[Openvpn-devel,3/3] uncrustify openvpn/ sources

Message ID 20181130135641.11533-3-gert@greenie.muc.de
State Accepted, archived
Delegated to: David Sommerseth
Series
  • [Openvpn-devel,1/3] Uncrustify sample-plugin sources according to code style

Commit Message

Gert Doering Nov. 30, 2018, 1:56 p.m.
There are an amazing number of brackets that were either
totally missing, or have snuck up on the "for(...){"
line.  Further, uncrustify wants "|" in multi-line
logical expressions now at the beginning of the new
line, and "PRIi64" now gets surrounding spaces.

Added "sp_after_semi_for_empty=Add" to uncrustify.conf
to leave a few for() statements alone that look better
the way they are.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
 dev-tools/uncrustify.conf        |  3 ++
 src/openvpn/block_dns.h          |  4 +--
 src/openvpn/buffer.c             |  4 +--
 src/openvpn/buffer.h             |  1 +
 src/openvpn/console.h            |  2 +-
 src/openvpn/crypto.c             | 10 +++++--
 src/openvpn/crypto.h             |  5 ++--
 src/openvpn/crypto_backend.h     |  2 +-
 src/openvpn/crypto_mbedtls.c     |  7 +++--
 src/openvpn/crypto_mbedtls.h     |  3 +-
 src/openvpn/crypto_openssl.c     | 37 +++++++++++++------------
 src/openvpn/crypto_openssl.h     |  3 +-
 src/openvpn/cryptoapi.c          | 26 ++++++++++--------
 src/openvpn/env_set.c            |  2 +-
 src/openvpn/env_set.h            |  6 ++--
 src/openvpn/error.c              |  2 +-
 src/openvpn/event.c              |  4 +--
 src/openvpn/forward.c            |  4 +--
 src/openvpn/forward.h            |  2 ++
 src/openvpn/init.c               | 22 +++++++--------
 src/openvpn/integer.h            |  4 +--
 src/openvpn/manage.c             |  4 +--
 src/openvpn/mss.c                |  2 +-
 src/openvpn/multi.c              |  2 +-
 src/openvpn/multi.h              |  1 +
 src/openvpn/ntlm.c               |  4 +--
 src/openvpn/openssl_compat.h     | 47 ++++++++++++++++----------------
 src/openvpn/options.c            | 10 +++++--
 src/openvpn/otime.c              |  4 +--
 src/openvpn/packet_id.c          | 12 ++++----
 src/openvpn/packet_id.h          |  2 +-
 src/openvpn/ping.h               |  2 +-
 src/openvpn/plugin.c             |  3 +-
 src/openvpn/proxy.c              |  4 +--
 src/openvpn/reliable.c           |  4 +--
 src/openvpn/route.c              |  4 +--
 src/openvpn/run_command.c        |  6 ++--
 src/openvpn/shaper.c             |  2 +-
 src/openvpn/shaper.h             |  2 +-
 src/openvpn/socket.c             |  6 +++-
 src/openvpn/socket.h             |  2 +-
 src/openvpn/ssl.c                | 20 +++++++-------
 src/openvpn/ssl_common.h         |  4 +--
 src/openvpn/ssl_mbedtls.c        | 32 +++++++++++-----------
 src/openvpn/ssl_mbedtls.h        |  4 +--
 src/openvpn/ssl_openssl.c        | 32 +++++++++++-----------
 src/openvpn/ssl_verify.c         | 42 ++++++++++++++--------------
 src/openvpn/ssl_verify_backend.h |  1 +
 src/openvpn/ssl_verify_openssl.c |  7 +++--
 src/openvpn/tls_crypt.c          |  6 ++--
 src/openvpn/tls_crypt.h          |  6 ++--
 src/openvpn/tun.c                | 15 +++++-----
 src/openvpn/win32.c              |  2 +-
 53 files changed, 243 insertions(+), 204 deletions(-)

Comments

Antonio Quartulli Dec. 12, 2018, 11:33 a.m. | #1
Hi,

On 30/11/2018 23:56, Gert Doering wrote:

[cut]

> diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
> index fa057cb2..9687d8c2 100644
> --- a/src/openvpn/cryptoapi.c
> +++ b/src/openvpn/cryptoapi.c
> @@ -159,7 +159,8 @@ ms_error_text(DWORD ms_err)
>          /* trim to the left */
>          if (rv)
>          {
> -            for (p = rv + strlen(rv) - 1; p >= rv; p--) {
> +            for (p = rv + strlen(rv) - 1; p >= rv; p--)
> +            {
>                  if (isspace(*p))
>                  {
>                      *p = '\0';
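Review bot: The trim loop `for (p = rv + strlen(rv) - 1; p >= rv; p--)` forms a pointer one element before `rv` when the message is empty or is all whitespace, which is undefined behaviour. In addition, `isspace(*p)` is undefined for negative `char` values, which localized system error text can contain if `rv` is a plain `char *` (its declaration is outside the hunk). Assuming the branch not shown here simply stops at the first non-space character, an index-based form avoids both problems: `for (size_t n = strlen(rv); n > 0 && isspace((unsigned char)rv[n - 1]); n--) { rv[n - 1] = '\0'; }`. The comment above the loop says "trim to the left" although the loop strips trailing characters; `/* trim trailing whitespace */` would match what the code does.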
> @@ -198,7 +199,8 @@ err_put_ms_error(DWORD ms_err, int func, const char *file, int line)
>      }
>      /* since MS error codes are 32 bit, and the ones in the ERR_... system is
>       * only 12, we must have a mapping table between them.  */
> -    for (i = 0; i < ERR_MAP_SZ; i++) {
> +    for (i = 0; i < ERR_MAP_SZ; i++)
> +    {
>          if (err_map[i].ms_err == ms_err)
>          {
>              ERR_PUT_error(ERR_LIB_CRYPTOAPI, func, err_map[i].err, file, line);
> @@ -267,8 +269,8 @@ priv_enc_CNG(const CAPI_DATA *cd, const wchar_t *hash_algo, const unsigned char
>      BCRYPT_PKCS1_PADDING_INFO padinfo = {hash_algo};
>      DWORD status;
>  
> -    status = NCryptSignHash(hkey, padding? &padinfo : NULL, (BYTE*) from, flen,
> -                            to, tlen, &len, padding? BCRYPT_PAD_PKCS1 : 0);
> +    status = NCryptSignHash(hkey, padding ? &padinfo : NULL, (BYTE *) from, flen,
> +                            to, tlen, &len, padding ? BCRYPT_PAD_PKCS1 : 0);
>      if (status != ERROR_SUCCESS)
>      {
>          SetLastError(status);
> @@ -375,7 +377,7 @@ rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i
>   */
>  static int
>  rsa_sign_CNG(int type, const unsigned char *m, unsigned int m_len,
> -              unsigned char *sig, unsigned int *siglen, const RSA *rsa)
> +             unsigned char *sig, unsigned int *siglen, const RSA *rsa)
>  {
>      CAPI_DATA *cd = (CAPI_DATA *) RSA_meth_get0_app_data(RSA_get_method(rsa));
>      const wchar_t *alg = NULL;
> @@ -419,6 +421,7 @@ rsa_sign_CNG(int type, const unsigned char *m, unsigned int m_len,
>              /* No DigestInfo header is required -- set alg-name to NULL */
>              alg = NULL;
>              break;
> +
>          default:
>              msg(M_WARN, "cryptoapicert: Unknown hash type NID=0x%x", type);
>              RSAerr(RSA_F_RSA_SIGN, RSA_R_UNKNOWN_ALGORITHM_TYPE);
> @@ -459,7 +462,7 @@ finish(RSA *rsa)
>          return 0;
>      }
>      CAPI_DATA_free(cd);
> -    RSA_meth_free((RSA_METHOD*) rsa_meth);
> +    RSA_meth_free((RSA_METHOD *) rsa_meth);
>      return 1;
>  }
>  
> @@ -586,7 +589,7 @@ ssl_ctx_set_eckey(SSL_CTX *ssl_ctx, CAPI_DATA *cd, EVP_PKEY *pkey)
>      if (cd->key_spec != CERT_NCRYPT_KEY_SPEC)
>      {
>          msg(M_NONFATAL, "ERROR: cryptoapicert with only legacy private key handle available."
> -                    " EC certificate not supported.");
> +            " EC certificate not supported.");
>          goto err;
>      }
>      /* create a method struct with default callbacks filled in */
> @@ -686,7 +689,8 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store)
>  
>          /* skip the tag */
>          cert_prop += 6;
> -        for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++) {
> +        for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++)
> +        {
>              if (*p >= '0' && *p <= '9')
>              {
>                  x = (*p - '0') << 4;
> @@ -739,7 +743,7 @@ ssl_ctx_set_rsakey(SSL_CTX *ssl_ctx, CAPI_DATA *cd, EVP_PKEY *pkey)
>      bool rsa_method_set = false;
>  
>      my_rsa_method = RSA_meth_new("Microsoft Cryptography API RSA Method",
> -                                  RSA_METHOD_FLAG_NO_CHECK);
> +                                 RSA_METHOD_FLAG_NO_CHECK);
>      check_malloc_return(my_rsa_method);
>      RSA_meth_set_pub_enc(my_rsa_method, rsa_pub_enc);
>      RSA_meth_set_pub_dec(my_rsa_method, rsa_pub_dec);
> @@ -797,7 +801,7 @@ ssl_ctx_set_rsakey(SSL_CTX *ssl_ctx, CAPI_DATA *cd, EVP_PKEY *pkey)
>          goto err;
>      }
>      /* SSL_CTX_use_RSAPrivateKey() increased the reference count in 'rsa', so
> -     * we decrease it here with RSA_free(), or it will never be cleaned up. */
> +    * we decrease it here with RSA_free(), or it will never be cleaned up. */

Is the above change right? Maybe it would make more sense to move the */
to the new line too, but regardless, this change is clearly breaking the
alignment of the *s.

>      RSA_free(rsa);
>      return 1;
>  
> @@ -867,7 +871,7 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop)
>      DWORD flags = CRYPT_ACQUIRE_COMPARE_KEY_FLAG
>                    | CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG;
>      if (!CryptAcquireCertificatePrivateKey(cd->cert_context, flags, NULL,
> -                    &cd->crypt_prov, &cd->key_spec, &cd->free_crypt_prov))
> +                                           &cd->crypt_prov, &cd->key_spec, &cd->free_crypt_prov))
>      {
>          /* if we don't have a smart card reader here, and we try to access a
>           * smart card certificate, we get:

[cut]


> --- a/src/openvpn/forward.c
> +++ b/src/openvpn/forward.c
> @@ -757,7 +757,7 @@ static void
>  process_coarse_timers(struct context *c)
>  {
>      /* flush current packet-id to file once per 60
> -     * seconds if --replay-persist was specified */
> +    * seconds if --replay-persist was specified */

same here

>      check_packet_id_persist_flush(c);
>  
>      /* should we update status file? */
> @@ -836,7 +836,7 @@ check_coarse_timers_dowork(struct context *c)
>      process_coarse_timers(c);
>      c->c2.coarse_timer_wakeup = now + c->c2.timeval.tv_sec;
>  
> -    dmsg(D_INTERVAL, "TIMER: coarse timer wakeup %"PRIi64" seconds", (int64_t)c->c2.timeval.tv_sec);
> +    dmsg(D_INTERVAL, "TIMER: coarse timer wakeup %" PRIi64 " seconds", (int64_t)c->c2.timeval.tv_sec);
>  
>      /* Is the coarse timeout NOT the earliest one? */
>      if (c->c2.timeval.tv_sec > save.tv_sec)

[cut]

> --- a/src/openvpn/ntlm.c
> +++ b/src/openvpn/ntlm.c
> @@ -314,8 +314,8 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2,
>           * byte order on the wire for the NTLM header is LE.
>           */
>          const size_t hoff = 0x14;
> -        unsigned long flags = buf2[hoff] | (buf2[hoff + 1] << 8) |
> -                              (buf2[hoff + 2] << 16) | (buf2[hoff + 3] << 24);
> +        unsigned long flags = buf2[hoff] | (buf2[hoff + 1] << 8)
> +                              |(buf2[hoff + 2] << 16) | (buf2[hoff + 3] << 24);

shouldn't there be a space between | and the opening ( ?

>          if ((flags & 0x00800000) == 0x00800000)
>          {
>              tib_len = buf2[0x28];            /* Get Target Information block size */
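Review bot: In the `flags` expression each `buf2[...]` operand is promoted to `int` before shifting, so `buf2[hoff + 3] << 24` shifts into the sign bit whenever the top byte is 0x80 or above. That is undefined behaviour for a signed left shift, and on LP64 targets the sign-extended result also sets the upper 32 bits of the `unsigned long`. The value appears to come from the proxy's phase-2 reply, so the peer controls it. Casting before the shift keeps the arithmetic unsigned: `| ((unsigned long)buf2[hoff + 2] << 16) | ((unsigned long)buf2[hoff + 3] << 24);`. The hunk does not show `buf2`'s declaration or any check that the decoded message is long enough to cover offsets `hoff + 3` and `0x28`; that is worth confirming in the part of `ntlm_phase_3` outside the hunk.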
> diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
> index 9560b29f..a4072b9a 100644
> --- a/src/openvpn/openssl_compat.h
> +++ b/src/openvpn/openssl_compat.h
> @@ -193,8 +193,8 @@ X509_get0_pubkey(const X509 *x)
>   * @param store              X509 object store
>   * @return                   the X509 object stack
>   */
> -static inline STACK_OF(X509_OBJECT) *
> -X509_STORE_get0_objects(X509_STORE *store)
> +static inline STACK_OF(X509_OBJECT)
> +*X509_STORE_get0_objects(X509_STORE *store)

This is kind of weird, isn't it? Normally the * is kept on the same line
as the type, exactly because it is part of the return type, no?

>  {
>      return store ? store->objs : NULL;
>  }
> @@ -369,7 +369,7 @@ RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d)
>  
>      return 1;
>  }
> -#endif
> +#endif /* if !defined(HAVE_RSA_SET0_KEY) */
>  
>  #if !defined(HAVE_RSA_BITS)
>  /**
> @@ -483,9 +483,9 @@ RSA_meth_free(RSA_METHOD *meth)
>   */
>  static inline int
>  RSA_meth_set_pub_enc(RSA_METHOD *meth,
> -                     int (*pub_enc) (int flen, const unsigned char *from,
> -                                     unsigned char *to, RSA *rsa,
> -                                     int padding))
> +                     int (*pub_enc)(int flen, const unsigned char *from,
> +                                    unsigned char *to, RSA *rsa,
> +                                    int padding))
>  {
>      if (meth)
>      {
> @@ -506,9 +506,9 @@ RSA_meth_set_pub_enc(RSA_METHOD *meth,
>   */
>  static inline int
>  RSA_meth_set_pub_dec(RSA_METHOD *meth,
> -                     int (*pub_dec) (int flen, const unsigned char *from,
> -                                     unsigned char *to, RSA *rsa,
> -                                     int padding))
> +                     int (*pub_dec)(int flen, const unsigned char *from,
> +                                    unsigned char *to, RSA *rsa,
> +                                    int padding))
>  {
>      if (meth)
>      {
> @@ -529,9 +529,9 @@ RSA_meth_set_pub_dec(RSA_METHOD *meth,
>   */
>  static inline int
>  RSA_meth_set_priv_enc(RSA_METHOD *meth,
> -                      int (*priv_enc) (int flen, const unsigned char *from,
> -                                       unsigned char *to, RSA *rsa,
> -                                       int padding))
> +                      int (*priv_enc)(int flen, const unsigned char *from,
> +                                      unsigned char *to, RSA *rsa,
> +                                      int padding))
>  {
>      if (meth)
>      {
> @@ -552,9 +552,9 @@ RSA_meth_set_priv_enc(RSA_METHOD *meth,
>   */
>  static inline int
>  RSA_meth_set_priv_dec(RSA_METHOD *meth,
> -                      int (*priv_dec) (int flen, const unsigned char *from,
> -                                       unsigned char *to, RSA *rsa,
> -                                       int padding))
> +                      int (*priv_dec)(int flen, const unsigned char *from,
> +                                      unsigned char *to, RSA *rsa,
> +                                      int padding))
>  {
>      if (meth)
>      {
> @@ -574,7 +574,7 @@ RSA_meth_set_priv_dec(RSA_METHOD *meth,
>   * @return                   1 on success, 0 on error
>   */
>  static inline int
> -RSA_meth_set_init(RSA_METHOD *meth, int (*init) (RSA *rsa))
> +RSA_meth_set_init(RSA_METHOD *meth, int (*init)(RSA *rsa))
>  {
>      if (meth)
>      {
> @@ -594,11 +594,12 @@ RSA_meth_set_init(RSA_METHOD *meth, int (*init) (RSA *rsa))
>   * @return                   1 on success, 0 on error
>   */
>  static inline
> -int RSA_meth_set_sign(RSA_METHOD *meth,
> -                      int (*sign) (int type, const unsigned char *m,
> -                                   unsigned int m_length,
> -                                   unsigned char *sigret, unsigned int *siglen,
> -                                   const RSA *rsa))
> +int

shouldn't int go on the same line as 'static inline' ?

> +RSA_meth_set_sign(RSA_METHOD *meth,
> +                  int (*sign)(int type, const unsigned char *m,
> +                              unsigned int m_length,
> +                              unsigned char *sigret, unsigned int *siglen,
> +                              const RSA *rsa))
>  {
>      meth->rsa_sign = sign;
>      return 1;
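Review bot: `RSA_meth_set_sign` writes `meth->rsa_sign = sign;` without the `if (meth)` guard that the sibling setters in this header (`RSA_meth_set_pub_enc`, `RSA_meth_set_init`, `RSA_meth_set_finish`) use, so a NULL `meth` is dereferenced here instead of yielding the documented `0 on error`. Adding `if (!meth) { return 0; }` before the assignment would make it consistent with the others and with its own doc comment. The closing brace of the function is outside the hunk.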
> @@ -614,7 +615,7 @@ int RSA_meth_set_sign(RSA_METHOD *meth,
>   * @return                   1 on success, 0 on error
>   */
>  static inline int
> -RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa))
> +RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa))
>  {
>      if (meth)
>      {
> @@ -669,7 +670,7 @@ RSA_meth_get0_app_data(const RSA_METHOD *meth)
>  static inline int
>  EC_GROUP_order_bits(const EC_GROUP *group)
>  {
> -    BIGNUM* order = BN_new();
> +    BIGNUM *order = BN_new();
>      EC_GROUP_get_order(group, order, NULL);
>      int bits = BN_num_bits(order);
>      BN_free(order);
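Review bot: `EC_GROUP_order_bits` never checks the result of `BN_new()` and ignores the return value of `EC_GROUP_get_order()`, so on allocation failure or an invalid group `BN_num_bits()` runs on a NULL or unset BIGNUM. Since `BN_free(NULL)` is a no-op, the two calls can be folded into one checked line: `int bits = (order && EC_GROUP_get_order(group, order, NULL)) ? BN_num_bits(order) : 0;`. A one-line comment noting that 0 means "order unavailable" would help callers that use the value to size buffers or pick algorithms. The end of the function is outside the hunk.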
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index 9ee1836b..6d53dea5 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -2134,7 +2134,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec
>              "passwords is STRONGLY discouraged and considered insecure");
>      }
>  
> -#endif
> +#endif /* ifdef ENABLE_MANAGEMENT */
>  
>      /*
>       * Windows-specific options.
> @@ -2859,8 +2859,10 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
>          {
>              struct buffer in = buffer_read_from_file(o->tls_auth_file, &o->gc);
>              if (!buf_valid(&in))
> +            {
>                  msg(M_FATAL, "Cannot pre-load tls-auth keyfile (%s)",
>                      o->tls_auth_file);
> +            }
>  
>              ce->tls_auth_file = INLINE_FILE_TAG;
>              ce->tls_auth_file_inline = (char *)in.data;
> @@ -2870,8 +2872,10 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
>          {
>              struct buffer in = buffer_read_from_file(o->tls_crypt_file, &o->gc);
>              if (!buf_valid(&in))
> +            {
>                  msg(M_FATAL, "Cannot pre-load tls-crypt keyfile (%s)",
>                      o->tls_auth_file);
> +            }
>  
>              ce->tls_crypt_file = INLINE_FILE_TAG;
>              ce->tls_crypt_inline = (char *)in.data;
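Review bot: The fatal message in the tls-crypt branch, `"Cannot pre-load tls-crypt keyfile (%s)"`, is passed `o->tls_auth_file` rather than `o->tls_crypt_file`. When the tls-crypt key cannot be read, the log therefore names the wrong file, and prints a NULL string if `--tls-auth` is not configured. The argument should be `o->tls_crypt_file);`. This looks like a copy-paste from the tls-auth block in the previous hunk; the newly added braces leave it as it was.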
> @@ -3040,7 +3044,7 @@ options_postprocess_mutate(struct options *o)
>      {
>          /* DH file is only meaningful in a tls-server context. */
>          msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
> -                    "include this in your server configuration");
> +            "include this in your server configuration");
>          o->dh_file = NULL;
>      }
>  
> @@ -7146,7 +7150,7 @@ add_option(struct options *options,
>          {
>              if (strstr(p[2], ":"))
>              {
> -                ipv6dns=true;
> +                ipv6dns = true;
>                  foreign_option(options, p, 3, es);
>                  dhcp_option_dns6_parse(p[2], o->dns6, &o->dns6_len, msglevel);
>              }
> diff --git a/src/openvpn/otime.c b/src/openvpn/otime.c
> index e0b1b0ee..759a7fb5 100644
> --- a/src/openvpn/otime.c
> +++ b/src/openvpn/otime.c
> @@ -88,7 +88,7 @@ const char *
>  tv_string(const struct timeval *tv, struct gc_arena *gc)
>  {
>      struct buffer out = alloc_buf_gc(64, gc);
> -    buf_printf(&out, "[%"PRIi64"/%ld]",
> +    buf_printf(&out, "[%" PRIi64 "/%ld]",
>                 (int64_t)tv->tv_sec,
>                 (long)tv->tv_usec);
>      return BSTR(&out);
> @@ -198,7 +198,7 @@ time_test(void)
>          t = time(NULL);
>          gettimeofday(&tv, NULL);
>  #if 1
> -        msg(M_INFO, "t=%"PRIi64" s=%"PRIi64" us=%ld",
> +        msg(M_INFO, "t=%" PRIi64 " s=%" PRIi64 " us=%ld",
>              (int64_t)t,
>              (int64_t)tv.tv_sec,
>              (long)tv.tv_usec);
> diff --git a/src/openvpn/packet_id.c b/src/openvpn/packet_id.c
> index dc44f36b..0c744875 100644
> --- a/src/openvpn/packet_id.c
> +++ b/src/openvpn/packet_id.c
> @@ -347,7 +347,7 @@ packet_id_send_update(struct packet_id_send *p, bool long_form)
>  
>  bool
>  packet_id_write(struct packet_id_send *p, struct buffer *buf, bool long_form,
> -        bool prepend)
> +                bool prepend)
>  {
>      if (!packet_id_send_update(p, long_form))
>      {
> @@ -606,13 +606,13 @@ packet_id_debug_print(int msglevel,
>          }
>          buf_printf(&out, "%c", c);
>      }
> -    buf_printf(&out, "] %"PRIi64":" packet_id_format, (int64_t)p->time, (packet_id_print_type)p->id);
> +    buf_printf(&out, "] %" PRIi64 ":" packet_id_format, (int64_t)p->time, (packet_id_print_type)p->id);
>      if (pin)
>      {
> -        buf_printf(&out, " %"PRIi64":" packet_id_format, (int64_t)pin->time, (packet_id_print_type)pin->id);
> +        buf_printf(&out, " %" PRIi64 ":" packet_id_format, (int64_t)pin->time, (packet_id_print_type)pin->id);
>      }
>  
> -    buf_printf(&out, " t=%"PRIi64"[%d]",
> +    buf_printf(&out, " t=%" PRIi64 "[%d]",
>                 (int64_t)prev_now,
>                 (int)(prev_now - tv.tv_sec));
>  
> @@ -666,7 +666,7 @@ packet_id_interactive_test(void)
>          {
>              packet_id_reap_test(&pid.rec);
>              test = packet_id_test(&pid.rec, &pin);
> -            printf("packet_id_test (%"PRIi64", " packet_id_format ") returned %d\n",
> +            printf("packet_id_test (%" PRIi64 ", " packet_id_format ") returned %d\n",
>                     (int64_t)pin.time,
>                     (packet_id_print_type)pin.id,
>                     test);
> @@ -679,7 +679,7 @@ packet_id_interactive_test(void)
>          {
>              long_form = (count < 20);
>              packet_id_alloc_outgoing(&pid.send, &pin, long_form);
> -            printf("(%"PRIi64"(" packet_id_format "), %d)\n",
> +            printf("(%" PRIi64 "(" packet_id_format "), %d)\n",
>                     (int64_t)pin.time,
>                     (packet_id_print_type)pin.id,
>                     long_form);
> diff --git a/src/openvpn/packet_id.h b/src/openvpn/packet_id.h
> index ec03e348..26b07975 100644
> --- a/src/openvpn/packet_id.h
> +++ b/src/openvpn/packet_id.h
> @@ -263,7 +263,7 @@ bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_for
>   * @return true if successful, false otherwise.
>   */
>  bool packet_id_write(struct packet_id_send *p, struct buffer *buf,
> -        bool long_form, bool prepend);
> +                     bool long_form, bool prepend);
>  
>  /*
>   * Inline functions.
> diff --git a/src/openvpn/ping.h b/src/openvpn/ping.h
> index a196b32b..b51f082a 100644
> --- a/src/openvpn/ping.h
> +++ b/src/openvpn/ping.h
> @@ -84,4 +84,4 @@ check_ping_send(struct context *c)
>      }
>  }
>  
> -#endif
> +#endif /* ifndef PING_H */
> diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
> index 4d17c821..33687d44 100644
> --- a/src/openvpn/plugin.c
> +++ b/src/openvpn/plugin.c
> @@ -552,8 +552,7 @@ plugin_call_item(const struct plugin *p,
>                                                          p->plugin_handle,
>                                                          per_client_context,
>                                                          (current_cert ? certdepth : -1),
> -                                                        current_cert
> -            };
> +                                                        current_cert};

why does the closing bracket go on the same line of the last field ? I
think in general we wanted to keep it aligned to where the opening line
starts, no?

>  
>              struct openvpn_plugin_args_func_return retargs;
>  
> diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
> index fdad3ed5..c8bd86dd 100644
> --- a/src/openvpn/proxy.c
> +++ b/src/openvpn/proxy.c
> @@ -884,10 +884,10 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
>                  const char *algor = get_pa_var("algorithm", pa, &gc);
>                  const char *opaque = get_pa_var("opaque", pa, &gc);
>  
> -                if ( !realm || !nonce )
> +                if (!realm || !nonce)
>                  {
>                      msg(D_LINK_ERRORS, "HTTP proxy: digest auth failed, malformed response "
> -                            "from server: realm= or nonce= missing" );
> +                        "from server: realm= or nonce= missing" );
>                      goto error;
>                  }
>  
> diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c
> index a7f4ed96..eae1e0cb 100644
> --- a/src/openvpn/reliable.c
> +++ b/src/openvpn/reliable.c
> @@ -762,14 +762,14 @@ reliable_debug_print(const struct reliable *rel, char *desc)
>      printf("********* struct reliable %s\n", desc);
>      printf("  initial_timeout=%d\n", (int)rel->initial_timeout);
>      printf("  packet_id=" packet_id_format "\n", rel->packet_id);
> -    printf("  now=%"PRIi64"\n", (int64_t)now);
> +    printf("  now=%" PRIi64 "\n", (int64_t)now);
>      for (i = 0; i < rel->size; ++i)
>      {
>          const struct reliable_entry *e = &rel->array[i];
>          if (e->active)
>          {
>              printf("  %d: packet_id=" packet_id_format " len=%d", i, e->packet_id, e->buf.len);
> -            printf(" next_try=%"PRIi64, (int64_t)e->next_try);
> +            printf(" next_try=%" PRIi64, (int64_t)e->next_try);
>              printf("\n");
>          }
>      }
> diff --git a/src/openvpn/route.c b/src/openvpn/route.c
> index d97e8dba..346f08e2 100644
> --- a/src/openvpn/route.c
> +++ b/src/openvpn/route.c
> @@ -3074,7 +3074,7 @@ do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct t
>       * (only do this for routes actually using the tun/tap device)
>       */
>      if (tt->type == DEV_TYPE_TUN
> -	 && msg.iface.index == tt->adapter_index )
> +        && msg.iface.index == tt->adapter_index)
>      {
>          inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6);
>      }
> @@ -3298,7 +3298,7 @@ get_default_gateway(struct route_gateway_info *rgi)
>                  if (rgi->flags & RGI_ON_LINK)
>                  {
>                      /* check that interface name of current interface
> -                     * matches interface name of best default route */
> +                    * matches interface name of best default route */

same in previous patterns.

>                      if (strcmp(ifreq.ifr_name, best_name))
>                      {
>                          continue;
> diff --git a/src/openvpn/run_command.c b/src/openvpn/run_command.c
> index 4e198676..04ad2312 100644
> --- a/src/openvpn/run_command.c
> +++ b/src/openvpn/run_command.c
> @@ -41,12 +41,14 @@
>  /* contains an SSEC_x value defined in platform.h */
>  static int script_security_level = SSEC_BUILT_IN; /* GLOBAL */
>  
> -int script_security(void)
> +int
> +script_security(void)
>  {
>      return script_security_level;
>  }
>  
> -void script_security_set(int level)
> +void
> +script_security_set(int level)
>  {
>      script_security_level = level;
>  }
> diff --git a/src/openvpn/shaper.c b/src/openvpn/shaper.c
> index 92364f29..62579840 100644
> --- a/src/openvpn/shaper.c
> +++ b/src/openvpn/shaper.c
> @@ -76,7 +76,7 @@ shaper_soonest_event(struct timeval *tv, int delay)
>          }
>      }
>  #ifdef SHAPER_DEBUG
> -    dmsg(D_SHAPER_DEBUG, "SHAPER shaper_soonest_event sec=%"PRIi64" usec=%ld ret=%d",
> +    dmsg(D_SHAPER_DEBUG, "SHAPER shaper_soonest_event sec=%" PRIi64 " usec=%ld ret=%d",
>           (int64_t)tv->tv_sec, (long)tv->tv_usec, (int)ret);
>  #endif
>      return ret;
> diff --git a/src/openvpn/shaper.h b/src/openvpn/shaper.h
> index 4efe398a..bcdb5e36 100644
> --- a/src/openvpn/shaper.h
> +++ b/src/openvpn/shaper.h
> @@ -147,7 +147,7 @@ shaper_wrote_bytes(struct shaper *s, int nbytes)
>          tv_add(&s->wakeup, &tv);
>  
>  #ifdef SHAPER_DEBUG
> -        dmsg(D_SHAPER_DEBUG, "SHAPER shaper_wrote_bytes bytes=%d delay=%ld sec=%"PRIi64" usec=%ld",
> +        dmsg(D_SHAPER_DEBUG, "SHAPER shaper_wrote_bytes bytes=%d delay=%ld sec=%" PRIi64 " usec=%ld",
>               nbytes,
>               (long)tv.tv_usec,
>               (int64_t)s->wakeup.tv_sec,
> diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
> index 3f2b97e4..db944245 100644
> --- a/src/openvpn/socket.c
> +++ b/src/openvpn/socket.c
> @@ -100,10 +100,12 @@ get_addr_generic(sa_family_t af, unsigned int flags, const char *hostname,
>              bits = 0;
>              max_bits = sizeof(in_addr_t) * 8;
>              break;
> +
>          case AF_INET6:
>              bits = 64;
>              max_bits = sizeof(struct in6_addr) * 8;
>              break;
> +
>          default:
>              msg(M_WARN,
>                  "Unsupported AF family passed to getaddrinfo for %s (%d)",
> @@ -125,7 +127,7 @@ get_addr_generic(sa_family_t af, unsigned int flags, const char *hostname,
>      }
>  
>      /* check if this hostname has a /bits suffix */
> -    sep = strchr(var_host , '/');
> +    sep = strchr(var_host, '/');
>      if (sep)
>      {
>          bits = strtoul(sep + 1, &endp, 10);
> @@ -156,10 +158,12 @@ get_addr_generic(sa_family_t af, unsigned int flags, const char *hostname,
>                      *ip4 = ntohl(*ip4);
>                  }
>                  break;
> +
>              case AF_INET6:
>                  ip6 = network;
>                  *ip6 = ((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr;
>                  break;
> +
>              default:
>                  /* can't get here because 'af' was previously checked */
>                  msg(M_WARN,
> diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h
> index 0f22d479..17801418 100644
> --- a/src/openvpn/socket.h
> +++ b/src/openvpn/socket.h
> @@ -138,7 +138,7 @@ struct stream_buf
>      int len;   /* -1 if not yet known */
>  
>      bool error; /* if true, fatal TCP error has occurred,
> -                *  requiring that connection be restarted */
> +                 *  requiring that connection be restarted */
>  #if PORT_SHARE
>  #define PS_DISABLED 0
>  #define PS_ENABLED  1
> diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
> index 74b88ce6..d783c598 100644
> --- a/src/openvpn/ssl.c
> +++ b/src/openvpn/ssl.c
> @@ -680,7 +680,7 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
>      {
>          if (tls_ctx_use_management_external_key(new_ctx))
>          {
> -            msg (M_WARN, "Cannot initialize mamagement-external-key");
> +            msg(M_WARN, "Cannot initialize mamagement-external-key");
>              goto err;
>          }
>      }
> @@ -1099,7 +1099,7 @@ tls_session_init(struct tls_multi *multi, struct tls_session *session)
>          else
>          {
>              session->initial_opcode = session->opt->tls_crypt_v2 ?
> -                    P_CONTROL_HARD_RESET_CLIENT_V3 : P_CONTROL_HARD_RESET_CLIENT_V2;
> +                                      P_CONTROL_HARD_RESET_CLIENT_V3 : P_CONTROL_HARD_RESET_CLIENT_V2;
>          }
>      }
>  
> @@ -1527,9 +1527,9 @@ read_control_auth(struct buffer *buf,
>      if (opcode == P_CONTROL_HARD_RESET_CLIENT_V3
>          && !tls_crypt_v2_extract_client_key(buf, ctx, opt))
>      {
> -        msg (D_TLS_ERRORS,
> -             "TLS Error: can not extract tls-crypt-v2 client key from %s",
> -             print_link_socket_actual(from, &gc));
> +        msg(D_TLS_ERRORS,
> +            "TLS Error: can not extract tls-crypt-v2 client key from %s",
> +            print_link_socket_actual(from, &gc));
>          goto cleanup;
>      }
>  
> @@ -3781,7 +3781,7 @@ tls_pre_decrypt(struct tls_multi *multi,
>                                  /* Save incoming ciphertext packet to reliable buffer */
>                                  struct buffer *in = reliable_get_buf(ks->rec_reliable);
>                                  ASSERT(in);
> -                                if(!buf_copy(in, buf))
> +                                if (!buf_copy(in, buf))
>                                  {
>                                      msg(D_MULTI_DROPPED,
>                                          "Incoming control channel packet too big, dropping.");
> @@ -4182,10 +4182,10 @@ show_available_tls_ciphers(const char *cipher_list,
>      show_available_tls_ciphers_list(cipher_list, tls_cert_profile, false);
>  
>      printf("\n"
> -    "Be aware that that whether a cipher suite in this list can actually work\n"
> -    "depends on the specific setup of both peers. See the man page entries of\n"
> -    "--tls-cipher and --show-tls for more details.\n\n"
> -    );
> +           "Be aware that that whether a cipher suite in this list can actually work\n"
> +           "depends on the specific setup of both peers. See the man page entries of\n"
> +           "--tls-cipher and --show-tls for more details.\n\n"
> +           );

since you are there you could move the closing parenthesis to the line
before :)

>  }
>  
>  /*
> diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
> index 7bf82b3a..410b2163 100644
> --- a/src/openvpn/ssl_common.h
> +++ b/src/openvpn/ssl_common.h
> @@ -215,10 +215,10 @@ struct tls_wrap_ctx
>      struct buffer work;         /**< Work buffer (only for --tls-crypt) */
>      struct key_ctx tls_crypt_v2_server_key;  /**< Decrypts client keys */
>      const struct buffer *tls_crypt_v2_wkc;   /**< Wrapped client key,
> -                                                  sent to server */
> +                                              *   sent to server */
>      struct buffer tls_crypt_v2_metadata;     /**< Received from client */
>      bool cleanup_key_ctx;                    /**< opt.key_ctx_bi is owned by
> -                                                  this context */
> +                                              *   this context */
>  };
>  
>  /*
> diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
> index f7e8c2d0..a4197cba 100644
> --- a/src/openvpn/ssl_mbedtls.c
> +++ b/src/openvpn/ssl_mbedtls.c
> @@ -65,12 +65,12 @@
>  static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_legacy =
>  {
>      /* Hashes from SHA-1 and above */
> -    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
> -    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) |
> -    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
> -    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
> -    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
> -    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
> +    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 )
> +    |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 )
> +    |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 )
> +    |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 )
> +    |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 )
> +    |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),

space missing?

>      0xFFFFFFF, /* Any PK alg    */
>      0xFFFFFFF, /* Any curve     */
>      1024,      /* RSA-1024 and larger */
> @@ -79,10 +79,10 @@ static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_legacy =
>  static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_preferred =
>  {
>      /* SHA-2 and above */
> -    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
> -    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
> -    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
> -    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
> +    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 )
> +    |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 )
> +    |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 )
> +    |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),

space missing?

>      0xFFFFFFF, /* Any PK alg    */
>      0xFFFFFFF, /* Any curve     */
>      2048,      /* RSA-2048 and larger */
> @@ -232,7 +232,7 @@ tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
>      }
>  
>      msg(M_WARN, "mbed TLS does not support setting tls-ciphersuites. "
> -                "Ignoring TLS 1.3 cipher list: %s", ciphers);
> +        "Ignoring TLS 1.3 cipher list: %s", ciphers);
>  }
>  
>  void
> @@ -299,7 +299,7 @@ tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
>      }
>      else
>      {
> -        msg (M_FATAL, "ERROR: Invalid cert profile: %s", profile);
> +        msg(M_FATAL, "ERROR: Invalid cert profile: %s", profile);
>      }
>  }
>  
> @@ -600,14 +600,14 @@ tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx,
>  
>      if (ctx->crt_chain == NULL)
>      {
> -        msg (M_WARN, "ERROR: external key requires a certificate.");
> +        msg(M_WARN, "ERROR: external key requires a certificate.");
>          return 1;
>      }
>  
>      if (mbedtls_pk_get_type(&ctx->crt_chain->pk) != MBEDTLS_PK_RSA)
>      {
>          msg(M_WARN, "ERROR: external key with mbed TLS requires a "
> -                     "certificate with an RSA key.");
> +            "certificate with an RSA key.");
>          return 1;
>      }
>  
> @@ -653,8 +653,8 @@ management_sign_func(void *sign_ctx, const void *src, size_t src_len,
>  
>      ret = true;
>  cleanup:
> -    free (src_b64);
> -    free (dst_b64);
> +    free(src_b64);
> +    free(dst_b64);
>  
>      return ret;
>  }
> diff --git a/src/openvpn/ssl_mbedtls.h b/src/openvpn/ssl_mbedtls.h
> index 998d6f2f..1328ceb7 100644
> --- a/src/openvpn/ssl_mbedtls.h
> +++ b/src/openvpn/ssl_mbedtls.h
> @@ -71,8 +71,8 @@ typedef struct {
>   * @return true if signing succeeded, false otherwise.
>   */
>  typedef bool (*external_sign_func)(
> -        void *sign_ctx, const void *src, size_t src_size,
> -        void *dst, size_t dst_size);
> +    void *sign_ctx, const void *src, size_t src_size,
> +    void *dst, size_t dst_size);
>  
>  /** Context used by external_pkcs1_sign() */
>  struct external_context {
> diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
> index da573cfa..ddb78da7 100644
> --- a/src/openvpn/ssl_openssl.c
> +++ b/src/openvpn/ssl_openssl.c
> @@ -217,7 +217,7 @@ tls_version_max(void)
>      return TLS_VER_1_2;
>  #elif defined(TLS1_1_VERSION) || defined(SSL_OP_NO_TLSv1_1)
>      return TLS_VER_1_1;
> -#else
> +#else  /* if defined(TLS1_3_VERSION) */
>      return TLS_VER_1_0;
>  #endif
>  }
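Review bot: The comment uncrustify generated on the `#else` names only `TLS1_3_VERSION`, which reads as if this branch depended on that one macro. The branch is in fact the fall-through of the whole `#if`/`#elif` chain and returns `TLS_VER_1_0`. Since the function name suggests this value is the highest TLS version the build offers, a hand-written comment such as `#else  /* OpenSSL headers expose no TLS 1.1+ support */` would describe it more accurately. The start of tls_version_max() and the earlier conditions of the chain are outside the hunk, so the first condition is inferred from the generated comment.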
> @@ -322,7 +322,7 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
>  }
>  
>  void
> -convert_tls_list_to_openssl(char* openssl_ciphers, size_t len,const char *ciphers)
> +convert_tls_list_to_openssl(char *openssl_ciphers, size_t len,const char *ciphers)
>  {
>      /* Parse supplied cipher list and pass on to OpenSSL */
>      size_t begin_of_cipher, end_of_cipher;
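Review bot: The reformatted signature still reads `size_t len,const char *ciphers`, with no space after the comma, so this line is only half cleaned up. `convert_tls_list_to_openssl(char *openssl_ciphers, size_t len, const char *ciphers)` would match the surrounding prototypes. Since the tool left it untouched, it is worth checking whether uncrustify.conf sets `sp_after_comma`. The function body continues outside the hunk.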
> @@ -466,9 +466,9 @@ tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
>      }
>  
>  #if (OPENSSL_VERSION_NUMBER < 0x1010100fL)
> -        crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. "
> -                       "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.",
> -                        ciphers);
> +    crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. "
> +               "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.",
> +               ciphers);
>  #else
>      ASSERT(NULL != ctx);
>  
> @@ -509,13 +509,13 @@ tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
>      {
>          msg(M_FATAL, "ERROR: Invalid cert profile: %s", profile);
>      }
> -#else
> +#else  /* ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL */
>      if (profile)
>      {
>          msg(M_WARN, "WARNING: OpenSSL 1.0.1 does not support --tls-cert-profile"
>              ", ignoring user-set profile: '%s'", profile);
>      }
> -#endif
> +#endif /* ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL */
>  }
>  
>  void
> @@ -658,7 +658,7 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
>          {
>              nid = EC_GROUP_get_curve_name(ecgrp);
>          }
> -#endif
> +#endif /* if OPENSSL_VERSION_NUMBER >= 0x10002000L */
>      }
>  
>      /* Translate NID back to name , just for kicks */
> @@ -1137,7 +1137,7 @@ rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i
>  
>      ret = get_sig_from_man(from, flen, to, len);
>  
> -    return (ret == len)? ret : -1;
> +    return (ret == len) ? ret : -1;
>  }
>  
>  static int
> @@ -1325,7 +1325,7 @@ err:
>      {
>          EVP_PKEY_free(privkey);
>      }
> -    if(ec)
> +    if (ec)
>      {
>          EC_KEY_free(ec);
>      }
> @@ -1375,7 +1375,7 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
>          crypto_msg(M_WARN, "management-external-key requires an RSA or EC certificate");
>          goto cleanup;
>      }
> -#else
> +#else  /* if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(LIBRESSL_VERSION_NUMBER) */
>      else
>      {
>          crypto_msg(M_WARN, "management-external-key requires an RSA certificate");
> @@ -1644,7 +1644,7 @@ bio_debug_data(const char *mode, BIO *bio, const uint8_t *buf, int len, const ch
>      if (len > 0)
>      {
>          open_biofp();
> -        fprintf(biofp, "BIO_%s %s time=%"PRIi64" bio=" ptr_format " len=%d data=%s\n",
> +        fprintf(biofp, "BIO_%s %s time=%" PRIi64 " bio=" ptr_format " len=%d data=%s\n",
>                  mode, desc, (int64_t)time(NULL), (ptr_type)bio, len, format_hex(buf, len, 0, &gc));
>          fflush(biofp);
>      }
> @@ -1655,7 +1655,7 @@ static void
>  bio_debug_oc(const char *mode, BIO *bio)
>  {
>      open_biofp();
> -    fprintf(biofp, "BIO %s time=%"PRIi64" bio=" ptr_format "\n",
> +    fprintf(biofp, "BIO %s time=%" PRIi64 " bio=" ptr_format "\n",
>              mode, (int64_t)time(NULL), (ptr_type)bio);
>      fflush(biofp);
>  }
> @@ -1963,7 +1963,7 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix)
>              {
>                  EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
>                  const EC_GROUP *group = EC_KEY_get0_group(ec);
> -                const char* curve;
> +                const char *curve;
>  
>                  int nid = EC_GROUP_get_curve_name(group);
>                  if (nid == 0 || (curve = OBJ_nid2sn(nid)) == NULL)
> @@ -2024,7 +2024,7 @@ show_available_tls_ciphers_list(const char *cipher_list,
>  #else
>      STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);
>  #endif
> -    for (int i=0;i < sk_SSL_CIPHER_num(sk);i++)
> +    for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++)
>      {
>          const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
>  
> @@ -2035,7 +2035,7 @@ show_available_tls_ciphers_list(const char *cipher_list,
>  
>          if (tls13)
>          {
> -              printf("%s\n", cipher_name);
> +            printf("%s\n", cipher_name);
>          }
>          else if (NULL == pair)
>          {
> diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
> index 03c0b661..a7f51751 100644
> --- a/src/openvpn/ssl_verify.c
> +++ b/src/openvpn/ssl_verify.c
> @@ -72,7 +72,7 @@ setenv_untrusted(struct tls_session *session)
>  static void
>  wipe_auth_token(struct tls_multi *multi)
>  {
> -    if(multi)
> +    if (multi)
>      {
>          if (multi->auth_token)
>          {
> @@ -712,24 +712,24 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep
>  
>          switch (opt->verify_hash_algo)
>          {
> -        case MD_SHA1:
> -            ca_hash = x509_get_sha1_fingerprint(cert, &gc);
> -            break;
> -
> -        case MD_SHA256:
> -            ca_hash = x509_get_sha256_fingerprint(cert, &gc);
> -            break;
> -
> -        default:
> -            /* This should normally not happen at all; the algorithm used
> -             * is parsed by add_option() [options.c] and set to a predefined
> -             * value in an enumerated type.  So if this unlikely scenario
> -             * happens, consider this a failure
> -             */
> -            msg(M_WARN, "Unexpected invalid algorithm used with "
> -                "--verify-hash (%i)", opt->verify_hash_algo);
> -            ret = FAILURE;
> -            goto cleanup;
> +            case MD_SHA1:
> +                ca_hash = x509_get_sha1_fingerprint(cert, &gc);
> +                break;
> +
> +            case MD_SHA256:
> +                ca_hash = x509_get_sha256_fingerprint(cert, &gc);
> +                break;
> +
> +            default:
> +                /* This should normally not happen at all; the algorithm used
> +                 * is parsed by add_option() [options.c] and set to a predefined
> +                 * value in an enumerated type.  So if this unlikely scenario
> +                 * happens, consider this a failure
> +                 */
> +                msg(M_WARN, "Unexpected invalid algorithm used with "
> +                    "--verify-hash (%i)", opt->verify_hash_algo);
> +                ret = FAILURE;
> +                goto cleanup;
>          }
>  
>          if (memcmp(BPTR(&ca_hash), opt->verify_hash, BLEN(&ca_hash)))
> @@ -1178,8 +1178,8 @@ verify_user_pass_plugin(struct tls_session *session, const struct user_pass *up)
>          /* generate filename for deferred auth control file */
>          if (!key_state_gen_auth_control_file(ks, session->opt))
>          {
> -            msg (D_TLS_ERRORS, "TLS Auth Error (%s): "
> -                 "could not create deferred auth control file", __func__);
> +            msg(D_TLS_ERRORS, "TLS Auth Error (%s): "
> +                "could not create deferred auth control file", __func__);
>              goto cleanup;
>          }
>  #endif
> diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h
> index 2a9e8bb7..f4cc2c54 100644
> --- a/src/openvpn/ssl_verify_backend.h
> +++ b/src/openvpn/ssl_verify_backend.h
> @@ -130,6 +130,7 @@ result_t backend_x509_get_username(char *common_name, int cn_len,
>   * --x509-username-field option.
>   */
>  bool x509_username_field_ext_supported(const char *extname);
> +
>  #endif
>  
>  /*
> diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
> index 10085b29..ff14db23 100644
> --- a/src/openvpn/ssl_verify_openssl.c
> +++ b/src/openvpn/ssl_verify_openssl.c
> @@ -114,7 +114,8 @@ cleanup:
>  }
>  
>  #ifdef ENABLE_X509ALTUSERNAME
> -bool x509_username_field_ext_supported(const char *fieldname)
> +bool
> +x509_username_field_ext_supported(const char *fieldname)
>  {
>      int nid = OBJ_txt2nid(fieldname);
>      return nid == NID_subject_alt_name || nid == NID_issuer_alt_name;
> @@ -587,7 +588,7 @@ x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage)
>           * prevent it to take a const argument
>           */
>          result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_CLIENT, 0) ?
> -	       SUCCESS : FAILURE;
> +                          SUCCESS : FAILURE;
>  
>          /*
>           * old versions of OpenSSL allow us to make the less strict check we used to
> @@ -615,7 +616,7 @@ x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage)
>           * prevent it to take a const argument
>           */
>          result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_SERVER, 0) ?
> -	       SUCCESS : FAILURE;
> +                          SUCCESS : FAILURE;
>  
>          /*
>           * old versions of OpenSSL allow us to make the less strict check we used to
> diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
> index c3ed2b93..85495d7f 100644
> --- a/src/openvpn/tls_crypt.c
> +++ b/src/openvpn/tls_crypt.c
> @@ -86,7 +86,7 @@ tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file,
>      struct key_type kt = tls_crypt_kt();
>      if (!kt.cipher || !kt.digest)
>      {
> -        msg (M_FATAL, "ERROR: --tls-crypt not supported");
> +        msg(M_FATAL, "ERROR: --tls-crypt not supported");
>      }
>      crypto_read_openvpn_key(&kt, key, key_file, key_inline, key_direction,
>                              "Control Channel Encryption", "tls-crypt");
> @@ -530,7 +530,7 @@ tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata,
>      memcpy(&client_key->keys, BPTR(&plaintext), sizeof(client_key->keys));
>      ASSERT(buf_advance(&plaintext, sizeof(client_key->keys)));
>  
> -    if(!buf_copy(metadata, &plaintext))
> +    if (!buf_copy(metadata, &plaintext))
>      {
>          CRYPT_ERROR("metadata too large for supplied buffer");
>      }
> @@ -613,7 +613,7 @@ tls_crypt_v2_extract_client_key(struct buffer *buf,
>      if (!ctx->tls_crypt_v2_server_key.cipher)
>      {
>          msg(D_TLS_ERRORS,
> -             "Client wants tls-crypt-v2, but no server key present.");
> +            "Client wants tls-crypt-v2, but no server key present.");
>          return false;
>      }
>  
> diff --git a/src/openvpn/tls_crypt.h b/src/openvpn/tls_crypt.h
> index 9b5ea971..43bf8122 100644
> --- a/src/openvpn/tls_crypt.h
> +++ b/src/openvpn/tls_crypt.h
> @@ -99,10 +99,10 @@
>  #define TLS_CRYPT_V2_SERVER_KEY_LEN (sizeof(struct key))
>  #define TLS_CRYPT_V2_TAG_SIZE (TLS_CRYPT_TAG_SIZE)
>  #define TLS_CRYPT_V2_MAX_METADATA_LEN (unsigned)(TLS_CRYPT_V2_MAX_WKC_LEN \
> -         - (TLS_CRYPT_V2_CLIENT_KEY_LEN + TLS_CRYPT_V2_TAG_SIZE \
> -            + sizeof(uint16_t)))
> +                                                 - (TLS_CRYPT_V2_CLIENT_KEY_LEN + TLS_CRYPT_V2_TAG_SIZE \
> +                                                    + sizeof(uint16_t)))
>  #define TLS_CRYPT_V2_MAX_B64_METADATA_LEN \
> -        OPENVPN_BASE64_LENGTH(TLS_CRYPT_V2_MAX_METADATA_LEN - 1)
> +    OPENVPN_BASE64_LENGTH(TLS_CRYPT_V2_MAX_METADATA_LEN - 1)
>  
>  /**
>   * Initialize a key_ctx_bi structure for use with --tls-crypt.
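Review bot: The re-aligned continuation lines of `TLS_CRYPT_V2_MAX_METADATA_LEN` now start under the opening parenthesis and run well past 80 columns, which is harder to read than the old layout. Breaking right after the macro name, as `TLS_CRYPT_V2_MAX_B64_METADATA_LEN` does just below (`#define TLS_CRYPT_V2_MAX_METADATA_LEN \` with the expression on the following lines at one indent level), keeps every line short. While touching it, the expansion could be wrapped in one outer pair of parentheses, `((unsigned)(...))`, per usual macro hygiene. The constant appears to bound a metadata length, so its arithmetic should stay unambiguous at every use site.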
> diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
> index c091401f..12e6eb00 100644
> --- a/src/openvpn/tun.c
> +++ b/src/openvpn/tun.c
> @@ -553,8 +553,8 @@ is_tun_p2p(const struct tuntap *tt)
>      bool tun = false;
>  
>      if (tt->type == DEV_TYPE_TAP
> -          || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)
> -          || tt->type == DEV_TYPE_NULL )
> +        || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)
> +        || tt->type == DEV_TYPE_NULL)
>      {
>          tun = false;
>      }
> @@ -893,7 +893,7 @@ do_ifconfig_ipv6(struct tuntap *tt, const char *ifname, int tun_mtu,
>                  ifconfig_ipv6_local, tt->netbits_ipv6, ifname);
>      argv_msg(M_INFO, &argv);
>      openvpn_execve_check(&argv, es, S_FATAL, "Linux ip -6 addr add failed");
> -#else
> +#else  /* ifdef ENABLE_IPROUTE */
>      argv_printf(&argv, "%s %s add %s/%d mtu %d up", IFCONFIG_PATH, ifname,
>                  ifconfig_ipv6_local, tt->netbits_ipv6, tun_mtu);
>      argv_msg(M_INFO, &argv);
> @@ -1387,6 +1387,7 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu,
>                      ifname, ifconfig_local,
>                      print_in_addr_t(tt->adapter_netmask, 0, &gc));
>                  break;
> +
>              case IPW32_SET_NETSH:
>                  netsh_ifconfig(&tt->options, ifname, tt->local,
>                                 tt->adapter_netmask, NI_IP_NETMASK|NI_OPTIONS);
> @@ -2442,7 +2443,7 @@ close_tun(struct tuntap *tt)
>      struct argv argv = argv_new();
>  
>      /* setup command, close tun dev (clears tt->actual_name!), run command
> -    */
> +     */
>  
>      argv_printf(&argv, "%s %s destroy",
>                  IFCONFIG_PATH, tt->actual_name);
> @@ -2528,7 +2529,7 @@ close_tun(struct tuntap *tt)
>      struct argv argv = argv_new();
>  
>      /* setup command, close tun dev (clears tt->actual_name!), run command
> -    */
> +     */
>  
>      argv_printf(&argv, "%s %s destroy",
>                  IFCONFIG_PATH, tt->actual_name);
> @@ -2668,7 +2669,7 @@ close_tun(struct tuntap *tt)
>      struct argv argv = argv_new();
>  
>      /* setup command, close tun dev (clears tt->actual_name!), run command
> -    */
> +     */
>  
>      argv_printf(&argv, "%s %s destroy",
>                  IFCONFIG_PATH, tt->actual_name);
> @@ -5923,7 +5924,7 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun
>                  };
>  
>                  if (send_msg_iservice(tt->options.msg_channel, &msg, sizeof(msg),
> -                    &ack, "TUN"))
> +                                      &ack, "TUN"))
>                  {
>                      status = ack.error_number;
>                  }
> diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c
> index e43296eb..be526945 100644
> --- a/src/openvpn/win32.c
> +++ b/src/openvpn/win32.c
> @@ -1481,7 +1481,7 @@ send_msg_iservice(HANDLE pipe, const void *data, size_t size,
>          || !ReadFile(pipe, ack, sizeof(*ack), &len, NULL))
>      {
>          msg(M_WARN, "%s: could not talk to service: %s [%lu]",
> -            context? context : "Unknown",
> +            context ? context : "Unknown",
>              strerror_win32(GetLastError(), &gc), GetLastError());
>          ret = false;
>      }
> 

I know we want to get "uncrustify-clean", but maybe we can tweak some
options to comply with my remarks above? If not... well... uncrustify will
decide for our codestyle ;P


Cheers,
David Sommerseth Dec. 12, 2018, 1:34 p.m. | #2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

ACK.  Checked with re-running uncrustify.  It did find two more places
which needed fixing, both came from commit e61b401ac50d2a9cfab which
were added after this patch-set, so not a fault of this patch.  This
can be fixed afterwards.

I did one-on-the-fly fix as well, in plugin.c - plugin_call_item() -
which uncrustify did not change with a re-run.

The patch resulted in this (line 549) 
- ---------------------------------------------------
  struct openvpn_plugin_args_func_in args = { type,
                                              (const char **const) a.argv,
                                              (const char **const) envp,
                                              p->plugin_handle,
                                              per_client_context,
                                              (current_cert ? certdepth : -1),
                                              current_cert};
- ---------------------------------------------------

I changed the last line above to:  "current_cert };" (adding a space).
This was due to the initial spacing in the opening bracket, to be
consistent with opening and closing.


Your patch has been applied to the master branch

commit f57431cdc88f22fa4d7962946f0d3187fe058539
Author: Gert Doering
Date:   Fri Nov 30 14:56:41 2018 +0100

     uncrustify openvpn/ sources

     Signed-off-by: Gert Doering <gert@greenie.muc.de>
     Acked-by: David Sommerseth <davids@openvpn.net>
     Message-Id: <20181130135641.11533-3-gert@greenie.muc.de>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17970.html
     Signed-off-by: David Sommerseth <davids@openvpn.net>


- --
kind regards,

David Sommerseth

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCgAGBQJcEQ5sAAoJEIbPlEyWcf3yOh0P/AihfHG6OP8Gi2H1Z4jXrSJP
+hszq/pLeP1BjOfArE6+DNHHR2AhMXj0qUzx0e0CvqGVvlTdMpLorXk9jP2oSBFg
bpBG/YVyGl0QPv+7F9lo2YOOZIazOxwk3IqBBE2RZt4v12gShX5cWvvrbUJgN6Xl
+qhEzIhWJbCjAVQza8V0EHP3/agieLbNK2PvhfPe8/0muHou99sBRwWhVaJvqsoi
tyxAMsort/6IyWc/Il185TNqyK4+a6hpNCpvXBPFQBehL5SQnw87kXeTxsbZtFxT
ERO2ZD14HyNgdFCJeaAKOZCZckenQlQJp5wyj7gsW5GSylKGPrYOgTbN7ynVWm3y
wi/T8MvQz40YmBCitpMMxPN33EPLMz0gchwpp9Wf+cj+Qm02uQso5khO6lcJF/yw
m8S+mIdCce+JSBvxjwhyMOEXwu/iHECO9jmoSqVcFKpXKEML3gEisIAvwofOjCyS
oGT74wcW0VgnsYLfLI9XXC87ncqtVNYd4VObWaGOovtD9W4R+53PQIC10qhPg36a
gGIpfbp447l7eGrP0rznjRmorjnPh+1SbW4kgvPQkjf+eexlb0n7wLLzorKeYuH4
9h7WMHgCO/AKR7YzT2TU2m+7xFMDX+0X8fn0Ef+1/E4fDftFMpJaaM8UB1J7oJrO
yMCmlIjwHupgMtfH5OvK
=SBiH
-----END PGP SIGNATURE-----
David Sommerseth Dec. 12, 2018, 10:50 p.m. | #3
On 12/12/2018 12:33, Antonio Quartulli wrote:
> I know we want to get "uncrustity-clean", but maybe we can tweak some
> options to comply with my remarks above? if not...well...uncrustify will
> decide for our codestyle ;P

I only spotted your feedback now, way too late :(  Sorry about that!

As I walked through this file, I thought this is better keeping it
out-of-the-loop for a few more weeks.  The code now is mostly compatible with
the _current_ uncrustify.conf available in the ./dev-tools, which is a good
step forward from the current state.  And I considered the current result
acceptable for now.

I do see my uncrustify run have some weird disagreements in
src/openvpn/push.c, where it wants to indent all the switch case parts one
more level.  Not sure why this didn't hit Gerts run though, this change does
seem appropriate to our CodeStyle wiki page.  My uncrustify also disagrees in
src/openvpn/buffer.c:474, where gc_addspecial(...) gets the space between
'void' and '(free_function)' removed.  Otherwise there is nothing unexpected
(including the change in src/openvpn/ssl.c already mentioned in the "PATCH
applied" mail).  But this can all be related to uncrustify versions and bugs
there.   I'll try to get a newer version built and see what happens then.

But I think we just need to accept that we can only push uncrustify to some
degree towards our desired coding style and then to accept the minor gaps to
our view of full perfection.  Telling contributors to "run your changes
through uncrustify before sending patches" will definitely help.
Gert Doering Dec. 13, 2018, 7:09 a.m. | #4
Hi,

On Wed, Dec 12, 2018 at 11:50:20PM +0100, David Sommerseth wrote:
> I do see my uncrustify run have some weird disagreements in
> src/openvpn/push.c, where it wants to indent all the switch case parts one
> more level.  Not sure why this didn't hit Gerts run though, this change does
> seem appropriate to our CodeStyle wiki page.  

This is Arne's forget-auth-token patch which added a level of brackets
but did not re-indent the switch/case part (e61b401ac5).  I commented
on this in the "merge and pushed" mail, but decided to merge it nonetheless
as this is another one that had been going in circles for too many moons...

[..]
> But I think we just need to accept that we can only push uncrustify to some
> degree towards our desired coding style and then to accept the minor gaps to
> our view of full perfection.  

I am fine with this.  Yes, some of the changes look funky, and I wouldn't
personally do other stuff, but I can live with the result - and it's way
better than having to argue style questions all the time, instead of
focusing on code and "possible logic flaws in the code".

> Telling contributors to "run your changes
> through uncrustify before sending patches" will definitely help.

Indeed.

gert

Patch

diff --git a/dev-tools/uncrustify.conf b/dev-tools/uncrustify.conf
index d8ea870e..25eb4cdd 100644
--- a/dev-tools/uncrustify.conf
+++ b/dev-tools/uncrustify.conf
@@ -60,6 +60,9 @@  mod_add_long_ifdef_else_comment=5
 # Misc cleanup
 mod_remove_extra_semicolon=true
 
+# leave blank at end of empty for() statements
+sp_after_semi_for_empty=Add
+
 # Use C-style comments (/* .. */)
 cmt_c_nl_end=true
 cmt_star_cont=true
diff --git a/src/openvpn/block_dns.h b/src/openvpn/block_dns.h
index 50b383f6..f9b1e5d0 100644
--- a/src/openvpn/block_dns.h
+++ b/src/openvpn/block_dns.h
@@ -65,5 +65,5 @@  DWORD
 set_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family,
                      const ULONG metric);
 
-#endif
-#endif
+#endif /* ifndef OPENVPN_BLOCK_DNS_H */
+#endif /* ifdef _WIN32 */
diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c
index 27c75271..2aae5c4c 100644
--- a/src/openvpn/buffer.c
+++ b/src/openvpn/buffer.c
@@ -312,7 +312,7 @@  openvpn_snprintf(char *str, size_t size, const char *format, ...)
 
 /*
  * openvpn_swprintf() is currently only used by Windows code paths
- * and when enabled for all platforms it will currently break older 
+ * and when enabled for all platforms it will currently break older
  * OpenBSD versions lacking vswprintf(3) support in their libc.
  */
 
@@ -474,7 +474,7 @@  x_gc_freespecial(struct gc_arena *a)
 }
 
 void
-gc_addspecial(void *addr, void(free_function)(void *), struct gc_arena *a)
+gc_addspecial(void *addr, void (free_function)(void *), struct gc_arena *a)
 {
     ASSERT(a);
     struct gc_entry_special *e;
diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h
index d402d05b..a4fe6f9b 100644
--- a/src/openvpn/buffer.h
+++ b/src/openvpn/buffer.h
@@ -458,6 +458,7 @@  __attribute__ ((format(__printf__, 3, 4)))
  */
 bool
 openvpn_swprintf(wchar_t *const str, const size_t size, const wchar_t *const format, ...);
+
 /*
  * Unlike in openvpn_snprintf, we cannot use format attributes since
  * GCC doesn't support wprintf as archetype.
diff --git a/src/openvpn/console.h b/src/openvpn/console.h
index 5a70e5fd..0ffd6683 100644
--- a/src/openvpn/console.h
+++ b/src/openvpn/console.h
@@ -21,7 +21,7 @@ 
  *  You should have received a copy of the GNU General Public License along
  *  with this program; if not, write to the Free Software Foundation, Inc.,
  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
+ */
 
 #ifndef CONSOLE_H
 #define CONSOLE_H
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index e9bf22b0..df6f36ca 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -920,10 +920,12 @@  key_is_zero(struct key *key, const struct key_type *kt)
 {
     int i;
     for (i = 0; i < kt->cipher_length; ++i)
+    {
         if (key->cipher[i])
         {
             return false;
         }
+    }
     msg(D_CRYPT_ERRORS, "CRYPTO INFO: WARNING: zero key detected");
     return true;
 }
@@ -1270,7 +1272,9 @@  read_key_file(struct key2 *key2, const char *file, const unsigned int flags)
     {
         in = buffer_read_from_file(file, &gc);
         if (!buf_valid(&in))
+        {
             msg(M_FATAL, "Read error on key file ('%s')", file);
+        }
 
         size = in.len;
     }
@@ -1462,7 +1466,7 @@  write_key_file(const int nkeys, const char *filename)
     buf_printf(&out, "%s\n", static_key_foot);
 
     /* write key file, now formatted in out, to file */
-    if(!buffer_write_file(filename, &out))
+    if (!buffer_write_file(filename, &out))
     {
         nbits = -1;
     }
@@ -1692,7 +1696,9 @@  prng_reset_nonce(void)
     {
         int i;
         for (i = 0; i < size; ++i)
+        {
             nonce_data[i] = (uint8_t) i;
+        }
     }
 #endif
 }
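Review bot: The loop that gains braces here fills `nonce_data` with the byte sequence 0, 1, 2, …, which is a fully predictable nonce state. The `#if`/`#else` that selects this branch starts outside the hunk, so it is not visible from here when the branch is compiled in. If this is the testing-only path, a comment directly on the loop such as `/* testing only: predictable nonce data, never enable in production builds */` would make that clear to anyone reading or grepping this code. prng_reset_nonce() begins before the hunk.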
@@ -1773,7 +1779,7 @@  void
 print_cipher(const cipher_kt_t *cipher)
 {
     const char *var_key_size = cipher_kt_var_key_size(cipher) ?
-        " by default" : "";
+                               " by default" : "";
 
     printf("%s  (%d bit key%s, ",
            translate_cipher_name_to_openvpn(cipher_kt_name(cipher)),
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 96ba8586..1edde2e3 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -318,7 +318,7 @@  void free_key_ctx(struct key_ctx *ctx);
 
 void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2,
                      int key_direction, const struct key_type *kt,
-		     const char *name);
+                     const char *name);
 
 void free_key_ctx_bi(struct key_ctx_bi *ctx);
 
@@ -504,7 +504,8 @@  memcmp_constant_time(const void *a, const void *b, size_t size)
     int ret = 0;
     size_t i;
 
-    for (i = 0; i < size; i++) {
+    for (i = 0; i < size; i++)
+    {
         ret |= *a1++ ^ *b1++;
     }
 
diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index 38b2c175..a04e01f4 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -51,7 +51,7 @@ 
 typedef enum {
     MD_SHA1,
     MD_SHA256
-} hash_algo_type ;
+} hash_algo_type;
 
 /** Struct used in cipher name translation table */
 typedef struct {
diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
index 77e84c3c..2e931440 100644
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
@@ -233,8 +233,8 @@  crypto_pem_encode(const char *name, struct buffer *dst,
 
     size_t out_len = 0;
     if (MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL !=
-            mbedtls_pem_write_buffer(header, footer, BPTR(src), BLEN(src),
-                                     NULL, 0, &out_len))
+        mbedtls_pem_write_buffer(header, footer, BPTR(src), BLEN(src),
+                                 NULL, 0, &out_len))
     {
         return false;
     }
@@ -858,7 +858,8 @@  md_ctx_new(void)
     return ctx;
 }
 
-void md_ctx_free(mbedtls_md_context_t *ctx)
+void
+md_ctx_free(mbedtls_md_context_t *ctx)
 {
     free(ctx);
 }
diff --git a/src/openvpn/crypto_mbedtls.h b/src/openvpn/crypto_mbedtls.h
index 81b542bc..c4b13b7b 100644
--- a/src/openvpn/crypto_mbedtls.h
+++ b/src/openvpn/crypto_mbedtls.h
@@ -146,7 +146,8 @@  mbed_log_func_line_lite(unsigned int flags, int errval,
 #define mbed_ok(errval) \
     mbed_log_func_line_lite(D_CRYPT_ERRORS, errval, __func__, __LINE__)
 
-static inline bool cipher_kt_var_key_size(const cipher_kt_t *cipher)
+static inline bool
+cipher_kt_var_key_size(const cipher_kt_t *cipher)
 {
     return cipher->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN;
 }
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 0bff1a25..9691ce05 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -202,12 +202,12 @@  crypto_print_openssl_errors(const unsigned int flags)
         else if (ERR_GET_REASON(err) == SSL_R_UNSUPPORTED_PROTOCOL)
         {
             msg(D_CRYPT_ERRORS, "TLS error: Unsupported protocol. This typically "
-                 "indicates that client and server have no common TLS version enabled. "
-                 "This can be caused by mismatched tls-version-min and tls-version-max "
-                 "options on client and server. "
-                 "If your OpenVPN client is between v2.3.6 and v2.3.2 try adding "
-                 "tls-version-min 1.0 to the client configuration to use TLS 1.0+ "
-                 "instead of TLS 1.0 only");
+                "indicates that client and server have no common TLS version enabled. "
+                "This can be caused by mismatched tls-version-min and tls-version-max "
+                "options on client and server. "
+                "If your OpenVPN client is between v2.3.6 and v2.3.2 try adding "
+                "tls-version-min 1.0 to the client configuration to use TLS 1.0+ "
+                "instead of TLS 1.0 only");
         }
         msg(flags, "OpenSSL: %s", ERR_error_string(err, NULL));
     }
@@ -315,7 +315,8 @@  show_available_ciphers(void)
 
     qsort(cipher_list, num_ciphers, sizeof(*cipher_list), cipher_name_cmp);
 
-    for (i = 0; i < num_ciphers; i++) {
+    for (i = 0; i < num_ciphers; i++)
+    {
         if (!cipher_kt_insecure(cipher_list[i]))
         {
             print_cipher(cipher_list[i]);
@@ -324,7 +325,8 @@  show_available_ciphers(void)
 
     printf("\nThe following ciphers have a block size of less than 128 bits, \n"
            "and are therefore deprecated.  Do not use unless you have to.\n\n");
-    for (i = 0; i < num_ciphers; i++) {
+    for (i = 0; i < num_ciphers; i++)
+    {
         if (cipher_kt_insecure(cipher_list[i]))
         {
             print_cipher(cipher_list[i]);
@@ -405,7 +407,7 @@  crypto_pem_encode(const char *name, struct buffer *dst,
 cleanup:
     if (!BIO_free(bio))
     {
-        ret = false;;
+        ret = false;
     }
 
     return ret;
@@ -458,7 +460,7 @@  cleanup:
     OPENSSL_free(data_read);
     if (!BIO_free(bio))
     {
-        ret = false;;
+        ret = false;
     }
 
     return ret;
@@ -688,7 +690,7 @@  cipher_kt_insecure(const EVP_CIPHER *cipher)
 #ifdef NID_chacha20_poly1305
              || EVP_CIPHER_nid(cipher) == NID_chacha20_poly1305
 #endif
-            );
+             );
 }
 
 int
@@ -729,13 +731,13 @@  cipher_kt_mode_aead(const cipher_kt_t *cipher)
     {
         switch (EVP_CIPHER_nid(cipher))
         {
-        case NID_aes_128_gcm:
-        case NID_aes_192_gcm:
-        case NID_aes_256_gcm:
+            case NID_aes_128_gcm:
+            case NID_aes_192_gcm:
+            case NID_aes_256_gcm:
 #ifdef NID_chacha20_poly1305
-        case NID_chacha20_poly1305:
+            case NID_chacha20_poly1305:
 #endif
-            return true;
+                return true;
         }
     }
 #endif
@@ -962,7 +964,8 @@  md_ctx_new(void)
     return ctx;
 }
 
-void md_ctx_free(EVP_MD_CTX *ctx)
+void
+md_ctx_free(EVP_MD_CTX *ctx)
 {
     EVP_MD_CTX_free(ctx);
 }
diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h
index 1ea3e858..64754480 100644
--- a/src/openvpn/crypto_openssl.h
+++ b/src/openvpn/crypto_openssl.h
@@ -101,7 +101,8 @@  void crypto_print_openssl_errors(const unsigned int flags);
         msg((flags), __VA_ARGS__); \
     } while (false)
 
-static inline bool cipher_kt_var_key_size(const cipher_kt_t *cipher)
+static inline bool
+cipher_kt_var_key_size(const cipher_kt_t *cipher)
 {
     return EVP_CIPHER_flags(cipher) & EVP_CIPH_VARIABLE_LENGTH;
 }
diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index fa057cb2..9687d8c2 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -159,7 +159,8 @@  ms_error_text(DWORD ms_err)
         /* trim to the left */
         if (rv)
         {
-            for (p = rv + strlen(rv) - 1; p >= rv; p--) {
+            for (p = rv + strlen(rv) - 1; p >= rv; p--)
+            {
                 if (isspace(*p))
                 {
                     *p = '\0';
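Review bot: The trimming loop in ms_error_text can move `p` to `rv - 1`, one element before the buffer, both when the message is empty (the initialiser `rv + strlen(rv) - 1`) and when every character is whitespace (the final `p--`); forming that pointer is undefined behaviour. `isspace(*p)` also receives a plain `char`, which is undefined for negative values, assuming `p` is a `char *` (its declaration is outside the hunk). An index-based loop avoids both: `for (size_t n = strlen(rv); n > 0 && isspace((unsigned char)rv[n - 1]); n--)` with `rv[n - 1] = '\0';` as its body. The comment `/* trim to the left */` describes what is a trailing trim and could read `/* trim trailing whitespace */`. The rest of the loop is outside the hunk, so this assumes it stops at the first non-space character.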
@@ -198,7 +199,8 @@  err_put_ms_error(DWORD ms_err, int func, const char *file, int line)
     }
     /* since MS error codes are 32 bit, and the ones in the ERR_... system is
      * only 12, we must have a mapping table between them.  */
-    for (i = 0; i < ERR_MAP_SZ; i++) {
+    for (i = 0; i < ERR_MAP_SZ; i++)
+    {
         if (err_map[i].ms_err == ms_err)
         {
             ERR_PUT_error(ERR_LIB_CRYPTOAPI, func, err_map[i].err, file, line);
@@ -267,8 +269,8 @@  priv_enc_CNG(const CAPI_DATA *cd, const wchar_t *hash_algo, const unsigned char
     BCRYPT_PKCS1_PADDING_INFO padinfo = {hash_algo};
     DWORD status;
 
-    status = NCryptSignHash(hkey, padding? &padinfo : NULL, (BYTE*) from, flen,
-                            to, tlen, &len, padding? BCRYPT_PAD_PKCS1 : 0);
+    status = NCryptSignHash(hkey, padding ? &padinfo : NULL, (BYTE *) from, flen,
+                            to, tlen, &len, padding ? BCRYPT_PAD_PKCS1 : 0);
     if (status != ERROR_SUCCESS)
     {
         SetLastError(status);
@@ -375,7 +377,7 @@  rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i
  */
 static int
 rsa_sign_CNG(int type, const unsigned char *m, unsigned int m_len,
-              unsigned char *sig, unsigned int *siglen, const RSA *rsa)
+             unsigned char *sig, unsigned int *siglen, const RSA *rsa)
 {
     CAPI_DATA *cd = (CAPI_DATA *) RSA_meth_get0_app_data(RSA_get_method(rsa));
     const wchar_t *alg = NULL;
@@ -419,6 +421,7 @@  rsa_sign_CNG(int type, const unsigned char *m, unsigned int m_len,
             /* No DigestInfo header is required -- set alg-name to NULL */
             alg = NULL;
             break;
+
         default:
             msg(M_WARN, "cryptoapicert: Unknown hash type NID=0x%x", type);
             RSAerr(RSA_F_RSA_SIGN, RSA_R_UNKNOWN_ALGORITHM_TYPE);
@@ -459,7 +462,7 @@  finish(RSA *rsa)
         return 0;
     }
     CAPI_DATA_free(cd);
-    RSA_meth_free((RSA_METHOD*) rsa_meth);
+    RSA_meth_free((RSA_METHOD *) rsa_meth);
     return 1;
 }
 
@@ -586,7 +589,7 @@  ssl_ctx_set_eckey(SSL_CTX *ssl_ctx, CAPI_DATA *cd, EVP_PKEY *pkey)
     if (cd->key_spec != CERT_NCRYPT_KEY_SPEC)
     {
         msg(M_NONFATAL, "ERROR: cryptoapicert with only legacy private key handle available."
-                    " EC certificate not supported.");
+            " EC certificate not supported.");
         goto err;
     }
     /* create a method struct with default callbacks filled in */
@@ -686,7 +689,8 @@  find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store)
 
         /* skip the tag */
         cert_prop += 6;
-        for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++) {
+        for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++)
+        {
             if (*p >= '0' && *p <= '9')
             {
                 x = (*p - '0') << 4;
@@ -739,7 +743,7 @@  ssl_ctx_set_rsakey(SSL_CTX *ssl_ctx, CAPI_DATA *cd, EVP_PKEY *pkey)
     bool rsa_method_set = false;
 
     my_rsa_method = RSA_meth_new("Microsoft Cryptography API RSA Method",
-                                  RSA_METHOD_FLAG_NO_CHECK);
+                                 RSA_METHOD_FLAG_NO_CHECK);
     check_malloc_return(my_rsa_method);
     RSA_meth_set_pub_enc(my_rsa_method, rsa_pub_enc);
     RSA_meth_set_pub_dec(my_rsa_method, rsa_pub_dec);
@@ -797,7 +801,7 @@  ssl_ctx_set_rsakey(SSL_CTX *ssl_ctx, CAPI_DATA *cd, EVP_PKEY *pkey)
         goto err;
     }
     /* SSL_CTX_use_RSAPrivateKey() increased the reference count in 'rsa', so
-     * we decrease it here with RSA_free(), or it will never be cleaned up. */
+    * we decrease it here with RSA_free(), or it will never be cleaned up. */
     RSA_free(rsa);
     return 1;
 
@@ -867,7 +871,7 @@  SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop)
     DWORD flags = CRYPT_ACQUIRE_COMPARE_KEY_FLAG
                   | CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG;
     if (!CryptAcquireCertificatePrivateKey(cd->cert_context, flags, NULL,
-                    &cd->crypt_prov, &cd->key_spec, &cd->free_crypt_prov))
+                                           &cd->crypt_prov, &cd->key_spec, &cd->free_crypt_prov))
     {
         /* if we don't have a smart card reader here, and we try to access a
          * smart card certificate, we get:
diff --git a/src/openvpn/env_set.c b/src/openvpn/env_set.c
index e7fb2d83..0ab0262a 100644
--- a/src/openvpn/env_set.c
+++ b/src/openvpn/env_set.c
@@ -277,7 +277,7 @@  void
 setenv_long_long(struct env_set *es, const char *name, long long value)
 {
     char buf[64];
-    openvpn_snprintf(buf, sizeof(buf), "%"PRIi64, (int64_t)value);
+    openvpn_snprintf(buf, sizeof(buf), "%" PRIi64, (int64_t)value);
     setenv_str(es, name, buf);
 }
 
diff --git a/src/openvpn/env_set.h b/src/openvpn/env_set.h
index 5dc33485..cf8415cc 100644
--- a/src/openvpn/env_set.h
+++ b/src/openvpn/env_set.h
@@ -94,13 +94,15 @@  void env_set_print(int msglevel, const struct env_set *es);
 void env_set_inherit(struct env_set *es, const struct env_set *src);
 
 /* returns true if environmental variable name starts with 'password' */
-static inline bool is_password_env_var(const char *str)
+static inline bool
+is_password_env_var(const char *str)
 {
     return (strncmp(str, "password", 8) == 0);
 }
 
 /* returns true if environmental variable safe to print to log */
-static inline bool env_safe_to_print(const char *str)
+static inline bool
+env_safe_to_print(const char *str)
 {
 #ifndef UNSAFE_DEBUG
     if (is_password_env_var(str))
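Review bot: The comments on is_password_env_var and env_safe_to_print do not say that the filter is a case-sensitive prefix match on `password` only, which matters because it decides what reaches the log. I would extend the first comment to `/* returns true if name starts with 'password' (case-sensitive prefix match; other secret-bearing names are not covered) */` and replace the literal length 8 with `sizeof("password") - 1`. env_safe_to_print also skips the check entirely when UNSAFE_DEBUG is defined, which deserves a line in its comment. Its body continues outside the hunk.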
diff --git a/src/openvpn/error.c b/src/openvpn/error.c
index 51294687..b2492f2b 100644
--- a/src/openvpn/error.c
+++ b/src/openvpn/error.c
@@ -343,7 +343,7 @@  x_msg_va(const unsigned int flags, const char *format, va_list arglist)
                 struct timeval tv;
                 gettimeofday(&tv, NULL);
 
-                fprintf(fp, "%"PRIi64".%06ld %x %s%s%s%s",
+                fprintf(fp, "%" PRIi64 ".%06ld %x %s%s%s%s",
                         (int64_t)tv.tv_sec,
                         (long)tv.tv_usec,
                         flags,
diff --git a/src/openvpn/event.c b/src/openvpn/event.c
index 37276905..49dfa861 100644
--- a/src/openvpn/event.c
+++ b/src/openvpn/event.c
@@ -1041,7 +1041,7 @@  se_wait_fast(struct event_set *es, const struct timeval *tv, struct event_set_re
     struct timeval tv_tmp = *tv;
     int stat;
 
-    dmsg(D_EVENT_WAIT, "SE_WAIT_FAST maxfd=%d tv=%"PRIi64"/%ld",
+    dmsg(D_EVENT_WAIT, "SE_WAIT_FAST maxfd=%d tv=%" PRIi64 "/%ld",
          ses->maxfd,
          (int64_t)tv_tmp.tv_sec,
          (long)tv_tmp.tv_usec);
@@ -1065,7 +1065,7 @@  se_wait_scalable(struct event_set *es, const struct timeval *tv, struct event_se
     fd_set write = ses->writefds;
     int stat;
 
-    dmsg(D_EVENT_WAIT, "SE_WAIT_SCALEABLE maxfd=%d tv=%"PRIi64"/%ld",
+    dmsg(D_EVENT_WAIT, "SE_WAIT_SCALEABLE maxfd=%d tv=%" PRIi64 "/%ld",
          ses->maxfd, (int64_t)tv_tmp.tv_sec, (long)tv_tmp.tv_usec);
 
     stat = select(ses->maxfd + 1, &read, &write, NULL, &tv_tmp);
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index f8faa810..37719dbe 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -757,7 +757,7 @@  static void
 process_coarse_timers(struct context *c)
 {
     /* flush current packet-id to file once per 60
-     * seconds if --replay-persist was specified */
+    * seconds if --replay-persist was specified */
     check_packet_id_persist_flush(c);
 
     /* should we update status file? */
@@ -836,7 +836,7 @@  check_coarse_timers_dowork(struct context *c)
     process_coarse_timers(c);
     c->c2.coarse_timer_wakeup = now + c->c2.timeval.tv_sec;
 
-    dmsg(D_INTERVAL, "TIMER: coarse timer wakeup %"PRIi64" seconds", (int64_t)c->c2.timeval.tv_sec);
+    dmsg(D_INTERVAL, "TIMER: coarse timer wakeup %" PRIi64 " seconds", (int64_t)c->c2.timeval.tv_sec);
 
     /* Is the coarse timeout NOT the earliest one? */
     if (c->c2.timeval.tv_sec > save.tv_sec)
diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h
index 58b75d64..b534c723 100644
--- a/src/openvpn/forward.h
+++ b/src/openvpn/forward.h
@@ -80,10 +80,12 @@  void check_incoming_control_channel_dowork(struct context *c);
 void check_scheduled_exit_dowork(struct context *c);
 
 void check_push_request_dowork(struct context *c);
+
 #endif /* P2MP */
 
 #ifdef ENABLE_FRAGMENT
 void check_fragment_dowork(struct context *c);
+
 #endif /* ENABLE_FRAGMENT */
 
 void check_connection_established_dowork(struct context *c);
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 2a1b38ea..a1841604 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1077,13 +1077,13 @@  do_genkey(const struct options *options)
     }
     if (options->tls_crypt_v2_genkey_type)
     {
-        if(!strcmp(options->tls_crypt_v2_genkey_type, "server"))
+        if (!strcmp(options->tls_crypt_v2_genkey_type, "server"))
         {
             tls_crypt_v2_write_server_key_file(options->tls_crypt_v2_genkey_file);
             return true;
         }
         if (options->tls_crypt_v2_genkey_type
-                 && !strcmp(options->tls_crypt_v2_genkey_type, "client"))
+            && !strcmp(options->tls_crypt_v2_genkey_type, "client"))
         {
             if (!options->tls_crypt_v2_file)
             {
@@ -1091,8 +1091,8 @@  do_genkey(const struct options *options)
             }
 
             tls_crypt_v2_write_client_key_file(options->tls_crypt_v2_genkey_file,
-                    options->tls_crypt_v2_metadata, options->tls_crypt_v2_file,
-                    options->tls_crypt_v2_inline);
+                                               options->tls_crypt_v2_metadata, options->tls_crypt_v2_file,
+                                               options->tls_crypt_v2_inline);
             return true;
         }
 
@@ -2570,8 +2570,8 @@  do_init_tls_wrap_key(struct context *c)
         if (!streq(options->authname, "none"))
         {
             c->c1.ks.tls_auth_key_type.digest = md_kt_get(options->authname);
-                c->c1.ks.tls_auth_key_type.hmac_length =
-                    md_kt_size(c->c1.ks.tls_auth_key_type.digest);
+            c->c1.ks.tls_auth_key_type.hmac_length =
+                md_kt_size(c->c1.ks.tls_auth_key_type.digest);
         }
         else
         {
@@ -2655,7 +2655,7 @@  do_init_crypto_tls_c1(struct context *c)
             return;
 #else  /* if P2MP */
             msg(M_FATAL, "Error: private key password verification failed");
-#endif
+#endif /* if P2MP */
         }
 
         /* Get cipher & hash algorithms */
@@ -2763,15 +2763,15 @@  do_init_crypto_tls(struct context *c, const unsigned int flags)
     {
         /* Add 10% jitter to reneg-sec by default (server side only) */
         int auto_jitter = options->mode != MODE_SERVER ? 0 :
-                get_random() % max_int(options->renegotiate_seconds / 10, 1);
+                          get_random() % max_int(options->renegotiate_seconds / 10, 1);
         to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
     }
     else
     {
         /* Add user-specified jitter to reneg-sec */
-        to.renegotiate_seconds = options->renegotiate_seconds -
-                (get_random() % max_int(options->renegotiate_seconds
-                                        - options->renegotiate_seconds_min, 1));
+        to.renegotiate_seconds = options->renegotiate_seconds
+                                 -(get_random() % max_int(options->renegotiate_seconds
+                                                          - options->renegotiate_seconds_min, 1));
     }
     to.single_session = options->single_session;
     to.mode = options->mode;
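Review bot: In the user-specified jitter branch the continuation line now starts with `-(get_random() % max_int(...`, which reads as a unary negation of the parenthesised term rather than the subtraction it is. A space after the operator, `- (get_random() % max_int(...))`, keeps the operator-first layout and makes the meaning obvious. The same applies to `|(buf2[hoff + 2] << 16)` in the ntlm.c hunk. If uncrustify emits this form on its own, the operator-spacing configuration is the place to correct it rather than the individual source lines.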
diff --git a/src/openvpn/integer.h b/src/openvpn/integer.h
index b1ae0eda..3755f43f 100644
--- a/src/openvpn/integer.h
+++ b/src/openvpn/integer.h
@@ -28,12 +28,12 @@ 
 
 #ifndef htonll
 #define htonll(x) ((1==htonl(1)) ? (x) : \
-                  ((uint64_t)htonl((x) & 0xFFFFFFFF) << 32) | htonl((x) >> 32))
+                   ((uint64_t)htonl((x) & 0xFFFFFFFF) << 32) | htonl((x) >> 32))
 #endif
 
 #ifndef ntohll
 #define ntohll(x) ((1==ntohl(1)) ? (x) : \
-                  ((uint64_t)ntohl((x) & 0xFFFFFFFF) << 32) | ntohl((x) >> 32))
+                   ((uint64_t)ntohl((x) & 0xFFFFFFFF) << 32) | ntohl((x) >> 32))
 #endif
 
 /*
diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
index 8b633f20..2d86dad4 100644
--- a/src/openvpn/manage.c
+++ b/src/openvpn/manage.c
@@ -3640,7 +3640,7 @@  management_query_multiline_flatten(struct management *man,
 char *
 /* returns allocated base64 signature */
 management_query_pk_sig(struct management *man,
-                         const char *b64_data)
+                        const char *b64_data)
 {
     const char *prompt = "PK_SIGN";
     const char *desc = "pk-sign";
@@ -3650,7 +3650,7 @@  management_query_pk_sig(struct management *man,
         desc = "rsa-sign";
     }
     return management_query_multiline_flatten(man, b64_data, prompt, desc,
-            &man->connection.ext_key_state, &man->connection.ext_key_input);
+                                              &man->connection.ext_key_state, &man->connection.ext_key_input);
 }
 
 char *
diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c
index facdf7b5..b0e2c42b 100644
--- a/src/openvpn/mss.c
+++ b/src/openvpn/mss.c
@@ -150,7 +150,7 @@  mss_fixup_dowork(struct buffer *buf, uint16_t maxmss)
 
     if (BLEN(buf) < (int) sizeof(struct openvpn_tcphdr))
     {
-	return;
+        return;
     }
 
     verify_align_4(buf);
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 8440f311..53d6f0cf 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -2394,7 +2394,7 @@  multi_process_post(struct multi_context *m, struct multi_instance *mi, const uns
         multi_set_pending(m, ANY_OUT(&mi->context) ? mi : NULL);
 
 #ifdef MULTI_DEBUG_EVENT_LOOP
-        printf("POST %s[%d] to=%d lo=%d/%d w=%"PRIi64"/%ld\n",
+        printf("POST %s[%d] to=%d lo=%d/%d w=%" PRIi64 "/%ld\n",
                id(mi),
                (int) (mi == m->pending),
                mi ? mi->context.c2.to_tun.len : -1,
diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h
index 3d3d6875..7216865e 100644
--- a/src/openvpn/multi.h
+++ b/src/openvpn/multi.h
@@ -537,6 +537,7 @@  clear_prefix(void)
 #define MULTI_CACHE_ROUTE_TTL 60
 
 void multi_reap_process_dowork(const struct multi_context *m);
+
 void multi_process_per_second_timers_dowork(struct multi_context *m);
 
 static inline void
diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
index 077fa3e2..e3707484 100644
--- a/src/openvpn/ntlm.c
+++ b/src/openvpn/ntlm.c
@@ -314,8 +314,8 @@  ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2,
          * byte order on the wire for the NTLM header is LE.
          */
         const size_t hoff = 0x14;
-        unsigned long flags = buf2[hoff] | (buf2[hoff + 1] << 8) |
-                              (buf2[hoff + 2] << 16) | (buf2[hoff + 3] << 24);
+        unsigned long flags = buf2[hoff] | (buf2[hoff + 1] << 8)
+                              |(buf2[hoff + 2] << 16) | (buf2[hoff + 3] << 24);
         if ((flags & 0x00800000) == 0x00800000)
         {
             tib_len = buf2[0x28];            /* Get Target Information block size */
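Review bot: `(buf2[hoff + 3] << 24)` shifts a value that has already been promoted to `int`, so a byte of 0x80 or above overflows a signed int, which is undefined behaviour. This assumes `buf2` is an array of 8-bit unsigned elements, since its declaration is outside the hunk. Casting before the shift avoids it: `((unsigned long)buf2[hoff + 3] << 24)`. The bytes come from the proxy's phase-2 message, and no length check on the decoded data is visible in this hunk before offsets `hoff`..`hoff + 3` and `0x28` are read, so it is worth confirming that one exists earlier in ntlm_phase_3.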
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index 9560b29f..a4072b9a 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -193,8 +193,8 @@  X509_get0_pubkey(const X509 *x)
  * @param store              X509 object store
  * @return                   the X509 object stack
  */
-static inline STACK_OF(X509_OBJECT) *
-X509_STORE_get0_objects(X509_STORE *store)
+static inline STACK_OF(X509_OBJECT)
+*X509_STORE_get0_objects(X509_STORE *store)
 {
     return store ? store->objs : NULL;
 }
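Review bot: The reformatted definition now begins its name line with `*X509_STORE_get0_objects(X509_STORE *store)`, which splits the pointer declarator from the return type. The function name also no longer starts in column 0, as it does for the other definitions this commit touches. uncrustify appears to treat `STACK_OF(X509_OBJECT)` as a call-like macro. The previous layout, `static inline STACK_OF(X509_OBJECT) *` followed by `X509_STORE_get0_objects(X509_STORE *store)`, is easier to read and to grep for. If the tool keeps rewriting it, excluding this definition from formatting would be preferable to accepting this form.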
@@ -369,7 +369,7 @@  RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d)
 
     return 1;
 }
-#endif
+#endif /* if !defined(HAVE_RSA_SET0_KEY) */
 
 #if !defined(HAVE_RSA_BITS)
 /**
@@ -483,9 +483,9 @@  RSA_meth_free(RSA_METHOD *meth)
  */
 static inline int
 RSA_meth_set_pub_enc(RSA_METHOD *meth,
-                     int (*pub_enc) (int flen, const unsigned char *from,
-                                     unsigned char *to, RSA *rsa,
-                                     int padding))
+                     int (*pub_enc)(int flen, const unsigned char *from,
+                                    unsigned char *to, RSA *rsa,
+                                    int padding))
 {
     if (meth)
     {
@@ -506,9 +506,9 @@  RSA_meth_set_pub_enc(RSA_METHOD *meth,
  */
 static inline int
 RSA_meth_set_pub_dec(RSA_METHOD *meth,
-                     int (*pub_dec) (int flen, const unsigned char *from,
-                                     unsigned char *to, RSA *rsa,
-                                     int padding))
+                     int (*pub_dec)(int flen, const unsigned char *from,
+                                    unsigned char *to, RSA *rsa,
+                                    int padding))
 {
     if (meth)
     {
@@ -529,9 +529,9 @@  RSA_meth_set_pub_dec(RSA_METHOD *meth,
  */
 static inline int
 RSA_meth_set_priv_enc(RSA_METHOD *meth,
-                      int (*priv_enc) (int flen, const unsigned char *from,
-                                       unsigned char *to, RSA *rsa,
-                                       int padding))
+                      int (*priv_enc)(int flen, const unsigned char *from,
+                                      unsigned char *to, RSA *rsa,
+                                      int padding))
 {
     if (meth)
     {
@@ -552,9 +552,9 @@  RSA_meth_set_priv_enc(RSA_METHOD *meth,
  */
 static inline int
 RSA_meth_set_priv_dec(RSA_METHOD *meth,
-                      int (*priv_dec) (int flen, const unsigned char *from,
-                                       unsigned char *to, RSA *rsa,
-                                       int padding))
+                      int (*priv_dec)(int flen, const unsigned char *from,
+                                      unsigned char *to, RSA *rsa,
+                                      int padding))
 {
     if (meth)
     {
@@ -574,7 +574,7 @@  RSA_meth_set_priv_dec(RSA_METHOD *meth,
  * @return                   1 on success, 0 on error
  */
 static inline int
-RSA_meth_set_init(RSA_METHOD *meth, int (*init) (RSA *rsa))
+RSA_meth_set_init(RSA_METHOD *meth, int (*init)(RSA *rsa))
 {
     if (meth)
     {
@@ -594,11 +594,12 @@  RSA_meth_set_init(RSA_METHOD *meth, int (*init) (RSA *rsa))
  * @return                   1 on success, 0 on error
  */
 static inline
-int RSA_meth_set_sign(RSA_METHOD *meth,
-                      int (*sign) (int type, const unsigned char *m,
-                                   unsigned int m_length,
-                                   unsigned char *sigret, unsigned int *siglen,
-                                   const RSA *rsa))
+int
+RSA_meth_set_sign(RSA_METHOD *meth,
+                  int (*sign)(int type, const unsigned char *m,
+                              unsigned int m_length,
+                              unsigned char *sigret, unsigned int *siglen,
+                              const RSA *rsa))
 {
     meth->rsa_sign = sign;
     return 1;
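Review bot: RSA_meth_set_sign dereferences `meth` unconditionally, while the sibling setters visible in this file (RSA_meth_set_init, RSA_meth_set_finish and the pub/priv enc/dec setters) guard with `if (meth)`. Its doc comment also promises `0 on error`. Adding `if (!meth) { return 0; }` before `meth->rsa_sign = sign;` brings it in line with them. The declaration also still has `static inline` and `int` on separate lines, where the rest of the header writes `static inline int`. The closing brace of the function is outside the hunk.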
@@ -614,7 +615,7 @@  int RSA_meth_set_sign(RSA_METHOD *meth,
  * @return                   1 on success, 0 on error
  */
 static inline int
-RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa))
+RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa))
 {
     if (meth)
     {
@@ -669,7 +670,7 @@  RSA_meth_get0_app_data(const RSA_METHOD *meth)
 static inline int
 EC_GROUP_order_bits(const EC_GROUP *group)
 {
-    BIGNUM* order = BN_new();
+    BIGNUM *order = BN_new();
     EC_GROUP_get_order(group, order, NULL);
     int bits = BN_num_bits(order);
     BN_free(order);
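Review bot: EC_GROUP_order_bits uses the result of `BN_new()` without a NULL check and ignores the return value of `EC_GROUP_get_order()`. An allocation failure or a failed lookup therefore goes unnoticed before `BN_num_bits(order)` is evaluated. A guard such as `if (!order || !EC_GROUP_get_order(group, order, NULL)) { BN_free(order); return 0; }` handles both. The error value 0 is a suggestion and should match what the callers expect. The function's return statement is outside the hunk.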
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 9ee1836b..6d53dea5 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2134,7 +2134,7 @@  options_postprocess_verify_ce(const struct options *options, const struct connec
             "passwords is STRONGLY discouraged and considered insecure");
     }
 
-#endif
+#endif /* ifdef ENABLE_MANAGEMENT */
 
     /*
      * Windows-specific options.
@@ -2859,8 +2859,10 @@  options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
         {
             struct buffer in = buffer_read_from_file(o->tls_auth_file, &o->gc);
             if (!buf_valid(&in))
+            {
                 msg(M_FATAL, "Cannot pre-load tls-auth keyfile (%s)",
                     o->tls_auth_file);
+            }
 
             ce->tls_auth_file = INLINE_FILE_TAG;
             ce->tls_auth_file_inline = (char *)in.data;
@@ -2870,8 +2872,10 @@  options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
         {
             struct buffer in = buffer_read_from_file(o->tls_crypt_file, &o->gc);
             if (!buf_valid(&in))
+            {
                 msg(M_FATAL, "Cannot pre-load tls-crypt keyfile (%s)",
                     o->tls_auth_file);
+            }
 
             ce->tls_crypt_file = INLINE_FILE_TAG;
             ce->tls_crypt_inline = (char *)in.data;
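Review bot: The tls-crypt branch reports the wrong path when the key file cannot be loaded. The buffer is read from `o->tls_crypt_file`, but the M_FATAL message prints `o->tls_auth_file`, which may be NULL or name a different file. The last argument should be `o->tls_crypt_file`, giving `msg(M_FATAL, "Cannot pre-load tls-crypt keyfile (%s)", o->tls_crypt_file);`. The surrounding function starts and ends outside the hunk.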
@@ -3040,7 +3044,7 @@  options_postprocess_mutate(struct options *o)
     {
         /* DH file is only meaningful in a tls-server context. */
         msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
-                    "include this in your server configuration");
+            "include this in your server configuration");
         o->dh_file = NULL;
     }
 
@@ -7146,7 +7150,7 @@  add_option(struct options *options,
         {
             if (strstr(p[2], ":"))
             {
-                ipv6dns=true;
+                ipv6dns = true;
                 foreign_option(options, p, 3, es);
                 dhcp_option_dns6_parse(p[2], o->dns6, &o->dns6_len, msglevel);
             }
diff --git a/src/openvpn/otime.c b/src/openvpn/otime.c
index e0b1b0ee..759a7fb5 100644
--- a/src/openvpn/otime.c
+++ b/src/openvpn/otime.c
@@ -88,7 +88,7 @@  const char *
 tv_string(const struct timeval *tv, struct gc_arena *gc)
 {
     struct buffer out = alloc_buf_gc(64, gc);
-    buf_printf(&out, "[%"PRIi64"/%ld]",
+    buf_printf(&out, "[%" PRIi64 "/%ld]",
                (int64_t)tv->tv_sec,
                (long)tv->tv_usec);
     return BSTR(&out);
@@ -198,7 +198,7 @@  time_test(void)
         t = time(NULL);
         gettimeofday(&tv, NULL);
 #if 1
-        msg(M_INFO, "t=%"PRIi64" s=%"PRIi64" us=%ld",
+        msg(M_INFO, "t=%" PRIi64 " s=%" PRIi64 " us=%ld",
             (int64_t)t,
             (int64_t)tv.tv_sec,
             (long)tv.tv_usec);
diff --git a/src/openvpn/packet_id.c b/src/openvpn/packet_id.c
index dc44f36b..0c744875 100644
--- a/src/openvpn/packet_id.c
+++ b/src/openvpn/packet_id.c
@@ -347,7 +347,7 @@  packet_id_send_update(struct packet_id_send *p, bool long_form)
 
 bool
 packet_id_write(struct packet_id_send *p, struct buffer *buf, bool long_form,
-        bool prepend)
+                bool prepend)
 {
     if (!packet_id_send_update(p, long_form))
     {
@@ -606,13 +606,13 @@  packet_id_debug_print(int msglevel,
         }
         buf_printf(&out, "%c", c);
     }
-    buf_printf(&out, "] %"PRIi64":" packet_id_format, (int64_t)p->time, (packet_id_print_type)p->id);
+    buf_printf(&out, "] %" PRIi64 ":" packet_id_format, (int64_t)p->time, (packet_id_print_type)p->id);
     if (pin)
     {
-        buf_printf(&out, " %"PRIi64":" packet_id_format, (int64_t)pin->time, (packet_id_print_type)pin->id);
+        buf_printf(&out, " %" PRIi64 ":" packet_id_format, (int64_t)pin->time, (packet_id_print_type)pin->id);
     }
 
-    buf_printf(&out, " t=%"PRIi64"[%d]",
+    buf_printf(&out, " t=%" PRIi64 "[%d]",
                (int64_t)prev_now,
                (int)(prev_now - tv.tv_sec));
 
@@ -666,7 +666,7 @@  packet_id_interactive_test(void)
         {
             packet_id_reap_test(&pid.rec);
             test = packet_id_test(&pid.rec, &pin);
-            printf("packet_id_test (%"PRIi64", " packet_id_format ") returned %d\n",
+            printf("packet_id_test (%" PRIi64 ", " packet_id_format ") returned %d\n",
                    (int64_t)pin.time,
                    (packet_id_print_type)pin.id,
                    test);
@@ -679,7 +679,7 @@  packet_id_interactive_test(void)
         {
             long_form = (count < 20);
             packet_id_alloc_outgoing(&pid.send, &pin, long_form);
-            printf("(%"PRIi64"(" packet_id_format "), %d)\n",
+            printf("(%" PRIi64 "(" packet_id_format "), %d)\n",
                    (int64_t)pin.time,
                    (packet_id_print_type)pin.id,
                    long_form);
diff --git a/src/openvpn/packet_id.h b/src/openvpn/packet_id.h
index ec03e348..26b07975 100644
--- a/src/openvpn/packet_id.h
+++ b/src/openvpn/packet_id.h
@@ -263,7 +263,7 @@  bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_for
  * @return true if successful, false otherwise.
  */
 bool packet_id_write(struct packet_id_send *p, struct buffer *buf,
-        bool long_form, bool prepend);
+                     bool long_form, bool prepend);
 
 /*
  * Inline functions.
diff --git a/src/openvpn/ping.h b/src/openvpn/ping.h
index a196b32b..b51f082a 100644
--- a/src/openvpn/ping.h
+++ b/src/openvpn/ping.h
@@ -84,4 +84,4 @@  check_ping_send(struct context *c)
     }
 }
 
-#endif
+#endif /* ifndef PING_H */
diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
index 4d17c821..33687d44 100644
--- a/src/openvpn/plugin.c
+++ b/src/openvpn/plugin.c
@@ -552,8 +552,7 @@  plugin_call_item(const struct plugin *p,
                                                         p->plugin_handle,
                                                         per_client_context,
                                                         (current_cert ? certdepth : -1),
-                                                        current_cert
-            };
+                                                        current_cert};
 
             struct openvpn_plugin_args_func_return retargs;
 
diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index fdad3ed5..c8bd86dd 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -884,10 +884,10 @@  establish_http_proxy_passthru(struct http_proxy_info *p,
                 const char *algor = get_pa_var("algorithm", pa, &gc);
                 const char *opaque = get_pa_var("opaque", pa, &gc);
 
-                if ( !realm || !nonce )
+                if (!realm || !nonce)
                 {
                     msg(D_LINK_ERRORS, "HTTP proxy: digest auth failed, malformed response "
-                            "from server: realm= or nonce= missing" );
+                        "from server: realm= or nonce= missing" );
                     goto error;
                 }
 
diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c
index a7f4ed96..eae1e0cb 100644
--- a/src/openvpn/reliable.c
+++ b/src/openvpn/reliable.c
@@ -762,14 +762,14 @@  reliable_debug_print(const struct reliable *rel, char *desc)
     printf("********* struct reliable %s\n", desc);
     printf("  initial_timeout=%d\n", (int)rel->initial_timeout);
     printf("  packet_id=" packet_id_format "\n", rel->packet_id);
-    printf("  now=%"PRIi64"\n", (int64_t)now);
+    printf("  now=%" PRIi64 "\n", (int64_t)now);
     for (i = 0; i < rel->size; ++i)
     {
         const struct reliable_entry *e = &rel->array[i];
         if (e->active)
         {
             printf("  %d: packet_id=" packet_id_format " len=%d", i, e->packet_id, e->buf.len);
-            printf(" next_try=%"PRIi64, (int64_t)e->next_try);
+            printf(" next_try=%" PRIi64, (int64_t)e->next_try);
             printf("\n");
         }
     }
diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index d97e8dba..346f08e2 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -3074,7 +3074,7 @@  do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct t
      * (only do this for routes actually using the tun/tap device)
      */
     if (tt->type == DEV_TYPE_TUN
-	 && msg.iface.index == tt->adapter_index )
+        && msg.iface.index == tt->adapter_index)
     {
         inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6);
     }
@@ -3298,7 +3298,7 @@  get_default_gateway(struct route_gateway_info *rgi)
                 if (rgi->flags & RGI_ON_LINK)
                 {
                     /* check that interface name of current interface
-                     * matches interface name of best default route */
+                    * matches interface name of best default route */
                     if (strcmp(ifreq.ifr_name, best_name))
                     {
                         continue;
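Review bot: The reformatted continuation line of this comment moves one column left, so its `*` now sits under the `/` of `/*` rather than under the `*`. The close_tun hunks in tun.c in this same patch shift ` */` the other way to get exactly that alignment, so the result here looks like a formatter artefact. Keeping the original column (` * matches interface name of best default route */`, with the star one column right of the `/`) would be consistent. The body of get_default_gateway starts and ends outside the hunk.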
diff --git a/src/openvpn/run_command.c b/src/openvpn/run_command.c
index 4e198676..04ad2312 100644
--- a/src/openvpn/run_command.c
+++ b/src/openvpn/run_command.c
@@ -41,12 +41,14 @@ 
 /* contains an SSEC_x value defined in platform.h */
 static int script_security_level = SSEC_BUILT_IN; /* GLOBAL */
 
-int script_security(void)
+int
+script_security(void)
 {
     return script_security_level;
 }
 
-void script_security_set(int level)
+void
+script_security_set(int level)
 {
     script_security_level = level;
 }
diff --git a/src/openvpn/shaper.c b/src/openvpn/shaper.c
index 92364f29..62579840 100644
--- a/src/openvpn/shaper.c
+++ b/src/openvpn/shaper.c
@@ -76,7 +76,7 @@  shaper_soonest_event(struct timeval *tv, int delay)
         }
     }
 #ifdef SHAPER_DEBUG
-    dmsg(D_SHAPER_DEBUG, "SHAPER shaper_soonest_event sec=%"PRIi64" usec=%ld ret=%d",
+    dmsg(D_SHAPER_DEBUG, "SHAPER shaper_soonest_event sec=%" PRIi64 " usec=%ld ret=%d",
          (int64_t)tv->tv_sec, (long)tv->tv_usec, (int)ret);
 #endif
     return ret;
diff --git a/src/openvpn/shaper.h b/src/openvpn/shaper.h
index 4efe398a..bcdb5e36 100644
--- a/src/openvpn/shaper.h
+++ b/src/openvpn/shaper.h
@@ -147,7 +147,7 @@  shaper_wrote_bytes(struct shaper *s, int nbytes)
         tv_add(&s->wakeup, &tv);
 
 #ifdef SHAPER_DEBUG
-        dmsg(D_SHAPER_DEBUG, "SHAPER shaper_wrote_bytes bytes=%d delay=%ld sec=%"PRIi64" usec=%ld",
+        dmsg(D_SHAPER_DEBUG, "SHAPER shaper_wrote_bytes bytes=%d delay=%ld sec=%" PRIi64 " usec=%ld",
              nbytes,
              (long)tv.tv_usec,
              (int64_t)s->wakeup.tv_sec,
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 3f2b97e4..db944245 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -100,10 +100,12 @@  get_addr_generic(sa_family_t af, unsigned int flags, const char *hostname,
             bits = 0;
             max_bits = sizeof(in_addr_t) * 8;
             break;
+
         case AF_INET6:
             bits = 64;
             max_bits = sizeof(struct in6_addr) * 8;
             break;
+
         default:
             msg(M_WARN,
                 "Unsupported AF family passed to getaddrinfo for %s (%d)",
@@ -125,7 +127,7 @@  get_addr_generic(sa_family_t af, unsigned int flags, const char *hostname,
     }
 
     /* check if this hostname has a /bits suffix */
-    sep = strchr(var_host , '/');
+    sep = strchr(var_host, '/');
     if (sep)
     {
         bits = strtoul(sep + 1, &endp, 10);
@@ -156,10 +158,12 @@  get_addr_generic(sa_family_t af, unsigned int flags, const char *hostname,
                     *ip4 = ntohl(*ip4);
                 }
                 break;
+
             case AF_INET6:
                 ip6 = network;
                 *ip6 = ((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr;
                 break;
+
             default:
                 /* can't get here because 'af' was previously checked */
                 msg(M_WARN,
diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h
index 0f22d479..17801418 100644
--- a/src/openvpn/socket.h
+++ b/src/openvpn/socket.h
@@ -138,7 +138,7 @@  struct stream_buf
     int len;   /* -1 if not yet known */
 
     bool error; /* if true, fatal TCP error has occurred,
-                *  requiring that connection be restarted */
+                 *  requiring that connection be restarted */
 #if PORT_SHARE
 #define PS_DISABLED 0
 #define PS_ENABLED  1
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 74b88ce6..d783c598 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -680,7 +680,7 @@  init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
     {
         if (tls_ctx_use_management_external_key(new_ctx))
         {
-            msg (M_WARN, "Cannot initialize mamagement-external-key");
+            msg(M_WARN, "Cannot initialize mamagement-external-key");
             goto err;
         }
     }
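Review bot: The warning string on the reformatted `msg()` line still reads "mamagement-external-key", so the logged text does not match the option name an operator would search for in logs or documentation. Correcting it here or in a follow-up (if this commit should stay whitespace-only) would give `msg(M_WARN, "Cannot initialize management-external-key");`. The body of init_ssl starts and ends outside the hunk.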
@@ -1099,7 +1099,7 @@  tls_session_init(struct tls_multi *multi, struct tls_session *session)
         else
         {
             session->initial_opcode = session->opt->tls_crypt_v2 ?
-                    P_CONTROL_HARD_RESET_CLIENT_V3 : P_CONTROL_HARD_RESET_CLIENT_V2;
+                                      P_CONTROL_HARD_RESET_CLIENT_V3 : P_CONTROL_HARD_RESET_CLIENT_V2;
         }
     }
 
@@ -1527,9 +1527,9 @@  read_control_auth(struct buffer *buf,
     if (opcode == P_CONTROL_HARD_RESET_CLIENT_V3
         && !tls_crypt_v2_extract_client_key(buf, ctx, opt))
     {
-        msg (D_TLS_ERRORS,
-             "TLS Error: can not extract tls-crypt-v2 client key from %s",
-             print_link_socket_actual(from, &gc));
+        msg(D_TLS_ERRORS,
+            "TLS Error: can not extract tls-crypt-v2 client key from %s",
+            print_link_socket_actual(from, &gc));
         goto cleanup;
     }
 
@@ -3781,7 +3781,7 @@  tls_pre_decrypt(struct tls_multi *multi,
                                 /* Save incoming ciphertext packet to reliable buffer */
                                 struct buffer *in = reliable_get_buf(ks->rec_reliable);
                                 ASSERT(in);
-                                if(!buf_copy(in, buf))
+                                if (!buf_copy(in, buf))
                                 {
                                     msg(D_MULTI_DROPPED,
                                         "Incoming control channel packet too big, dropping.");
@@ -4182,10 +4182,10 @@  show_available_tls_ciphers(const char *cipher_list,
     show_available_tls_ciphers_list(cipher_list, tls_cert_profile, false);
 
     printf("\n"
-    "Be aware that that whether a cipher suite in this list can actually work\n"
-    "depends on the specific setup of both peers. See the man page entries of\n"
-    "--tls-cipher and --show-tls for more details.\n\n"
-    );
+           "Be aware that that whether a cipher suite in this list can actually work\n"
+           "depends on the specific setup of both peers. See the man page entries of\n"
+           "--tls-cipher and --show-tls for more details.\n\n"
+           );
 }
 
 /*
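Review bot: The help text re-indented here carries a doubled word, "Be aware that that whether", into the new lines unchanged. The first string line should read `"Be aware that whether a cipher suite in this list can actually work\n"`. If this commit is meant to stay whitespace-only, the fix belongs in a follow-up.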
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 7bf82b3a..410b2163 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -215,10 +215,10 @@  struct tls_wrap_ctx
     struct buffer work;         /**< Work buffer (only for --tls-crypt) */
     struct key_ctx tls_crypt_v2_server_key;  /**< Decrypts client keys */
     const struct buffer *tls_crypt_v2_wkc;   /**< Wrapped client key,
-                                                  sent to server */
+                                              *   sent to server */
     struct buffer tls_crypt_v2_metadata;     /**< Received from client */
     bool cleanup_key_ctx;                    /**< opt.key_ctx_bi is owned by
-                                                  this context */
+                                              *   this context */
 };
 
 /*
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index f7e8c2d0..a4197cba 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -65,12 +65,12 @@ 
 static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_legacy =
 {
     /* Hashes from SHA-1 and above */
-    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
-    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) |
-    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
-    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
-    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
-    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 )
+    |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 )
+    |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 )
+    |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 )
+    |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 )
+    |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
     0xFFFFFFF, /* Any PK alg    */
     0xFFFFFFF, /* Any curve     */
     1024,      /* RSA-1024 and larger */
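Review bot: Moving `|` to the start of the continuation lines leaves it glued to the macro name (`|MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 )`) while the padding inside the parentheses is kept, so the hash allow-list of this certificate profile is harder to scan than before. This table decides which signature hashes the legacy profile accepts (SHA-1 and RIPEMD-160 among them), so it is worth keeping easy to audit: `| MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_RIPEMD160)`. The same applies to the `openvpn_x509_crt_profile_preferred` initializer in the next hunk. The initializer continues past the end of this hunk.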
@@ -79,10 +79,10 @@  static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_legacy =
 static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_preferred =
 {
     /* SHA-2 and above */
-    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
-    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
-    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
-    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 )
+    |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 )
+    |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 )
+    |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
     0xFFFFFFF, /* Any PK alg    */
     0xFFFFFFF, /* Any curve     */
     2048,      /* RSA-2048 and larger */
@@ -232,7 +232,7 @@  tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
     }
 
     msg(M_WARN, "mbed TLS does not support setting tls-ciphersuites. "
-                "Ignoring TLS 1.3 cipher list: %s", ciphers);
+        "Ignoring TLS 1.3 cipher list: %s", ciphers);
 }
 
 void
@@ -299,7 +299,7 @@  tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
     }
     else
     {
-        msg (M_FATAL, "ERROR: Invalid cert profile: %s", profile);
+        msg(M_FATAL, "ERROR: Invalid cert profile: %s", profile);
     }
 }
 
@@ -600,14 +600,14 @@  tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx,
 
     if (ctx->crt_chain == NULL)
     {
-        msg (M_WARN, "ERROR: external key requires a certificate.");
+        msg(M_WARN, "ERROR: external key requires a certificate.");
         return 1;
     }
 
     if (mbedtls_pk_get_type(&ctx->crt_chain->pk) != MBEDTLS_PK_RSA)
     {
         msg(M_WARN, "ERROR: external key with mbed TLS requires a "
-                     "certificate with an RSA key.");
+            "certificate with an RSA key.");
         return 1;
     }
 
@@ -653,8 +653,8 @@  management_sign_func(void *sign_ctx, const void *src, size_t src_len,
 
     ret = true;
 cleanup:
-    free (src_b64);
-    free (dst_b64);
+    free(src_b64);
+    free(dst_b64);
 
     return ret;
 }
diff --git a/src/openvpn/ssl_mbedtls.h b/src/openvpn/ssl_mbedtls.h
index 998d6f2f..1328ceb7 100644
--- a/src/openvpn/ssl_mbedtls.h
+++ b/src/openvpn/ssl_mbedtls.h
@@ -71,8 +71,8 @@  typedef struct {
  * @return true if signing succeeded, false otherwise.
  */
 typedef bool (*external_sign_func)(
-        void *sign_ctx, const void *src, size_t src_size,
-        void *dst, size_t dst_size);
+    void *sign_ctx, const void *src, size_t src_size,
+    void *dst, size_t dst_size);
 
 /** Context used by external_pkcs1_sign() */
 struct external_context {
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index da573cfa..ddb78da7 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -217,7 +217,7 @@  tls_version_max(void)
     return TLS_VER_1_2;
 #elif defined(TLS1_1_VERSION) || defined(SSL_OP_NO_TLSv1_1)
     return TLS_VER_1_1;
-#else
+#else  /* if defined(TLS1_3_VERSION) */
     return TLS_VER_1_0;
 #endif
 }
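Review bot: The comment the formatter attached to `#else` names only what appears to be the opening `#if` condition, yet this branch is compiled when none of the conditions in the chain hold (the visible `#elif` tests `TLS1_1_VERSION`/`SSL_OP_NO_TLSv1_1`). Read on its own, it suggests the `TLS_VER_1_0` fallback is chosen when `TLS1_3_VERSION` is defined, which is misleading in a function that reports the maximum TLS version. A hand-written comment is clearer, for example `#else  /* no TLS 1.1+ version macro defined */`. The start of the `#if` chain is outside the hunk, so the exact wording should be confirmed against it. The generated `#else` comment in tls_ctx_use_management_external_key further down has the same problem.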
@@ -322,7 +322,7 @@  tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
 }
 
 void
-convert_tls_list_to_openssl(char* openssl_ciphers, size_t len,const char *ciphers)
+convert_tls_list_to_openssl(char *openssl_ciphers, size_t len,const char *ciphers)
 {
     /* Parse supplied cipher list and pass on to OpenSSL */
     size_t begin_of_cipher, end_of_cipher;
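Review bot: The new signature line fixes `char*` to `char *` but still has no space after the comma in `size_t len,const char *ciphers`, unlike the other parameter lists in this patch. Suggested: `convert_tls_list_to_openssl(char *openssl_ciphers, size_t len, const char *ciphers)`. The function body continues outside the hunk.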
@@ -466,9 +466,9 @@  tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
     }
 
 #if (OPENSSL_VERSION_NUMBER < 0x1010100fL)
-        crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. "
-                       "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.",
-                        ciphers);
+    crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. "
+               "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.",
+               ciphers);
 #else
     ASSERT(NULL != ctx);
 
@@ -509,13 +509,13 @@  tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
     {
         msg(M_FATAL, "ERROR: Invalid cert profile: %s", profile);
     }
-#else
+#else  /* ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL */
     if (profile)
     {
         msg(M_WARN, "WARNING: OpenSSL 1.0.1 does not support --tls-cert-profile"
             ", ignoring user-set profile: '%s'", profile);
     }
-#endif
+#endif /* ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL */
 }
 
 void
@@ -658,7 +658,7 @@  tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
         {
             nid = EC_GROUP_get_curve_name(ecgrp);
         }
-#endif
+#endif /* if OPENSSL_VERSION_NUMBER >= 0x10002000L */
     }
 
     /* Translate NID back to name , just for kicks */
@@ -1137,7 +1137,7 @@  rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i
 
     ret = get_sig_from_man(from, flen, to, len);
 
-    return (ret == len)? ret : -1;
+    return (ret == len) ? ret : -1;
 }
 
 static int
@@ -1325,7 +1325,7 @@  err:
     {
         EVP_PKEY_free(privkey);
     }
-    if(ec)
+    if (ec)
     {
         EC_KEY_free(ec);
     }
@@ -1375,7 +1375,7 @@  tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
         crypto_msg(M_WARN, "management-external-key requires an RSA or EC certificate");
         goto cleanup;
     }
-#else
+#else  /* if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(LIBRESSL_VERSION_NUMBER) */
     else
     {
         crypto_msg(M_WARN, "management-external-key requires an RSA certificate");
@@ -1644,7 +1644,7 @@  bio_debug_data(const char *mode, BIO *bio, const uint8_t *buf, int len, const ch
     if (len > 0)
     {
         open_biofp();
-        fprintf(biofp, "BIO_%s %s time=%"PRIi64" bio=" ptr_format " len=%d data=%s\n",
+        fprintf(biofp, "BIO_%s %s time=%" PRIi64 " bio=" ptr_format " len=%d data=%s\n",
                 mode, desc, (int64_t)time(NULL), (ptr_type)bio, len, format_hex(buf, len, 0, &gc));
         fflush(biofp);
     }
@@ -1655,7 +1655,7 @@  static void
 bio_debug_oc(const char *mode, BIO *bio)
 {
     open_biofp();
-    fprintf(biofp, "BIO %s time=%"PRIi64" bio=" ptr_format "\n",
+    fprintf(biofp, "BIO %s time=%" PRIi64 " bio=" ptr_format "\n",
             mode, (int64_t)time(NULL), (ptr_type)bio);
     fflush(biofp);
 }
@@ -1963,7 +1963,7 @@  print_details(struct key_state_ssl *ks_ssl, const char *prefix)
             {
                 EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
                 const EC_GROUP *group = EC_KEY_get0_group(ec);
-                const char* curve;
+                const char *curve;
 
                 int nid = EC_GROUP_get_curve_name(group);
                 if (nid == 0 || (curve = OBJ_nid2sn(nid)) == NULL)
@@ -2024,7 +2024,7 @@  show_available_tls_ciphers_list(const char *cipher_list,
 #else
     STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);
 #endif
-    for (int i=0;i < sk_SSL_CIPHER_num(sk);i++)
+    for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++)
     {
         const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
 
@@ -2035,7 +2035,7 @@  show_available_tls_ciphers_list(const char *cipher_list,
 
         if (tls13)
         {
-              printf("%s\n", cipher_name);
+            printf("%s\n", cipher_name);
         }
         else if (NULL == pair)
         {
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 03c0b661..a7f51751 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -72,7 +72,7 @@  setenv_untrusted(struct tls_session *session)
 static void
 wipe_auth_token(struct tls_multi *multi)
 {
-    if(multi)
+    if (multi)
     {
         if (multi->auth_token)
         {
@@ -712,24 +712,24 @@  verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep
 
         switch (opt->verify_hash_algo)
         {
-        case MD_SHA1:
-            ca_hash = x509_get_sha1_fingerprint(cert, &gc);
-            break;
-
-        case MD_SHA256:
-            ca_hash = x509_get_sha256_fingerprint(cert, &gc);
-            break;
-
-        default:
-            /* This should normally not happen at all; the algorithm used
-             * is parsed by add_option() [options.c] and set to a predefined
-             * value in an enumerated type.  So if this unlikely scenario
-             * happens, consider this a failure
-             */
-            msg(M_WARN, "Unexpected invalid algorithm used with "
-                "--verify-hash (%i)", opt->verify_hash_algo);
-            ret = FAILURE;
-            goto cleanup;
+            case MD_SHA1:
+                ca_hash = x509_get_sha1_fingerprint(cert, &gc);
+                break;
+
+            case MD_SHA256:
+                ca_hash = x509_get_sha256_fingerprint(cert, &gc);
+                break;
+
+            default:
+                /* This should normally not happen at all; the algorithm used
+                 * is parsed by add_option() [options.c] and set to a predefined
+                 * value in an enumerated type.  So if this unlikely scenario
+                 * happens, consider this a failure
+                 */
+                msg(M_WARN, "Unexpected invalid algorithm used with "
+                    "--verify-hash (%i)", opt->verify_hash_algo);
+                ret = FAILURE;
+                goto cleanup;
         }
 
         if (memcmp(BPTR(&ca_hash), opt->verify_hash, BLEN(&ca_hash)))
@@ -1178,8 +1178,8 @@  verify_user_pass_plugin(struct tls_session *session, const struct user_pass *up)
         /* generate filename for deferred auth control file */
         if (!key_state_gen_auth_control_file(ks, session->opt))
         {
-            msg (D_TLS_ERRORS, "TLS Auth Error (%s): "
-                 "could not create deferred auth control file", __func__);
+            msg(D_TLS_ERRORS, "TLS Auth Error (%s): "
+                "could not create deferred auth control file", __func__);
             goto cleanup;
         }
 #endif
diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h
index 2a9e8bb7..f4cc2c54 100644
--- a/src/openvpn/ssl_verify_backend.h
+++ b/src/openvpn/ssl_verify_backend.h
@@ -130,6 +130,7 @@  result_t backend_x509_get_username(char *common_name, int cn_len,
  * --x509-username-field option.
  */
 bool x509_username_field_ext_supported(const char *extname);
+
 #endif
 
 /*
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 10085b29..ff14db23 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -114,7 +114,8 @@  cleanup:
 }
 
 #ifdef ENABLE_X509ALTUSERNAME
-bool x509_username_field_ext_supported(const char *fieldname)
+bool
+x509_username_field_ext_supported(const char *fieldname)
 {
     int nid = OBJ_txt2nid(fieldname);
     return nid == NID_subject_alt_name || nid == NID_issuer_alt_name;
@@ -587,7 +588,7 @@  x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage)
          * prevent it to take a const argument
          */
         result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_CLIENT, 0) ?
-	       SUCCESS : FAILURE;
+                          SUCCESS : FAILURE;
 
         /*
          * old versions of OpenSSL allow us to make the less strict check we used to
@@ -615,7 +616,7 @@  x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage)
          * prevent it to take a const argument
          */
         result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_SERVER, 0) ?
-	       SUCCESS : FAILURE;
+                          SUCCESS : FAILURE;
 
         /*
          * old versions of OpenSSL allow us to make the less strict check we used to
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index c3ed2b93..85495d7f 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -86,7 +86,7 @@  tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file,
     struct key_type kt = tls_crypt_kt();
     if (!kt.cipher || !kt.digest)
     {
-        msg (M_FATAL, "ERROR: --tls-crypt not supported");
+        msg(M_FATAL, "ERROR: --tls-crypt not supported");
     }
     crypto_read_openvpn_key(&kt, key, key_file, key_inline, key_direction,
                             "Control Channel Encryption", "tls-crypt");
@@ -530,7 +530,7 @@  tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata,
     memcpy(&client_key->keys, BPTR(&plaintext), sizeof(client_key->keys));
     ASSERT(buf_advance(&plaintext, sizeof(client_key->keys)));
 
-    if(!buf_copy(metadata, &plaintext))
+    if (!buf_copy(metadata, &plaintext))
     {
         CRYPT_ERROR("metadata too large for supplied buffer");
     }
@@ -613,7 +613,7 @@  tls_crypt_v2_extract_client_key(struct buffer *buf,
     if (!ctx->tls_crypt_v2_server_key.cipher)
     {
         msg(D_TLS_ERRORS,
-             "Client wants tls-crypt-v2, but no server key present.");
+            "Client wants tls-crypt-v2, but no server key present.");
         return false;
     }
 
diff --git a/src/openvpn/tls_crypt.h b/src/openvpn/tls_crypt.h
index 9b5ea971..43bf8122 100644
--- a/src/openvpn/tls_crypt.h
+++ b/src/openvpn/tls_crypt.h
@@ -99,10 +99,10 @@ 
 #define TLS_CRYPT_V2_SERVER_KEY_LEN (sizeof(struct key))
 #define TLS_CRYPT_V2_TAG_SIZE (TLS_CRYPT_TAG_SIZE)
 #define TLS_CRYPT_V2_MAX_METADATA_LEN (unsigned)(TLS_CRYPT_V2_MAX_WKC_LEN \
-         - (TLS_CRYPT_V2_CLIENT_KEY_LEN + TLS_CRYPT_V2_TAG_SIZE \
-            + sizeof(uint16_t)))
+                                                 - (TLS_CRYPT_V2_CLIENT_KEY_LEN + TLS_CRYPT_V2_TAG_SIZE \
+                                                    + sizeof(uint16_t)))
 #define TLS_CRYPT_V2_MAX_B64_METADATA_LEN \
-        OPENVPN_BASE64_LENGTH(TLS_CRYPT_V2_MAX_METADATA_LEN - 1)
+    OPENVPN_BASE64_LENGTH(TLS_CRYPT_V2_MAX_METADATA_LEN - 1)
 
 /**
  * Initialize a key_ctx_bi structure for use with --tls-crypt.
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index c091401f..12e6eb00 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -553,8 +553,8 @@  is_tun_p2p(const struct tuntap *tt)
     bool tun = false;
 
     if (tt->type == DEV_TYPE_TAP
-          || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)
-          || tt->type == DEV_TYPE_NULL )
+        || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)
+        || tt->type == DEV_TYPE_NULL)
     {
         tun = false;
     }
@@ -893,7 +893,7 @@  do_ifconfig_ipv6(struct tuntap *tt, const char *ifname, int tun_mtu,
                 ifconfig_ipv6_local, tt->netbits_ipv6, ifname);
     argv_msg(M_INFO, &argv);
     openvpn_execve_check(&argv, es, S_FATAL, "Linux ip -6 addr add failed");
-#else
+#else  /* ifdef ENABLE_IPROUTE */
     argv_printf(&argv, "%s %s add %s/%d mtu %d up", IFCONFIG_PATH, ifname,
                 ifconfig_ipv6_local, tt->netbits_ipv6, tun_mtu);
     argv_msg(M_INFO, &argv);
@@ -1387,6 +1387,7 @@  do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu,
                     ifname, ifconfig_local,
                     print_in_addr_t(tt->adapter_netmask, 0, &gc));
                 break;
+
             case IPW32_SET_NETSH:
                 netsh_ifconfig(&tt->options, ifname, tt->local,
                                tt->adapter_netmask, NI_IP_NETMASK|NI_OPTIONS);
@@ -2442,7 +2443,7 @@  close_tun(struct tuntap *tt)
     struct argv argv = argv_new();
 
     /* setup command, close tun dev (clears tt->actual_name!), run command
-    */
+     */
 
     argv_printf(&argv, "%s %s destroy",
                 IFCONFIG_PATH, tt->actual_name);
@@ -2528,7 +2529,7 @@  close_tun(struct tuntap *tt)
     struct argv argv = argv_new();
 
     /* setup command, close tun dev (clears tt->actual_name!), run command
-    */
+     */
 
     argv_printf(&argv, "%s %s destroy",
                 IFCONFIG_PATH, tt->actual_name);
@@ -2668,7 +2669,7 @@  close_tun(struct tuntap *tt)
     struct argv argv = argv_new();
 
     /* setup command, close tun dev (clears tt->actual_name!), run command
-    */
+     */
 
     argv_printf(&argv, "%s %s destroy",
                 IFCONFIG_PATH, tt->actual_name);
@@ -5923,7 +5924,7 @@  open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun
                 };
 
                 if (send_msg_iservice(tt->options.msg_channel, &msg, sizeof(msg),
-                    &ack, "TUN"))
+                                      &ack, "TUN"))
                 {
                     status = ack.error_number;
                 }
diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c
index e43296eb..be526945 100644
--- a/src/openvpn/win32.c
+++ b/src/openvpn/win32.c
@@ -1481,7 +1481,7 @@  send_msg_iservice(HANDLE pipe, const void *data, size_t size,
         || !ReadFile(pipe, ack, sizeof(*ack), &len, NULL))
     {
         msg(M_WARN, "%s: could not talk to service: %s [%lu]",
-            context? context : "Unknown",
+            context ? context : "Unknown",
             strerror_win32(GetLastError(), &gc), GetLastError());
         ret = false;
     }
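Review bot: `GetLastError()` is called twice in the argument list of this `msg()` call, once as input to `strerror_win32()` and once for the `%lu` code. C leaves the evaluation order of function arguments unspecified, so if `strerror_win32()` itself changes the thread's last-error value (not visible here), the printed number may not belong to the printed text. Capturing the value once avoids that: `DWORD err = GetLastError();` before the call, then `strerror_win32(err, &gc), (unsigned long)err` as the arguments. The body of send_msg_iservice starts and ends outside the hunk.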