (*)(void))ec_keymgmt_name}, - {0, NULL } + { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))keymgmt_new }, + { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))keymgmt_free }, + { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))keymgmt_load }, + { OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))keymgmt_has }, + { OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))keymgmt_match }, + { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))ec_keymgmt_import }, + { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))keymgmt_import_types }, + { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params }, + { OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*)(void))keymgmt_get_params }, + { OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*)(void))keymgmt_set_params }, + { OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, + (void (*)(void))keymgmt_gettable_params }, /* same as gettable */ + { OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME, (void (*)(void))ec_keymgmt_name }, + { 0, NULL } }; static const OSSL_DISPATCH ed448_keymgmt_functions[] = { - {OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))keymgmt_new}, - {OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))keymgmt_free}, - {OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))keymgmt_load}, - {OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))keymgmt_has}, - {OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))keymgmt_match}, - {OSSL_FUNC_KEYMGMT_IMPORT, (void 
(*)(void))ed448_keymgmt_import}, - {OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))keymgmt_import_types}, - {OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params}, - {OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*)(void))keymgmt_get_params}, - {OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*)(void))keymgmt_set_params}, - {OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params}, /* same as gettable */ - {0, NULL } + { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))keymgmt_new }, + { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))keymgmt_free }, + { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))keymgmt_load }, + { OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))keymgmt_has }, + { OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))keymgmt_match }, + { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))ed448_keymgmt_import }, + { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))keymgmt_import_types }, + { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params }, + { OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*)(void))keymgmt_get_params }, + { OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*)(void))keymgmt_set_params }, + { OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, + (void (*)(void))keymgmt_gettable_params }, /* same as gettable */ + { 0, NULL } }; static const OSSL_DISPATCH ed25519_keymgmt_functions[] = { - {OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))keymgmt_new}, - {OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))keymgmt_free}, - {OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))keymgmt_load}, - {OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))keymgmt_has}, - {OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))keymgmt_match}, - {OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))ed25519_keymgmt_import}, - {OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))keymgmt_import_types}, - {OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params}, - {OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*)(void))keymgmt_get_params}, - {OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*)(void))keymgmt_set_params}, - {OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (void 
(*)(void))keymgmt_gettable_params}, /* same as gettable */ - {0, NULL } + { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))keymgmt_new }, + { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))keymgmt_free }, + { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))keymgmt_load }, + { OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))keymgmt_has }, + { OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))keymgmt_match }, + { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))ed25519_keymgmt_import }, + { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))keymgmt_import_types }, + { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params }, + { OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*)(void))keymgmt_get_params }, + { OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*)(void))keymgmt_set_params }, + { OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, + (void (*)(void))keymgmt_gettable_params }, /* same as gettable */ + { 0, NULL } }; const OSSL_ALGORITHM keymgmts[] = { - {"RSA:rsaEncryption", XKEY_PROV_PROPS, rsa_keymgmt_functions, "OpenVPN xkey RSA Key Manager"}, - {"RSA-PSS:RSASSA-PSS", XKEY_PROV_PROPS, rsa_keymgmt_functions, "OpenVPN xkey RSA-PSS Key Manager"}, - {"EC:id-ecPublicKey", XKEY_PROV_PROPS, ec_keymgmt_functions, "OpenVPN xkey EC Key Manager"}, - {"ED448", XKEY_PROV_PROPS, ed448_keymgmt_functions, "OpenVPN xkey ED448 Key Manager"}, - {"ED25519", XKEY_PROV_PROPS, ed25519_keymgmt_functions, "OpenVPN xkey ED25519 Key Manager"}, - {NULL, NULL, NULL, NULL} + { "RSA:rsaEncryption", XKEY_PROV_PROPS, rsa_keymgmt_functions, "OpenVPN xkey RSA Key Manager" }, + { "RSA-PSS:RSASSA-PSS", XKEY_PROV_PROPS, rsa_keymgmt_functions, + "OpenVPN xkey RSA-PSS Key Manager" }, + { "EC:id-ecPublicKey", XKEY_PROV_PROPS, ec_keymgmt_functions, "OpenVPN xkey EC Key Manager" }, + { "ED448", XKEY_PROV_PROPS, ed448_keymgmt_functions, "OpenVPN xkey ED448 Key Manager" }, + { "ED25519", XKEY_PROV_PROPS, ed25519_keymgmt_functions, "OpenVPN xkey ED25519 Key Manager" }, + { NULL, NULL, NULL, NULL } }; 
@@ -681,29 +679,39 @@ typedef struct XKEY_SIGALG sigalg; } XKEY_SIGNATURE_CTX; -static const XKEY_SIGALG default_sigalg = { .mdname = "MD5-SHA1", .saltlen = "digest", - .padmode = "pkcs1", .keytype = "RSA"}; +static const XKEY_SIGALG default_sigalg = { + .mdname = "MD5-SHA1", .saltlen = "digest", .padmode = "pkcs1", .keytype = "RSA" +}; -const struct { +const struct +{ int nid; const char *name; -} digest_names[] = {{NID_md5_sha1, "MD5-SHA1"}, {NID_sha1, "SHA1"}, - {NID_sha224, "SHA224", }, {NID_sha256, "SHA256"}, {NID_sha384, "SHA384"}, - {NID_sha512, "SHA512"}, {0, NULL}}; +} digest_names[] = { { NID_md5_sha1, "MD5-SHA1" }, + { NID_sha1, "SHA1" }, + { + NID_sha224, + "SHA224", + }, + { NID_sha256, "SHA256" }, + { NID_sha384, "SHA384" }, + { NID_sha512, "SHA512" }, + { 0, NULL } }; /* Use of NIDs as opposed to EVP_MD_fetch is okay here * as these are only used for converting names passed in * by OpenSSL to const strings. */ -static struct { +static struct +{ int id; const char *name; -} padmode_names[] = {{RSA_PKCS1_PADDING, "pkcs1"}, - {RSA_PKCS1_PSS_PADDING, "pss"}, - {RSA_NO_PADDING, "none"}, - {0, NULL}}; +} padmode_names[] = { { RSA_PKCS1_PADDING, "pkcs1" }, + { RSA_PKCS1_PSS_PADDING, "pss" }, + { RSA_NO_PADDING, "none" }, + { 0, NULL } }; -static const char *saltlen_names[] = {"digest", "max", "auto", NULL}; +static const char *saltlen_names[] = { "digest", "max", "auto", NULL }; /* Return a string literal for digest name - normalizes * alternate names like SHA2-256 to SHA256 etc. @@ -724,7 +732,7 @@ xkey_mdname(const char *name) { i++; } - return digest_names[i].name ? digest_names[i].name : "MD5-SHA1"; + return digest_names[i].name ? digest_names[i].name : "MD5-SHA1"; } static void * @@ -732,7 +740,7 @@ signature_newctx(void *provctx, const char *propq) { xkey_dmsg(D_XKEY, "entry"); - (void) propq; /* unused */ + (void)propq; /* unused */ XKEY_SIGNATURE_CTX *sctx = OPENSSL_zalloc(sizeof(*sctx)); if (!sctx) 
@@ -767,8 +775,7 @@ signature_settable_ctx_params(void *ctx, void *provctx) static OSSL_PARAM settable[] = { OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), - OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), - OSSL_PARAM_END + OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), OSSL_PARAM_END }; return settable; @@ -784,7 +791,7 @@ signature_set_ctx_params(void *ctx, const OSSL_PARAM params[]) if (params == NULL) { - return 1; /* not an error */ + return 1; /* not an error */ } p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PAD_MODE); if (p && p->data_type == OSSL_PARAM_UTF8_STRING) @@ -800,8 +807,7 @@ signature_set_ctx_params(void *ctx, const OSSL_PARAM params[]) } if (sctx->sigalg.padmode == NULL) { - msg(M_WARN, "xkey signature_ctx: padmode <%s>, treating as ", - (char *)p->data); + msg(M_WARN, "xkey signature_ctx: padmode <%s>, treating as ", (char *)p->data); sctx->sigalg.padmode = "none"; } xkey_dmsg(D_XKEY, "setting padmode as %s", sctx->sigalg.padmode); @@ -834,7 +840,7 @@ signature_set_ctx_params(void *ctx, const OSSL_PARAM params[]) } p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST); - if (p && p->data_type == OSSL_PARAM_UTF8_STRING) + if (p && p->data_type == OSSL_PARAM_UTF8_STRING) { sctx->sigalg.mdname = xkey_mdname(p->data); xkey_dmsg(D_XKEY, "setting hashalg as %s", sctx->sigalg.mdname); @@ -858,8 +864,7 @@ signature_set_ctx_params(void *ctx, const OSSL_PARAM params[]) } if (sctx->sigalg.saltlen == NULL) { - msg(M_WARN, "xkey_signature_params: unknown saltlen <%s>", - (char *)p->data); + msg(M_WARN, "xkey_signature_params: unknown saltlen <%s>", (char *)p->data); sctx->sigalg.saltlen = "digest"; /* most common */ } xkey_dmsg(D_XKEY, "setting saltlen to %s", sctx->sigalg.saltlen); 
@@ -924,7 +929,8 @@ xkey_sign_dispatch(XKEY_SIGNATURE_CTX *sctx, unsigned char *sig, size_t *siglen,
 else if (sign)
 {
 ret = sign(sctx->keydata->handle, sig, siglen, tbs, tbslen, sctx->sigalg);
- xkey_dmsg(D_XKEY, "xkey_provider: external sign op returned ret = %d siglen = %d", ret, (int) *siglen);
+ xkey_dmsg(D_XKEY, "xkey_provider: external sign op returned ret = %d siglen = %d", ret,
+ (int)*siglen);
 }
 else
 {
@@ -979,8 +985,7 @@ signature_digest_verify(void *ctx, const unsigned char *sig, size_t siglen,
 }
 
 static int
-signature_digest_sign_init(void *ctx, const char *mdname,
- void *provkey, const OSSL_PARAM params[])
+signature_digest_sign_init(void *ctx, const char *mdname, void *provkey, const OSSL_PARAM params[])
 {
 xkey_dmsg(D_XKEY, "mdname = <%s>", mdname);
 
@@ -1022,8 +1027,8 @@ signature_digest_sign_init(void *ctx, const char *mdname,
 }
 
 static int
-signature_digest_sign(void *ctx, unsigned char *sig, size_t *siglen,
- size_t sigsize, const unsigned char *tbs, size_t tbslen)
+signature_digest_sign(void *ctx, unsigned char *sig, size_t *siglen, size_t sigsize,
+ const unsigned char *tbs, size_t tbslen)
 {
 xkey_dmsg(D_XKEY, "entry");
 
@@ -1072,8 +1077,8 @@ signature_digest_sign(void *ctx, unsigned char *sig, size_t *siglen,
 
 /* Sign digest using native sign function -- will only work for native keys */
 int
-xkey_native_sign(XKEY_KEYDATA *key, unsigned char *sig, size_t *siglen,
- const unsigned char *tbs, size_t tbslen, XKEY_SIGALG sigalg)
+xkey_native_sign(XKEY_KEYDATA *key, unsigned char *sig, size_t *siglen, const unsigned char *tbs,
+ size_t tbslen, XKEY_SIGALG sigalg)
 {
 xkey_dmsg(D_XKEY, "entry");
 
@@ -1100,13 +1105,17 @@ xkey_native_sign(XKEY_KEYDATA *key, unsigned char *sig, size_t *si
 OSSL_PARAM params[6];
 if (EVP_PKEY_get_id(pkey) == EVP_PKEY_RSA)
 {
- params[i++] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, (char *)mdname, 0);
- params[i++] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, (char *)padmode, 0);
+ params[i++] =
+ OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, (char *)mdname, 0);
+ params[i++] =
+ OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, (char *)padmode, 0);
 if (!strcmp(sigalg.padmode, "pss"))
 {
- params[i++] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, (char *) saltlen, 0);
+ params[i++] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN,
+ (char *)saltlen, 0);
 /* same digest for mgf1 */
- params[i++] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, (char *) mdname, 0);
+ params[i++] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST,
+ (char *)mdname, 0);
 }
 }
 params[i++] = OSSL_PARAM_construct_end();
@@ -1133,27 +1142,27 @@ xkey_native_sign(XKEY_KEYDATA *key, unsigned char *sig, size_t *siglen,
 }
 
 static const OSSL_DISPATCH signature_functions[] = {
- {OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))signature_newctx},
- {OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))signature_freectx},
- {OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))signature_sign_init},
- {OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))signature_sign},
- {OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, (void (*)(void))signature_digest_verify_init},
- {OSSL_FUNC_SIGNATURE_DIGEST_VERIFY, (void (*)(void))signature_digest_verify},
- {OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, (void (*)(void))signature_digest_sign_init},
- {OSSL_FUNC_SIGNATURE_DIGEST_SIGN, (void (*)(void))signature_digest_sign},
- {OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))signature_set_ctx_params},
- {OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, (void (*)(void))signature_settable_ctx_params},
- {OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))signature_get_ctx_params},
- {OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, (void (*)(void))signature_gettable_ctx_params},
- {0, NULL }
+ { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))signature_newctx },
+ { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))signature_freectx },
+ { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))signature_sign_init },
+ { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))signature_sign },
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, (void (*)(void))signature_digest_verify_init },
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY, (void (*)(void))signature_digest_verify },
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, (void (*)(void))signature_digest_sign_init },
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN, (void (*)(void))signature_digest_sign },
+ { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))signature_set_ctx_params },
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, (void (*)(void))signature_settable_ctx_params },
+ { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))signature_get_ctx_params },
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, (void (*)(void))signature_gettable_ctx_params },
+ { 0, NULL }
 };
 
 const OSSL_ALGORITHM signatures[] = {
- {"RSA:rsaEncryption", XKEY_PROV_PROPS, signature_functions, "OpenVPN xkey RSA Signature"},
- {"ECDSA", XKEY_PROV_PROPS, signature_functions, "OpenVPN xkey ECDSA Signature"},
- {"ED448", XKEY_PROV_PROPS, signature_functions, "OpenVPN xkey Ed448 Signature"},
- {"ED25519", XKEY_PROV_PROPS, signature_functions, "OpenVPN xkey Ed25519 Signature"},
- {NULL, NULL, NULL, NULL}
+ { "RSA:rsaEncryption", XKEY_PROV_PROPS, signature_functions, "OpenVPN xkey RSA Signature" },
+ { "ECDSA", XKEY_PROV_PROPS, signature_functions, "OpenVPN xkey ECDSA Signature" },
+ { "ED448", XKEY_PROV_PROPS, signature_functions, "OpenVPN xkey Ed448 Signature" },
+ { "ED25519", XKEY_PROV_PROPS, signature_functions, "OpenVPN xkey Ed25519 Signature" },
+ { NULL, NULL, NULL, NULL }
 };
 
 /* main provider interface */
@@ -1192,8 +1201,7 @@ gettable_params(void *provctx)
 xkey_dmsg(D_XKEY, "entry");
 
 static const OSSL_PARAM param_types[] = {
- OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0),
- OSSL_PARAM_END
+ OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0), OSSL_PARAM_END
 };
 
 return param_types;
@@ -1228,11 +1236,11 @@ teardown(void *provctx)
 }
 
 static const OSSL_DISPATCH dispatch_table[] = {
- {OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))gettable_params},
- {OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))get_params},
- {OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))query_operation},
- {OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))teardown},
- {0, NULL}
+ { OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))gettable_params },
+ { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))get_params },
+ { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))query_operation },
+ { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))teardown },
+ { 0, NULL }
 };
 
 int
diff --git a/src/openvpnmsica/dllmain.c b/src/openvpnmsica/dllmain.c
index 7121c0210..e7d4a4b95 100644
--- a/src/openvpnmsica/dllmain.c
+++ b/src/openvpnmsica/dllmain.c
@@ -41,10 +41,7 @@ DWORD openvpnmsica_thread_data_idx = TLS_OUT_OF_INDEXES;
 * DLL entry point
 */
 BOOL WINAPI
-DllMain(
- _In_ HINSTANCE hinstDLL,
- _In_ DWORD dwReason,
- _In_ LPVOID lpReserved)
+DllMain(_In_ HINSTANCE hinstDLL, _In_ DWORD dwReason, _In_ LPVOID lpReserved)
 {
 UNREFERENCED_PARAMETER(hinstDLL);
 UNREFERENCED_PARAMETER(lpReserved);
@@ -58,12 +55,13 @@ DllMain(
 {
 return FALSE;
 }
- /* Fall through. */
+ /* Fall through. */
 
 case DLL_THREAD_ATTACH:
 {
 /* Create thread local storage data. */
- struct openvpnmsica_thread_data *s = (struct openvpnmsica_thread_data *)calloc(1, sizeof(struct openvpnmsica_thread_data));
+ struct openvpnmsica_thread_data *s = (struct openvpnmsica_thread_data *)calloc(
+ 1, sizeof(struct openvpnmsica_thread_data));
 if (s == NULL)
 {
 return FALSE;
@@ -107,7 +105,8 @@ x_msg_va(const unsigned int flags, const char *format, va_list arglist)
 /* Secure last error before it is overridden. */
 DWORD dwResult = (flags & M_ERRNO) != 0 ? GetLastError() : ERROR_SUCCESS;
 
- struct openvpnmsica_thread_data *s = (struct openvpnmsica_thread_data *)TlsGetValue(openvpnmsica_thread_data_idx);
+ struct openvpnmsica_thread_data *s =
+ (struct openvpnmsica_thread_data *)TlsGetValue(openvpnmsica_thread_data_idx);
 if (s->hInstall == 0)
 {
 /* No MSI session, no fun. */
@@ -160,16 +159,13 @@ x_msg_va(const unsigned int flags, const char *format, va_list arglist)
 
 /* Field 4: The Windows error description. */
 LPWSTR szErrMessage = NULL;
- if (FormatMessage(
- FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS,
- 0,
- dwResult,
- 0,
- (LPWSTR)&szErrMessage,
- 0,
- NULL) && szErrMessage)
+ if (FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER
+ | FORMAT_MESSAGE_IGNORE_INSERTS,
+ 0, dwResult, 0, (LPWSTR)&szErrMessage, 0, NULL)
+ && szErrMessage)
 {
- /* Trim trailing whitespace. Set terminator after the last non-whitespace character. This prevents excessive trailing line breaks. */
+ /* Trim trailing whitespace. Set terminator after the last non-whitespace character.
+ * This prevents excessive trailing line breaks. */
 for (size_t i = 0, i_last = 0;; i++)
 {
 if (szErrMessage[i])
@@ -190,6 +186,7 @@ x_msg_va(const unsigned int flags, const char *format, va_list arglist)
 }
 }
 
- MsiProcessMessage(s->hInstall, (flags & M_WARN) ? INSTALLMESSAGE_INFO : INSTALLMESSAGE_ERROR, hRecordProg);
+ MsiProcessMessage(s->hInstall, (flags & M_WARN) ? INSTALLMESSAGE_INFO : INSTALLMESSAGE_ERROR,
+ hRecordProg);
 MsiCloseHandle(hRecordProg);
 }
diff --git a/src/openvpnmsica/msica_arg.c b/src/openvpnmsica/msica_arg.c
index 46bef2bef..d750fb057 100644
--- a/src/openvpnmsica/msica_arg.c
+++ b/src/openvpnmsica/msica_arg.c
@@ -51,15 +51,14 @@ msica_arg_seq_free(_Inout_ struct msica_arg_seq *seq)
 
 
 void
-msica_arg_seq_add_head(
- _Inout_ struct msica_arg_seq *seq,
- _In_z_ LPCWSTR argument)
+msica_arg_seq_add_head(_Inout_ struct msica_arg_seq *seq, _In_z_ LPCWSTR argument)
 {
 size_t argument_size = (wcslen(argument) + 1) * sizeof(WCHAR);
 struct msica_arg *p = malloc(sizeof(struct msica_arg) + argument_size);
 if (p == NULL)
 {
- msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__, sizeof(struct msica_arg) + argument_size);
+ msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__,
+ sizeof(struct msica_arg) + argument_size);
 }
 memcpy(p->val, argument, argument_size);
 p->next = seq->head;
@@ -72,15 +71,14 @@ msica_arg_seq_add_head(
 
 
 void
-msica_arg_seq_add_tail(
- _Inout_ struct msica_arg_seq *seq,
- _Inout_ LPCWSTR argument)
+msica_arg_seq_add_tail(_Inout_ struct msica_arg_seq *seq, _Inout_ LPCWSTR argument)
 {
 size_t argument_size = (wcslen(argument) + 1) * sizeof(WCHAR);
 struct msica_arg *p = malloc(sizeof(struct msica_arg) + argument_size);
 if (p == NULL)
 {
- msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__, sizeof(struct msica_arg) + argument_size);
+ msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__,
+ sizeof(struct msica_arg) + argument_size);
 }
 memcpy(p->val, argument, argument_size);
 p->next = NULL;
@@ -110,10 +108,13 @@ msica_arg_seq_join(_In_ const struct msica_arg_seq *seq)
 
 #ifdef _MSC_VER
 #pragma warning(push)
-#pragma warning(disable: 4996) /* Using unsafe string functions: The space in s and termination of p->val has been implicitly verified at the beginning of this function. */
+#pragma warning( \
+ disable : 4996) /* Using unsafe string functions: The space in s and termination of p->val has \
+ been implicitly verified at the beginning of this function. */
 #endif
 
- /* Dummy argv[0] (i.e. executable name), for CommandLineToArgvW to work correctly when parsing this string. */
+ /* Dummy argv[0] (i.e. executable name), for CommandLineToArgvW to work correctly when parsing
+ * this string. */
 wcscpy(str, L"x");
 
 /* Join. */
diff --git a/src/openvpnmsica/msica_arg.h b/src/openvpnmsica/msica_arg.h
index c8f7595ac..858fdb6be 100644
--- a/src/openvpnmsica/msica_arg.h
+++ b/src/openvpnmsica/msica_arg.h
@@ -27,7 +27,7 @@
 
 #ifdef _MSC_VER
 #pragma warning(push)
-#pragma warning(disable: 4200) /* Using zero-sized arrays in struct/union. */
+#pragma warning(disable : 4200) /* Using zero-sized arrays in struct/union. */
 #endif
 
 
@@ -56,8 +56,7 @@ struct msica_arg_seq
 *
 * @param seq Pointer to uninitialized argument sequence
 */
-void
-msica_arg_seq_init(_Inout_ struct msica_arg_seq *seq);
+void msica_arg_seq_init(_Inout_ struct msica_arg_seq *seq);
 
 
 /**
@@ -65,8 +64,7 @@ msica_arg_seq_init(_Inout_ struct msica_arg_seq *seq);
 *
 * @param seq Pointer to the argument sequence
 */
-void
-msica_arg_seq_free(_Inout_ struct msica_arg_seq *seq);
+void msica_arg_seq_free(_Inout_ struct msica_arg_seq *seq);
 
 
 /**
@@ -76,10 +74,7 @@ msica_arg_seq_free(_Inout_ struct msica_arg_seq *seq);
 *
 * @param argument Zero-terminated argument string to insert.
 */
-void
-msica_arg_seq_add_head(
- _Inout_ struct msica_arg_seq *seq,
- _In_z_ LPCWSTR argument);
+void msica_arg_seq_add_head(_Inout_ struct msica_arg_seq *seq, _In_z_ LPCWSTR argument);
 
 
 /**
@@ -89,10 +84,7 @@ msica_arg_seq_add_head(
 *
 * @param argument Zero-terminated argument string to append.
 */
-void
-msica_arg_seq_add_tail(
- _Inout_ struct msica_arg_seq *seq,
- _Inout_ LPCWSTR argument);
+void msica_arg_seq_add_tail(_Inout_ struct msica_arg_seq *seq, _Inout_ LPCWSTR argument);
 
 /**
 * Join arguments of the argument sequence into a space delimited string
diff --git a/src/openvpnmsica/msiex.c b/src/openvpnmsica/msiex.c
index 3529e9a3e..12dc0db23 100644
--- a/src/openvpnmsica/msiex.c
+++ b/src/openvpnmsica/msiex.c
@@ -34,10 +34,7 @@
 
 
 UINT
-msi_get_string(
- _In_ MSIHANDLE hInstall,
- _In_z_ LPCWSTR szName,
- _Out_ LPWSTR *pszValue)
+msi_get_string(_In_ MSIHANDLE hInstall, _In_z_ LPCWSTR szName, _Out_ LPWSTR *pszValue)
 {
 if (pszValue == NULL)
 {
@@ -84,7 +81,8 @@ msi_get_string(
 }
 else
 {
- SetLastError(uiResult); /* MSDN does not mention MsiGetProperty() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(uiResult); /* MSDN does not mention MsiGetProperty() to set GetLastError(). But
+ we do have an error code. Set last error manually. */
 msg(M_NONFATAL | M_ERRNO, "%s: MsiGetProperty failed", __FUNCTION__);
 return uiResult;
 }
@@ -92,10 +90,7 @@ msi_get_string(
 
 
 UINT
-msi_get_record_string(
- _In_ MSIHANDLE hRecord,
- _In_ unsigned int iField,
- _Out_ LPWSTR *pszValue)
+msi_get_record_string(_In_ MSIHANDLE hRecord, _In_ unsigned int iField, _Out_ LPWSTR *pszValue)
 {
 if (pszValue == NULL)
 {
@@ -142,7 +137,8 @@ msi_get_record_string(
 }
 else
 {
- SetLastError(uiResult); /* MSDN does not mention MsiRecordGetString() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(uiResult); /* MSDN does not mention MsiRecordGetString() to set GetLastError().
+ But we do have an error code. Set last error manually. */
 msg(M_NONFATAL | M_ERRNO, "%s: MsiRecordGetString failed", __FUNCTION__);
 return uiResult;
 }
@@ -150,10 +146,7 @@ msi_get_record_string(
 
 
 UINT
-msi_format_record(
- _In_ MSIHANDLE hInstall,
- _In_ MSIHANDLE hRecord,
- _Out_ LPWSTR *pszValue)
+msi_format_record(_In_ MSIHANDLE hInstall, _In_ MSIHANDLE hRecord, _Out_ LPWSTR *pszValue)
 {
 if (pszValue == NULL)
 {
@@ -200,7 +193,8 @@ msi_format_record(
 }
 else
 {
- SetLastError(uiResult); /* MSDN does not mention MsiFormatRecord() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(uiResult); /* MSDN does not mention MsiFormatRecord() to set GetLastError().
+ But we do have an error code. Set last error manually. */
 msg(M_NONFATAL | M_ERRNO, "%s: MsiFormatRecord failed", __FUNCTION__);
 return uiResult;
 }
@@ -208,11 +202,8 @@ msi_format_record(
 
 
 UINT
-msi_format_field(
- _In_ MSIHANDLE hInstall,
- _In_ MSIHANDLE hRecord,
- _In_ unsigned int iField,
- _Out_ LPWSTR *pszValue)
+msi_format_field(_In_ MSIHANDLE hInstall, _In_ MSIHANDLE hRecord, _In_ unsigned int iField,
+ _Out_ LPWSTR *pszValue)
 {
 if (pszValue == NULL)
 {
@@ -246,7 +237,8 @@ msi_format_field(
 uiResult = MsiRecordSetString(hRecordEx, 0, szValue);
 if (uiResult != ERROR_SUCCESS)
 {
- SetLastError(uiResult); /* MSDN does not mention MsiRecordSetString() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(uiResult); /* MSDN does not mention MsiRecordSetString() to set GetLastError().
+ But we do have an error code. Set last error manually. */
 msg(M_NONFATAL | M_ERRNO, "%s: MsiRecordSetString failed", __FUNCTION__);
 goto cleanup_hRecordEx;
 }
diff --git a/src/openvpnmsica/msiex.h b/src/openvpnmsica/msiex.h
index d9afeb574..60c26b518 100644
--- a/src/openvpnmsica/msiex.h
+++ b/src/openvpnmsica/msiex.h
@@ -37,11 +37,7 @@
 *
 * @return ERROR_SUCCESS on success; Win32 error code otherwise
 */
-UINT
-msi_get_string(
- _In_ MSIHANDLE hInstall,
- _In_z_ LPCWSTR szName,
- _Out_ LPWSTR *pszValue);
+UINT msi_get_string(_In_ MSIHANDLE hInstall, _In_z_ LPCWSTR szName, _Out_ LPWSTR *pszValue);
 
 
 /**
@@ -56,11 +52,8 @@ msi_get_string(
 *
 * @return ERROR_SUCCESS on success; Win32 error code otherwise
 */
-UINT
-msi_get_record_string(
- _In_ MSIHANDLE hRecord,
- _In_ unsigned int iField,
- _Out_ LPWSTR *pszValue);
+UINT msi_get_record_string(_In_ MSIHANDLE hRecord, _In_ unsigned int iField,
+ _Out_ LPWSTR *pszValue);
 
 
 /**
@@ -78,11 +71,7 @@ msi_get_record_string(
 *
 * @return ERROR_SUCCESS on success; Win32 error code otherwise
 */
-UINT
-msi_format_record(
- _In_ MSIHANDLE hInstall,
- _In_ MSIHANDLE hRecord,
- _Out_ LPWSTR *pszValue);
+UINT msi_format_record(_In_ MSIHANDLE hInstall, _In_ MSIHANDLE hRecord, _Out_ LPWSTR *pszValue);
 
 
 /**
@@ -101,11 +90,7 @@ msi_format_record(
 *
 * @return ERROR_SUCCESS on success; Win32 error code otherwise
 */
-UINT
-msi_format_field(
- _In_ MSIHANDLE hInstall,
- _In_ MSIHANDLE hRecord,
- _In_ unsigned int iField,
- _Out_ LPWSTR *pszValue);
+UINT msi_format_field(_In_ MSIHANDLE hInstall, _In_ MSIHANDLE hRecord, _In_ unsigned int iField,
+ _Out_ LPWSTR *pszValue);
 
 #endif /* ifndef MSIHLP_H */
diff --git a/src/openvpnmsica/openvpnmsica.c b/src/openvpnmsica/openvpnmsica.c
index 8d860e2e9..7779a1e00 100644
--- a/src/openvpnmsica/openvpnmsica.c
+++ b/src/openvpnmsica/openvpnmsica.c
@@ -59,9 +59,9 @@
 */
 
 /** Amount of tick space to reserve for one TAP/TUN adapter creation/deletition. */
-#define MSICA_ADAPTER_TICK_SIZE (16 * 1024)
+#define MSICA_ADAPTER_TICK_SIZE (16 * 1024)
 
-#define FILE_NEED_REBOOT L".ovpn_need_reboot"
+#define FILE_NEED_REBOOT L".ovpn_need_reboot"
 
 #define OPENVPN_CONNECT_ADAPTER_SUBSTR L"OpenVPN Connect"
 
@@ -77,10 +77,7 @@
 * @return ERROR_SUCCESS on success; An error code otherwise
 */
 static UINT
-setup_sequence(
- _In_ MSIHANDLE hInstall,
- _In_z_ LPCWSTR szProperty,
- _In_ struct msica_arg_seq *seq)
+setup_sequence(_In_ MSIHANDLE hInstall, _In_z_ LPCWSTR szProperty, _In_ struct msica_arg_seq *seq)
 {
 UINT uiResult;
 LPWSTR szSequence = msica_arg_seq_join(seq);
@@ -110,12 +107,11 @@ setup_sequence(
 static void
 _debug_popup(_In_z_ LPCSTR szFunctionName)
 {
- WCHAR szTitle[0x100], szMessage[0x100+MAX_PATH], szProcessPath[MAX_PATH];
+ WCHAR szTitle[0x100], szMessage[0x100 + MAX_PATH], szProcessPath[MAX_PATH];
 
 /* Compose pop-up title. The dialog title will contain function name to ease the process
 * locating. Mind that Visual Studio displays window titles on the process list. */
- swprintf_s(szTitle, _countof(szTitle), L"%hs v%ls",
- szFunctionName, _L(PACKAGE_VERSION));
+ swprintf_s(szTitle, _countof(szTitle), L"%hs v%ls", szFunctionName, _L(PACKAGE_VERSION));
 
 /* Get process name. */
 GetModuleFileName(NULL, szProcessPath, _countof(szProcessPath));
@@ -131,9 +127,7 @@ _debug_popup(_In_z_ LPCSTR szFunctionName)
 L"If you would like to debug the custom action, attach a debugger to this process and set breakpoints before dismissing this dialog.\r\n"
 L"\r\n"
 L"If you are not debugging this custom action, you can safely ignore this message.",
- szProcessName,
- GetCurrentProcessId(),
- szFunctionName);
+ szProcessName, GetCurrentProcessId(), szFunctionName);
 
 MessageBox(NULL, szMessage, szTitle, MB_OK);
 }
@@ -144,11 +138,8 @@ _debug_popup(_In_z_ LPCSTR szFunctionName)
 #endif /* ifdef _DEBUG */
 
 static void
-find_adapters(
- _In_ MSIHANDLE hInstall,
- _In_z_ LPCWSTR szzHardwareIDs,
- _In_z_ LPCWSTR szAdaptersPropertyName,
- _In_z_ LPCWSTR szActiveAdaptersPropertyName)
+find_adapters(_In_ MSIHANDLE hInstall, _In_z_ LPCWSTR szzHardwareIDs,
+ _In_z_ LPCWSTR szAdaptersPropertyName, _In_z_ LPCWSTR szActiveAdaptersPropertyName)
 {
 UINT uiResult;
 
@@ -165,24 +156,26 @@ find_adapters(
 return;
 }
 
- /* Get IPv4/v6 info for all network adapters. Actually, we're interested in link status only: up/down? */
+ /* Get IPv4/v6 info for all network adapters. Actually, we're interested in link status only:
+ * up/down? */
 PIP_ADAPTER_ADDRESSES pAdapterAdresses = NULL;
- ULONG ulAdapterAdressesSize = 16*1024;
+ ULONG ulAdapterAdressesSize = 16 * 1024;
 for (size_t iteration = 0; iteration < 2; iteration++)
 {
 pAdapterAdresses = (PIP_ADAPTER_ADDRESSES)malloc(ulAdapterAdressesSize);
 if (pAdapterAdresses == NULL)
 {
 msg(M_NONFATAL, "%s: malloc(%u) failed", __FUNCTION__, ulAdapterAdressesSize);
- uiResult = ERROR_OUTOFMEMORY; goto cleanup_pAdapterList;
+ uiResult = ERROR_OUTOFMEMORY;
+ goto cleanup_pAdapterList;
 }
 
 ULONG ulResult = GetAdaptersAddresses(
 AF_UNSPEC,
- GAA_FLAG_SKIP_UNICAST | GAA_FLAG_SKIP_ANYCAST | GAA_FLAG_SKIP_MULTICAST | GAA_FLAG_SKIP_DNS_SERVER | GAA_FLAG_SKIP_FRIENDLY_NAME | GAA_FLAG_INCLUDE_ALL_INTERFACES,
- NULL,
- pAdapterAdresses,
- &ulAdapterAdressesSize);
+ GAA_FLAG_SKIP_UNICAST | GAA_FLAG_SKIP_ANYCAST | GAA_FLAG_SKIP_MULTICAST
+ | GAA_FLAG_SKIP_DNS_SERVER | GAA_FLAG_SKIP_FRIENDLY_NAME
+ | GAA_FLAG_INCLUDE_ALL_INTERFACES,
+ NULL, pAdapterAdresses, &ulAdapterAdressesSize);
 
 if (ulResult == ERROR_SUCCESS)
 {
@@ -192,9 +185,12 @@ find_adapters(
 free(pAdapterAdresses);
 if (ulResult != ERROR_BUFFER_OVERFLOW)
 {
- SetLastError(ulResult); /* MSDN does not mention GetAdaptersAddresses() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(
+ ulResult); /* MSDN does not mention GetAdaptersAddresses() to set GetLastError().
+ But we do have an error code. Set last error manually. */
 msg(M_NONFATAL | M_ERRNO, "%s: GetAdaptersAddresses() failed", __FUNCTION__);
- uiResult = ulResult; goto cleanup_pAdapterList;
+ uiResult = ulResult;
+ goto cleanup_pAdapterList;
 }
 }
 
@@ -207,26 +203,33 @@ find_adapters(
 
 /* Prepare semicolon delimited list of TAP adapter ID(s) and active TAP adapter ID(s). */
 LPWSTR
- szAdapters = (LPWSTR)malloc(adapter_count * (38 /*GUID*/ + 1 /*separator/terminator*/) * sizeof(WCHAR)),
- szAdaptersTail = szAdapters;
+ szAdapters =
+ (LPWSTR)malloc(adapter_count * (38 /*GUID*/ + 1 /*separator/terminator*/) * sizeof(WCHAR)),
+ szAdaptersTail = szAdapters;
 if (szAdapters == NULL)
 {
- msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__, adapter_count * (38 /*GUID*/ + 1 /*separator/terminator*/) * sizeof(WCHAR));
- uiResult = ERROR_OUTOFMEMORY; goto cleanup_pAdapterAdresses;
+ msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__,
+ adapter_count * (38 /*GUID*/ + 1 /*separator/terminator*/) * sizeof(WCHAR));
+ uiResult = ERROR_OUTOFMEMORY;
+ goto cleanup_pAdapterAdresses;
 }
 
 LPWSTR
- szAdaptersActive = (LPWSTR)malloc(adapter_count * (38 /*GUID*/ + 1 /*separator/terminator*/) * sizeof(WCHAR)),
- szAdaptersActiveTail = szAdaptersActive;
+ szAdaptersActive =
+ (LPWSTR)malloc(adapter_count * (38 /*GUID*/ + 1 /*separator/terminator*/) * sizeof(WCHAR)),
+ szAdaptersActiveTail = szAdaptersActive;
 if (szAdaptersActive == NULL)
 {
- msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__, adapter_count * (38 /*GUID*/ + 1 /*separator/terminator*/) * sizeof(WCHAR));
- uiResult = ERROR_OUTOFMEMORY; goto cleanup_szAdapters;
+ msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__,
+ adapter_count * (38 /*GUID*/ + 1 /*separator/terminator*/) * sizeof(WCHAR));
+ uiResult = ERROR_OUTOFMEMORY;
+ goto cleanup_szAdapters;
 }
 
 for (struct tap_adapter_node *pAdapter = pAdapterList; pAdapter; pAdapter = pAdapter->pNext)
 {
- /* exclude adapters created by OpenVPN Connect, since they're removed on Connect uninstallation */
+ /* exclude adapters created by OpenVPN Connect, since they're removed on Connect
+ * uninstallation */
 if (wcsstr(pAdapter->szName, OPENVPN_CONNECT_ADAPTER_SUBSTR))
 {
 msg(M_WARN, "%s: skip OpenVPN Connect adapter '%ls'", __FUNCTION__, pAdapter->szName);
@@ -250,7 +253,9 @@ find_adapters(
 {
 OLECHAR szId[38 /*GUID*/ + 1 /*terminator*/];
 GUID guid;
- if (MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, p->AdapterName, -1, szId, _countof(szId)) > 0
+ if (MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, p->AdapterName, -1, szId,
+ _countof(szId))
+ > 0
 && SUCCEEDED(IIDFromString(szId, &guid))
 && memcmp(&guid, &pAdapter->guid, sizeof(GUID)) == 0)
 {
@@ -269,22 +274,26 @@ find_adapters(
 }
 CoTaskMemFree(szAdapterId);
 }
- szAdaptersTail [0] = 0;
+ szAdaptersTail[0] = 0;
 szAdaptersActiveTail[0] = 0;
 
 /* Set Installer properties. */
 uiResult = MsiSetProperty(hInstall, szAdaptersPropertyName, szAdapters);
 if (uiResult != ERROR_SUCCESS)
 {
- SetLastError(uiResult); /* MSDN does not mention MsiSetProperty() to set GetLastError(). But we do have an error code. Set last error manually. */
- msg(M_NONFATAL | M_ERRNO, "%s: MsiSetProperty(\"%s\") failed", __FUNCTION__, szAdaptersPropertyName);
+ SetLastError(uiResult); /* MSDN does not mention MsiSetProperty() to set GetLastError(). But
+ we do have an error code. Set last error manually. */
+ msg(M_NONFATAL | M_ERRNO, "%s: MsiSetProperty(\"%s\") failed", __FUNCTION__,
+ szAdaptersPropertyName);
 goto cleanup_szAdaptersActive;
 }
 uiResult = MsiSetProperty(hInstall, szActiveAdaptersPropertyName, szAdaptersActive);
 if (uiResult != ERROR_SUCCESS)
 {
- SetLastError(uiResult); /* MSDN does not mention MsiSetProperty() to set GetLastError(). But we do have an error code. Set last error manually. */
- msg(M_NONFATAL | M_ERRNO, "%s: MsiSetProperty(\"%s\") failed", __FUNCTION__, szActiveAdaptersPropertyName);
+ SetLastError(uiResult); /* MSDN does not mention MsiSetProperty() to set GetLastError(). But
+ we do have an error code. Set last error manually. */
+ msg(M_NONFATAL | M_ERRNO, "%s: MsiSetProperty(\"%s\") failed", __FUNCTION__,
+ szActiveAdaptersPropertyName);
 goto cleanup_szAdaptersActive;
 }
 
@@ -299,8 +308,7 @@ cleanup_pAdapterList:
 }
 
 
-UINT __stdcall
-FindSystemInfo(_In_ MSIHANDLE hInstall)
+UINT __stdcall FindSystemInfo(_In_ MSIHANDLE hInstall)
 {
 #ifdef DLLEXP_EXPORT
 #pragma comment(linker, DLLEXP_EXPORT)
@@ -312,16 +320,12 @@ FindSystemInfo(_In_ MSIHANDLE hInstall)
 
 OPENVPNMSICA_SAVE_MSI_SESSION(hInstall);
 
- find_adapters(
- hInstall,
- L"root\\" _L(TAP_WIN_COMPONENT_ID) L"\0" _L(TAP_WIN_COMPONENT_ID) L"\0",
- L"TAPWINDOWS6ADAPTERS",
- L"ACTIVETAPWINDOWS6ADAPTERS");
- find_adapters(
- hInstall,
- L"ovpn-dco" L"\0",
- L"OVPNDCOADAPTERS",
- L"ACTIVEOVPNDCOADAPTERS");
+ find_adapters(hInstall, L"root\\" _L(TAP_WIN_COMPONENT_ID) L"\0" _L(TAP_WIN_COMPONENT_ID) L"\0",
+ L"TAPWINDOWS6ADAPTERS", L"ACTIVETAPWINDOWS6ADAPTERS");
+ find_adapters(hInstall,
+ L"ovpn-dco"
+ L"\0",
+ L"OVPNDCOADAPTERS", L"ACTIVEOVPNDCOADAPTERS");
 
 if (bIsCoInitialized)
 {
@@ -331,13 +335,13 @@ FindSystemInfo(_In_ MSIHANDLE hInstall)
 }
 
 
-UINT __stdcall
-CloseOpenVPNGUI(_In_ MSIHANDLE hInstall)
+UINT __stdcall CloseOpenVPNGUI(_In_ MSIHANDLE hInstall)
 {
 #ifdef DLLEXP_EXPORT
 #pragma comment(linker, DLLEXP_EXPORT)
 #endif
- UNREFERENCED_PARAMETER(hInstall); /* This CA is does not interact with MSI session (report errors, access properties, tables, etc.). */
+ UNREFERENCED_PARAMETER(hInstall); /* This CA is does not interact with MSI session (report
+ errors, access properties, tables, etc.). */
 
 debug_popup(__FUNCTION__);
 
@@ -345,7 +349,8 @@ CloseOpenVPNGUI(_In_ MSIHANDLE hInstall)
 HWND hWnd = FindWindow(L"OpenVPN-GUI", NULL);
 if (hWnd)
 {
- /* Ask it to close and wait for 100ms. Unfortunately, this will succeed only for recent OpenVPN GUI that do not run elevated. */
+ /* Ask it to close and wait for 100ms. Unfortunately, this will succeed only for recent
+ * OpenVPN GUI that do not run elevated. */
 SendMessage(hWnd, WM_CLOSE, 0, 0);
 Sleep(100);
 }
@@ -354,8 +359,7 @@ CloseOpenVPNGUI(_In_ MSIHANDLE hInstall)
 }
 
 
-UINT __stdcall
-StartOpenVPNGUI(_In_ MSIHANDLE hInstall)
+UINT __stdcall StartOpenVPNGUI(_In_ MSIHANDLE hInstall)
 {
 #ifdef DLLEXP_EXPORT
 #pragma comment(linker, DLLEXP_EXPORT)
@@ -379,7 +383,8 @@ StartOpenVPNGUI(_In_ MSIHANDLE hInstall)
 uiResult = MsiRecordSetString(hRecord, 0, L"\"[#bin.openvpn_gui.exe]\"");
 if (uiResult != ERROR_SUCCESS)
 {
- SetLastError(uiResult); /* MSDN does not mention MsiRecordSetString() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(uiResult); /* MSDN does not mention MsiRecordSetString() to set GetLastError().
+ But we do have an error code. Set last error manually. */
 msg(M_NONFATAL | M_ERRNO, "%s: MsiRecordSetString failed", __FUNCTION__);
 goto cleanup_MsiCreateRecord;
 }
@@ -396,25 +401,26 @@ StartOpenVPNGUI(_In_ MSIHANDLE hInstall)
 if (szPath == NULL)
 {
 msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__, dwPathSize * sizeof(WCHAR));
- uiResult = ERROR_OUTOFMEMORY; goto cleanup_MsiCreateRecord;
+ uiResult = ERROR_OUTOFMEMORY;
+ goto cleanup_MsiCreateRecord;
 }
 uiResult = MsiFormatRecord(hInstall, hRecord, szPath, &dwPathSize);
 }
 if (uiResult != ERROR_SUCCESS)
 {
- SetLastError(uiResult); /* MSDN does not mention MsiFormatRecord() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(uiResult); /* MSDN does not mention MsiFormatRecord() to set GetLastError().
+ But we do have an error code. Set last error manually. */
 msg(M_NONFATAL | M_ERRNO, "%s: MsiFormatRecord failed", __FUNCTION__);
 goto cleanup_malloc_szPath;
 }
 
 /* Launch the OpenVPN GUI. */
- SHELLEXECUTEINFO sei = {
- .cbSize = sizeof(SHELLEXECUTEINFO),
- .fMask = SEE_MASK_FLAG_NO_UI, /* Don't show error UI, we'll display it. */
- .lpFile = szPath,
- .nShow = SW_SHOWNORMAL
- };
+ SHELLEXECUTEINFO sei = { .cbSize = sizeof(SHELLEXECUTEINFO),
+ .fMask =
+ SEE_MASK_FLAG_NO_UI, /* Don't show error UI, we'll display it. */
+ .lpFile = szPath,
+ .nShow = SW_SHOWNORMAL };
 if (!ShellExecuteEx(&sei))
 {
 uiResult = GetLastError();
@@ -461,12 +467,9 @@ cleanup_CoInitialize:
 * @return ERROR_SUCCESS on success; An error code otherwise
 */
 static DWORD
-schedule_adapter_create(
- _Inout_ struct msica_arg_seq *seq,
- _Inout_opt_ struct msica_arg_seq *seqRollback,
- _In_z_ LPCWSTR szDisplayName,
- _In_z_ LPCWSTR szHardwareId,
- _Inout_ int *iTicks)
+schedule_adapter_create(_Inout_ struct msica_arg_seq *seq,
+ _Inout_opt_ struct msica_arg_seq *seqRollback, _In_z_ LPCWSTR szDisplayName,
+ _In_z_ LPCWSTR szHardwareId, _Inout_ int *iTicks)
 {
 /* Get existing network adapters. */
 struct tap_adapter_node *pAdapterList = NULL;
@@ -477,28 +480,25 @@ schedule_adapter_create(
 }
 
 /* Does adapter exist? */
- for (struct tap_adapter_node *pAdapterOther = pAdapterList;; pAdapterOther = pAdapterOther->pNext)
+ for (struct tap_adapter_node *pAdapterOther = pAdapterList;;
+ pAdapterOther = pAdapterOther->pNext)
 {
 if (pAdapterOther == NULL)
 {
 /* No adapter with a same name found. */
- WCHAR szArgument[10 /*create=""|deleteN=""*/ + MAX_PATH /*szDisplayName*/ + 1 /*|*/ + MAX_PATH /*szHardwareId*/ + 1 /*terminator*/];
+ WCHAR szArgument[10 /*create=""|deleteN=""*/ + MAX_PATH /*szDisplayName*/ + 1 /*|*/
+ + MAX_PATH /*szHardwareId*/ + 1 /*terminator*/];
 
 /* InstallTUNTAPAdapters will create the adapter. */
- swprintf_s(
- szArgument, _countof(szArgument),
- L"create=\"%.*s|%.*s\"",
- MAX_PATH, szDisplayName,
- MAX_PATH, szHardwareId);
+ swprintf_s(szArgument, _countof(szArgument), L"create=\"%.*s|%.*s\"", MAX_PATH,
+ szDisplayName, MAX_PATH, szHardwareId);
 msica_arg_seq_add_tail(seq, szArgument);
 
 if (seqRollback)
 {
 /* InstallTUNTAPAdaptersRollback will delete the adapter. */
- swprintf_s(
- szArgument, _countof(szArgument),
- L"deleteN=\"%.*s\"",
- MAX_PATH, szDisplayName);
+ swprintf_s(szArgument, _countof(szArgument), L"deleteN=\"%.*s\"", MAX_PATH,
+ szDisplayName);
 msica_arg_seq_add_head(seqRollback, szArgument);
 }
 
@@ -513,13 +513,15 @@ schedule_adapter_create(
 if (hwid[0] == 0)
 {
 /* This adapter has a different hardware ID. */
- msg(M_NONFATAL, "%s: Adapter with name \"%ls\" already exists", __FUNCTION__, pAdapterOther->szName);
+ msg(M_NONFATAL, "%s: Adapter with name \"%ls\" already exists", __FUNCTION__,
+ pAdapterOther->szName);
 dwResult = ERROR_ALREADY_EXISTS;
 goto cleanup_pAdapterList;
 }
 else if (wcsicmp(hwid, szHardwareId) == 0)
 {
- /* This is an adapter with the requested hardware ID. We already have what we want! */
+ /* This is an adapter with the requested hardware ID. We already have what we
+ * want! */
 break;
 }
 }
@@ -561,13 +563,10 @@ cleanup_pAdapterList:
 * @return ERROR_SUCCESS on success; An error code otherwise
 */
 static DWORD
-schedule_adapter_delete(
- _Inout_ struct msica_arg_seq *seq,
- _Inout_opt_ struct msica_arg_seq *seqCommit,
- _Inout_opt_ struct msica_arg_seq *seqRollback,
- _In_z_ LPCWSTR szDisplayName,
- _In_z_ LPCWSTR szzHardwareIDs,
- _Inout_ int *iTicks)
+schedule_adapter_delete(_Inout_ struct msica_arg_seq *seq,
+ _Inout_opt_ struct msica_arg_seq *seqCommit,
+ _Inout_opt_ struct msica_arg_seq *seqRollback, _In_z_ LPCWSTR szDisplayName,
+ _In_z_ LPCWSTR szzHardwareIDs, _Inout_ int *iTicks)
 {
 /* Get adapters with given hardware ID. */
 struct tap_adapter_node *pAdapterList = NULL;
@@ -578,42 +577,36 @@ schedule_adapter_delete(
 }
 /* Does adapter exist? */
- for (struct tap_adapter_node *pAdapter = pAdapterList; pAdapter != NULL; pAdapter = pAdapter->pNext)
+ for (struct tap_adapter_node *pAdapter = pAdapterList; pAdapter != NULL;
+ pAdapter = pAdapter->pNext)
 {
 if (wcsicmp(szDisplayName, pAdapter->szName) == 0)
 {
 /* Adapter found. */
- WCHAR szArgument[8 /*disable=|enable=|delete=*/ + 38 /*{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}*/ + 1 /*terminator*/];
+ WCHAR szArgument[8 /*disable=|enable=|delete=*/
+ + 38 /*{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}*/ + 1 /*terminator*/];
 if (seqCommit && seqRollback)
 {
 /* UninstallTUNTAPAdapters will disable the adapter. */
- swprintf_s(
- szArgument, _countof(szArgument),
- L"disable=" _L(PRIXGUID),
- PRIGUID_PARAM(pAdapter->guid));
+ swprintf_s(szArgument, _countof(szArgument), L"disable=" _L(PRIXGUID),
+ PRIGUID_PARAM(pAdapter->guid));
 msica_arg_seq_add_tail(seq, szArgument);
 /* UninstallTUNTAPAdaptersRollback will re-enable the adapter. */
- swprintf_s(
- szArgument, _countof(szArgument),
- L"enable=" _L(PRIXGUID),
- PRIGUID_PARAM(pAdapter->guid));
+ swprintf_s(szArgument, _countof(szArgument), L"enable=" _L(PRIXGUID),
+ PRIGUID_PARAM(pAdapter->guid));
 msica_arg_seq_add_head(seqRollback, szArgument);
 /* UninstallTUNTAPAdaptersCommit will delete the adapter. */
- swprintf_s(
- szArgument, _countof(szArgument),
- L"delete=" _L(PRIXGUID),
- PRIGUID_PARAM(pAdapter->guid));
+ swprintf_s(szArgument, _countof(szArgument), L"delete=" _L(PRIXGUID),
+ PRIGUID_PARAM(pAdapter->guid));
 msica_arg_seq_add_tail(seqCommit, szArgument);
 }
 else
 {
 /* UninstallTUNTAPAdapters will delete the adapter. */
- swprintf_s(
- szArgument, _countof(szArgument),
- L"delete=" _L(PRIXGUID),
- PRIGUID_PARAM(pAdapter->guid));
+ swprintf_s(szArgument, _countof(szArgument), L"delete=" _L(PRIXGUID),
+ PRIGUID_PARAM(pAdapter->guid));
 msica_arg_seq_add_tail(seq, szArgument);
 }
@@ -627,8 +620,7 @@ schedule_adapter_delete(
 }
-UINT __stdcall
-EvaluateTUNTAPAdapters(_In_ MSIHANDLE hInstall)
+UINT __stdcall EvaluateTUNTAPAdapters(_In_ MSIHANDLE hInstall)
 {
 #ifdef DLLEXP_EXPORT
 #pragma comment(linker, DLLEXP_EXPORT)
@@ -641,13 +633,8 @@ EvaluateTUNTAPAdapters(_In_ MSIHANDLE hInstall)
 OPENVPNMSICA_SAVE_MSI_SESSION(hInstall);
- struct msica_arg_seq
- seqInstall,
- seqInstallCommit,
- seqInstallRollback,
- seqUninstall,
- seqUninstallCommit,
- seqUninstallRollback;
+ struct msica_arg_seq seqInstall, seqInstallCommit, seqInstallRollback, seqUninstall,
+ seqUninstallCommit, seqUninstallRollback;
 msica_arg_seq_init(&seqInstall);
 msica_arg_seq_init(&seqInstallCommit);
 msica_arg_seq_init(&seqInstallRollback);
@@ -656,7 +643,8 @@ EvaluateTUNTAPAdapters(_In_ MSIHANDLE hInstall)
 msica_arg_seq_init(&seqUninstallRollback);
 /* Check rollback state. */
- bool bRollbackEnabled = MsiEvaluateCondition(hInstall, L"RollbackDisabled") != MSICONDITION_TRUE;
+ bool bRollbackEnabled =
+ MsiEvaluateCondition(hInstall, L"RollbackDisabled") != MSICONDITION_TRUE;
 /* Open MSI database. */
 MSIHANDLE hDatabase = MsiGetActiveDatabase(hInstall);
@@ -671,7 +659,8 @@ EvaluateTUNTAPAdapters(_In_ MSIHANDLE hInstall)
 switch (MsiDatabaseIsTablePersistent(hDatabase, L"TUNTAPAdapter"))
 {
 case MSICONDITION_FALSE:
- case MSICONDITION_TRUE: break;
+ case MSICONDITION_TRUE:
+ break;
 default:
 uiResult = ERROR_SUCCESS;
@@ -680,11 +669,14 @@ EvaluateTUNTAPAdapters(_In_ MSIHANDLE hInstall)
 /* Prepare a query to get a list/view of adapters. */
 MSIHANDLE hViewST = 0;
- LPCWSTR szQuery = L"SELECT `Adapter`,`DisplayName`,`Condition`,`Component_`,`HardwareId` FROM `TUNTAPAdapter`";
+ LPCWSTR szQuery =
+ L"SELECT `Adapter`,`DisplayName`,`Condition`,`Component_`,`HardwareId` FROM `TUNTAPAdapter`";
 uiResult = MsiDatabaseOpenView(hDatabase, szQuery, &hViewST);
 if (uiResult != ERROR_SUCCESS)
 {
- SetLastError(uiResult); /* MSDN does not mention MsiDatabaseOpenView() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(
+ uiResult); /* MSDN does not mention MsiDatabaseOpenView() to set GetLastError(). But we
+ do have an error code. Set last error manually. */
 msg(M_NONFATAL | M_ERRNO, "%s: MsiDatabaseOpenView(\"%ls\") failed", __FUNCTION__, szQuery);
 goto cleanup_hDatabase;
 }
@@ -693,7 +685,8 @@ EvaluateTUNTAPAdapters(_In_ MSIHANDLE hInstall)
 uiResult = MsiViewExecute(hViewST, 0);
 if (uiResult != ERROR_SUCCESS)
 {
- SetLastError(uiResult); /* MSDN does not mention MsiViewExecute() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(uiResult); /* MSDN does not mention MsiViewExecute() to set GetLastError(). But
+ we do have an error code. Set last error manually. */
 msg(M_NONFATAL | M_ERRNO, "%s: MsiViewExecute(\"%ls\") failed", __FUNCTION__, szQuery);
 goto cleanup_hViewST;
 }
@@ -707,7 +700,7 @@ EvaluateTUNTAPAdapters(_In_ MSIHANDLE hInstall)
 goto cleanup_hViewST_close;
 }
- for (;; )
+ for (;;)
 {
 /* Fetch one record from the view. */
 MSIHANDLE hRecord = 0;
@@ -719,7 +712,8 @@ EvaluateTUNTAPAdapters(_In_ MSIHANDLE hInstall)
 }
 else if (uiResult != ERROR_SUCCESS)
 {
- SetLastError(uiResult); /* MSDN does not mention MsiViewFetch() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(uiResult); /* MSDN does not mention MsiViewFetch() to set GetLastError().
+ But we do have an error code. Set last error manually. */
 msg(M_NONFATAL | M_ERRNO, "%s: MsiViewFetch failed", __FUNCTION__);
 goto cleanup_hRecordProg;
 }
@@ -738,8 +732,11 @@ EvaluateTUNTAPAdapters(_In_ MSIHANDLE hInstall)
 uiResult = MsiGetComponentState(hInstall, szValue, &iInstalled, &iAction);
 if (uiResult != ERROR_SUCCESS)
 {
- SetLastError(uiResult); /* MSDN does not mention MsiGetComponentState() to set GetLastError(). But we do have an error code. Set last error manually. */
- msg(M_NONFATAL | M_ERRNO, "%s: MsiGetComponentState(\"%ls\") failed", __FUNCTION__, szValue);
+ SetLastError(uiResult); /* MSDN does not mention MsiGetComponentState() to set
+ GetLastError(). But we do have an error code. Set last
+ error manually. */
+ msg(M_NONFATAL | M_ERRNO, "%s: MsiGetComponentState(\"%ls\") failed", __FUNCTION__,
+ szValue);
 free(szValue);
 goto cleanup_hRecord;
 }
@@ -753,7 +750,9 @@ EvaluateTUNTAPAdapters(_In_ MSIHANDLE hInstall)
 {
 goto cleanup_hRecord;
 }
- /* `DisplayName` field type is [Filename](https://docs.microsoft.com/en-us/windows/win32/msi/filename), which is either "8.3|long name" or "8.3". */
+ /* `DisplayName` field type is
+ * [Filename](https://docs.microsoft.com/en-us/windows/win32/msi/filename), which is either
+ * "8.3|long name" or "8.3". */
 LPWSTR szDisplayNameEx = wcschr(szDisplayName, L'|');
 szDisplayNameEx = szDisplayNameEx != NULL ? szDisplayNameEx + 1 : szDisplayName;
@@ -766,7 +765,10 @@ EvaluateTUNTAPAdapters(_In_ MSIHANDLE hInstall)
 {
 goto cleanup_szDisplayName;
 }
- memcpy_s(szzHardwareIDs, sizeof(szzHardwareIDs) - 2*sizeof(WCHAR) /*requires double zero termination*/, szHwId, wcslen(szHwId)*sizeof(WCHAR));
+ memcpy_s(szzHardwareIDs,
+ sizeof(szzHardwareIDs)
+ - 2 * sizeof(WCHAR) /*requires double zero termination*/,
+ szHwId, wcslen(szHwId) * sizeof(WCHAR));
 free(szHwId);
 }
@@ -799,7 +801,8 @@ EvaluateTUNTAPAdapters(_In_ MSIHANDLE hInstall)
 case MSICONDITION_ERROR:
 uiResult = ERROR_INVALID_FIELD;
- msg(M_NONFATAL | M_ERRNO, "%s: MsiEvaluateCondition(\"%ls\") failed", __FUNCTION__, szValue);
+ msg(M_NONFATAL | M_ERRNO, "%s: MsiEvaluateCondition(\"%ls\") failed",
+ __FUNCTION__, szValue);
 free(szValue);
 goto cleanup_szDisplayName;
 }
@@ -809,12 +812,10 @@ EvaluateTUNTAPAdapters(_In_ MSIHANDLE hInstall)
 free(szValue);
 /* Component is or should be installed. Schedule adapter creation. */
- if (schedule_adapter_create(
- &seqInstall,
- bRollbackEnabled ? &seqInstallRollback : NULL,
- szDisplayNameEx,
- szzHardwareIDs,
- &iTicks) != ERROR_SUCCESS)
+ if (schedule_adapter_create(&seqInstall,
+ bRollbackEnabled ? &seqInstallRollback : NULL,
+ szDisplayNameEx, szzHardwareIDs, &iTicks)
+ != ERROR_SUCCESS)
 {
 uiResult = ERROR_INSTALL_FAILED;
 goto cleanup_szDisplayName;
@@ -822,18 +823,16 @@ EvaluateTUNTAPAdapters(_In_ MSIHANDLE hInstall)
 }
 else
 {
- /* Component is installed, but should be degraded to advertised/removed. Schedule adapter deletition.
+ /* Component is installed, but should be degraded to advertised/removed. Schedule
+ * adapter deletition.
 *
- * Note: On adapter removal (product is being uninstalled), we tolerate dwResult error.
- * Better a partial uninstallation than no uninstallation at all.
+ * Note: On adapter removal (product is being uninstalled), we tolerate dwResult
+ * error. Better a partial uninstallation than no uninstallation at all.
 */
- schedule_adapter_delete(
- &seqUninstall,
- bRollbackEnabled ? &seqUninstallCommit : NULL,
- bRollbackEnabled ? &seqUninstallRollback : NULL,
- szDisplayNameEx,
- szzHardwareIDs,
- &iTicks);
+ schedule_adapter_delete(&seqUninstall,
+ bRollbackEnabled ? &seqUninstallCommit : NULL,
+ bRollbackEnabled ? &seqUninstallRollback : NULL,
+ szDisplayNameEx, szzHardwareIDs, &iTicks);
 }
 /* Arrange the amount of tick space to add to the progress indicator.
@@ -871,12 +870,21 @@ cleanup_hRecord:
 msica_arg_seq_add_tail(&seqUninstallRollback, str);
 /* Store deferred custom action parameters. */
- if ((uiResult = setup_sequence(hInstall, L"InstallTUNTAPAdapters", &seqInstall )) != ERROR_SUCCESS
- || (uiResult = setup_sequence(hInstall, L"InstallTUNTAPAdaptersCommit", &seqInstallCommit )) != ERROR_SUCCESS
- || (uiResult = setup_sequence(hInstall, L"InstallTUNTAPAdaptersRollback", &seqInstallRollback )) != ERROR_SUCCESS
- || (uiResult = setup_sequence(hInstall, L"UninstallTUNTAPAdapters", &seqUninstall )) != ERROR_SUCCESS
- || (uiResult = setup_sequence(hInstall, L"UninstallTUNTAPAdaptersCommit", &seqUninstallCommit )) != ERROR_SUCCESS
- || (uiResult = setup_sequence(hInstall, L"UninstallTUNTAPAdaptersRollback", &seqUninstallRollback)) != ERROR_SUCCESS)
+ if ((uiResult = setup_sequence(hInstall, L"InstallTUNTAPAdapters", &seqInstall))
+ != ERROR_SUCCESS
+ || (uiResult = setup_sequence(hInstall, L"InstallTUNTAPAdaptersCommit", &seqInstallCommit))
+ != ERROR_SUCCESS
+ || (uiResult =
+ setup_sequence(hInstall, L"InstallTUNTAPAdaptersRollback", &seqInstallRollback))
+ != ERROR_SUCCESS
+ || (uiResult = setup_sequence(hInstall, L"UninstallTUNTAPAdapters", &seqUninstall))
+ != ERROR_SUCCESS
+ || (uiResult =
+ setup_sequence(hInstall, L"UninstallTUNTAPAdaptersCommit", &seqUninstallCommit))
+ != ERROR_SUCCESS
+ || (uiResult =
+ setup_sequence(hInstall, L"UninstallTUNTAPAdaptersRollback", &seqUninstallRollback))
+ != ERROR_SUCCESS)
 {
 goto cleanup_hRecordProg;
 }
@@ -916,9 +924,7 @@ cleanup_exec_seq:
 * @return TRUE on success; FALSE otherwise
 */
 static BOOL
-parse_guid(
- _In_z_ LPCWSTR szArg,
- _Out_ GUID *guid)
+parse_guid(_In_z_ LPCWSTR szArg, _Out_ GUID *guid)
 {
 if (swscanf_s(szArg, _L(PRIXGUID), PRIGUID_PARAM_REF(*guid)) != 11)
 {
@@ -945,7 +951,8 @@ CreateRebootFile(_In_z_ LPCWSTR szTmpDir)
 msg(M_WARN, "%s: Reboot required, create reboot indication file \"%ls\"", __FUNCTION__, path);
- HANDLE file = CreateFileW(path, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
+ HANDLE file =
+ CreateFileW(path, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
 if (file == INVALID_HANDLE_VALUE)
 {
 msg(M_NONFATAL | M_ERRNO, "%s: CreateFile(\"%ls\") failed", __FUNCTION__, path);
@@ -956,8 +963,7 @@ CreateRebootFile(_In_z_ LPCWSTR szTmpDir)
 }
 }
-UINT __stdcall
-ProcessDeferredAction(_In_ MSIHANDLE hInstall)
+UINT __stdcall ProcessDeferredAction(_In_ MSIHANDLE hInstall)
 {
 #ifdef DLLEXP_EXPORT
 #pragma comment(linker, DLLEXP_EXPORT)
@@ -967,13 +973,15 @@ ProcessDeferredAction(_In_ MSIHANDLE hInstall)
 UINT uiResult;
 BOOL bIsCoInitialized = SUCCEEDED(CoInitialize(NULL));
- WCHAR tmpDir[MAX_PATH] = {0};
+ WCHAR tmpDir[MAX_PATH] = { 0 };
 OPENVPNMSICA_SAVE_MSI_SESSION(hInstall);
- BOOL bIsCleanup = MsiGetMode(hInstall, MSIRUNMODE_COMMIT) || MsiGetMode(hInstall, MSIRUNMODE_ROLLBACK);
+ BOOL bIsCleanup =
+ MsiGetMode(hInstall, MSIRUNMODE_COMMIT) || MsiGetMode(hInstall, MSIRUNMODE_ROLLBACK);
- /* Get sequence arguments. Always Unicode as CommandLineToArgvW() is available as Unicode-only. */
+ /* Get sequence arguments. Always Unicode as CommandLineToArgvW() is available as Unicode-only.
+ */
 LPWSTR szSequence = NULL;
 uiResult = msi_get_string(hInstall, L"CustomActionData", &szSequence);
 if (uiResult != ERROR_SUCCESS)
@@ -985,7 +993,8 @@ ProcessDeferredAction(_In_ MSIHANDLE hInstall)
 if (szArg == NULL)
 {
 uiResult = GetLastError();
- msg(M_NONFATAL | M_ERRNO, "%s: CommandLineToArgvW(\"%ls\") failed", __FUNCTION__, szSequence);
+ msg(M_NONFATAL | M_ERRNO, "%s: CommandLineToArgvW(\"%ls\") failed", __FUNCTION__,
+ szSequence);
 goto cleanup_szSequence;
 }
@@ -1037,8 +1046,8 @@ ProcessDeferredAction(_In_ MSIHANDLE hInstall)
 dwResult = tap_create_adapter(NULL, NULL, szHardwareId, &bRebootRequired, &guidAdapter);
 if (dwResult == ERROR_SUCCESS)
 {
- /* Set adapter name. May fail on some machines, but that is not critical - use silent
- * flag to mute messagebox and print error only to log */
+ /* Set adapter name. May fail on some machines, but that is not critical - use
+ * silent flag to mute messagebox and print error only to log */
 tap_set_adapter_name(&guidAdapter, szName, TRUE);
 }
 }
@@ -1067,7 +1076,8 @@ ProcessDeferredAction(_In_ MSIHANDLE hInstall)
 if (dwResult == ERROR_SUCCESS)
 {
 /* Does the adapter exist? */
- for (struct tap_adapter_node *pAdapter = pAdapterList; pAdapter != NULL; pAdapter = pAdapter->pNext)
+ for (struct tap_adapter_node *pAdapter = pAdapterList; pAdapter != NULL;
+ pAdapter = pAdapter->pNext)
 {
 if (wcsicmp(szName, pAdapter->szName) == 0)
 {
@@ -1156,8 +1166,7 @@ cleanup_CoInitialize:
 return uiResult;
 }
-UINT __stdcall
-CheckAndScheduleReboot(_In_ MSIHANDLE hInstall)
+UINT __stdcall CheckAndScheduleReboot(_In_ MSIHANDLE hInstall)
 {
 #ifdef DLLEXP_EXPORT
 #pragma comment(linker, DLLEXP_EXPORT)
diff --git a/src/openvpnmsica/openvpnmsica.h b/src/openvpnmsica/openvpnmsica.h
index d07554f4e..c3e044560 100644
--- a/src/openvpnmsica/openvpnmsica.h
+++ b/src/openvpnmsica/openvpnmsica.h
@@ -50,10 +50,11 @@ extern DWORD openvpnmsica_thread_data_idx;
 /**
 * Set MSI session handle in thread local storage.
 */
-#define OPENVPNMSICA_SAVE_MSI_SESSION(hInstall) \
- { \
- struct openvpnmsica_thread_data *s = (struct openvpnmsica_thread_data *)TlsGetValue(openvpnmsica_thread_data_idx); \
- s->hInstall = (hInstall); \
+#define OPENVPNMSICA_SAVE_MSI_SESSION(hInstall) \
+ { \
+ struct openvpnmsica_thread_data *s = \
+ (struct openvpnmsica_thread_data *)TlsGetValue(openvpnmsica_thread_data_idx); \
+ s->hInstall = (hInstall); \
 }
@@ -62,7 +63,8 @@ extern DWORD openvpnmsica_thread_data_idx;
 */
 #ifdef __cplusplus
-extern "C" {
+extern "C"
+{
 #endif
 /* Ensure that clang-cl, which does not understand the cl specific
@@ -77,90 +79,84 @@ extern "C" {
 #endif
-/**
- * Determines Windows information:
- *
- * - Sets `OPENVPNSERVICE` MSI property to PID of OpenVPN Service if running, or its EXE path if
- * configured for auto-start.
- *
- * - Finds existing TAP-Windows6 adapters and set TAPWINDOWS6ADAPTERS and
- * ACTIVETAPWINDOWS6ADAPTERS properties with semicolon delimited list of all installed adapter
- * GUIDs and active adapter GUIDs respectively.
- *
- * - Finds existing ovpn-dco adapters and set OVPNDCOADAPTERS and ACTIVEOVPNDCOADAPTERS properties
- * with semicolon delimited list of all installed adapter GUIDs and active adapter GUIDs
- * respectively.
- *
- * @param hInstall Handle to the installation provided to the DLL custom action
- *
- * @return ERROR_SUCCESS on success; An error code otherwise
- * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
- */
-DLLEXP_DECL UINT __stdcall
-FindSystemInfo(_In_ MSIHANDLE hInstall);
-
-
-/**
- * Find OpenVPN GUI window and send it a WM_CLOSE message.
- *
- * @param hInstall Handle to the installation provided to the DLL custom action
- *
- * @return ERROR_SUCCESS on success; An error code otherwise
- * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
- */
-DLLEXP_DECL UINT __stdcall
-CloseOpenVPNGUI(_In_ MSIHANDLE hInstall);
-
-
-/**
- * Launches OpenVPN GUI. It's path is obtained by expanding the `[#bin.openvpn_gui.exe]`
- * therefore, its Id field in File table must be "bin.openvpn_gui.exe".
- *
- * @param hInstall Handle to the installation provided to the DLL custom action
- *
- * @return ERROR_SUCCESS on success; An error code otherwise
- * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
- */
-DLLEXP_DECL UINT __stdcall
-StartOpenVPNGUI(_In_ MSIHANDLE hInstall);
-
-
-/**
- * Evaluate the TUNTAPAdapter table of the MSI package database and prepare a list of TAP
- * adapters to install/remove.
- *
- * @param hInstall Handle to the installation provided to the DLL custom action
- *
- * @return ERROR_SUCCESS on success; An error code otherwise
- * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
- */
-DLLEXP_DECL UINT __stdcall
-EvaluateTUNTAPAdapters(_In_ MSIHANDLE hInstall);
-
-
-/**
- * Perform scheduled deferred action.
- *
- * @param hInstall Handle to the installation provided to the DLL custom action
- *
- * @return ERROR_SUCCESS on success; An error code otherwise
- * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
- */
-DLLEXP_DECL UINT __stdcall
-ProcessDeferredAction(_In_ MSIHANDLE hInstall);
-
-
-/**
- * Schedule reboot after installation if reboot
- * indication file is found in user's temp directory
- *
- * @param hInstall Handle to the installation provided to the DLL custom action
- *
- * @return ERROR_SUCCESS on success; An error code otherwise
- * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
- */
-DLLEXP_DECL UINT __stdcall
-CheckAndScheduleReboot(_In_ MSIHANDLE hInstall);
+ /**
+ * Determines Windows information:
+ *
+ * - Sets `OPENVPNSERVICE` MSI property to PID of OpenVPN Service if running, or its EXE path if
+ * configured for auto-start.
+ *
+ * - Finds existing TAP-Windows6 adapters and set TAPWINDOWS6ADAPTERS and
+ * ACTIVETAPWINDOWS6ADAPTERS properties with semicolon delimited list of all installed adapter
+ * GUIDs and active adapter GUIDs respectively.
+ *
+ * - Finds existing ovpn-dco adapters and set OVPNDCOADAPTERS and ACTIVEOVPNDCOADAPTERS
+ * properties with semicolon delimited list of all installed adapter GUIDs and active adapter
+ * GUIDs respectively.
+ *
+ * @param hInstall Handle to the installation provided to the DLL custom action
+ *
+ * @return ERROR_SUCCESS on success; An error code otherwise
+ * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
+ */
+ DLLEXP_DECL UINT __stdcall FindSystemInfo(_In_ MSIHANDLE hInstall);
+
+
+ /**
+ * Find OpenVPN GUI window and send it a WM_CLOSE message.
+ *
+ * @param hInstall Handle to the installation provided to the DLL custom action
+ *
+ * @return ERROR_SUCCESS on success; An error code otherwise
+ * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
+ */
+ DLLEXP_DECL UINT __stdcall CloseOpenVPNGUI(_In_ MSIHANDLE hInstall);
+
+
+ /**
+ * Launches OpenVPN GUI. It's path is obtained by expanding the `[#bin.openvpn_gui.exe]`
+ * therefore, its Id field in File table must be "bin.openvpn_gui.exe".
+ *
+ * @param hInstall Handle to the installation provided to the DLL custom action
+ *
+ * @return ERROR_SUCCESS on success; An error code otherwise
+ * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
+ */
+ DLLEXP_DECL UINT __stdcall StartOpenVPNGUI(_In_ MSIHANDLE hInstall);
+
+
+ /**
+ * Evaluate the TUNTAPAdapter table of the MSI package database and prepare a list of TAP
+ * adapters to install/remove.
+ *
+ * @param hInstall Handle to the installation provided to the DLL custom action
+ *
+ * @return ERROR_SUCCESS on success; An error code otherwise
+ * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
+ */
+ DLLEXP_DECL UINT __stdcall EvaluateTUNTAPAdapters(_In_ MSIHANDLE hInstall);
+
+
+ /**
+ * Perform scheduled deferred action.
+ *
+ * @param hInstall Handle to the installation provided to the DLL custom action
+ *
+ * @return ERROR_SUCCESS on success; An error code otherwise
+ * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
+ */
+ DLLEXP_DECL UINT __stdcall ProcessDeferredAction(_In_ MSIHANDLE hInstall);
+
+
+ /**
+ * Schedule reboot after installation if reboot
+ * indication file is found in user's temp directory
+ *
+ * @param hInstall Handle to the installation provided to the DLL custom action
+ *
+ * @return ERROR_SUCCESS on success; An error code otherwise
+ * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
+ */
+ DLLEXP_DECL UINT __stdcall CheckAndScheduleReboot(_In_ MSIHANDLE hInstall);
 #ifdef __cplusplus
 }
diff --git a/src/openvpnserv/common.c b/src/openvpnserv/common.c
index 5543c3747..a42c65d29 100644
--- a/src/openvpnserv/common.c
+++ b/src/openvpnserv/common.c
@@ -29,12 +29,11 @@ static wchar_t win_sys_path[MAX_PATH];
 static DWORD
 GetRegString(HKEY key, LPCWSTR value, LPWSTR data, DWORD size, LPCWSTR default_value)
 {
- LONG status = RegGetValue(key, NULL, value, RRF_RT_REG_SZ,
- NULL, (LPBYTE) data, &size);
+ LONG status = RegGetValue(key, NULL, value, RRF_RT_REG_SZ, NULL, (LPBYTE)data, &size);
 if (status == ERROR_FILE_NOT_FOUND && default_value)
 {
- size_t len = size/sizeof(data[0]);
+ size_t len = size / sizeof(data[0]);
 if (swprintf(data, len, default_value))
 {
 status = ERROR_SUCCESS;
@@ -44,7 +43,10 @@ GetRegString(HKEY key, LPCWSTR value, LPWSTR data, DWORD size, LPCWSTR default_v
 if (status != ERROR_SUCCESS)
 {
 SetLastError(status);
- return MsgToEventLog(M_SYSERR, L"Error querying registry value: HKLM\\SOFTWARE\\" _L(PACKAGE_NAME) L"%ls\\%ls", service_instance, value);
+ return MsgToEventLog(
+ M_SYSERR,
+ L"Error querying registry value: HKLM\\SOFTWARE\\" _L(PACKAGE_NAME) L"%ls\\%ls",
+ service_instance, value);
 }
 return ERROR_SUCCESS;
@@ -68,7 +70,8 @@ GetOpenvpnSettings(settings_t *s)
 if (status != ERROR_SUCCESS)
 {
 SetLastError(status);
- return MsgToEventLog(M_SYSERR, L"Could not open Registry key HKLM\\%ls not found", reg_path);
+ return MsgToEventLog(M_SYSERR, L"Could not open Registry key HKLM\\%ls not found",
+ reg_path);
 }
 /* The default value of REG_KEY is the install path */
@@ -79,8 +82,7 @@ GetOpenvpnSettings(settings_t *s)
 goto out;
 }
- swprintf(default_value, _countof(default_value), L"%ls\\bin\\openvpn.exe",
- install_path);
+ swprintf(default_value, _countof(default_value), L"%ls\\bin\\openvpn.exe", install_path);
 error = GetRegString(key, L"exe_path", s->exe_path, sizeof(s->exe_path), default_value);
 if (error != ERROR_SUCCESS)
 {
@@ -88,23 +90,20 @@ GetOpenvpnSettings(settings_t *s)
 }
 swprintf(default_value, _countof(default_value), L"%ls\\config", install_path);
- error = GetRegString(key, L"config_dir", s->config_dir, sizeof(s->config_dir),
- default_value);
+ error = GetRegString(key, L"config_dir", s->config_dir, sizeof(s->config_dir), default_value);
 if (error != ERROR_SUCCESS)
 {
 goto out;
 }
 swprintf(default_value, _countof(default_value), L"%ls\\bin", install_path);
- error = GetRegString(key, L"bin_dir", s->bin_dir, sizeof(s->bin_dir),
- default_value);
+ error = GetRegString(key, L"bin_dir", s->bin_dir, sizeof(s->bin_dir), default_value);
 if (error != ERROR_SUCCESS)
 {
 goto out;
 }
- error = GetRegString(key, L"config_ext", s->ext_string, sizeof(s->ext_string),
- L".ovpn");
+ error = GetRegString(key, L"config_ext", s->ext_string, sizeof(s->ext_string), L".ovpn");
 if (error != ERROR_SUCCESS)
 {
 goto out;
@@ -117,8 +116,7 @@ GetOpenvpnSettings(settings_t *s)
 goto out;
 }
- error = GetRegString(key, L"priority", priority, sizeof(priority),
- L"NORMAL_PRIORITY_CLASS");
+ error = GetRegString(key, L"priority", priority, sizeof(priority), L"NORMAL_PRIORITY_CLASS");
 if (error != ERROR_SUCCESS)
 {
 goto out;
@@ -131,8 +129,8 @@ GetOpenvpnSettings(settings_t *s)
 }
 /* read if present, else use default */
- error = GetRegString(key, L"ovpn_admin_group", s->ovpn_admin_group,
- sizeof(s->ovpn_admin_group), OVPN_ADMIN_GROUP);
+ error = GetRegString(key, L"ovpn_admin_group", s->ovpn_admin_group, sizeof(s->ovpn_admin_group),
+ OVPN_ADMIN_GROUP);
 if (error != ERROR_SUCCESS)
 {
 goto out;
@@ -185,7 +183,8 @@ GetOpenvpnSettings(settings_t *s)
 else
 {
 SetLastError(ERROR_INVALID_DATA);
- error = MsgToEventLog(M_ERR, L"Log file append flag (given as '%ls') must be '0' or '1'", append);
+ error = MsgToEventLog(M_ERR, L"Log file append flag (given as '%ls') must be '0' or '1'",
+ append);
 goto out;
 }
@@ -204,10 +203,11 @@ GetLastErrorText(void)
 LPWSTR tmp = NULL;
 error = GetLastError();
- len = FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ARGUMENT_ARRAY,
+ len = FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM
+ | FORMAT_MESSAGE_ARGUMENT_ARRAY,
 NULL, error, LANG_NEUTRAL, tmp, 0, NULL);
- if (len == 0 || (long) _countof(buf) < (long) len + 14)
+ if (len == 0 || (long)_countof(buf) < (long)len + 14)
 {
 buf[0] = L'\0';
 }
@@ -244,8 +244,7 @@ MsgToEventLog(DWORD flags, LPCWSTR format, ...)
 hEventSource = RegisterEventSource(NULL, APPNAME);
 if (hEventSource != NULL)
 {
- swprintf(msg[0], _countof(msg[0]),
- L"%ls%ls%ls: %ls", APPNAME, service_instance,
+ swprintf(msg[0], _countof(msg[0]), L"%ls%ls%ls: %ls", APPNAME, service_instance,
 (flags & MSG_FLAGS_ERROR) ? L" error" : L"", err_msg);
 va_start(arglist, format);
@@ -253,9 +252,9 @@ MsgToEventLog(DWORD flags, LPCWSTR format, ...)
 va_end(arglist);
 const WCHAR *mesg[] = { msg[0], msg[1] };
- ReportEvent(hEventSource, flags & MSG_FLAGS_ERROR ?
- EVENTLOG_ERROR_TYPE : EVENTLOG_INFORMATION_TYPE,
- 0, 0, NULL, 2, 0, mesg, NULL);
+ ReportEvent(hEventSource,
+ flags & MSG_FLAGS_ERROR ? EVENTLOG_ERROR_TYPE : EVENTLOG_INFORMATION_TYPE, 0, 0,
+ NULL, 2, 0, mesg, NULL);
 DeregisterEventSource(hEventSource);
 }
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index bc63296ba..0983e5912 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -40,32 +40,30 @@
 #include "validate.h"
 #include "wfp_block.h"
-#define IO_TIMEOUT 2000 /*ms*/
+#define IO_TIMEOUT 2000 /*ms*/
-#define ERROR_OPENVPN_STARTUP 0x20000000
-#define ERROR_STARTUP_DATA 0x20000001
-#define ERROR_MESSAGE_DATA 0x20000002
-#define ERROR_MESSAGE_TYPE 0x20000003
+#define ERROR_OPENVPN_STARTUP 0x20000000
+#define ERROR_STARTUP_DATA 0x20000001
+#define ERROR_MESSAGE_DATA 0x20000002
+#define ERROR_MESSAGE_TYPE 0x20000003
 static SERVICE_STATUS_HANDLE service;
 static SERVICE_STATUS status = { .dwServiceType = SERVICE_WIN32_SHARE_PROCESS };
 static HANDLE exit_event = NULL;
 static settings_t settings;
 static HANDLE rdns_semaphore = NULL;
-#define RDNS_TIMEOUT 600 /* seconds to wait for the semaphore */
+#define RDNS_TIMEOUT 600 /* seconds to wait for the semaphore */
-#define TUN_IOCTL_REGISTER_RINGS CTL_CODE(51820U, 0x970U, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
+#define TUN_IOCTL_REGISTER_RINGS \
+ CTL_CODE(51820U, 0x970U, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
-openvpn_service_t interactive_service = {
- interactive,
- _L(PACKAGE_NAME) L"ServiceInteractive",
- _L(PACKAGE_NAME) L" Interactive Service",
- SERVICE_DEPENDENCIES,
- SERVICE_AUTO_START
-};
+openvpn_service_t interactive_service = { interactive, _L(PACKAGE_NAME) L"ServiceInteractive",
+ _L(PACKAGE_NAME) L" Interactive Service",
+ SERVICE_DEPENDENCIES, SERVICE_AUTO_START };
-typedef struct {
+typedef struct
+{
 WCHAR *directory;
 WCHAR *options;
 WCHAR *std_input;
@@ -73,14 +71,16 @@ typedef struct {
 /* Datatype for linked lists */
-typedef struct _list_item {
+typedef struct _list_item
+{
 struct _list_item *next;
 LPVOID data;
 } list_item_t;
 /* Datatypes for undo information */
-typedef enum {
+typedef enum
+{
 address,
 route,
 wfp_block,
@@ -93,19 +93,22 @@ typedef enum {
 } undo_type_t;
 typedef list_item_t *undo_lists_t[_undo_type_max];
-typedef struct {
+typedef struct
+{
 HANDLE engine;
 int index;
 int metric_v4;
 int metric_v6;
 } wfp_block_data_t;
-typedef struct {
+typedef struct
+{
 char itf_name[256];
 PWSTR domains;
 } dns_domains_undo_data_t;
-typedef union {
+typedef union
+{
 message_header_t header;
 address_message_t address;
 route_message_t route;
@@ -119,7 +122,8 @@ typedef union {
 create_adapter_message_t create_adapter;
 } pipe_message_t;
-typedef struct {
+typedef struct
+{
 CHAR addresses[NRPT_ADDR_NUM * NRPT_ADDR_SIZE];
 WCHAR domains[512]; /* MULTI_SZ string */
 DWORD domains_size; /* bytes in domains */
@@ -142,7 +146,7 @@ AddListItem(list_item_t **pfirst, LPVOID data)
 return NO_ERROR;
 }
-typedef BOOL (*match_fn_t) (LPVOID item, LPVOID ctx);
+typedef BOOL (*match_fn_t)(LPVOID item, LPVOID ctx);
 static LPVOID
 RemoveListItem(list_item_t **pfirst, match_fn_t match, LPVOID ctx)
@@ -201,7 +205,8 @@ ResetOverlapped(LPOVERLAPPED overlapped)
 }
-typedef enum {
+typedef enum
+{
 peek,
 read,
 write
@@ -248,8 +253,7 @@ AsyncPipeOp(async_op_t op, HANDLE pipe, LPVOID buffer, DWORD size, DWORD count,
 handles[i + 1] = events[i];
 }
- res = WaitForMultipleObjects(count + 1, handles, FALSE,
- op == peek ? INFINITE : IO_TIMEOUT);
+ res = WaitForMultipleObjects(count + 1, handles, FALSE, op == peek ? INFINITE : IO_TIMEOUT);
 if (res != WAIT_OBJECT_0)
 {
 CancelIo(pipe);
@@ -309,32 +313,25 @@ ReturnError(HANDLE pipe, DWORD error, LPCWSTR func, DWORD count, LPHANDLE events
 {
 DWORD result_len;
 LPWSTR result = L"0xffffffff\nFormatMessage failed\nCould not return result";
- DWORD_PTR args[] = {
- (DWORD_PTR) error,
- (DWORD_PTR) func,
- (DWORD_PTR) ""
- };
+ DWORD_PTR args[] = { (DWORD_PTR)error, (DWORD_PTR)func, (DWORD_PTR) "" };
 if (error != ERROR_OPENVPN_STARTUP)
 {
- FormatMessageW(FORMAT_MESSAGE_FROM_SYSTEM
- |FORMAT_MESSAGE_ALLOCATE_BUFFER
- |FORMAT_MESSAGE_IGNORE_INSERTS,
- 0, error, 0, (LPWSTR) &args[2], 0, NULL);
+ FormatMessageW(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER
+ | FORMAT_MESSAGE_IGNORE_INSERTS,
+ 0, error, 0, (LPWSTR)&args[2], 0, NULL);
 }
- result_len = FormatMessageW(FORMAT_MESSAGE_FROM_STRING
- |FORMAT_MESSAGE_ALLOCATE_BUFFER
- |FORMAT_MESSAGE_ARGUMENT_ARRAY,
- L"0x%1!08x!\n%2!s!\n%3!s!", 0, 0,
- (LPWSTR) &result, 0, (va_list *) args);
+ result_len = FormatMessageW(
+ FORMAT_MESSAGE_FROM_STRING | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_ARGUMENT_ARRAY,
+ L"0x%1!08x!\n%2!s!\n%3!s!", 0, 0, (LPWSTR)&result, 0, (va_list *)args);
 WritePipeAsync(pipe, result, (DWORD)(wcslen(result) * 2), count, events);
 MsgToEventLog(MSG_FLAGS_ERROR, result);
 if (error != ERROR_OPENVPN_STARTUP)
 {
- LocalFree((LPVOID) args[2]);
+ LocalFree((LPVOID)args[2]);
 }
 if (result_len)
 {
@@ -355,7 +352,8 @@ ReturnLastError(HANDLE pipe, LPCWSTR func)
 * Returns true on success, false on error with reason set in errmsg.
 */
 static BOOL
-ValidateOptions(HANDLE pipe, const WCHAR *workdir, const WCHAR *options, WCHAR *errmsg, DWORD capacity)
+ValidateOptions(HANDLE pipe, const WCHAR *workdir, const WCHAR *options, WCHAR *errmsg,
+ DWORD capacity)
 {
 WCHAR **argv;
 int argc;
@@ -380,7 +378,7 @@ ValidateOptions(HANDLE pipe, const WCHAR *workdir, const WCHAR *options, WCHAR *
 }
 /* Note: argv[0] is the first option */
- if (argc < 1) /* no options */
+ if (argc < 1) /* no options */
 {
 ret = TRUE;
 goto out;
@@ -395,8 +393,7 @@ ValidateOptions(HANDLE pipe, const WCHAR *workdir, const WCHAR *options, WCHAR *
 if (!CheckOption(workdir, 2, argv_tmp, &settings))
 {
- swprintf(errmsg, capacity, msg1, argv[0], workdir,
- settings.ovpn_admin_group);
+ swprintf(errmsg, capacity, msg1, argv[0], workdir, settings.ovpn_admin_group);
 }
 goto out;
 }
@@ -408,17 +405,15 @@ ValidateOptions(HANDLE pipe, const WCHAR *workdir, const WCHAR *options, WCHAR *
 continue;
 }
- if (!CheckOption(workdir, argc-i, &argv[i], &settings))
+ if (!CheckOption(workdir, argc - i, &argv[i], &settings))
 {
- if (wcscmp(L"--config", argv[i]) == 0 && argc-i > 1)
+ if (wcscmp(L"--config", argv[i]) == 0 && argc - i > 1)
 {
- swprintf(errmsg, capacity, msg1, argv[i+1], workdir,
- settings.ovpn_admin_group);
+ swprintf(errmsg, capacity, msg1, argv[i + 1], workdir, settings.ovpn_admin_group);
 }
 else
 {
- swprintf(errmsg, capacity, msg2, argv[i],
- settings.ovpn_admin_group);
+ swprintf(errmsg, capacity, msg2, argv[i], settings.ovpn_admin_group);
 }
 goto out;
 }
@@ -505,7 +500,7 @@ GetStartupData(HANDLE pipe, STARTUP_DATA *sud)
 return TRUE;
 err:
- sud->directory = NULL; /* caller must not free() */
+ sud->directory = NULL; /* caller must not free() */
 free(data);
 return FALSE;
 }
@@ -580,7 +575,7 @@ HandleAddressMessage(address_message_t *msg, undo_lists_t *lists)
 InitializeUnicastIpAddressEntry(addr_row);
 addr_row->Address = sockaddr_inet(msg->family, &msg->address);
- addr_row->OnLinkPrefixLength = (UINT8) msg->prefix_len;
+ addr_row->OnLinkPrefixLength = (UINT8)msg->prefix_len;
 if (msg->iface.index != -1)
 {
@@ -662,7 +657,7 @@ HandleRouteMessage(route_message_t *msg, undo_lists_t *lists)
 fwd_row->Protocol = MIB_IPPROTO_NETMGMT;
 fwd_row->Metric = msg->metric;
 fwd_row->DestinationPrefix.Prefix = sockaddr_inet(msg->family, &msg->prefix);
- fwd_row->DestinationPrefix.PrefixLength = (UINT8) msg->prefix_len;
+ fwd_row->DestinationPrefix.PrefixLength = (UINT8)msg->prefix_len;
 fwd_row->NextHop = sockaddr_inet(msg->family, &msg->gateway);
 if (msg->iface.index != -1)
@@ -740,7 +735,7 @@ BlockDNSErrHandler(DWORD err, const char *msg)
 err_str = L"Unknown Win32 Error";
 if (FormatMessage(FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_FROM_SYSTEM
- | FORMAT_MESSAGE_ARGUMENT_ARRAY,
+ | FORMAT_MESSAGE_ARGUMENT_ARRAY,
 NULL, err, 0, buf, sizeof(buf), NULL))
 {
 err_str = buf;
@@ -767,13 +762,11 @@ DeleteWfpBlock(const wfp_block_message_t *msg, undo_lists_t *lists)
 err = delete_wfp_block_filters(block_data->engine);
 if (block_data->metric_v4 >= 0)
 {
- set_interface_metric(msg->iface.index, AF_INET,
- block_data->metric_v4);
+ set_interface_metric(msg->iface.index, AF_INET, block_data->metric_v4);
 }
 if (block_data->metric_v6 >= 0)
 {
- set_interface_metric(msg->iface.index, AF_INET6,
- block_data->metric_v6);
+ set_interface_metric(msg->iface.index, AF_INET6, block_data->metric_v6);
 }
 free(block_data);
 }
@@ -809,14 +802,12 @@ AddWfpBlock(const wfp_block_message_t *msg, undo_lists_t *lists)
 block_data->engine = engine;
 block_data->index = msg->iface.index;
 int is_auto = 0;
- block_data->metric_v4 = get_interface_metric(msg->iface.index,
- AF_INET, &is_auto);
+ block_data->metric_v4 = get_interface_metric(msg->iface.index, AF_INET, &is_auto);
 if (is_auto)
 {
 block_data->metric_v4 = 0;
 }
- block_data->metric_v6 = get_interface_metric(msg->iface.index,
- AF_INET6, &is_auto);
+ block_data->metric_v6 = get_interface_metric(msg->iface.index, AF_INET6, &is_auto);
 if (is_auto)
 {
 block_data->metric_v6 = 0;
@@ -825,8 +816,7 @@ AddWfpBlock(const wfp_block_message_t *msg, undo_lists_t *lists)
 err = AddListItem(&(*lists)[wfp_block], block_data);
 if (!err)
 {
- err = set_interface_metric(msg->iface.index, AF_INET,
- WFP_BLOCK_IFACE_METRIC);
+ err = set_interface_metric(msg->iface.index, AF_INET, WFP_BLOCK_IFACE_METRIC);
 if (!err)
 {
 /* for IPv6, we intentionally ignore errors, because
@@ -834,8 +824,7 @@ AddWfpBlock(const wfp_block_message_t *msg, undo_lists_t *lists)
 * admin has disabled IPv6 on the tun/tap/dco interface
 * (if OpenVPN wants IPv6 ifconfig, we'll fail there)
 */
- set_interface_metric(msg->iface.index, AF_INET6,
- WFP_BLOCK_IFACE_METRIC);
+ set_interface_metric(msg->iface.index, AF_INET6, WFP_BLOCK_IFACE_METRIC);
 }
 if (err)
 {
@@ -880,7 +869,7 @@ ExecCommand(const WCHAR *argv0, const WCHAR *cmdline, DWORD timeout)
 DWORD exit_code;
 STARTUPINFOW si;
 PROCESS_INFORMATION pi;
- DWORD proc_flags = CREATE_NO_WINDOW|CREATE_UNICODE_ENVIRONMENT;
+ DWORD proc_flags = CREATE_NO_WINDOW | CREATE_UNICODE_ENVIRONMENT;
 WCHAR *cmdline_dup = NULL;
 ZeroMemory(&si, sizeof(si));
@@ -890,8 +879,8 @@ ExecCommand(const WCHAR *argv0, const WCHAR *cmdline, DWORD timeout)
 /* CreateProcess needs a modifiable cmdline: make a copy */
 cmdline_dup = _wcsdup(cmdline);
- if (cmdline_dup && CreateProcessW(argv0, cmdline_dup, NULL, NULL, FALSE,
- proc_flags, NULL, NULL, &si, &pi) )
+ if (cmdline_dup
+ && CreateProcessW(argv0, cmdline_dup, NULL, NULL, FALSE, proc_flags, NULL, NULL, &si, &pi))
 {
 WaitForSingleObject(pi.hProcess, timeout ? timeout : INFINITE);
 if (!GetExitCodeProcess(pi.hProcess, &exit_code))
@@ -905,13 +894,12 @@ ExecCommand(const WCHAR *argv0, const WCHAR *cmdline, DWORD timeout)
 /* kill without impunity */
 TerminateProcess(pi.hProcess, exit_code);
- MsgToEventLog(M_ERR, L"ExecCommand: \"%ls %ls\" killed after timeout",
- argv0, cmdline);
+ MsgToEventLog(M_ERR, L"ExecCommand: \"%ls %ls\" killed after timeout", argv0, cmdline);
 }
 else if (exit_code)
 {
- MsgToEventLog(M_ERR, L"ExecCommand: \"%ls %ls\" exited with status = %lu",
- argv0, cmdline, exit_code);
+ MsgToEventLog(M_ERR, L"ExecCommand: \"%ls %ls\" exited with status = %lu", argv0,
+ cmdline, exit_code);
 }
 else
 {
@@ -924,8 +912,7 @@ ExecCommand(const WCHAR *argv0, const WCHAR *cmdline, DWORD timeout)
 else
 {
 exit_code = GetLastError();
- MsgToEventLog(M_SYSERR, L"ExecCommand: could not run \"%ls %ls\" :",
- argv0, cmdline);
+ MsgToEventLog(M_SYSERR, L"ExecCommand: could not run \"%ls %ls\" :", argv0, cmdline);
 }
 free(cmdline_dup);
@@ -950,12 +937,12 @@ RegisterDNS(LPVOID unused)
 WCHAR *argv0;
 WCHAR *cmdline;
 DWORD timeout;
- } cmds [] = {
- { ipcfg, L"ipconfig /flushdns", timeout },
+ } cmds[] = {
+ { ipcfg, L"ipconfig /flushdns", timeout },
 { ipcfg, L"ipconfig /registerdns", timeout },
 };
- HANDLE wait_handles[2] = {rdns_semaphore, exit_event};
+ HANDLE wait_handles[2] = { rdns_semaphore, exit_event };
 swprintf(ipcfg, MAX_PATH, L"%ls\\%ls", get_win_sys_path(), L"ipconfig.exe");
@@ -967,9 +954,10 @@ RegisterDNS(LPVOID unused)
 ExecCommand(cmds[i].argv0, cmds[i].cmdline, cmds[i].timeout);
 }
 err = 0;
- if (!ReleaseSemaphore(rdns_semaphore, 1, NULL) )
+ if (!ReleaseSemaphore(rdns_semaphore, 1, NULL))
 {
- err = MsgToEventLog(M_SYSERR, L"RegisterDNS: Failed to release regsiter-dns semaphore:");
+ err =
+ MsgToEventLog(M_SYSERR, L"RegisterDNS: Failed to release regsiter-dns semaphore:");
 }
 }
 else
@@ -1046,7 +1034,7 @@ netsh_wins_cmd(const wchar_t *action, const wchar_t *if_name, const wchar_t *add
 /* max cmdline length in wchars -- include room for worst case and some */
 size_t ncmdline = wcslen(fmt) + wcslen(if_name) + wcslen(action) + wcslen(addr)
- +wcslen(addr_static) + 32 + 1;
+ + wcslen(addr_static) + 32 + 1;
 cmdline = malloc(ncmdline * sizeof(wchar_t));
 if (!cmdline)
 {
@@ -1078,13 +1066,8 @@ CmpWString(LPVOID item, LPVOID str)
 static BOOL
 ApplyGpolSettings32(void)
 {
- typedef NTSTATUS (__stdcall *publish_fn_t)(
- DWORD StateNameLo,
- DWORD StateNameHi,
- DWORD TypeId,
- DWORD Buffer,
- DWORD Length,
- DWORD ExplicitScope);
+ typedef NTSTATUS(__stdcall * publish_fn_t)(DWORD StateNameLo, DWORD StateNameHi, DWORD TypeId,
+ DWORD Buffer, DWORD Length, DWORD ExplicitScope);
 publish_fn_t RtlPublishWnfStateData;
 const DWORD WNF_GPOL_SYSTEM_CHANGES_HI = 0x0D891E2A;
 const DWORD WNF_GPOL_SYSTEM_CHANGES_LO = 0xA3BC0875;
@@ -1095,13 +1078,14 @@ ApplyGpolSettings32(void)
 return FALSE;
 }
- RtlPublishWnfStateData = (publish_fn_t) GetProcAddress(ntdll, "RtlPublishWnfStateData");
+ RtlPublishWnfStateData = (publish_fn_t)GetProcAddress(ntdll, "RtlPublishWnfStateData");
 if (RtlPublishWnfStateData == NULL)
 {
 return FALSE;
 }
- if (RtlPublishWnfStateData(WNF_GPOL_SYSTEM_CHANGES_LO, WNF_GPOL_SYSTEM_CHANGES_HI, 0, 0, 0, 0) != ERROR_SUCCESS)
+ if (RtlPublishWnfStateData(WNF_GPOL_SYSTEM_CHANGES_LO, WNF_GPOL_SYSTEM_CHANGES_HI, 0, 0, 0, 0)
+ != ERROR_SUCCESS)
 {
 return FALSE;
 }
@@ -1118,12 +1102,8 @@ ApplyGpolSettings32(void)
 static BOOL
 ApplyGpolSettings64(void)
 {
- typedef NTSTATUS (*publish_fn_t)(
- INT64 StateName,
- INT64 TypeId,
- INT64 Buffer,
- unsigned int Length,
- INT64 ExplicitScope);
+ typedef NTSTATUS (*publish_fn_t)(INT64 StateName, INT64 TypeId, INT64 Buffer,
+ unsigned int Length, INT64 ExplicitScope);
 publish_fn_t RtlPublishWnfStateData;
 const INT64 WNF_GPOL_SYSTEM_CHANGES = 0x0D891E2AA3BC0875;
@@ -1133,7 +1113,7 @@ ApplyGpolSettings64(void)
 return FALSE;
 }
- RtlPublishWnfStateData = (publish_fn_t) GetProcAddress(ntdll, "RtlPublishWnfStateData");
+ RtlPublishWnfStateData = (publish_fn_t)GetProcAddress(ntdll, "RtlPublishWnfStateData");
 if (RtlPublishWnfStateData == NULL)
 {
 return FALSE;
@@ -1183,24 +1163,21 @@ ApplyDnsSettings(BOOL apply_gpol)
 scm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
 if (scm == NULL)
 {
- MsgToEventLog(M_ERR, L"%S: OpenSCManager call failed (%lu)",
- __func__, GetLastError());
+ MsgToEventLog(M_ERR, L"%S: OpenSCManager call failed (%lu)", __func__, GetLastError());
 goto out;
 }
 dnssvc = OpenServiceA(scm, "Dnscache", SERVICE_PAUSE_CONTINUE);
 if (dnssvc == NULL)
 {
- MsgToEventLog(M_ERR, L"%S: OpenService call failed (%lu)",
- __func__, GetLastError());
+ MsgToEventLog(M_ERR, L"%S: OpenService call failed (%lu)", __func__, GetLastError());
 goto out;
 }
 SERVICE_STATUS status;
 if (ControlService(dnssvc, SERVICE_CONTROL_PARAMCHANGE, &status) == 0)
 {
- MsgToEventLog(M_ERR, L"%S: ControlService call failed (%lu)",
- __func__, GetLastError());
+ MsgToEventLog(M_ERR, L"%S: ControlService call failed (%lu)", __func__, GetLastError());
 goto out;
 }
@@ -1328,8 +1305,7 @@ GetDnsSearchListKey(PCSTR itf_name, PBOOL gpol, PHKEY key)
 *gpol = FALSE;
 /* Try the group policy search list */
- err = RegOpenKeyExA(HKEY_LOCAL_MACHINE,
- "SOFTWARE\\Policies\\Microsoft\\Windows NT\\DNSClient",
+ err = RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SOFTWARE\\Policies\\Microsoft\\Windows NT\\DNSClient",
 0, KEY_ALL_ACCESS, key);
 if (!err)
 {
@@ -1342,9 +1318,9 @@ GetDnsSearchListKey(PCSTR itf_name, PBOOL gpol, PHKEY key)
 }
 /* Try the system-wide search list */
- err = RegOpenKeyExA(HKEY_LOCAL_MACHINE,
- "System\\CurrentControlSet\\Services\\TCPIP\\Parameters",
- 0, KEY_ALL_ACCESS, key);
+ err =
+ RegOpenKeyExA(HKEY_LOCAL_MACHINE, "System\\CurrentControlSet\\Services\\TCPIP\\Parameters",
+ 0, KEY_ALL_ACCESS, key);
 if (!err)
 {
 if (HasValidSearchList(*key))
@@ -1362,9 +1338,10 @@ GetDnsSearchListKey(PCSTR itf_name, PBOOL gpol, PHKEY key)
 if (!iid_err)
 {
 HKEY itfs;
- err = RegOpenKeyExA(HKEY_LOCAL_MACHINE,
- "System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\Interfaces",
- 0, KEY_ALL_ACCESS, &itfs);
+ err =
+ RegOpenKeyExA(HKEY_LOCAL_MACHINE,
+ "System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\Interfaces",
+ 0, KEY_ALL_ACCESS, &itfs);
 if (!err)
 {
 err = RegOpenKeyExW(itfs, iid, 0, KEY_ALL_ACCESS, key);
@@ -1400,8 +1377,7 @@ InitialSearchListExists(HKEY key)
 {
 return FALSE;
 }
- MsgToEventLog(M_ERR, L"%S: failed to get InitialSearchList (%lu)",
- __func__, err);
+ MsgToEventLog(M_ERR, L"%S: failed to get InitialSearchList (%lu)", __func__, err);
 }
 return TRUE;
@@ -1436,8 +1412,7 @@ StoreInitialDnsSearchList(HKEY key, PCWSTR list)
 LSTATUS err = RegSetValueExW(key, L"InitialSearchList", 0, REG_SZ, (PBYTE)list, size);
 if (err)
 {
- MsgToEventLog(M_ERR, L"%S: failed to set InitialSearchList value (%lu)",
- __func__, err);
+ MsgToEventLog(M_ERR, L"%S: failed to set InitialSearchList value (%lu)", __func__, err);
 return FALSE;
 }
@@ -1457,7 +1432,7 @@ static BOOL
 AddDnsSearchDomains(HKEY key, BOOL have_list, PCWSTR domains)
 {
 LSTATUS err;
- WCHAR list[2048] = {0};
+ WCHAR list[2048] = { 0 };
 DWORD size = sizeof(list);
 if (have_list)
@@ -1465,8 +1440,8 @@ AddDnsSearchDomains(HKEY key, BOOL have_list, PCWSTR domains)
 err = RegGetValueW(key, NULL, L"SearchList", RRF_RT_REG_SZ, NULL, list, &size);
 if (err)
 {
- MsgToEventLog(M_SYSERR, L"%S: could not get SearchList from registry (%lu)",
- __func__, err);
+ MsgToEventLog(M_SYSERR, L"%S: could not get SearchList from registry (%lu)", __func__,
+ err);
 return FALSE;
 }
@@ -1498,8 +1473,7 @@ AddDnsSearchDomains(HKEY key, BOOL have_list, PCWSTR domains)
 err = RegSetValueExW(key, L"SearchList", 0, REG_SZ, (PBYTE)list, size);
 if (err)
 {
- MsgToEventLog(M_SYSERR, L"%S: could not set SearchList to registry (%lu)",
- __func__, err);
+ MsgToEventLog(M_SYSERR, L"%S: could not set SearchList to registry (%lu)", __func__, err);
 return FALSE;
 }
@@ -1540,8 +1514,7 @@ ResetDnsSearchDomains(HKEY key)
 err = RegSetValueExW(key, L"SearchList", 0, REG_SZ, (PBYTE)list, size);
 if (err)
 {
- MsgToEventLog(M_SYSERR, L"%S: could not set SearchList in registry (%lu)",
- __func__, err);
+ MsgToEventLog(M_SYSERR, L"%S: could not set SearchList in registry (%lu)", __func__, err);
 goto out;
 }
@@ -1568,8 +1541,7 @@ RemoveDnsSearchDomains(HKEY key, PCWSTR domains)
 err = RegGetValueW(key, NULL, L"SearchList", RRF_RT_REG_SZ, NULL, list, &size);
 if (err)
 {
- MsgToEventLog(M_SYSERR, L"%S: could not get SearchList from registry (%lu)",
- __func__, err);
+ MsgToEventLog(M_SYSERR, L"%S: could not get SearchList from registry (%lu)", __func__, err);
 return;
 }
@@ -1613,8 +1585,7 @@ RemoveDnsSearchDomains(HKEY key, PCWSTR domains)
 err = RegSetValueExW(key, L"SearchList", 0, REG_SZ, (PBYTE)list, size);
 if (err)
 {
- MsgToEventLog(M_SYSERR, L"%S: could not set SearchList in registry (%lu)",
- __func__, err);
+ MsgToEventLog(M_SYSERR, L"%S: could not set SearchList in registry (%lu)", __func__, err);
 }
 }
@@ -1732,8 +1703,8 @@ static BOOL
 GetInterfacesKey(short family, PHKEY key)
 {
 PCSTR itfs_key = family == AF_INET6
- ? "SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Interfaces"
- : "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces";
+ ? "SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Interfaces"
+ : "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces";
 LSTATUS err = RegOpenKeyExA(HKEY_LOCAL_MACHINE, itfs_key, 0, KEY_ALL_ACCESS, key);
 if (err)
@@ -1842,11 +1813,12 @@ HandleDNSConfigMessage(const dns_cfg_message_t *msg, undo_lists_t *lists)
 return ERROR_MESSAGE_DATA;
 }
- /* use a non-const reference with limited scope to enforce null-termination of strings from client */
+ /* use a non-const reference with limited scope to enforce null-termination of strings from
+ * client */
 {
- dns_cfg_message_t *msgptr = (dns_cfg_message_t *) msg;
- msgptr->iface.name[_countof(msg->iface.name)-1] = '\0';
- msgptr->domains[_countof(msg->domains)-1] = '\0';
+ dns_cfg_message_t *msgptr = (dns_cfg_message_t *)msg;
+ msgptr->iface.name[_countof(msg->iface.name) - 1] = '\0';
+ msgptr->domains[_countof(msg->domains) - 1] = '\0';
 }
 WCHAR iid[64];
@@ -1878,7 +1850,7 @@ HandleDNSConfigMessage(const dns_cfg_message_t *msg, undo_lists_t *lists)
 err = SetDnsSearchDomains(msg->iface.name, NULL, &gpol, lists);
 }
 ApplyDnsSettings(gpol);
- return err; /* job done */
+ return err; /* job done */
 }
 if (msg->addr_len > 0)
@@ -2100,8 +2072,7 @@ GetItfDnsServersV6(HKEY itf_key, PSTR addrs, PDWORD size)
 s--;
 }
- if (inet_ntop(AF_INET6, &in_addrs[i],
- pos, s) != NULL)
+ if (inet_ntop(AF_INET6, &in_addrs[i], pos, s) != NULL)
 {
 *size = 0;
 return ERROR_MORE_DATA;
@@ -2188,7 +2159,7 @@ GetItfDnsDomains(HKEY itf, PCWSTR search_domains, PWSTR domains, PDWORD size)
 LSTATUS err = ERROR_FILE_NOT_FOUND;
 const DWORD buf_size = *size;
 const size_t one_glyph = sizeof(*domains);
- PWSTR values[] = { L"SearchList", L"Domain", L"DhcpDomainSearchList", L"DhcpDomain", NULL};
+ PWSTR values[] = { L"SearchList", L"Domain", L"DhcpDomainSearchList", L"DhcpDomain", NULL };
 for (int i = 0; values[i]; i++)
 {
@@ -2284,7 +2255,8 @@ IsInterfaceConnected(PWSTR iid_str)
 /* Get GUID from string */
 if (IIDFromString(iid_str, &iid) != S_OK)
 {
- MsgToEventLog(M_SYSERR, L"%S: could not convert interface %s GUID string", __func__, iid_str);
+ MsgToEventLog(M_SYSERR, L"%S: could not convert interface %s GUID string", __func__,
+ iid_str);
 goto out;
 }
@@ -2326,8 +2298,7 @@ GetNrptExcludeData(PCWSTR search_domains, nrpt_exclude_data_t *data, size_t data
 HKEY v4_itfs = INVALID_HANDLE_VALUE;
 HKEY v6_itfs = INVALID_HANDLE_VALUE;
- if (!GetInterfacesKey(AF_INET, &v4_itfs)
- || !GetInterfacesKey(AF_INET6, &v6_itfs))
+ if (!GetInterfacesKey(AF_INET, &v4_itfs) || !GetInterfacesKey(AF_INET6, &v6_itfs))
 {
 goto out;
 }
@@ -2338,8 +2309,8 @@ GetNrptExcludeData(PCWSTR search_domains, nrpt_exclude_data_t *data, size_t data
 {
 WCHAR itf_guid[MAX_PATH];
 DWORD itf_guid_len = _countof(itf_guid);
- LSTATUS err = RegEnumKeyExW(v4_itfs, enum_index++, itf_guid, &itf_guid_len,
- NULL, NULL, NULL, NULL);
+ LSTATUS err =
+ RegEnumKeyExW(v4_itfs, enum_index++, itf_guid, &itf_guid_len, NULL, NULL, NULL, NULL);
 if (err)
 {
 if (err != ERROR_NO_MORE_ITEMS)
@@ -2358,7 +2329,8 @@ GetNrptExcludeData(PCWSTR search_domains, nrpt_exclude_data_t *data, size_t data
 HKEY v4_itf;
 if (RegOpenKeyExW(v4_itfs, itf_guid, 0, KEY_READ, &v4_itf) != NO_ERROR)
 {
- MsgToEventLog(M_SYSERR, L"%S: could not open interface %s v4 registry key", __func__, itf_guid);
+ MsgToEventLog(M_SYSERR, L"%S: could not open interface %s v4 registry key", __func__,
+ itf_guid);
 goto out;
 }
@@ -2370,7 +2342,8 @@ GetNrptExcludeData(PCWSTR search_domains, nrpt_exclude_data_t *data, size_t data
 {
 if (err != ERROR_FILE_NOT_FOUND)
 {
- MsgToEventLog(M_SYSERR, L"%S: could not read interface %s domain suffix", __func__, itf_guid);
+ MsgToEventLog(M_SYSERR, L"%S: could not read interface %s domain suffix", __func__,
+ itf_guid);
 }
 goto next_itf;
 }
@@ -2393,7 +2366,8 @@ GetNrptExcludeData(PCWSTR search_domains, nrpt_exclude_data_t *data, size_t data
 HKEY v6_itf;
 if (RegOpenKeyExW(v6_itfs, itf_guid, 0, KEY_READ, &v6_itf) != NO_ERROR)
 {
- MsgToEventLog(M_SYSERR, L"%S: could not open interface %s v6 registry key", __func__, itf_guid);
+ MsgToEventLog(M_SYSERR, L"%S: could not open interface %s v6 registry key",
+ __func__, itf_guid);
 goto next_itf;
 }
 err = GetItfDnsServersV6(v6_itf, v6_addrs, &v6_addrs_size);
@@ -2441,8 +2415,8 @@ out:
 * @return NO_ERROR on success, or Windows error code
 */
 static DWORD
-SetNrptRule(HKEY nrpt_key, PCWSTR subkey, PCSTR address,
- PCWSTR domains, DWORD dom_size, BOOL dnssec)
+SetNrptRule(HKEY nrpt_key, PCWSTR subkey, PCSTR address, PCWSTR domains, DWORD dom_size,
+ BOOL dnssec)
 {
 /* Create rule subkey */
 DWORD err = NO_ERROR;
@@ -2461,7 +2435,8 @@ SetNrptRule(HKEY nrpt_key, PCWSTR subkey, PCSTR address,
 }
 /* Set DNS Server address */
- err = RegSetValueExA(rule_key, "GenericDNSServers", 0, REG_SZ, (PBYTE)address, strlen(address) + 1);
+ err = RegSetValueExA(rule_key, "GenericDNSServers", 0, REG_SZ, (PBYTE)address,
+ strlen(address) + 1);
 if (err)
 {
 goto out;
@@ -2472,21 +2447,24 @@ SetNrptRule(HKEY nrpt_key, PCWSTR subkey, PCSTR address,
 if (dnssec)
 {
 reg_val = 1;
- err = RegSetValueExA(rule_key, "DNSSECValidationRequired", 0, REG_DWORD, (PBYTE)®_val, sizeof(reg_val));
+ err = RegSetValueExA(rule_key, "DNSSECValidationRequired", 0, REG_DWORD, (PBYTE)®_val,
+ sizeof(reg_val));
 if (err)
 {
 goto out;
 }
 reg_val = 0;
- err = RegSetValueExA(rule_key, "DNSSECQueryIPSECRequired", 0, REG_DWORD, (PBYTE)®_val, sizeof(reg_val));
+ err = RegSetValueExA(rule_key, "DNSSECQueryIPSECRequired", 0, REG_DWORD, (PBYTE)®_val,
+ sizeof(reg_val));
 if (err)
 {
 goto out;
 }
 reg_val = 0;
- err = RegSetValueExA(rule_key, "DNSSECQueryIPSECEncryption", 0, REG_DWORD, (PBYTE)®_val, sizeof(reg_val));
+ err = RegSetValueExA(rule_key, "DNSSECQueryIPSECEncryption", 0, REG_DWORD, (PBYTE)®_val,
+ sizeof(reg_val));
 if (err)
 {
 goto out;
@@ -2495,7 +2473,8 @@ SetNrptRule(HKEY nrpt_key, PCWSTR subkey, PCSTR address,
 /* Set NRPT config options */
 reg_val = dnssec ? 0x0000000A : 0x00000008;
- err = RegSetValueExA(rule_key, "ConfigOptions", 0, REG_DWORD, (const PBYTE)®_val, sizeof(reg_val));
+ err = RegSetValueExA(rule_key, "ConfigOptions", 0, REG_DWORD, (const PBYTE)®_val,
+ sizeof(reg_val));
 if (err)
 {
 goto out;
@@ -2653,7 +2632,8 @@ OpenNrptBaseKey(PHKEY key, PBOOL gpol)
 * remains in the registry even if the last GP-NRPT rule is deleted.
 */
 static PCSTR gpol_key = "SOFTWARE\\Policies\\Microsoft\\Windows NT\\DNSClient\\DnsPolicyConfig";
- static PCSTR sys_key = "SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters\\DnsPolicyConfig";
+ static PCSTR sys_key =
+ "SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters\\DnsPolicyConfig";
 HKEY nrpt;
 *gpol = TRUE;
@@ -2661,7 +2641,8 @@ OpenNrptBaseKey(PHKEY key, PBOOL gpol)
 if (err == ERROR_FILE_NOT_FOUND)
 {
 *gpol = FALSE;
- err = RegCreateKeyExA(HKEY_LOCAL_MACHINE, sys_key, 0, NULL, 0, KEY_ALL_ACCESS, NULL, &nrpt, NULL);
+ err = RegCreateKeyExA(HKEY_LOCAL_MACHINE, sys_key, 0, NULL, 0, KEY_ALL_ACCESS, NULL, &nrpt,
+ NULL);
 if (err)
 {
 nrpt = INVALID_HANDLE_VALUE;
@@ -2763,15 +2744,14 @@ UndoNrptRules(DWORD ovpn_pid)
 * @return NO_ERROR on success, or a Windows error code
 */
 static DWORD
-HandleDNSConfigNrptMessage(const nrpt_dns_cfg_message_t *msg,
- DWORD ovpn_pid, undo_lists_t *lists)
+HandleDNSConfigNrptMessage(const nrpt_dns_cfg_message_t *msg, DWORD ovpn_pid, undo_lists_t *lists)
 {
 /*
 * Use a non-const reference with limited scope to
 * enforce null-termination of strings from client
 */
 {
- nrpt_dns_cfg_message_t *msgptr = (nrpt_dns_cfg_message_t *) msg;
+ nrpt_dns_cfg_message_t *msgptr = (nrpt_dns_cfg_message_t *)msg;
 msgptr->iface.name[_countof(msg->iface.name) - 1] = '\0';
 msgptr->search_domains[_countof(msg->search_domains) - 1] = '\0';
 msgptr->resolve_domains[_countof(msg->resolve_domains) - 1] = '\0';
@@ -2864,7 +2844,8 @@ HandleDNSConfigNrptMessage(const nrpt_dns_cfg_message_t *msg,
 /* Set NRPT rules */
 BOOL dnssec = (msg->flags & nrpt_dnssec) != 0;
- err = SetNrptRules(key, msg->addresses, msg->resolve_domains, msg->search_domains, dnssec, ovpn_pid);
+ err = SetNrptRules(key, msg->addresses, msg->resolve_domains, msg->search_domains, dnssec,
+ ovpn_pid);
 if (err)
 {
 goto out;
@@ -2907,7 +2888,8 @@ HandleWINSConfigMessage(const wins_cfg_message_t *msg, undo_lists_t *lists)
 return ERROR_MESSAGE_DATA;
 }
- /* use a non-const reference with limited scope to enforce null-termination of strings from client */
+ /* use a non-const reference with limited scope to enforce null-termination of strings from
+ * client */
 {
 wins_cfg_message_t *msgptr = (wins_cfg_message_t *)msg;
 msgptr->iface.name[_countof(msg->iface.name) - 1] = '\0';
@@ -2934,7 +2916,7 @@ HandleWINSConfigMessage(const wins_cfg_message_t *msg, undo_lists_t *lists)
 if (msg->header.type == msg_del_wins_cfg)
 {
- goto out; /* job done */
+ goto out; /* job done */
 }
 for (int i = 0; i < addr_len; ++i)
@@ -2988,7 +2970,7 @@ HandleEnableDHCPMessage(const enable_dhcp_message_t *dhcp)
 * 10 chars for 32 bit int in decimal and +1 for NUL
 */
 size_t ncmdline = wcslen(fmt) + 10 + 1;
- wchar_t *cmdline = malloc(ncmdline*sizeof(wchar_t));
+ wchar_t *cmdline = malloc(ncmdline * sizeof(wchar_t));
 if (!cmdline)
 {
 err = ERROR_OUTOFMEMORY;
@@ -3073,16 +3055,12 @@ HandleCreateAdapterMessage(const create_adapter_message_t *msg)
 }
 static VOID
-HandleMessage(HANDLE pipe, PPROCESS_INFORMATION proc_info,
- DWORD bytes, DWORD count, LPHANDLE events, undo_lists_t *lists)
+HandleMessage(HANDLE pipe, PPROCESS_INFORMATION proc_info, DWORD bytes, DWORD count,
+ LPHANDLE events, undo_lists_t *lists)
 {
 pipe_message_t msg;
 ack_message_t ack = {
- .header = {
- .type = msg_acknowledgement,
- .size = sizeof(ack),
- .message_id = -1
- },
+ .header = { .type = msg_acknowledgement, .size = sizeof(ack), .message_id = -1 },
 .error_number = ERROR_MESSAGE_DATA
 };
@@ -3264,27 +3242,24 @@ RunOpenvpn(LPVOID p)
 STARTUPINFOW startup_info;
 PROCESS_INFORMATION proc_info;
 LPVOID user_env = NULL;
- WCHAR ovpn_pipe_name[256]; /* The entire pipe name string can be up to 256 characters long according to MSDN. */
+ WCHAR ovpn_pipe_name[256]; /* The entire pipe name string can be up to 256 characters long
+ according to MSDN. */
 LPCWSTR exe_path;
 WCHAR *cmdline = NULL;
 size_t cmdline_size;
 undo_lists_t undo_lists;
 WCHAR errmsg[512] = L"";
- SECURITY_ATTRIBUTES inheritable = {
- .nLength = sizeof(inheritable),
- .lpSecurityDescriptor = NULL,
- .bInheritHandle = TRUE
- };
+ SECURITY_ATTRIBUTES inheritable = { .nLength = sizeof(inheritable),
+ .lpSecurityDescriptor = NULL,
+ .bInheritHandle = TRUE };
 PACL ovpn_dacl;
 EXPLICIT_ACCESS ea[2];
 SECURITY_DESCRIPTOR ovpn_sd;
- SECURITY_ATTRIBUTES ovpn_sa = {
- .nLength = sizeof(ovpn_sa),
- .lpSecurityDescriptor = &ovpn_sd,
- .bInheritHandle = FALSE
- };
+ SECURITY_ATTRIBUTES ovpn_sa = { .nLength = sizeof(ovpn_sa),
+ .lpSecurityDescriptor = &ovpn_sd,
+ .bInheritHandle = FALSE };
 ZeroMemory(&ea, sizeof(ea));
 ZeroMemory(&startup_info, sizeof(startup_info));
@@ -3370,7 +3345,8 @@ RunOpenvpn(LPVOID p)
 * OR user is authorized to run any config.
 */
 if (!ValidateOptions(pipe, sud.directory, sud.options, errmsg, _countof(errmsg))
- && !IsAuthorizedUser(ovpn_user->User.Sid, imp_token, settings.ovpn_admin_group, settings.ovpn_service_user))
+ && !IsAuthorizedUser(ovpn_user->User.Sid, imp_token, settings.ovpn_admin_group,
+ settings.ovpn_service_user))
 {
 ReturnError(pipe, ERROR_STARTUP_DATA, errmsg, 1, &exit_event);
 goto out;
@@ -3382,14 +3358,14 @@ RunOpenvpn(LPVOID p)
 ea[0].grfInheritance = NO_INHERITANCE;
 ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
 ea[0].Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN;
- ea[0].Trustee.ptstrName = (LPWSTR) svc_user->User.Sid;
- ea[1].grfAccessPermissions = READ_CONTROL | SYNCHRONIZE | PROCESS_VM_READ
- |SYNCHRONIZE | PROCESS_TERMINATE | PROCESS_QUERY_INFORMATION;
+ ea[0].Trustee.ptstrName = (LPWSTR)svc_user->User.Sid;
+ ea[1].grfAccessPermissions = READ_CONTROL | SYNCHRONIZE | PROCESS_VM_READ | SYNCHRONIZE
+ | PROCESS_TERMINATE | PROCESS_QUERY_INFORMATION;
 ea[1].grfAccessMode = SET_ACCESS;
 ea[1].grfInheritance = NO_INHERITANCE;
 ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
 ea[1].Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN;
- ea[1].Trustee.ptstrName = (LPWSTR) ovpn_user->User.Sid;
+ ea[1].Trustee.ptstrName = (LPWSTR)ovpn_user->User.Sid;
 /* Set owner and DACL of OpenVPN security descriptor */
 if (!SetSecurityDescriptorOwner(&ovpn_sd, svc_user->User.Sid, FALSE))
@@ -3416,8 +3392,8 @@ RunOpenvpn(LPVOID p)
 }
 /* use /dev/null for stdout of openvpn (client should use --log for output) */
- stdout_write = CreateFile(_L("NUL"), GENERIC_WRITE, FILE_SHARE_WRITE,
- &inheritable, OPEN_EXISTING, 0, NULL);
+ stdout_write = CreateFile(_L("NUL"), GENERIC_WRITE, FILE_SHARE_WRITE, &inheritable,
+ OPEN_EXISTING, 0, NULL);
 if (stdout_write == INVALID_HANDLE_VALUE)
 {
 ReturnLastError(pipe, L"CreateFile for stdout");
@@ -3432,18 +3408,19 @@ RunOpenvpn(LPVOID p)
 }
 swprintf(ovpn_pipe_name, _countof(ovpn_pipe_name),
- L"\\\\.\\pipe\\" _L(PACKAGE) L"%ls\\service_%lu", service_instance, GetCurrentThreadId());
- ovpn_pipe = CreateNamedPipe(ovpn_pipe_name,
- PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE | FILE_FLAG_OVERLAPPED,
- PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT, 1, 128, 128, 0, NULL);
+ L"\\\\.\\pipe\\" _L(PACKAGE) L"%ls\\service_%lu", service_instance,
+ GetCurrentThreadId());
+ ovpn_pipe = CreateNamedPipe(
+ ovpn_pipe_name, PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE | FILE_FLAG_OVERLAPPED,
+ PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT, 1, 128, 128, 0, NULL);
 if (ovpn_pipe == INVALID_HANDLE_VALUE)
 {
 ReturnLastError(pipe, L"CreateNamedPipe");
 goto out;
 }
- svc_pipe = CreateFile(ovpn_pipe_name, GENERIC_READ | GENERIC_WRITE, 0,
- &inheritable, OPEN_EXISTING, 0, NULL);
+ svc_pipe = CreateFile(ovpn_pipe_name, GENERIC_READ | GENERIC_WRITE, 0, &inheritable,
+ OPEN_EXISTING, 0, NULL);
 if (svc_pipe == INVALID_HANDLE_VALUE)
 {
 ReturnLastError(pipe, L"CreateFile");
@@ -3467,8 +3444,8 @@ RunOpenvpn(LPVOID p)
 /* there seem to be no common printf specifier that works on all
 * mingw/msvc platforms without trickery, so convert to void* and use
 * PRIuPTR to print that as best compromise */
- swprintf(cmdline, cmdline_size, L"openvpn %ls --msg-channel %" PRIuPTR,
- sud.options, (uintptr_t)svc_pipe);
+ swprintf(cmdline, cmdline_size, L"openvpn %ls --msg-channel %" PRIuPTR, sud.options,
+ (uintptr_t)svc_pipe);
 if (!CreateEnvironmentBlock(&user_env, imp_token, FALSE))
 {
@@ -3527,7 +3504,10 @@ RunOpenvpn(LPVOID p)
 if (bytes > sizeof(pipe_message_t))
 {
 /* process at the other side of the pipe is misbehaving, shut it down */
- MsgToEventLog(MSG_FLAGS_ERROR, L"OpenVPN process sent too large payload length to the pipe (%lu bytes), it will be terminated", bytes);
+ MsgToEventLog(
+ MSG_FLAGS_ERROR,
+ L"OpenVPN process sent too large payload length to the pipe (%lu bytes), it will be terminated",
+ bytes);
 break;
 }
@@ -3543,8 +3523,7 @@ RunOpenvpn(LPVOID p)
 else if (exit_code != 0)
 {
 WCHAR buf[256];
- swprintf(buf, _countof(buf),
- L"OpenVPN exited with error: exit code = %lu", exit_code);
+ swprintf(buf, _countof(buf), L"OpenVPN exited with error: exit code = %lu", exit_code);
 ReturnError(pipe, ERROR_OPENVPN_STARTUP, buf, 1, &exit_event);
 }
 Undo(&undo_lists);
@@ -3607,17 +3586,19 @@ CreateClientPipeInstance(VOID)
 * allow read/write for authenticated users
 * deny all access to anonymous
 */
- const WCHAR *sddlString = L"D:(A;OICI;GA;;;S-1-5-18)(D;OICI;0x4;;;S-1-1-0)(A;OICI;GRGW;;;S-1-5-11)(D;;GA;;;S-1-5-7)";
+ const WCHAR *sddlString =
+ L"D:(A;OICI;GA;;;S-1-5-18)(D;OICI;0x4;;;S-1-1-0)(A;OICI;GRGW;;;S-1-5-11)(D;;GA;;;S-1-5-7)";
 PSECURITY_DESCRIPTOR sd = NULL;
- if (!ConvertStringSecurityDescriptorToSecurityDescriptor(sddlString, SDDL_REVISION_1, &sd, NULL))
+ if (!ConvertStringSecurityDescriptorToSecurityDescriptor(sddlString, SDDL_REVISION_1, &sd,
+ NULL))
 {
 MsgToEventLog(M_SYSERR, L"ConvertStringSecurityDescriptorToSecurityDescriptor failed.");
 return INVALID_HANDLE_VALUE;
 }
 /* Set up SECURITY_ATTRIBUTES */
- SECURITY_ATTRIBUTES sa = {0};
+ SECURITY_ATTRIBUTES sa = { 0 };
 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
 sa.lpSecurityDescriptor = sd;
 sa.bInheritHandle = FALSE;
@@ -3631,11 +3612,13 @@ CreateClientPipeInstance(VOID)
 first = FALSE;
 }
- WCHAR pipe_name[256]; /* The entire pipe name string can be up to 256 characters long according to MSDN. */
- swprintf(pipe_name, _countof(pipe_name), L"\\\\.\\pipe\\" _L(PACKAGE) L"%ls\\service", service_instance);
- HANDLE pipe = CreateNamedPipe(pipe_name, flags,
- PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_REJECT_REMOTE_CLIENTS,
- PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, &sa);
+ WCHAR pipe_name[256]; /* The entire pipe name string can be up to 256 characters long according
+ to MSDN. */
+ swprintf(pipe_name, _countof(pipe_name), L"\\\\.\\pipe\\" _L(PACKAGE) L"%ls\\service",
+ service_instance);
+ HANDLE pipe = CreateNamedPipe(
+ pipe_name, flags, PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_REJECT_REMOTE_CLIENTS,
+ PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, &sa);
 LocalFree(sd);
@@ -3650,8 +3633,8 @@ CreateClientPipeInstance(VOID)
 static DWORD
-UpdateWaitHandles(LPHANDLE *handles_ptr, LPDWORD count,
- HANDLE io_event, HANDLE exit_event, list_item_t *threads)
+UpdateWaitHandles(LPHANDLE *handles_ptr, LPDWORD count, HANDLE io_event, HANDLE exit_event,
+ list_item_t *threads)
 {
 static DWORD size = 10;
 static LPHANDLE handles = NULL;
@@ -3762,7 +3745,8 @@ ServiceStartInteractive(DWORD dwArgc, LPWSTR *lpszArgv)
 PHANDLE handles = NULL;
 DWORD handle_count;
- service = RegisterServiceCtrlHandlerEx(interactive_service.name, ServiceCtrlInteractive, &status);
+ service =
+ RegisterServiceCtrlHandlerEx(interactive_service.name, ServiceCtrlInteractive, &status);
 if (!service)
 {
 return;
@@ -3817,8 +3801,7 @@ ServiceStartInteractive(DWORD dwArgc, LPWSTR *lpszArgv)
 while (TRUE)
 {
- if (ConnectNamedPipe(pipe, &overlapped) == FALSE
- && GetLastError() != ERROR_PIPE_CONNECTED
+ if (ConnectNamedPipe(pipe, &overlapped) == FALSE && GetLastError() != ERROR_PIPE_CONNECTED
 && GetLastError() != ERROR_IO_PENDING)
 {
 MsgToEventLog(M_SYSERR, L"Could not connect pipe");
@@ -3836,11 +3819,13 @@ ServiceStartInteractive(DWORD dwArgc, LPWSTR *lpszArgv)
 error = AddListItem(&threads, thread);
 if (!error)
 {
- error = UpdateWaitHandles(&handles, &handle_count, io_event, exit_event, threads);
+ error =
+ UpdateWaitHandles(&handles, &handle_count, io_event, exit_event, threads);
 }
 if (error)
 {
- ReturnError(pipe, error, L"Insufficient resources to service new clients", 1, &exit_event);
+ ReturnError(pipe, error, L"Insufficient resources to service new clients", 1,
+ &exit_event);
 /* Update wait handles again after removing the last worker thread */
 RemoveListItem(&threads, CmpHandle, thread);
 UpdateWaitHandles(&handles, &handle_count, io_event, exit_event, threads);
diff --git a/src/openvpnserv/service.c b/src/openvpnserv/service.c
index a76dce755..04b20d7b8 100644
--- a/src/openvpnserv/service.c
+++ b/src/openvpnserv/service.c
@@ -33,8 +33,7 @@ ReportStatusToSCMgr(SERVICE_STATUS_HANDLE service, SERVICE_STATUS *status)
 status->dwControlsAccepted = SERVICE_ACCEPT_STOP;
 }
- if (status->dwCurrentState == SERVICE_RUNNING
- || status->dwCurrentState == SERVICE_STOPPED)
+ if (status->dwCurrentState == SERVICE_RUNNING || status->dwCurrentState == SERVICE_STOPPED)
 {
 status->dwCheckPoint = 0;
 }
@@ -79,16 +78,10 @@ CmdInstallServices(void)
 for (i = 0; i < _service_max; i++)
 {
- service = CreateService(svc_ctl_mgr,
- openvpn_service[i].name,
- openvpn_service[i].display_name,
- SERVICE_QUERY_STATUS,
- SERVICE_WIN32_SHARE_PROCESS,
- openvpn_service[i].start_type,
- SERVICE_ERROR_NORMAL,
- path, NULL, NULL,
- openvpn_service[i].dependencies,
- NULL, NULL);
+ service = CreateService(
+ svc_ctl_mgr, openvpn_service[i].name, openvpn_service[i].display_name,
+ SERVICE_QUERY_STATUS, SERVICE_WIN32_SHARE_PROCESS, openvpn_service[i].start_type,
+ SERVICE_ERROR_NORMAL, path, NULL, NULL, openvpn_service[i].dependencies, NULL, NULL);
 if (service)
 {
 wprintf(L"%ls installed.\n", openvpn_service[i].display_name);
@@ -163,8 +156,8 @@ CmdRemoveServices(void)
 for (i = 0; i < _service_max; i++)
 {
 openvpn_service_t *ovpn_svc = &openvpn_service[i];
- service = OpenService(svc_ctl_mgr, ovpn_svc->name,
- DELETE | SERVICE_STOP | SERVICE_QUERY_STATUS);
+ service =
+ OpenService(svc_ctl_mgr, ovpn_svc->name, DELETE | SERVICE_STOP | SERVICE_QUERY_STATUS);
 if (service == NULL)
 {
 wprintf(L"OpenService failed - %ls\n", GetLastErrorText());
@@ -228,15 +221,12 @@ wmain(int argc, WCHAR *argv[])
 * This is the default. */
 const SERVICE_TABLE_ENTRY dispatchTable_shared[] = {
- { interactive_service.name, ServiceStartInteractive },
- { NULL, NULL }
+ { interactive_service.name, ServiceStartInteractive }, { NULL, NULL }
 };
 /* Interactive service only (as a SERVICE_WIN32_OWN_PROCESS) */
- const SERVICE_TABLE_ENTRY dispatchTable_interactive[] = {
- { L"", ServiceStartInteractiveOwn },
- { NULL, NULL }
- };
+ const SERVICE_TABLE_ENTRY dispatchTable_interactive[] = { { L"", ServiceStartInteractiveOwn },
+ { NULL, NULL } };
 const SERVICE_TABLE_ENTRY *dispatchTable = dispatchTable_shared;
@@ -260,7 +250,7 @@ wmain(int argc, WCHAR *argv[])
 }
 else if (argc > i + 2 && _wcsicmp(L"instance", argv[i] + 1) == 0)
 {
- if (_wcsicmp(L"interactive", argv[i+1]) == 0)
+ if (_wcsicmp(L"interactive", argv[i + 1]) == 0)
 {
 dispatchTable = dispatchTable_interactive;
 service_instance = argv[i + 2];
@@ -268,22 +258,28 @@ wmain(int argc, WCHAR *argv[])
 }
 else
 {
- MsgToEventLog(M_ERR, L"Invalid argument to -instance <%s>. Service not started.", argv[i+1]);
+ MsgToEventLog(M_ERR,
+ L"Invalid argument to -instance <%s>. Service not started.",
+ argv[i + 1]);
 return 1;
 }
 }
 else
 {
 wprintf(L"%ls -install to install the interactive service\n", APPNAME);
- wprintf(L"%ls -start [name] to start the service (name = \"interactive\") is optional\n", APPNAME);
+ wprintf(
+ L"%ls -start [name] to start the service (name = \"interactive\") is optional\n",
+ APPNAME);
 wprintf(L"%ls -remove to remove the service\n", APPNAME);
 wprintf(L"\nService run-time parameters:\n");
 wprintf(L"-instance interactive \n"
 L" Runs the service as an alternate instance.\n"
 L" The service settings will be loaded from\n"
- L" HKLM\\Software\\" _L(PACKAGE_NAME) L" registry key, and the service will accept\n"
- L" requests on \\\\.\\pipe\\" _L(PACKAGE) L"\\service named pipe.\n");
+ L" HKLM\\Software\\" _L(
+ PACKAGE_NAME) L" registry key, and the service will accept\n"
+ L" requests on \\\\.\\pipe\\" _L(
+ PACKAGE) L"\\service named pipe.\n");
 return 0;
 }
diff --git a/src/openvpnserv/service.h b/src/openvpnserv/service.h
index 8989e60bd..3d3b82b5d 100644
--- a/src/openvpnserv/service.h
+++ b/src/openvpnserv/service.h
@@ -33,24 +33,26 @@
 #include
 #include "../tapctl/basic.h"
-#define APPNAME _L(PACKAGE) L"serv"
-#define SERVICE_DEPENDENCIES _L(TAP_WIN_COMPONENT_ID) L"\0Dhcp\0\0"
+#define APPNAME _L(PACKAGE) L"serv"
+#define SERVICE_DEPENDENCIES _L(TAP_WIN_COMPONENT_ID) L"\0Dhcp\0\0"
 /*
 * Message handling
 */
-#define MSG_FLAGS_ERROR (1<<0)
-#define MSG_FLAGS_SYS_CODE (1<<1)
-#define M_INFO (0) /* informational */
-#define M_SYSERR (MSG_FLAGS_ERROR|MSG_FLAGS_SYS_CODE) /* error + system code */
-#define M_ERR (MSG_FLAGS_ERROR) /* error */
+#define MSG_FLAGS_ERROR (1 << 0)
+#define MSG_FLAGS_SYS_CODE (1 << 1)
+#define M_INFO (0) /* informational */
+#define M_SYSERR (MSG_FLAGS_ERROR | MSG_FLAGS_SYS_CODE) /* error + system code */
+#define M_ERR (MSG_FLAGS_ERROR) /* error */
-typedef enum {
+typedef enum
+{
 interactive,
 _service_max
 } openvpn_service_type;
-typedef struct {
+typedef struct
+{
 openvpn_service_type type;
 WCHAR *name;
 WCHAR *display_name;
@@ -59,7 +61,8 @@ typedef struct {
 } openvpn_service_t;
 #define MAX_NAME 256
-typedef struct {
+typedef struct
+{
 WCHAR exe_path[MAX_PATH];
 WCHAR config_dir[MAX_PATH];
 WCHAR bin_dir[MAX_PATH];
diff --git a/src/openvpnserv/validate.c b/src/openvpnserv/validate.c
index 6ed5bea21..59d5b86ea 100644
--- a/src/openvpnserv/validate.c
+++ b/src/openvpnserv/validate.c
@@ -26,8 +26,7 @@
 #include
 #include
-static const WCHAR *white_list[] =
-{
+static const WCHAR *white_list[] = {
 L"auth-retry",
 L"config",
 L"log",
@@ -46,7 +45,7 @@ static const WCHAR *white_list[] =
 L"pull-filter",
 L"script-security",
- NULL /* last value */
+ NULL /* last value */
 };
 static BOOL IsUserInGroup(PSID sid, const PTOKEN_GROUPS groups, const WCHAR *group_name);
@@ -65,7 +64,7 @@ CheckConfigPath(const WCHAR *workdir, const WCHAR *fname, const settings_t *s)
 const WCHAR *config_dir = NULL;
 /* convert fname to full path */
- if (PathIsRelativeW(fname) )
+ if (PathIsRelativeW(fname))
 {
 swprintf(tmp, _countof(tmp), L"%ls\\%ls", workdir, fname);
 config_file = tmp;
@@ -128,7 +127,7 @@ GetBuiltinAdminGroupName(WCHAR *name, DWORD nlen)
 return FALSE;
 }
- b = CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size);
+ b = CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size);
 if (b)
 {
 b = LookupAccountSidW(NULL, admin_sid, name, &nlen, domain, &dlen, &snu);
@@ -140,7 +139,8 @@ GetBuiltinAdminGroupName(WCHAR *name, DWORD nlen)
 }
 BOOL
-IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group, const WCHAR *ovpn_service_user)
+IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group,
+ const WCHAR *ovpn_service_user)
 {
 const WCHAR *admin_group[2];
 WCHAR username[MAX_NAME];
@@ -171,7 +171,8 @@ IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group, co
 }
 else
 {
- MsgToEventLog(M_SYSERR, L"Failed to get the name of Administrators group. Using the default.");
+ MsgToEventLog(M_SYSERR,
+ L"Failed to get the name of Administrators group. Using the default.");
 /* use the default value */
 admin_group[0] = SYSTEM_ADMIN_GROUP;
 }
@@ -183,7 +184,8 @@ IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group, co
 ret = IsUserInGroup(sid, token_groups, admin_group[i]);
 if (ret)
 {
- MsgToEventLog(M_INFO, L"Authorizing user '%ls@%ls' by virtue of membership in group '%ls'",
+ MsgToEventLog(M_INFO,
+ L"Authorizing user '%ls@%ls' by virtue of membership in group '%ls'",
 username, domain, admin_group[i]);
 goto out;
 }
@@ -265,11 +267,11 @@ IsUserInGroup(PSID sid, const PTOKEN_GROUPS token_groups, const WCHAR *group_nam
 int nloop = 0; /* a counter used to not get stuck in the do .. while() */
 /* first check in the token groups */
- if (token_groups && LookupSID(group_name, (PSID) grp_sid, _countof(grp_sid)))
+ if (token_groups && LookupSID(group_name, (PSID)grp_sid, _countof(grp_sid)))
 {
 for (DWORD i = 0; i < token_groups->GroupCount; ++i)
 {
- if (EqualSid((PSID) grp_sid, token_groups->Groups[i].Sid))
+ if (EqualSid((PSID)grp_sid, token_groups->Groups[i].Sid))
 {
 return TRUE;
 }
@@ -285,8 +287,8 @@ IsUserInGroup(PSID sid, const PTOKEN_GROUPS token_groups, const WCHAR *group_nam
 {
 DWORD nread, nmax;
 LOCALGROUP_MEMBERS_INFO_0 *members = NULL;
- err = NetLocalGroupGetMembers(NULL, group_name, 0, (LPBYTE *) &members,
- MAX_PREFERRED_LENGTH, &nread, &nmax, &resume);
+ err = NetLocalGroupGetMembers(NULL, group_name, 0, (LPBYTE *)&members, MAX_PREFERRED_LENGTH,
+ &nread, &nmax, &resume);
 if ((err != NERR_Success && err != ERROR_MORE_DATA))
 {
 break;
@@ -319,16 +321,13 @@ CheckOption(const WCHAR *workdir, int argc, WCHAR *argv[], const settings_t *s)
 {
 /* Do not modify argv or *argv -- ideally it should be const WCHAR *const *, but alas...*/
- if (wcscmp(argv[0], L"--config") == 0
- && argc > 1
- && !CheckConfigPath(workdir, argv[1], s)
- )
+ if (wcscmp(argv[0], L"--config") == 0 && argc > 1 && !CheckConfigPath(workdir, argv[1], s))
 {
 return FALSE;
 }
 /* option name starts at 2 characters from argv[i] */
- if (OptionLookup(argv[0] + 2, white_list) == -1) /* not found */
+ if (OptionLookup(argv[0] + 2, white_list) == -1) /* not found */
 {
 return FALSE;
 }
diff --git a/src/openvpnserv/validate.h b/src/openvpnserv/validate.h
index bde189250..6f3bf09f5 100644
--- a/src/openvpnserv/validate.h
+++ b/src/openvpnserv/validate.h
@@ -28,19 +28,20 @@
 /* Authorized groups who can use any options and config locations */
 #define SYSTEM_ADMIN_GROUP L"Administrators"
-#define OVPN_ADMIN_GROUP L"OpenVPN Administrators" /* may be set in HKLM\Software\OpenVPN\ovpn_admin_group */
-#define OVPN_SERVICE_USER L"OpenVPNService" /* may be set in HKLM\Software\OpenVPN\ovpn_service_user */
+#define OVPN_ADMIN_GROUP \
+ L"OpenVPN Administrators" /* may be set in HKLM\Software\OpenVPN\ovpn_admin_group */
+#define OVPN_SERVICE_USER \
+ L"OpenVPNService" /* may be set in HKLM\Software\OpenVPN\ovpn_service_user */
 /*
 * Check whether user is a member of Administrators group or
 * the group specified in ovpn_admin_group or
 * OpenVPN Virtual Service Account user
 */
-BOOL
-IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group, const WCHAR *ovpn_service_user);
+BOOL IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group,
+ const WCHAR *ovpn_service_user);
-BOOL
-CheckOption(const WCHAR *workdir, int narg, WCHAR *argv[], const settings_t *s);
+BOOL CheckOption(const WCHAR *workdir, int narg, WCHAR *argv[], const settings_t *s);
 static inline BOOL
 IsOption(const WCHAR *o)
diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index bff476722..15169ca57 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ b/src/plugins/auth-pam/auth-pam.c
@@ -99,12 +99,14 @@ struct auth_pam_context
 #define N_NAME_VALUE 16
-struct name_value {
+struct name_value
+{
 const char *name;
 const char *value;
 };
-struct name_value_list {
+struct name_value_list
+{
 int len;
 struct name_value data[N_NAME_VALUE];
 };
@@ -113,7 +115,8 @@ struct name_value_list {
 * Used to pass the username/password
 * to the PAM conversation function.
 */
-struct user_pass {
+struct user_pass
+{
 int verb;
 char username[128];
@@ -126,7 +129,8 @@ struct user_pass {
 };
 /* Background process function */
-static void pam_server(int fd, const char *service, int verb, const struct name_value_list *name_value_list);
+static void pam_server(int fd, const char *service, int verb,
+ const struct name_value_list *name_value_list);
 /*
@@ -152,11 +156,11 @@ recv_control(int fd)
 static int
 send_control(int fd, int code)
 {
- unsigned char c = (unsigned char) code;
+ unsigned char c = (unsigned char)code;
 const ssize_t size = write(fd, &c, sizeof(c));
 if (size == sizeof(c))
 {
- return (int) size;
+ return (int)size;
 }
 else
 {
@@ -171,7 +175,7 @@ recv_string(int fd, char *buffer, size_t len)
 {
 memset(buffer, 0, len);
 ssize_t size = read(fd, buffer, len);
- buffer[len-1] = 0;
+ buffer[len - 1] = 0;
 if (size >= 1)
 {
 return size;
@@ -220,7 +224,7 @@ daemonize(const char *envp[])
 #endif
 if (daemon(0, 0) < 0)
 {
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "daemonization failed");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "daemonization failed");
 }
 #if defined(__APPLE__) && defined(__clang__)
 #pragma clang diagnostic pop
@@ -321,11 +325,11 @@ split_scrv1_password(struct user_pass *up)
 }
 *resp++ = '\0';
- int n = plugin_base64_decode(pass, up->password, sizeof(up->password)-1);
+ int n = plugin_base64_decode(pass, up->password, sizeof(up->password) - 1);
 if (n >= 0)
 {
 up->password[n] = '\0';
- n = plugin_base64_decode(resp, up->response, sizeof(up->response)-1);
+ n = plugin_base64_decode(resp, up->response, sizeof(up->response) - 1);
 if (n >= 0)
 {
 up->response[n] = '\0';
@@ -353,8 +357,7 @@ out:
 }
 OPENVPN_EXPORT int
-openvpn_plugin_open_v3(const int v3structver,
- struct openvpn_plugin_args_open_in const *args,
+openvpn_plugin_open_v3(const int v3structver, struct openvpn_plugin_args_open_in const *args,
 struct openvpn_plugin_args_open_return *ret)
 {
 pid_t pid;
@@ -371,14 +374,15 @@ openvpn_plugin_open_v3(const int v3structver,
 /* Check API compatibility -- struct version 5 or higher needed */
 if (v3structver < 5)
 {
- fprintf(stderr, "AUTH-PAM: This plugin is incompatible with the running version of OpenVPN\n");
+ fprintf(stderr,
+ "AUTH-PAM: This plugin is incompatible with the running version of OpenVPN\n");
 return OPENVPN_PLUGIN_FUNC_ERROR;
 }
 /*
 * Allocate our context
 */
- context = (struct auth_pam_context *) calloc(1, sizeof(struct auth_pam_context));
+ context = (struct auth_pam_context *)calloc(1, sizeof(struct auth_pam_context));
 if (!context)
 {
 goto error;
@@ -426,7 +430,7 @@ openvpn_plugin_open_v3(const int v3structver,
 {
 const int base = base_parms + i * 2;
 name_value_list.data[i].name = argv[base];
- name_value_list.data[i].value = argv[base+1];
+ name_value_list.data[i].value = argv[base + 1];
 }
 }
@@ -447,7 +451,7 @@ openvpn_plugin_open_v3(const int v3structver,
 */
 if (socketpair(PF_UNIX, SOCK_DGRAM, 0, fd) == -1)
 {
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "socketpair call failed");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "socketpair call failed");
 goto error;
 }
@@ -473,7 +477,8 @@ openvpn_plugin_open_v3(const int v3structver,
 /* don't let future subprocesses inherit child socket */
 if (fcntl(fd[0], F_SETFD, FD_CLOEXEC) < 0)
 {
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "Set FD_CLOEXEC flag on socket file descriptor failed");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE,
+ "Set FD_CLOEXEC flag on socket file descriptor failed");
 }
 /* wait for background child process to initialize */
@@ -481,8 +486,8 @@ openvpn_plugin_open_v3(const int v3structver,
 if (status == RESPONSE_INIT_SUCCEEDED)
 {
 context->foreground_fd = fd[0];
- ret->handle = (openvpn_plugin_handle_t *) context;
- plugin_log( PLOG_NOTE, MODULE, "initialization succeeded (fg)" );
+ ret->handle = (openvpn_plugin_handle_t *)context;
+ plugin_log(PLOG_NOTE, MODULE, "initialization succeeded (fg)");
 return OPENVPN_PLUGIN_FUNC_SUCCESS;
 }
 }
@@ -518,9 +523,10 @@ error:
 }
 OPENVPN_EXPORT int
-openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
+openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[],
+ const char *envp[])
 {
- struct auth_pam_context *context = (struct auth_pam_context *) handle;
+ struct auth_pam_context *context = (struct auth_pam_context *)handle;
 if (type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY && context->foreground_fd >= 0)
 {
@@ -549,8 +555,7 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const cha
 {
 if (DEBUG(context->verb))
 {
- plugin_log(PLOG_NOTE, MODULE, "do deferred auth '%s'",
- auth_control_file);
+ plugin_log(PLOG_NOTE, MODULE, "do deferred auth '%s'", auth_control_file);
 }
 }
 else
@@ -567,7 +572,8 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const cha
 || send_string(context->foreground_fd, auth_control_file) == -1
 || send_string(context->foreground_fd, remote) == -1)
 {
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "Error sending auth info to background process");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE,
+ "Error sending auth info to background process");
 }
 else
 {
@@ -586,7 +592,8 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const cha
 }
 if (status == -1)
 {
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "Error receiving auth confirmation from background process");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE,
+ "Error receiving auth confirmation from background process");
 }
 }
 }
@@ -597,7 +604,7 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const cha
 OPENVPN_EXPORT void
 openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)
 {
- struct auth_pam_context *context = (struct auth_pam_context *) handle;
+ struct auth_pam_context *context = (struct auth_pam_context *)handle;
 if (DEBUG(context->verb))
 {
@@ -609,7 +616,7 @@ openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)
 /* tell background process to exit */
 if (send_control(context->foreground_fd, COMMAND_EXIT) == -1)
 {
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "Error signaling background process to exit");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "Error signaling background process to exit");
 }
 /* wait for background process to exit */
@@ -628,7 +635,7 @@ openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)
 OPENVPN_EXPORT void
 openvpn_plugin_abort_v1(openvpn_plugin_handle_t handle)
 {
- struct auth_pam_context *context = (struct auth_pam_context *) handle;
+ struct auth_pam_context *context = (struct auth_pam_context *)handle;
 /* tell background process to exit */
 if (context && context->foreground_fd >= 0)
@@ -643,10 +650,10 @@ openvpn_plugin_abort_v1(openvpn_plugin_handle_t handle)
 * PAM conversation function
 */
 static int
-my_conv(int num_msg, const struct pam_message **msg_array,
- struct pam_response **response_array, void *appdata_ptr)
+my_conv(int num_msg, const struct pam_message **msg_array, struct pam_response **response_array,
+ void *appdata_ptr)
 {
- const struct user_pass *up = ( const struct user_pass *) appdata_ptr;
+ const struct user_pass *up = (const struct user_pass *)appdata_ptr;
 struct pam_response *aresp;
 int ret = PAM_SUCCESS;
@@ -670,10 +677,8 @@ my_conv(int num_msg, const struct pam_message **msg_array,
 if (DEBUG(up->verb))
 {
- plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: my_conv[%d] query='%s' style=%d",
- i,
- msg->msg ? msg->msg : "NULL",
- msg->msg_style);
+ plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: my_conv[%d] query='%s' style=%d", i,
+ msg->msg ? msg->msg : "NULL", msg->msg_style);
 }
 if (up->name_value_list && up->name_value_list->len > 0)
@@ -695,10 +700,10 @@ my_conv(int num_msg, const struct pam_message **msg_array,
 if (DEBUG(up->verb))
 {
- plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: name match found, query/match-string ['%s', '%s'] = '%s'",
- msg->msg,
- match_name,
- match_value);
+ plugin_log(
+ PLOG_NOTE, MODULE,
+ "BACKGROUND: name match found, query/match-string ['%s', '%s'] = '%s'",
+ msg->msg, match_name, match_value);
 }
 if (strstr(match_value, "USERNAME"))
@@ -711,7 +716,8 @@ my_conv(int num_msg, const struct pam_message **msg_array,
 }
 else if (strstr(match_value, "COMMONNAME"))
 {
- aresp[i].resp = searchandreplace(match_value, "COMMONNAME", up->common_name);
+ aresp[i].resp =
+ searchandreplace(match_value, "COMMONNAME", up->common_name);
 }
 else if (strstr(match_value, "OTP"))
 {
@@ -822,8 +828,7 @@ pam_auth(const char *service, const struct user_pass *up)
 if (!ret)
 {
 plugin_log(PLOG_ERR, MODULE, "BACKGROUND: user '%s' failed to authenticate: %s",
- up->username,
- pam_strerror(pamh, status));
+ up->username, pam_strerror(pamh, status));
 }
 /* Close PAM */
@@ -844,12 +849,12 @@ pam_auth(const char *service, const struct user_pass *up)
 */
 static void
-do_deferred_pam_auth(int fd, const char *ac_file_name,
- const char *service, const struct user_pass *up)
+do_deferred_pam_auth(int fd, const char *ac_file_name, const char *service,
+ const struct user_pass *up)
 {
 if (send_control(fd, RESPONSE_DEFER) == -1)
 {
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: write error on response socket [4]");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "BACKGROUND: write error on response socket [4]");
 return;
 }
@@ -858,52 +863,50 @@ do_deferred_pam_auth(int fd, const char *ac_file_name,
 if (p1 < 0)
 {
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: fork(1) failed");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "BACKGROUND: fork(1) failed");
 return;
 }
- if (p1 != 0) /* parent */
+ if (p1 != 0) /* parent */
 {
 waitpid(p1, NULL, 0);
- return; /* parent's job succeeded */
+ return; /* parent's job succeeded */
 }
 /* child */
- close(fd); /* socketpair no longer needed */
+ close(fd); /* socketpair no longer needed */
 pid_t p2 = fork();
 if (p2 < 0)
 {
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: fork(2) failed");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "BACKGROUND: fork(2) failed");
 exit(1);
 }
- if (p2 != 0) /* new parent: exit right away */
+ if (p2 != 0) /* new parent: exit right away */
 {
 exit(0);
 }
 /* grandchild */
- plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: deferred auth for '%s', pid=%d",
- up->username, (int) getpid() );
+ plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: deferred auth for '%s', pid=%d", up->username,
+ (int)getpid());
 /* the rest is very simple: do PAM, write status byte to file, done */
- int ac_fd = open( ac_file_name, O_WRONLY );
+ int ac_fd = open(ac_file_name, O_WRONLY);
 if (ac_fd < 0)
 {
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "cannot open '%s' for writing",
- ac_file_name );
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "cannot open '%s' for writing", ac_file_name);
 exit(1);
 }
 int pam_success = pam_auth(service, up);
- if (write( ac_fd, pam_success ? "1" : "0", 1 ) != 1)
+ if (write(ac_fd, pam_success ? "1" : "0", 1) != 1)
 {
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "cannot write to '%s'",
- ac_file_name );
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "cannot write to '%s'", ac_file_name);
 }
 close(ac_fd);
- plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: %s: deferred auth: PAM %s",
- up->username, pam_success ? "succeeded" : "rejected" );
+ plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: %s: deferred auth: PAM %s", up->username,
+ pam_success ? "succeeded" : "rejected");
 exit(0);
 }
@@ -934,7 +937,8 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
 */
 if (!dlopen_pam(pam_so))
 {
- plugin_log(PLOG_ERR, MODULE, "BACKGROUND: could not load PAM lib %s: %s", pam_so, dlerror());
+ plugin_log(PLOG_ERR, MODULE, "BACKGROUND: could not load PAM lib %s: %s", pam_so,
+ dlerror());
 send_control(fd, RESPONSE_INIT_FAILED);
 goto done;
 }
@@ -945,7 +949,7 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
 */
 if (send_control(fd, RESPONSE_INIT_SUCCEEDED) == -1)
 {
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: write error on response socket [1]");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "BACKGROUND: write error on response socket [1]");
 goto done;
 }
@@ -977,7 +981,8 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
 || recv_string(fd, ac_file_name, sizeof(ac_file_name)) == -1
 || recv_string(fd, up.remote, sizeof(up.remote)) == -1)
 {
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: read error on command channel: code=%d, exiting",
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE,
+ "BACKGROUND: read error on command channel: code=%d, exiting",
 command);
 goto done;
 }
@@ -1012,7 +1017,8 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
 {
 if (send_control(fd, RESPONSE_VERIFY_SUCCEEDED) == -1)
 {
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: write error on response socket [2]");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE,
+ "BACKGROUND: write error on response socket [2]");
 goto done;
 }
 }
@@ -1020,7 +1026,8 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
 {
 if (send_control(fd, RESPONSE_VERIFY_FAILED) == -1)
 {
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: write error on response socket [3]");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE,
+ "BACKGROUND: write error on response socket [3]");
 goto done;
 }
 }
@@ -1031,7 +1038,8 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
 goto done;
 case -1:
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: read error on command channel");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE,
+ "BACKGROUND: read error on command channel");
 goto done;
 default:
diff --git a/src/plugins/auth-pam/pamdl.c b/src/plugins/auth-pam/pamdl.c
index 02ea71a48..c1ecfa09e 100644
--- a/src/plugins/auth-pam/pamdl.c
+++ b/src/plugins/auth-pam/pamdl.c
@@ -19,14 +19,20 @@
 static void *libpam_h = NULL;
-#define RESOLVE_PAM_FUNCTION(x, y, z, err) \
- { \
- union { const void *tpointer; y(*fn) z; } fptr; \
- fptr.tpointer = dlsym(libpam_h, #x); real_ ## x = fptr.fn; \
- if (real_ ## x == NULL) { \
+#define RESOLVE_PAM_FUNCTION(x, y, z, err) \
+ { \
+ union \
+ { \
+ const void *tpointer; \
+ y(*fn) z; \
+ } fptr; \
+ fptr.tpointer = dlsym(libpam_h, #x); \
+ real_##x = fptr.fn; \
+ if (real_##x == NULL) \
+ { \
 fprintf(stderr, "PAMDL: unable to resolve '%s': %s\n", #x, dlerror()); \
- return err; \
- } \
+ return err; \
+ } \
 }
@@ -34,7 +40,7 @@ dlopen_pam(const char *so)
 {
 if (libpam_h == NULL)
 {
- libpam_h = dlopen(so, RTLD_GLOBAL|RTLD_NOW);
+ libpam_h = dlopen(so, RTLD_GLOBAL | RTLD_NOW);
 }
 return libpam_h != NULL;
 }
@@ -50,16 +56,13 @@ dlclose_pam(void)
 }
 int
-pam_start(const char *service_name, const char *user,
- const struct pam_conv *pam_conversation,
+pam_start(const char *service_name, const char *user, const struct pam_conv *pam_conversation,
 pam_handle_t **pamh)
 {
- int (*real_pam_start)(const char *, const char *,
- const struct pam_conv *,
- pam_handle_t **);
- RESOLVE_PAM_FUNCTION(pam_start, int, (const char *, const char *,
- const struct pam_conv *,
- pam_handle_t **), PAM_ABORT);
+ int (*real_pam_start)(const char *, const char *, const struct pam_conv *, pam_handle_t **);
+ RESOLVE_PAM_FUNCTION(pam_start, int,
+ (const char *, const char *, const struct pam_conv *, pam_handle_t **),
+ PAM_ABORT);
 return real_pam_start(service_name, user, pam_conversation, pamh);
 }
@@ -75,8 +78,7 @@ int
 pam_set_item(pam_handle_t *pamh, int item_type, const void *item)
 {
 int (*real_pam_set_item)(pam_handle_t *, int, const void *);
- RESOLVE_PAM_FUNCTION(pam_set_item, int,
- (pam_handle_t *, int, const void *), PAM_ABORT);
+ RESOLVE_PAM_FUNCTION(pam_set_item, int, (pam_handle_t *, int, const void *), PAM_ABORT);
 return real_pam_set_item(pamh, item_type, item);
 }
@@ -84,9 +86,7 @@ int
 pam_get_item(const pam_handle_t *pamh, int item_type, const void **item)
 {
 int (*real_pam_get_item)(const pam_handle_t *, int, const void **);
- RESOLVE_PAM_FUNCTION(pam_get_item, int,
- (const pam_handle_t *, int, const void **),
- PAM_ABORT);
+ RESOLVE_PAM_FUNCTION(pam_get_item, int, (const pam_handle_t *, int, const void **), PAM_ABORT);
 return real_pam_get_item(pamh, item_type, item);
 }
@@ -94,8 +94,7 @@ int
 pam_fail_delay(pam_handle_t *pamh, unsigned int musec_delay)
 {
 int (*real_pam_fail_delay)(pam_handle_t *, unsigned int);
- RESOLVE_PAM_FUNCTION(pam_fail_delay, int, (pam_handle_t *, unsigned int),
- PAM_ABORT);
+ RESOLVE_PAM_FUNCTION(pam_fail_delay, int, (pam_handle_t *, unsigned int), PAM_ABORT);
 return real_pam_fail_delay(pamh, musec_delay);
 }
@@ -105,8 +104,7 @@ const_char_pointer
 pam_strerror(pam_handle_t *pamh, int errnum)
 {
 const_char_pointer (*real_pam_strerror)(pam_handle_t *, int);
- RESOLVE_PAM_FUNCTION(pam_strerror, const_char_pointer,
- (pam_handle_t *, int), NULL);
+ RESOLVE_PAM_FUNCTION(pam_strerror, const_char_pointer, (pam_handle_t *, int), NULL);
 return real_pam_strerror(pamh, errnum);
 }
@@ -114,8 +112,7 @@ int
 pam_putenv(pam_handle_t *pamh, const char *name_value)
 {
 int (*real_pam_putenv)(pam_handle_t *, const char *);
- RESOLVE_PAM_FUNCTION(pam_putenv, int, (pam_handle_t *, const char *),
- PAM_ABORT);
+ RESOLVE_PAM_FUNCTION(pam_putenv, int, (pam_handle_t *, const char *), PAM_ABORT);
 return real_pam_putenv(pamh, name_value);
 }
@@ -123,8 +120,7 @@ const_char_pointer
 pam_getenv(pam_handle_t *pamh, const char *name)
 {
 const_char_pointer (*real_pam_getenv)(pam_handle_t *, const char *);
- RESOLVE_PAM_FUNCTION(pam_getenv, const_char_pointer,
- (pam_handle_t *, const char *), NULL);
+ RESOLVE_PAM_FUNCTION(pam_getenv, const_char_pointer, (pam_handle_t *, const char *), NULL);
 return real_pam_getenv(pamh, name);
 }
@@ -133,8 +129,7 @@ char_ppointer
 pam_getenvlist(pam_handle_t *pamh)
 {
 char_ppointer (*real_pam_getenvlist)(pam_handle_t *);
- RESOLVE_PAM_FUNCTION(pam_getenvlist, char_ppointer, (pam_handle_t *),
- NULL);
+ RESOLVE_PAM_FUNCTION(pam_getenvlist, char_ppointer, (pam_handle_t *), NULL);
 return real_pam_getenvlist(pamh);
 }
@@ -144,8 +139,7 @@ int
 pam_authenticate(pam_handle_t *pamh, int flags)
 {
 int (*real_pam_authenticate)(pam_handle_t *, int);
- RESOLVE_PAM_FUNCTION(pam_authenticate, int, (pam_handle_t *, int),
- PAM_ABORT);
+ RESOLVE_PAM_FUNCTION(pam_authenticate, int, (pam_handle_t *, int), PAM_ABORT);
 return real_pam_authenticate(pamh, flags);
 }
@@ -173,8 +167,7 @@ int
 pam_open_session(pam_handle_t *pamh, int flags)
 {
 int (*real_pam_open_session)(pam_handle_t *, int);
- RESOLVE_PAM_FUNCTION(pam_open_session, int, (pam_handle_t *, int),
- PAM_ABORT);
+ RESOLVE_PAM_FUNCTION(pam_open_session, int, (pam_handle_t *, int), PAM_ABORT);
 return real_pam_open_session(pamh, flags);
 }
@@ -182,8 +175,7 @@ int
 pam_close_session(pam_handle_t *pamh, int flags)
 {
 int (*real_pam_close_session)(pam_handle_t *, int);
- RESOLVE_PAM_FUNCTION(pam_close_session, int, (pam_handle_t *, int),
- PAM_ABORT);
+ RESOLVE_PAM_FUNCTION(pam_close_session, int, (pam_handle_t *, int), PAM_ABORT);
 return real_pam_close_session(pamh, flags);
 }
diff --git a/src/plugins/auth-pam/utils.c b/src/plugins/auth-pam/utils.c
index 6524051e0..0da162d29 100644
--- a/src/plugins/auth-pam/utils.c
+++ b/src/plugins/auth-pam/utils.c
@@ -55,7 +55,8 @@ searchandreplace(const char *tosearch, const char *searchfor, const char *replac
 return NULL;
 }
- bool is_potential_integer_overflow = (templen == SIZE_MAX) || (templen / tosearchlen != replacewithlen);
+ bool is_potential_integer_overflow =
+ (templen == SIZE_MAX) || (templen / tosearchlen != replacewithlen);
 if (is_potential_integer_overflow)
 {
@@ -67,7 +68,7 @@ searchandreplace(const char *tosearch, const char *searchfor, const char *replac
 const char *searching = tosearch;
 char *scratch;
- char temp[templen+1];
+ char temp[templen + 1];
 temp[0] = 0;
 scratch = strstr(searching, searchfor);
@@ -78,10 +79,10 @@ searchandreplace(const char *tosearch, const char *searchfor, const char *replac
 while (scratch)
 {
- strncat(temp, searching, (size_t)(scratch-searching));
+ strncat(temp, searching, (size_t)(scratch - searching));
 strcat(temp, replacewith);
- searching = scratch+strlen(searchfor);
+ searching = scratch + strlen(searchfor);
 scratch = strstr(searching, searchfor);
 }
 return strdup(temp);
diff --git a/src/plugins/auth-pam/utils.h b/src/plugins/auth-pam/utils.h
index 0b90aee47..a733febeb 100644
--- a/src/plugins/auth-pam/utils.h
+++ b/src/plugins/auth-pam/utils.h
@@ -34,11 +34,10 @@
 * @param searchfor needle to search for in the haystack
 * @param replacewith when a match is found, replace needle with this string
 *
- * @return Returns NULL when any parameter is NULL or the worst-case result is to large ( >= SIZE_MAX).
- * Otherwise it returns a pointer to a new buffer containing the modified input
+ * @return Returns NULL when any parameter is NULL or the worst-case result is to large ( >=
+ * SIZE_MAX). Otherwise it returns a pointer to a new buffer containing the modified input
 */
-char *
-searchandreplace(const char *tosearch, const char *searchfor, const char *replacewith);
+char *searchandreplace(const char *tosearch, const char *searchfor, const char *replacewith);
 /**
 * Given an environmental variable name, search
@@ -47,10 +46,10 @@ searchandreplace(const char *tosearch, const char *searchfor, const char *replac
 * @param name Environment variable to look up
 * @param envp Environment variable table with all key/value pairs
 *
- * @return Returns a pointer to the value of the environment variable if found, otherwise NULL is returned.
+ * @return Returns a pointer to the value of the environment variable if found, otherwise NULL is
+ * returned.
 */
-const char *
-get_env(const char *name, const char *envp[]);
+const char *get_env(const char *name, const char *envp[]);
 /**
 * Return the length of a string array
@@ -58,7 +57,6 @@ get_env(const char *name, const char *envp[]);
 * @param array Pointer to the array to calculate size of
 *
 */
-int
-string_array_len(const char *array[]);
+int string_array_len(const char *array[]);
 #endif
diff --git a/src/plugins/down-root/down-root.c b/src/plugins/down-root/down-root.c
index 5f595fdd0..da476fc8a 100644
--- a/src/plugins/down-root/down-root.c
+++ b/src/plugins/down-root/down-root.c
@@ -142,7 +142,7 @@ recv_control(int fd) static ssize_t send_control(int fd, int code) { - unsigned char c = (unsigned char) code; + unsigned char c = (unsigned char)code; const ssize_t size = write(fd, &c, sizeof(c)); if (size == sizeof(c)) { @@ -252,7 +252,7 @@ run_script(char *const *argv, char *const *envp) int ret = 0; pid = fork(); - if (pid == (pid_t)0) /* child side */ + if (pid == (pid_t)0) /* child side */ { execve(argv[0], argv, envp); /* If execve() fails to run, exit child with exit code 127 */ @@ -263,12 +263,13 @@ run_script(char *const *argv, char *const *envp) warn("DOWN-ROOT: Failed to fork child to run %s", argv[0]); return -1; } - else /* parent side */ + else /* parent side */ { if (waitpid(pid, &ret, 0) != pid) { /* waitpid does not return error information via errno */ - fprintf(stderr, "DOWN-ROOT: waitpid() failed, don't know exit code of child (%s)\n", argv[0]); + fprintf(stderr, "DOWN-ROOT: waitpid() failed, don't know exit code of child (%s)\n", + argv[0]); return -1; } } @@ -283,7 +284,7 @@ openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char * /* * Allocate our context */ - context = (struct down_root_context *) calloc(1, sizeof(struct down_root_context)); + context = (struct down_root_context *)calloc(1, sizeof(struct down_root_context)); if (!context) { warn("DOWN-ROOT: Could not allocate memory for plug-in context"); @@ -319,7 +320,7 @@ openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char * /* Ignore argv[0], as it contains just the plug-in file name */ for (int i = 1; i < string_array_len(argv); i++) { - context->command[i-1] = (char *) argv[i]; + context->command[i - 1] = (char *)argv[i]; } /* @@ -333,7 +334,7 @@ openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char * } } - return (openvpn_plugin_handle_t) context; + return (openvpn_plugin_handle_t)context; error: free_context(context); 
@@ -341,11 +342,13 @@ error: } OPENVPN_EXPORT int -openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[]) +openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[], + const char *envp[]) { - struct down_root_context *context = (struct down_root_context *) handle; + struct down_root_context *context = (struct down_root_context *)handle; - if (type == OPENVPN_PLUGIN_UP && context->foreground_fd == -1) /* fork off a process to hold onto root */ + if (type == OPENVPN_PLUGIN_UP + && context->foreground_fd == -1) /* fork off a process to hold onto root */ { pid_t pid; int fd[2]; @@ -409,7 +412,7 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const cha daemonize(envp); /* execute the event loop */ - down_root_server(fd[1], context->command, (char *const *) envp, context->verb); + down_root_server(fd[1], context->command, (char *const *)envp, context->verb); close(fd[1]); exit(0); @@ -431,7 +434,8 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const cha } if (status == -1) { - warn("DOWN-ROOT: Error receiving script execution confirmation from background process"); + warn( + "DOWN-ROOT: Error receiving script execution confirmation from background process"); } } } @@ -441,7 +445,7 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const cha OPENVPN_EXPORT void openvpn_plugin_close_v1(openvpn_plugin_handle_t handle) { - struct down_root_context *context = (struct down_root_context *) handle; + struct down_root_context *context = (struct down_root_context *)handle; if (DEBUG(context->verb)) { 
@@ -472,7 +476,7 @@ openvpn_plugin_close_v1(openvpn_plugin_handle_t handle) OPENVPN_EXPORT void openvpn_plugin_abort_v1(openvpn_plugin_handle_t handle) { - struct down_root_context *context = (struct down_root_context *) handle; + struct down_root_context *context = (struct down_root_context *)handle; if (context && context->foreground_fd >= 0) { @@ -525,7 +529,7 @@ down_root_server(const int fd, char *const *argv, char *const *envp, const int v switch (command_code) { case COMMAND_RUN_SCRIPT: - if ( (exit_code = run_script(argv, envp)) == 0) /* Succeeded */ + if ((exit_code = run_script(argv, envp)) == 0) /* Succeeded */ { if (send_control(fd, RESPONSE_SCRIPT_SUCCEEDED) == -1) { @@ -535,7 +539,8 @@ down_root_server(const int fd, char *const *argv, char *const *envp, const int v } else /* Failed */ { - fprintf(stderr, "DOWN-ROOT: BACKGROUND: %s exited with exit code %i\n", argv[0], exit_code); + fprintf(stderr, "DOWN-ROOT: BACKGROUND: %s exited with exit code %i\n", argv[0], + exit_code); if (send_control(fd, RESPONSE_SCRIPT_FAILED) == -1) { warn("DOWN-ROOT: BACKGROUND: write error on response socket [3]"); diff --git a/src/tapctl/basic.h b/src/tapctl/basic.h index 571ae6280..620c1caea 100644 --- a/src/tapctl/basic.h +++ b/src/tapctl/basic.h 
@@ -26,14 +26,16 @@ #define UNICODE #endif -#define PRIXGUID "{%08lX-%04hX-%04hX-%02hhX%02hhX-%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX}" -#define PRIGUID_PARAM(g) \ - (g).Data1, (g).Data2, (g).Data3, (g).Data4[0], (g).Data4[1], (g).Data4[2], (g).Data4[3], (g).Data4[4], (g).Data4[5], (g).Data4[6], (g).Data4[7] -#define PRIGUID_PARAM_REF(g) \ - &(g).Data1, &(g).Data2, &(g).Data3, &(g).Data4[0], &(g).Data4[1], &(g).Data4[2], &(g).Data4[3], &(g).Data4[4], &(g).Data4[5], &(g).Data4[6], &(g).Data4[7] +#define PRIXGUID "{%08lX-%04hX-%04hX-%02hhX%02hhX-%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX}" +#define PRIGUID_PARAM(g) \ + (g).Data1, (g).Data2, (g).Data3, (g).Data4[0], (g).Data4[1], (g).Data4[2], (g).Data4[3], \ + (g).Data4[4], (g).Data4[5], (g).Data4[6], (g).Data4[7] +#define PRIGUID_PARAM_REF(g) \ + &(g).Data1, &(g).Data2, &(g).Data3, &(g).Data4[0], &(g).Data4[1], &(g).Data4[2], \ + &(g).Data4[3], &(g).Data4[4], &(g).Data4[5], &(g).Data4[6], &(g).Data4[7] -#define __L(q) L ## q -#define _L(q) __L(q) +#define __L(q) L##q +#define _L(q) __L(q) #ifndef _In_ #define _In_ diff --git a/src/tapctl/error.h b/src/tapctl/error.h index 3da567419..fb24a611a 100644 --- a/src/tapctl/error.h +++ b/src/tapctl/error.h 
@@ -34,27 +34,27 @@ extern int x_msg_line_num; /* msg() flags */ -#define M_DEBUG_LEVEL (0x0F) /* debug level mask */ +#define M_DEBUG_LEVEL (0x0F) /* debug level mask */ -#define M_FATAL (1<<4) /* exit program */ -#define M_NONFATAL (1<<5) /* non-fatal error */ -#define M_WARN (1<<6) /* call syslog with LOG_WARNING */ -#define M_DEBUG (1<<7) +#define M_FATAL (1 << 4) /* exit program */ +#define M_NONFATAL (1 << 5) /* non-fatal error */ +#define M_WARN (1 << 6) /* call syslog with LOG_WARNING */ +#define M_DEBUG (1 << 7) -#define M_ERRNO (1<<8) /* show errno description */ +#define M_ERRNO (1 << 8) /* show errno description */ -#define M_NOMUTE (1<<11) /* don't do mute processing */ -#define M_NOPREFIX (1<<12) /* don't show date/time prefix */ -#define M_USAGE_SMALL (1<<13) /* fatal options error, call usage_small */ -#define M_MSG_VIRT_OUT (1<<14) /* output message through msg_status_output callback */ -#define M_OPTERR (1<<15) /* print "Options error:" prefix */ -#define M_NOLF (1<<16) /* don't print new line */ -#define M_NOIPREFIX (1<<17) /* don't print instance prefix */ +#define M_NOMUTE (1 << 11) /* don't do mute processing */ +#define M_NOPREFIX (1 << 12) /* don't show date/time prefix */ +#define M_USAGE_SMALL (1 << 13) /* fatal options error, call usage_small */ +#define M_MSG_VIRT_OUT (1 << 14) /* output message through msg_status_output callback */ +#define M_OPTERR (1 << 15) /* print "Options error:" prefix */ +#define M_NOLF (1 << 16) /* don't print new line */ +#define M_NOIPREFIX (1 << 17) /* don't print instance prefix */ /* flag combinations which are frequently used */ -#define M_ERR (M_FATAL | M_ERRNO) -#define M_USAGE (M_USAGE_SMALL | M_NOPREFIX | M_OPTERR) -#define M_CLIENT (M_MSG_VIRT_OUT | M_NOMUTE | M_NOIPREFIX) +#define M_ERR (M_FATAL | M_ERRNO) +#define M_USAGE (M_USAGE_SMALL | M_NOPREFIX | M_OPTERR) +#define M_CLIENT (M_MSG_VIRT_OUT | M_NOMUTE | M_NOIPREFIX) /** Check muting filter */ 
@@ -62,18 +62,42 @@ bool dont_mute(unsigned int flags); /* Macro to ensure (and teach static analysis tools) we exit on fatal errors */ #ifdef _MSC_VER -#pragma warning(disable: 4127) /* EXIT_FATAL(flags) macro raises "warning C4127: conditional expression is constant" on each non M_FATAL invocation. */ +#pragma warning(disable : 4127) /* EXIT_FATAL(flags) macro raises "warning C4127: conditional \ + expression is constant" on each non M_FATAL invocation. */ #endif -#define EXIT_FATAL(flags) do { if ((flags) & M_FATAL) {_exit(1);}} while (false) - -#define msg(flags, ...) do { if (msg_test(flags)) {x_msg((flags), __VA_ARGS__);} EXIT_FATAL(flags); } while (false) +#define EXIT_FATAL(flags) \ + do \ + { \ + if ((flags) & M_FATAL) \ + { \ + _exit(1); \ + } \ + } while (false) + +#define msg(flags, ...) \ + do \ + { \ + if (msg_test(flags)) \ + { \ + x_msg((flags), __VA_ARGS__); \ + } \ + EXIT_FATAL(flags); \ + } while (false) #ifdef ENABLE_DEBUG -#define dmsg(flags, ...) do { if (msg_test(flags)) {x_msg((flags), __VA_ARGS__);} EXIT_FATAL(flags); } while (false) +#define dmsg(flags, ...) \ + do \ + { \ + if (msg_test(flags)) \ + { \ + x_msg((flags), __VA_ARGS__); \ + } \ + EXIT_FATAL(flags); \ + } while (false) #else #define dmsg(flags, ...) #endif -void x_msg(const unsigned int flags, const char *format, ...); /* should be called via msg above */ +void x_msg(const unsigned int flags, const char *format, ...); /* should be called via msg above */ void x_msg_va(const unsigned int flags, const char *format, va_list arglist); diff --git a/src/tapctl/main.c b/src/tapctl/main.c index 0dec3033f..031e262f3 100644 --- a/src/tapctl/main.c +++ b/src/tapctl/main.c @@ -120,9 +120,7 @@ static const WCHAR usage_message_delete[] = static void usage(void) { - fwprintf(stderr, - usage_message, - title_string); + fwprintf(stderr, usage_message, title_string); } /** 
@@ -139,8 +137,10 @@ is_adapter_name_available(LPCWSTR name, struct tap_adapter_node *adapter_list, B { LPOLESTR adapter_id = NULL; StringFromIID((REFIID)&a->guid, &adapter_id); - fwprintf(stderr, L"Adapter \"%ls\" already exists (GUID %" - L"ls).\n", a->szName, adapter_id); + fwprintf(stderr, + L"Adapter \"%ls\" already exists (GUID %" + L"ls).\n", + a->szName, adapter_id); CoTaskMemFree(adapter_id); } @@ -204,8 +204,7 @@ get_unique_adapter_name(LPCWSTR hwid, struct tap_adapter_node *adapter_list) /** * Program entry point */ -int __cdecl -wmain(int argc, LPCWSTR argv[]) +int __cdecl wmain(int argc, LPCWSTR argv[]) { int iResult; BOOL bRebootRequired = FALSE; @@ -239,8 +238,10 @@ wmain(int argc, LPCWSTR argv[]) } else { - fwprintf(stderr, L"Unknown command \"%ls" - L"\". Please, use \"tapctl help\" to list supported commands.\n", argv[2]); + fwprintf(stderr, + L"Unknown command \"%ls" + L"\". Please, use \"tapctl help\" to list supported commands.\n", + argv[2]); } return 1; @@ -263,25 +264,24 @@ wmain(int argc, LPCWSTR argv[]) } else { - fwprintf(stderr, L"Unknown option \"%ls" - L"\". Please, use \"tapctl help create\" to list supported options. Ignored.\n", - argv[i]); + fwprintf( + stderr, + L"Unknown option \"%ls" + L"\". Please, use \"tapctl help create\" to list supported options. Ignored.\n", + argv[i]); } } /* Create TUN/TAP adapter. */ GUID guidAdapter; LPOLESTR szAdapterId = NULL; - DWORD dwResult = tap_create_adapter( - NULL, - L"Virtual Ethernet", - szHwId, - &bRebootRequired, - &guidAdapter); + DWORD dwResult = + tap_create_adapter(NULL, L"Virtual Ethernet", szHwId, &bRebootRequired, &guidAdapter); if (dwResult != ERROR_SUCCESS) { fwprintf(stderr, L"Creating TUN/TAP adapter failed (error 0x%x).\n", dwResult); - iResult = 1; goto quit; + iResult = 1; + goto quit; } /* Get existing network adapters. */ 
@@ -294,7 +294,8 @@ wmain(int argc, LPCWSTR argv[]) goto create_delete_adapter; } - LPWSTR adapter_name = szName ? wcsdup(szName) : get_unique_adapter_name(szHwId, pAdapterList); + LPWSTR adapter_name = + szName ? wcsdup(szName) : get_unique_adapter_name(szHwId, pAdapterList); if (adapter_name) { /* Check for duplicates when name was specified, @@ -310,11 +311,13 @@ wmain(int argc, LPCWSTR argv[]) if (dwResult != ERROR_SUCCESS) { StringFromIID((REFIID)&guidAdapter, &szAdapterId); - fwprintf(stderr, L"Renaming TUN/TAP adapter %ls" + fwprintf(stderr, + L"Renaming TUN/TAP adapter %ls" L" to \"%ls\" failed (error 0x%x).\n", szAdapterId, adapter_name, dwResult); CoTaskMemFree(szAdapterId); - iResult = 1; goto quit; + iResult = 1; + goto quit; } } @@ -334,21 +337,19 @@ create_cleanup_pAdapterList: fwprintf(stdout, L"%ls\n", szAdapterId); CoTaskMemFree(szAdapterId); - iResult = 0; goto quit; + iResult = 0; + goto quit; create_delete_adapter: - tap_delete_adapter( - NULL, - &guidAdapter, - &bRebootRequired); - iResult = 1; goto quit; + tap_delete_adapter(NULL, &guidAdapter, &bRebootRequired); + iResult = 1; + goto quit; } else if (wcsicmp(argv[1], L"list") == 0) { WCHAR szzHwId[0x100] = - L"root\\" _L(TAP_WIN_COMPONENT_ID) L"\0" - _L(TAP_WIN_COMPONENT_ID) L"\0" - L"ovpn-dco\0"; + L"root\\" _L(TAP_WIN_COMPONENT_ID) L"\0" _L(TAP_WIN_COMPONENT_ID) L"\0" + L"ovpn-dco\0"; /* Parse options. */ for (int i = 2; i < argc; i++) 
@@ -357,13 +358,17 @@ create_delete_adapter: { memset(szzHwId, 0, sizeof(szzHwId)); ++i; - memcpy_s(szzHwId, sizeof(szzHwId) - 2*sizeof(WCHAR) /*requires double zero termination*/, argv[i], wcslen(argv[i])*sizeof(WCHAR)); + memcpy_s(szzHwId, + sizeof(szzHwId) - 2 * sizeof(WCHAR) /*requires double zero termination*/, + argv[i], wcslen(argv[i]) * sizeof(WCHAR)); } else { - fwprintf(stderr, L"Unknown option \"%ls" - L"\". Please, use \"tapctl help list\" to list supported options. Ignored.\n", - argv[i]); + fwprintf( + stderr, + L"Unknown option \"%ls" + L"\". Please, use \"tapctl help list\" to list supported options. Ignored.\n", + argv[i]); } } @@ -373,15 +378,18 @@ create_delete_adapter: if (dwResult != ERROR_SUCCESS) { fwprintf(stderr, L"Enumerating TUN/TAP adapters failed (error 0x%x).\n", dwResult); - iResult = 1; goto quit; + iResult = 1; + goto quit; } for (struct tap_adapter_node *pAdapter = pAdapterList; pAdapter; pAdapter = pAdapter->pNext) { LPOLESTR szAdapterId = NULL; StringFromIID((REFIID)&pAdapter->guid, &szAdapterId); - fwprintf(stdout, L"%ls\t%" - L"ls\n", szAdapterId, pAdapter->szName); + fwprintf(stdout, + L"%ls\t%" + L"ls\n", + szAdapterId, pAdapter->szName); CoTaskMemFree(szAdapterId); } @@ -392,7 +400,9 @@ create_delete_adapter: { if (argc < 3) { - fwprintf(stderr, L"Missing adapter GUID or name. Please, use \"tapctl help delete\" for usage info.\n"); + fwprintf( + stderr, + L"Missing adapter GUID or name. Please, use \"tapctl help delete\" for usage info.\n"); return 1; } @@ -405,7 +415,8 @@ create_delete_adapter: if (dwResult != ERROR_SUCCESS) { fwprintf(stderr, L"Enumerating TUN/TAP adapters failed (error 0x%x).\n", dwResult); - iResult = 1; goto quit; + iResult = 1; + goto quit; } for (struct tap_adapter_node *pAdapter = pAdapterList;; pAdapter = pAdapter->pNext) 
@@ -413,7 +424,8 @@ create_delete_adapter: if (pAdapter == NULL) { fwprintf(stderr, L"\"%ls\" adapter not found.\n", argv[2]); - iResult = 1; goto delete_cleanup_pAdapterList; + iResult = 1; + goto delete_cleanup_pAdapterList; } else if (wcsicmp(argv[2], pAdapter->szName) == 0) { @@ -433,23 +445,26 @@ delete_cleanup_pAdapterList: } /* Delete the network adapter. */ - DWORD dwResult = tap_delete_adapter( - NULL, - &guidAdapter, - &bRebootRequired); + DWORD dwResult = tap_delete_adapter(NULL, &guidAdapter, &bRebootRequired); if (dwResult != ERROR_SUCCESS) { - fwprintf(stderr, L"Deleting adapter \"%ls" - L"\" failed (error 0x%x).\n", argv[2], dwResult); - iResult = 1; goto quit; + fwprintf(stderr, + L"Deleting adapter \"%ls" + L"\" failed (error 0x%x).\n", + argv[2], dwResult); + iResult = 1; + goto quit; } - iResult = 0; goto quit; + iResult = 0; + goto quit; } else { - fwprintf(stderr, L"Unknown command \"%ls" - L"\". Please, use \"tapctl help\" to list supported commands.\n", argv[1]); + fwprintf(stderr, + L"Unknown command \"%ls" + L"\". Please, use \"tapctl help\" to list supported commands.\n", + argv[1]); return 1; } 
@@ -484,16 +499,13 @@ x_msg_va(const unsigned int flags, const char *format, va_list arglist) /* Output system error message (if possible). */ DWORD dwResult = GetLastError(); LPWSTR szErrMessage = NULL; - if (FormatMessage( - FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS, - 0, - dwResult, - 0, - (LPWSTR)&szErrMessage, - 0, - NULL) && szErrMessage) + if (FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER + | FORMAT_MESSAGE_IGNORE_INSERTS, + 0, dwResult, 0, (LPWSTR)&szErrMessage, 0, NULL) + && szErrMessage) { - /* Trim trailing whitespace. Set terminator after the last non-whitespace character. This prevents excessive trailing line breaks. */ + /* Trim trailing whitespace. Set terminator after the last non-whitespace character. + * This prevents excessive trailing line breaks. */ for (size_t i = 0, i_last = 0;; i++) { if (szErrMessage[i]) diff --git a/src/tapctl/tap.c b/src/tapctl/tap.c index 96f09ee69..09be7e821 100644 --- a/src/tapctl/tap.c +++ b/src/tapctl/tap.c @@ -40,10 +40,15 @@ #endif -const static GUID GUID_DEVCLASS_NET = { 0x4d36e972L, 0xe325, 0x11ce, { 0xbf, 0xc1, 0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18 } }; +const static GUID GUID_DEVCLASS_NET = { + 0x4d36e972L, 0xe325, 0x11ce, { 0xbf, 0xc1, 0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18 } +}; -const static WCHAR szAdapterRegKeyPathTemplate[] = L"SYSTEM\\CurrentControlSet\\Control\\Network\\%ls\\%ls\\Connection"; -#define ADAPTER_REGKEY_PATH_MAX (_countof(L"SYSTEM\\CurrentControlSet\\Control\\Network\\") - 1 + 38 + _countof(L"\\") - 1 + 38 + _countof(L"\\Connection")) +const static WCHAR szAdapterRegKeyPathTemplate[] = + L"SYSTEM\\CurrentControlSet\\Control\\Network\\%ls\\%ls\\Connection"; +#define ADAPTER_REGKEY_PATH_MAX \ + (_countof(L"SYSTEM\\CurrentControlSet\\Control\\Network\\") - 1 + 38 + _countof(L"\\") - 1 \ + + 38 + _countof(L"\\Connection")) /** * Dynamically load a library and find a function in it 
@@ -154,10 +159,8 @@ wcszistr(_In_z_ LPCWSTR szzHay, _In_z_ LPCWSTR szNeedle) * * @return ERROR_SUCCESS on success; Win32 error code otherwise **/ -typedef DWORD (*devop_func_t)( - _In_ HDEVINFO hDeviceInfoSet, - _In_ PSP_DEVINFO_DATA pDeviceInfoData, - _Inout_ LPBOOL pbRebootRequired); +typedef DWORD (*devop_func_t)(_In_ HDEVINFO hDeviceInfoSet, _In_ PSP_DEVINFO_DATA pDeviceInfoData, + _Inout_ LPBOOL pbRebootRequired); /** @@ -177,10 +180,8 @@ typedef DWORD (*devop_func_t)( * @return ERROR_SUCCESS on success; Win32 error code otherwise **/ static DWORD -check_reboot( - _In_ HDEVINFO hDeviceInfoSet, - _In_ PSP_DEVINFO_DATA pDeviceInfoData, - _Inout_ LPBOOL pbRebootRequired) +check_reboot(_In_ HDEVINFO hDeviceInfoSet, _In_ PSP_DEVINFO_DATA pDeviceInfoData, + _Inout_ LPBOOL pbRebootRequired) { if (pbRebootRequired == NULL) { @@ -188,10 +189,7 @@ check_reboot( } SP_DEVINSTALL_PARAMS devinstall_params = { .cbSize = sizeof(SP_DEVINSTALL_PARAMS) }; - if (!SetupDiGetDeviceInstallParams( - hDeviceInfoSet, - pDeviceInfoData, - &devinstall_params)) + if (!SetupDiGetDeviceInstallParams(hDeviceInfoSet, pDeviceInfoData, &devinstall_params)) { DWORD dwResult = GetLastError(); msg(M_NONFATAL | M_ERRNO, "%s: SetupDiGetDeviceInstallParams failed", __FUNCTION__); @@ -224,10 +222,8 @@ check_reboot( * @return ERROR_SUCCESS on success; Win32 error code otherwise **/ static DWORD -delete_device( - _In_ HDEVINFO hDeviceInfoSet, - _In_ PSP_DEVINFO_DATA pDeviceInfoData, - _Inout_ LPBOOL pbRebootRequired) +delete_device(_In_ HDEVINFO hDeviceInfoSet, _In_ PSP_DEVINFO_DATA pDeviceInfoData, + _Inout_ LPBOOL pbRebootRequired) { SP_REMOVEDEVICE_PARAMS params = { 
@@ -241,11 +237,8 @@ delete_device( }; /* Set class installer parameters for DIF_REMOVE. */ - if (!SetupDiSetClassInstallParams( - hDeviceInfoSet, - pDeviceInfoData, - ¶ms.ClassInstallHeader, - sizeof(SP_REMOVEDEVICE_PARAMS))) + if (!SetupDiSetClassInstallParams(hDeviceInfoSet, pDeviceInfoData, ¶ms.ClassInstallHeader, + sizeof(SP_REMOVEDEVICE_PARAMS))) { DWORD dwResult = GetLastError(); msg(M_NONFATAL | M_ERRNO, "%s: SetupDiSetClassInstallParams failed", __FUNCTION__); @@ -253,10 +246,7 @@ delete_device( } /* Call appropriate class installer. */ - if (!SetupDiCallClassInstaller( - DIF_REMOVE, - hDeviceInfoSet, - pDeviceInfoData)) + if (!SetupDiCallClassInstaller(DIF_REMOVE, hDeviceInfoSet, pDeviceInfoData)) { DWORD dwResult = GetLastError(); msg(M_NONFATAL | M_ERRNO, "%s: SetupDiCallClassInstaller(DIF_REMOVE) failed", __FUNCTION__); @@ -288,11 +278,8 @@ delete_device( * @return ERROR_SUCCESS on success; Win32 error code otherwise **/ static DWORD -change_device_state( - _In_ HDEVINFO hDeviceInfoSet, - _In_ PSP_DEVINFO_DATA pDeviceInfoData, - _In_ BOOL bEnable, - _Inout_ LPBOOL pbRebootRequired) +change_device_state(_In_ HDEVINFO hDeviceInfoSet, _In_ PSP_DEVINFO_DATA pDeviceInfoData, + _In_ BOOL bEnable, _Inout_ LPBOOL pbRebootRequired) { SP_PROPCHANGE_PARAMS params = { @@ -307,11 +294,8 @@ change_device_state( }; /* Set class installer parameters for DIF_PROPERTYCHANGE. */ - if (!SetupDiSetClassInstallParams( - hDeviceInfoSet, - pDeviceInfoData, - ¶ms.ClassInstallHeader, - sizeof(SP_PROPCHANGE_PARAMS))) + if (!SetupDiSetClassInstallParams(hDeviceInfoSet, pDeviceInfoData, ¶ms.ClassInstallHeader, + sizeof(SP_PROPCHANGE_PARAMS))) { DWORD dwResult = GetLastError(); msg(M_NONFATAL | M_ERRNO, "%s: SetupDiSetClassInstallParams failed", __FUNCTION__); 
@@ -319,13 +303,11 @@ change_device_state( } /* Call appropriate class installer. */ - if (!SetupDiCallClassInstaller( - DIF_PROPERTYCHANGE, - hDeviceInfoSet, - pDeviceInfoData)) + if (!SetupDiCallClassInstaller(DIF_PROPERTYCHANGE, hDeviceInfoSet, pDeviceInfoData)) { DWORD dwResult = GetLastError(); - msg(M_NONFATAL | M_ERRNO, "%s: SetupDiCallClassInstaller(DIF_PROPERTYCHANGE) failed", __FUNCTION__); + msg(M_NONFATAL | M_ERRNO, "%s: SetupDiCallClassInstaller(DIF_PROPERTYCHANGE) failed", + __FUNCTION__); return dwResult; } @@ -352,10 +334,8 @@ change_device_state( * @return ERROR_SUCCESS on success; Win32 error code otherwise **/ static DWORD -enable_device( - _In_ HDEVINFO hDeviceInfoSet, - _In_ PSP_DEVINFO_DATA pDeviceInfoData, - _Inout_ LPBOOL pbRebootRequired) +enable_device(_In_ HDEVINFO hDeviceInfoSet, _In_ PSP_DEVINFO_DATA pDeviceInfoData, + _Inout_ LPBOOL pbRebootRequired) { return change_device_state(hDeviceInfoSet, pDeviceInfoData, TRUE, pbRebootRequired); } @@ -378,10 +358,8 @@ enable_device( * @return ERROR_SUCCESS on success; Win32 error code otherwise **/ static DWORD -disable_device( - _In_ HDEVINFO hDeviceInfoSet, - _In_ PSP_DEVINFO_DATA pDeviceInfoData, - _Inout_ LPBOOL pbRebootRequired) +disable_device(_In_ HDEVINFO hDeviceInfoSet, _In_ PSP_DEVINFO_DATA pDeviceInfoData, + _Inout_ LPBOOL pbRebootRequired) { return change_device_state(hDeviceInfoSet, pDeviceInfoData, FALSE, pbRebootRequired); } @@ -402,10 +380,7 @@ disable_device( * @return ERROR_SUCCESS on success; Win32 error code otherwise */ static DWORD -get_reg_string( - _In_ HKEY hKey, - _In_ LPCWSTR szName, - _Out_ LPWSTR *pszValue) +get_reg_string(_In_ HKEY hKey, _In_ LPCWSTR szName, _Out_ LPWSTR *pszValue) { if (pszValue == NULL) { 
@@ -413,17 +388,13 @@ get_reg_string( } DWORD dwValueType = REG_NONE, dwSize = 0; - DWORD dwResult = RegQueryValueEx( - hKey, - szName, - NULL, - &dwValueType, - NULL, - &dwSize); + DWORD dwResult = RegQueryValueEx(hKey, szName, NULL, &dwValueType, NULL, &dwSize); if (dwResult != ERROR_SUCCESS) { - SetLastError(dwResult); /* MSDN does not mention RegQueryValueEx() to set GetLastError(). But we do have an error code. Set last error manually. */ - msg(M_NONFATAL | M_ERRNO, "%s: enumerating \"%ls\" registry value failed", __FUNCTION__, szName); + SetLastError(dwResult); /* MSDN does not mention RegQueryValueEx() to set GetLastError(). + But we do have an error code. Set last error manually. */ + msg(M_NONFATAL | M_ERRNO, "%s: enumerating \"%ls\" registry value failed", __FUNCTION__, + szName); return dwResult; } @@ -440,17 +411,14 @@ get_reg_string( return ERROR_OUTOFMEMORY; } - dwResult = RegQueryValueEx( - hKey, - szName, - NULL, - NULL, - (LPBYTE)szValue, - &dwSize); + dwResult = RegQueryValueEx(hKey, szName, NULL, NULL, (LPBYTE)szValue, &dwSize); if (dwResult != ERROR_SUCCESS) { - SetLastError(dwResult); /* MSDN does not mention RegQueryValueEx() to set GetLastError(). But we do have an error code. Set last error manually. */ - msg(M_NONFATAL | M_ERRNO, "%s: reading \"%ls\" registry value failed", __FUNCTION__, szName); + SetLastError( + dwResult); /* MSDN does not mention RegQueryValueEx() to set GetLastError(). But + we do have an error code. Set last error manually. */ + msg(M_NONFATAL | M_ERRNO, "%s: reading \"%ls\" registry value failed", __FUNCTION__, + szName); free(szValue); return dwResult; } 
@@ -459,12 +427,12 @@ get_reg_string( { /* Expand the environment strings. */ DWORD - dwSizeExp = dwSize * 2, - dwCountExp = + dwSizeExp = dwSize * 2, dwCountExp = #ifdef UNICODE - dwSizeExp / sizeof(WCHAR); + dwSizeExp / sizeof(WCHAR); #else - dwSizeExp / sizeof(WCHAR) - 1; /* Note: ANSI version requires one extra char. */ + dwSizeExp / sizeof(WCHAR) + - 1; /* Note: ANSI version requires one extra char. */ #endif LPWSTR szValueExp = (LPWSTR)malloc(dwSizeExp); if (szValueExp == NULL) @@ -474,13 +442,11 @@ get_reg_string( return ERROR_OUTOFMEMORY; } - DWORD dwCountExpResult = ExpandEnvironmentStrings( - szValue, - szValueExp, dwCountExp - ); + DWORD dwCountExpResult = ExpandEnvironmentStrings(szValue, szValueExp, dwCountExp); if (dwCountExpResult == 0) { - msg(M_NONFATAL | M_ERRNO, "%s: expanding \"%ls\" registry value failed", __FUNCTION__, szName); + msg(M_NONFATAL | M_ERRNO, "%s: expanding \"%ls\" registry value failed", + __FUNCTION__, szName); free(szValueExp); free(szValue); return dwResult; @@ -511,9 +477,7 @@ get_reg_string( return ERROR_OUTOFMEMORY; } - dwCountExpResult = ExpandEnvironmentStrings( - szValue, - szValueExp, dwCountExp); + dwCountExpResult = ExpandEnvironmentStrings(szValue, szValueExp, dwCountExp); free(szValue); *pszValue = szValueExp; return ERROR_SUCCESS; @@ -527,7 +491,8 @@ get_reg_string( } default: - msg(M_NONFATAL, "%s: \"%ls\" registry value is not string (type %u)", __FUNCTION__, dwValueType); + msg(M_NONFATAL, "%s: \"%ls\" registry value is not string (type %u)", __FUNCTION__, + dwValueType); return ERROR_UNSUPPORTED_TYPE; } } 
@@ -552,11 +517,8 @@ get_reg_string( * @return ERROR_SUCCESS on success; Win32 error code otherwise **/ static DWORD -get_net_adapter_guid( - _In_ HDEVINFO hDeviceInfoSet, - _In_ PSP_DEVINFO_DATA pDeviceInfoData, - _In_ int iNumAttempts, - _Out_ LPGUID pguidAdapter) +get_net_adapter_guid(_In_ HDEVINFO hDeviceInfoSet, _In_ PSP_DEVINFO_DATA pDeviceInfoData, + _In_ int iNumAttempts, _Out_ LPGUID pguidAdapter) { DWORD dwResult = ERROR_BAD_ARGUMENTS; @@ -566,13 +528,8 @@ get_net_adapter_guid( } /* Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\ registry key. */ - HKEY hKey = SetupDiOpenDevRegKey( - hDeviceInfoSet, - pDeviceInfoData, - DICS_FLAG_GLOBAL, - 0, - DIREG_DRV, - KEY_READ); + HKEY hKey = SetupDiOpenDevRegKey(hDeviceInfoSet, pDeviceInfoData, DICS_FLAG_GLOBAL, 0, + DIREG_DRV, KEY_READ); if (hKey == INVALID_HANDLE_VALUE) { dwResult = GetLastError(); @@ -582,7 +539,8 @@ get_net_adapter_guid( while (iNumAttempts > 0) { - /* Query the NetCfgInstanceId value. Using get_reg_string() right on might clutter the output with error messages while the registry is still being populated. */ + /* Query the NetCfgInstanceId value. Using get_reg_string() right on might clutter the + * output with error messages while the registry is still being populated. */ LPWSTR szCfgGuidString = NULL; dwResult = RegQueryValueEx(hKey, L"NetCfgInstanceId", NULL, NULL, NULL, NULL); if (dwResult != ERROR_SUCCESS) 
@@ -594,22 +552,24 @@ get_net_adapter_guid( continue; } - SetLastError(dwResult); /* MSDN does not mention RegQueryValueEx() to set GetLastError(). But we do have an error code. Set last error manually. */ - msg(M_NONFATAL | M_ERRNO, "%s: querying \"NetCfgInstanceId\" registry value failed", __FUNCTION__); + SetLastError( + dwResult); /* MSDN does not mention RegQueryValueEx() to set GetLastError(). But we + do have an error code. Set last error manually. */ + msg(M_NONFATAL | M_ERRNO, "%s: querying \"NetCfgInstanceId\" registry value failed", + __FUNCTION__); break; } /* Read the NetCfgInstanceId value now. */ - dwResult = get_reg_string( - hKey, - L"NetCfgInstanceId", - &szCfgGuidString); + dwResult = get_reg_string(hKey, L"NetCfgInstanceId", &szCfgGuidString); if (dwResult != ERROR_SUCCESS) { break; } - dwResult = SUCCEEDED(CLSIDFromString(szCfgGuidString, (LPCLSID)pguidAdapter)) ? ERROR_SUCCESS : ERROR_INVALID_DATA; + dwResult = SUCCEEDED(CLSIDFromString(szCfgGuidString, (LPCLSID)pguidAdapter)) + ? ERROR_SUCCESS + : ERROR_INVALID_DATA; free(szCfgGuidString); break; } @@ -641,12 +601,9 @@ get_net_adapter_guid( * @return ERROR_SUCCESS on success; Win32 error code otherwise **/ static DWORD -get_device_reg_property( - _In_ HDEVINFO hDeviceInfoSet, - _In_ PSP_DEVINFO_DATA pDeviceInfoData, - _In_ DWORD dwProperty, - _Out_opt_ LPDWORD pdwPropertyRegDataType, - _Out_ LPVOID *ppData) +get_device_reg_property(_In_ HDEVINFO hDeviceInfoSet, _In_ PSP_DEVINFO_DATA pDeviceInfoData, + _In_ DWORD dwProperty, _Out_opt_ LPDWORD pdwPropertyRegDataType, + _Out_ LPVOID *ppData) { DWORD dwResult = ERROR_BAD_ARGUMENTS; 
@@ -658,14 +615,9 @@ get_device_reg_property( /* Try with stack buffer first. */ BYTE bBufStack[128]; DWORD dwRequiredSize = 0; - if (SetupDiGetDeviceRegistryProperty( - hDeviceInfoSet, - pDeviceInfoData, - dwProperty, - pdwPropertyRegDataType, - bBufStack, - sizeof(bBufStack), - &dwRequiredSize)) + if (SetupDiGetDeviceRegistryProperty(hDeviceInfoSet, pDeviceInfoData, dwProperty, + pdwPropertyRegDataType, bBufStack, sizeof(bBufStack), + &dwRequiredSize)) { /* Copy from stack. */ *ppData = malloc(dwRequiredSize); @@ -691,27 +643,24 @@ get_device_reg_property( return ERROR_OUTOFMEMORY; } - if (SetupDiGetDeviceRegistryProperty( - hDeviceInfoSet, - pDeviceInfoData, - dwProperty, - pdwPropertyRegDataType, - *ppData, - dwRequiredSize, - &dwRequiredSize)) + if (SetupDiGetDeviceRegistryProperty(hDeviceInfoSet, pDeviceInfoData, dwProperty, + pdwPropertyRegDataType, *ppData, dwRequiredSize, + &dwRequiredSize)) { return ERROR_SUCCESS; } else { dwResult = GetLastError(); - msg(M_NONFATAL | M_ERRNO, "%s: SetupDiGetDeviceRegistryProperty(%u) failed", __FUNCTION__, dwProperty); + msg(M_NONFATAL | M_ERRNO, "%s: SetupDiGetDeviceRegistryProperty(%u) failed", + __FUNCTION__, dwProperty); return dwResult; } } else { - msg(M_NONFATAL | M_ERRNO, "%s: SetupDiGetDeviceRegistryProperty(%u) failed", __FUNCTION__, dwProperty); + msg(M_NONFATAL | M_ERRNO, "%s: SetupDiGetDeviceRegistryProperty(%u) failed", + __FUNCTION__, dwProperty); return dwResult; } } 
@@ -719,19 +668,13 @@ get_device_reg_property( DWORD -tap_create_adapter( - _In_opt_ HWND hwndParent, - _In_opt_ LPCWSTR szDeviceDescription, - _In_ LPCWSTR szHwId, - _Inout_ LPBOOL pbRebootRequired, - _Out_ LPGUID pguidAdapter) +tap_create_adapter(_In_opt_ HWND hwndParent, _In_opt_ LPCWSTR szDeviceDescription, + _In_ LPCWSTR szHwId, _Inout_ LPBOOL pbRebootRequired, _Out_ LPGUID pguidAdapter) { DWORD dwResult; HMODULE libnewdev = NULL; - if (szHwId == NULL - || pbRebootRequired == NULL - || pguidAdapter == NULL) + if (szHwId == NULL || pbRebootRequired == NULL || pguidAdapter == NULL) { return ERROR_BAD_ARGUMENTS; } @@ -747,11 +690,7 @@ tap_create_adapter( /* Get the device class name from GUID. */ WCHAR szClassName[MAX_CLASS_NAME_LEN]; - if (!SetupDiClassNameFromGuid( - &GUID_DEVCLASS_NET, - szClassName, - _countof(szClassName), - NULL)) + if (!SetupDiClassNameFromGuid(&GUID_DEVCLASS_NET, szClassName, _countof(szClassName), NULL)) { dwResult = GetLastError(); msg(M_NONFATAL, "%s: SetupDiClassNameFromGuid failed", __FUNCTION__); @@ -760,14 +699,8 @@ tap_create_adapter( /* Create a new device info element and add it to the device info set. */ SP_DEVINFO_DATA devinfo_data = { .cbSize = sizeof(SP_DEVINFO_DATA) }; - if (!SetupDiCreateDeviceInfo( - hDevInfoList, - szClassName, - &GUID_DEVCLASS_NET, - szDeviceDescription, - hwndParent, - DICD_GENERATE_ID, - &devinfo_data)) + if (!SetupDiCreateDeviceInfo(hDevInfoList, szClassName, &GUID_DEVCLASS_NET, szDeviceDescription, + hwndParent, DICD_GENERATE_ID, &devinfo_data)) { dwResult = GetLastError(); msg(M_NONFATAL, "%s: SetupDiCreateDeviceInfo failed", __FUNCTION__); @@ -775,9 +708,7 @@ tap_create_adapter( } /* Set a device information element as the selected member of a device information set. */ - if (!SetupDiSetSelectedDevice( - hDevInfoList, - &devinfo_data)) + if (!SetupDiSetSelectedDevice(hDevInfoList, &devinfo_data)) { dwResult = GetLastError(); msg(M_NONFATAL, "%s: SetupDiSetSelectedDevice failed", __FUNCTION__); 
@@ -785,11 +716,9 @@ tap_create_adapter(
 }
 
 /* Set Plug&Play device hardware ID property. */
- if (!SetupDiSetDeviceRegistryProperty(
- hDevInfoList,
- &devinfo_data,
- SPDRP_HARDWAREID,
- (const BYTE *)szHwId, (DWORD)((wcslen(szHwId) + 1) * sizeof(WCHAR))))
+ if (!SetupDiSetDeviceRegistryProperty(hDevInfoList, &devinfo_data, SPDRP_HARDWAREID,
+ (const BYTE *)szHwId,
+ (DWORD)((wcslen(szHwId) + 1) * sizeof(WCHAR))))
 {
 dwResult = GetLastError();
 msg(M_NONFATAL, "%s: SetupDiSetDeviceRegistryProperty failed", __FUNCTION__);
@@ -797,10 +726,7 @@ tap_create_adapter(
 }
 
 /* Register the device instance with the PnP Manager */
- if (!SetupDiCallClassInstaller(
- DIF_REGISTERDEVICE,
- hDevInfoList,
- &devinfo_data))
+ if (!SetupDiCallClassInstaller(DIF_REGISTERDEVICE, hDevInfoList, &devinfo_data))
 {
 dwResult = GetLastError();
 msg(M_NONFATAL, "%s: SetupDiCallClassInstaller(DIF_REGISTERDEVICE) failed", __FUNCTION__);
@@ -816,10 +742,9 @@ tap_create_adapter(
 if (!DiInstallDevice(hwndParent, hDevInfoList, &devinfo_data, NULL, 0, pbRebootRequired))
 #else
 /* mingw does not resolve DiInstallDevice, so load it at run time. */
- typedef BOOL (WINAPI *DiInstallDeviceFn)(HWND, HDEVINFO, SP_DEVINFO_DATA *,
- SP_DRVINFO_DATA *, DWORD, BOOL *);
- DiInstallDeviceFn installfn
- = find_function(L"newdev.dll", "DiInstallDevice", &libnewdev);
+ typedef BOOL(WINAPI * DiInstallDeviceFn)(HWND, HDEVINFO, SP_DEVINFO_DATA *, SP_DRVINFO_DATA *,
+ DWORD, BOOL *);
+ DiInstallDeviceFn installfn = find_function(L"newdev.dll", "DiInstallDevice", &libnewdev);
 
 if (!installfn)
 {
@@ -855,24 +780,20 @@ cleanup_remove_device:
 };
 
 /* Set class installer parameters for DIF_REMOVE. */
- if (SetupDiSetClassInstallParams(
- hDevInfoList,
- &devinfo_data,
- &removedevice_params.ClassInstallHeader,
- sizeof(SP_REMOVEDEVICE_PARAMS)))
+ if (SetupDiSetClassInstallParams(hDevInfoList, &devinfo_data,
+ &removedevice_params.ClassInstallHeader,
+ sizeof(SP_REMOVEDEVICE_PARAMS)))
 {
 /* Call appropriate class installer. */
- if (SetupDiCallClassInstaller(
- DIF_REMOVE,
- hDevInfoList,
- &devinfo_data))
+ if (SetupDiCallClassInstaller(DIF_REMOVE, hDevInfoList, &devinfo_data))
 {
 /* Check if a system reboot is required. */
 check_reboot(hDevInfoList, &devinfo_data, pbRebootRequired);
 }
 else
 {
- msg(M_NONFATAL | M_ERRNO, "%s: SetupDiCallClassInstaller(DIF_REMOVE) failed", __FUNCTION__);
+ msg(M_NONFATAL | M_ERRNO, "%s: SetupDiCallClassInstaller(DIF_REMOVE) failed",
+ __FUNCTION__);
 }
 }
 else
@@ -912,11 +833,8 @@ cleanup_hDevInfoList:
 * @return ERROR_SUCCESS on success; Win32 error code otherwise
 **/
 static DWORD
-execute_on_first_adapter(
- _In_opt_ HWND hwndParent,
- _In_ LPCGUID pguidAdapter,
- _In_ devop_func_t funcOperation,
- _Inout_ LPBOOL pbRebootRequired)
+execute_on_first_adapter(_In_opt_ HWND hwndParent, _In_ LPCGUID pguidAdapter,
+ _In_ devop_func_t funcOperation, _Inout_ LPBOOL pbRebootRequired)
 {
 DWORD dwResult;
 
@@ -926,14 +844,8 @@ execute_on_first_adapter(
 }
 
 /* Create a list of network devices. */
- HDEVINFO hDevInfoList = SetupDiGetClassDevsEx(
- &GUID_DEVCLASS_NET,
- NULL,
- hwndParent,
- DIGCF_PRESENT,
- NULL,
- NULL,
- NULL);
+ HDEVINFO hDevInfoList = SetupDiGetClassDevsEx(&GUID_DEVCLASS_NET, NULL, hwndParent,
+ DIGCF_PRESENT, NULL, NULL, NULL);
 if (hDevInfoList == INVALID_HANDLE_VALUE)
 {
 dwResult = GetLastError();
@@ -942,7 +854,8 @@ execute_on_first_adapter(
 }
 
 /* Retrieve information associated with a device information set. */
- SP_DEVINFO_LIST_DETAIL_DATA devinfo_list_detail_data = { .cbSize = sizeof(SP_DEVINFO_LIST_DETAIL_DATA) };
+ SP_DEVINFO_LIST_DETAIL_DATA devinfo_list_detail_data = { .cbSize = sizeof(
+ SP_DEVINFO_LIST_DETAIL_DATA) };
 if (!SetupDiGetDeviceInfoListDetail(hDevInfoList, &devinfo_list_detail_data))
 {
 dwResult = GetLastError();
@@ -955,10 +868,7 @@ execute_on_first_adapter(
 {
 /* Get the device from the list. */
 SP_DEVINFO_DATA devinfo_data = { .cbSize = sizeof(SP_DEVINFO_DATA) };
- if (!SetupDiEnumDeviceInfo(
- hDevInfoList,
- dwIndex,
- &devinfo_data))
+ if (!SetupDiEnumDeviceInfo(hDevInfoList, dwIndex, &devinfo_data))
 {
 if (GetLastError() == ERROR_NO_MORE_ITEMS)
 {
@@ -972,7 +882,8 @@ execute_on_first_adapter(
 else
 {
 /* Something is wrong with this device. Skip it. */
- msg(M_WARN | M_ERRNO, "%s: SetupDiEnumDeviceInfo(%u) failed", __FUNCTION__, dwIndex);
+ msg(M_WARN | M_ERRNO, "%s: SetupDiEnumDeviceInfo(%u) failed", __FUNCTION__,
+ dwIndex);
 continue;
 }
 }
@@ -1001,23 +912,19 @@ cleanup_hDevInfoList:
 
 
 DWORD
-tap_delete_adapter(
- _In_opt_ HWND hwndParent,
- _In_ LPCGUID pguidAdapter,
- _Inout_ LPBOOL pbRebootRequired)
+tap_delete_adapter(_In_opt_ HWND hwndParent, _In_ LPCGUID pguidAdapter,
+ _Inout_ LPBOOL pbRebootRequired)
 {
 return execute_on_first_adapter(hwndParent, pguidAdapter, delete_device, pbRebootRequired);
 }
 
 
 DWORD
-tap_enable_adapter(
- _In_opt_ HWND hwndParent,
- _In_ LPCGUID pguidAdapter,
- _In_ BOOL bEnable,
- _Inout_ LPBOOL pbRebootRequired)
+tap_enable_adapter(_In_opt_ HWND hwndParent, _In_ LPCGUID pguidAdapter, _In_ BOOL bEnable,
+ _Inout_ LPBOOL pbRebootRequired)
 {
- return execute_on_first_adapter(hwndParent, pguidAdapter, bEnable ? enable_device : disable_device, pbRebootRequired);
+ return execute_on_first_adapter(hwndParent, pguidAdapter,
+ bEnable ? enable_device : disable_device, pbRebootRequired);
 }
 
 /* stripped version of ExecCommand in interactive.c */
@@ -1037,8 +944,8 @@ ExecCommand(const WCHAR *cmdline)
 
 /* CreateProcess needs a modifiable cmdline: make a copy */
 cmdline_dup = _wcsdup(cmdline);
- if (cmdline_dup && CreateProcessW(NULL, cmdline_dup, NULL, NULL, FALSE,
- proc_flags, NULL, NULL, &si, &pi))
+ if (cmdline_dup
+ && CreateProcessW(NULL, cmdline_dup, NULL, NULL, FALSE, proc_flags, NULL, NULL, &si, &pi))
 {
 WaitForSingleObject(pi.hProcess, INFINITE);
 if (!GetExitCodeProcess(pi.hProcess, &exit_code))
@@ -1059,10 +966,7 @@ ExecCommand(const WCHAR *cmdline)
 }
 
 DWORD
-tap_set_adapter_name(
- _In_ LPCGUID pguidAdapter,
- _In_ LPCWSTR szName,
- _In_ BOOL bSilent)
+tap_set_adapter_name(_In_ LPCGUID pguidAdapter, _In_ LPCWSTR szName, _In_ BOOL bSilent)
 {
 DWORD dwResult;
 int msg_flag = bSilent ? M_WARN : M_NONFATAL;
@@ -1083,23 +987,16 @@ tap_set_adapter_name(
 
 /* Render registry key path. */
 WCHAR szRegKey[ADAPTER_REGKEY_PATH_MAX];
- swprintf_s(
- szRegKey, _countof(szRegKey),
- szAdapterRegKeyPathTemplate,
- szDevClassNetId,
- szAdapterId);
+ swprintf_s(szRegKey, _countof(szRegKey), szAdapterRegKeyPathTemplate, szDevClassNetId,
+ szAdapterId);
 
 /* Open network adapter registry key. */
 HKEY hKey = NULL;
- dwResult = RegOpenKeyEx(
- HKEY_LOCAL_MACHINE,
- szRegKey,
- 0,
- KEY_QUERY_VALUE,
- &hKey);
+ dwResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, szRegKey, 0, KEY_QUERY_VALUE, &hKey);
 if (dwResult != ERROR_SUCCESS)
 {
- SetLastError(dwResult); /* MSDN does not mention RegOpenKeyEx() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(dwResult); /* MSDN does not mention RegOpenKeyEx() to set GetLastError(). But
+ we do have an error code. Set last error manually. */
 msg(msg_flag, "%s: RegOpenKeyEx(HKLM, \"%ls\") failed", __FUNCTION__, szRegKey);
 goto cleanup_szAdapterId;
 }
@@ -1142,10 +1039,8 @@ cleanup_szAdapterId:
 
 
 DWORD
-tap_list_adapters(
- _In_opt_ HWND hwndParent,
- _In_opt_ LPCWSTR szzHwIDs,
- _Out_ struct tap_adapter_node **ppAdapter)
+tap_list_adapters(_In_opt_ HWND hwndParent, _In_opt_ LPCWSTR szzHwIDs,
+ _Out_ struct tap_adapter_node **ppAdapter)
 {
 DWORD dwResult;
 
@@ -1155,14 +1050,8 @@ tap_list_adapters(
 }
 
 /* Create a list of network devices. */
- HDEVINFO hDevInfoList = SetupDiGetClassDevsEx(
- &GUID_DEVCLASS_NET,
- NULL,
- hwndParent,
- DIGCF_PRESENT,
- NULL,
- NULL,
- NULL);
+ HDEVINFO hDevInfoList = SetupDiGetClassDevsEx(&GUID_DEVCLASS_NET, NULL, hwndParent,
+ DIGCF_PRESENT, NULL, NULL, NULL);
 if (hDevInfoList == INVALID_HANDLE_VALUE)
 {
 dwResult = GetLastError();
@@ -1171,7 +1060,8 @@ tap_list_adapters(
 }
 
 /* Retrieve information associated with a device information set. */
- SP_DEVINFO_LIST_DETAIL_DATA devinfo_list_detail_data = { .cbSize = sizeof(SP_DEVINFO_LIST_DETAIL_DATA) };
+ SP_DEVINFO_LIST_DETAIL_DATA devinfo_list_detail_data = { .cbSize = sizeof(
+ SP_DEVINFO_LIST_DETAIL_DATA) };
 if (!SetupDiGetDeviceInfoListDetail(hDevInfoList, &devinfo_list_detail_data))
 {
 dwResult = GetLastError();
@@ -1190,10 +1080,7 @@ tap_list_adapters(
 {
 /* Get the device from the list. */
 SP_DEVINFO_DATA devinfo_data = { .cbSize = sizeof(SP_DEVINFO_DATA) };
- if (!SetupDiEnumDeviceInfo(
- hDevInfoList,
- dwIndex,
- &devinfo_data))
+ if (!SetupDiEnumDeviceInfo(hDevInfoList, dwIndex, &devinfo_data))
 {
 if (GetLastError() == ERROR_NO_MORE_ITEMS)
 {
@@ -1202,7 +1089,8 @@ tap_list_adapters(
 else
 {
 /* Something is wrong with this device. Skip it. */
- msg(M_WARN | M_ERRNO, "%s: SetupDiEnumDeviceInfo(%u) failed", __FUNCTION__, dwIndex);
+ msg(M_WARN | M_ERRNO, "%s: SetupDiEnumDeviceInfo(%u) failed", __FUNCTION__,
+ dwIndex);
 continue;
 }
 }
@@ -1210,12 +1098,8 @@ tap_list_adapters(
 /* Get device hardware ID(s). */
 DWORD dwDataType = REG_NONE;
 LPWSTR szzDeviceHardwareIDs = NULL;
- dwResult = get_device_reg_property(
- hDevInfoList,
- &devinfo_data,
- SPDRP_HARDWAREID,
- &dwDataType,
- (LPVOID)&szzDeviceHardwareIDs);
+ dwResult = get_device_reg_property(hDevInfoList, &devinfo_data, SPDRP_HARDWAREID,
+ &dwDataType, (LPVOID)&szzDeviceHardwareIDs);
 if (dwResult != ERROR_SUCCESS)
 {
 /* Something is wrong with this device. Skip it. */
@@ -1271,48 +1155,42 @@ tap_list_adapters(
 
 /* Render registry key path. */
 WCHAR szRegKey[ADAPTER_REGKEY_PATH_MAX];
- swprintf_s(
- szRegKey, _countof(szRegKey),
- szAdapterRegKeyPathTemplate,
- szDevClassNetId,
- szAdapterId);
+ swprintf_s(szRegKey, _countof(szRegKey), szAdapterRegKeyPathTemplate, szDevClassNetId,
+ szAdapterId);
 
 /* Open network adapter registry key. */
 HKEY hKey = NULL;
- dwResult = RegOpenKeyEx(
- HKEY_LOCAL_MACHINE,
- szRegKey,
- 0,
- KEY_READ,
- &hKey);
+ dwResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, szRegKey, 0, KEY_READ, &hKey);
 if (dwResult != ERROR_SUCCESS)
 {
- SetLastError(dwResult); /* MSDN does not mention RegOpenKeyEx() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(dwResult); /* MSDN does not mention RegOpenKeyEx() to set GetLastError().
+ But we do have an error code. Set last error manually. */
 msg(M_WARN | M_ERRNO, "%s: RegOpenKeyEx(HKLM, \"%ls\") failed", __FUNCTION__, szRegKey);
 goto cleanup_szAdapterId;
 }
 
 /* Read adapter name. */
 LPWSTR szName = NULL;
- dwResult = get_reg_string(
- hKey,
- L"Name",
- &szName);
+ dwResult = get_reg_string(hKey, L"Name", &szName);
 if (dwResult != ERROR_SUCCESS)
 {
 SetLastError(dwResult);
- msg(M_WARN | M_ERRNO, "%s: Cannot determine %ls adapter name", __FUNCTION__, szAdapterId);
+ msg(M_WARN | M_ERRNO, "%s: Cannot determine %ls adapter name", __FUNCTION__,
+ szAdapterId);
 goto cleanup_hKey;
 }
 
 /* Append to the list. */
 size_t hwid_size = (wcszlen(szzDeviceHardwareIDs) + 1) * sizeof(WCHAR);
 size_t name_size = (wcslen(szName) + 1) * sizeof(WCHAR);
- struct tap_adapter_node *node = (struct tap_adapter_node *)malloc(sizeof(struct tap_adapter_node) + hwid_size + name_size);
+ struct tap_adapter_node *node = (struct tap_adapter_node *)malloc(
+ sizeof(struct tap_adapter_node) + hwid_size + name_size);
 if (node == NULL)
 {
- msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__, sizeof(struct tap_adapter_node) + hwid_size + name_size);
- dwResult = ERROR_OUTOFMEMORY; goto cleanup_szName;
+ msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__,
+ sizeof(struct tap_adapter_node) + hwid_size + name_size);
+ dwResult = ERROR_OUTOFMEMORY;
+ goto cleanup_szName;
 }
 
 memcpy(&node->guid, &guidAdapter, sizeof(GUID));
@@ -1351,8 +1229,7 @@ cleanup_hDevInfoList:
 
 
 void
-tap_free_adapter_list(
- _In_ struct tap_adapter_node *pAdapterList)
+tap_free_adapter_list(_In_ struct tap_adapter_node *pAdapterList)
 {
 /* Iterate over all nodes of the list. */
 while (pAdapterList)
diff --git a/src/tapctl/tap.h b/src/tapctl/tap.h
index a0b0561f6..ee5fb09b0 100644
--- a/src/tapctl/tap.h
+++ b/src/tapctl/tap.h
@@ -49,12 +49,8 @@
 * @return ERROR_SUCCESS on success; Win32 error code otherwise
 **/
 DWORD
-tap_create_adapter(
- _In_opt_ HWND hwndParent,
- _In_opt_ LPCWSTR szDeviceDescription,
- _In_ LPCWSTR szHwId,
- _Inout_ LPBOOL pbRebootRequired,
- _Out_ LPGUID pguidAdapter);
+tap_create_adapter(_In_opt_ HWND hwndParent, _In_opt_ LPCWSTR szDeviceDescription,
+ _In_ LPCWSTR szHwId, _Inout_ LPBOOL pbRebootRequired, _Out_ LPGUID pguidAdapter);
 
 
 /**
@@ -76,10 +72,8 @@ tap_create_adapter(
 * @return ERROR_SUCCESS on success; Win32 error code otherwise
 **/
 DWORD
-tap_delete_adapter(
- _In_opt_ HWND hwndParent,
- _In_ LPCGUID pguidAdapter,
- _Inout_ LPBOOL pbRebootRequired);
+tap_delete_adapter(_In_opt_ HWND hwndParent, _In_ LPCGUID pguidAdapter,
+ _Inout_ LPBOOL pbRebootRequired);
 
 
 /**
@@ -103,11 +97,8 @@ tap_delete_adapter(
 * @return ERROR_SUCCESS on success; Win32 error code otherwise
 **/
 DWORD
-tap_enable_adapter(
- _In_opt_ HWND hwndParent,
- _In_ LPCGUID pguidAdapter,
- _In_ BOOL bEnable,
- _Inout_ LPBOOL pbRebootRequired);
+tap_enable_adapter(_In_opt_ HWND hwndParent, _In_ LPCGUID pguidAdapter, _In_ BOOL bEnable,
+ _Inout_ LPBOOL pbRebootRequired);
 
 
 /**
@@ -123,10 +114,7 @@ tap_enable_adapter(
 * @return ERROR_SUCCESS on success; Win32 error code otherwise
 **/
 DWORD
-tap_set_adapter_name(
- _In_ LPCGUID pguidAdapter,
- _In_ LPCWSTR szName,
- _In_ BOOL bSilent);
+tap_set_adapter_name(_In_ LPCGUID pguidAdapter, _In_ LPCWSTR szName, _In_ BOOL bSilent);
 
 
 /**
@@ -134,9 +122,9 @@ tap_set_adapter_name(
 */
 struct tap_adapter_node
 {
- GUID guid; /**< Adapter GUID */
- LPWSTR szzHardwareIDs; /**< Device hardware ID(s) */
- LPWSTR szName; /**< Adapter name */
+ GUID guid; /**< Adapter GUID */
+ LPWSTR szzHardwareIDs; /**< Device hardware ID(s) */
+ LPWSTR szName; /**< Adapter name */
 struct tap_adapter_node *pNext; /**< Pointer to next adapter */
 };
 
@@ -162,10 +150,8 @@ struct tap_adapter_node
 * @return ERROR_SUCCESS on success; Win32 error code otherwise
 */
 DWORD
-tap_list_adapters(
- _In_opt_ HWND hwndParent,
- _In_opt_ LPCWSTR szzHwIDs,
- _Out_ struct tap_adapter_node **ppAdapterList);
+tap_list_adapters(_In_opt_ HWND hwndParent, _In_opt_ LPCWSTR szzHwIDs,
+ _Out_ struct tap_adapter_node **ppAdapterList);
 
 
 /**
@@ -173,8 +159,6 @@ tap_list_adapters(
 *
 * @param pAdapterList A pointer to the first adapter in the list to free.
 */
-void
-tap_free_adapter_list(
- _In_ struct tap_adapter_node *pAdapterList);
+void tap_free_adapter_list(_In_ struct tap_adapter_node *pAdapterList);
 
 #endif /* ifndef TAP_H */
diff --git a/tests/ntlm_support.c b/tests/ntlm_support.c
index 3960cc5db..700705114 100644
--- a/tests/ntlm_support.c
+++ b/tests/ntlm_support.c
@@ -49,7 +49,7 @@ main(void)
 crypto_unload_provider("legacy", legacy);
 crypto_unload_provider("default", def);
 #endif
-#else /* ifdef NTLM */
+#else /* ifdef NTLM */
 msg(M_FATAL, "NTLM support not compiled in");
 #endif
 }
diff --git a/tests/unit_tests/example_test/test.c b/tests/unit_tests/example_test/test.c
index c174025cc..139e06f0d 100644
--- a/tests/unit_tests/example_test/test.c
+++ b/tests/unit_tests/example_test/test.c
@@ -10,7 +10,7 @@
 static int
 setup(void **state)
 {
- int *answer = malloc(sizeof(int));
+ int *answer = malloc(sizeof(int));
 *answer = 42;
 *state = answer;
 
@@ -29,7 +29,7 @@ teardown(void **state)
 static void
 null_test_success(void **state)
 {
- (void) state;
+ (void)state;
 }
 
 static void
@@ -39,8 +39,7 @@ int_test_success(void **state)
 assert_int_equal(*answer, 42);
 }
 
-__attribute__((unused))
-static void
+__attribute__((unused)) static void
 failing_test(void **state)
 {
 /* This tests fails to test that make check fails */
@@ -53,7 +52,7 @@ main(void)
 const struct CMUnitTest tests[] = {
 cmocka_unit_test(null_test_success),
 cmocka_unit_test_setup_teardown(int_test_success, setup, teardown),
-/* cmocka_unit_test(failing_test), */
+ /* cmocka_unit_test(failing_test), */
 };
 
 return cmocka_run_group_tests_name("success_test", tests, NULL, NULL);
diff --git a/tests/unit_tests/example_test/test2.c b/tests/unit_tests/example_test/test2.c
index bb54633c8..308943236 100644
--- a/tests/unit_tests/example_test/test2.c
+++ b/tests/unit_tests/example_test/test2.c
@@ -11,7 +11,7 @@
 static void
 test_true(void **state)
 {
- (void) state;
+ (void)state;
 }
 
 
diff --git a/tests/unit_tests/openvpn/cert_data.h b/tests/unit_tests/openvpn/cert_data.h
index 638af398a..9e2974a53 100644
--- a/tests/unit_tests/openvpn/cert_data.h
+++ b/tests/unit_tests/openvpn/cert_data.h
@@ -52,12 +52,11 @@ static const char *const cert1 =
 "srXMaPe0lAea4etMSZsjIRPwGRMXBrwbRmb6iN2Cq40867HdaJoAryYig7IiDwSX\n"
 "htCbOA6sX+60+FEOYDEx5cmkogl633Pw7LJ3ICkyzIrUSEt6BOT1Gsc1eQ==\n"
 "-----END CERTIFICATE-----\n";
-static const char *const key1 =
- "-----BEGIN PRIVATE KEY-----\n"
- "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg5Xpw/lLvBrWjAWDq\n"
- "L6dm/4a1or6AQ6O3yXYgw78B23ihRANCAAR4SRvnSuGdJmPitKbqcFbcgyzsMBlh\n"
- "4wWOrty4I0ZlIXxY2qEnyb3YKz4OdMGzpK7FLfQZehHg6LGblcLs4EW7\n"
- "-----END PRIVATE KEY-----\n";
+static const char *const key1 = "-----BEGIN PRIVATE KEY-----\n"
+ "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg5Xpw/lLvBrWjAWDq\n"
+ "L6dm/4a1or6AQ6O3yXYgw78B23ihRANCAAR4SRvnSuGdJmPitKbqcFbcgyzsMBlh\n"
+ "4wWOrty4I0ZlIXxY2qEnyb3YKz4OdMGzpK7FLfQZehHg6LGblcLs4EW7\n"
+ "-----END PRIVATE KEY-----\n";
 static const char *const hash1 = "A4B74F1D68AF50691F62CBD675E24C8655369567";
 static const char *const cname1 = "ovpn-test-ec1";
 
@@ -104,35 +103,34 @@ static const char *const cert3 =
 "F6MgVGSxl6eylJgDYckvJiAbmcp2PD/LRQQOxQA0yqeAMg2cbdvclETuYD6zoFfu\n"
 "Y8aO7dvDlw==\n"
 "-----END CERTIFICATE-----\n";
-static const char *const key3 =
- "-----BEGIN PRIVATE KEY-----\n"
- "MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC7xFoR6fmoyfsJ\n"
- "IQDKKgbYgFw0MzVuDAmpRx6KTEihgTchkQx9fHddWbKiOUbcEnQi3LNux7P4QVl/\n"
- "4dRR3skisBug6Vd5LXeBGZqmpu5XZiF4DgLz1lX21G0aOogFWkie2qGEcso40159\n"
- "x9FBDl5A3sLP18ubeex0pd/BzDFv6SLOTyVWO/GCNc8IX/i0uN4mLvoVU00SeqwT\n"
- "PnS+CRXrSq4JjGDJLsXl0/PlxkjsgU0yOOA0Z2d8Fzk3wClwP6Hc49BOMWKstUIh\n"
- "LbG2DcIv8l29EuEj2w3ju/7gkewol96XQ2twpPvpoVAaiVh/m7hQUcQORQCD6eJc\n"
- "DjOZVCArAgMBAAECggEACqkuWAAJ3cyCBVWrXs8eDmLTWV9i9DmYvtS75ixIn2rf\n"
- "v3cl12YevN0f6FgKLuqZT3Vqdqq+DCVhuIIQ9QkKMH8BQpSdE9NCCsFyZ23o8Gtr\n"
- "EQ7ymfecb+RFwYx7NpqWrvZI32VJGArgPZH/zorLTTGYrAZbmBtHEqRsXOuEDw97\n"
- "slwwcWaa9ztaYC8/N/7fgsnydaCFSaOByRlWuyvSmHvn6ZwLv8ANOshY6fstC0Jb\n"
- "BW0GpSe9eZPjpl71VT2RtpghqLV5+iAoFDHoT+eZvBospcUGtfcZSU7RrBjKB8+a\n"
- "U1d6hwKhduVs2peIQzl+FiOSdWriLcsZv79q4sBhsQKBgQDUDVTf5BGJ8apOs/17\n"
- "YVk+Ad8Ey8sXvsfk49psmlCRa8Z4g0LVXfrP94qzhtl8U5kE9hs3nEF4j/kX1ZWG\n"
- "k11tdsNTZN5x5bbAgEgPA6Ap6J/uto0HS8G0vSv0lyBymdKA3p/i5Dx+8Nc9cGns\n"
- "LGI9MvviLX7pQFIkvbaCkdKwYwKBgQDirowjWZnm7BgVhF0G1m3DY9nQTYYU185W\n"
- "UESaO5/nVzwUrA+FypJamD+AvmlSuY8rJeQAGAS6nQr9G8/617r+GwJnzRtxC6Vl\n"
- "4OF5BJRsD70oX4CFOOlycMoJ8tzcYVH7NI8KVocjxb+QW82hqSvEwSsvnwwn3eOW\n"
- "nr5u5vIHmQKBgCuc3lL6Dl1ntdZgEIdau0cUjXDoFUo589TwxBDIID/4gaZxoMJP\n"
- "hPFXAVDxMDPw4azyjSB/47tPKTUsuYcnMfT8kynIujOEwnSPLcLgxQU5kgM/ynuw\n"
- "qhNpQOwaVRMc7f2RTCMXPBYDpNE/GJn5eu8JWGLpZovEreBeoHX0VffvAoGAVrWn\n"
- "+3mxykhzaf+oyg3KDNysG+cbq+tlDVVE+K5oG0kePVYX1fjIBQmJ+QhdJ3y9jCbB\n"
- "UVveqzeZVXqHEw/kgoD4aZZmsdZfnVnpRa5/y9o1ZDUr50n+2nzUe/u/ijlb77iK\n"
- "Is04gnGJNoI3ZWhdyrSNfXjcYH+bKClu9OM4n7kCgYAorc3PAX7M0bsQrrqYxUS8\n"
- "56UU0YdhAgYitjM7Fm/0iIm0vDpSevxL9js4HnnsSMVR77spCBAGOCCZrTcI3Ejg\n"
- "xKDYzh1xlfMRjJBuBu5Pd55ZAv9NXFGpsX5SO8fDZQJMwpcbQH36+UdqRRFDpjJ0\n"
- "ZbX6nKcJ7jciJVKJds59Jg==\n"
- "-----END PRIVATE KEY-----\n";
+static const char *const key3 = "-----BEGIN PRIVATE KEY-----\n"
+ "MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC7xFoR6fmoyfsJ\n"
+ "IQDKKgbYgFw0MzVuDAmpRx6KTEihgTchkQx9fHddWbKiOUbcEnQi3LNux7P4QVl/\n"
+ "4dRR3skisBug6Vd5LXeBGZqmpu5XZiF4DgLz1lX21G0aOogFWkie2qGEcso40159\n"
+ "x9FBDl5A3sLP18ubeex0pd/BzDFv6SLOTyVWO/GCNc8IX/i0uN4mLvoVU00SeqwT\n"
+ "PnS+CRXrSq4JjGDJLsXl0/PlxkjsgU0yOOA0Z2d8Fzk3wClwP6Hc49BOMWKstUIh\n"
+ "LbG2DcIv8l29EuEj2w3ju/7gkewol96XQ2twpPvpoVAaiVh/m7hQUcQORQCD6eJc\n"
+ "DjOZVCArAgMBAAECggEACqkuWAAJ3cyCBVWrXs8eDmLTWV9i9DmYvtS75ixIn2rf\n"
+ "v3cl12YevN0f6FgKLuqZT3Vqdqq+DCVhuIIQ9QkKMH8BQpSdE9NCCsFyZ23o8Gtr\n"
+ "EQ7ymfecb+RFwYx7NpqWrvZI32VJGArgPZH/zorLTTGYrAZbmBtHEqRsXOuEDw97\n"
+ "slwwcWaa9ztaYC8/N/7fgsnydaCFSaOByRlWuyvSmHvn6ZwLv8ANOshY6fstC0Jb\n"
+ "BW0GpSe9eZPjpl71VT2RtpghqLV5+iAoFDHoT+eZvBospcUGtfcZSU7RrBjKB8+a\n"
+ "U1d6hwKhduVs2peIQzl+FiOSdWriLcsZv79q4sBhsQKBgQDUDVTf5BGJ8apOs/17\n"
+ "YVk+Ad8Ey8sXvsfk49psmlCRa8Z4g0LVXfrP94qzhtl8U5kE9hs3nEF4j/kX1ZWG\n"
+ "k11tdsNTZN5x5bbAgEgPA6Ap6J/uto0HS8G0vSv0lyBymdKA3p/i5Dx+8Nc9cGns\n"
+ "LGI9MvviLX7pQFIkvbaCkdKwYwKBgQDirowjWZnm7BgVhF0G1m3DY9nQTYYU185W\n"
+ "UESaO5/nVzwUrA+FypJamD+AvmlSuY8rJeQAGAS6nQr9G8/617r+GwJnzRtxC6Vl\n"
+ "4OF5BJRsD70oX4CFOOlycMoJ8tzcYVH7NI8KVocjxb+QW82hqSvEwSsvnwwn3eOW\n"
+ "nr5u5vIHmQKBgCuc3lL6Dl1ntdZgEIdau0cUjXDoFUo589TwxBDIID/4gaZxoMJP\n"
+ "hPFXAVDxMDPw4azyjSB/47tPKTUsuYcnMfT8kynIujOEwnSPLcLgxQU5kgM/ynuw\n"
+ "qhNpQOwaVRMc7f2RTCMXPBYDpNE/GJn5eu8JWGLpZovEreBeoHX0VffvAoGAVrWn\n"
+ "+3mxykhzaf+oyg3KDNysG+cbq+tlDVVE+K5oG0kePVYX1fjIBQmJ+QhdJ3y9jCbB\n"
+ "UVveqzeZVXqHEw/kgoD4aZZmsdZfnVnpRa5/y9o1ZDUr50n+2nzUe/u/ijlb77iK\n"
+ "Is04gnGJNoI3ZWhdyrSNfXjcYH+bKClu9OM4n7kCgYAorc3PAX7M0bsQrrqYxUS8\n"
+ "56UU0YdhAgYitjM7Fm/0iIm0vDpSevxL9js4HnnsSMVR77spCBAGOCCZrTcI3Ejg\n"
+ "xKDYzh1xlfMRjJBuBu5Pd55ZAv9NXFGpsX5SO8fDZQJMwpcbQH36+UdqRRFDpjJ0\n"
+ "ZbX6nKcJ7jciJVKJds59Jg==\n"
+ "-----END PRIVATE KEY-----\n";
 static const char *const hash3 = "2463628674E362578113F508BA05F29EF142E979";
 static const char *const cname3 = "ovpn-test-rsa1";
 
@@ -162,4 +160,4 @@ static const char *const cert4 =
 static const char *const hash4 = "E1401D4497C944783E3D62CDBD2A1F69F5E5071E";
 #define cname4 cname3 /* same CN as that of cert3 */
 
-#endif /* CERT_DATA_H */
+#endif /* CERT_DATA_H */
diff --git a/tests/unit_tests/openvpn/mock_management.c b/tests/unit_tests/openvpn/mock_management.c
index 9674b4593..b24e4c4f1 100644
--- a/tests/unit_tests/openvpn/mock_management.c
+++ b/tests/unit_tests/openvpn/mock_management.c
@@ -42,8 +42,7 @@ management_auth_failure(struct management *man, const char *type, const char *re
 }
 
 char *
-management_query_pk_sig(struct management *man, const char *b64_data,
- const char *algorithm)
+management_query_pk_sig(struct management *man, const char *b64_data, const char *algorithm)
 {
 return NULL;
 }
diff --git a/tests/unit_tests/openvpn/mock_msg.c b/tests/unit_tests/openvpn/mock_msg.c
index 5407561cf..603520b90 100644
--- a/tests/unit_tests/openvpn/mock_msg.c
+++ b/tests/unit_tests/openvpn/mock_msg.c
@@ -71,8 +71,7 @@ get_debug_level(void)
 }
 
 void
-x_msg_va(const unsigned int flags, const char *format,
- va_list arglist)
+x_msg_va(const unsigned int flags, const char *format, va_list arglist)
 {
 if (flags & M_FATAL)
 {
@@ -107,7 +106,7 @@ assert_failed(const char *filename, int line, const char *condition)
 /* Keep compiler happy. Should not happen, mock_assert() does not return */
 exit(1);
 }
-#else /* ifndef NO_CMOCKA */
+#else /* ifndef NO_CMOCKA */
 void
 assert_failed(const char *filename, int line, const char *condition)
 {
diff --git a/tests/unit_tests/openvpn/mock_msg.h b/tests/unit_tests/openvpn/mock_msg.h
index 40d76096a..f4ebc235a 100644
--- a/tests/unit_tests/openvpn/mock_msg.h
+++ b/tests/unit_tests/openvpn/mock_msg.h
@@ -35,13 +35,10 @@ void mock_set_debug_level(int level);
 extern bool fatal_error_triggered;
 extern char mock_msg_buf[MOCK_MSG_BUF];
 
-void
-mock_set_debug_level(int level);
+void mock_set_debug_level(int level);
 
-int
-mock_get_debug_level(void);
+int mock_get_debug_level(void);
 
-void
-mock_set_print_debug_level(int level);
+void mock_set_print_debug_level(int level);
 
 #endif /* MOCK_MSG */
diff --git a/tests/unit_tests/openvpn/mock_ssl_dependencies.c b/tests/unit_tests/openvpn/mock_ssl_dependencies.c
index 2a562fcc5..7333c473e 100644
--- a/tests/unit_tests/openvpn/mock_ssl_dependencies.c
+++ b/tests/unit_tests/openvpn/mock_ssl_dependencies.c
@@ -37,8 +37,8 @@
 #include "ssl_verify.h"
 
 int
-parse_line(const char *line, char **p, const int n, const char *file,
- const int line_num, int msglevel, struct gc_arena *gc)
+parse_line(const char *line, char **p, const int n, const char *file, const int line_num,
+ int msglevel, struct gc_arena *gc)
 {
 /* Dummy function to get the linker happy, should never be called */
 assert_true(false);
diff --git a/tests/unit_tests/openvpn/pkey_test_utils.c b/tests/unit_tests/openvpn/pkey_test_utils.c
index 56608ea64..c9aef463b 100644
--- a/tests/unit_tests/openvpn/pkey_test_utils.c
+++ b/tests/unit_tests/openvpn/pkey_test_utils.c
@@ -56,14 +56,14 @@ digest_sign_verify(EVP_PKEY *privkey, EVP_PKEY *pubkey)
 size_t siglen = 0;
 int ret = 0;
 
- OSSL_PARAM params[2] = {OSSL_PARAM_END};
+ OSSL_PARAM params[2] = { OSSL_PARAM_END };
 const char *mdname = "SHA256";
 if (EVP_PKEY_get_id(privkey) == EVP_PKEY_RSA)
 {
 const char *padmode = "pss";
 /* RSA_PSS: for all other params, use defaults */
- params[0] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE,
- (char *)padmode, 0);
+ params[0] =
+ OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, (char *)padmode, 0);
 params[1] = OSSL_PARAM_construct_end();
 }
 else if (EVP_PKEY_get_id(privkey) == EVP_PKEY_EC)
@@ -79,8 +79,7 @@ digest_sign_verify(EVP_PKEY *privkey, EVP_PKEY *pubkey)
 
 EVP_PKEY_CTX *pctx = NULL;
 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
- if (!mctx
- || EVP_DigestSignInit_ex(mctx, &pctx, mdname, tls_libctx, NULL, privkey, params) <= 0)
+ if (!mctx || EVP_DigestSignInit_ex(mctx, &pctx, mdname, tls_libctx, NULL, privkey, params) <= 0)
 {
 /* cmocka assert output for these kinds of failures is hardly explanatory,
 * print a message and assert in caller. */
@@ -115,7 +114,7 @@ digest_sign_verify(EVP_PKEY *privkey, EVP_PKEY *pubkey)
 mctx = EVP_MD_CTX_new();
 pctx = NULL;
 if (!mctx
- || EVP_DigestVerifyInit_ex(mctx, &pctx, mdname, tls_libctx, NULL, pubkey, params) <= 0)
+ || EVP_DigestVerifyInit_ex(mctx, &pctx, mdname, tls_libctx, NULL, pubkey, params) <= 0)
 {
 print_error("Failed to initialize EVP_DigestVerifyInit_ex()");
 goto done;
diff --git a/tests/unit_tests/openvpn/test_argv.c b/tests/unit_tests/openvpn/test_argv.c
index 33b3dec00..a65857b3b 100644
--- a/tests/unit_tests/openvpn/test_argv.c
+++ b/tests/unit_tests/openvpn/test_argv.c
@@ -15,15 +15,15 @@
 #include "test_common.h"
 
 /* Defines for use in the tests and the mock parse_line() */
-#define PATH1 "/s p a c e"
-#define PATH2 "/foo bar/baz"
-#define PARAM1 "param1"
-#define PARAM2 "param two"
-#define SCRIPT_CMD "\"" PATH1 PATH2 "\"" PARAM1 "\"" PARAM2 "\""
+#define PATH1 "/s p a c e"
+#define PATH2 "/foo bar/baz"
+#define PARAM1 "param1"
+#define PARAM2 "param two"
+#define SCRIPT_CMD "\"" PATH1 PATH2 "\"" PARAM1 "\"" PARAM2 "\""
 
 int
-__wrap_parse_line(const char *line, char **p, const int n, const char *file,
- const int line_num, int msglevel, struct gc_arena *gc)
+__wrap_parse_line(const char *line, char **p, const int n, const char *file, const int line_num,
+ int msglevel, struct gc_arena *gc)
 {
 p[0] = PATH1 PATH2;
 p[1] = PARAM1;
@@ -201,10 +201,10 @@ argv_str__multiple_argv__correct_output(void **state)
 argv_printf_cat(&a, "%s", PARAM2);
 argv_printf_cat(&a, "%d", -1);
 argv_printf_cat(&a, "%u", -1);
- argv_printf_cat(&a, "%lu", 1L );
+ argv_printf_cat(&a, "%lu", 1L);
 output = argv_str(&a, &gc, PA_BRACKET);
 assert_string_equal(output, "[" PATH1 PATH2 "] [" PARAM1 "] [" PARAM2 "]"
- " [-1] [4294967295] [1]");
+ " [-1] [4294967295] [1]");
 
 argv_free(&a);
 gc_free(&gc);
diff --git a/tests/unit_tests/openvpn/test_auth_token.c b/tests/unit_tests/openvpn/test_auth_token.c
index 960422c18..0c5467e0e 100644
--- a/tests/unit_tests/openvpn/test_auth_token.c
+++ b/tests/unit_tests/openvpn/test_auth_token.c
@@ -36,7 +36,8 @@
 #include "auth_token.c"
 #include "test_common.h"
 
-struct test_context {
+struct test_context
+{
 struct tls_multi multi;
 struct key_type kt;
 struct user_pass up;
@@ -52,10 +53,10 @@ send_push_reply_auth_token(struct tls_multi *multi)
 void
 auth_set_client_reason(struct tls_multi *multi, const char *reason)
 {
-
 }
 
-static const char *now0key0 = "SESS_ID_AT_0123456789abcdefAAAAAAAAAAAAAAAAAAAAAE5JsQJOVfo8jnI3RL3tBaR5NkE4yPfcylFUHmHSc5Bu";
+static const char *now0key0 =
+ "SESS_ID_AT_0123456789abcdefAAAAAAAAAAAAAAAAAAAAAE5JsQJOVfo8jnI3RL3tBaR5NkE4yPfcylFUHmHSc5Bu";
 
 static const char *zeroinline = "-----BEGIN OpenVPN auth-token server key-----\n"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
@@ -63,21 +64,24 @@ static const char *zeroinline = "-----BEGIN OpenVPN auth-token server key-----\n
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n"
 "-----END OpenVPN auth-token server key-----";
 
-static const char *allx01inline = "-----BEGIN OpenVPN auth-token server key-----\n"
- "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB\n"
- "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB\n"
- "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=\n"
- "-----END OpenVPN auth-token server key-----";
-
-static const char *random_key = "-----BEGIN OpenVPN auth-token server key-----\n"
- "+mmmf7IQ5cymtMVjKYTWk8IOcYanRlpQmV9Tb3EjkHYxueBVDg3yqRgzeBlVGzNLD//rAPiOVhau\n"
- "3NDBjNOQB8951bfs7Cc2mYfay92Bh2gRJ5XEM/DMfzCWN+7uU6NWoTTHr4FuojnIQtjtqVAj/JS9\n"
- "w+dTSp/vYHl+c7uHd19uVRu/qLqV85+rm4tUGIjO7FfYuwyPqwmhuIsi3hs9QkSimh888FmBpoKY\n"
- "/tbKVTJZmSERKti9KEwtV2eVAR0znN5KW7lCB3mHVAhN7bUpcoDjfCzYIFARxwswTFu9gFkwqUMY\n"
- "I1KUOgIsVNs4llACioeXplYekWETR+YkJwDc/A==\n"
- "-----END OpenVPN auth-token server key-----";
+static const char *allx01inline =
+ "-----BEGIN OpenVPN auth-token server key-----\n"
+ "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB\n"
+ "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB\n"
+ "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=\n"
+ "-----END OpenVPN auth-token server key-----";
 
-static const char *random_token = "SESS_ID_AT_ThhRItzOKNKrh3dfAAAAAFwzHpwAAAAAXDMenDdrq0RoH3dkA1f7O3wO+7kZcx2DusVZrRmFlWQM9HOb";
+static const char *random_key =
+ "-----BEGIN OpenVPN auth-token server key-----\n"
+ "+mmmf7IQ5cymtMVjKYTWk8IOcYanRlpQmV9Tb3EjkHYxueBVDg3yqRgzeBlVGzNLD//rAPiOVhau\n"
+ "3NDBjNOQB8951bfs7Cc2mYfay92Bh2gRJ5XEM/DMfzCWN+7uU6NWoTTHr4FuojnIQtjtqVAj/JS9\n"
+ "w+dTSp/vYHl+c7uHd19uVRu/qLqV85+rm4tUGIjO7FfYuwyPqwmhuIsi3hs9QkSimh888FmBpoKY\n"
+ "/tbKVTJZmSERKti9KEwtV2eVAR0znN5KW7lCB3mHVAhN7bUpcoDjfCzYIFARxwswTFu9gFkwqUMY\n"
+ "I1KUOgIsVNs4llACioeXplYekWETR+YkJwDc/A==\n"
+ "-----END OpenVPN auth-token server key-----";
+
+static const char *random_token =
+ "SESS_ID_AT_ThhRItzOKNKrh3dfAAAAAFwzHpwAAAAAXDMenDdrq0RoH3dkA1f7O3wO+7kZcx2DusVZrRmFlWQM9HOb";
 
 
 static int
@@ -87,7 +91,7 @@ setup(void **state)
 *state = ctx;
 
 struct key_parameters key = { 0 };
- key.hmac_size = MAX_HMAC_KEY_LENGTH; /* 64 byte of 0 */
+ key.hmac_size = MAX_HMAC_KEY_LENGTH; /* 64 byte of 0 */
 
 ctx->kt = auth_token_kt();
 if (!ctx->kt.digest)
@@ -115,7 +119,7 @@ setup(void **state)
 static int
 teardown(void **state)
 {
- struct test_context *ctx = (struct test_context *) *state;
+ struct test_context *ctx = (struct test_context *)*state;
 
 free_key_ctx(&ctx->multi.opt.auth_token_key);
 wipe_auth_token(&ctx->multi);
@@ -129,23 +133,21 @@ teardown(void **state)
 static void
 auth_token_basic_test(void **state)
 {
- struct test_context *ctx = (struct test_context *) *state;
+ struct test_context *ctx = (struct test_context *)*state;
 
 generate_auth_token(&ctx->up, &ctx->multi);
 strcpy(ctx->up.password, ctx->multi.auth_token);
- assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK);
+ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
 }
 
 static void
 auth_token_fail_invalid_key(void **state)
 {
- struct test_context *ctx = (struct test_context *) *state;
+ struct test_context *ctx = (struct test_context *)*state;
 
 generate_auth_token(&ctx->up, &ctx->multi);
 strcpy(ctx->up.password, ctx->multi.auth_token);
- assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK);
+ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
 
 /* Change auth-token key */
 struct key_parameters key;
@@ -161,15 +163,13 @@ auth_token_fail_invalid_key(void **state)
 memset(&key.hmac, 0, sizeof(key.hmac));
 free_key_ctx(&ctx->multi.opt.auth_token_key);
 init_key_ctx(&ctx->multi.opt.auth_token_key, &key, &ctx->kt, false, "TEST");
- assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK);
-
+ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
 }
 
 static void
 auth_token_test_timeout(void **state)
 {
- struct test_context *ctx = (struct test_context *) *state;
+ struct test_context *ctx = (struct test_context *)*state;
 
 now = 100000;
 generate_auth_token(&ctx->up, &ctx->multi);
@@ -179,33 +179,31 @@ auth_token_test_timeout(void **state)
 ctx->multi.auth_token_initial = NULL;
 
 /* No time has passed */
- assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK);
+ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
 
 /* Token before validity, should be rejected */
 now = 100000 - 100;
 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED);
+ AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_EXPIRED);
 
 /* Token no valid for renegotiate_seconds but still for renewal_time */
- now = 100000 + 2*ctx->session->opt->renegotiate_seconds - 20;
+ now = 100000 + 2 * ctx->session->opt->renegotiate_seconds - 20;
 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED);
+ AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_EXPIRED);
 
- now = 100000 + 2*ctx->session->opt->auth_token_renewal - 20;
- assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK);
+ now = 100000 + 2 * ctx->session->opt->auth_token_renewal - 20;
+ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
 
 /* Token past validity, should be rejected */
- now = 100000 + 2*ctx->session->opt->renegotiate_seconds + 20;
+ now = 100000 + 2 * ctx->session->opt->renegotiate_seconds + 20;
 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED);
+ AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_EXPIRED);
 
 /* But not when we reached our timeout */
 now = 100000 + ctx->session->opt->auth_token_lifetime + 1;
 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED);
+ AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_EXPIRED);
 
 free(ctx->multi.auth_token_initial);
 ctx->multi.auth_token_initial = NULL;
@@ -223,26 +221,25 @@ auth_token_test_timeout(void **state)
 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED);
+ AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_EXPIRED);
 
 ctx->multi.opt.auth_token_lifetime = 0;
 /* Non expiring token should be fine */
- assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK);
+ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
 }
 
 static void
 zerohmac(char *token)
 {
- char *hmacstart = token + AUTH_TOKEN_SESSION_ID_LEN
- + strlen(SESSION_ID_PREFIX) + 2*sizeof(uint64_t);
+ char *hmacstart =
+ token + AUTH_TOKEN_SESSION_ID_LEN + strlen(SESSION_ID_PREFIX) + 2 * sizeof(uint64_t);
 memset(hmacstart, 0x8d, strlen(hmacstart));
 }
 
 static void
 auth_token_test_known_keys(void **state)
 {
- struct test_context *ctx = (struct test_context *) *state;
+ struct test_context *ctx = (struct test_context *)*state;
 
 now = 0;
 /* Preload the session id so the same session id is used here */
@@ -257,8 +254,7 @@ auth_token_test_known_keys(void **state)
 assert_string_equal(now0key0, ctx->multi.auth_token);
 
 strcpy(ctx->up.password, ctx->multi.auth_token);
- assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK);
+ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
 }
 
 static const char *lastsesion_statevalue;
@@ -274,13 +270,12 @@ setenv_str(struct env_set *es, const char *name, const char *value)
 void
 auth_token_test_session_mismatch(void **state)
 {
- struct test_context *ctx = (struct test_context *) *state;
+ struct test_context *ctx = (struct test_context *)*state;
 
 /* Generate first auth token and check it is correct */
 generate_auth_token(&ctx->up, &ctx->multi);
 strcpy(ctx->up.password, ctx->multi.auth_token);
- assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK);
+ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
 
 char *token_sessiona = strdup(ctx->multi.auth_token);
 
@@ -289,8 +284,7 @@ auth_token_test_session_mismatch(void **state)
 
 generate_auth_token(&ctx->up, &ctx->multi);
 strcpy(ctx->up.password, ctx->multi.auth_token);
- assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK);
+ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
 
 assert_int_not_equal(0, memcmp(ctx->multi.auth_token_initial + strlen(SESSION_ID_PREFIX),
 token_sessiona + strlen(SESSION_ID_PREFIX),
@@ -306,39 +300,37 @@ auth_token_test_session_mismatch(void **state)
 static void
 auth_token_test_empty_user(void **state)
 {
- struct test_context *ctx = (struct test_context *) *state;
+ struct test_context *ctx = (struct test_context *)*state;
 
 CLEAR(ctx->up.username);
 now = 0;
 generate_auth_token(&ctx->up, &ctx->multi);
 strcpy(ctx->up.password, ctx->multi.auth_token);
- assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK);
+ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
 
 now = 100000;
 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED);
+ AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_EXPIRED);
 
 strcpy(ctx->up.username, "test user name");
 now = 0;
 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_VALID_EMPTYUSER);
+ AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_VALID_EMPTYUSER);
 
 strcpy(ctx->up.username, "test user name");
 now = 100000;
 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED|AUTH_TOKEN_VALID_EMPTYUSER);
+ AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_EXPIRED | AUTH_TOKEN_VALID_EMPTYUSER);
 
 zerohmac(ctx->up.password);
- assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- 0);
+ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), 0);
 }
 
 static void
 auth_token_test_env(void **state)
 {
- stru
ct test_context *ctx = (struct test_context *) *state;
+ struct test_context *ctx = (struct test_context *)*state;
 
 struct key_state *ks = &ctx->multi.session[TM_ACTIVE].key[KS_PRIMARY];
 
@@ -356,15 +348,16 @@ auth_token_test_env(void **state)
 add_session_token_env(ctx->session, &ctx->multi, &ctx->up);
 assert_string_equal(lastsesion_statevalue, "Authenticated");
 
- ks->auth_token_state_flags = AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED;
+ ks->auth_token_state_flags = AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_EXPIRED;
 add_session_token_env(ctx->session, &ctx->multi, &ctx->up);
 assert_string_equal(lastsesion_statevalue, "Expired");
 
- ks->auth_token_state_flags = AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_VALID_EMPTYUSER;
+ ks->auth_token_state_flags = AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_VALID_EMPTYUSER;
 add_session_token_env(ctx->session, &ctx->multi, &ctx->up);
 assert_string_equal(lastsesion_statevalue, "AuthenticatedEmptyUser");
 
- ks->auth_token_state_flags = AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED|AUTH_TOKEN_VALID_EMPTYUSER;
+ ks->auth_token_state_flags =
+ AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_EXPIRED | AUTH_TOKEN_VALID_EMPTYUSER;
 add_session_token_env(ctx->session, &ctx->multi, &ctx->up);
 assert_string_equal(lastsesion_statevalue, "ExpiredEmptyUser");
 }
@@ -372,7 +365,7 @@ auth_token_test_env(void **state)
 static void
 auth_token_test_random_keys(void **state)
 {
- struct test_context *ctx = (struct test_context *) *state;
+ struct test_context *ctx = (struct test_context *)*state;
 
 now = 0x5c331e9c;
 /* Preload the session id so the same session id is used here */
@@ -397,7 +390,7 @@ auth_token_test_random_keys(void **state)
 static void
 auth_token_test_key_load(void **state)
 {
- struct test_context *ctx = (struct test_context *) *state;
+ struct test_context *ctx = (struct test_context *)*state;
 
 free_key_ctx(&ctx->multi.opt.auth_token_key);
 auth_token_init_secret(&ctx->multi.opt.auth_token_key, zeroinline, true);
diff --git a/tests/unit_tests/openvpn/test_buffer.c b/tests/unit_tests/openvpn/test_buffer.c
index 4b3aaf8cc..0cfb9184c 100644
--- a/tests/unit_tests/openvpn/test_buffer.c
+++ b/tests/unit_tests/openvpn/test_buffer.c
@@ -43,13 +43,13 @@ test_buffer_strprefix(void **state)
 assert_false(strprefix("12", "123"));
 }
 
-#define testsep ","
+#define testsep ","
 #define testnosep ""
-#define teststr1 "one"
-#define teststr2 "two"
-#define teststr3 "three"
+#define teststr1 "one"
+#define teststr2 "two"
+#define teststr3 "three"
 
-#define assert_buf_equals_str(buf, str) \
+#define assert_buf_equals_str(buf, str) \
 assert_int_equal(BLEN(buf), strlen(str)); \
 assert_memory_equal(BPTR(buf), str, BLEN(buf));
 
@@ -82,9 +82,7 @@ static void
 test_buffer_format_hex_ex(void **state)
 {
 const int input_size = 10;
- const uint8_t input[] = {
- 0x01, 0x00, 0xff, 0x10, 0xff, 0x00, 0xf0, 0x0f, 0x09, 0x0a
- };
+ const uint8_t input[] = { 0x01, 0x00, 0xff, 0x10, 0xff, 0x00, 0xf0, 0x0f, 0x09, 0x0a };
 char *output;
 struct gc_arena gc = gc_new();
 
@@ -113,7 +111,8 @@ test_buffer_format_hex_ex(void **state)
 gc_free(&gc);
 }
 
-struct test_buffer_list_aggregate_ctx {
+struct test_buffer_list_aggregate_ctx
+{
 struct buffer_list *empty;
 struct buffer_list *one_two_three;
 struct buffer_list *zero_length_strings;
@@ -123,7 +122,7 @@ struct test_buffer_list_aggregate_ctx {
 static int
 test_buffer_list_setup(void **state)
 {
- struct test_buffer_list_aggregate_ctx *ctx = calloc(1, sizeof(*ctx));
+ struct test_buffer_list_aggregate_ctx *ctx = calloc(1, sizeof(*ctx));
 
 ctx->empty = buffer_list_new();
 ctx->one_two_three = buffer_list_new();
@@ -188,8 +187,7 @@ test_buffer_list_aggregate_separator_two(void **state)
 
 /* Aggregate the first two elements
 * (add 1 to max_len to test if "three" is not sneaked in too) */
- buffer_list_aggregate_separator(ctx->one_two_three, strlen(expected) + 1,
- testsep);
+ buffer_list_aggregate_separator(ctx->one_two_three, strlen(expected) + 1, testsep);
 assert_int_equal(ctx->one_two_three->size, 2);
 struct buffer *buf = buffer_list_peek(ctx->one_two_three);
 assert_buf_equals_str(buf, expected);
@@ -201,11 +199,10 @@ test_buffer_list_aggregate_separator_all(void **state)
 struct test_buffer_list_aggregate_ctx *ctx = *state;
 
 /* Aggregate all */
- buffer_list_aggregate_separator(ctx->one_two_three, 1<<16, testsep);
+ buffer_list_aggregate_separator(ctx->one_two_three, 1 << 16, testsep);
 assert_int_equal(ctx->one_two_three->size, 1);
 struct buffer *buf = buffer_list_peek(ctx->one_two_three);
- assert_buf_equals_str(buf,
- teststr1 testsep teststr2 testsep teststr3 testsep);
+ assert_buf_equals_str(buf, teststr1 testsep teststr2 testsep teststr3 testsep);
 }
 
 static void
@@ -214,7 +211,7 @@ test_buffer_list_aggregate_separator_nosep(void **state)
 struct test_buffer_list_aggregate_ctx *ctx = *state;
 
 /* Aggregate all */
- buffer_list_aggregate_separator(ctx->one_two_three, 1<<16, testnosep);
+ buffer_list_aggregate_separator(ctx->one_two_three, 1 << 16, testnosep);
 assert_int_equal(ctx->one_two_three->size, 1);
 struct buffer *buf = buffer_list_peek(ctx->one_two_three);
 assert_buf_equals_str(buf, teststr1 teststr2 teststr3);
@@ -227,7 +224,7 @@ test_buffer_list_aggregate_separator_zerolen(void **state)
 struct buffer_list *bl_zerolen = ctx->zero_length_strings;
 
 /* Aggregate all */
- buffer_list_aggregate_separator(bl_zerolen, 1<<16, testnosep);
+ buffer_list_aggregate_separator(bl_zerolen, 1 << 16, testnosep);
 assert_int_equal(bl_zerolen->size, 1);
 struct buffer *buf = buffer_list_peek(bl_zerolen);
 assert_buf_equals_str(buf, "");
@@ -240,7 +237,7 @@ test_buffer_list_aggregate_separator_emptybuffers(void **state)
 struct buffer_list *bl_emptybuffers = ctx->empty_buffers;
 
 /* Aggregate all */
- buffer_list_aggregate_separator(bl_emptybuffers, 1<<16, testnosep);
+ buffer_list_aggregate_separator(bl_emptybuffers, 1 << 16, testnosep);
 assert_int_equal(bl_emptybuffers->size, 1);
 struct buffer *buf = buffer_list_peek(bl_emptybuffers);
 assert_int_equal(BLEN(buf), 0);
@@ -344,11 +341,12 @@ test_character_class(void **state)
 assert_string_equal(buf, "There.is...a.nice......year.old.tr..ee.");
 
 strcpy(buf, "There is \x01 a 'nice' \"1234\"\n year old \ntr\x7f ee!");
- assert_false(string_mod(buf, CC_ALPHA|CC_DIGIT|CC_NEWLINE|CC_SINGLE_QUOTE, CC_DOUBLE_QUOTE|CC_BLANK, '.'));
+ assert_false(string_mod(buf, CC_ALPHA | CC_DIGIT | CC_NEWLINE | CC_SINGLE_QUOTE,
+ CC_DOUBLE_QUOTE | CC_BLANK, '.'));
 assert_string_equal(buf, "There.is...a.'nice'..1234.\n.year.old.\ntr..ee.");
 
 strcpy(buf, "There is a \\'nice\\' \"1234\" [*] year old \ntree!");
- assert_false(string_mod(buf, CC_PRINT, CC_BACKSLASH|CC_ASTERISK, '.'));
+ assert_false(string_mod(buf, CC_PRINT, CC_BACKSLASH | CC_ASTERISK, '.'));
 assert_string_equal(buf, "There is a .'nice.' \"1234\" [.] year old .tree!");
 }
 
@@ -360,7 +358,7 @@ test_character_string_mod_buf(void **state)
 
 struct buffer buf = alloc_buf_gc(1024, &gc);
 
- const char test1[] = "There is a nice 1234\x00 year old tree!";
+ const char test1[] = "There is a nice 1234\x00 year old tree!";
 buf_write(&buf, test1, sizeof(test1));
 
 /* allow the null bytes and string but not the ! */
@@ -432,7 +430,7 @@ test_buffer_chomp(void **state)
 struct gc_arena gc = gc_new();
 struct buffer buf = alloc_buf_gc(1024, &gc);
 
- const char test1[] = "There is a nice 1234 year old tree!\n\r";
+ const char test1[] = "There is a nice 1234 year old tree!\n\r";
 buf_write(&buf, test1, sizeof(test1));
 buf_chomp(&buf);
 /* Check that our own method agrees */
@@ -440,7 +438,7 @@ test_buffer_chomp(void **state)
 assert_string_equal(BSTR(&buf), "There is a nice 1234 year old tree!");
 
 struct buffer buf2 = alloc_buf_gc(1024, &gc);
- const char test2[] = "CR_RESPONSE,MTIx\x0a\x00";
+ const char test2[] = "CR_RESPONSE,MTIx\x0a\x00";
 buf_write(&buf2, test2, sizeof(test2));
 buf_chomp(&buf2);
 
@@ -461,26 +459,19 @@ main(void)
 cmocka_unit_test(test_buffer_printf_catrunc),
 cmocka_unit_test(test_buffer_format_hex_ex),
 cmocka_unit_test_setup_teardown(test_buffer_list_aggregate_separator_empty,
- test_buffer_list_setup,
- test_buffer_list_teardown),
+ test_buffer_list_setup, test_buffer_list_teardown),
 cmocka_unit_test_setup_teardown(test_buffer_list_aggregate_separator_noop,
- test_buffer_list_setup,
- test_buffer_list_teardown),
+ test_buffer_list_setup, test_buffer_list_teardown),
 cmocka_unit_test_setup_teardown(test_buffer_list_aggregate_separator_two,
- test_buffer_list_setup,
- test_buffer_list_teardown),
+ test_buffer_list_setup, test_buffer_list_teardown),
 cmocka_unit_test_setup_teardown(test_buffer_list_aggregate_separator_all,
- test_buffer_list_setup,
- test_buffer_list_teardown),
+ test_buffer_list_setup, test_buffer_list_teardown),
 cmocka_unit_test_setup_teardown(test_buffer_list_aggregate_separator_nosep,
- test_buffer_list_setup,
- test_buffer_list_teardown),
+ test_buffer_list_setup, test_buffer_list_teardown),
 cmocka_unit_test_setup_teardown(test_buffer_list_aggregate_separator_zerolen,
- test_buffer_list_setup,
- test_buffer_list_teardown),
+ test_buffer_list_setup, test_buffer_list_teardown),
 cmocka_unit_test_setup_teardown(test_buffer_list_aggregate_separator_emptybuffers,
- test_buffer_list_setup,
- test_buffer_list_teardown),
+ test_buffer_list_setup, test_buffer_list_teardown),
 cmocka_unit_test(test_buffer_free_gc_one),
 cmocka_unit_test(test_buffer_free_gc_two),
 cmocka_unit_test(test_buffer_gc_realloc),
diff --git a/tests/unit_tests/openvpn/test_crypto.c b/tests/unit_tests/openvpn/test_crypto.c
index 1c3b14679..12ddabab9 100644
--- a/tests/unit_tests/openvpn/test_crypto.c
+++ b/tests/unit_tests/openvpn/test_crypto.c
@@ -156,7 +156,7 @@ crypto_test_tls_prf(void **state)
 const size_t seed_len = strlen(seedstr);
 
- const unsigned char *secret = (const unsigned char *) ipsumlorem;
+ const unsigned char *secret = (const unsigned char *)ipsumlorem;
 size_t secret_len = strlen((const char *)secret);
 
@@ -168,18 +168,16 @@ crypto_test_tls_prf(void **state)
 assert_false(ret);
 #else
 assert_true(ret);
- uint8_t good_prf[32] = {0xd9, 0x8c, 0x85, 0x18, 0xc8, 0x5e, 0x94, 0x69,
- 0x27, 0x91, 0x6a, 0xcf, 0xc2, 0xd5, 0x92, 0xfb,
- 0xb1, 0x56, 0x7e, 0x4b, 0x4b, 0x14, 0x59, 0xe6,
- 0xa9, 0x04, 0xac, 0x2d, 0xda, 0xb7, 0x2d, 0x67};
+ uint8_t good_prf[32] = { 0xd9, 0x8c, 0x85, 0x18, 0xc8, 0x5e, 0x94, 0x69, 0x27, 0x91, 0x6a,
+ 0xcf, 0xc2, 0xd5, 0x92, 0xfb, 0xb1, 0x56, 0x7e, 0x4b, 0x4b, 0x14,
+ 0x59, 0xe6, 0xa9, 0x04, 0xac, 0x2d, 0xda, 0xb7, 0x2d, 0x67 };
 assert_memory_equal(good_prf, out, sizeof(out));
 #endif
 }
 
-static uint8_t testkey[20] = {0x0b, 0x00};
-static uint8_t goodhash[20] = {0x58, 0xea, 0x5a, 0xf0, 0x42, 0x94, 0xe9, 0x17,
- 0xed, 0x84, 0xb9, 0xf0, 0x83, 0x30, 0x23, 0xae,
- 0x8b, 0xa7, 0x7e, 0xb8};
+static uint8_t testkey[20] = { 0x0b, 0x00 };
+static uint8_t goodhash[20] = { 0x58, 0xea, 0x5a, 0xf0, 0x42, 0x94, 0xe9, 0x17, 0xed, 0x84,
+ 0xb9, 0xf0, 0x83, 0x30, 0x23, 0xae, 0x8b, 0xa7, 0x7e, 0xb8 };
 
 static void
 crypto_test_hmac(void **state)
@@ -192,8 +190,8 @@ crypto_test_hmac(void **state)
 memcpy(key, testkey, sizeof(key));
 
 hmac_ctx_init(hmac, key, "SHA1");
- hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
- hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
+ hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int)strlen(ipsumlorem));
+ hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int)strlen(ipsumlorem));
 
 uint8_t hash[20];
 hmac_ctx_final(hmac, hash);
@@ -203,8 +201,8 @@ crypto_test_hmac(void **state)
 
 /* try again */
 hmac_ctx_reset(hmac);
- hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
- hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
+ hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int)strlen(ipsumlorem));
+ hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int)strlen(ipsumlorem));
 hmac_ctx_final(hmac, hash);
 assert_memory_equal(hash, goodhash, sizeof(hash));
 
@@ -213,8 +211,8 @@ crypto_test_hmac(void **state)
 memset(key, 0x55, sizeof(key));
 
 hmac_ctx_reset(hmac);
- hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
- hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
+ hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int)strlen(ipsumlorem));
+ hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int)strlen(ipsumlorem));
 hmac_ctx_final(hmac, hash);
 assert_memory_equal(hash, goodhash, sizeof(hash));
 
@@ -481,22 +479,16 @@ void
 crypto_test_hkdf_expand_testa1(void **state)
 {
 /* RFC 5889 A.1 Test Case 1 */
- uint8_t prk[32] =
- {0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf,
- 0x0d, 0xdc, 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63,
- 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, 0x9c, 0x31,
- 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5};
-
- uint8_t info[10] = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5,
- 0xf6, 0xf7, 0xf8, 0xf9};
-
- uint8_t okm[42] =
- {0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a,
- 0x90, 0x43, 0x4f, 0x64, 0xd0, 0x36, 0x2f, 0x2a,
- 0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c,
- 0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf,
- 0x34, 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18,
- 0x58, 0x65};
+ uint8_t prk[32] = { 0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf, 0x0d, 0xdc, 0x3f,
+ 0x0d, 0xc4, 0x7b, 0xba, 0x63, 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f,
+ 0x9c, 0x31, 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5 };
+
+ uint8_t info[10] = { 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9 };
+
+ uint8_t okm[42] = { 0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a, 0x90, 0x43, 0x4f,
+ 0x64, 0xd0, 0x36, 0x2f, 0x2a, 0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a,
+ 0x5a, 0x4c, 0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf, 0x34,
+ 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18, 0x58, 0x65 };
 
 uint8_t out[42];
 ovpn_hkdf_expand(prk, info, sizeof(info), out, sizeof(out));
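Review bot: The comment `/* RFC 5889 A.1 Test Case 1 */` on the new side cites the wrong document: these PRK/info/OKM vectors (PRK starting 0x07, 0x77, 0x09, 0x36 …) are the HKDF-Expand test vectors from RFC 5869 Appendix A, whereas RFC 5889 is an unrelated ad-hoc-network addressing document. The same typo appears in the A.2 and A.3 hunks (`/* RFC 5889 A.2 Test Case 2 */`, `/* RFC 5889 A.3 Test Case 3 */`), so all three should read `RFC 5869`. Since the reformat already touches these functions, correcting the comments here would keep the test vectors traceable to their source for anyone verifying the KDF implementation.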
@@ -508,39 +500,28 @@ void
 crypto_test_hkdf_expand_testa2(void **state)
 {
 /* RFC 5889 A.2 Test Case 2 */
- uint8_t prk[32] =
- {0x06, 0xa6, 0xb8, 0x8c, 0x58, 0x53, 0x36, 0x1a,
- 0x06, 0x10, 0x4c, 0x9c, 0xeb, 0x35, 0xb4, 0x5c,
- 0xef, 0x76, 0x00, 0x14, 0x90, 0x46, 0x71, 0x01,
- 0x4a, 0x19, 0x3f, 0x40, 0xc1, 0x5f, 0xc2, 0x44};
-
- uint8_t info[80] =
- {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
- 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
- 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
- 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
- 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
- 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
- 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
- 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
- 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
- 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff};
+ uint8_t prk[32] = { 0x06, 0xa6, 0xb8, 0x8c, 0x58, 0x53, 0x36, 0x1a, 0x06, 0x10, 0x4c,
+ 0x9c, 0xeb, 0x35, 0xb4, 0x5c, 0xef, 0x76, 0x00, 0x14, 0x90, 0x46,
+ 0x71, 0x01, 0x4a, 0x19, 0x3f, 0x40, 0xc1, 0x5f, 0xc2, 0x44 };
+
+ uint8_t info[80] = { 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb,
+ 0xbc, 0xbd, 0xbe, 0xbf, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
+ 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3,
+ 0xd4, 0xd5, 0xd6, 0xd7, 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
+ 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9, 0xea, 0xeb,
+ 0xec, 0xed, 0xee, 0xef, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
+ 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff };
 const int L = 82;
 
- uint8_t okm[82] =
- {0xb1, 0x1e, 0x39, 0x8d, 0xc8, 0x03, 0x27, 0xa1,
- 0xc8, 0xe7, 0xf7, 0x8c, 0x59, 0x6a, 0x49, 0x34,
- 0x4f, 0x01, 0x2e, 0xda, 0x2d, 0x4e, 0xfa, 0xd8,
- 0xa0, 0x50, 0xcc, 0x4c, 0x19, 0xaf, 0xa9, 0x7c,
- 0x59, 0x04, 0x5a, 0x99, 0xca, 0xc7, 0x82, 0x72,
- 0x71, 0xcb, 0x41, 0xc6, 0x5e, 0x59, 0x0e, 0x09,
- 0xda, 0x32, 0x75, 0x60, 0x0c, 0x2f, 0x09, 0xb8,
- 0x36, 0x77, 0x93, 0xa9, 0xac, 0xa3, 0xdb, 0x71,
- 0xcc, 0x30, 0xc5, 0x81, 0x79, 0xec, 0x3e, 0x87,
- 0xc1, 0x4c, 0x01, 0xd5, 0xc1, 0xf3, 0x43, 0x4f,
- 0x1d, 0x87};
-
- uint8_t out[82] = {0xaa};
+ uint8_t okm[82] = { 0xb1, 0x1e, 0x39, 0x8d, 0xc8, 0x03, 0x27, 0xa1, 0xc8, 0xe7, 0xf7, 0x8c,
+ 0x59, 0x6a, 0x49, 0x34, 0x4f, 0x01, 0x2e, 0xda, 0x2d, 0x4e, 0xfa, 0xd8,
+ 0xa0, 0x50, 0xcc, 0x4c, 0x19, 0xaf, 0xa9, 0x7c, 0x59, 0x04, 0x5a, 0x99,
+ 0xca, 0xc7, 0x82, 0x72, 0x71, 0xcb, 0x41, 0xc6, 0x5e, 0x59, 0x0e, 0x09,
+ 0xda, 0x32, 0x75, 0x60, 0x0c, 0x2f, 0x09, 0xb8, 0x36, 0x77, 0x93, 0xa9,
+ 0xac, 0xa3, 0xdb, 0x71, 0xcc, 0x30, 0xc5, 0x81, 0x79, 0xec, 0x3e, 0x87,
+ 0xc1, 0x4c, 0x01, 0xd5, 0xc1, 0xf3, 0x43, 0x4f, 0x1d, 0x87 };
+
+ uint8_t out[82] = { 0xaa };
 
 ovpn_hkdf_expand(prk, info, sizeof(info), out, L);
 assert_memory_equal(out, okm, L);
@@ -550,22 +531,17 @@ void
 crypto_test_hkdf_expand_testa3(void **state)
 {
 /* RFC 5889 A.3 Test Case 3 */
- uint8_t prk[32] =
- {0x19, 0xef, 0x24, 0xa3, 0x2c, 0x71, 0x7b, 0x16,
- 0x7f, 0x33, 0xa9, 0x1d, 0x6f, 0x64, 0x8b, 0xdf,
- 0x96, 0x59, 0x67, 0x76, 0xaf, 0xdb, 0x63, 0x77,
- 0xac, 0x43, 0x4c, 0x1c, 0x29, 0x3c, 0xcb, 0x04};
+ uint8_t prk[32] = { 0x19, 0xef, 0x24, 0xa3, 0x2c, 0x71, 0x7b, 0x16, 0x7f, 0x33, 0xa9,
+ 0x1d, 0x6f, 0x64, 0x8b, 0xdf, 0x96, 0x59, 0x67, 0x76, 0xaf, 0xdb,
+ 0x63, 0x77, 0xac, 0x43, 0x4c, 0x1c, 0x29, 0x3c, 0xcb, 0x04 };
 
 uint8_t info[] = {};
 int L = 42;
 
- uint8_t okm[42] =
- {0x8d, 0xa4, 0xe7, 0x75, 0xa5, 0x63, 0xc1, 0x8f,
- 0x71, 0x5f, 0x80, 0x2a, 0x06, 0x3c, 0x5a, 0x31,
- 0xb8, 0xa1, 0x1f, 0x5c, 0x5e, 0xe1, 0x87, 0x9e,
- 0xc3, 0x45, 0x4e, 0x5f, 0x3c, 0x73, 0x8d, 0x2d,
- 0x9d, 0x20, 0x13, 0x95, 0xfa, 0xa4, 0xb6, 0x1a,
- 0x96, 0xc8};
+ uint8_t okm[42] = { 0x8d, 0xa4, 0xe7, 0x75, 0xa5, 0x63, 0xc1, 0x8f, 0x71, 0x5f, 0x80,
+ 0x2a, 0x06, 0x3c, 0x5a, 0x31, 0xb8, 0xa1, 0x1f, 0x5c, 0x5e, 0xe1,
+ 0x87, 0x9e, 0xc3, 0x45, 0x4e, 0x5f, 0x3c, 0x73, 0x8d, 0x2d, 0x9d,
+ 0x20, 0x13, 0x95, 0xfa, 0xa4, 0xb6, 0x1a, 0x96, 0xc8 };
 
 uint8_t out[42];
 ovpn_hkdf_expand(prk, info, 0, out, L);
@@ -579,23 +555,17 @@ crypto_test_hkdf_expand_test_ovpn(void **state)
 /* tests the HDKF with a label/okm that OpenVPN itself uses in OpenSSL 3
 * HDKF unit test*/
 
- uint8_t prk[32] =
- {0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf,
- 0x0d, 0xdc, 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63,
- 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, 0x9c, 0x31,
- 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5};
+ uint8_t prk[32] = { 0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf, 0x0d, 0xdc, 0x3f,
+ 0x0d, 0xc4, 0x7b, 0xba, 0x63, 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f,
+ 0x9c, 0x31, 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5 };
 
- uint8_t info[18] =
- {0x00, 0x1b, 0x0e, 0x6f, 0x76, 0x70, 0x6e, 0x20,
- 0x75, 0x6e, 0x69, 0x74, 0x20, 0x74, 0x65, 0x73,
- 0x74, 0x00};
+ uint8_t info[18] = { 0x00, 0x1b, 0x0e, 0x6f, 0x76, 0x70, 0x6e, 0x20, 0x75,
+ 0x6e, 0x69, 0x74, 0x20, 0x74, 0x65, 0x73, 0x74, 0x00 };
 
 int L = 27;
- uint8_t okm[27] =
- {0x87, 0x5a, 0x8e, 0xec, 0x18, 0x55, 0x63, 0x80,
- 0xb8, 0xd9, 0x33, 0xed, 0x32, 0x3c, 0x2d, 0xf8,
- 0xe8, 0xec, 0xcf, 0x49, 0x72, 0xe6, 0x83, 0xf0,
- 0x6a, 0x83, 0xac };
+ uint8_t okm[27] = { 0x87, 0x5a, 0x8e, 0xec, 0x18, 0x55, 0x63, 0x80, 0xb8,
+ 0xd9, 0x33, 0xed, 0x32, 0x3c, 0x2d, 0xf8, 0xe8, 0xec,
+ 0xcf, 0x49, 0x72, 0xe6, 0x83, 0xf0, 0x6a, 0x83, 0xac };
 
 uint8_t out[27];
 ovpn_hkdf_expand(prk, info, sizeof(info), out, L);
@@ -606,19 +576,16 @@ crypto_test_hkdf_expand_test_ovpn(void **state)
 void
 crypto_test_ovpn_label_expand(void **state)
 {
- uint8_t secret[32] =
- {0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf,
- 0x0d, 0xdc, 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63,
- 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, 0x9c, 0x31,
- 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5};
+ uint8_t secret[32] = { 0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf, 0x0d, 0xdc, 0x3f,
+ 0x0d, 0xc4, 0x7b, 0xba, 0x63, 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f,
+ 0x9c, 0x31, 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5 };
 
- const uint8_t *label = (const uint8_t *) ("unit test");
+ const uint8_t *label = (const uint8_t *)("unit test");
 uint8_t out[16];
 ovpn_expand_label(secret, sizeof(secret), label, 9, NULL, 0, out, sizeof(out));
 
- uint8_t out_expected[16] =
- {0x18, 0x5e, 0xaa, 0x1c, 0x7f, 0x22, 0x8a, 0xb8,
- 0xeb, 0x29, 0x77, 0x32, 0x14, 0xd9, 0x20, 0x46};
+ uint8_t out_expected[16] = { 0x18, 0x5e, 0xaa, 0x1c, 0x7f, 0x22, 0x8a, 0xb8,
+ 0xeb, 0x29, 0x77, 0x32, 0x14, 0xd9, 0x20, 0x46 };
 
 assert_memory_equal(out, out_expected, 16);
 }
@@ -630,15 +597,13 @@ crypto_test_ovpn_label_expand(void **state)
 * openvpn_PRF ifdef maze */
 bool
-ossl_expand_label(const uint8_t *secret, size_t secret_len,
- const uint8_t *label, size_t label_len,
- const uint8_t *context, size_t context_len,
- uint8_t *out, uint16_t out_len)
+ossl_expand_label(const uint8_t *secret, size_t secret_len, const uint8_t *label, size_t label_len,
+ const uint8_t *context, size_t context_len, uint8_t *out, uint16_t out_len)
 {
 OSSL_LIB_CTX *libctx = NULL;
 const char *properties = NULL;
- const uint8_t *label_prefix = (const uint8_t *) ("ovpn ");
+ const uint8_t *label_prefix = (const uint8_t *)("ovpn ");
 const size_t label_prefix_len = 5;
 
 EVP_KDF *kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_TLS1_3_KDF, properties);
@@ -657,15 +622,12 @@ ossl_expand_label(const uint8_t *secret, size_t secret_len,
 
 int mode = EVP_PKEY_HKDEF_MODE_EXPAND_ONLY;
 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &mode);
- *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
- (char *) mdname, 0);
- *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
- (unsigned char *) secret, hashlen);
- *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX,
- (unsigned char *) label_prefix,
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, (char *)mdname, 0);
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, (unsigned char *)secret, hashlen);
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX, (unsigned char *)label_prefix,
 label_prefix_len);
- *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_LABEL,
- (unsigned char *) label, label_len);
+ *p++ =
+ OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_LABEL, (unsigned char *)label, label_len);
 *p++ = OSSL_PARAM_construct_end();
 
@@ -680,13 +642,11 @@ ossl_expand_label(const uint8_t *secret, size_t secret_len,
 void
 crypto_test_ovpn_expand_openssl3(void **state)
 {
- uint8_t secret[32] =
- {0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf,
- 0x0d, 0xdc, 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63,
- 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, 0x9c, 0x31,
- 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5};
+ uint8_t secret[32] = { 0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf, 0x0d, 0xdc, 0x3f,
+ 0x0d, 0xc4, 0x7b, 0xba, 0x63, 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f,
+ 0x9c, 0x31, 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5 };
 
- const uint8_t *label = (const uint8_t *) ("unit test");
+ const uint8_t *label = (const uint8_t *)("unit test");
 const size_t labellen = 9;
 uint8_t out[27];
 
@@ -725,11 +685,10 @@ crypto_test_epoch_setup(void **state)
 init_key_type(&data->kt, "AES-128-GCM", "none", true, false);
 
 /* have an epoch key that uses 0x23 for the key for all bytes */
- struct epoch_key epoch1send = { .epoch = 1, .epoch_key = {0x23} };
- struct epoch_key epoch1recv = { .epoch = 1, .epoch_key = {0x27} };
+ struct epoch_key epoch1send = { .epoch = 1, .epoch_key = { 0x23 } };
+ struct epoch_key epoch1recv = { .epoch = 1, .epoch_key = { 0x27 } };
 
- epoch_init_key_ctx(&data->co, &data->kt, &epoch1send,
- &epoch1recv, *num_future_keys);
+ epoch_init_key_ctx(&data->co, &data->kt, &epoch1send, &epoch1recv, *num_future_keys);
 
 *state = data;
 return 0;
@@ -913,7 +872,7 @@ crypto_test_epoch_key_overflow(void **state)
 void
 epoch_test_derive_data_key(void **state)
 {
- struct epoch_key e17 = { .epoch = 17, .epoch_key = { 19, 12 }};
+ struct epoch_key e17 = { .epoch = 17, .epoch_key = { 19, 12 } };
 struct key_type kt = { 0 };
 struct key_parameters key_parameters = { 0 };
 init_key_type(&kt, "AES-192-GCM", "none", true, false);
@@ -924,13 +883,12 @@ epoch_test_derive_data_key(void **state)
 assert_int_equal(key_parameters.cipher_size, 24);
 assert_int_equal(key_parameters.hmac_size, 12);
 
- uint8_t exp_cipherkey[24] =
- {0xed, 0x85, 0x33, 0xdb, 0x1c, 0x28, 0xac, 0xe4,
- 0x18, 0xe9, 0x00, 0x6a, 0xb2, 0x9c, 0x17, 0x41,
- 0x7d, 0x60, 0xeb, 0xe6, 0xcd, 0x90, 0xbf, 0x0a};
+ uint8_t exp_cipherkey[24] = { 0xed, 0x85, 0x33, 0xdb, 0x1c, 0x28, 0xac, 0xe4,
+ 0x18, 0xe9, 0x00, 0x6a, 0xb2, 0x9c, 0x17, 0x41,
+ 0x7d, 0x60, 0xeb, 0xe6, 0xcd, 0x90, 0xbf, 0x0a };
 
- uint8_t exp_impl_iv[12] =
- {0x86, 0x89, 0x0a, 0xab, 0xf0, 0x32, 0xcb, 0x59, 0xf4, 0xcf, 0xa3, 0x4e};
+ uint8_t exp_impl_iv[12] = { 0x86, 0x89, 0x0a, 0xab, 0xf0, 0x32,
+ 0xcb, 0x59, 0xf4, 0xcf, 0xa3, 0x4e };
 
 assert_memory_equal(key_parameters.cipher, exp_cipherkey, sizeof(exp_cipherkey));
 assert_memory_equal(key_parameters.hmac, exp_impl_iv, sizeof(exp_impl_iv));
@@ -960,20 +918,16 @@ main(void)
 cmocka_unit_test(crypto_test_ovpn_expand_openssl3),
 cmocka_unit_test_prestate_setup_teardown(crypto_test_epoch_key_generation,
 crypto_test_epoch_setup,
- crypto_test_epoch_teardown,
- &prestate_num16),
+ crypto_test_epoch_teardown, &prestate_num16),
 cmocka_unit_test_prestate_setup_teardown(crypto_test_epoch_key_rotation,
 crypto_test_epoch_setup,
- crypto_test_epoch_teardown,
- &prestate_num13),
+ crypto_test_epoch_teardown, &prestate_num13),
 cmocka_unit_test_prestate_setup_teardown(crypto_test_epoch_key_receive_lookup,
 crypto_test_epoch_setup,
- crypto_test_epoch_teardown,
- &prestate_num13),
+ crypto_test_epoch_teardown, &prestate_num13),
 cmocka_unit_test_prestate_setup_teardown(crypto_test_epoch_key_overflow,
 crypto_test_epoch_setup,
- crypto_test_epoch_teardown,
- &prestate_num32),
+ crypto_test_epoch_teardown, &prestate_num32),
 cmocka_unit_test(epoch_test_derive_data_key)
 };
 
diff --git a/tests/unit_tests/openvpn/test_cryptoapi.c b/tests/unit_tests/openvpn/test_cryptoapi.c
index 072cc78fb..0cfc952ed 100644
--- a/tests/unit_tests/openvpn/test_cryptoapi.c
+++ b/tests/unit_tests/openvpn/test_cryptoapi.c
@@ -31,7 +31,7 @@
 #include "xkey_common.h"
 #include "cert_data.h"
 
-#if defined(HAVE_XKEY_PROVIDER) && defined (ENABLE_CRYPTOAPI)
+#if defined(HAVE_XKEY_PROVIDER) && defined(ENABLE_CRYPTOAPI)
 #include
 #include
 #include
@@ -42,19 +42,18 @@ #include "test_common.h" #include -#include /* pull-in the whole file to test static functions */ +#include /* pull-in the whole file to test static functions */ struct management *management; /* global */ static OSSL_PROVIDER *prov[2]; /* mock a management function that xkey_provider needs */ char * -management_query_pk_sig(struct management *man, const char *b64_data, - const char *algorithm) +management_query_pk_sig(struct management *man, const char *b64_data, const char *algorithm) { - (void) man; - (void) b64_data; - (void) algorithm; + (void)man; + (void)b64_data; + (void)algorithm; return NULL; } @@ -73,14 +72,12 @@ crypto_print_openssl_errors(const unsigned int flags) OSSL_LIB_CTX *tls_libctx; #ifndef _countof -#define _countof(x) sizeof((x))/sizeof(*(x)) +#define _countof(x) sizeof((x)) / sizeof(*(x)) #endif /* test data */ -static const uint8_t test_hash[] = { - 0x77, 0x38, 0x65, 0x00, 0x1e, 0x96, 0x48, 0xc6, 0x57, 0x0b, 0xae, - 0xc0, 0xb7, 0x96, 0xf9, 0x66, 0x4d, 0x5f, 0xd0, 0xb7 -}; +static const uint8_t test_hash[] = { 0x77, 0x38, 0x65, 0x00, 0x1e, 0x96, 0x48, 0xc6, 0x57, 0x0b, + 0xae, 0xc0, 0xb7, 0x96, 0xf9, 0x66, 0x4d, 0x5f, 0xd0, 0xb7 }; /* valid test strings to test with and without embedded and trailing spaces */ static const char *valid_str[] = { 
@@ -101,13 +98,13 @@ static const char *invalid_str[] = { */ static struct test_cert { - const char *const cert; /* certificate as PEM */ - const char *const key; /* key as unencrypted PEM */ - const char *const cname; /* common-name */ - const char *const issuer; /* issuer common-name */ - const char *const friendly_name; /* identifies certs loaded to the store -- keep unique */ - const char *hash; /* SHA1 fingerprint */ - int valid; /* nonzero if certificate has not expired */ + const char *const cert; /* certificate as PEM */ + const char *const key; /* key as unencrypted PEM */ + const char *const cname; /* common-name */ + const char *const issuer; /* issuer common-name */ + const char *const friendly_name; /* identifies certs loaded to the store -- keep unique */ + const char *hash; /* SHA1 fingerprint */ + int valid; /* nonzero if certificate has not expired */ } certs[5]; static bool certs_loaded; @@ -118,11 +115,11 @@ void init_cert_data(void) { struct test_cert certs_local[] = { - {cert1, key1, cname1, "OVPN TEST CA1", "OVPN Test Cert 1", hash1, 1}, - {cert2, key2, cname2, "OVPN TEST CA2", "OVPN Test Cert 2", hash2, 1}, - {cert3, key3, cname3, "OVPN TEST CA1", "OVPN Test Cert 3", hash3, 1}, - {cert4, key4, cname4, "OVPN TEST CA2", "OVPN Test Cert 4", hash4, 0}, - {0} + { cert1, key1, cname1, "OVPN TEST CA1", "OVPN Test Cert 1", hash1, 1 }, + { cert2, key2, cname2, "OVPN TEST CA2", "OVPN Test Cert 2", hash2, 1 }, + { cert3, key3, cname3, "OVPN TEST CA1", "OVPN Test Cert 3", hash3, 1 }, + { cert4, key4, cname4, "OVPN TEST CA2", "OVPN Test Cert 4", hash4, 0 }, + { 0 } }; assert(sizeof(certs_local) == sizeof(certs)); memcpy(certs, certs_local, sizeof(certs_local)); 
@@ -144,20 +141,21 @@ lookup_cert(const char *friendly_name) static void import_certs(void **state) { - (void) state; + (void)state; if (certs_loaded) { return; } init_cert_data(); - user_store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_CURRENT_USER - |CERT_STORE_OPEN_EXISTING_FLAG, L"MY"); + user_store = + CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, + CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_OPEN_EXISTING_FLAG, L"MY"); assert_non_null(user_store); for (struct test_cert *c = certs; c->cert; c++) { /* Convert PEM cert & key to pkcs12 and import */ - const char *pass = "opensesame"; /* some password */ - const wchar_t *wpass = L"opensesame"; /* same as a wide string */ + const char *pass = "opensesame"; /* some password */ + const wchar_t *wpass = L"opensesame"; /* same as a wide string */ X509 *x509 = NULL; EVP_PKEY *pkey = NULL; @@ -191,7 +189,7 @@ import_certs(void **state) return; } - CRYPT_DATA_BLOB blob = {.cbData = 0, .pbData = NULL}; + CRYPT_DATA_BLOB blob = { .cbData = 0, .pbData = NULL }; int len = i2d_PKCS12(p12, &blob.pbData); /* pbData will be allocated by OpenSSL */ if (len <= 0) { @@ -200,7 +198,7 @@ import_certs(void **state) } blob.cbData = len; - DWORD flags = PKCS12_ALLOW_OVERWRITE_KEY|PKCS12_ALWAYS_CNG_KSP; + DWORD flags = PKCS12_ALLOW_OVERWRITE_KEY | PKCS12_ALWAYS_CNG_KSP; HCERTSTORE tmp_store = PFXImportCertStore(&blob, wpass, flags); PKCS12_free(p12); OPENSSL_free(blob.pbData); @@ -228,7 +226,7 @@ import_certs(void **state) static int cleanup(void **state) { - (void) state; + (void)state; struct gc_arena gc = gc_new(); if (user_store) /* delete all certs we imported */ { @@ -260,7 +258,7 @@ cleanup(void **state) static void test_find_cert_bythumb(void **state) { - (void) state; + (void)state; char select_string[64]; struct gc_arena gc = gc_new(); const CERT_CONTEXT *ctx; 
@@ -293,7 +291,7 @@ test_find_cert_bythumb(void **state) static void test_find_cert_byname(void **state) { - (void) state; + (void)state; char select_string[64]; struct gc_arena gc = gc_new(); const CERT_CONTEXT *ctx; @@ -326,7 +324,7 @@ test_find_cert_byname(void **state) static void test_find_cert_byissuer(void **state) { - (void) state; + (void)state; char select_string[64]; struct gc_arena gc = gc_new(); const CERT_CONTEXT *ctx; @@ -359,7 +357,7 @@ test_find_cert_byissuer(void **state) static int setup_xkey_provider(void **state) { - (void) state; + (void)state; /* Initialize providers in a way matching what OpenVPN core does */ tls_libctx = OSSL_LIB_CTX_new(); prov[0] = OSSL_PROVIDER_load(tls_libctx, "default"); @@ -374,7 +372,7 @@ setup_xkey_provider(void **state) static int teardown_xkey_provider(void **state) { - (void) state; + (void)state; for (size_t i = 0; i < _countof(prov); i++) { if (prov[i]) @@ -396,7 +394,7 @@ int digest_sign_verify(EVP_PKEY *privkey, EVP_PKEY *pubkey); void test_cryptoapi_sign(void **state) { - (void) state; + (void)state; char select_string[64]; X509 *x509 = NULL; EVP_PKEY *privkey = NULL; @@ -430,7 +428,7 @@ test_cryptoapi_sign(void **state) void test_ssl_ctx_use_cryptoapicert(void **state) { - (void) state; + (void)state; char select_string[64]; import_certs(state); /* a no-op if already imported */ @@ -454,7 +452,8 @@ test_ssl_ctx_use_cryptoapicert(void **state) /* Use OpenSSL to check that the cert and private key in ssl_ctx "match" */ if (!SSL_CTX_check_private_key(ssl_ctx)) { - fail_msg("Certificate and private key in ssl_ctx do not match for <%s>", c->friendly_name); + fail_msg("Certificate and private key in ssl_ctx do not match for <%s>", + c->friendly_name); return; } @@ -466,7 +465,7 @@ static void test_parse_hexstring(void **state) { unsigned char hash[255]; - (void) state; + (void)state; for (int i = 0; i < _countof(valid_str); i++) { 
@@ -512,4 +511,4 @@ main(void) return 0; } -#endif /* ifdef HAVE_XKEY_PROVIDER */ +#endif /* ifdef HAVE_XKEY_PROVIDER */ diff --git a/tests/unit_tests/openvpn/test_misc.c b/tests/unit_tests/openvpn/test_misc.c index fb46e9939..1857922f6 100644 --- a/tests/unit_tests/openvpn/test_misc.c +++ b/tests/unit_tests/openvpn/test_misc.c @@ -44,14 +44,18 @@ test_compat_lzo_string(void **state) { struct gc_arena gc = gc_new(); - const char *input = "V4,dev-type tun,link-mtu 1457,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server"; + const char *input = + "V4,dev-type tun,link-mtu 1457,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server"; const char *output = options_string_compat_lzo(input, &gc); - assert_string_equal(output, "V4,dev-type tun,link-mtu 1458,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server,comp-lzo"); + assert_string_equal( + output, + "V4,dev-type tun,link-mtu 1458,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server,comp-lzo"); /* This string is has a much too small link-mtu so we should fail on it" */ - input = "V4,dev-type tun,link-mtu 2,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server"; + input = + "V4,dev-type tun,link-mtu 2,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server"; output = options_string_compat_lzo(input, &gc); 
@@ -64,11 +68,14 @@ test_compat_lzo_string(void **state) assert_string_equal(input, output); - input = "V4,dev-type tun,link-mtu 999,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server"; + input = + "V4,dev-type tun,link-mtu 999,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server"; output = options_string_compat_lzo(input, &gc); /* 999 -> 1000, 3 to 4 chars */ - assert_string_equal(output, "V4,dev-type tun,link-mtu 1000,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server,comp-lzo"); + assert_string_equal( + output, + "V4,dev-type tun,link-mtu 1000,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server,comp-lzo"); gc_free(&gc); } @@ -110,7 +117,6 @@ test_auth_fail_temp_flags_msg(void **state) } - struct word { const char *word; @@ -121,7 +127,7 @@ struct word static uint32_t word_hash_function(const void *key, uint32_t iv) { - const char *str = (const char *) key; + const char *str = (const char *)key; const int len = strlen(str); return hash_func((const uint8_t *)str, len, iv); } @@ -161,11 +167,10 @@ hash_lookup_by_value(struct hash *hash, void *value) static void test_list(void **state) { - -/* - * Test the hash code by implementing a simple - * word frequency algorithm. - */ + /* + * Test the hash code by implementing a simple + * word frequency algorithm. + */ struct gc_arena gc = gc_new(); struct hash *hash = hash_init(10000, get_random(), word_hash_function, word_compare_function); @@ -174,7 +179,7 @@ test_list(void **state) printf("hash_init n_buckets=%d mask=0x%08x\n", hash->n_buckets, hash->mask); char wordfile[PATH_MAX] = { 0 }; - openvpn_test_get_srcdir_dir(wordfile, PATH_MAX, "/../../../COPYRIGHT.GPL" ); + openvpn_test_get_srcdir_dir(wordfile, PATH_MAX, "/../../../COPYRIGHT.GPL"); FILE *words = fopen(wordfile, "r"); assert_non_null(words); 
@@ -200,7 +205,7 @@ test_list(void **state) c = buf[bi++]; if (isalnum(c) || c == '_') { - assert_true(wbi < (int) sizeof(wordbuf)); + assert_true(wbi < (int)sizeof(wordbuf)); wordbuf[wbi++] = c; } else @@ -209,13 +214,13 @@ test_list(void **state) { wordcount++; - ASSERT(wbi < (int) sizeof(wordbuf)); + ASSERT(wbi < (int)sizeof(wordbuf)); wordbuf[wbi++] = '\0'; /* word is parsed from stdin */ /* does it already exist in table? */ - struct word *w = (struct word *) hash_lookup(hash, wordbuf); + struct word *w = (struct word *)hash_lookup(hash, wordbuf); if (w) { @@ -230,13 +235,13 @@ test_list(void **state) w->word = string_alloc(wordbuf, &gc); w->n = 1; assert_true(hash_add(hash, w->word, w, false)); - assert_true(hash_add(nhash, w->word, (void *) ((ptr_type )(random() & 0x0F) + 1), false)); + assert_true(hash_add(nhash, w->word, + (void *)((ptr_type)(random() & 0x0F) + 1), false)); } } wbi = 0; } - } - while (c); + } while (c); } assert_int_equal(wordcount, 2971); @@ -261,7 +266,7 @@ test_list(void **state) while ((he = hash_iterator_next(&hi))) { - struct word *w = (struct word *) he->value; + struct word *w = (struct word *)he->value; /*printf("%6d '%s'\n", w->n, w->word); */ ++count; /* check a few words to match prior results */ @@ -269,19 +274,19 @@ test_list(void **state) { assert_int_equal(w->n, 49); } - else if (!strcmp(w->word, "redistribute")) + else if (!strcmp(w->word, "redistribute")) { assert_int_equal(w->n, 5); } - else if (!strcmp(w->word, "circumstances")) + else if (!strcmp(w->word, "circumstances")) { assert_int_equal(w->n, 1); } - else if (!strcmp(w->word, "so")) + else if (!strcmp(w->word, "so")) { assert_int_equal(w->n, 8); } - else if (!strcmp(w->word, "BECAUSE")) + else if (!strcmp(w->word, "BECAUSE")) { assert_int_equal(w->n, 1); } 
@@ -296,12 +301,12 @@ test_list(void **state) { for (ptr_type i = 1; i <= 16; ++i) { - struct hash_element *item = hash_lookup_by_value(nhash, (void *) i); - hash_remove_by_value(nhash, (void *) i); + struct hash_element *item = hash_lookup_by_value(nhash, (void *)i); + hash_remove_by_value(nhash, (void *)i); /* check item got removed if it was present before */ if (item) { - assert_null(hash_lookup_by_value(nhash, (void *) i)); + assert_null(hash_lookup_by_value(nhash, (void *)i)); } } } @@ -378,14 +383,12 @@ test_atoi_variants(void **state) mock_set_debug_level(saved_log_level); } -const struct CMUnitTest misc_tests[] = { - cmocka_unit_test(test_compat_lzo_string), - cmocka_unit_test(test_auth_fail_temp_no_flags), - cmocka_unit_test(test_auth_fail_temp_flags), - cmocka_unit_test(test_auth_fail_temp_flags_msg), - cmocka_unit_test(test_list), - cmocka_unit_test(test_atoi_variants) -}; +const struct CMUnitTest misc_tests[] = { cmocka_unit_test(test_compat_lzo_string), + cmocka_unit_test(test_auth_fail_temp_no_flags), + cmocka_unit_test(test_auth_fail_temp_flags), + cmocka_unit_test(test_auth_fail_temp_flags_msg), + cmocka_unit_test(test_list), + cmocka_unit_test(test_atoi_variants) }; int main(void) diff --git a/tests/unit_tests/openvpn/test_ncp.c b/tests/unit_tests/openvpn/test_ncp.c index 941216ac1..0a1c77401 100644 --- a/tests/unit_tests/openvpn/test_ncp.c +++ b/tests/unit_tests/openvpn/test_ncp.c @@ -46,8 +46,7 @@ const char *aes_ciphers = "AES-256-GCM:AES-128-GCM"; /* Define this function here as dummy since including the ssl_*.c files * leads to having to include even more unrelated code */ bool -key_state_export_keying_material(struct tls_session *session, - const char *label, size_t label_size, +key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, void *ekm, size_t ekm_size) { ASSERT(0); 
@@ -72,8 +71,7 @@ test_check_ncp_ciphers_list(void **state) bool have_blowfish = cipher_valid("BF-CBC"); assert_string_equal(mutate_ncp_cipher_list("none", &gc), "none"); - assert_string_equal(mutate_ncp_cipher_list("AES-256-GCM:none", &gc), - "AES-256-GCM:none"); + assert_string_equal(mutate_ncp_cipher_list("AES-256-GCM:none", &gc), "AES-256-GCM:none"); assert_string_equal(mutate_ncp_cipher_list(aes_ciphers, &gc), aes_ciphers); @@ -85,8 +83,7 @@ test_check_ncp_ciphers_list(void **state) if (have_chacha && have_blowfish) { assert_string_equal(mutate_ncp_cipher_list(bf_chacha, &gc), bf_chacha); - assert_string_equal(mutate_ncp_cipher_list("BF-CBC:CHACHA20-POLY1305", &gc), - bf_chacha); + assert_string_equal(mutate_ncp_cipher_list("BF-CBC:CHACHA20-POLY1305", &gc), bf_chacha); } else { @@ -98,14 +95,14 @@ test_check_ncp_ciphers_list(void **state) aes_ciphers); /* Check that optional ciphers work */ - assert_string_equal(mutate_ncp_cipher_list("?AES-256-GCM:?AES-128-GCM", &gc), - aes_ciphers); + assert_string_equal(mutate_ncp_cipher_list("?AES-256-GCM:?AES-128-GCM", &gc), aes_ciphers); /* All unsupported should still yield an empty list */ assert_ptr_equal(mutate_ncp_cipher_list("?kugelfisch:?grasshopper", &gc), NULL); /* If the last is optional, previous invalid ciphers should be ignored */ - assert_ptr_equal(mutate_ncp_cipher_list("Vollbit:Littlebit:AES-256-CBC:BF-CBC:?nixbit", &gc), NULL); + assert_ptr_equal(mutate_ncp_cipher_list("Vollbit:Littlebit:AES-256-CBC:BF-CBC:?nixbit", &gc), + NULL); /* We do not support CCM ciphers */ assert_ptr_equal(mutate_ncp_cipher_list("AES-256-GCM:AES-128-CCM", &gc), NULL); 
@@ -126,19 +123,19 @@ test_check_ncp_ciphers_list(void **state) assert_ptr_equal(mutate_ncp_cipher_list("AES-256-GCM:vollbit", &gc), NULL); assert_ptr_equal(mutate_ncp_cipher_list("", &gc), NULL); - assert_ptr_equal(mutate_ncp_cipher_list( - "ChaCha20-Poly1305:ChaCha20-Poly1305:ChaCha20-Poly1305:" - "ChaCha20-Poly1305:ChaCha20-Poly1305:ChaCha20-Poly1305:" - "ChaCha20-Poly1305", &gc), NULL); + assert_ptr_equal(mutate_ncp_cipher_list("ChaCha20-Poly1305:ChaCha20-Poly1305:ChaCha20-Poly1305:" + "ChaCha20-Poly1305:ChaCha20-Poly1305:ChaCha20-Poly1305:" + "ChaCha20-Poly1305", + &gc), + NULL); #ifdef ENABLE_CRYPTO_OPENSSL - assert_string_equal(mutate_ncp_cipher_list("id-aes128-GCM:id-aes256-GCM", - &gc), "AES-128-GCM:AES-256-GCM"); + assert_string_equal(mutate_ncp_cipher_list("id-aes128-GCM:id-aes256-GCM", &gc), + "AES-128-GCM:AES-256-GCM"); #else if (have_blowfish) { - assert_string_equal(mutate_ncp_cipher_list("BLOWFISH-CBC", - &gc), "BF-CBC"); + assert_string_equal(mutate_ncp_cipher_list("BLOWFISH-CBC", &gc), "BF-CBC"); } #endif gc_free(&gc); 
@@ -192,37 +189,28 @@ test_poor_man(void **state) const char *serverlist = "CHACHA20_POLY1305:AES-128-GCM"; const char *serverlistbfcbc = "CHACHA20_POLY1305:AES-128-GCM:BF-CBC:none"; - best_cipher = ncp_get_best_cipher(serverlist, - "IV_YOLO=NO\nIV_BAR=7", - "BF-CBC", &gc); + best_cipher = ncp_get_best_cipher(serverlist, "IV_YOLO=NO\nIV_BAR=7", "BF-CBC", &gc); assert_ptr_equal(best_cipher, NULL); - best_cipher = ncp_get_best_cipher(serverlistbfcbc, - "IV_YOLO=NO\nIV_BAR=7", - "BF-CBC", &gc); + best_cipher = ncp_get_best_cipher(serverlistbfcbc, "IV_YOLO=NO\nIV_BAR=7", "BF-CBC", &gc); assert_string_equal(best_cipher, "BF-CBC"); - best_cipher = ncp_get_best_cipher(serverlist, - "IV_NCP=1\nIV_BAR=7", - "AES-128-GCM", &gc); + best_cipher = ncp_get_best_cipher(serverlist, "IV_NCP=1\nIV_BAR=7", "AES-128-GCM", &gc); assert_string_equal(best_cipher, "AES-128-GCM"); - best_cipher = ncp_get_best_cipher(serverlist, NULL, - "AES-128-GCM", &gc); + best_cipher = ncp_get_best_cipher(serverlist, NULL, "AES-128-GCM", &gc); assert_string_equal(best_cipher, "AES-128-GCM"); - best_cipher = ncp_get_best_cipher(serverlist, NULL, - "none", &gc); + best_cipher = ncp_get_best_cipher(serverlist, NULL, "none", &gc); assert_ptr_equal(best_cipher, NULL); - best_cipher = ncp_get_best_cipher(serverlistbfcbc, NULL, - "none", &gc); + best_cipher = ncp_get_best_cipher(serverlistbfcbc, NULL, "none", &gc); assert_string_equal(best_cipher, "none"); best_cipher = ncp_get_best_cipher(serverlist, NULL, NULL, &gc); 
@@ -240,28 +228,23 @@ test_ncp_best(void **state) const char *serverlist = "CHACHA20_POLY1305:AES-128-GCM:AES-256-GCM"; - best_cipher = ncp_get_best_cipher(serverlist, - "IV_YOLO=NO\nIV_NCP=2\nIV_BAR=7", - "BF-CBC", &gc); + best_cipher = ncp_get_best_cipher(serverlist, "IV_YOLO=NO\nIV_NCP=2\nIV_BAR=7", "BF-CBC", &gc); assert_string_equal(best_cipher, "AES-128-GCM"); /* Best cipher is in --cipher of client */ - best_cipher = ncp_get_best_cipher(serverlist, "IV_NCP=2\nIV_BAR=7", - "CHACHA20_POLY1305", &gc); + best_cipher = ncp_get_best_cipher(serverlist, "IV_NCP=2\nIV_BAR=7", "CHACHA20_POLY1305", &gc); assert_string_equal(best_cipher, "CHACHA20_POLY1305"); /* Best cipher is in --cipher of client */ - best_cipher = ncp_get_best_cipher(serverlist, "IV_CIPHERS=AES-128-GCM", - "AES-256-CBC", &gc); + best_cipher = ncp_get_best_cipher(serverlist, "IV_CIPHERS=AES-128-GCM", "AES-256-CBC", &gc); assert_string_equal(best_cipher, "AES-128-GCM"); /* IV_NCP=2 should be ignored if IV_CIPHERS is sent */ - best_cipher = ncp_get_best_cipher(serverlist, - "IV_FOO=7\nIV_CIPHERS=AES-256-GCM\nIV_NCP=2", + best_cipher = ncp_get_best_cipher(serverlist, "IV_FOO=7\nIV_CIPHERS=AES-256-GCM\nIV_NCP=2", "AES-256-CBC", &gc); assert_string_equal(best_cipher, "AES-256-GCM"); @@ -312,11 +295,14 @@ test_ncp_default(void **state) if (have_chacha) { - assert_string_equal(o.ncp_ciphers, "BF-CBC:AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC:AES-256-CBC"); + assert_string_equal( + o.ncp_ciphers, + "BF-CBC:AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC:AES-256-CBC"); } else { - assert_string_equal(o.ncp_ciphers, "BF-CBC:AES-256-GCM:AES-128-GCM:AES-128-CBC:AES-256-CBC"); + assert_string_equal(o.ncp_ciphers, + "BF-CBC:AES-256-GCM:AES-128-GCM:AES-128-CBC:AES-256-CBC"); } assert_string_equal(o.ncp_ciphers_conf, "BF-CBC:DEFAULT:AES-128-CBC:AES-256-CBC"); 
@@ -326,7 +312,8 @@ test_ncp_default(void **state) if (have_chacha) { - assert_string_equal(o.ncp_ciphers, "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC:AES-192-CBC"); + assert_string_equal(o.ncp_ciphers, + "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC:AES-192-CBC"); } else { @@ -340,7 +327,8 @@ test_ncp_default(void **state) if (have_chacha) { - assert_string_equal(o.ncp_ciphers, "AES-192-GCM:AES-128-CBC:AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"); + assert_string_equal(o.ncp_ciphers, + "AES-192-GCM:AES-128-CBC:AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"); } else { @@ -355,7 +343,7 @@ static void test_ncp_expand(void **state) { bool have_chacha = cipher_valid("CHACHA20-POLY1305"); - struct options o = {0}; + struct options o = { 0 }; o.gc = gc_new(); struct gc_arena gc = gc_new(); diff --git a/tests/unit_tests/openvpn/test_networking.c b/tests/unit_tests/openvpn/test_networking.c index 04347076e..f2da83ed8 100644 --- a/tests/unit_tests/openvpn/test_networking.c +++ b/tests/unit_tests/openvpn/test_networking.c @@ -110,12 +110,10 @@ net__route_v4_add(const char *dst_str, int prefixlen, int metric) printf("\n"); return net_route_v4_add(NULL, &dst, prefixlen, NULL, iface, 0, metric); - } static int -net__route_v4_add_gw(const char *dst_str, int prefixlen, const char *gw_str, - int metric) +net__route_v4_add_gw(const char *dst_str, int prefixlen, const char *gw_str, int metric) { in_addr_t dst, gw; int ret; @@ -140,8 +138,7 @@ net__route_v4_add_gw(const char *dst_str, int prefixlen, const char *gw_str, dst = ntohl(dst); gw = ntohl(gw); - printf("CMD: ip route add %s/%d dev %s via %s", dst_str, prefixlen, iface, - gw_str); + printf("CMD: ip route add %s/%d dev %s via %s", dst_str, prefixlen, iface, gw_str); if (metric > 0) { printf(" metric %d", metric); 
@@ -176,12 +173,10 @@ net__route_v6_add(const char *dst_str, int prefixlen, int metric) printf("\n"); return net_route_v6_add(NULL, &dst, prefixlen, NULL, iface, 0, metric); - } static int -net__route_v6_add_gw(const char *dst_str, int prefixlen, const char *gw_str, - int metric) +net__route_v6_add_gw(const char *dst_str, int prefixlen, const char *gw_str, int metric) { struct in6_addr dst, gw; int ret; @@ -203,8 +198,7 @@ net__route_v6_add_gw(const char *dst_str, int prefixlen, const char *gw_str, return -1; } - printf("CMD: ip -6 route add %s/%d dev %s via %s", dst_str, prefixlen, - iface, gw_str); + printf("CMD: ip -6 route add %s/%d dev %s via %s", dst_str, prefixlen, iface, gw_str); if (metric > 0) { printf(" metric %d", metric); diff --git a/tests/unit_tests/openvpn/test_packet_id.c b/tests/unit_tests/openvpn/test_packet_id.c index 084db5e6c..d623c3dff 100644 --- a/tests/unit_tests/openvpn/test_packet_id.c +++ b/tests/unit_tests/openvpn/test_packet_id.c @@ -36,8 +36,10 @@ #include "reliable.h" #include "test_common.h" -struct test_packet_id_write_data { - struct { +struct test_packet_id_write_data +{ + struct + { uint32_t buf_id; uint32_t buf_time; } test_buf_data; @@ -49,15 +51,14 @@ struct test_packet_id_write_data { static int test_packet_id_write_setup(void **state) { - struct test_packet_id_write_data *data = - calloc(1, sizeof(struct test_packet_id_write_data)); + struct test_packet_id_write_data *data = calloc(1, sizeof(struct test_packet_id_write_data)); if (!data) { return -1; } - data->test_buf.data = (void *) &data->test_buf_data; + data->test_buf.data = (void *)&data->test_buf_data; data->test_buf.capacity = sizeof(data->test_buf_data); data->gc = gc_new(); @@ -162,7 +163,6 @@ test_packet_id_write_long_wrap(void **state) static void test_get_num_output_sequenced_available(void **state) { - struct reliable *rel = malloc(sizeof(struct reliable)); reliable_init(rel, 100, 50, 8, false); 
@@ -180,14 +180,14 @@ test_get_num_output_sequenced_available(void **state) /* test ids close to int/unsigned int barrier */ rel->array[5].active = true; - rel->array[5].packet_id = (0x80000000u -3); + rel->array[5].packet_id = (0x80000000u - 3); rel->array[6].active = false; - rel->packet_id = (0x80000000u -1); + rel->packet_id = (0x80000000u - 1); assert_int_equal(6, reliable_get_num_output_sequenced_available(rel)); rel->array[5].active = true; - rel->array[5].packet_id = (0x80000000u -3); + rel->array[5].packet_id = (0x80000000u - 3); rel->packet_id = 0x80000001u; assert_int_equal(4, reliable_get_num_output_sequenced_available(rel)); @@ -195,7 +195,7 @@ test_get_num_output_sequenced_available(void **state) /* test wrapping */ rel->array[5].active = true; - rel->array[5].packet_id = (0xffffffffu -3); + rel->array[5].packet_id = (0xffffffffu - 3); rel->array[6].active = false; rel->packet_id = (0xffffffffu - 1); @@ -223,7 +223,7 @@ test_packet_id_write_epoch(void **state) assert_true(packet_id_write_epoch(&data->pis, 0x23, &buf)); assert_int_equal(buf.len, 8); - uint8_t expected_header[8] = { 0x00, 0x23, 0, 0, 0, 0, 0, 1}; + uint8_t expected_header[8] = { 0x00, 0x23, 0, 0, 0, 0, 0, 1 }; assert_memory_equal(BPTR(&buf), expected_header, 8); /* too small buffer should error out */ @@ -234,7 +234,7 @@ test_packet_id_write_epoch(void **state) data->pis.id = 0xfa079ab9d2e8; struct buffer buf_48 = alloc_buf_gc(128, &data->gc); assert_true(packet_id_write_epoch(&data->pis, 0xfffe, &buf_48)); - uint8_t expected_header_48[8] = { 0xff, 0xfe, 0xfa, 0x07, 0x9a, 0xb9, 0xd2, 0xe9}; + uint8_t expected_header_48[8] = { 0xff, 0xfe, 0xfa, 0x07, 0x9a, 0xb9, 0xd2, 0xe9 }; assert_memory_equal(BPTR(&buf_48), expected_header_48, 8); /* test writing/checking the 48 bit per epoch packet counter 
@@ -242,7 +242,7 @@ test_packet_id_write_epoch(void **state) data->pis.id = 0xfffffffffffe; struct buffer buf_of = alloc_buf_gc(128, &data->gc); assert_true(packet_id_write_epoch(&data->pis, 0xf00f, &buf_of)); - uint8_t expected_header_of[8] = { 0xf0, 0x0f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; + uint8_t expected_header_of[8] = { 0xf0, 0x0f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; assert_memory_equal(BPTR(&buf_of), expected_header_of, 8); /* This is go over 2^48 - 1 and should error out. */ @@ -264,9 +264,9 @@ test_packet_id_write_epoch(void **state) static void test_copy_acks_to_lru(void **state) { - struct reliable_ack ack = { .len = 4, .packet_id = {2, 1, 3, 2} }; + struct reliable_ack ack = { .len = 4, .packet_id = { 2, 1, 3, 2 } }; - struct reliable_ack mru_ack = {0 }; + struct reliable_ack mru_ack = { 0 }; /* Test copying to empty ack structure */ copy_acks_to_mru(&ack, &mru_ack, 4); @@ -292,7 +292,7 @@ test_copy_acks_to_lru(void **state) /* Adding just two packets shoudl ignore the 42 in array and * reorder the order in the MRU */ - struct reliable_ack ack2 = { .len = 3, .packet_id = {3, 2, 42} }; + struct reliable_ack ack2 = { .len = 3, .packet_id = { 3, 2, 42 } }; copy_acks_to_mru(&ack2, &mru_ack2, 2); assert_int_equal(mru_ack2.packet_id[0], 3); assert_int_equal(mru_ack2.packet_id[1], 2); 
@@ -313,12 +313,12 @@ test_copy_acks_to_lru(void **state) assert_int_equal(mru_ack.packet_id[1], 1); assert_int_equal(mru_ack.packet_id[2], 3); - struct reliable_ack ack3 = { .len = 7, .packet_id = {5, 6, 7, 8, 9, 10, 11}}; + struct reliable_ack ack3 = { .len = 7, .packet_id = { 5, 6, 7, 8, 9, 10, 11 } }; /* Adding multiple acks tests if the a full array is handled correctly */ copy_acks_to_mru(&ack3, &mru_ack, 7); - struct reliable_ack expected_ack = { .len = 8, .packet_id = {5, 6, 7, 8, 9, 10, 11, 2}}; + struct reliable_ack expected_ack = { .len = 8, .packet_id = { 5, 6, 7, 8, 9, 10, 11, 2 } }; assert_int_equal(mru_ack.len, expected_ack.len); assert_memory_equal(mru_ack.packet_id, expected_ack.packet_id, sizeof(expected_ack.packet_id)); 
@@ -329,26 +329,19 @@ main(void) { openvpn_unit_test_setup(); const struct CMUnitTest tests[] = { - cmocka_unit_test_setup_teardown(test_packet_id_write_short, - test_packet_id_write_setup, + cmocka_unit_test_setup_teardown(test_packet_id_write_short, test_packet_id_write_setup, test_packet_id_write_teardown), - cmocka_unit_test_setup_teardown(test_packet_id_write_long, - test_packet_id_write_setup, + cmocka_unit_test_setup_teardown(test_packet_id_write_long, test_packet_id_write_setup, test_packet_id_write_teardown), cmocka_unit_test_setup_teardown(test_packet_id_write_short_prepend, - test_packet_id_write_setup, - test_packet_id_write_teardown), + test_packet_id_write_setup, test_packet_id_write_teardown), cmocka_unit_test_setup_teardown(test_packet_id_write_long_prepend, - test_packet_id_write_setup, - test_packet_id_write_teardown), - cmocka_unit_test_setup_teardown(test_packet_id_write_short_wrap, - test_packet_id_write_setup, + test_packet_id_write_setup, test_packet_id_write_teardown), + cmocka_unit_test_setup_teardown(test_packet_id_write_short_wrap, test_packet_id_write_setup, test_packet_id_write_teardown), - cmocka_unit_test_setup_teardown(test_packet_id_write_long_wrap, - test_packet_id_write_setup, + cmocka_unit_test_setup_teardown(test_packet_id_write_long_wrap, test_packet_id_write_setup, test_packet_id_write_teardown), - cmocka_unit_test_setup_teardown(test_packet_id_write_epoch, - test_packet_id_write_setup, + cmocka_unit_test_setup_teardown(test_packet_id_write_epoch, test_packet_id_write_setup, test_packet_id_write_teardown), cmocka_unit_test(test_get_num_output_sequenced_available), diff --git a/tests/unit_tests/openvpn/test_pkcs11.c b/tests/unit_tests/openvpn/test_pkcs11.c index 591a4575d..56125df9c 100644 --- a/tests/unit_tests/openvpn/test_pkcs11.c +++ b/tests/unit_tests/openvpn/test_pkcs11.c 
@@ -39,8 +39,8 @@ #include "test_common.h" #define token_name "Test Token" -#define PIN "12345" -#define HASHSIZE 20 +#define PIN "12345" +#define HASHSIZE 20 struct management *management; /* global */ @@ -58,8 +58,8 @@ crypto_print_openssl_errors(const unsigned int flags) /* stubs for some unused functions instead of pulling in too many dependencies */ int -parse_line(const char *line, char **p, const int n, const char *file, - const int line_num, int msglevel, struct gc_arena *gc) +parse_line(const char *line, char **p, const int n, const char *file, const int line_num, + int msglevel, struct gc_arena *gc) { assert_true(0); return 0; 
@@ -91,45 +91,43 @@ query_user_exec_builtin(void) void query_user_add(char *prompt, size_t prompt_len, char *resp, size_t resp_len, bool echo) { - (void) prompt; - (void) prompt_len; - (void) resp; - (void) resp_len; - (void) echo; + (void)prompt; + (void)prompt_len; + (void)resp; + (void)resp_len; + (void)echo; assert_true(0); } void purge_user_pass(struct user_pass *up, const bool force) { - (void) force; + (void)force; secure_memzero(up, sizeof(*up)); } char * -management_query_pk_sig(struct management *man, const char *b64_data, - const char *algorithm) +management_query_pk_sig(struct management *man, const char *b64_data, const char *algorithm) { - (void) man; - (void) b64_data; - (void) algorithm; + (void)man; + (void)b64_data; + (void)algorithm; return NULL; } -int -digest_sign_verify(EVP_PKEY *privkey, EVP_PKEY *pubkey); +int digest_sign_verify(EVP_PKEY *privkey, EVP_PKEY *pubkey); /* Test certificate database: data for cert1, cert2 .. key1, key2 etc. * are defined in cert_data.h */ static struct test_cert { - const char *const cert; /* certificate as PEM */ - const char *const key; /* key as unencrypted PEM */ - const char *const cname; /* common-name */ - const char *const issuer; /* issuer common-name */ - const char *const friendly_name; /* identifies certs loaded to the store -- keep unique */ - uint8_t hash[HASHSIZE]; /* SHA1 fingerprint: computed and filled in later */ - char *p11_id; /* PKCS#11 id -- filled in later */ + const char *const cert; /* certificate as PEM */ + const char *const key; /* key as unencrypted PEM */ + const char *const cname; /* common-name */ + const char *const issuer; /* issuer common-name */ + const char *const friendly_name; /* identifies certs loaded to the store -- keep unique */ + uint8_t hash[HASHSIZE]; /* SHA1 fingerprint: computed and filled in later */ + char *p11_id; /* PKCS#11 id -- filled in later */ } certs[5]; static bool pkcs11_id_management; 
@@ -144,11 +142,11 @@ void init_cert_data(void) { struct test_cert certs_local[] = { - {cert1, key1, cname1, "OVPN TEST CA1", "OVPN Test Cert 1", {0}, NULL}, - {cert2, key2, cname2, "OVPN TEST CA2", "OVPN Test Cert 2", {0}, NULL}, - {cert3, key3, cname3, "OVPN TEST CA1", "OVPN Test Cert 3", {0}, NULL}, - {cert4, key4, cname4, "OVPN TEST CA2", "OVPN Test Cert 4", {0}, NULL}, - {0} + { cert1, key1, cname1, "OVPN TEST CA1", "OVPN Test Cert 1", { 0 }, NULL }, + { cert2, key2, cname2, "OVPN TEST CA2", "OVPN Test Cert 2", { 0 }, NULL }, + { cert3, key3, cname3, "OVPN TEST CA1", "OVPN Test Cert 3", { 0 }, NULL }, + { cert4, key4, cname4, "OVPN TEST CA2", "OVPN Test Cert 4", { 0 }, NULL }, + { 0 } }; assert(sizeof(certs_local) == sizeof(certs)); memcpy(certs, certs_local, sizeof(certs_local)); @@ -159,9 +157,9 @@ bool get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags, const char *unused) { - (void) unused; + (void)unused; bool ret = true; - if (!strcmp(prefix, "pkcs11-id-request") && flags&GET_USER_PASS_NEED_STR) + if (!strcmp(prefix, "pkcs11-id-request") && flags & GET_USER_PASS_NEED_STR) { assert_true(pkcs11_id_management); strncpynt(up->password, pkcs11_id_current, sizeof(up->password)); @@ -195,15 +193,16 @@ OSSL_PROVIDER *prov[2]; static int init(void **state) { - (void) state; + (void)state; - umask(0077); /* ensure all files and directories we create get user only access */ + umask(0077); /* ensure all files and directories we create get user only access */ char config[256]; init_cert_data(); if (!mkdtemp(softhsm2_tokens_path)) { - fail_msg("make tmpdir using template <%s> failed (error = %d)", softhsm2_tokens_path, errno); + fail_msg("make tmpdir using template <%s> failed (error = %d)", softhsm2_tokens_path, + errno); } int fd = mkstemp(softhsm2_conf_path); 
@@ -211,8 +210,7 @@ init(void **state) { fail_msg("make tmpfile using template <%s> failed (error = %d)", softhsm2_conf_path, errno); } - snprintf(config, sizeof(config), "directories.tokendir=%s/", - softhsm2_tokens_path); + snprintf(config, sizeof(config), "directories.tokendir=%s/", softhsm2_tokens_path); assert_int_equal(write(fd, config, strlen(config)), strlen(config)); close(fd); @@ -260,14 +258,16 @@ init(void **state) argv_free(&a); a = argv_new(); /* Use numcerts+1 as a unique id of the object -- same id for matching cert and key */ - argv_printf(&a, "%s --provider %s --load-certificate %s --label \"%s\" --id %08x --login --write", - P11TOOL_PATH, SOFTHSM2_MODULE_PATH, cert, c->friendly_name, num_certs+1); + argv_printf( + &a, "%s --provider %s --load-certificate %s --label \"%s\" --id %08x --login --write", + P11TOOL_PATH, SOFTHSM2_MODULE_PATH, cert, c->friendly_name, num_certs + 1); assert_true(openvpn_execve_check(&a, es, 0, "Failed to upload certificate into token")); argv_free(&a); a = argv_new(); - argv_printf(&a, "%s --provider %s --load-privkey %s --label \"%s\" --id %08x --login --write", - P11TOOL_PATH, SOFTHSM2_MODULE_PATH, key, c->friendly_name, num_certs+1); + argv_printf(&a, + "%s --provider %s --load-privkey %s --label \"%s\" --id %08x --login --write", + P11TOOL_PATH, SOFTHSM2_MODULE_PATH, key, c->friendly_name, num_certs + 1); assert_true(openvpn_execve_check(&a, es, 0, "Failed to upload key into token")); assert_int_equal(ftruncate(cert_fd, 0), 0); @@ -288,7 +288,7 @@ init(void **state) static int cleanup(void **state) { - (void) state; + (void)state; struct argv a = argv_new(); argv_printf(&a, "%s --delete-token --token \"%s\"", SOFTHSM2_UTIL_PATH, token_name); @@ -410,7 +410,7 @@ test_pkcs11_ids(void **state) static void test_tls_ctx_use_pkcs11(void **state) { - (void) state; + (void)state; struct tls_root_ctx tls_ctx = {}; uint8_t sha1[HASHSIZE]; for (struct test_cert *c = certs; c->cert; c++) 
@@ -451,7 +451,8 @@ test_tls_ctx_use_pkcs11(void **state) #else if (!SSL_CTX_check_private_key(tls_ctx.ctx)) { - fail_msg("Certificate and private key in ssl_ctx do not match for <%s>", c->friendly_name); + fail_msg("Certificate and private key in ssl_ctx do not match for <%s>", + c->friendly_name); return; } #endif @@ -472,10 +473,8 @@ main(void) { openvpn_unit_test_setup(); const struct CMUnitTest tests[] = { - cmocka_unit_test_setup_teardown(test_pkcs11_ids, setup_pkcs11, - teardown_pkcs11), - cmocka_unit_test_setup_teardown(test_tls_ctx_use_pkcs11, setup_pkcs11, - teardown_pkcs11), + cmocka_unit_test_setup_teardown(test_pkcs11_ids, setup_pkcs11, teardown_pkcs11), + cmocka_unit_test_setup_teardown(test_tls_ctx_use_pkcs11, setup_pkcs11, teardown_pkcs11), cmocka_unit_test_setup_teardown(test_tls_ctx_use_pkcs11__management, setup_pkcs11, teardown_pkcs11), }; diff --git a/tests/unit_tests/openvpn/test_pkt.c b/tests/unit_tests/openvpn/test_pkt.c index 46206fe0f..3823d3982 100644 --- a/tests/unit_tests/openvpn/test_pkt.c +++ b/tests/unit_tests/openvpn/test_pkt.c @@ -44,8 +44,8 @@ #include "reliable.h" int -parse_line(const char *line, char **p, const int n, const char *file, - const int line_num, int msglevel, struct gc_arena *gc) +parse_line(const char *line, char **p, const int n, const char *file, const int line_num, + int msglevel, struct gc_arena *gc) { /* Dummy function to get the linker happy, should never be called */ assert_true(false); @@ -55,8 +55,7 @@ parse_line(const char *line, char **p, const int n, const char *file, /* Define this function here as dummy since including the ssl_*.c files * leads to having to include even more unrelated code */ bool -key_state_export_keying_material(struct tls_session *session, - const char *label, size_t label_size, +key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, void *ekm, size_t ekm_size) { ASSERT(0); 
@@ -89,104 +88,73 @@ const char static_key[] = "\n" "-----END OpenVPN Static key V1-----\n" "\n"; -const uint8_t client_reset_v2_none[] = -{ 0x38, 0x68, 0x91, 0x92, 0x3f, 0xa3, 0x10, 0x34, - 0x37, 0x00, 0x00, 0x00, 0x00, 0x00 }; - -const uint8_t client_reset_v2_tls_auth[] = -{ 0x38, 0xde, 0x69, 0x4c, 0x5c, 0x7b, 0xfb, 0xa2, - 0x74, 0x93, 0x53, 0x7c, 0x1d, 0xed, 0x4e, 0x78, - 0x15, 0x29, 0xae, 0x7c, 0xfe, 0x4b, 0x8c, 0x6d, - 0x6b, 0x2b, 0x51, 0xf0, 0x5a, 0x00, 0x00, 0x00, - 0x01, 0x61, 0xd3, 0xbf, 0x6c, 0x00, 0x00, 0x00, - 0x00, 0x00}; - -const uint8_t client_reset_v2_tls_crypt[] = -{0x38, 0xf4, 0x19, 0xcb, 0x12, 0xd1, 0xf9, 0xe4, - 0x8f, 0x00, 0x00, 0x00, 0x01, 0x61, 0xd3, 0xf8, - 0xe1, 0x33, 0x02, 0x06, 0xf5, 0x68, 0x02, 0xbe, - 0x44, 0xfb, 0xed, 0x90, 0x50, 0x64, 0xe3, 0xdb, - 0x43, 0x41, 0x6b, 0xec, 0x5e, 0x52, 0x67, 0x19, - 0x46, 0x2b, 0x7e, 0xb9, 0x0c, 0x96, 0xde, 0xfc, - 0x9b, 0x05, 0xc4, 0x48, 0x79, 0xf7}; +const uint8_t client_reset_v2_none[] = { 0x38, 0x68, 0x91, 0x92, 0x3f, 0xa3, 0x10, + 0x34, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00 }; + +const uint8_t client_reset_v2_tls_auth[] = { 0x38, 0xde, 0x69, 0x4c, 0x5c, 0x7b, 0xfb, 0xa2, 0x74, + 0x93, 0x53, 0x7c, 0x1d, 0xed, 0x4e, 0x78, 0x15, 0x29, + 0xae, 0x7c, 0xfe, 0x4b, 0x8c, 0x6d, 0x6b, 0x2b, 0x51, + 0xf0, 0x5a, 0x00, 0x00, 0x00, 0x01, 0x61, 0xd3, 0xbf, + 0x6c, 0x00, 0x00, 0x00, 0x00, 0x00 }; + +const uint8_t client_reset_v2_tls_crypt[] = { + 0x38, 0xf4, 0x19, 0xcb, 0x12, 0xd1, 0xf9, 0xe4, 0x8f, 0x00, 0x00, 0x00, 0x01, 0x61, + 0xd3, 0xf8, 0xe1, 0x33, 0x02, 0x06, 0xf5, 0x68, 0x02, 0xbe, 0x44, 0xfb, 0xed, 0x90, + 0x50, 0x64, 0xe3, 0xdb, 0x43, 0x41, 0x6b, 0xec, 0x5e, 0x52, 0x67, 0x19, 0x46, 0x2b, + 0x7e, 0xb9, 0x0c, 0x96, 0xde, 0xfc, 0x9b, 0x05, 0xc4, 0x48, 0x79, 0xf7 +}; /* Valid tls-auth client CONTROL_V1 packet with random server id */ const uint8_t client_ack_tls_auth_randomid[] = { - 0x20, 0x14, 0x01, 0x4e, 0xbc, 0x80, 0xc6, 0x14, - 0x2b, 0x7b, 0xc8, 0x76, 0xfb, 0xc5, 0x2e, 0x27, - 0xb1, 0xc5, 0x07, 0x35, 0x5b, 
0xb6, 0x00, 0x6b, - 0xae, 0x71, 0xba, 0x4e, 0x38, 0x00, 0x00, 0x00, - 0x03, 0x61, 0xd3, 0xff, 0x53, 0x00, 0x00, 0x00, - 0x00, 0x01, 0x16, 0x03, 0x01, 0x01, 0x0c, 0x01, - 0x00, 0x01, 0x08, 0x03, 0x03, 0x8c, 0xaa, 0xac, - 0x3a, 0x1a, 0x07, 0xbd, 0xe7, 0xb7, 0x50, 0x06, - 0x9b, 0x94, 0x0c, 0x34, 0x4b, 0x5a, 0x35, 0xca, - 0xc4, 0x79, 0xbd, 0xc9, 0x09, 0xb0, 0x7b, 0xd9, - 0xee, 0xbb, 0x7d, 0xe7, 0x25, 0x20, 0x39, 0x38, - 0xe2, 0x18, 0x33, 0x36, 0x14, 0x9f, 0x34, 0xf0, - 0x44, 0x59, 0x96, 0x8d, 0x0e, 0xd2, 0x47, 0x76, - 0x64, 0x88, 0x59, 0xe9, 0x38, 0x03, 0x97, 0x96, - 0x98, 0x45, 0xfb, 0xf5, 0xff, 0x23, 0x00, 0x32, - 0x13, 0x02, 0x13, 0x03, 0x13, 0x01, 0xc0, 0x2c, - 0xc0, 0x30, 0x00, 0x9f, 0xcc, 0xa9, 0xcc, 0xa8, - 0xcc, 0xaa, 0xc0, 0x2b, 0xc0, 0x2f, 0x00, 0x9e, - 0xc0, 0x24, 0xc0, 0x28, 0x00, 0x6b, 0xc0, 0x23, - 0xc0, 0x27, 0x00, 0x67, 0xc0, 0x0a, 0xc0, 0x14, - 0x00, 0x39, 0xc0, 0x09, 0xc0, 0x13, 0x00, 0x33, - 0x00, 0xff, 0x01, 0x00, 0x00, 0x8d, 0x00, 0x0b, - 0x00, 0x04, 0x03, 0x00, 0x01, 0x02, 0x00, 0x0a, - 0x00, 0x0c, 0x00, 0x0a, 0x00, 0x1d, 0x00, 0x17, - 0x00, 0x1e, 0x00, 0x19, 0x00, 0x18, 0x00, 0x16, - 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x0d, - 0x00, 0x30, 0x00, 0x2e, 0x04, 0x03, 0x05, 0x03, - 0x06, 0x03, 0x08, 0x07, 0x08, 0x08, 0x08, 0x09, - 0x08, 0x0a, 0x08, 0x0b, 0x08, 0x04, 0x08, 0x05, - 0x08, 0x06, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, - 0x03, 0x03, 0x02, 0x03, 0x03, 0x01, 0x02, 0x01, - 0x03, 0x02, 0x02, 0x02, 0x04, 0x02, 0x05, 0x02, - 0x06, 0x02, 0x00, 0x2b, 0x00, 0x05, 0x04, 0x03, - 0x04, 0x03, 0x03, 0x00, 0x2d, 0x00, 0x02, 0x01, - 0x01, 0x00, 0x33, 0x00, 0x26, 0x00, 0x24, 0x00, - 0x1d, 0x00, 0x20, 0x0e, 0xc9, 0x7a, 0xff, 0x58, - 0xdb, 0x56, 0xf6, 0x40, 0xd1, 0xed, 0xdb, 0x91, - 0x81, 0xd6, 0xef, 0x83, 0x86, 0x8a, 0xb2, 0x3d, - 0x88, 0x92, 0x3f, 0xd8, 0x51, 0x9c, 0xd6, 0x26, - 0x56, 0x33, 0x6b + 0x20, 0x14, 0x01, 0x4e, 0xbc, 0x80, 0xc6, 0x14, 0x2b, 0x7b, 0xc8, 0x76, 0xfb, 0xc5, 0x2e, 0x27, + 0xb1, 0xc5, 0x07, 0x35, 0x5b, 0xb6, 0x00, 0x6b, 0xae, 0x71, 
0xba, 0x4e, 0x38, 0x00, 0x00, 0x00, + 0x03, 0x61, 0xd3, 0xff, 0x53, 0x00, 0x00, 0x00, 0x00, 0x01, 0x16, 0x03, 0x01, 0x01, 0x0c, 0x01, + 0x00, 0x01, 0x08, 0x03, 0x03, 0x8c, 0xaa, 0xac, 0x3a, 0x1a, 0x07, 0xbd, 0xe7, 0xb7, 0x50, 0x06, + 0x9b, 0x94, 0x0c, 0x34, 0x4b, 0x5a, 0x35, 0xca, 0xc4, 0x79, 0xbd, 0xc9, 0x09, 0xb0, 0x7b, 0xd9, + 0xee, 0xbb, 0x7d, 0xe7, 0x25, 0x20, 0x39, 0x38, 0xe2, 0x18, 0x33, 0x36, 0x14, 0x9f, 0x34, 0xf0, + 0x44, 0x59, 0x96, 0x8d, 0x0e, 0xd2, 0x47, 0x76, 0x64, 0x88, 0x59, 0xe9, 0x38, 0x03, 0x97, 0x96, + 0x98, 0x45, 0xfb, 0xf5, 0xff, 0x23, 0x00, 0x32, 0x13, 0x02, 0x13, 0x03, 0x13, 0x01, 0xc0, 0x2c, + 0xc0, 0x30, 0x00, 0x9f, 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xc0, 0x2b, 0xc0, 0x2f, 0x00, 0x9e, + 0xc0, 0x24, 0xc0, 0x28, 0x00, 0x6b, 0xc0, 0x23, 0xc0, 0x27, 0x00, 0x67, 0xc0, 0x0a, 0xc0, 0x14, + 0x00, 0x39, 0xc0, 0x09, 0xc0, 0x13, 0x00, 0x33, 0x00, 0xff, 0x01, 0x00, 0x00, 0x8d, 0x00, 0x0b, + 0x00, 0x04, 0x03, 0x00, 0x01, 0x02, 0x00, 0x0a, 0x00, 0x0c, 0x00, 0x0a, 0x00, 0x1d, 0x00, 0x17, + 0x00, 0x1e, 0x00, 0x19, 0x00, 0x18, 0x00, 0x16, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x0d, + 0x00, 0x30, 0x00, 0x2e, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x08, 0x07, 0x08, 0x08, 0x08, 0x09, + 0x08, 0x0a, 0x08, 0x0b, 0x08, 0x04, 0x08, 0x05, 0x08, 0x06, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, + 0x03, 0x03, 0x02, 0x03, 0x03, 0x01, 0x02, 0x01, 0x03, 0x02, 0x02, 0x02, 0x04, 0x02, 0x05, 0x02, + 0x06, 0x02, 0x00, 0x2b, 0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03, 0x00, 0x2d, 0x00, 0x02, 0x01, + 0x01, 0x00, 0x33, 0x00, 0x26, 0x00, 0x24, 0x00, 0x1d, 0x00, 0x20, 0x0e, 0xc9, 0x7a, 0xff, 0x58, + 0xdb, 0x56, 0xf6, 0x40, 0xd1, 0xed, 0xdb, 0x91, 0x81, 0xd6, 0xef, 0x83, 0x86, 0x8a, 0xb2, 0x3d, + 0x88, 0x92, 0x3f, 0xd8, 0x51, 0x9c, 0xd6, 0x26, 0x56, 0x33, 0x6b }; /* This is a truncated packet as we do not care for the TLS payload in the * unit test */ -const uint8_t client_control_with_ack[] = { - 0x20, 0x78, 0x19, 0xbf, 0x2e, 0xbc, 0xd1, 0x9a, - 0x45, 0x01, 0x00, 0x00, 0x00, 0x00, 
0xea, - 0xfe, 0xbf, 0xa4, 0x41, 0x8a, 0xe3, 0x1b, - 0x00, 0x00, 0x00, 0x01, 0x16, 0x03, 0x01 -}; +const uint8_t client_control_with_ack[] = { 0x20, 0x78, 0x19, 0xbf, 0x2e, 0xbc, 0xd1, 0x9a, + 0x45, 0x01, 0x00, 0x00, 0x00, 0x00, 0xea, 0xfe, + 0xbf, 0xa4, 0x41, 0x8a, 0xe3, 0x1b, 0x00, 0x00, + 0x00, 0x01, 0x16, 0x03, 0x01 }; -const uint8_t client_ack_none_random_id[] = { - 0x28, 0xae, 0xb9, 0xaf, 0xe1, 0xf0, 0x1d, 0x79, - 0xc8, 0x01, 0x00, 0x00, 0x00, 0x00, 0xdd, - 0x85, 0xdb, 0x53, 0x56, 0x23, 0xb0, 0x2e -}; +const uint8_t client_ack_none_random_id[] = { 0x28, 0xae, 0xb9, 0xaf, 0xe1, 0xf0, 0x1d, 0x79, + 0xc8, 0x01, 0x00, 0x00, 0x00, 0x00, 0xdd, 0x85, + 0xdb, 0x53, 0x56, 0x23, 0xb0, 0x2e }; struct tls_auth_standalone init_tas_auth(int key_direction) { struct tls_auth_standalone tas = { 0 }; - struct frame frame = { {.headroom = 200, .payload_size = 1400}, 0}; + struct frame frame = { { .headroom = 200, .payload_size = 1400 }, 0 }; tas.frame = frame; tas.tls_wrap.mode = TLS_WRAP_AUTH; /* we ignore packet ids on for the first packet check */ - tas.tls_wrap.opt.flags |= (CO_IGNORE_PACKET_ID|CO_PACKET_ID_LONG_FORM); + tas.tls_wrap.opt.flags |= (CO_IGNORE_PACKET_ID | CO_PACKET_ID_LONG_FORM); struct key_type tls_crypt_kt; init_key_type(&tls_crypt_kt, "none", "SHA1", true, false); - crypto_read_openvpn_key(&tls_crypt_kt, &tas.tls_wrap.opt.key_ctx_bi, - static_key, true, key_direction, - "Control Channel Authentication", "tls-auth", - NULL); + crypto_read_openvpn_key(&tls_crypt_kt, &tas.tls_wrap.opt.key_ctx_bi, static_key, true, + key_direction, "Control Channel Authentication", "tls-auth", NULL); tas.workbuf = alloc_buf(1600); return tas; 
@@ -197,11 +165,10 @@ init_tas_crypt(bool server) { struct tls_auth_standalone tas = { 0 }; tas.tls_wrap.mode = TLS_WRAP_CRYPT; - tas.tls_wrap.opt.flags |= (CO_IGNORE_PACKET_ID|CO_PACKET_ID_LONG_FORM); + tas.tls_wrap.opt.flags |= (CO_IGNORE_PACKET_ID | CO_PACKET_ID_LONG_FORM); - tls_crypt_init_key(&tas.tls_wrap.opt.key_ctx_bi, - &tas.tls_wrap.original_wrap_keydata, static_key, - true, server); + tls_crypt_init_key(&tas.tls_wrap.opt.key_ctx_bi, &tas.tls_wrap.original_wrap_keydata, + static_key, true, server); tas.workbuf = alloc_buf(1600); tas.tls_wrap.work = alloc_buf(1600); @@ -248,7 +215,7 @@ test_tls_decrypt_lite_crypt(void **ut_state) free_tls_pre_decrypt_state(&state); /* flip a byte in various places */ - for (int i = 0; isettings.flags = MF_EXTERNAL_KEY|MF_EXTERNAL_KEY_PSSPAD; + management->settings.flags = MF_EXTERNAL_KEY | MF_EXTERNAL_KEY_PSSPAD; /* first without digest support in management client */ again: @@ -328,8 +328,8 @@ xkey_free(void *handle) } static int -xkey_sign(void *handle, unsigned char *sig, size_t *siglen, - const unsigned char *tbs, size_t tbslen, XKEY_SIGALG s) +xkey_sign(void *handle, unsigned char *sig, size_t *siglen, const unsigned char *tbs, size_t tbslen, + XKEY_SIGALG s) { if (!sig) { @@ -386,7 +386,8 @@ xkey_provider_test_generic_sign_cb(void **state) pubkey = load_pubkey(pubkeys[i]); assert_true(pubkey != NULL); - EVP_PKEY *privkey = xkey_load_generic_key(NULL, (void *)dummy, pubkey, xkey_sign, xkey_free); + EVP_PKEY *privkey = + xkey_load_generic_key(NULL, (void *)dummy, pubkey, xkey_sign, xkey_free); assert_true(privkey != NULL); xkey_sign_called = 0; diff --git a/tests/unit_tests/openvpn/test_push_update_msg.c b/tests/unit_tests/openvpn/test_push_update_msg.c index d47286a09..0f4ad4140 100644 --- a/tests/unit_tests/openvpn/test_push_update_msg.c +++ b/tests/unit_tests/openvpn/test_push_update_msg.c 
@@ -14,36 +14,17 @@ unsigned int pull_permission_mask(const struct context *c) { - unsigned int flags = - OPT_P_UP - | OPT_P_ROUTE_EXTRAS - | OPT_P_SOCKBUF - | OPT_P_SOCKFLAGS - | OPT_P_SETENV - | OPT_P_SHAPER - | OPT_P_TIMER - | OPT_P_COMP - | OPT_P_PERSIST - | OPT_P_MESSAGES - | OPT_P_EXPLICIT_NOTIFY - | OPT_P_ECHO - | OPT_P_PULL_MODE - | OPT_P_PEER_ID - | OPT_P_NCP - | OPT_P_PUSH_MTU - | OPT_P_ROUTE - | OPT_P_DHCPDNS; + unsigned int flags = OPT_P_UP | OPT_P_ROUTE_EXTRAS | OPT_P_SOCKBUF | OPT_P_SOCKFLAGS + | OPT_P_SETENV | OPT_P_SHAPER | OPT_P_TIMER | OPT_P_COMP | OPT_P_PERSIST + | OPT_P_MESSAGES | OPT_P_EXPLICIT_NOTIFY | OPT_P_ECHO | OPT_P_PULL_MODE + | OPT_P_PEER_ID | OPT_P_NCP | OPT_P_PUSH_MTU | OPT_P_ROUTE | OPT_P_DHCPDNS; return flags; } bool -apply_push_options(struct context *c, - struct options *options, - struct buffer *buf, - unsigned int permission_mask, - unsigned int *option_types_found, - struct env_set *es, - bool is_update) +apply_push_options(struct context *c, struct options *options, struct buffer *buf, + unsigned int permission_mask, unsigned int *option_types_found, + struct env_set *es, bool is_update) { char line[OPTION_PARM_SIZE]; @@ -80,10 +61,8 @@ apply_push_options(struct context *c, } int -process_incoming_push_msg(struct context *c, - const struct buffer *buffer, - bool honor_received_options, - unsigned int permission_mask, +process_incoming_push_msg(struct context *c, const struct buffer *buffer, + bool honor_received_options, unsigned int permission_mask, unsigned int *option_types_found) { struct buffer buf = *buffer; 
@@ -92,16 +71,13 @@ process_incoming_push_msg(struct context *c, { return PUSH_MSG_REQUEST; } - else if (honor_received_options - && buf_string_compare_advance(&buf, push_reply_cmd)) + else if (honor_received_options && buf_string_compare_advance(&buf, push_reply_cmd)) { return PUSH_MSG_REPLY; } - else if (honor_received_options - && buf_string_compare_advance(&buf, push_update_cmd)) + else if (honor_received_options && buf_string_compare_advance(&buf, push_update_cmd)) { - return process_incoming_push_update(c, permission_mask, - option_types_found, &buf); + return process_incoming_push_update(c, permission_mask, option_types_found, &buf); } else { @@ -116,11 +92,14 @@ test_incoming_push_message_basic(void **state) { struct context *c = *state; struct buffer buf = alloc_buf(256); - const char *update_msg = "PUSH_UPDATE,dhcp-option DNS 8.8.8.8, route 0.0.0.0 0.0.0.0 10.10.10.1"; + const char *update_msg = + "PUSH_UPDATE,dhcp-option DNS 8.8.8.8, route 0.0.0.0 0.0.0.0 10.10.10.1"; buf_write(&buf, update_msg, strlen(update_msg)); unsigned int option_types_found = 0; - assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), &option_types_found), PUSH_MSG_UPDATE); + assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), + &option_types_found), + PUSH_MSG_UPDATE); free_buf(&buf); } @@ -134,7 +113,9 @@ test_incoming_push_message_error1(void **state) buf_write(&buf, update_msg, strlen(update_msg)); unsigned int option_types_found = 0; - assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), &option_types_found), PUSH_MSG_ERROR); + assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), + &option_types_found), + PUSH_MSG_ERROR); free_buf(&buf); } 
@@ -149,7 +130,9 @@ test_incoming_push_message_error2(void **state) buf_write(&buf, update_msg, strlen(update_msg)); unsigned int option_types_found = 0; - assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), &option_types_found), PUSH_MSG_ERROR); + assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), + &option_types_found), + PUSH_MSG_ERROR); free_buf(&buf); } @@ -163,7 +146,9 @@ test_incoming_push_message_1(void **state) buf_write(&buf, update_msg, strlen(update_msg)); unsigned int option_types_found = 0; - assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), &option_types_found), PUSH_MSG_UPDATE); + assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), + &option_types_found), + PUSH_MSG_UPDATE); free_buf(&buf); } @@ -177,7 +162,9 @@ test_incoming_push_message_bad_format(void **state) buf_write(&buf, update_msg, strlen(update_msg)); unsigned int option_types_found = 0; - assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), &option_types_found), PUSH_MSG_ERROR); + assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), + &option_types_found), + PUSH_MSG_ERROR); free_buf(&buf); } @@ -191,7 +178,9 @@ test_incoming_push_message_not_updatable_option(void **state) buf_write(&buf, update_msg, strlen(update_msg)); unsigned int option_types_found = 0; - assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), &option_types_found), PUSH_MSG_ERROR); + assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), + &option_types_found), + PUSH_MSG_ERROR); free_buf(&buf); } 
@@ -201,11 +190,14 @@ test_incoming_push_message_mix(void **state) { struct context *c = *state; struct buffer buf = alloc_buf(256); - const char *update_msg = "PUSH_UPDATE,-dhcp-option, route 10.10.10.0, dhcp-option DNS 1.1.1.1, route 10.11.12.0, dhcp-option DOMAIN corp.local, keepalive 10 60"; + const char *update_msg = + "PUSH_UPDATE,-dhcp-option, route 10.10.10.0, dhcp-option DNS 1.1.1.1, route 10.11.12.0, dhcp-option DOMAIN corp.local, keepalive 10 60"; buf_write(&buf, update_msg, strlen(update_msg)); unsigned int option_types_found = 0; - assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), &option_types_found), PUSH_MSG_UPDATE); + assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), + &option_types_found), + PUSH_MSG_UPDATE); free_buf(&buf); } @@ -215,11 +207,14 @@ test_incoming_push_message_mix2(void **state) { struct context *c = *state; struct buffer buf = alloc_buf(256); - const char *update_msg = "PUSH_UPDATE,-dhcp-option,dhcp-option DNS 8.8.8.8,redirect-gateway local,route 192.168.1.0 255.255.255.0"; + const char *update_msg = + "PUSH_UPDATE,-dhcp-option,dhcp-option DNS 8.8.8.8,redirect-gateway local,route 192.168.1.0 255.255.255.0"; buf_write(&buf, update_msg, strlen(update_msg)); unsigned int option_types_found = 0; - assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), &option_types_found), PUSH_MSG_UPDATE); + assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), + &option_types_found), + PUSH_MSG_UPDATE); free_buf(&buf); } 
@@ -249,7 +244,8 @@ main(void) cmocka_unit_test_setup_teardown(test_incoming_push_message_basic, setup, teardown), cmocka_unit_test_setup_teardown(test_incoming_push_message_error1, setup, teardown), cmocka_unit_test_setup_teardown(test_incoming_push_message_error2, setup, teardown), - cmocka_unit_test_setup_teardown(test_incoming_push_message_not_updatable_option, setup, teardown), + cmocka_unit_test_setup_teardown(test_incoming_push_message_not_updatable_option, setup, + teardown), cmocka_unit_test_setup_teardown(test_incoming_push_message_1, setup, teardown), cmocka_unit_test_setup_teardown(test_incoming_push_message_bad_format, setup, teardown), cmocka_unit_test_setup_teardown(test_incoming_push_message_mix, setup, teardown), diff --git a/tests/unit_tests/openvpn/test_ssl.c b/tests/unit_tests/openvpn/test_ssl.c index c758f877f..7bf539699 100644 --- a/tests/unit_tests/openvpn/test_ssl.c +++ b/tests/unit_tests/openvpn/test_ssl.c @@ -159,7 +159,7 @@ static struct static int init(void **state) { - (void) state; + (void)state; global_state.gc = gc_new(); global_state.certfile = platform_create_temp_file(get_tmp_dir(), "cert", &global_state.gc); global_state.keyfile = platform_create_temp_file(get_tmp_dir(), "key", &global_state.gc); @@ -180,7 +180,7 @@ init(void **state) static int cleanup(void **state) { - (void) state; + (void)state; unlink(global_state.certfile); unlink(global_state.keyfile); gc_free(&global_state.gc); @@ -220,7 +220,7 @@ crypto_pem_encode_certificate(void **state) static void test_load_certificate_and_key(void **state) { - (void) state; + (void)state; struct tls_root_ctx ctx = { 0 }; /* test loading of inlined cert and key. 
@@ -242,11 +242,11 @@ test_load_certificate_and_key(void **state) static void test_load_certificate_and_key_uri(void **state) { - (void) state; + (void)state; #if !defined(HAVE_OPENSSL_STORE) skip(); -#else /* HAVE_OPENSSL_STORE */ +#else /* HAVE_OPENSSL_STORE */ struct tls_root_ctx ctx = { 0 }; const char *certfile = global_state.certfile; @@ -306,7 +306,6 @@ init_frame_parameters(struct frame *frame) frame->buf.tailroom = overhead; frame->tun_mtu = tls_mtu; - } static void @@ -333,7 +332,6 @@ do_data_channel_round_trip(struct crypto_options *co) /* Test encryption, decryption for all packet sizes */ for (int i = 1; i <= frame.buf.payload_size; ++i) { - /* msg(M_INFO, "TESTING ENCRYPT/DECRYPT of packet length=%d", i); */ /* @@ -413,7 +411,6 @@ encrypt_one_packet(struct crypto_options *co, int len) static void check_aead_limits(struct crypto_options *co, bool chachapoly) { - /* Check that we correctly react when we have a nearing AEAD limits */ /* manually increase the send counter to be past @@ -445,9 +442,8 @@ check_aead_limits(struct crypto_options *co, bool chachapoly) { /* Check always against the GCM usage limit here to see if that * check works */ - assert_true(aead_usage_limit_reached((1ull << 36), - &co->key_ctx_bi.encrypt, - co->packet_id.send.id)); + assert_true( + aead_usage_limit_reached((1ull << 36), &co->key_ctx_bi.encrypt, co->packet_id.send.id)); return; } @@ -464,10 +460,9 @@ check_aead_limits(struct crypto_options *co, bool chachapoly) static struct crypto_options -init_crypto_options(const char *cipher, const char *auth, bool epoch, - struct key2 *statickey) +init_crypto_options(const char *cipher, const char *auth, bool epoch, struct key2 *statickey) { - struct key2 key2 = { .n = 2}; + struct key2 key2 = { .n = 2 }; if (statickey) { 
@@ -488,7 +483,7 @@ init_crypto_options(const char *cipher, const char *auth, bool epoch, if (epoch) { - struct epoch_key e1 = { .epoch = 1, .epoch_key = { 0 }}; + struct epoch_key e1 = { .epoch = 1, .epoch_key = { 0 } }; memcpy(e1.epoch_key, key2.keys[0].cipher, sizeof(e1.epoch_key)); co.flags |= CO_EPOCH_DATA_KEY_FORMAT; epoch_init_key_ctx(&co, &kt, &e1, &e1, 5); @@ -633,11 +628,11 @@ test_data_channel_roundtrip_bf_cbc(void **state) static struct key2 create_key(void) { - struct key2 key2 = {.n = 2}; + struct key2 key2 = { .n = 2 }; - const uint8_t key[] = - {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', '0', '1', '2', '3', '4', '5', '6', '7', 'A', 'B', 'C', 'D', 'E', 'F', - 'G', 'H', 'j', 'k', 'u', 'c', 'h', 'e', 'n', 'l'}; + const uint8_t key[] = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', '0', '1', '2', + '3', '4', '5', '6', '7', 'A', 'B', 'C', 'D', 'E', 'F', + 'G', 'H', 'j', 'k', 'u', 'c', 'h', 'e', 'n', 'l' }; static_assert(sizeof(key) == 32, "Size of key should be 32 bytes"); @@ -647,7 +642,7 @@ create_key(void) for (int i = 0; i < sizeof(key2.keys); i++) { - keydata[i] = (uint8_t) (key[i % sizeof(key)] ^ i); + keydata[i] = (uint8_t)(key[i % sizeof(key)] ^ i); } ASSERT(memcpy(key2.keys[0].cipher, keydata, sizeof(key2.keys[0].cipher))); @@ -663,8 +658,7 @@ test_data_channel_known_vectors_run(bool epoch) { struct key2 key2 = create_key(); - struct crypto_options co = init_crypto_options("AES-256-GCM", "none", epoch, - &key2); + struct crypto_options co = init_crypto_options("AES-256-GCM", "none", epoch, &key2); struct gc_arena gc = gc_new(); 
@@ -716,41 +710,40 @@ test_data_channel_known_vectors_run(bool epoch) if (epoch) { - uint8_t packetid1[8] = {0, 0x04, 0, 0, 0, 0, 0, 1}; + uint8_t packetid1[8] = { 0, 0x04, 0, 0, 0, 0, 0, 1 }; assert_memory_equal(BPTR(&buf), packetid1, 8); } else { - uint8_t packetid1[4] = {0, 0, 0, 1}; + uint8_t packetid1[4] = { 0, 0, 0, 1 }; assert_memory_equal(BPTR(&buf), packetid1, 4); } if (epoch) { uint8_t *tag_location = BEND(&buf) - OPENVPN_AEAD_TAG_LENGTH; - const uint8_t exp_tag_epoch[16] = - {0x0f, 0xff, 0xf5, 0x91, 0x3d, 0x39, 0xd7, 0x5b, - 0x18, 0x57, 0x3b, 0x57, 0x48, 0x58, 0x9a, 0x7d}; + const uint8_t exp_tag_epoch[16] = { 0x0f, 0xff, 0xf5, 0x91, 0x3d, 0x39, 0xd7, 0x5b, + 0x18, 0x57, 0x3b, 0x57, 0x48, 0x58, 0x9a, 0x7d }; assert_memory_equal(tag_location, exp_tag_epoch, OPENVPN_AEAD_TAG_LENGTH); } else { uint8_t *tag_location = BPTR(&buf) + 4; - const uint8_t exp_tag_noepoch[16] = - {0x1f, 0xdd, 0x90, 0x8f, 0x0e, 0x9d, 0xc2, 0x5e, 0x79, 0xd8, 0x32, 0x02, 0x0d, 0x58, 0xe7, 0x3f}; + const uint8_t exp_tag_noepoch[16] = { 0x1f, 0xdd, 0x90, 0x8f, 0x0e, 0x9d, 0xc2, 0x5e, + 0x79, 0xd8, 0x32, 0x02, 0x0d, 0x58, 0xe7, 0x3f }; assert_memory_equal(tag_location, exp_tag_noepoch, OPENVPN_AEAD_TAG_LENGTH); } /* Check some bytes at the beginning of the encrypted part */ if (epoch) { - const uint8_t bytesat14[6] = {0x36, 0xaa, 0xb4, 0xd4, 0x9c, 0xe6}; + const uint8_t bytesat14[6] = { 0x36, 0xaa, 0xb4, 0xd4, 0x9c, 0xe6 }; assert_memory_equal(BPTR(&buf) + 14, bytesat14, sizeof(bytesat14)); } else { - const uint8_t bytesat30[6] = {0xa8, 0x2e, 0x6b, 0x17, 0x06, 0xd9}; + const uint8_t bytesat30[6] = { 0xa8, 0x2e, 0x6b, 0x17, 0x06, 0xd9 }; assert_memory_equal(BPTR(&buf) + 30, bytesat30, sizeof(bytesat30)); } diff --git a/tests/unit_tests/openvpn/test_tls_crypt.c b/tests/unit_tests/openvpn/test_tls_crypt.c index 1b5eb277c..532bfcda3 100644 --- a/tests/unit_tests/openvpn/test_tls_crypt.c +++ b/tests/unit_tests/openvpn/test_tls_crypt.c 
@@ -39,8 +39,7 @@ /* Define this function here as dummy since including the ssl_*.c files * leads to having to include even more unrelated code */ bool -key_state_export_keying_material(struct tls_session *session, - const char *label, size_t label_size, +key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, void *ekm, size_t ekm_size) { memset(ekm, 0xba, ekm_size); @@ -48,22 +47,22 @@ key_state_export_keying_material(struct tls_session *session, } -#define TESTBUF_SIZE 128 +#define TESTBUF_SIZE 128 /* Defines for use in the tests and the mock parse_line() */ -#define PATH1 "/s p a c e" -#define PATH2 "/foo bar/baz" -#define PARAM1 "param1" -#define PARAM2 "param two" +#define PATH1 "/s p a c e" +#define PATH2 "/foo bar/baz" +#define PARAM1 "param1" +#define PARAM2 "param two" -static const char *test_server_key = \ +static const char *test_server_key = "-----BEGIN OpenVPN tls-crypt-v2 server key-----\n" "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4v\n" "MDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5f\n" "YGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn8=\n" "-----END OpenVPN tls-crypt-v2 server key-----\n"; -static const char *test_client_key = \ +static const char *test_client_key = "-----BEGIN OpenVPN tls-crypt-v2 client key-----\n" "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4v\n" "MDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5f\n" @@ -81,7 +80,7 @@ static const char *test_client_key = \ /* Has custom metadata of AABBCCDD (base64) */ -static const char *test_client_key_metadata = \ +static const char *test_client_key_metadata = "-----BEGIN OpenVPN tls-crypt-v2 client key-----\n" "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4v\n" "MDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5f\n" 
@@ -98,8 +97,8 @@ static const char *test_client_key_metadata = \ "-----END OpenVPN tls-crypt-v2 client key-----\n"; int -__wrap_parse_line(const char *line, char **p, const int n, const char *file, - const int line_num, int msglevel, struct gc_arena *gc) +__wrap_parse_line(const char *line, char **p, const int n, const char *file, const int line_num, + int msglevel, struct gc_arena *gc) { p[0] = PATH1 PATH2; p[1] = PARAM1; @@ -141,7 +140,8 @@ __wrap_rand_bytes(uint8_t *output, int len) return true; } -struct test_tls_crypt_context { +struct test_tls_crypt_context +{ struct crypto_options co; struct key_type kt; struct buffer source; @@ -156,8 +156,10 @@ test_tls_crypt_setup(void **state) struct test_tls_crypt_context *ctx = calloc(1, sizeof(*ctx)); *state = ctx; - struct key_parameters key = { .cipher = { 0 }, .hmac = { 0 }, - .hmac_size = MAX_HMAC_KEY_LENGTH, .cipher_size = MAX_CIPHER_KEY_LENGTH }; + struct key_parameters key = { .cipher = { 0 }, + .hmac = { 0 }, + .hmac_size = MAX_HMAC_KEY_LENGTH, + .cipher_size = MAX_CIPHER_KEY_LENGTH }; ctx->kt = tls_crypt_kt(); if (!ctx->kt.cipher || !ctx->kt.digest) @@ -187,8 +189,7 @@ test_tls_crypt_setup(void **state) static int test_tls_crypt_teardown(void **state) { - struct test_tls_crypt_context *ctx = - (struct test_tls_crypt_context *)*state; + struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *)*state; free_buf(&ctx->source); free_buf(&ctx->ciphertext); @@ -216,7 +217,7 @@ skip_if_tls_crypt_not_supported(struct test_tls_crypt_context *ctx) static void tls_crypt_loopback(void **state) { - struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state; + struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *)*state; skip_if_tls_crypt_not_supported(ctx); 
@@ -224,8 +225,7 @@ tls_crypt_loopback(void **state) assert_true(BLEN(&ctx->source) < BLEN(&ctx->ciphertext)); assert_true(tls_crypt_unwrap(&ctx->ciphertext, &ctx->unwrapped, &ctx->co)); assert_int_equal(BLEN(&ctx->source), BLEN(&ctx->unwrapped)); - assert_memory_equal(BPTR(&ctx->source), BPTR(&ctx->unwrapped), - BLEN(&ctx->source)); + assert_memory_equal(BPTR(&ctx->source), BPTR(&ctx->unwrapped), BLEN(&ctx->source)); } @@ -235,8 +235,7 @@ tls_crypt_loopback(void **state) static void test_tls_crypt_secure_reneg_key(void **state) { - struct test_tls_crypt_context *ctx = - (struct test_tls_crypt_context *)*state; + struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *)*state; struct gc_arena gc = gc_new(); 
@@ -255,19 +254,19 @@ test_tls_crypt_secure_reneg_key(void **state) tls_crypt_wrap(&ctx->source, &rctx->work, &rctx->opt); assert_int_equal(buf_len(&ctx->source) + 40, buf_len(&rctx->work)); - uint8_t expected_ciphertext[] = { - 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xe3, 0x19, 0x27, 0x7f, 0x1c, 0x8d, 0x6e, 0x6a, - 0x77, 0x96, 0xa8, 0x55, 0x33, 0x7b, 0x9c, 0xfb, 0x56, 0xe1, 0xf1, 0x3a, 0x87, 0x0e, 0x66, 0x47, - 0xdf, 0xa1, 0x95, 0xc9, 0x2c, 0x17, 0xa0, 0x15, 0xba, 0x49, 0x67, 0xa1, 0x1d, 0x55, 0xea, 0x1a, - 0x06, 0xa7 - }; + uint8_t expected_ciphertext[] = { 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xe3, 0x19, + 0x27, 0x7f, 0x1c, 0x8d, 0x6e, 0x6a, 0x77, 0x96, 0xa8, 0x55, + 0x33, 0x7b, 0x9c, 0xfb, 0x56, 0xe1, 0xf1, 0x3a, 0x87, 0x0e, + 0x66, 0x47, 0xdf, 0xa1, 0x95, 0xc9, 0x2c, 0x17, 0xa0, 0x15, + 0xba, 0x49, 0x67, 0xa1, 0x1d, 0x55, 0xea, 0x1a, 0x06, 0xa7 }; assert_memory_equal(BPTR(&rctx->work), expected_ciphertext, buf_len(&rctx->work)); tls_wrap_free(&session.tls_wrap_reneg); /* Use previous tls-crypt key as 0x00, with xor we should have the same key * and expect the same result */ session.tls_wrap.mode = TLS_WRAP_CRYPT; - memset(&session.tls_wrap.original_wrap_keydata.keys, 0x00, sizeof(session.tls_wrap.original_wrap_keydata.keys)); + memset(&session.tls_wrap.original_wrap_keydata.keys, 0x00, + sizeof(session.tls_wrap.original_wrap_keydata.keys)); session.tls_wrap.original_wrap_keydata.n = 2; tls_session_generate_dynamic_tls_crypt_key(&session); @@ -278,7 +277,8 @@ test_tls_crypt_secure_reneg_key(void **state) tls_wrap_free(&session.tls_wrap_reneg); /* XOR should not force a different key */ - memset(&session.tls_wrap.original_wrap_keydata.keys, 0x42, sizeof(session.tls_wrap.original_wrap_keydata.keys)); + memset(&session.tls_wrap.original_wrap_keydata.keys, 0x42, + sizeof(session.tls_wrap.original_wrap_keydata.keys)); tls_session_generate_dynamic_tls_crypt_key(&session); tls_crypt_wrap(&ctx->source, &rctx->work, &rctx->opt); 
@@ -302,7 +302,7 @@ test_tls_crypt_secure_reneg_key(void **state)
 static void
 tls_crypt_loopback_zero_len(void **state)
 {
- struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state;
+ struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *)*state;
 skip_if_tls_crypt_not_supported(ctx);
@@ -312,8 +312,7 @@ tls_crypt_loopback_zero_len(void **state)
 assert_true(BLEN(&ctx->source) < BLEN(&ctx->ciphertext));
 assert_true(tls_crypt_unwrap(&ctx->ciphertext, &ctx->unwrapped, &ctx->co));
 assert_int_equal(BLEN(&ctx->source), BLEN(&ctx->unwrapped));
- assert_memory_equal(BPTR(&ctx->source), BPTR(&ctx->unwrapped),
- BLEN(&ctx->source));
+ assert_memory_equal(BPTR(&ctx->source), BPTR(&ctx->unwrapped), BLEN(&ctx->source));
 }
 /**
@@ -322,20 +321,19 @@ tls_crypt_loopback_zero_len(void **state)
 static void
 tls_crypt_loopback_max_len(void **state)
 {
- struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state;
+ struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *)*state;
 skip_if_tls_crypt_not_supported(ctx);
 buf_clear(&ctx->source);
- assert_non_null(buf_write_alloc(&ctx->source,
- TESTBUF_SIZE - BLEN(&ctx->ciphertext) - tls_crypt_buf_overhead()));
+ assert_non_null(buf_write_alloc(&ctx->source, TESTBUF_SIZE - BLEN(&ctx->ciphertext)
+ - tls_crypt_buf_overhead()));
 assert_true(tls_crypt_wrap(&ctx->source, &ctx->ciphertext, &ctx->co));
 assert_true(BLEN(&ctx->source) < BLEN(&ctx->ciphertext));
 assert_true(tls_crypt_unwrap(&ctx->ciphertext, &ctx->unwrapped, &ctx->co));
 assert_int_equal(BLEN(&ctx->source), BLEN(&ctx->unwrapped));
- assert_memory_equal(BPTR(&ctx->source), BPTR(&ctx->unwrapped),
- BLEN(&ctx->source));
+ assert_memory_equal(BPTR(&ctx->source), BPTR(&ctx->unwrapped), BLEN(&ctx->source));
 }
 /**
@@ -344,13 +342,13 @@ tls_crypt_loopback_max_len(void **state)
 static void
 tls_crypt_fail_msg_too_long(void **state)
 {
- struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state;
+ struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *)*state;
 skip_if_tls_crypt_not_supported(ctx);
 buf_clear(&ctx->source);
- assert_non_null(buf_write_alloc(&ctx->source,
- TESTBUF_SIZE - BLEN(&ctx->ciphertext) - tls_crypt_buf_overhead() + 1));
+ assert_non_null(buf_write_alloc(&ctx->source, TESTBUF_SIZE - BLEN(&ctx->ciphertext)
+ - tls_crypt_buf_overhead() + 1));
 assert_false(tls_crypt_wrap(&ctx->source, &ctx->ciphertext, &ctx->co));
 }
@@ -361,13 +359,15 @@ tls_crypt_fail_msg_too_long(void **state)
 static void
 tls_crypt_fail_invalid_key(void **state)
 {
- struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state;
+ struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *)*state;
 skip_if_tls_crypt_not_supported(ctx);
 /* Change decrypt key */
- struct key_parameters key = { .cipher = { 1 }, .hmac = { 1 },
- .cipher_size = MAX_CIPHER_KEY_LENGTH, .hmac_size = MAX_HMAC_KEY_LENGTH };
+ struct key_parameters key = { .cipher = { 1 },
+ .hmac = { 1 },
+ .cipher_size = MAX_CIPHER_KEY_LENGTH,
+ .hmac_size = MAX_HMAC_KEY_LENGTH };
 free_key_ctx(&ctx->co.key_ctx_bi.decrypt);
 init_key_ctx(&ctx->co.key_ctx_bi.decrypt, &key, &ctx->kt, false, "TEST");
@@ -382,7 +382,7 @@ tls_crypt_fail_invalid_key(void **state)
 static void
 tls_crypt_fail_replay(void **state)
 {
- struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state;
+ struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *)*state;
 skip_if_tls_crypt_not_supported(ctx);
@@ -402,7 +402,7 @@ tls_crypt_fail_replay(void **state)
 static void
 tls_crypt_ignore_replay(void **state)
 {
- struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state;
+ struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *)*state;
 skip_if_tls_crypt_not_supported(ctx);
@@ -416,7 +416,8 @@ tls_crypt_ignore_replay(void **state)
 assert_true(tls_crypt_unwrap(&ctx->ciphertext, &ctx->unwrapped, &ctx->co));
 }
-struct test_tls_crypt_v2_context {
+struct test_tls_crypt_v2_context
+{
 struct gc_arena gc;
 struct key2 server_key2;
 struct key_ctx_bi server_keys;
@@ -436,17 +437,15 @@ test_tls_crypt_v2_setup(void **state)
 ctx->gc = gc_new();
 /* Slightly longer buffers to be able to test too-long data */
- ctx->metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN+16, &ctx->gc);
- ctx->unwrapped_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN+16,
- &ctx->gc);
- ctx->wkc = alloc_buf_gc(TLS_CRYPT_V2_MAX_WKC_LEN+16, &ctx->gc);
+ ctx->metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN + 16, &ctx->gc);
+ ctx->unwrapped_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN + 16, &ctx->gc);
+ ctx->wkc = alloc_buf_gc(TLS_CRYPT_V2_MAX_WKC_LEN + 16, &ctx->gc);
 /* Generate server key */
 rand_bytes((void *)ctx->server_key2.keys, sizeof(ctx->server_key2.keys));
 ctx->server_key2.n = 2;
 struct key_type kt = tls_crypt_kt();
- init_key_ctx_bi(&ctx->server_keys, &ctx->server_key2,
- KEY_DIRECTION_BIDIRECTIONAL, &kt,
+ init_key_ctx_bi(&ctx->server_keys, &ctx->server_key2, KEY_DIRECTION_BIDIRECTIONAL, &kt,
 "tls-crypt-v2 server key");
 /* Generate client key */
@@ -459,8 +458,7 @@ test_tls_crypt_v2_setup(void **state)
 static int
 test_tls_crypt_v2_teardown(void **state)
 {
- struct test_tls_crypt_v2_context *ctx =
- (struct test_tls_crypt_v2_context *) *state;
+ struct test_tls_crypt_v2_context *ctx = (struct test_tls_crypt_v2_context *)*state;
 free_key_ctx_bi(&ctx->server_keys);
 free_key_ctx_bi(&ctx->client_key);
@@ -478,27 +476,20 @@ test_tls_crypt_v2_teardown(void **state)
 static void
 tls_crypt_v2_wrap_unwrap_no_metadata(void **state)
 {
- struct test_tls_crypt_v2_context *ctx =
- (struct test_tls_crypt_v2_context *) *state;
-
- struct buffer wrapped_client_key = alloc_buf_gc(TLS_CRYPT_V2_MAX_WKC_LEN,
- &ctx->gc);
- assert_true(tls_crypt_v2_wrap_client_key(&wrapped_client_key,
- &ctx->client_key2,
- &ctx->metadata,
- &ctx->server_keys.encrypt,
- &ctx->gc));
-
- struct buffer unwrap_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN,
- &ctx->gc);
+ struct test_tls_crypt_v2_context *ctx = (struct test_tls_crypt_v2_context *)*state;
+
+ struct buffer wrapped_client_key = alloc_buf_gc(TLS_CRYPT_V2_MAX_WKC_LEN, &ctx->gc);
+ assert_true(tls_crypt_v2_wrap_client_key(&wrapped_client_key, &ctx->client_key2, &ctx->metadata,
+ &ctx->server_keys.encrypt, &ctx->gc));
+
+ struct buffer unwrap_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN, &ctx->gc);
 struct key2 unwrapped_client_key2 = { 0 };
- assert_true(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2,
- &unwrap_metadata,
- wrapped_client_key,
- &ctx->server_keys.decrypt));
+ assert_true(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2, &unwrap_metadata,
+ wrapped_client_key, &ctx->server_keys.decrypt));
- assert_true(0 == memcmp(ctx->client_key2.keys, unwrapped_client_key2.keys,
- sizeof(ctx->client_key2.keys)));
+ assert_true(0
+ == memcmp(ctx->client_key2.keys, unwrapped_client_key2.keys,
+ sizeof(ctx->client_key2.keys)));
 }
 /**
@@ -508,26 +499,21 @@ tls_crypt_v2_wrap_unwrap_no_metadata(void **state)
 static void
 tls_crypt_v2_wrap_unwrap_max_metadata(void **state)
 {
- struct test_tls_crypt_v2_context *ctx =
- (struct test_tls_crypt_v2_context *) *state;
+ struct test_tls_crypt_v2_context *ctx = (struct test_tls_crypt_v2_context *)*state;
- uint8_t *metadata =
- buf_write_alloc(&ctx->metadata, TLS_CRYPT_V2_MAX_METADATA_LEN);
+ uint8_t *metadata = buf_write_alloc(&ctx->metadata, TLS_CRYPT_V2_MAX_METADATA_LEN);
 assert_true(rand_bytes(metadata, TLS_CRYPT_V2_MAX_METADATA_LEN));
- assert_true(tls_crypt_v2_wrap_client_key(&ctx->wkc, &ctx->client_key2,
- &ctx->metadata,
- &ctx->server_keys.encrypt,
- &ctx->gc));
+ assert_true(tls_crypt_v2_wrap_client_key(&ctx->wkc, &ctx->client_key2, &ctx->metadata,
+ &ctx->server_keys.encrypt, &ctx->gc));
- struct buffer unwrap_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN,
- &ctx->gc);
+ struct buffer unwrap_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN, &ctx->gc);
 struct key2 unwrapped_client_key2 = { 0 };
- assert_true(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2,
- &unwrap_metadata, ctx->wkc,
+ assert_true(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2, &unwrap_metadata, ctx->wkc,
 &ctx->server_keys.decrypt));
- assert_true(0 == memcmp(ctx->client_key2.keys, unwrapped_client_key2.keys,
- sizeof(ctx->client_key2.keys)));
+ assert_true(0
+ == memcmp(ctx->client_key2.keys, unwrapped_client_key2.keys,
+ sizeof(ctx->client_key2.keys)));
 assert_true(buf_equal(&ctx->metadata, &unwrap_metadata));
 struct tls_wrap_ctx wrap_ctx = {
@@ -545,14 +531,11 @@ tls_crypt_v2_wrap_unwrap_max_metadata(void **state)
 static void
 tls_crypt_v2_wrap_too_long_metadata(void **state)
 {
- struct test_tls_crypt_v2_context *ctx =
- (struct test_tls_crypt_v2_context *) *state;
-
- assert_true(buf_inc_len(&ctx->metadata, TLS_CRYPT_V2_MAX_METADATA_LEN+1));
- assert_false(tls_crypt_v2_wrap_client_key(&ctx->wkc, &ctx->client_key2,
- &ctx->metadata,
- &ctx->server_keys.encrypt,
- &ctx->gc));
+ struct test_tls_crypt_v2_context *ctx = (struct test_tls_crypt_v2_context *)*state;
+
+ assert_true(buf_inc_len(&ctx->metadata, TLS_CRYPT_V2_MAX_METADATA_LEN + 1));
+ assert_false(tls_crypt_v2_wrap_client_key(&ctx->wkc, &ctx->client_key2, &ctx->metadata,
+ &ctx->server_keys.encrypt, &ctx->gc));
 }
 /**
@@ -562,28 +545,22 @@ tls_crypt_v2_wrap_too_long_metadata(void **state)
 static void
 tls_crypt_v2_wrap_unwrap_wrong_key(void **state)
 {
- struct test_tls_crypt_v2_context *ctx =
- (struct test_tls_crypt_v2_context *) *state;
+ struct test_tls_crypt_v2_context *ctx = (struct test_tls_crypt_v2_context *)*state;
- assert_true(tls_crypt_v2_wrap_client_key(&ctx->wkc, &ctx->client_key2,
- &ctx->metadata,
- &ctx->server_keys.encrypt,
- &ctx->gc));
+ assert_true(tls_crypt_v2_wrap_client_key(&ctx->wkc, &ctx->client_key2, &ctx->metadata,
+ &ctx->server_keys.encrypt, &ctx->gc));
 /* Change server key */
 struct key_type kt = tls_crypt_kt();
 free_key_ctx_bi(&ctx->server_keys);
 memset(&ctx->server_key2.keys, 0, sizeof(ctx->server_key2.keys));
- init_key_ctx_bi(&ctx->server_keys, &ctx->server_key2,
- KEY_DIRECTION_BIDIRECTIONAL, &kt,
+ init_key_ctx_bi(&ctx->server_keys, &ctx->server_key2, KEY_DIRECTION_BIDIRECTIONAL, &kt,
 "wrong tls-crypt-v2 server key");
 struct key2 unwrapped_client_key2 = { 0 };
- assert_false(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2,
- &ctx->unwrapped_metadata,
- ctx->wkc,
- &ctx->server_keys.decrypt));
+ assert_false(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2, &ctx->unwrapped_metadata,
+ ctx->wkc, &ctx->server_keys.decrypt));
 const struct key2 zero = { 0 };
 assert_true(0 == memcmp(&unwrapped_client_key2, &zero, sizeof(zero)));
@@ -597,23 +574,17 @@ tls_crypt_v2_wrap_unwrap_wrong_key(void **state)
 static void
 tls_crypt_v2_wrap_unwrap_dst_too_small(void **state)
 {
- struct test_tls_crypt_v2_context *ctx =
- (struct test_tls_crypt_v2_context *) *state;
+ struct test_tls_crypt_v2_context *ctx = (struct test_tls_crypt_v2_context *)*state;
- uint8_t *metadata =
- buf_write_alloc(&ctx->metadata, TLS_CRYPT_V2_MAX_METADATA_LEN);
+ uint8_t *metadata = buf_write_alloc(&ctx->metadata, TLS_CRYPT_V2_MAX_METADATA_LEN);
 assert_true(rand_bytes(metadata, TLS_CRYPT_V2_MAX_METADATA_LEN));
- assert_true(tls_crypt_v2_wrap_client_key(&ctx->wkc, &ctx->client_key2,
- &ctx->metadata,
- &ctx->server_keys.encrypt,
- &ctx->gc));
+ assert_true(tls_crypt_v2_wrap_client_key(&ctx->wkc, &ctx->client_key2, &ctx->metadata,
+ &ctx->server_keys.encrypt, &ctx->gc));
 struct key2 unwrapped_client_key2 = { 0 };
- struct buffer unwrapped_metadata =
- alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN-1, &ctx->gc);
- assert_false(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2,
- &unwrapped_metadata, ctx->wkc,
- &ctx->server_keys.decrypt));
+ struct buffer unwrapped_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN - 1, &ctx->gc);
+ assert_false(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2, &unwrapped_metadata,
+ ctx->wkc, &ctx->server_keys.decrypt));
 const struct key2 zero = { 0 };
 assert_true(0 == memcmp(&unwrapped_client_key2, &zero, sizeof(zero)));
@@ -626,8 +597,7 @@ test_tls_crypt_v2_write_server_key_file(void **state)
 const char *filename = "testfilename.key";
 expect_string(__wrap_buffer_write_file, filename, filename);
- expect_memory(__wrap_buffer_write_file, pem, test_server_key,
- strlen(test_server_key));
+ expect_memory(__wrap_buffer_write_file, pem, test_server_key, strlen(test_server_key));
 will_return(__wrap_buffer_write_file, true);
 tls_crypt_v2_write_server_key_file(filename);
@@ -640,8 +610,7 @@ test_tls_crypt_v2_write_client_key_file(void **state)
 /* Test writing the client key */
 expect_string(__wrap_buffer_write_file, filename, filename);
- expect_memory(__wrap_buffer_write_file, pem, test_client_key,
- strlen(test_client_key));
+ expect_memory(__wrap_buffer_write_file, pem, test_client_key, strlen(test_client_key));
 will_return(__wrap_buffer_write_file, true);
 /* Key generation re-reads the created file as a sanity check */
@@ -667,8 +636,7 @@ test_tls_crypt_v2_write_client_key_file_metadata(void **state)
 expect_string(__wrap_buffer_read_from_file, filename, filename);
 will_return(__wrap_buffer_read_from_file, test_client_key_metadata);
- tls_crypt_v2_write_client_key_file(filename, b64metadata, test_server_key,
- true);
+ tls_crypt_v2_write_client_key_file(filename, b64metadata, test_server_key, true);
 }
 int
@@ -676,44 +644,31 @@ main(void)
 {
 openvpn_unit_test_setup();
 const struct CMUnitTest tests[] = {
- cmocka_unit_test_setup_teardown(tls_crypt_loopback,
- test_tls_crypt_setup,
+ cmocka_unit_test_setup_teardown(tls_crypt_loopback, test_tls_crypt_setup,
 test_tls_crypt_teardown),
- cmocka_unit_test_setup_teardown(tls_crypt_loopback_zero_len,
- test_tls_crypt_setup,
+ cmocka_unit_test_setup_teardown(tls_crypt_loopback_zero_len, test_tls_crypt_setup,
 test_tls_crypt_teardown),
- cmocka_unit_test_setup_teardown(tls_crypt_loopback_max_len,
- test_tls_crypt_setup,
+ cmocka_unit_test_setup_teardown(tls_crypt_loopback_max_len, test_tls_crypt_setup,
 test_tls_crypt_teardown),
- cmocka_unit_test_setup_teardown(tls_crypt_fail_msg_too_long,
- test_tls_crypt_setup,
+ cmocka_unit_test_setup_teardown(tls_crypt_fail_msg_too_long, test_tls_crypt_setup,
 test_tls_crypt_teardown),
- cmocka_unit_test_setup_teardown(tls_crypt_fail_invalid_key,
- test_tls_crypt_setup,
+ cmocka_unit_test_setup_teardown(tls_crypt_fail_invalid_key, test_tls_crypt_setup,
 test_tls_crypt_teardown),
- cmocka_unit_test_setup_teardown(tls_crypt_fail_replay,
- test_tls_crypt_setup,
+ cmocka_unit_test_setup_teardown(tls_crypt_fail_replay, test_tls_crypt_setup,
 test_tls_crypt_teardown),
- cmocka_unit_test_setup_teardown(tls_crypt_ignore_replay,
- test_tls_crypt_setup,
+ cmocka_unit_test_setup_teardown(tls_crypt_ignore_replay, test_tls_crypt_setup,
 test_tls_crypt_teardown),
 cmocka_unit_test_setup_teardown(tls_crypt_v2_wrap_unwrap_no_metadata,
- test_tls_crypt_v2_setup,
- test_tls_crypt_v2_teardown),
+ test_tls_crypt_v2_setup, test_tls_crypt_v2_teardown),
 cmocka_unit_test_setup_teardown(tls_crypt_v2_wrap_unwrap_max_metadata,
- test_tls_crypt_v2_setup,
- test_tls_crypt_v2_teardown),
+ test_tls_crypt_v2_setup, test_tls_crypt_v2_teardown),
 cmocka_unit_test_setup_teardown(tls_crypt_v2_wrap_too_long_metadata,
- test_tls_crypt_v2_setup,
- test_tls_crypt_v2_teardown),
- cmocka_unit_test_setup_teardown(tls_crypt_v2_wrap_unwrap_wrong_key,
- test_tls_crypt_v2_setup,
+ test_tls_crypt_v2_setup, test_tls_crypt_v2_teardown),
+ cmocka_unit_test_setup_teardown(tls_crypt_v2_wrap_unwrap_wrong_key, test_tls_crypt_v2_setup,
 test_tls_crypt_v2_teardown),
 cmocka_unit_test_setup_teardown(tls_crypt_v2_wrap_unwrap_dst_too_small,
- test_tls_crypt_v2_setup,
- test_tls_crypt_v2_teardown),
- cmocka_unit_test_setup_teardown(test_tls_crypt_secure_reneg_key,
- test_tls_crypt_setup,
+ test_tls_crypt_v2_setup, test_tls_crypt_v2_teardown),
+ cmocka_unit_test_setup_teardown(test_tls_crypt_secure_reneg_key, test_tls_crypt_setup,
 test_tls_crypt_teardown),
 cmocka_unit_test(test_tls_crypt_v2_write_server_key_file),
 cmocka_unit_test(test_tls_crypt_v2_write_client_key_file),
diff --git a/tests/unit_tests/openvpn/test_user_pass.c b/tests/unit_tests/openvpn/test_user_pass.c
index 74f67a7c5..460b37fca 100644
--- a/tests/unit_tests/openvpn/test_user_pass.c
+++ b/tests/unit_tests/openvpn/test_user_pass.c
@@ -64,19 +64,16 @@ management_auth_failure(struct management *man, const char *type, const char *re
 assert_true(0);
 }
 bool
-management_query_user_pass(struct management *man,
- struct user_pass *up,
- const char *type,
- const unsigned int flags,
- const char *static_challenge)
+management_query_user_pass(struct management *man, struct user_pass *up, const char *type,
+ const unsigned int flags, const char *static_challenge)
 {
 assert_true(0);
 return false;
 }
 /* stubs for some unused functions instead of pulling in too many dependencies */
 int
-parse_line(const char *line, char **p, const int n, const char *file,
- const int line_num, int msglevel, struct gc_arena *gc)
+parse_line(const char *line, char **p, const int n, const char *file, const int line_num,
+ int msglevel, struct gc_arena *gc)
 {
 assert_true(0);
 return 0;
@@ -162,7 +159,9 @@ test_get_user_pass_inline_creds(void **state)
 /*FIXME: query_user_exec() called even though nothing queued */
 will_return(query_user_exec_builtin, true);
 /* FIXME? content after first two lines just ignored */
- assert_true(get_user_pass_cr(&up, "#iuser and 커뮤니티\n//ipasswörd!\nsome other content\nnot relevant", "UT", flags, NULL));
+ assert_true(
+ get_user_pass_cr(&up, "#iuser and 커뮤니티\n//ipasswörd!\nsome other content\nnot relevant",
+ "UT", flags, NULL));
 assert_true(up.defined);
 assert_string_equal(up.username, "#iuser and 커뮤니티");
 assert_string_equal(up.password, "//ipasswörd!");
@@ -250,7 +249,7 @@ test_get_user_pass_authfile_file(void **state)
 unsigned int flags = 0;
 char authfile[PATH_MAX] = { 0 };
- openvpn_test_get_srcdir_dir(authfile, PATH_MAX, "input/user_pass.txt" );
+ openvpn_test_get_srcdir_dir(authfile, PATH_MAX, "input/user_pass.txt");
 /*FIXME: query_user_exec() called even though nothing queued */
 will_return(query_user_exec_builtin, true);
@@ -292,7 +291,8 @@ test_get_user_pass_dynamic_challenge(void **state)
 const char *challenge = "CRV1:R,E:Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l:Y3Ix:Please enter token PIN";
 unsigned int flags = GET_USER_PASS_DYNAMIC_CHALLENGE;
- expect_string(query_user_exec_builtin, query_user[i].prompt, "CHALLENGE: Please enter token PIN");
+ expect_string(query_user_exec_builtin, query_user[i].prompt,
+ "CHALLENGE: Please enter token PIN");
 will_return(query_user_exec_builtin, "challenge_response");
 will_return(query_user_exec_builtin, true);
 assert_true(get_user_pass_cr(&up, NULL, "UT", flags, challenge));
@@ -314,7 +314,8 @@ test_get_user_pass_static_challenge(void **state)
 expect_string(query_user_exec_builtin, query_user[i].prompt, "Enter UT Password:");
 will_return(query_user_exec_builtin, "cpassword");
 will_return(query_user_exec_builtin, true);
- expect_string(query_user_exec_builtin, query_user[i].prompt, "CHALLENGE: Please enter token PIN");
+ expect_string(query_user_exec_builtin, query_user[i].prompt,
+ "CHALLENGE: Please enter token PIN");
 will_return(query_user_exec_builtin, "challenge_response");
 will_return(query_user_exec_builtin, true);
 assert_true(get_user_pass_cr(&up, NULL, "UT", flags, challenge));
@@ -332,7 +333,8 @@ test_get_user_pass_static_challenge(void **state)
 expect_string(query_user_exec_builtin, query_user[i].prompt, "Enter UT Password:");
 will_return(query_user_exec_builtin, "c1password");
 will_return(query_user_exec_builtin, true);
- expect_string(query_user_exec_builtin, query_user[i].prompt, "CHALLENGE: Please enter token PIN");
+ expect_string(query_user_exec_builtin, query_user[i].prompt,
+ "CHALLENGE: Please enter token PIN");
 will_return(query_user_exec_builtin, "0123456");
 will_return(query_user_exec_builtin, true);
 assert_true(get_user_pass_cr(&up, NULL, "UT", flags, challenge));
@@ -343,11 +345,12 @@ test_get_user_pass_static_challenge(void **state)
 reset_user_pass(&up);
- flags = GET_USER_PASS_STATIC_CHALLENGE|GET_USER_PASS_INLINE_CREDS;
+ flags = GET_USER_PASS_STATIC_CHALLENGE | GET_USER_PASS_INLINE_CREDS;
 /*FIXME: query_user_exec() called even though nothing queued */
 will_return(query_user_exec_builtin, true);
- expect_string(query_user_exec_builtin, query_user[i].prompt, "CHALLENGE: Please enter token PIN");
+ expect_string(query_user_exec_builtin, query_user[i].prompt,
+ "CHALLENGE: Please enter token PIN");
 will_return(query_user_exec_builtin, "challenge_response");
 will_return(query_user_exec_builtin, true);
 assert_true(get_user_pass_cr(&up, "iuser\nipassword", "UT", flags, challenge));
diff --git a/tests/unit_tests/plugins/auth-pam/test_search_and_replace.c b/tests/unit_tests/plugins/auth-pam/test_search_and_replace.c
index 50b241da5..a861bfd36 100644
--- a/tests/unit_tests/plugins/auth-pam/test_search_and_replace.c
+++ b/tests/unit_tests/plugins/auth-pam/test_search_and_replace.c
@@ -12,7 +12,6 @@ static void
 pass_any_null_param__returns_null(void **state)
 {
-
 char DUMMY[] = "DUMMY";
 assert_null(searchandreplace(NULL, DUMMY, DUMMY));
@@ -23,7 +22,6 @@ pass_any_null_param__returns_null(void **state)
 static void
 pass_any_empty_string__returns_null(void **state)
 {
-
 char DUMMY[] = "DUMMY";
 char EMPTY[] = "";
-- 2.47.2