@@ -5,35 +5,26 @@
pull_request:
jobs:
- checkuncrustify:
- name: "Check code style with Uncrustify"
- # Ubuntu 22.04 has uncrustify 0.72_f
- runs-on: ubuntu-22.04
+ clang-format:
+ name: Check code style with clang-format
+ runs-on: ubuntu-24.04
steps:
- name: Install dependencies
- run: sudo apt update && sudo apt install -y uncrustify
+ run: |
+ sudo apt update && sudo apt install -y python3-pip
+ pip3 install pre-commit
- name: Checkout OpenVPN
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- path: openvpn
- - name: Show uncrustify version
- run: uncrustify --version
- - name: Run uncrustify
- run: ./dev-tools/reformat-all.sh
- working-directory: openvpn
+ - name: Run clang-format
+ run: pre-commit run -a --show-diff-on-failure || true
- name: Check for changes
- run: git diff --output=uncrustify-changes.patch
- working-directory: openvpn
- - name: Show changes on standard output
- run: git diff
- working-directory: openvpn
+ run: git diff --output=format-changes.patch
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
- name: uncrustify-changes.patch
- path: 'openvpn/uncrustify-changes.patch'
+ name: format-changes.patch
+ path: format-changes.patch
- name: Set job status
- run: test ! -s uncrustify-changes.patch
- working-directory: openvpn
+ run: test ! -s format-changes.patch
android:
strategy:
@@ -26,7 +26,8 @@
#include <windef.h>
#include <ws2tcpip.h>
-typedef enum {
+typedef enum
+{
msg_acknowledgement,
msg_add_address,
msg_del_address,
@@ -50,28 +51,33 @@
msg_create_adapter
} message_type_t;
-typedef struct {
+typedef struct
+{
message_type_t type;
size_t size;
int message_id;
} message_header_t;
-typedef union {
+typedef union
+{
struct in_addr ipv4;
struct in6_addr ipv6;
} inet_address_t;
-typedef struct {
+typedef struct
+{
int index;
char name[256];
} interface_t;
-typedef enum {
- wfp_block_local = 1<<0,
- wfp_block_dns = 1<<1
+typedef enum
+{
+ wfp_block_local = 1 << 0,
+ wfp_block_dns = 1 << 1
} wfp_block_flags_t;
-typedef struct {
+typedef struct
+{
message_header_t header;
short family;
inet_address_t address;
@@ -79,7 +85,8 @@
interface_t iface;
} address_message_t;
-typedef struct {
+typedef struct
+{
message_header_t header;
short family;
inet_address_t prefix;
@@ -89,7 +96,8 @@
int metric;
} route_message_t;
-typedef struct {
+typedef struct
+{
message_header_t header;
interface_t iface;
char domains[512];
@@ -99,14 +107,16 @@
} dns_cfg_message_t;
-typedef enum {
+typedef enum
+{
nrpt_dnssec
} nrpt_flags_t;
-#define NRPT_ADDR_NUM 8 /* Max. number of addresses */
+#define NRPT_ADDR_NUM 8 /* Max. number of addresses */
#define NRPT_ADDR_SIZE 48 /* Max. address strlen + some */
typedef char nrpt_address_t[NRPT_ADDR_SIZE];
-typedef struct {
+typedef struct
+{
message_header_t header;
interface_t iface;
nrpt_address_t addresses[NRPT_ADDR_NUM];
@@ -115,14 +125,16 @@
nrpt_flags_t flags;
} nrpt_dns_cfg_message_t;
-typedef struct {
+typedef struct
+{
message_header_t header;
interface_t iface;
int addr_len;
inet_address_t addr[4]; /* support up to 4 dns addresses */
} wins_cfg_message_t;
-typedef struct {
+typedef struct
+{
message_header_t header;
interface_t iface;
int disable_nbt;
@@ -134,41 +146,48 @@
/* TODO: NTP */
-typedef struct {
+typedef struct
+{
message_header_t header;
short family;
interface_t iface;
} flush_neighbors_message_t;
-typedef struct {
+typedef struct
+{
message_header_t header;
int error_number;
} ack_message_t;
-typedef struct {
+typedef struct
+{
message_header_t header;
wfp_block_flags_t flags;
interface_t iface;
} wfp_block_message_t;
-typedef struct {
+typedef struct
+{
message_header_t header;
interface_t iface;
} enable_dhcp_message_t;
-typedef struct {
+typedef struct
+{
message_header_t header;
interface_t iface;
short family;
int mtu;
} set_mtu_message_t;
-typedef enum {
+typedef enum
+{
ADAPTER_TYPE_DCO,
ADAPTER_TYPE_TAP,
} adapter_type_t;
-typedef struct {
+typedef struct
+{
message_header_t header;
adapter_type_t adapter_type;
} create_adapter_message_t;
@@ -58,8 +58,9 @@
* Our context, where we keep our state.
*/
-struct plugin_context {
- int verb; /* logging verbosity */
+struct plugin_context
+{
+ int verb; /* logging verbosity */
};
/* this is used for the CLIENT_CONNECT_V2 async/deferred handler
@@ -68,8 +69,9 @@
* this, and the "CLIENT_CONNECT_DEFER_V2" handler looks at it to see
* if it's time yet to succeed/fail
*/
-struct plugin_per_client_context {
- time_t sleep_until; /* wakeup time (time() + sleep) */
+struct plugin_per_client_context
+{
+ time_t sleep_until; /* wakeup time (time() + sleep) */
bool want_fail;
bool want_disable;
const char *client_config;
@@ -117,8 +119,7 @@
/* use v3 functions so we can use openvpn's logging and base64 etc. */
OPENVPN_EXPORT int
-openvpn_plugin_open_v3(const int v3structver,
- struct openvpn_plugin_args_open_in const *args,
+openvpn_plugin_open_v3(const int v3structver, struct openvpn_plugin_args_open_in const *args,
struct openvpn_plugin_args_open_return *ret)
{
/* const char **argv = args->argv; */ /* command line arguments (unused) */
@@ -127,7 +128,9 @@
/* Check API compatibility -- struct version 5 or higher needed */
if (v3structver < 5)
{
- fprintf(stderr, "sample-client-connect: this plugin is incompatible with the running version of OpenVPN\n");
+ fprintf(
+ stderr,
+ "sample-client-connect: this plugin is incompatible with the running version of OpenVPN\n");
return OPENVPN_PLUGIN_FUNC_ERROR;
}
@@ -143,18 +146,17 @@
/*
* Intercept just about everything...
*/
- ret->type_mask =
- OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_IPCHANGE)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL);
+ ret->type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_IPCHANGE)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL);
/* Save global pointers to functions exported from openvpn */
plugin_log = args->callbacks->plugin_log;
@@ -166,7 +168,7 @@
*/
context->verb = atoi_null0(get_env("verb", envp));
- ret->handle = (openvpn_plugin_handle_t *) context;
+ ret->handle = (openvpn_plugin_handle_t *)context;
plugin_log(PLOG_NOTE, MODULE, "initialization succeeded");
return OPENVPN_PLUGIN_FUNC_SUCCESS;
@@ -242,8 +244,10 @@
const char *ccd_file = get_env("client_connect_deferred_file", envp);
if (!ccd_file)
{
- plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC_ASYNC=%d, but "
- "'client_connect_deferred_file' not set -> fail", seconds);
+ plugin_log(PLOG_NOTE, MODULE,
+ "env has UV_WANT_CC_ASYNC=%d, but "
+ "'client_connect_deferred_file' not set -> fail",
+ seconds);
return OPENVPN_PLUGIN_FUNC_ERROR;
}
@@ -257,13 +261,13 @@
int fd = open(ccd_file, O_WRONLY);
if (fd < 0)
{
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "open('%s') failed", ccd_file);
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "open('%s') failed", ccd_file);
return OPENVPN_PLUGIN_FUNC_ERROR;
}
if (write(fd, "2", 1) != 1)
{
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "write to '%s' failed", ccd_file );
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "write to '%s' failed", ccd_file);
close(fd);
return OPENVPN_PLUGIN_FUNC_ERROR;
}
@@ -277,11 +281,11 @@
/* fork, sleep, succeed/fail according to env vars */
pid_t p1 = fork();
- if (p1 < 0) /* Fork failed */
+ if (p1 < 0) /* Fork failed */
{
return OPENVPN_PLUGIN_FUNC_ERROR;
}
- if (p1 > 0) /* parent process */
+ if (p1 > 0) /* parent process */
{
waitpid(p1, NULL, 0);
return OPENVPN_PLUGIN_FUNC_DEFERRED;
@@ -291,10 +295,10 @@
pid_t p2 = fork();
if (p2 < 0)
{
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: fork(2) failed");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "BACKGROUND: fork(2) failed");
exit(1);
}
- if (p2 > 0) /* new parent: exit right away */
+ if (p2 > 0) /* new parent: exit right away */
{
exit(0);
}
@@ -324,16 +328,16 @@
fd = open(ccd_file, O_WRONLY);
if (fd < 0)
{
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "open('%s') failed", ccd_file);
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "open('%s') failed", ccd_file);
exit(1);
}
plugin_log(PLOG_NOTE, MODULE, "cc_handle_deferred_v1: done, signalling %s",
- (ret == OPENVPN_PLUGIN_FUNC_SUCCESS) ? "success" : "fail" );
+ (ret == OPENVPN_PLUGIN_FUNC_SUCCESS) ? "success" : "fail");
if (write(fd, (ret == OPENVPN_PLUGIN_FUNC_SUCCESS) ? "1" : "0", 1) != 1)
{
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "write to '%s' failed", ccd_file );
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "write to '%s' failed", ccd_file);
}
close(fd);
@@ -341,14 +345,12 @@
}
int
-openvpn_plugin_client_connect(struct plugin_context *context,
- const char **argv,
- const char **envp)
+openvpn_plugin_client_connect(struct plugin_context *context, const char **argv, const char **envp)
{
/* log environment variables handed to us by OpenVPN, but
* only if "setenv verb" is 3 or higher (arbitrary number)
*/
- if (context->verb>=3)
+ if (context->verb >= 3)
{
for (int i = 0; argv[i]; i++)
{
@@ -389,8 +391,7 @@
int
openvpn_plugin_client_connect_v2(struct plugin_context *context,
- struct plugin_per_client_context *pcc,
- const char **envp,
+ struct plugin_per_client_context *pcc, const char **envp,
struct openvpn_plugin_string_list **return_list)
{
/* by setting "UV_WANT_CC2_ASYNC" we go to async/deferred mode */
@@ -420,7 +421,8 @@
pcc->want_fail = (want_fail != NULL);
pcc->want_disable = (want_disable != NULL);
pcc->client_config = client_config;
- plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC2_ASYNC=%s -> set up deferred handler", want_async);
+ plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC2_ASYNC=%s -> set up deferred handler",
+ want_async);
return OPENVPN_PLUGIN_FUNC_DEFERRED;
}
@@ -431,8 +433,7 @@
return OPENVPN_PLUGIN_FUNC_ERROR;
}
- struct openvpn_plugin_string_list *rl =
- calloc(1, sizeof(struct openvpn_plugin_string_list));
+ struct openvpn_plugin_string_list *rl = calloc(1, sizeof(struct openvpn_plugin_string_list));
if (!rl)
{
plugin_log(PLOG_ERR, MODULE, "malloc(return_list) failed");
@@ -466,12 +467,10 @@
int
openvpn_plugin_client_connect_defer_v2(struct plugin_context *context,
struct plugin_per_client_context *pcc,
- struct openvpn_plugin_string_list
- **return_list)
+ struct openvpn_plugin_string_list **return_list)
{
time_t time_left = pcc->sleep_until - time(NULL);
- plugin_log(PLOG_NOTE, MODULE, "defer_v2: seconds left=%d",
- (int) time_left);
+ plugin_log(PLOG_NOTE, MODULE, "defer_v2: seconds left=%d", (int)time_left);
/* not yet due? */
if (time_left > 0)
@@ -482,15 +481,14 @@
/* client wants fail? */
if (pcc->want_fail)
{
- plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC2_FAIL -> fail" );
+ plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC2_FAIL -> fail");
return OPENVPN_PLUGIN_FUNC_ERROR;
}
/* fill in RL according to with-disable / without-disable */
/* TODO: unify this with non-deferred case */
- struct openvpn_plugin_string_list *rl =
- calloc(1, sizeof(struct openvpn_plugin_string_list));
+ struct openvpn_plugin_string_list *rl = calloc(1, sizeof(struct openvpn_plugin_string_list));
if (!rl)
{
plugin_log(PLOG_ERR, MODULE, "malloc(return_list) failed");
@@ -522,15 +520,12 @@
}
OPENVPN_EXPORT int
-openvpn_plugin_func_v2(openvpn_plugin_handle_t handle,
- const int type,
- const char *argv[],
- const char *envp[],
- void *per_client_context,
+openvpn_plugin_func_v2(openvpn_plugin_handle_t handle, const int type, const char *argv[],
+ const char *envp[], void *per_client_context,
struct openvpn_plugin_string_list **return_list)
{
- struct plugin_context *context = (struct plugin_context *) handle;
- struct plugin_per_client_context *pcc = (struct plugin_per_client_context *) per_client_context;
+ struct plugin_context *context = (struct plugin_context *)handle;
+ struct plugin_per_client_context *pcc = (struct plugin_per_client_context *)per_client_context;
/* for most functions, we just "don't do anything" but log the
* event received (so one can follow it in the log and understand
@@ -564,13 +559,11 @@
case OPENVPN_PLUGIN_CLIENT_CONNECT_V2:
plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_CLIENT_CONNECT_V2");
- return openvpn_plugin_client_connect_v2(context, pcc, envp,
- return_list);
+ return openvpn_plugin_client_connect_v2(context, pcc, envp, return_list);
case OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2:
plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2");
- return openvpn_plugin_client_connect_defer_v2(context, pcc,
- return_list);
+ return openvpn_plugin_client_connect_defer_v2(context, pcc, return_list);
case OPENVPN_PLUGIN_CLIENT_DISCONNECT:
plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_CLIENT_DISCONNECT");
@@ -607,7 +600,7 @@
OPENVPN_EXPORT void
openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)
{
- struct plugin_context *context = (struct plugin_context *) handle;
+ struct plugin_context *context = (struct plugin_context *)handle;
printf("FUNC: openvpn_plugin_close_v1\n");
free(context);
}
@@ -62,7 +62,8 @@
* Our context, where we keep our state.
*/
-struct plugin_context {
+struct plugin_context
+{
int test_deferred_auth;
char *authid;
char *test_valid_user;
@@ -103,11 +104,12 @@
* structver '5' here to indicate a desire for modern openvpn, rather
* than a need for any particular feature found in structver beyond '1'.
*/
-#define OPENVPN_PLUGIN_VERSION_MIN 3
+#define OPENVPN_PLUGIN_VERSION_MIN 3
#define OPENVPN_PLUGIN_STRUCTVER_MIN 5
-struct plugin_per_client_context {
+struct plugin_per_client_context
+{
int n_calls;
bool generated_pf_file;
};
@@ -175,13 +177,13 @@
/* use v3 functions so we can use openvpn's logging and base64 etc. */
OPENVPN_EXPORT int
-openvpn_plugin_open_v3(const int v3structver,
- struct openvpn_plugin_args_open_in const *args,
+openvpn_plugin_open_v3(const int v3structver, struct openvpn_plugin_args_open_in const *args,
struct openvpn_plugin_args_open_return *ret)
{
if (v3structver < OPENVPN_PLUGIN_STRUCTVER_MIN)
{
- fprintf(stderr, "%s: this plugin is incompatible with the running version of OpenVPN\n", MODULE);
+ fprintf(stderr, "%s: this plugin is incompatible with the running version of OpenVPN\n",
+ MODULE);
return OPENVPN_PLUGIN_FUNC_ERROR;
}
@@ -194,7 +196,7 @@
* Allocate our context
*/
struct plugin_context *context = NULL;
- context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context));
+ context = (struct plugin_context *)calloc(1, sizeof(struct plugin_context));
if (!context)
{
goto error;
@@ -238,7 +240,7 @@
* Which callbacks to intercept.
*/
ret->type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY);
- ret->handle = (openvpn_plugin_handle_t *) context;
+ ret->handle = (openvpn_plugin_handle_t *)context;
plog(context, PLOG_NOTE, "initialization succeeded");
return OPENVPN_PLUGIN_FUNC_SUCCESS;
@@ -253,29 +255,22 @@
}
static bool
-do_auth_user_pass(struct plugin_context *context,
- const char *username, const char *password)
+do_auth_user_pass(struct plugin_context *context, const char *username, const char *password)
{
- plog(context, PLOG_NOTE,
- "expect_user=%s, received_user=%s, expect_passw=%s, received_passw=%s",
- np(context->test_valid_user),
- np(username),
- np(context->test_valid_pass),
- np(password));
+ plog(context, PLOG_NOTE, "expect_user=%s, received_user=%s, expect_passw=%s, received_passw=%s",
+ np(context->test_valid_user), np(username), np(context->test_valid_pass), np(password));
if (context->test_valid_user && context->test_valid_pass)
{
if ((strcmp(context->test_valid_user, username) != 0)
|| (strcmp(context->test_valid_pass, password) != 0))
{
- plog(context, PLOG_ERR,
- "User/Password auth result: FAIL");
+ plog(context, PLOG_ERR, "User/Password auth result: FAIL");
return false;
}
else
{
- plog(context, PLOG_NOTE,
- "User/Password auth result: PASS");
+ plog(context, PLOG_NOTE, "User/Password auth result: PASS");
return true;
}
}
@@ -284,8 +279,7 @@
static int
-auth_user_pass_verify(struct plugin_context *context,
- struct plugin_per_client_context *pcc,
+auth_user_pass_verify(struct plugin_context *context, struct plugin_per_client_context *pcc,
const char *argv[], const char *envp[])
{
/* get username/password from envp string array */
@@ -295,8 +289,8 @@
if (!context->test_deferred_auth)
{
plog(context, PLOG_NOTE, "Direct authentication");
- return do_auth_user_pass(context, username, password) ?
- OPENVPN_PLUGIN_FUNC_SUCCESS : OPENVPN_PLUGIN_FUNC_ERROR;
+ return do_auth_user_pass(context, username, password) ? OPENVPN_PLUGIN_FUNC_SUCCESS
+ : OPENVPN_PLUGIN_FUNC_ERROR;
}
/* get auth_control_file filename from envp string array*/
@@ -317,11 +311,11 @@
/* fork, sleep, succeed (no "real" auth done = always succeed) */
pid_t p1 = fork();
- if (p1 < 0) /* Fork failed */
+ if (p1 < 0) /* Fork failed */
{
return OPENVPN_PLUGIN_FUNC_ERROR;
}
- if (p1 > 0) /* parent process */
+ if (p1 > 0) /* parent process */
{
waitpid(p1, NULL, 0);
return OPENVPN_PLUGIN_FUNC_DEFERRED;
@@ -331,11 +325,11 @@
pid_t p2 = fork();
if (p2 < 0)
{
- plog(context, PLOG_ERR|PLOG_ERRNO, "BACKGROUND: fork(2) failed");
+ plog(context, PLOG_ERR | PLOG_ERRNO, "BACKGROUND: fork(2) failed");
exit(1);
}
- if (p2 != 0) /* new parent: exit right away */
+ if (p2 != 0) /* new parent: exit right away */
{
exit(0);
}
@@ -347,7 +341,7 @@
*/
/* do mighty complicated work that will really take time here... */
- useconds_t wait_time = (useconds_t)context->test_deferred_auth*1000;
+ useconds_t wait_time = (useconds_t)context->test_deferred_auth * 1000;
plog(context, PLOG_NOTE, "in async/deferred handler, usleep(%u)", wait_time);
usleep(wait_time);
@@ -355,8 +349,7 @@
int fd = open(auth_control_file, O_WRONLY);
if (fd < 0)
{
- plog(context, PLOG_ERR|PLOG_ERRNO,
- "open('%s') failed", auth_control_file);
+ plog(context, PLOG_ERR | PLOG_ERRNO, "open('%s') failed", auth_control_file);
exit(1);
}
@@ -368,7 +361,7 @@
if (write(fd, result, 1) != 1)
{
- plog(context, PLOG_ERR|PLOG_ERRNO, "write to '%s' failed", auth_control_file );
+ plog(context, PLOG_ERR | PLOG_ERRNO, "write to '%s' failed", auth_control_file);
}
close(fd);
@@ -377,19 +370,20 @@
OPENVPN_EXPORT int
-openvpn_plugin_func_v3(const int v3structver,
- struct openvpn_plugin_args_func_in const *args,
+openvpn_plugin_func_v3(const int v3structver, struct openvpn_plugin_args_func_in const *args,
struct openvpn_plugin_args_func_return *ret)
{
if (v3structver < OPENVPN_PLUGIN_STRUCTVER_MIN)
{
- fprintf(stderr, "%s: this plugin is incompatible with the running version of OpenVPN\n", MODULE);
+ fprintf(stderr, "%s: this plugin is incompatible with the running version of OpenVPN\n",
+ MODULE);
return OPENVPN_PLUGIN_FUNC_ERROR;
}
const char **argv = args->argv;
const char **envp = args->envp;
- struct plugin_context *context = (struct plugin_context *) args->handle;
- struct plugin_per_client_context *pcc = (struct plugin_per_client_context *) args->per_client_context;
+ struct plugin_context *context = (struct plugin_context *)args->handle;
+ struct plugin_per_client_context *pcc =
+ (struct plugin_per_client_context *)args->per_client_context;
switch (args->type)
{
case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:
@@ -405,7 +399,7 @@
OPENVPN_EXPORT void *
openvpn_plugin_client_constructor_v1(openvpn_plugin_handle_t handle)
{
- struct plugin_context *context = (struct plugin_context *) handle;
+ struct plugin_context *context = (struct plugin_context *)handle;
plog(context, PLOG_NOTE, "FUNC: openvpn_plugin_client_constructor_v1");
return calloc(1, sizeof(struct plugin_per_client_context));
}
@@ -413,7 +407,7 @@
OPENVPN_EXPORT void
openvpn_plugin_client_destructor_v1(openvpn_plugin_handle_t handle, void *per_client_context)
{
- struct plugin_context *context = (struct plugin_context *) handle;
+ struct plugin_context *context = (struct plugin_context *)handle;
plog(context, PLOG_NOTE, "FUNC: openvpn_plugin_client_destructor_v1");
free(per_client_context);
}
@@ -421,7 +415,7 @@
OPENVPN_EXPORT void
openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)
{
- struct plugin_context *context = (struct plugin_context *) handle;
+ struct plugin_context *context = (struct plugin_context *)handle;
plog(context, PLOG_NOTE, "FUNC: openvpn_plugin_close_v1");
free(context);
}
@@ -37,22 +37,25 @@
#define MAXPATH 1024
#endif
-#define ovpn_err(fmt, ...) \
- plugin->log(PLOG_ERR, "SSO", fmt, ## __VA_ARGS__)
-#define ovpn_dbg(fmt, ...) \
- plugin->log(PLOG_DEBUG, "SSO", fmt, ## __VA_ARGS__)
-#define ovpn_note(fmt, ...) \
- plugin->log(PLOG_NOTE, "SSO", fmt, ## __VA_ARGS__)
+#define ovpn_err(fmt, ...) plugin->log(PLOG_ERR, "SSO", fmt, ##__VA_ARGS__)
+#define ovpn_dbg(fmt, ...) plugin->log(PLOG_DEBUG, "SSO", fmt, ##__VA_ARGS__)
+#define ovpn_note(fmt, ...) plugin->log(PLOG_NOTE, "SSO", fmt, ##__VA_ARGS__)
-enum endpoint { CLIENT = 1, SERVER = 2 };
+enum endpoint
+{
+ CLIENT = 1,
+ SERVER = 2
+};
-struct plugin {
+struct plugin
+{
plugin_log_t log;
enum endpoint type;
int mask;
};
-struct session {
+struct session
+{
char user[48];
char key[48];
};
@@ -85,8 +88,7 @@
}
OPENVPN_EXPORT int
-openvpn_plugin_open_v3(const int version,
- struct openvpn_plugin_args_open_in const *args,
+openvpn_plugin_open_v3(const int version, struct openvpn_plugin_args_open_in const *args,
struct openvpn_plugin_args_open_return *rv)
{
struct plugin *plugin = calloc(1, sizeof(*plugin));
@@ -98,9 +100,9 @@
}
plugin->type = get_env("remote_1", args->envp) ? CLIENT : SERVER;
- plugin->log = args->callbacks->plugin_log;
+ plugin->log = args->callbacks->plugin_log;
- plugin->mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL);
+ plugin->mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL);
plugin->mask |= OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY);
ovpn_note("vpn endpoint type=%s", plugin->type == CLIENT ? "client" : "server");
@@ -163,8 +165,8 @@
static int
tls_verify(struct openvpn_plugin_args_func_in const *args)
{
- struct plugin *plugin = (struct plugin *)args->handle;
- struct session *sess = (struct session *)args->per_client_context;
+ struct plugin *plugin = (struct plugin *)args->handle;
+ struct session *sess = (struct session *)args->per_client_context;
/* we store cert subject for the server end point only */
if (plugin->type != SERVER)
@@ -199,8 +201,8 @@
static void
server_store(struct openvpn_plugin_args_func_in const *args)
{
- struct plugin *plugin = (struct plugin *)args->handle;
- struct session *sess = (struct session *)args->per_client_context;
+ struct plugin *plugin = (struct plugin *)args->handle;
+ struct session *sess = (struct session *)args->per_client_context;
char file[MAXPATH];
snprintf(file, sizeof(file) - 1, "/tmp/openvpn_sso_%s", sess->key);
@@ -211,8 +213,8 @@
static void
client_store(struct openvpn_plugin_args_func_in const *args)
{
- struct plugin *plugin = (struct plugin *)args->handle;
- struct session *sess = (struct session *)args->per_client_context;
+ struct plugin *plugin = (struct plugin *)args->handle;
+ struct session *sess = (struct session *)args->per_client_context;
char *file = "/tmp/openvpn_sso_user";
ovpn_note("app session file: %s", file);
@@ -223,8 +225,8 @@
tls_final(struct openvpn_plugin_args_func_in const *args,
struct openvpn_plugin_args_func_return *rv)
{
- struct plugin *plugin = (struct plugin *)args->handle;
- struct session *sess = (struct session *)args->per_client_context;
+ struct plugin *plugin = (struct plugin *)args->handle;
+ struct session *sess = (struct session *)args->per_client_context;
const char *key;
if (!(key = get_env("exported_keying_material", args->envp)))
@@ -251,8 +253,7 @@
}
OPENVPN_EXPORT int
-openvpn_plugin_func_v3(const int version,
- struct openvpn_plugin_args_func_in const *args,
+openvpn_plugin_func_v3(const int version, struct openvpn_plugin_args_func_in const *args,
struct openvpn_plugin_args_func_return *rv)
{
switch (args->type)
@@ -270,7 +271,7 @@
openvpn_plugin_client_constructor_v1(openvpn_plugin_handle_t handle)
{
struct plugin *plugin = (struct plugin *)handle;
- struct session *sess = calloc(1, sizeof(*sess));
+ struct session *sess = calloc(1, sizeof(*sess));
ovpn_note("app session created");
@@ -281,7 +282,7 @@
openvpn_plugin_client_destructor_v1(openvpn_plugin_handle_t handle, void *ctx)
{
struct plugin *plugin = (struct plugin *)handle;
- struct session *sess = (struct session *)ctx;
+ struct session *sess = (struct session *)ctx;
ovpn_note("app session key: %s", sess->key);
ovpn_note("app session destroyed");
@@ -36,7 +36,8 @@
/*
* Our context, where we keep our state.
*/
-struct plugin_context {
+struct plugin_context
+{
const char *username;
const char *password;
};
@@ -75,7 +76,7 @@
/*
* Allocate our context
*/
- context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context));
+ context = (struct plugin_context *)calloc(1, sizeof(struct plugin_context));
if (context == NULL)
{
printf("PLUGIN: allocating memory for context failed\n");
@@ -91,19 +92,17 @@
/*
* Which callbacks to intercept.
*/
- *type_mask =
- OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_IPCHANGE)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL);
+ *type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP) | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_IPCHANGE)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL);
- return (openvpn_plugin_handle_t) context;
+ return (openvpn_plugin_handle_t)context;
}
void
@@ -171,9 +170,10 @@
}
OPENVPN_EXPORT int
-openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
+openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[],
+ const char *envp[])
{
- struct plugin_context *context = (struct plugin_context *) handle;
+ struct plugin_context *context = (struct plugin_context *)handle;
show(type, argv, envp);
@@ -184,8 +184,8 @@
const char *username = get_env("username", envp);
const char *password = get_env("password", envp);
- if (username && !strcmp(username, context->username)
- && password && !strcmp(password, context->password))
+ if (username && !strcmp(username, context->username) && password
+ && !strcmp(password, context->password))
{
return OPENVPN_PLUGIN_FUNC_SUCCESS;
}
@@ -203,6 +203,6 @@
OPENVPN_EXPORT void
openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)
{
- struct plugin_context *context = (struct plugin_context *) handle;
+ struct plugin_context *context = (struct plugin_context *)handle;
free(context);
}
@@ -39,7 +39,8 @@
/*
* Our context, where we keep our state.
*/
-struct plugin_context {
+struct plugin_context
+{
const char *username;
const char *password;
};
@@ -71,8 +72,7 @@
}
OPENVPN_EXPORT int
-openvpn_plugin_open_v3(const int v3structver,
- struct openvpn_plugin_args_open_in const *args,
+openvpn_plugin_open_v3(const int v3structver, struct openvpn_plugin_args_open_in const *args,
struct openvpn_plugin_args_open_return *ret)
{
struct plugin_context *context = NULL;
@@ -80,7 +80,8 @@
/* Check that we are API compatible */
if (v3structver != OPENVPN_PLUGINv3_STRUCTVER)
{
- printf("log_v3: ** ERROR ** Incompatible plug-in interface between this plug-in and OpenVPN\n");
+ printf(
+ "log_v3: ** ERROR ** Incompatible plug-in interface between this plug-in and OpenVPN\n");
return OPENVPN_PLUGIN_FUNC_ERROR;
}
@@ -91,26 +92,24 @@
}
/* Print some version information about the OpenVPN process using this plug-in */
- printf("log_v3: OpenVPN %s (Major: %i, Minor: %i, Patch: %s)\n",
- args->ovpn_version, args->ovpn_version_major,
- args->ovpn_version_minor, args->ovpn_version_patch);
+ printf("log_v3: OpenVPN %s (Major: %i, Minor: %i, Patch: %s)\n", args->ovpn_version,
+ args->ovpn_version_major, args->ovpn_version_minor, args->ovpn_version_patch);
/* Which callbacks to intercept. */
- ret->type_mask =
- OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_IPCHANGE)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL);
+ ret->type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_IPCHANGE)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL);
/* Allocate our context */
- context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context));
+ context = (struct plugin_context *)calloc(1, sizeof(struct plugin_context));
if (context == NULL)
{
printf("PLUGIN: allocating memory for context failed\n");
@@ -122,7 +121,7 @@
context->password = "bar";
/* Point the global context handle to our newly created context */
- ret->handle = (void *) context;
+ ret->handle = (void *)context;
return OPENVPN_PLUGIN_FUNC_SUCCESS;
}
@@ -243,13 +242,11 @@
}
-
OPENVPN_EXPORT int
-openvpn_plugin_func_v3(const int version,
- struct openvpn_plugin_args_func_in const *args,
+openvpn_plugin_func_v3(const int version, struct openvpn_plugin_args_func_in const *args,
struct openvpn_plugin_args_func_return *retptr)
{
- struct plugin_context *context = (struct plugin_context *) args->handle;
+ struct plugin_context *context = (struct plugin_context *)args->handle;
printf("\nopenvpn_plugin_func_v3() :::::>> ");
show(args->type, args->argv, args->envp);
@@ -270,8 +267,8 @@
const char *username = get_env("username", args->envp);
const char *password = get_env("password", args->envp);
- if (username && !strcmp(username, context->username)
- && password && !strcmp(password, context->password))
+ if (username && !strcmp(username, context->username) && password
+ && !strcmp(password, context->password))
{
return OPENVPN_PLUGIN_FUNC_SUCCESS;
}
@@ -289,6 +286,6 @@
OPENVPN_EXPORT void
openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)
{
- struct plugin_context *context = (struct plugin_context *) handle;
+ struct plugin_context *context = (struct plugin_context *)handle;
free(context);
}
@@ -98,21 +98,20 @@
*
*/
OPENVPN_EXPORT int
-openvpn_plugin_open_v3(const int v3structver,
- struct openvpn_plugin_args_open_in const *args,
+openvpn_plugin_open_v3(const int v3structver, struct openvpn_plugin_args_open_in const *args,
struct openvpn_plugin_args_open_return *ret)
{
/* Check that we are API compatible */
if (v3structver != OPENVPN_PLUGINv3_STRUCTVER)
{
- printf("base64.c: ** ERROR ** Incompatible plug-in interface between this plug-in and OpenVPN\n");
+ printf(
+ "base64.c: ** ERROR ** Incompatible plug-in interface between this plug-in and OpenVPN\n");
return OPENVPN_PLUGIN_FUNC_ERROR;
}
/* Which callbacks to intercept. */
- ret->type_mask =
- OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2);
+ ret->type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY)
+ | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2);
/* we don't need a plug-in context in this example, but OpenVPN expects "something" */
ret->handle = calloc(1, 1);
@@ -125,8 +124,8 @@
/* Print some version information about the OpenVPN process using this plug-in */
ovpn_log(PLOG_NOTE, PLUGIN_NAME, "OpenVPN %s (Major: %i, Minor: %i, Patch: %s)\n",
- args->ovpn_version, args->ovpn_version_major,
- args->ovpn_version_minor, args->ovpn_version_patch);
+ args->ovpn_version, args->ovpn_version_major, args->ovpn_version_minor,
+ args->ovpn_version_patch);
return OPENVPN_PLUGIN_FUNC_SUCCESS;
}
@@ -154,10 +153,10 @@
*/
OPENVPN_EXPORT int
-openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
+openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[],
+ const char *envp[])
{
- if (type != OPENVPN_PLUGIN_TLS_VERIFY
- && type != OPENVPN_PLUGIN_CLIENT_CONNECT_V2)
+ if (type != OPENVPN_PLUGIN_TLS_VERIFY && type != OPENVPN_PLUGIN_CLIENT_CONNECT_V2)
{
ovpn_log(PLOG_ERR, PLUGIN_NAME, "Unsupported plug-in hook call attempted");
return OPENVPN_PLUGIN_FUNC_ERROR;
@@ -174,14 +173,13 @@
/* test the BASE64 encode function */
char *buf = NULL;
int r = ovpn_base64_encode(clcert_cn, (int)strlen(clcert_cn), &buf);
- ovpn_log(PLOG_NOTE, PLUGIN_NAME, "BASE64 encoded '%s' (return value %i): '%s'",
- clcert_cn, r, buf);
+ ovpn_log(PLOG_NOTE, PLUGIN_NAME, "BASE64 encoded '%s' (return value %i): '%s'", clcert_cn, r,
+ buf);
/* test the BASE64 decode function */
- char buf2[256] = {0};
+ char buf2[256] = { 0 };
r = ovpn_base64_decode(buf, &buf2, 255);
- ovpn_log(PLOG_NOTE, PLUGIN_NAME, "BASE64 decoded '%s' (return value %i): '%s'",
- buf, r, buf2);
+ ovpn_log(PLOG_NOTE, PLUGIN_NAME, "BASE64 decoded '%s' (return value %i): '%s'", buf, r, buf2);
/* Verify the result, and free the buffer allocated by ovpn_base64_encode() */
r = strcmp(clcert_cn, buf2);
@@ -201,6 +199,6 @@
OPENVPN_EXPORT void
openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)
{
- struct plugin_context *context = (struct plugin_context *) handle;
+ struct plugin_context *context = (struct plugin_context *)handle;
free(context);
}
@@ -38,7 +38,8 @@
/*
* Our context, where we keep our state.
*/
-struct plugin_context {
+struct plugin_context
+{
const char *username;
const char *password;
};
@@ -77,7 +78,7 @@
/*
* Allocate our context
*/
- context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context));
+ context = (struct plugin_context *)calloc(1, sizeof(struct plugin_context));
if (context == NULL)
{
printf("PLUGIN: allocating memory for context failed\n");
@@ -96,21 +97,22 @@
*/
*type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY);
- return (openvpn_plugin_handle_t) context;
+ return (openvpn_plugin_handle_t)context;
}
OPENVPN_EXPORT int
-openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
+openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[],
+ const char *envp[])
{
- struct plugin_context *context = (struct plugin_context *) handle;
+ struct plugin_context *context = (struct plugin_context *)handle;
/* get username/password from envp string array */
const char *username = get_env("username", envp);
const char *password = get_env("password", envp);
/* check entered username/password against what we require */
- if (username && !strcmp(username, context->username)
- && password && !strcmp(password, context->password))
+ if (username && !strcmp(username, context->username) && password
+ && !strcmp(password, context->password))
{
return OPENVPN_PLUGIN_FUNC_SUCCESS;
}
@@ -123,6 +125,6 @@
OPENVPN_EXPORT void
openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)
{
- struct plugin_context *context = (struct plugin_context *) handle;
+ struct plugin_context *context = (struct plugin_context *)handle;
free(context);
}
@@ -41,7 +41,7 @@
/* If NULL, check for \ instead ... might be Windows a path */
p = strrchr(filename, '\\');
}
- return p ? p + 1 : (char *) filename;
+ return p ? p + 1 : (char *)filename;
}
#endif /* HAVE_BASENAME */
@@ -89,7 +89,7 @@
/* The '/' is the last character, we have to look further. */
if (runp != path)
{
- last_slash = (char *) __memrchr(path, separator, runp - path);
+ last_slash = (char *)__memrchr(path, separator, runp - path);
}
}
@@ -134,7 +134,7 @@
/* This assignment is ill-designed but the XPG specs require to
* return a string containing "." in any case no directory part is
* found and so a static and constant string is required. */
- path = (char *) dot;
+ path = (char *)dot;
}
return path;
@@ -48,7 +48,7 @@
{
const time_t t = time(NULL);
const DWORD gtc = GetTickCount();
- gtc_base = t - gtc/1000;
+ gtc_base = t - gtc / 1000;
gtc_last = gtc;
}
@@ -112,7 +112,7 @@
return 0;
}
-#else /* ifdef _WIN32 */
+#else /* ifdef _WIN32 */
#include <time.h>
@@ -284,8 +284,7 @@
* free()d to avoid memory leaks.
*/
static char *
-argv_prep_format(const char *format, const char delim, size_t *count,
- struct gc_arena *gc)
+argv_prep_format(const char *format, const char delim, size_t *count, struct gc_arena *gc)
{
if (format == NULL)
{
@@ -311,7 +310,7 @@
* the string is empty; the resulting format string
* will never start with a delimiter.
*/
- if (j > 0) /* Has anything been written to the output string? */
+ if (j > 0) /* Has anything been written to the output string? */
{
f[j++] = delim;
}
@@ -347,7 +346,7 @@
static bool
argv_printf_arglist(struct argv *argres, const char *format, va_list arglist)
{
- const char delim = 0x1D; /* ASCII Group Separator (GS) */
+ const char delim = 0x1D; /* ASCII Group Separator (GS) */
bool res = false;
/*
@@ -484,8 +483,8 @@
argv_reset(argres);
char *parms[MAX_PARMS + 1] = { 0 };
- int nparms = parse_line(cmdstr, parms, MAX_PARMS, "SCRIPT-ARGV", 0,
- D_ARGV_PARSE_CMD, &argres->gc);
+ int nparms =
+ parse_line(cmdstr, parms, MAX_PARMS, "SCRIPT-ARGV", 0, D_ARGV_PARSE_CMD, &argres->gc);
if (nparms)
{
int i;
@@ -31,7 +31,8 @@
#include "buffer.h"
-struct argv {
+struct argv
+{
struct gc_arena gc;
size_t capacity;
size_t argc;
@@ -55,21 +56,21 @@
bool argv_printf(struct argv *a, const char *format, ...)
#ifdef __GNUC__
#if __USE_MINGW_ANSI_STDIO
-__attribute__ ((format(gnu_printf, 2, 3)))
+ __attribute__((format(gnu_printf, 2, 3)))
#else
-__attribute__ ((format(__printf__, 2, 3)))
+ __attribute__((format(__printf__, 2, 3)))
#endif
#endif
-;
+ ;
bool argv_printf_cat(struct argv *a, const char *format, ...)
#ifdef __GNUC__
#if __USE_MINGW_ANSI_STDIO
-__attribute__ ((format(gnu_printf, 2, 3)))
+ __attribute__((format(gnu_printf, 2, 3)))
#else
-__attribute__ ((format(__printf__, 2, 3)))
+ __attribute__((format(__printf__, 2, 3)))
#endif
#endif
-;
+ ;
#endif /* ifndef ARGV_H */
@@ -18,7 +18,7 @@
const char *auth_token_pem_name = "OpenVPN auth-token server key";
-#define AUTH_TOKEN_SESSION_ID_LEN 12
+#define AUTH_TOKEN_SESSION_ID_LEN 12
#define AUTH_TOKEN_SESSION_ID_BASE64_LEN (AUTH_TOKEN_SESSION_ID_LEN * 8 / 6)
#if AUTH_TOKEN_SESSION_ID_LEN % 3
@@ -53,7 +53,7 @@
}
else if (auth_token_state_flags & AUTH_TOKEN_HMAC_OK)
{
- switch (auth_token_state_flags & (AUTH_TOKEN_VALID_EMPTYUSER|AUTH_TOKEN_EXPIRED))
+ switch (auth_token_state_flags & (AUTH_TOKEN_VALID_EMPTYUSER | AUTH_TOKEN_EXPIRED))
{
case 0:
state = "Authenticated";
@@ -107,9 +107,9 @@
* in the encoding
*/
- char session_id[AUTH_TOKEN_SESSION_ID_LEN*2] = {0};
+ char session_id[AUTH_TOKEN_SESSION_ID_LEN * 2] = { 0 };
memcpy(session_id, session_id_source + strlen(SESSION_ID_PREFIX),
- AUTH_TOKEN_SESSION_ID_LEN*8/6);
+ AUTH_TOKEN_SESSION_ID_LEN * 8 / 6);
setenv_str(session->opt->es, "session_id", session_id);
}
@@ -121,8 +121,7 @@
}
void
-auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file,
- bool key_inline)
+auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file, bool key_inline)
{
struct key_type kt = auth_token_kt();
@@ -131,14 +130,12 @@
bool key_loaded = false;
if (key_file)
{
- key_loaded = read_pem_key_file(&server_secret_key,
- auth_token_pem_name,
- key_file, key_inline);
+ key_loaded =
+ read_pem_key_file(&server_secret_key, auth_token_pem_name, key_file, key_inline);
}
else
{
- key_loaded = generate_ephemeral_key(&server_secret_key,
- auth_token_pem_name);
+ key_loaded = generate_ephemeral_key(&server_secret_key, auth_token_pem_name);
}
if (!key_loaded)
@@ -169,7 +166,7 @@
int64_t initial_timestamp = timestamp;
hmac_ctx_t *ctx = multi->opt.auth_token_key.hmac;
- ASSERT(hmac_ctx_size(ctx) == 256/8);
+ ASSERT(hmac_ctx_size(ctx) == 256 / 8);
uint8_t sessid[AUTH_TOKEN_SESSION_ID_LEN];
@@ -185,7 +182,7 @@
char *initial_token_copy = string_alloc(multi->auth_token_initial, &gc);
char *old_sessid = initial_token_copy + strlen(SESSION_ID_PREFIX);
- char *old_tstamp_initial = old_sessid + AUTH_TOKEN_SESSION_ID_LEN*8/6;
+ char *old_tstamp_initial = old_sessid + AUTH_TOKEN_SESSION_ID_LEN * 8 / 6;
/*
* We null terminate the old token just after the session ID to let
@@ -197,12 +194,13 @@
memcpy(&initial_timestamp, &old_tstamp_decode, sizeof(initial_timestamp));
old_tstamp_initial[0] = '\0';
- ASSERT(openvpn_base64_decode(old_sessid, sessid, AUTH_TOKEN_SESSION_ID_LEN) == AUTH_TOKEN_SESSION_ID_LEN);
+ ASSERT(openvpn_base64_decode(old_sessid, sessid, AUTH_TOKEN_SESSION_ID_LEN)
+ == AUTH_TOKEN_SESSION_ID_LEN);
}
else if (!rand_bytes(sessid, AUTH_TOKEN_SESSION_ID_LEN))
{
- msg( M_FATAL, "Failed to get enough randomness for "
- "authentication token");
+ msg(M_FATAL, "Failed to get enough randomness for "
+ "authentication token");
}
/* Calculate the HMAC */
@@ -210,7 +208,7 @@
* with \0 in them is asking for troubles in so many ways anyway that we
* ignore that corner case here
*/
- uint8_t hmac_output[256/8];
+ uint8_t hmac_output[256 / 8];
hmac_ctx_reset(ctx);
@@ -222,20 +220,20 @@
struct key_state *ks = &multi->session[TM_ACTIVE].key[KS_PRIMARY];
if (ks->auth_token_state_flags & AUTH_TOKEN_VALID_EMPTYUSER)
{
- hmac_ctx_update(ctx, (const uint8_t *) "", 0);
+ hmac_ctx_update(ctx, (const uint8_t *)"", 0);
}
else
{
- hmac_ctx_update(ctx, (uint8_t *) up->username, (int) strlen(up->username));
+ hmac_ctx_update(ctx, (uint8_t *)up->username, (int)strlen(up->username));
}
hmac_ctx_update(ctx, sessid, AUTH_TOKEN_SESSION_ID_LEN);
- hmac_ctx_update(ctx, (uint8_t *) &initial_timestamp, sizeof(initial_timestamp));
- hmac_ctx_update(ctx, (uint8_t *) ×tamp, sizeof(timestamp));
+ hmac_ctx_update(ctx, (uint8_t *)&initial_timestamp, sizeof(initial_timestamp));
+ hmac_ctx_update(ctx, (uint8_t *)×tamp, sizeof(timestamp));
hmac_ctx_final(ctx, hmac_output);
/* Construct the unencoded session token */
- struct buffer token = alloc_buf_gc(
- 2*sizeof(uint64_t) + AUTH_TOKEN_SESSION_ID_LEN + 256/8, &gc);
+ struct buffer token =
+ alloc_buf_gc(2 * sizeof(uint64_t) + AUTH_TOKEN_SESSION_ID_LEN + 256 / 8, &gc);
ASSERT(buf_write(&token, sessid, sizeof(sessid)));
ASSERT(buf_write(&token, &initial_timestamp, sizeof(initial_timestamp)));
@@ -245,8 +243,8 @@
char *b64output = NULL;
openvpn_base64_encode(BPTR(&token), BLEN(&token), &b64output);
- struct buffer session_token = alloc_buf_gc(
- strlen(SESSION_ID_PREFIX) + strlen(b64output) + 1, &gc);
+ struct buffer session_token =
+ alloc_buf_gc(strlen(SESSION_ID_PREFIX) + strlen(b64output) + 1, &gc);
ASSERT(buf_write(&session_token, SESSION_ID_PREFIX, strlen(SESSION_ID_PREFIX)));
ASSERT(buf_write(&session_token, b64output, (int)strlen(b64output)));
@@ -258,8 +256,7 @@
free(multi->auth_token);
multi->auth_token = strdup((char *)BPTR(&session_token));
- dmsg(D_SHOW_KEYS, "Generated token for client: %s (%s)",
- multi->auth_token, up->username);
+ dmsg(D_SHOW_KEYS, "Generated token for client: %s (%s)", multi->auth_token, up->username);
if (!multi->auth_token_initial)
{
@@ -277,22 +274,21 @@
static bool
check_hmac_token(hmac_ctx_t *ctx, const uint8_t *b64decoded, const char *username)
{
- ASSERT(hmac_ctx_size(ctx) == 256/8);
+ ASSERT(hmac_ctx_size(ctx) == 256 / 8);
- uint8_t hmac_output[256/8];
+ uint8_t hmac_output[256 / 8];
hmac_ctx_reset(ctx);
- hmac_ctx_update(ctx, (uint8_t *) username, (int)strlen(username));
- hmac_ctx_update(ctx, b64decoded, TOKEN_DATA_LEN - 256/8);
+ hmac_ctx_update(ctx, (uint8_t *)username, (int)strlen(username));
+ hmac_ctx_update(ctx, b64decoded, TOKEN_DATA_LEN - 256 / 8);
hmac_ctx_final(ctx, hmac_output);
- const uint8_t *hmac = b64decoded + TOKEN_DATA_LEN - 256/8;
+ const uint8_t *hmac = b64decoded + TOKEN_DATA_LEN - 256 / 8;
return memcmp_constant_time(&hmac_output, hmac, 32) == 0;
}
unsigned int
-verify_auth_token(struct user_pass *up, struct tls_multi *multi,
- struct tls_session *session)
+verify_auth_token(struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
{
/*
* Base64 is <= input and input is < USER_PASS_LEN, so using USER_PASS_LEN
@@ -300,8 +296,8 @@
*/
ASSERT(up && !up->protected);
uint8_t b64decoded[USER_PASS_LEN];
- int decoded_len = openvpn_base64_decode(up->password + strlen(SESSION_ID_PREFIX),
- b64decoded, USER_PASS_LEN);
+ int decoded_len =
+ openvpn_base64_decode(up->password + strlen(SESSION_ID_PREFIX), b64decoded, USER_PASS_LEN);
/*
* Ensure that the decoded data is the size of the
@@ -309,8 +305,7 @@
*/
if (decoded_len != TOKEN_DATA_LEN)
{
- msg(M_WARN, "ERROR: --auth-token wrong size (%d!=%d)",
- decoded_len, (int) TOKEN_DATA_LEN);
+ msg(M_WARN, "ERROR: --auth-token wrong size (%d!=%d)", decoded_len, (int)TOKEN_DATA_LEN);
return 0;
}
@@ -343,15 +338,14 @@
}
else
{
- msg(M_WARN, "--auth-gen-token: HMAC on token from client failed (%s)",
- up->username);
+ msg(M_WARN, "--auth-gen-token: HMAC on token from client failed (%s)", up->username);
return 0;
}
/* Accept session tokens only if their timestamp is in the acceptable range
* for renegotiations */
- bool in_renegotiation_time = now >= timestamp
- && now < timestamp + 2 * session->opt->auth_token_renewal;
+ bool in_renegotiation_time =
+ now >= timestamp && now < timestamp + 2 * session->opt->auth_token_renewal;
if (!in_renegotiation_time)
{
@@ -363,14 +357,14 @@
/* Sanity check the initial timestamp */
if (timestamp < timestamp_initial)
{
- msg(M_WARN, "Initial timestamp (%" PRIu64 ") in token from client earlier than "
+ msg(M_WARN,
+ "Initial timestamp (%" PRIu64 ") in token from client earlier than "
"current timestamp %" PRIu64 ". Broken/unsynchronised clock?",
timestamp_initial, timestamp);
ret |= AUTH_TOKEN_EXPIRED;
}
- if (multi->opt.auth_token_lifetime
- && now > timestamp_initial + multi->opt.auth_token_lifetime)
+ if (multi->opt.auth_token_lifetime && now > timestamp_initial + multi->opt.auth_token_lifetime)
{
ret |= AUTH_TOKEN_EXPIRED;
}
@@ -391,7 +385,7 @@
strlen(SESSION_ID_PREFIX) + AUTH_TOKEN_SESSION_ID_BASE64_LEN))
{
msg(M_WARN, "--auth-gen-token: session id in token changed (Rejecting "
- "token.");
+ "token.");
ret = 0;
}
return ret;
@@ -409,8 +403,7 @@
}
if (multi->auth_token_initial)
{
- secure_memzero(multi->auth_token_initial,
- strlen(multi->auth_token_initial));
+ secure_memzero(multi->auth_token_initial, strlen(multi->auth_token_initial));
free(multi->auth_token_initial);
}
multi->auth_token = NULL;
@@ -438,7 +431,7 @@
if (!multi->auth_token_initial)
{
msg(D_SHOW_KEYS, "initial auth-token not generated yet, skipping "
- "auth-token renewal.");
+ "auth-token renewal.");
return;
}
@@ -58,27 +58,22 @@
* This function will free() an existing multi->auth_token and keep the
* existing initial timestamp and session id contained in that token.
*/
-void
-generate_auth_token(const struct user_pass *up, struct tls_multi *multi);
+void generate_auth_token(const struct user_pass *up, struct tls_multi *multi);
/**
* Verifies the auth token to be in the format that generate_auth_token
* create and checks if the token is valid.
*
*/
-unsigned
-verify_auth_token(struct user_pass *up, struct tls_multi *multi,
- struct tls_session *session);
-
+unsigned verify_auth_token(struct user_pass *up, struct tls_multi *multi,
+ struct tls_session *session);
/**
* Loads an HMAC secret from a file or if no file is present generates a
* epheremal secret for the run time of the server and stores it into ctx
*/
-void
-auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file,
- bool key_inline);
+void auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file, bool key_inline);
/**
@@ -125,8 +120,7 @@
static inline bool
is_auth_token(const char *password)
{
- return (memcmp_constant_time(SESSION_ID_PREFIX, password,
- strlen(SESSION_ID_PREFIX)) == 0);
+ return (memcmp_constant_time(SESSION_ID_PREFIX, password, strlen(SESSION_ID_PREFIX)) == 0);
}
/**
* Checks if a client should be sent a new auth token to update its
@@ -134,15 +128,13 @@
* @param multi Pointer the multi object of the TLS session
* @param session Pointer to the TLS session itself
*/
-void
-resend_auth_token_renegotiation(struct tls_multi *multi, struct tls_session *session);
+void resend_auth_token_renegotiation(struct tls_multi *multi, struct tls_session *session);
/**
* Checks if the timer to resend the auth-token has expired and if a new
* auth-token should be send to the client and triggers the resending
*/
-void
-check_send_auth_token(struct context *c);
+void check_send_auth_token(struct context *c);
#endif /* AUTH_TOKEN_H */
@@ -41,8 +41,7 @@
#include "memdbg.h"
-static char base64_chars[] =
- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+static char base64_chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
/*
* base64 encode input data of length size to malloced
* buffer which is returned as *str. Returns string
@@ -60,14 +59,14 @@
{
return -1;
}
- p = s = (char *) malloc(size * 4 / 3 + 4);
+ p = s = (char *)malloc(size * 4 / 3 + 4);
if (p == NULL)
{
return -1;
}
- q = (const unsigned char *) data;
+ q = (const unsigned char *)data;
i = 0;
- for (i = 0; i < size; )
+ for (i = 0; i < size;)
{
c = q[i++];
c *= 256;
@@ -196,5 +195,5 @@
*q++ = val & 0xff;
}
}
- return q - (unsigned char *) data;
+ return q - (unsigned char *)data;
}
@@ -35,12 +35,10 @@
#define _BASE64_H_
/** Compute resulting base64 length. 6 bits per byte, padded to 4 bytes. */
-#define OPENVPN_BASE64_LENGTH(binary_length) \
- ((((8 * binary_length) / 6) + 3) & ~3)
+#define OPENVPN_BASE64_LENGTH(binary_length) ((((8 * binary_length) / 6) + 3) & ~3)
/** Compute the maximal number of bytes encoded in a base64 string. */
-#define OPENVPN_BASE64_DECODED_LENGTH(base64_length) \
- ((base64_length / 4) * 3)
+#define OPENVPN_BASE64_DECODED_LENGTH(base64_length) ((base64_length / 4) * 3)
int openvpn_base64_encode(const void *data, int size, char **str);
@@ -26,7 +26,7 @@
#define BOOL_CAST(x) ((x) ? (true) : (false))
/* size of an array */
-#define SIZE(x) (sizeof(x)/sizeof(x[0]))
+#define SIZE(x) (sizeof(x) / sizeof(x[0]))
/* clear an object (may be optimized away, use secure_memzero() to erase secrets) */
#define CLEAR(x) memset(&(x), 0, sizeof(x))
@@ -40,12 +40,14 @@
array_mult_safe(const size_t m1, const size_t m2, const size_t extra)
{
const size_t limit = 0xFFFFFFFF;
- unsigned long long res = (unsigned long long)m1 * (unsigned long long)m2 + (unsigned long long)extra;
- if (unlikely(m1 > limit) || unlikely(m2 > limit) || unlikely(extra > limit) || unlikely(res > (unsigned long long)limit))
+ unsigned long long res =
+ (unsigned long long)m1 * (unsigned long long)m2 + (unsigned long long)extra;
+ if (unlikely(m1 > limit) || unlikely(m2 > limit) || unlikely(extra > limit)
+ || unlikely(res > (unsigned long long)limit))
{
msg(M_FATAL, "attempted allocation of excessively large array");
}
- return (size_t) res;
+ return (size_t)res;
}
void
@@ -96,9 +98,9 @@
buf.offset = 0;
buf.len = 0;
#ifdef DMALLOC
- buf.data = (uint8_t *) gc_malloc_debug(size, false, gc, file, line);
+ buf.data = (uint8_t *)gc_malloc_debug(size, false, gc, file, line);
#else
- buf.data = (uint8_t *) gc_malloc(size, false, gc);
+ buf.data = (uint8_t *)gc_malloc(size, false, gc);
#endif
if (size)
{
@@ -119,9 +121,9 @@
ret.offset = buf->offset;
ret.len = buf->len;
#ifdef DMALLOC
- ret.data = (uint8_t *) openvpn_dmalloc(file, line, buf->capacity);
+ ret.data = (uint8_t *)openvpn_dmalloc(file, line, buf->capacity);
#else
- ret.data = (uint8_t *) malloc(buf->capacity);
+ ret.data = (uint8_t *)malloc(buf->capacity);
#endif
check_malloc_return(ret.data);
memcpy(BPTR(&ret), BPTR(buf), BLEN(buf));
@@ -150,7 +152,7 @@
return buf->debug_file;
}
-#else /* ifdef BUF_INIT_TRACKING */
+#else /* ifdef BUF_INIT_TRACKING */
#define buf_debug_line(buf) 0
#define buf_debug_file(buf) "[UNDEF]"
@@ -252,7 +254,7 @@
stat = vsnprintf((char *)ptr, cap, format, arglist);
va_end(arglist);
*(buf->data + buf->capacity - 1) = 0; /* windows vsnprintf needs this */
- buf->len += (int) strlen((char *)ptr);
+ buf->len += (int)strlen((char *)ptr);
if (stat >= 0 && stat < cap)
{
ret = true;
@@ -272,7 +274,7 @@
{
strncpynt((char *)ptr, str, cap);
*(buf->data + buf->capacity - 1) = 0; /* windows vsnprintf needs this */
- buf->len += (int) strlen((char *)ptr);
+ buf->len += (int)strlen((char *)ptr);
ret = true;
}
return ret;
@@ -299,8 +301,7 @@
buffer_write_file(const char *filename, const struct buffer *buf)
{
bool ret = false;
- int fd = platform_open(filename, O_CREAT | O_TRUNC | O_WRONLY,
- S_IRUSR | S_IWUSR);
+ int fd = platform_open(filename, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR);
if (fd == -1)
{
msg(M_ERRNO, "Cannot open file '%s' for write", filename);
@@ -340,12 +341,12 @@
{
struct gc_entry *e;
#ifdef DMALLOC
- e = (struct gc_entry *) openvpn_dmalloc(file, line, size + sizeof(struct gc_entry));
+ e = (struct gc_entry *)openvpn_dmalloc(file, line, size + sizeof(struct gc_entry));
#else
- e = (struct gc_entry *) malloc(size + sizeof(struct gc_entry));
+ e = (struct gc_entry *)malloc(size + sizeof(struct gc_entry));
#endif
check_malloc_return(e);
- ret = (char *) e + sizeof(struct gc_entry);
+ ret = (char *)e + sizeof(struct gc_entry);
e->next = a->list;
a->list = e;
}
@@ -361,7 +362,7 @@
#ifndef ZERO_BUFFER_ON_ALLOC
if (clear)
#endif
- memset(ret, 0, size);
+ memset(ret, 0, size);
return ret;
}
@@ -439,9 +440,9 @@
ASSERT(a);
struct gc_entry_special *e;
#ifdef DMALLOC
- e = (struct gc_entry_special *) openvpn_dmalloc(file, line, sizeof(struct gc_entry_special));
+ e = (struct gc_entry_special *)openvpn_dmalloc(file, line, sizeof(struct gc_entry_special));
#else
- e = (struct gc_entry_special *) malloc(sizeof(struct gc_entry_special));
+ e = (struct gc_entry_special *)malloc(sizeof(struct gc_entry_special));
#endif
check_malloc_return(e);
e->free_fnc = free_function;
@@ -479,15 +480,15 @@
*/
char *
-format_hex_ex(const uint8_t *data, int size, int maxoutput,
- unsigned int space_break_flags, const char *separator,
- struct gc_arena *gc)
+format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags,
+ const char *separator, struct gc_arena *gc)
{
const size_t bytes_per_hexblock = space_break_flags & FHE_SPACE_BREAK_MASK;
const size_t separator_len = separator ? strlen(separator) : 0;
static_assert(INT_MAX <= SIZE_MAX, "Code assumes INT_MAX <= SIZE_MAX");
- const size_t out_len = maxoutput > 0 ? maxoutput :
- ((size * 2) + ((size / bytes_per_hexblock) * separator_len) + 2);
+ const size_t out_len = maxoutput > 0
+ ? maxoutput
+ : ((size * 2) + ((size / bytes_per_hexblock) * separator_len) + 2);
struct buffer out = alloc_buf_gc(out_len, gc);
for (int i = 0; i < size; ++i)
@@ -531,13 +532,13 @@
void
buf_null_terminate(struct buffer *buf)
{
- char *last = (char *) BLAST(buf);
+ char *last = (char *)BLAST(buf);
if (last && *last == '\0') /* already terminated? */
{
return;
}
- if (!buf_safe(buf, 1)) /* make space for trailing null */
+ if (!buf_safe(buf, 1)) /* make space for trailing null */
{
buf_inc_len(buf, -1);
}
@@ -554,12 +555,12 @@
{
while (true)
{
- char *last = (char *) BLAST(buf);
+ char *last = (char *)BLAST(buf);
if (!last)
{
break;
}
- if (char_class(*last, CC_CRLF|CC_NULL))
+ if (char_class(*last, CC_CRLF | CC_NULL))
{
if (!buf_inc_len(buf, -1))
{
@@ -656,9 +657,9 @@
if (gc)
{
#ifdef DMALLOC
- ret = (char *) gc_malloc_debug(n, false, gc, file, line);
+ ret = (char *)gc_malloc_debug(n, false, gc, file, line);
#else
- ret = (char *) gc_malloc(n, false, gc);
+ ret = (char *)gc_malloc(n, false, gc);
#endif
}
else
@@ -717,7 +718,7 @@
{
struct buffer out = alloc_buf_gc(256, gc);
int i = 0;
- for (;; )
+ for (;;)
{
const char *cp = *p++;
if (!cp)
@@ -756,9 +757,9 @@
ASSERT(str);
#ifdef DMALLOC
- buf_set_read(&buf, (uint8_t *) string_alloc_debug(str, gc, file, line), strlen(str) + 1);
+ buf_set_read(&buf, (uint8_t *)string_alloc_debug(str, gc, file, line), strlen(str) + 1);
#else
- buf_set_read(&buf, (uint8_t *) string_alloc(str, gc), strlen(str) + 1);
+ buf_set_read(&buf, (uint8_t *)string_alloc(str, gc), strlen(str) + 1);
#endif
if (buf.len > 0) /* Don't count trailing '\0' as part of length */
@@ -845,10 +846,9 @@
break;
}
line[n++] = (char)c;
- }
- while (c);
+ } while (c);
- line[size-1] = '\0';
+ line[size - 1] = '\0';
return !(eol && !strlen(line));
}
@@ -1038,7 +1038,8 @@
* Guaranteed to not increase string length.
*/
bool
-string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive, const char replace)
+string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive,
+ const char replace)
{
const char *in = str;
bool ret = true;
@@ -1087,11 +1088,8 @@
}
const char *
-string_mod_const(const char *str,
- const unsigned int inclusive,
- const unsigned int exclusive,
- const char replace,
- struct gc_arena *gc)
+string_mod_const(const char *str, const unsigned int inclusive, const unsigned int exclusive,
+ const char replace, struct gc_arena *gc)
{
if (str)
{
@@ -1130,23 +1128,16 @@
if (buf && buf->len)
{
int msglevel = D_ALIGN_DEBUG;
- const unsigned int u = (unsigned int) BPTR(buf);
+ const unsigned int u = (unsigned int)BPTR(buf);
- if (u & (PAYLOAD_ALIGN-1))
+ if (u & (PAYLOAD_ALIGN - 1))
{
msglevel = D_ALIGN_ERRORS;
}
msg(msglevel, "%sAlignment at %s/%d ptr=" ptr_format " OLC=%d/%d/%d I=%s/%d",
- (msglevel == D_ALIGN_ERRORS) ? "ERROR: " : "",
- file,
- line,
- (ptr_type)buf->data,
- buf->offset,
- buf->len,
- buf->capacity,
- buf_debug_file(buf),
- buf_debug_line(buf));
+ (msglevel == D_ALIGN_ERRORS) ? "ERROR: " : "", file, line, (ptr_type)buf->data,
+ buf->offset, buf->len, buf->capacity, buf_debug_file(buf), buf_debug_line(buf));
}
}
#endif /* ifdef VERIFY_ALIGNMENT */
@@ -1200,7 +1191,7 @@
if (str)
{
const size_t len = strlen((const char *)str);
- struct buffer_entry *e = buffer_list_push_data(ol, str, len+1);
+ struct buffer_entry *e = buffer_list_push_data(ol, str, len + 1);
if (e)
{
e->buf.len = (int)len; /* Don't count trailing '\0' as part of length */
@@ -1249,8 +1240,7 @@
}
void
-buffer_list_aggregate_separator(struct buffer_list *bl, const size_t max_len,
- const char *sep)
+buffer_list_aggregate_separator(struct buffer_list *bl, const size_t max_len, const char *sep)
{
const size_t sep_len = strlen(sep);
struct buffer_entry *more = bl->head;
@@ -1339,7 +1329,7 @@
if (fp)
{
- char *line = (char *) malloc(max_line_len);
+ char *line = (char *)malloc(max_line_len);
if (line)
{
bl = buffer_list_new();
@@ -58,13 +58,13 @@
*/
struct buffer
{
- int capacity; /**< Size in bytes of memory allocated by
- * \c malloc(). */
- int offset; /**< Offset in bytes of the actual content
- * within the allocated memory. */
- int len; /**< Length in bytes of the actual content
- * within the allocated memory. */
- uint8_t *data; /**< Pointer to the allocated memory. */
+ int capacity; /**< Size in bytes of memory allocated by
+ * \c malloc(). */
+ int offset; /**< Offset in bytes of the actual content
+ * within the allocated memory. */
+ int len; /**< Length in bytes of the actual content
+ * within the allocated memory. */
+ uint8_t *data; /**< Pointer to the allocated memory. */
#ifdef BUF_INIT_TRACKING
const char *debug_file;
@@ -85,8 +85,8 @@
*/
struct gc_entry
{
- struct gc_entry *next; /**< Pointer to the next item in the
- * linked list. */
+ struct gc_entry *next; /**< Pointer to the next item in the
+ * linked list. */
};
/**
@@ -114,8 +114,8 @@
*/
struct gc_arena
{
- struct gc_entry *list; /**< First element of the linked list of
- * \c gc_entry structures. */
+ struct gc_entry *list; /**< First element of the linked list of
+ * \c gc_entry structures. */
struct gc_entry_special *list_special;
};
@@ -140,7 +140,7 @@
size_t array_mult_safe(const size_t m1, const size_t m2, const size_t extra);
-#define PA_BRACKET (1<<0)
+#define PA_BRACKET (1 << 0)
char *print_argv(const char **p, struct gc_arena *gc, const unsigned int flags);
void buf_size_error(const size_t size);
@@ -166,13 +166,15 @@
char *string_alloc_debug(const char *str, struct gc_arena *gc, const char *file, int line);
-struct buffer string_alloc_buf_debug(const char *str, struct gc_arena *gc, const char *file, int line);
+struct buffer string_alloc_buf_debug(const char *str, struct gc_arena *gc, const char *file,
+ int line);
#else /* ifdef DMALLOC */
struct buffer alloc_buf(size_t size);
-struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc); /* allocate buffer with garbage collection */
+struct buffer alloc_buf_gc(size_t size,
+ struct gc_arena *gc); /* allocate buffer with garbage collection */
struct buffer clone_buf(const struct buffer *buf);
@@ -197,8 +199,7 @@
* @param a gc_arena to use
* @return new pointer
*/
-void *
-gc_realloc(void *ptr, size_t size, struct gc_arena *a);
+void *gc_realloc(void *ptr, size_t size, struct gc_arena *a);
#ifdef BUF_INIT_TRACKING
#define buf_init(buf, offset) buf_init_debug(buf, offset, __FILE__, __LINE__)
@@ -213,14 +214,14 @@
static inline void
gc_freeaddrinfo_callback(void *addr)
{
- freeaddrinfo((struct addrinfo *) addr);
+ freeaddrinfo((struct addrinfo *)addr);
}
/** Return an empty struct buffer */
static inline struct buffer
clear_buf(void)
{
- return (struct buffer) { 0 };
+ return (struct buffer){ 0 };
}
static inline bool
@@ -361,7 +362,7 @@
{
if (maxlen > 0)
{
- strncpy(dest, src, maxlen-1);
+ strncpy(dest, src, maxlen - 1);
dest[maxlen - 1] = 0;
}
}
@@ -416,9 +417,9 @@
SecureZeroMemory(data, len);
#elif defined(__GNUC__) || defined(__clang__)
memset(data, 0, len);
- __asm__ __volatile__ ("" : : "r" (data) : "memory");
+ __asm__ __volatile__("" : : "r"(data) : "memory");
#else
- volatile char *p = (volatile char *) data;
+ volatile char *p = (volatile char *)data;
while (len--)
{
*p++ = 0;
@@ -435,12 +436,12 @@
bool buf_printf(struct buffer *buf, const char *format, ...)
#ifdef __GNUC__
#if __USE_MINGW_ANSI_STDIO
-__attribute__ ((format(gnu_printf, 2, 3)))
+ __attribute__((format(gnu_printf, 2, 3)))
#else
-__attribute__ ((format(__printf__, 2, 3)))
+ __attribute__((format(__printf__, 2, 3)))
#endif
#endif
-;
+ ;
/*
* puts append to a buffer with overflow check
@@ -493,12 +494,10 @@
/*
* Hex dump -- Output a binary buffer to a hex string and return it.
*/
-#define FHE_SPACE_BREAK_MASK 0xFF /* space_break parameter in lower 8 bits */
-#define FHE_CAPS 0x100 /* output hex in caps */
-char *
-format_hex_ex(const uint8_t *data, int size, int maxoutput,
- unsigned int space_break_flags, const char *separator,
- struct gc_arena *gc);
+#define FHE_SPACE_BREAK_MASK 0xFF /* space_break parameter in lower 8 bits */
+#define FHE_CAPS 0x100 /* output hex in caps */
+char *format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags,
+ const char *separator, struct gc_arena *gc);
static inline char *
format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
@@ -725,16 +724,10 @@
}
static inline bool
-buf_copy_range(struct buffer *dest,
- int dest_index,
- const struct buffer *src,
- int src_index,
+buf_copy_range(struct buffer *dest, int dest_index, const struct buffer *src, int src_index,
int src_len)
{
- if (src_index < 0
- || src_len < 0
- || src_index + src_len > src->len
- || dest_index < 0
+ if (src_index < 0 || src_len < 0 || src_index + src_len > src->len || dest_index < 0
|| dest->offset + dest_index + src_len > dest->capacity)
{
return false;
@@ -749,9 +742,7 @@
/* truncate src to len, copy excess data beyond len to dest */
static inline bool
-buf_copy_excess(struct buffer *dest,
- struct buffer *src,
- int len)
+buf_copy_excess(struct buffer *dest, struct buffer *src, int len)
{
if (len < 0)
{
@@ -879,44 +870,44 @@
/* character classes */
-#define CC_ANY (1<<0) /**< any character */
-#define CC_NULL (1<<1) /**< null character \0 */
+#define CC_ANY (1 << 0) /**< any character */
+#define CC_NULL (1 << 1) /**< null character \0 */
-#define CC_ALNUM (1<<2) /**< alphanumeric isalnum() */
-#define CC_ALPHA (1<<3) /**< alphabetic isalpha() */
-#define CC_ASCII (1<<4) /**< ASCII character */
-#define CC_CNTRL (1<<5) /**< control character iscntrl() */
-#define CC_DIGIT (1<<6) /**< digit isdigit() */
-#define CC_PRINT (1<<7) /**< printable (>= 32, != 127) */
-#define CC_PUNCT (1<<8) /**< punctuation ispunct() */
-#define CC_SPACE (1<<9) /**< whitespace isspace() */
-#define CC_XDIGIT (1<<10) /**< hex digit isxdigit() */
+#define CC_ALNUM (1 << 2) /**< alphanumeric isalnum() */
+#define CC_ALPHA (1 << 3) /**< alphabetic isalpha() */
+#define CC_ASCII (1 << 4) /**< ASCII character */
+#define CC_CNTRL (1 << 5) /**< control character iscntrl() */
+#define CC_DIGIT (1 << 6) /**< digit isdigit() */
+#define CC_PRINT (1 << 7) /**< printable (>= 32, != 127) */
+#define CC_PUNCT (1 << 8) /**< punctuation ispunct() */
+#define CC_SPACE (1 << 9) /**< whitespace isspace() */
+#define CC_XDIGIT (1 << 10) /**< hex digit isxdigit() */
-#define CC_BLANK (1<<11) /**< space or tab */
-#define CC_NEWLINE (1<<12) /**< newline */
-#define CC_CR (1<<13) /**< carriage return */
+#define CC_BLANK (1 << 11) /**< space or tab */
+#define CC_NEWLINE (1 << 12) /**< newline */
+#define CC_CR (1 << 13) /**< carriage return */
-#define CC_BACKSLASH (1<<14) /**< backslash */
-#define CC_UNDERBAR (1<<15) /**< underscore */
-#define CC_DASH (1<<16) /**< dash */
-#define CC_DOT (1<<17) /**< dot */
-#define CC_COMMA (1<<18) /**< comma */
-#define CC_COLON (1<<19) /**< colon */
-#define CC_SLASH (1<<20) /**< slash */
-#define CC_SINGLE_QUOTE (1<<21) /**< single quote */
-#define CC_DOUBLE_QUOTE (1<<22) /**< double quote */
-#define CC_REVERSE_QUOTE (1<<23) /**< reverse quote */
-#define CC_AT (1<<24) /**< at sign */
-#define CC_EQUAL (1<<25) /**< equal sign */
-#define CC_LESS_THAN (1<<26) /**< less than sign */
-#define CC_GREATER_THAN (1<<27) /**< greater than sign */
-#define CC_PIPE (1<<28) /**< pipe */
-#define CC_QUESTION_MARK (1<<29) /**< question mark */
-#define CC_ASTERISK (1<<30) /**< asterisk */
+#define CC_BACKSLASH (1 << 14) /**< backslash */
+#define CC_UNDERBAR (1 << 15) /**< underscore */
+#define CC_DASH (1 << 16) /**< dash */
+#define CC_DOT (1 << 17) /**< dot */
+#define CC_COMMA (1 << 18) /**< comma */
+#define CC_COLON (1 << 19) /**< colon */
+#define CC_SLASH (1 << 20) /**< slash */
+#define CC_SINGLE_QUOTE (1 << 21) /**< single quote */
+#define CC_DOUBLE_QUOTE (1 << 22) /**< double quote */
+#define CC_REVERSE_QUOTE (1 << 23) /**< reverse quote */
+#define CC_AT (1 << 24) /**< at sign */
+#define CC_EQUAL (1 << 25) /**< equal sign */
+#define CC_LESS_THAN (1 << 26) /**< less than sign */
+#define CC_GREATER_THAN (1 << 27) /**< greater than sign */
+#define CC_PIPE (1 << 28) /**< pipe */
+#define CC_QUESTION_MARK (1 << 29) /**< question mark */
+#define CC_ASTERISK (1 << 30) /**< asterisk */
/* macro classes */
-#define CC_NAME (CC_ALNUM|CC_UNDERBAR) /**< alphanumeric plus underscore */
-#define CC_CRLF (CC_CR|CC_NEWLINE) /**< carriage return or newline */
+#define CC_NAME (CC_ALNUM | CC_UNDERBAR) /**< alphanumeric plus underscore */
+#define CC_CRLF (CC_CR | CC_NEWLINE) /**< carriage return or newline */
bool char_class(const unsigned char c, const unsigned int flags);
@@ -935,7 +926,8 @@
* @param replace The character to replace the specified character classes with.
* @return True if the string was not modified, false otherwise.
*/
-bool string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive, const char replace);
+bool string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive,
+ const char replace);
/**
@@ -946,8 +938,8 @@
* @param exclusive Character classes that are not allowed even if they are also in inclusive.
* @return True if the string consists only of allowed characters, false otherwise.
*/
-bool
-string_check_buf(struct buffer *buf, const unsigned int inclusive, const unsigned int exclusive);
+bool string_check_buf(struct buffer *buf, const unsigned int inclusive,
+ const unsigned int exclusive);
/**
* Returns a copy of a string with certain classes of characters of it replaced with a specified
@@ -963,11 +955,8 @@
*
* @return The modified string with characters replaced within the specified range.
*/
-const char *string_mod_const(const char *str,
- const unsigned int inclusive,
- const unsigned int exclusive,
- const char replace,
- struct gc_arena *gc);
+const char *string_mod_const(const char *str, const unsigned int inclusive,
+ const unsigned int exclusive, const char replace, struct gc_arena *gc);
void string_replace_leading(char *str, const char match, const char replace);
@@ -1051,51 +1040,51 @@
* Allocate memory to hold a structure
*/
-#define ALLOC_OBJ(dptr, type) \
- { \
- check_malloc_return((dptr) = (type *) malloc(sizeof(type))); \
+#define ALLOC_OBJ(dptr, type) \
+ { \
+ check_malloc_return((dptr) = (type *)malloc(sizeof(type))); \
}
-#define ALLOC_OBJ_CLEAR(dptr, type) \
- { \
- ALLOC_OBJ(dptr, type); \
+#define ALLOC_OBJ_CLEAR(dptr, type) \
+ { \
+ ALLOC_OBJ(dptr, type); \
memset((dptr), 0, sizeof(type)); \
}
-#define ALLOC_ARRAY(dptr, type, n) \
- { \
- check_malloc_return((dptr) = (type *) malloc(array_mult_safe(sizeof(type), (n), 0))); \
+#define ALLOC_ARRAY(dptr, type, n) \
+ { \
+ check_malloc_return((dptr) = (type *)malloc(array_mult_safe(sizeof(type), (n), 0))); \
}
-#define ALLOC_ARRAY_GC(dptr, type, n, gc) \
- { \
- (dptr) = (type *) gc_malloc(array_mult_safe(sizeof(type), (n), 0), false, (gc)); \
+#define ALLOC_ARRAY_GC(dptr, type, n, gc) \
+ { \
+ (dptr) = (type *)gc_malloc(array_mult_safe(sizeof(type), (n), 0), false, (gc)); \
}
-#define ALLOC_ARRAY_CLEAR(dptr, type, n) \
- { \
- ALLOC_ARRAY(dptr, type, n); \
+#define ALLOC_ARRAY_CLEAR(dptr, type, n) \
+ { \
+ ALLOC_ARRAY(dptr, type, n); \
memset((dptr), 0, (array_mult_safe(sizeof(type), (n), 0))); \
}
-#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc) \
- { \
- (dptr) = (type *) gc_malloc(array_mult_safe(sizeof(type), (n), 0), true, (gc)); \
+#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc) \
+ { \
+ (dptr) = (type *)gc_malloc(array_mult_safe(sizeof(type), (n), 0), true, (gc)); \
}
-#define ALLOC_VAR_ARRAY_CLEAR_GC(dptr, type, atype, n, gc) \
- { \
- (dptr) = (type *) gc_malloc(array_mult_safe(sizeof(atype), (n), sizeof(type)), true, (gc)); \
+#define ALLOC_VAR_ARRAY_CLEAR_GC(dptr, type, atype, n, gc) \
+ { \
+ (dptr) = (type *)gc_malloc(array_mult_safe(sizeof(atype), (n), sizeof(type)), true, (gc)); \
}
-#define ALLOC_OBJ_GC(dptr, type, gc) \
- { \
- (dptr) = (type *) gc_malloc(sizeof(type), false, (gc)); \
+#define ALLOC_OBJ_GC(dptr, type, gc) \
+ { \
+ (dptr) = (type *)gc_malloc(sizeof(type), false, (gc)); \
}
-#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc) \
- { \
- (dptr) = (type *) gc_malloc(sizeof(type), true, (gc)); \
+#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc) \
+ { \
+ (dptr) = (type *)gc_malloc(sizeof(type), true, (gc)); \
}
static inline void
@@ -1120,8 +1109,8 @@
{
struct buffer_entry *head; /* next item to pop/peek */
struct buffer_entry *tail; /* last item pushed */
- int size; /* current number of entries */
- int max_size; /* maximum size list should grow to */
+ int size; /* current number of entries */
+ int max_size; /* maximum size list should grow to */
};
/**
@@ -1209,8 +1198,7 @@
* @param max_len the maximum length of the aggregated buffer
* @param sep the separator to put between buffers during aggregation
*/
-void buffer_list_aggregate_separator(struct buffer_list *bl,
- const size_t max_len, const char *sep);
+void buffer_list_aggregate_separator(struct buffer_list *bl, const size_t max_len, const char *sep);
struct buffer_list *buffer_list_file(const char *fn, int max_line_len);
@@ -28,49 +28,46 @@
#include "error.h"
#define CIRC_LIST(name, type) \
- struct name { \
- int x_head; \
- int x_size; \
- int x_cap; \
- int x_sizeof; \
- type x_list[]; \
+ struct name \
+ { \
+ int x_head; \
+ int x_size; \
+ int x_cap; \
+ int x_sizeof; \
+ type x_list[]; \
}
-#define CIRC_LIST_PUSH(obj, item) \
- { \
+#define CIRC_LIST_PUSH(obj, item) \
+ { \
(obj)->x_head = modulo_add((obj)->x_head, -1, (obj)->x_cap); \
- (obj)->x_list[(obj)->x_head] = (item); \
- (obj)->x_size = min_int((obj)->x_size + 1, (obj)->x_cap); \
+ (obj)->x_list[(obj)->x_head] = (item); \
+ (obj)->x_size = min_int((obj)->x_size + 1, (obj)->x_cap); \
}
-#define CIRC_LIST_SIZE(obj) \
- ((obj)->x_size)
+#define CIRC_LIST_SIZE(obj) ((obj)->x_size)
-#define CIRC_LIST_INDEX(obj, index) \
- modulo_add((obj)->x_head, \
- index_verify((index), (obj)->x_size, __FILE__, __LINE__), \
+#define CIRC_LIST_INDEX(obj, index) \
+ modulo_add((obj)->x_head, index_verify((index), (obj)->x_size, __FILE__, __LINE__), \
(obj)->x_cap)
-#define CIRC_LIST_ITEM(obj, index) \
- ((obj)->x_list[CIRC_LIST_INDEX((obj), (index))])
+#define CIRC_LIST_ITEM(obj, index) ((obj)->x_list[CIRC_LIST_INDEX((obj), (index))])
#define CIRC_LIST_RESET(obj) \
- { \
- (obj)->x_head = 0; \
- (obj)->x_size = 0; \
+ { \
+ (obj)->x_head = 0; \
+ (obj)->x_size = 0; \
}
-#define CIRC_LIST_ALLOC(dest, list_type, size) \
- { \
+#define CIRC_LIST_ALLOC(dest, list_type, size) \
+ { \
const int so = sizeof(list_type) + sizeof((dest)->x_list[0]) * (size); \
- (dest) = (list_type *) malloc(so); \
- check_malloc_return(dest); \
- memset((dest), 0, so); \
- (dest)->x_cap = size; \
- (dest)->x_sizeof = so; \
+ (dest) = (list_type *)malloc(so); \
+ check_malloc_return(dest); \
+ memset((dest), 0, so); \
+ (dest)->x_cap = size; \
+ (dest)->x_sizeof = so; \
}
-#define CIRC_LIST_FREE(dest) \
- free(dest)
+#define CIRC_LIST_FREE(dest) free(dest)
#endif /* ifndef CIRC_LIST_H */
@@ -32,8 +32,7 @@
#include "memdbg.h"
static bool
-add_entry(struct client_nat_option_list *dest,
- const struct client_nat_entry *e)
+add_entry(struct client_nat_option_list *dest, const struct client_nat_entry *e)
{
if (dest->n >= MAX_CLIENT_NAT)
{
@@ -59,9 +58,7 @@
for (i = 0; i < list->n; ++i)
{
const struct client_nat_entry *e = &list->entries[i];
- msg(msglevel, " CNAT[%d] t=%d %s/%s/%s",
- i,
- e->type,
+ msg(msglevel, " CNAT[%d] t=%d %s/%s/%s", i, e->type,
print_in_addr_t(e->network, IA_NET_ORDER, &gc),
print_in_addr_t(e->netmask, IA_NET_ORDER, &gc),
print_in_addr_t(e->foreign_network, IA_NET_ORDER, &gc));
@@ -102,11 +99,8 @@
}
void
-add_client_nat_to_option_list(struct client_nat_option_list *dest,
- const char *type,
- const char *network,
- const char *netmask,
- const char *foreign_network,
+add_client_nat_to_option_list(struct client_nat_option_list *dest, const char *type,
+ const char *network, const char *netmask, const char *foreign_network,
int msglevel)
{
struct client_nat_entry e;
@@ -179,9 +173,7 @@
dirstr = "IN";
}
- msg(msglevel, "** CNAT %s %s %s -> %s",
- dirstr,
- prefix,
+ msg(msglevel, "** CNAT %s %s %s -> %s", dirstr, prefix,
print_in_addr_t(iph->saddr, IA_NET_ORDER, &gc),
print_in_addr_t(iph->daddr, IA_NET_ORDER, &gc));
@@ -189,11 +181,10 @@
}
void
-client_nat_transform(const struct client_nat_option_list *list,
- struct buffer *ipbuf,
+client_nat_transform(const struct client_nat_option_list *list, struct buffer *ipbuf,
const int direction)
{
- struct ip_tcp_udp_hdr *h = (struct ip_tcp_udp_hdr *) BPTR(ipbuf);
+ struct ip_tcp_udp_hdr *h = (struct ip_tcp_udp_hdr *)BPTR(ipbuf);
int i;
uint32_t addr, *addr_ptr;
const uint32_t *from, *to;
@@ -30,7 +30,8 @@
#define CN_OUTGOING 0
#define CN_INCOMING 1
-struct client_nat_entry {
+struct client_nat_entry
+{
#define CN_SNAT 0
#define CN_DNAT 1
int type;
@@ -39,28 +40,27 @@
in_addr_t foreign_network;
};
-struct client_nat_option_list {
+struct client_nat_option_list
+{
int n;
struct client_nat_entry entries[MAX_CLIENT_NAT];
};
struct client_nat_option_list *new_client_nat_list(struct gc_arena *gc);
-struct client_nat_option_list *clone_client_nat_option_list(const struct client_nat_option_list *src, struct gc_arena *gc);
+struct client_nat_option_list *clone_client_nat_option_list(
+ const struct client_nat_option_list *src, struct gc_arena *gc);
-void copy_client_nat_option_list(struct client_nat_option_list *dest, const struct client_nat_option_list *src);
+void copy_client_nat_option_list(struct client_nat_option_list *dest,
+ const struct client_nat_option_list *src);
void print_client_nat_list(const struct client_nat_option_list *list, int msglevel);
-void add_client_nat_to_option_list(struct client_nat_option_list *dest,
- const char *type,
- const char *network,
- const char *netmask,
- const char *foreign_network,
- int msglevel);
+void add_client_nat_to_option_list(struct client_nat_option_list *dest, const char *type,
+ const char *network, const char *netmask,
+ const char *foreign_network, int msglevel);
-void client_nat_transform(const struct client_nat_option_list *list,
- struct buffer *ipbuf,
+void client_nat_transform(const struct client_nat_option_list *list, struct buffer *ipbuf,
const int direction);
#endif /* if !defined(CLINAT_H) */
@@ -27,7 +27,7 @@
* Statistics counters and associated printf format.
*/
typedef uint64_t counter_type;
-#define counter_format "%" PRIu64
+#define counter_format "%" PRIu64
/*
* Time intervals
@@ -37,17 +37,17 @@
/*
* Used as an upper bound for timeouts.
*/
-#define BIG_TIMEOUT (60*60*24*7) /* one week (in seconds) */
+#define BIG_TIMEOUT (60 * 60 * 24 * 7) /* one week (in seconds) */
/*
* Printf formats for special types
*/
#ifdef _WIN64
-#define ptr_format "0x%016" PRIx64
+#define ptr_format "0x%016" PRIx64
#else
-#define ptr_format "0x%08lx"
+#define ptr_format "0x%08lx"
#endif
-#define fragment_header_format "0x%08x"
+#define fragment_header_format "0x%08x"
/* these are used to cast the arguments
* and MUST match the formats above */
@@ -94,6 +94,7 @@
/*
* Script security warning
*/
-#define SCRIPT_SECURITY_WARNING "WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info."
+#define SCRIPT_SECURITY_WARNING \
+ "WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info."
#endif /* ifndef COMMON_H */
@@ -56,8 +56,7 @@
/* Doesn't do any actual compression anymore */
static void
-lz4_compress(struct buffer *buf, struct buffer work,
- struct compress_context *compctx,
+lz4_compress(struct buffer *buf, struct buffer work, struct compress_context *compctx,
const struct frame *frame)
{
if (buf->len <= 0)
@@ -78,8 +77,7 @@
/* Doesn't do any actual compression anymore */
static void
-lz4v2_compress(struct buffer *buf, struct buffer work,
- struct compress_context *compctx,
+lz4v2_compress(struct buffer *buf, struct buffer work, struct compress_context *compctx,
const struct frame *frame)
{
if (buf->len <= 0)
@@ -91,14 +89,13 @@
}
static void
-do_lz4_decompress(size_t zlen_max,
- struct buffer *work,
- struct buffer *buf,
+do_lz4_decompress(size_t zlen_max, struct buffer *work, struct buffer *buf,
struct compress_context *compctx)
{
int uncomp_len;
ASSERT(buf_safe(work, zlen_max));
- uncomp_len = LZ4_decompress_safe((const char *)BPTR(buf), (char *)BPTR(work), (size_t)BLEN(buf), zlen_max);
+ uncomp_len = LZ4_decompress_safe((const char *)BPTR(buf), (char *)BPTR(work), (size_t)BLEN(buf),
+ zlen_max);
if (uncomp_len <= 0)
{
dmsg(D_COMP_ERRORS, "LZ4 decompression error: %d", uncomp_len);
@@ -117,12 +114,11 @@
}
static void
-lz4_decompress(struct buffer *buf, struct buffer work,
- struct compress_context *compctx,
+lz4_decompress(struct buffer *buf, struct buffer work, struct compress_context *compctx,
const struct frame *frame)
{
size_t zlen_max = frame->buf.payload_size;
- uint8_t c; /* flag indicating whether or not our peer compressed */
+ uint8_t c; /* flag indicating whether or not our peer compressed */
if (buf->len <= 0)
{
@@ -155,12 +151,11 @@
}
static void
-lz4v2_decompress(struct buffer *buf, struct buffer work,
- struct compress_context *compctx,
+lz4v2_decompress(struct buffer *buf, struct buffer work, struct compress_context *compctx,
const struct frame *frame)
{
size_t zlen_max = frame->buf.payload_size;
- uint8_t c; /* flag indicating whether or not our peer compressed */
+ uint8_t c; /* flag indicating whether or not our peer compressed */
if (buf->len <= 0)
{
@@ -203,19 +198,9 @@
}
}
-const struct compress_alg lz4_alg = {
- "lz4",
- lz4_compress_init,
- lz4_compress_uninit,
- lz4_compress,
- lz4_decompress
-};
+const struct compress_alg lz4_alg = { "lz4", lz4_compress_init, lz4_compress_uninit, lz4_compress,
+ lz4_decompress };
-const struct compress_alg lz4v2_alg = {
- "lz4v2",
- lz4v2_compress_init,
- lz4_compress_uninit,
- lz4v2_compress,
- lz4v2_decompress
-};
+const struct compress_alg lz4v2_alg = { "lz4v2", lz4v2_compress_init, lz4_compress_uninit,
+ lz4v2_compress, lz4v2_decompress };
#endif /* ENABLE_LZ4 */
@@ -171,10 +171,10 @@
{
#ifdef USE_COMP
msg(msglevel, "Compression or compression stub framing is not allowed "
- "since data-channel offloading is enabled.");
+ "since data-channel offloading is enabled.");
#else
msg(msglevel, "Compression or compression stub framing is not allowed "
- "since OpenVPN was built without compression support.");
+ "since OpenVPN was built without compression support.");
#endif
return false;
}
@@ -182,14 +182,14 @@
if ((info->flags & COMP_F_ALLOW_STUB_ONLY) && comp_non_stub_enabled(info))
{
msg(msglevel, "Compression is not allowed since allow-compression is "
- "set to 'stub-only'");
+ "set to 'stub-only'");
return false;
}
#ifndef ENABLE_LZ4
if (info->alg == COMP_ALGV2_LZ4 || info->alg == COMP_ALG_LZ4)
{
msg(msglevel, "OpenVPN is compiled without LZ4 support. Requested "
- "compression cannot be enabled.");
+ "compression cannot be enabled.");
return false;
}
#endif
@@ -197,7 +197,7 @@
if (info->alg == COMP_ALG_LZO)
{
msg(msglevel, "OpenVPN is compiled without LZO support. Requested "
- "compression cannot be enabled.");
+ "compression cannot be enabled.");
return false;
}
#endif
@@ -33,21 +33,22 @@
/* Compression flags */
/* Removed
#define COMP_F_ADAPTIVE (1<<0) / * COMP_ALG_LZO only * /
- #define COMP_F_ALLOW_COMPRESS (1<<1) / * not only incoming is compressed but also outgoing * /
+ #define COMP_F_ALLOW_COMPRESS (1<<1) / * not only incoming is compressed but also outgoing *
+ /
*/
/** initial command byte is swapped with last byte in buffer to preserve payload alignment */
-#define COMP_F_SWAP (1<<2)
+#define COMP_F_SWAP (1 << 2)
/** tell server that we only support compression stubs */
-#define COMP_F_ADVERTISE_STUBS_ONLY (1<<3)
+#define COMP_F_ADVERTISE_STUBS_ONLY (1 << 3)
/** Only accept stub compression, even with COMP_F_ADVERTISE_STUBS_ONLY
* we still accept other compressions to be pushed */
-#define COMP_F_ALLOW_STUB_ONLY (1<<4)
+#define COMP_F_ALLOW_STUB_ONLY (1 << 4)
/** push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ */
-#define COMP_F_MIGRATE (1<<5)
+#define COMP_F_MIGRATE (1 << 5)
/** Compression was explicitly set to allow asymetric compression */
-#define COMP_F_ALLOW_ASYM (1<<6)
+#define COMP_F_ALLOW_ASYM (1 << 6)
/** Do not allow compression framing (breaks DCO) */
-#define COMP_F_ALLOW_NOCOMP_ONLY (1<<7)
+#define COMP_F_ALLOW_NOCOMP_ONLY (1 << 7)
/* algorithms */
#define COMP_ALG_UNDEF 0
@@ -60,7 +61,7 @@
/* algorithm v2 */
#define COMP_ALGV2_UNCOMPRESSED 10
-#define COMP_ALGV2_LZ4 11
+#define COMP_ALGV2_LZ4 11
/*
#define COMP_ALGV2_LZO 12
#define COMP_ALGV2_SNAPPY 13
@@ -79,8 +80,7 @@
static inline bool
comp_non_stub_enabled(const struct compress_options *info)
{
- return info->alg != COMP_ALGV2_UNCOMPRESSED
- && info->alg != COMP_ALG_STUB
+ return info->alg != COMP_ALGV2_UNCOMPRESSED && info->alg != COMP_ALG_STUB
&& info->alg != COMP_ALG_UNDEF;
}
@@ -89,8 +89,7 @@
* flags of allow-compression and also the whether algorithms are compiled
* in
*/
-bool
-check_compression_settings_valid(struct compress_options *info, int msglevel);
+bool check_compression_settings_valid(struct compress_options *info, int msglevel);
#ifdef USE_COMP
#include "buffer.h"
@@ -109,18 +108,18 @@
/* V1 on wire codes */
/* Initial command byte to tell our peer if we compressed */
-#define LZO_COMPRESS_BYTE 0x66
-#define LZ4_COMPRESS_BYTE 0x69
+#define LZO_COMPRESS_BYTE 0x66
+#define LZ4_COMPRESS_BYTE 0x69
#define NO_COMPRESS_BYTE 0xFA
/** to maintain payload alignment, replace this byte with last byte of packet */
#define NO_COMPRESS_BYTE_SWAP 0xFB
/* V2 on wire code */
-#define COMP_ALGV2_INDICATOR_BYTE 0x50
-#define COMP_ALGV2_UNCOMPRESSED_BYTE 0
-#define COMP_ALGV2_LZ4_BYTE 1
-#define COMP_ALGV2_LZO_BYTE 2
-#define COMP_ALGV2_SNAPPY_BYTE 3
+#define COMP_ALGV2_INDICATOR_BYTE 0x50
+#define COMP_ALGV2_UNCOMPRESSED_BYTE 0
+#define COMP_ALGV2_LZ4_BYTE 1
+#define COMP_ALGV2_LZO_BYTE 2
+#define COMP_ALGV2_SNAPPY_BYTE 3
/*
* Compress worst case size expansion (for any algorithm)
@@ -129,7 +128,7 @@
* Snappy: len + len/6 + 32
* LZ4: len + len/255 + 16 (LZ4_COMPRESSBOUND(len))
*/
-#define COMP_EXTRA_BUFFER(len) ((len)/6 + 128 + 3 + COMP_PREFIX_LEN)
+#define COMP_EXTRA_BUFFER(len) ((len) / 6 + 128 + 3 + COMP_PREFIX_LEN)
/*
* Don't try to compress any packet smaller than this.
@@ -147,12 +146,10 @@
const char *name;
void (*compress_init)(struct compress_context *compctx);
void (*compress_uninit)(struct compress_context *compctx);
- void (*compress)(struct buffer *buf, struct buffer work,
- struct compress_context *compctx,
+ void (*compress)(struct buffer *buf, struct buffer work, struct compress_context *compctx,
const struct frame *frame);
- void (*decompress)(struct buffer *buf, struct buffer work,
- struct compress_context *compctx,
+ void (*decompress)(struct buffer *buf, struct buffer work, struct compress_context *compctx,
const struct frame *frame);
};
@@ -45,8 +45,7 @@
}
static void
-stub_compress(struct buffer *buf, struct buffer work,
- struct compress_context *compctx,
+stub_compress(struct buffer *buf, struct buffer work, struct compress_context *compctx,
const struct frame *frame)
{
if (buf->len <= 0)
@@ -56,7 +55,7 @@
if (compctx->flags & COMP_F_SWAP)
{
uint8_t *head = BPTR(buf);
- uint8_t *tail = BEND(buf);
+ uint8_t *tail = BEND(buf);
ASSERT(buf_safe(buf, 1));
++buf->len;
@@ -72,8 +71,7 @@
}
static void
-stub_decompress(struct buffer *buf, struct buffer work,
- struct compress_context *compctx,
+stub_decompress(struct buffer *buf, struct buffer work, struct compress_context *compctx,
const struct frame *frame)
{
uint8_t c;
@@ -107,8 +105,7 @@
static void
-stubv2_compress(struct buffer *buf, struct buffer work,
- struct compress_context *compctx,
+stubv2_compress(struct buffer *buf, struct buffer work, struct compress_context *compctx,
const struct frame *frame)
{
if (buf->len <= 0)
@@ -120,8 +117,7 @@
}
static void
-stubv2_decompress(struct buffer *buf, struct buffer work,
- struct compress_context *compctx,
+stubv2_decompress(struct buffer *buf, struct buffer work, struct compress_context *compctx,
const struct frame *frame)
{
if (buf->len <= 0)
@@ -157,19 +153,9 @@
}
}
-const struct compress_alg compv2_stub_alg = {
- "stubv2",
- stub_compress_init,
- stub_compress_uninit,
- stubv2_compress,
- stubv2_decompress
-};
+const struct compress_alg compv2_stub_alg = { "stubv2", stub_compress_init, stub_compress_uninit,
+ stubv2_compress, stubv2_decompress };
-const struct compress_alg comp_stub_alg = {
- "stub",
- stub_compress_init,
- stub_compress_uninit,
- stub_compress,
- stub_decompress
-};
+const struct compress_alg comp_stub_alg = { "stub", stub_compress_init, stub_compress_uninit,
+ stub_compress, stub_decompress };
#endif /* USE_STUB */
@@ -37,7 +37,7 @@
#endif
-struct _query_user query_user[QUERY_USER_NUMSLOTS]; /* GLOBAL */
+struct _query_user query_user[QUERY_USER_NUMSLOTS]; /* GLOBAL */
void
@@ -53,16 +53,14 @@
void
-query_user_add(char *prompt, size_t prompt_len,
- char *resp, size_t resp_len,
- bool echo)
+query_user_add(char *prompt, size_t prompt_len, char *resp, size_t resp_len, bool echo)
{
int i;
/* Ensure input is sane. All these must be present otherwise it is
* a programming error.
*/
- ASSERT( prompt_len > 0 && prompt != NULL && resp_len > 0 && resp != NULL );
+ ASSERT(prompt_len > 0 && prompt != NULL && resp_len > 0 && resp != NULL);
/* Seek to the last unused slot */
for (i = 0; i < QUERY_USER_NUMSLOTS; i++)
@@ -72,7 +70,7 @@
break;
}
}
- ASSERT( i < QUERY_USER_NUMSLOTS ); /* Unlikely, but we want to panic if it happens */
+ ASSERT(i < QUERY_USER_NUMSLOTS); /* Unlikely, but we want to panic if it happens */
/* Save the information needed for the user interaction */
query_user[i].prompt = prompt;
@@ -30,16 +30,17 @@
/**
* Configuration setup for declaring what kind of information to ask a user for
*/
-struct _query_user {
- char *prompt; /**< Prompt to present to the user */
- size_t prompt_len; /**< Length of the prompt string */
- char *response; /**< The user's response */
- size_t response_len; /**< Length the of the user response */
- bool echo; /**< True: The user should see what is being typed, otherwise mask it */
+struct _query_user
+{
+ char *prompt; /**< Prompt to present to the user */
+ size_t prompt_len; /**< Length of the prompt string */
+ char *response; /**< The user's response */
+ size_t response_len; /**< Length the of the user response */
+ bool echo; /**< True: The user should see what is being typed, otherwise mask it */
};
#define QUERY_USER_NUMSLOTS 10
-extern struct _query_user query_user[]; /**< Global variable, declared in console.c */
+extern struct _query_user query_user[]; /**< Global variable, declared in console.c */
/**
* Wipes all data put into all of the query_user structs
@@ -58,9 +59,7 @@
* @param echo Should the user input be echoed to the user? If False, input will be masked
*
*/
-void query_user_add(char *prompt, size_t prompt_len,
- char *resp, size_t resp_len,
- bool echo);
+void query_user_add(char *prompt, size_t prompt_len, char *resp, size_t resp_len, bool echo);
/**
@@ -107,7 +106,7 @@
{
return query_user_exec_builtin();
}
-#endif /* defined(ENABLE_SYSTEMD) */
+#endif /* defined(ENABLE_SYSTEMD) */
/**
@@ -118,9 +117,7 @@
*
*/
static inline bool
-query_user_SINGLE(char *prompt, size_t prompt_len,
- char *resp, size_t resp_len,
- bool echo)
+query_user_SINGLE(char *prompt, size_t prompt_len, char *resp, size_t resp_len, bool echo)
{
query_user_clear();
query_user_add(prompt, prompt_len, resp, resp_len, echo);
@@ -67,11 +67,10 @@
HANDLE in = GetStdHandle(STD_INPUT_HANDLE);
int orig_stderr = get_orig_stderr(); /* guaranteed to be always valid */
- if ((in == INVALID_HANDLE_VALUE)
- || win32_service_interrupt(&win32_signal)
+ if ((in == INVALID_HANDLE_VALUE) || win32_service_interrupt(&win32_signal)
|| (_write(orig_stderr, prompt, strlen(prompt)) == -1))
{
- msg(M_WARN|M_ERRNO, "get_console_input_win32(): unexpected error");
+ msg(M_WARN | M_ERRNO, "get_console_input_win32(): unexpected error");
return false;
}
@@ -135,7 +134,7 @@
return false;
}
-#endif /* _WIN32 */
+#endif /* _WIN32 */
#ifdef HAVE_TERMIOS_H
@@ -177,7 +176,7 @@
}
}
-#endif /* HAVE_TERMIOS_H */
+#endif /* HAVE_TERMIOS_H */
/**
@@ -209,15 +208,17 @@
* (in which case neither stdin or stderr are connected to a tty and
* /dev/tty can not be open()ed anymore)
*/
- if (!isatty(0) && !isatty(2) )
+ if (!isatty(0) && !isatty(2))
{
- int fd = open( "/dev/tty", O_RDWR );
+ int fd = open("/dev/tty", O_RDWR);
if (fd < 0)
{
- msg(M_FATAL, "neither stdin nor stderr are a tty device and you have neither a "
+ msg(M_FATAL,
+ "neither stdin nor stderr are a tty device and you have neither a "
"controlling tty nor systemd - can't ask for '%s'. If you used --daemon, "
"you need to use --askpass to make passphrase-protected keys work, and you "
- "can not use --auth-nocache.", prompt );
+ "can not use --auth-nocache.",
+ prompt);
}
close(fd);
}
@@ -285,8 +286,8 @@
/* Loop through configured query_user slots */
for (i = 0; i < QUERY_USER_NUMSLOTS && query_user[i].response != NULL; i++)
{
- if (!get_console_input(query_user[i].prompt, query_user[i].echo,
- query_user[i].response, query_user[i].response_len) )
+ if (!get_console_input(query_user[i].prompt, query_user[i].echo, query_user[i].response,
+ query_user[i].response_len))
{
/* Force the final result state to failed on failure */
ret = false;
@@ -50,9 +50,7 @@
* mounted, as well as the systemd-ask-password executable
* being available */
- return (sd_booted() > 0)
- && (stat(SYSTEMD_ASK_PASSWORD_PATH, &c) == 0);
-
+ return (sd_booted() > 0) && (stat(SYSTEMD_ASK_PASSWORD_PATH, &c) == 0);
}
static bool
@@ -79,7 +77,7 @@
return false;
}
memset(input, 0, capacity);
- if (read(std_out, input, capacity-1) != 0)
+ if (read(std_out, input, capacity - 1) != 0)
{
chomp(input);
ret = true;
@@ -99,7 +97,7 @@
bool
query_user_exec_systemd(void)
{
- bool ret = true; /* Presume everything goes okay */
+ bool ret = true; /* Presume everything goes okay */
int i;
/* If systemd is not available, use the default built-in mechanism */
@@ -112,7 +110,7 @@
for (i = 0; i < QUERY_USER_NUMSLOTS && query_user[i].response != NULL; i++)
{
if (!get_console_input_systemd(query_user[i].prompt, query_user[i].echo,
- query_user[i].response, query_user[i].response_len) )
+ query_user[i].response, query_user[i].response_len))
{
/* Force the final result state to failed on failure */
ret = false;
@@ -63,8 +63,7 @@
*/
static void
-openvpn_encrypt_aead(struct buffer *buf, struct buffer work,
- struct crypto_options *opt)
+openvpn_encrypt_aead(struct buffer *buf, struct buffer work, struct crypto_options *opt)
{
struct gc_arena gc;
int outlen = 0;
@@ -88,7 +87,7 @@
/* Prepare IV */
{
struct buffer iv_buffer;
- uint8_t iv[OPENVPN_MAX_IV_LENGTH] = {0};
+ uint8_t iv[OPENVPN_MAX_IV_LENGTH] = { 0 };
const int iv_len = cipher_ctx_iv_length(ctx->cipher);
ASSERT(iv_len >= OPENVPN_AEAD_MIN_IV_LEN && iv_len <= OPENVPN_MAX_IV_LENGTH);
@@ -133,17 +132,14 @@
/* Buffer overflow check */
if (!buf_safe(&work, buf->len + mac_len + cipher_ctx_block_size(ctx->cipher)))
{
- msg(D_CRYPT_ERRORS,
- "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d",
- buf->capacity, buf->offset, buf->len, work.capacity, work.offset,
- work.len);
+ msg(D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d",
+ buf->capacity, buf->offset, buf->len, work.capacity, work.offset, work.len);
goto err;
}
/* For AEAD ciphers, authenticate Additional Data, including opcode */
ASSERT(cipher_ctx_update_ad(ctx->cipher, BPTR(&work), BLEN(&work)));
- dmsg(D_PACKET_CONTENT, "ENCRYPT AD: %s",
- format_hex(BPTR(&work), BLEN(&work), 0, &gc));
+ dmsg(D_PACKET_CONTENT, "ENCRYPT AD: %s", format_hex(BPTR(&work), BLEN(&work), 0, &gc));
if (!use_epoch_data_format)
{
@@ -159,7 +155,7 @@
/* update number of plaintext blocks encrypted. Use the (x + (n-1))/n trick
* to round up the result to the number of blocks used */
const int blocksize = AEAD_LIMIT_BLOCKSIZE;
- opt->key_ctx_bi.encrypt.plaintext_blocks += (outlen + (blocksize - 1))/blocksize;
+ opt->key_ctx_bi.encrypt.plaintext_blocks += (outlen + (blocksize - 1)) / blocksize;
/* Flush the encryption buffer */
ASSERT(cipher_ctx_final(ctx->cipher, BEND(&work), &outlen));
@@ -191,8 +187,7 @@
}
static void
-openvpn_encrypt_v1(struct buffer *buf, struct buffer work,
- struct crypto_options *opt)
+openvpn_encrypt_v1(struct buffer *buf, struct buffer work, struct crypto_options *opt)
{
struct gc_arena gc;
gc_init(&gc);
@@ -206,7 +201,7 @@
/* Do Encrypt from buf -> work */
if (ctx->cipher)
{
- uint8_t iv_buf[OPENVPN_MAX_IV_LENGTH] = {0};
+ uint8_t iv_buf[OPENVPN_MAX_IV_LENGTH] = { 0 };
const int iv_size = cipher_ctx_iv_length(ctx->cipher);
int outlen;
@@ -226,8 +221,7 @@
/* Put packet ID in plaintext buffer */
if (packet_id_initialized(&opt->packet_id)
&& !packet_id_write(&opt->packet_id.send, buf,
- opt->flags & CO_PACKET_ID_LONG_FORM,
- true))
+ opt->flags & CO_PACKET_ID_LONG_FORM, true))
{
msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over");
goto err;
@@ -252,8 +246,7 @@
ASSERT(buf_write(&work, iv_buf, iv_size));
dmsg(D_PACKET_CONTENT, "ENCRYPT IV: %s", format_hex(iv_buf, iv_size, 0, &gc));
- dmsg(D_PACKET_CONTENT, "ENCRYPT FROM: %s",
- format_hex(BPTR(buf), BLEN(buf), 80, &gc));
+ dmsg(D_PACKET_CONTENT, "ENCRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 80, &gc));
/* cipher_ctx was already initialized with key & keylen */
ASSERT(cipher_ctx_reset(ctx->cipher, iv_buf));
@@ -261,13 +254,9 @@
/* Buffer overflow check */
if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
{
- msg(D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d cbs=%d",
- buf->capacity,
- buf->offset,
- buf->len,
- work.capacity,
- work.offset,
- work.len,
+ msg(D_CRYPT_ERRORS,
+ "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d cbs=%d",
+ buf->capacity, buf->offset, buf->len, work.capacity, work.offset, work.len,
cipher_ctx_block_size(ctx->cipher));
goto err;
}
@@ -281,14 +270,13 @@
ASSERT(buf_inc_len(&work, outlen));
/* For all CBC mode ciphers, check the last block is complete */
- ASSERT(cipher_ctx_mode(ctx->cipher) != OPENVPN_MODE_CBC
- || outlen == iv_size);
+ ASSERT(cipher_ctx_mode(ctx->cipher) != OPENVPN_MODE_CBC || outlen == iv_size);
}
- else /* No Encryption */
+ else /* No Encryption */
{
if (packet_id_initialized(&opt->packet_id)
- && !packet_id_write(&opt->packet_id.send, buf,
- opt->flags & CO_PACKET_ID_LONG_FORM, true))
+ && !packet_id_write(&opt->packet_id.send, buf, opt->flags & CO_PACKET_ID_LONG_FORM,
+ true))
{
msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over");
goto err;
@@ -317,8 +305,7 @@
*buf = work;
- dmsg(D_PACKET_CONTENT, "ENCRYPT TO: %s",
- format_hex(BPTR(&work), BLEN(&work), 80, &gc));
+ dmsg(D_PACKET_CONTENT, "ENCRYPT TO: %s", format_hex(BPTR(&work), BLEN(&work), 80, &gc));
}
gc_free(&gc);
@@ -332,8 +319,7 @@
}
void
-openvpn_encrypt(struct buffer *buf, struct buffer work,
- struct crypto_options *opt)
+openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt)
{
if (buf->len > 0 && opt)
{
@@ -380,10 +366,8 @@
}
bool
-crypto_check_replay(struct crypto_options *opt,
- const struct packet_id_net *pin, uint16_t epoch,
- const char *error_prefix,
- struct gc_arena *gc)
+crypto_check_replay(struct crypto_options *opt, const struct packet_id_net *pin, uint16_t epoch,
+ const char *error_prefix, struct gc_arena *gc)
{
bool ret = false;
struct packet_id_rec *recv;
@@ -400,8 +384,10 @@
{
/* We have an epoch that is neither current or old recv key but
* is authenticated, ie we need to move to a new current recv key */
- msg(D_GENKEY, "Received data packet with new epoch %d. Updating "
- "receive key", epoch);
+ msg(D_GENKEY,
+ "Received data packet with new epoch %d. Updating "
+ "receive key",
+ epoch);
epoch_replace_update_recv_key(opt, epoch);
recv = &opt->packet_id.rec;
}
@@ -420,7 +406,8 @@
{
if (!(opt->flags & CO_MUTE_REPLAY_WARNINGS))
{
- msg(D_REPLAY_ERRORS, "%s: bad packet ID (may be a replay): %s -- "
+ msg(D_REPLAY_ERRORS,
+ "%s: bad packet ID (may be a replay): %s -- "
"see the man page entry for --replay-window for "
"more info or silence this warning with --mute-replay-warnings",
error_prefix, packet_id_net_print(pin, true, gc));
@@ -438,9 +425,8 @@
* On success, buf is set to point to plaintext, true is returned.
*/
static bool
-openvpn_decrypt_aead(struct buffer *buf, struct buffer work,
- struct crypto_options *opt, const struct frame *frame,
- const uint8_t *ad_start)
+openvpn_decrypt_aead(struct buffer *buf, struct buffer work, struct crypto_options *opt,
+ const struct frame *frame, const uint8_t *ad_start)
{
static const char error_prefix[] = "AEAD Decrypt error";
struct packet_id_net pin = { 0 };
@@ -462,8 +448,7 @@
ASSERT(buf->len > 0);
ASSERT(ctx->cipher);
- dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s",
- format_hex(BPTR(buf), BLEN(buf), 80, &gc));
+ dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 80, &gc));
ASSERT(ad_start >= buf->data && ad_start <= BPTR(buf));
@@ -571,28 +556,24 @@
/* feed in tag and the authenticated data */
ASSERT(cipher_ctx_update_ad(ctx->cipher, ad_start, ad_size));
- dmsg(D_PACKET_CONTENT, "DECRYPT AD: %s",
- format_hex(ad_start, ad_size, 0, &gc));
+ dmsg(D_PACKET_CONTENT, "DECRYPT AD: %s", format_hex(ad_start, ad_size, 0, &gc));
/* Decrypt and authenticate packet */
int outlen;
- if (!cipher_ctx_update(ctx->cipher, BPTR(&work), &outlen, BPTR(buf),
- data_len))
+ if (!cipher_ctx_update(ctx->cipher, BPTR(&work), &outlen, BPTR(buf), data_len))
{
CRYPT_ERROR("packet decryption failed");
}
ASSERT(buf_inc_len(&work, outlen));
- if (!cipher_ctx_final_check_tag(ctx->cipher, BPTR(&work) + outlen,
- &outlen, tag_ptr, tag_size))
+ if (!cipher_ctx_final_check_tag(ctx->cipher, BPTR(&work) + outlen, &outlen, tag_ptr, tag_size))
{
ctx->failed_verifications++;
CRYPT_DROP("packet tag authentication failed");
}
ASSERT(buf_inc_len(&work, outlen));
- dmsg(D_PACKET_CONTENT, "DECRYPT TO: %s",
- format_hex(BPTR(&work), BLEN(&work), 80, &gc));
+ dmsg(D_PACKET_CONTENT, "DECRYPT TO: %s", format_hex(BPTR(&work), BLEN(&work), 80, &gc));
if (!crypto_check_replay(opt, &pin, epoch, error_prefix, &gc))
{
@@ -603,7 +584,7 @@
/* update number of plaintext blocks decrypted. Use the (x + (n-1))/n trick
* to round up the result to the number of blocks used. */
const int blocksize = AEAD_LIMIT_BLOCKSIZE;
- opt->key_ctx_bi.decrypt.plaintext_blocks += (outlen + (blocksize - 1))/blocksize;
+ opt->key_ctx_bi.decrypt.plaintext_blocks += (outlen + (blocksize - 1)) / blocksize;
*buf = work;
@@ -626,8 +607,8 @@
* On success, buf is set to point to plaintext, true is returned.
*/
static bool
-openvpn_decrypt_v1(struct buffer *buf, struct buffer work,
- struct crypto_options *opt, const struct frame *frame)
+openvpn_decrypt_v1(struct buffer *buf, struct buffer work, struct crypto_options *opt,
+ const struct frame *frame)
{
static const char error_prefix[] = "Authenticate/Decrypt packet error";
struct gc_arena gc;
@@ -639,8 +620,7 @@
struct packet_id_net pin;
bool have_pin = false;
- dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s",
- format_hex(BPTR(buf), BLEN(buf), 80, &gc));
+ dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 80, &gc));
/* Verify the HMAC */
if (ctx->hmac)
@@ -722,8 +702,7 @@
}
ASSERT(buf_inc_len(&work, outlen));
- dmsg(D_PACKET_CONTENT, "DECRYPT TO: %s",
- format_hex(BPTR(&work), BLEN(&work), 80, &gc));
+ dmsg(D_PACKET_CONTENT, "DECRYPT TO: %s", format_hex(BPTR(&work), BLEN(&work), 80, &gc));
/* Get packet ID from plaintext buffer or IV, depending on cipher mode */
{
@@ -731,7 +710,8 @@
{
if (packet_id_initialized(&opt->packet_id))
{
- if (!packet_id_read(&pin, &work, BOOL_CAST(opt->flags & CO_PACKET_ID_LONG_FORM)))
+ if (!packet_id_read(&pin, &work,
+ BOOL_CAST(opt->flags & CO_PACKET_ID_LONG_FORM)))
{
CRYPT_ERROR("error reading CBC packet-id");
}
@@ -790,9 +770,8 @@
bool
-openvpn_decrypt(struct buffer *buf, struct buffer work,
- struct crypto_options *opt, const struct frame *frame,
- const uint8_t *ad_start)
+openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt,
+ const struct frame *frame, const uint8_t *ad_start)
{
bool ret = false;
@@ -815,9 +794,7 @@
}
unsigned int
-calculate_crypto_overhead(const struct key_type *kt,
- unsigned int pkt_id_size,
- bool occ)
+calculate_crypto_overhead(const struct key_type *kt, unsigned int pkt_id_size, bool occ)
{
unsigned int crypto_overhead = 0;
@@ -866,9 +843,8 @@
unsigned int
crypto_max_overhead(void)
{
- return packet_id_size(true) + OPENVPN_MAX_IV_LENGTH
- +OPENVPN_MAX_CIPHER_BLOCK_SIZE
- +max_int(OPENVPN_MAX_HMAC_SIZE, OPENVPN_AEAD_TAG_LENGTH);
+ return packet_id_size(true) + OPENVPN_MAX_IV_LENGTH + OPENVPN_MAX_CIPHER_BLOCK_SIZE
+ + max_int(OPENVPN_MAX_HMAC_SIZE, OPENVPN_AEAD_TAG_LENGTH);
}
static void
@@ -876,12 +852,13 @@
{
if (cipher_kt_insecure(ciphername))
{
- msg(M_WARN, "WARNING: INSECURE cipher (%s) with block size less than 128"
+ msg(M_WARN,
+ "WARNING: INSECURE cipher (%s) with block size less than 128"
" bit (%d bit). This allows attacks like SWEET32. Mitigate by "
"using a --cipher with a larger block size (e.g. AES-256-CBC). "
"Support for these insecure ciphers will be removed in "
"OpenVPN 2.7.",
- ciphername, cipher_kt_block_size(ciphername)*8);
+ ciphername, cipher_kt_block_size(ciphername) * 8);
}
}
@@ -889,8 +866,8 @@
* Build a struct key_type.
*/
void
-init_key_type(struct key_type *kt, const char *ciphername,
- const char *authname, bool tls_mode, bool warn)
+init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode,
+ bool warn)
{
bool aead_cipher = false;
@@ -908,12 +885,11 @@
/* check legal cipher mode */
aead_cipher = cipher_kt_mode_aead(kt->cipher);
- if (!(cipher_kt_mode_cbc(kt->cipher)
- || (tls_mode && aead_cipher)
+ if (!(cipher_kt_mode_cbc(kt->cipher) || (tls_mode && aead_cipher)
#ifdef ENABLE_OFB_CFB_MODE
|| (tls_mode && cipher_kt_mode_ofb_cfb(kt->cipher))
#endif
- ))
+ ))
{
msg(M_FATAL, "Cipher '%s' mode not supported", ciphername);
}
@@ -932,9 +908,9 @@
if (warn)
{
msg(M_WARN, "******* WARNING *******: '--cipher none' was specified. "
- "This means NO encryption will be performed and tunnelled "
- "data WILL be transmitted in clear text over the network! "
- "PLEASE DO RECONSIDER THIS SETTING!");
+ "This means NO encryption will be performed and tunnelled "
+ "data WILL be transmitted in clear text over the network! "
+ "PLEASE DO RECONSIDER THIS SETTING!");
}
}
kt->digest = authname;
@@ -959,10 +935,10 @@
if (warn)
{
msg(M_WARN, "******* WARNING *******: '--auth none' was specified. "
- "This means no authentication will be performed on received "
- "packets, meaning you CANNOT trust that the data received by "
- "the remote side have NOT been manipulated. "
- "PLEASE DO RECONSIDER THIS SETTING!");
+ "This means no authentication will be performed on received "
+ "packets, meaning you CANNOT trust that the data received by "
+ "the remote side have NOT been manipulated. "
+ "PLEASE DO RECONSIDER THIS SETTING!");
}
}
}
@@ -1011,9 +987,8 @@
/* given a key and key_type, build a key_ctx */
void
-init_key_ctx(struct key_ctx *ctx, const struct key_parameters *key,
- const struct key_type *kt, int enc,
- const char *prefix)
+init_key_ctx(struct key_ctx *ctx, const struct key_parameters *key, const struct key_type *kt,
+ int enc, const char *prefix)
{
struct gc_arena gc = gc_new();
CLEAR(*ctx);
@@ -1024,14 +999,13 @@
cipher_ctx_init(ctx->cipher, key->cipher, kt->cipher, enc);
const char *ciphername = cipher_kt_name(kt->cipher);
- msg(D_CIPHER_INIT, "%s: Cipher '%s' initialized with %d bit key",
- prefix, ciphername, cipher_kt_key_size(kt->cipher) * 8);
+ msg(D_CIPHER_INIT, "%s: Cipher '%s' initialized with %d bit key", prefix, ciphername,
+ cipher_kt_key_size(kt->cipher) * 8);
dmsg(D_SHOW_KEYS, "%s: CIPHER KEY: %s", prefix,
format_hex(key->cipher, cipher_kt_key_size(kt->cipher), 0, &gc));
- dmsg(D_CRYPTO_DEBUG, "%s: CIPHER block_size=%d iv_size=%d",
- prefix, cipher_kt_block_size(kt->cipher),
- cipher_kt_iv_size(kt->cipher));
+ dmsg(D_CRYPTO_DEBUG, "%s: CIPHER block_size=%d iv_size=%d", prefix,
+ cipher_kt_block_size(kt->cipher), cipher_kt_iv_size(kt->cipher));
warn_insecure_key_type(ciphername);
}
@@ -1041,18 +1015,14 @@
ctx->hmac = hmac_ctx_new();
hmac_ctx_init(ctx->hmac, key->hmac, kt->digest);
- msg(D_CIPHER_INIT,
- "%s: Using %d bit message hash '%s' for HMAC authentication",
- prefix, md_kt_size(kt->digest) * 8, md_kt_name(kt->digest));
+ msg(D_CIPHER_INIT, "%s: Using %d bit message hash '%s' for HMAC authentication", prefix,
+ md_kt_size(kt->digest) * 8, md_kt_name(kt->digest));
dmsg(D_SHOW_KEYS, "%s: HMAC KEY: %s", prefix,
format_hex(key->hmac, md_kt_size(kt->digest), 0, &gc));
- dmsg(D_CRYPTO_DEBUG, "%s: HMAC size=%d block_size=%d",
- prefix,
- md_kt_size(kt->digest),
+ dmsg(D_CRYPTO_DEBUG, "%s: HMAC size=%d block_size=%d", prefix, md_kt_size(kt->digest),
hmac_ctx_size(ctx->hmac));
-
}
ctx->epoch = key->epoch;
gc_free(&gc);
@@ -1083,8 +1053,8 @@
}
void
-init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2,
- int key_direction, const struct key_type *kt, const char *name)
+init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction,
+ const struct key_type *kt, const char *name)
{
struct key_direction_state kds;
@@ -1174,39 +1144,34 @@
struct gc_arena gc = gc_new();
CLEAR(*key);
- if (!rand_bytes(key->cipher, cipher_len)
- || !rand_bytes(key->hmac, hmac_len))
+ if (!rand_bytes(key->cipher, cipher_len) || !rand_bytes(key->hmac, hmac_len))
{
msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation");
}
- dmsg(D_SHOW_KEY_SOURCE, "Cipher source entropy: %s", format_hex(key->cipher, cipher_len, 0, &gc));
+ dmsg(D_SHOW_KEY_SOURCE, "Cipher source entropy: %s",
+ format_hex(key->cipher, cipher_len, 0, &gc));
dmsg(D_SHOW_KEY_SOURCE, "HMAC source entropy: %s", format_hex(key->hmac, hmac_len, 0, &gc));
gc_free(&gc);
}
static void
-key_print(const struct key *key,
- const struct key_type *kt,
- const char *prefix)
+key_print(const struct key *key, const struct key_type *kt, const char *prefix)
{
struct gc_arena gc = gc_new();
- dmsg(D_SHOW_KEY_SOURCE, "%s (cipher, %s, %d bits): %s",
- prefix, cipher_kt_name(kt->cipher), cipher_kt_key_size(kt->cipher) * 8,
+ dmsg(D_SHOW_KEY_SOURCE, "%s (cipher, %s, %d bits): %s", prefix, cipher_kt_name(kt->cipher),
+ cipher_kt_key_size(kt->cipher) * 8,
format_hex(key->cipher, cipher_kt_key_size(kt->cipher), 0, &gc));
- dmsg(D_SHOW_KEY_SOURCE, "%s (hmac, %s, %d bits): %s",
- prefix, md_kt_name(kt->digest), md_kt_size(kt->digest) * 8,
- format_hex(key->hmac, md_kt_size(kt->digest), 0, &gc));
+ dmsg(D_SHOW_KEY_SOURCE, "%s (hmac, %s, %d bits): %s", prefix, md_kt_name(kt->digest),
+ md_kt_size(kt->digest) * 8, format_hex(key->hmac, md_kt_size(kt->digest), 0, &gc));
gc_free(&gc);
}
/**
* Prints the keys in a key2 structure.
*/
void
-key2_print(const struct key2 *k,
- const struct key_type *kt,
- const char *prefix0,
+key2_print(const struct key2 *k, const struct key_type *kt, const char *prefix0,
const char *prefix1)
{
ASSERT(k->n == 2);
@@ -1248,11 +1213,10 @@
ASSERT(cipher_ctx_iv_length(cipher) >= OPENVPN_AEAD_MIN_IV_LEN);
/* Generate dummy implicit IV */
- ASSERT(rand_bytes(co->key_ctx_bi.encrypt.implicit_iv,
- OPENVPN_MAX_IV_LENGTH));
+ ASSERT(rand_bytes(co->key_ctx_bi.encrypt.implicit_iv, OPENVPN_MAX_IV_LENGTH));
- memcpy(co->key_ctx_bi.decrypt.implicit_iv,
- co->key_ctx_bi.encrypt.implicit_iv, OPENVPN_MAX_IV_LENGTH);
+ memcpy(co->key_ctx_bi.decrypt.implicit_iv, co->key_ctx_bi.encrypt.implicit_iv,
+ OPENVPN_MAX_IV_LENGTH);
}
}
@@ -1317,11 +1281,9 @@
}
void
-crypto_read_openvpn_key(const struct key_type *key_type,
- struct key_ctx_bi *ctx, const char *key_file,
- bool key_inline, const int key_direction,
- const char *key_name, const char *opt_name,
- struct key2 *keydata)
+crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx,
+ const char *key_file, bool key_inline, const int key_direction,
+ const char *key_name, const char *opt_name, struct key2 *keydata)
{
struct key2 key2;
struct key_direction_state kds;
@@ -1335,7 +1297,8 @@
if (key2.n != 2)
{
- msg(M_ERR, "File '%s' does not have OpenVPN Static Key format. Using "
+ msg(M_ERR,
+ "File '%s' does not have OpenVPN Static Key format. Using "
"free-form passphrase file is not supported anymore.",
print_key_filename(key_file, key_inline));
}
@@ -1374,7 +1337,7 @@
struct gc_arena gc = gc_new();
struct buffer in;
int size;
- uint8_t hex_byte[3] = {0, 0, 0};
+ uint8_t hex_byte[3] = { 0, 0, 0 };
/* parse info */
const unsigned char *cp;
@@ -1384,17 +1347,17 @@
int match = 0;
/* output */
- uint8_t *out = (uint8_t *) &key2->keys;
+ uint8_t *out = (uint8_t *)&key2->keys;
const int keylen = sizeof(key2->keys);
int count = 0;
/* parse states */
-#define PARSE_INITIAL 0
-#define PARSE_HEAD 1
-#define PARSE_DATA 2
-#define PARSE_DATA_COMPLETE 3
-#define PARSE_FOOT 4
-#define PARSE_FINISHED 5
+#define PARSE_INITIAL 0
+#define PARSE_HEAD 1
+#define PARSE_DATA 2
+#define PARSE_DATA_COMPLETE 3
+#define PARSE_FOOT 4
+#define PARSE_FINISHED 5
int state = PARSE_INITIAL;
/* constants */
@@ -1506,11 +1469,9 @@
}
else
{
- msg(M_FATAL,
- (isprint(c) ? printable_char_fmt : unprintable_char_fmt),
- c, line_num,
- print_key_filename(file, flags & RKF_INLINE), count,
- onekeylen, keylen);
+ msg(M_FATAL, (isprint(c) ? printable_char_fmt : unprintable_char_fmt), c,
+ line_num, print_key_filename(file, flags & RKF_INLINE), count, onekeylen,
+ keylen);
}
}
++line_index;
@@ -1524,22 +1485,21 @@
*/
key2->n = count / onekeylen;
- ASSERT(key2->n >= 0 && key2->n <= (int) SIZE(key2->keys));
+ ASSERT(key2->n >= 0 && key2->n <= (int)SIZE(key2->keys));
if (flags & RKF_MUST_SUCCEED)
{
if (!key2->n)
{
- msg(M_FATAL, "Insufficient key material or header text not found in file '%s' (%d/%d/%d bytes found/min/max)",
- print_key_filename(file, flags & RKF_INLINE), count, onekeylen,
- keylen);
+ msg(M_FATAL,
+ "Insufficient key material or header text not found in file '%s' (%d/%d/%d bytes found/min/max)",
+ print_key_filename(file, flags & RKF_INLINE), count, onekeylen, keylen);
}
if (state != PARSE_FINISHED)
{
msg(M_FATAL, "Footer text not found in file '%s' (%d/%d/%d bytes found/min/max)",
- print_key_filename(file, flags & RKF_INLINE), count, onekeylen,
- keylen);
+ print_key_filename(file, flags & RKF_INLINE), count, onekeylen, keylen);
}
}
@@ -1598,12 +1558,7 @@
generate_key_random(&key);
/* format key as ascii */
- fmt = format_hex_ex((const uint8_t *)&key,
- sizeof(key),
- 0,
- bytes_per_line,
- "\n",
- &gc);
+ fmt = format_hex_ex((const uint8_t *)&key, sizeof(key), 0, bytes_per_line, "\n", &gc);
/* write to holding buffer */
buf_printf(&out, "%s\n", fmt);
@@ -1616,7 +1571,7 @@
buf_printf(&out, "%s\n", static_key_foot);
/* write key file to stdout if no filename given */
- if (!filename || strcmp(filename, "")==0)
+ if (!filename || strcmp(filename, "") == 0)
{
printf("%.*s\n", BLEN(&out), BPTR(&out));
}
@@ -1641,9 +1596,14 @@
if (key2->n < n)
{
#ifdef ENABLE_SMALL
- msg(M_FATAL, "Key file '%s' used in --%s contains insufficient key material [keys found=%d required=%d]", filename, option, key2->n, n);
+ msg(M_FATAL,
+ "Key file '%s' used in --%s contains insufficient key material [keys found=%d required=%d]",
+ filename, option, key2->n, n);
#else
- msg(M_FATAL, "Key file '%s' used in --%s contains insufficient key material [keys found=%d required=%d] -- try generating a new key file with '" PACKAGE " --genkey secret [file]', or use the existing key file in bidirectional mode by specifying --%s without a key direction parameter", filename, option, key2->n, n, option);
+ msg(M_FATAL,
+ "Key file '%s' used in --%s contains insufficient key material [keys found=%d required=%d] -- try generating a new key file with '" PACKAGE
+ " --genkey secret [file]', or use the existing key file in bidirectional mode by specifying --%s without a key direction parameter",
+ filename, option, key2->n, n, option);
#endif
}
}
@@ -1739,8 +1699,8 @@
/* This should be a very improbable failure */
if (!check_key(&key2->keys[i], kt))
{
- msg(M_FATAL, "Key #%d in '%s' is bad. Try making a new key with --genkey.",
- i+1, shared_secret_file);
+ msg(M_FATAL, "Key #%d in '%s' is bad. Try making a new key with --genkey.", i + 1,
+ shared_secret_file);
}
}
}
@@ -1767,9 +1727,7 @@
void
print_cipher(const char *ciphername)
{
- printf("%s (%d bit key, ",
- cipher_kt_name(ciphername),
- cipher_kt_key_size(ciphername) * 8);
+ printf("%s (%d bit key, ", cipher_kt_name(ciphername), cipher_kt_key_size(ciphername) * 8);
if (cipher_kt_block_size(ciphername) == 1)
{
@@ -1855,14 +1813,13 @@
goto cleanup;
}
buf_set_read(&server_key_buf, (void *)&server_key, sizeof(server_key));
- if (!crypto_pem_encode(pem_name, &server_key_pem,
- &server_key_buf, &gc))
+ if (!crypto_pem_encode(pem_name, &server_key_pem, &server_key_buf, &gc))
{
msg(M_WARN, "ERROR: could not PEM-encode key");
goto cleanup;
}
- if (!filename || strcmp(filename, "")==0)
+ if (!filename || strcmp(filename, "") == 0)
{
printf("%.*s", BLEN(&server_key_pem), BPTR(&server_key_pem));
}
@@ -1898,8 +1855,7 @@
}
bool
-read_pem_key_file(struct buffer *key, const char *pem_name,
- const char *key_file, bool key_inline)
+read_pem_key_file(struct buffer *key, const char *pem_name, const char *key_file, bool key_inline)
{
bool ret = false;
struct buffer key_pem = { 0 };
@@ -1910,8 +1866,7 @@
key_pem = buffer_read_from_file(key_file, &gc);
if (!buf_valid(&key_pem))
{
- msg(M_WARN, "ERROR: failed to read %s file (%s)",
- pem_name, key_file);
+ msg(M_WARN, "ERROR: failed to read %s file (%s)", pem_name, key_file);
goto cleanup;
}
}
@@ -1948,9 +1903,8 @@
uint8_t out[8];
uint8_t expected_out[] = { 'q', 'D', '\xfe', '%', '@', 's', 'u', '\x95' };
- int ret = ssl_tls1_PRF((uint8_t *)seed, (int) strlen(seed),
- (uint8_t *)secret, (int) strlen(secret),
- out, sizeof(out));
+ int ret = ssl_tls1_PRF((uint8_t *)seed, (int)strlen(seed), (uint8_t *)secret,
+ (int)strlen(secret), out, sizeof(out));
return (ret && memcmp(out, expected_out, sizeof(out)) == 0);
}
@@ -129,7 +129,8 @@
#include "mtu.h"
/** Wrapper struct to pass around SHA256 digests */
-struct sha256_digest {
+struct sha256_digest
+{
uint8_t digest[SHA256_DIGEST_LENGTH];
};
@@ -138,8 +139,8 @@
*/
struct key_type
{
- const char *cipher; /**< const name of the cipher */
- const char *digest; /**< Message digest static parameters */
+ const char *cipher; /**< const name of the cipher */
+ const char *digest; /**< Message digest static parameters */
};
/**
@@ -158,7 +159,8 @@
/** internal structure similar to struct key that holds key information
* but is not represented on wire and can be changed/extended
*/
-struct key_parameters {
+struct key_parameters
+{
/** %Key material for cipher operations. */
uint8_t cipher[MAX_CIPHER_KEY_LENGTH];
@@ -184,10 +186,10 @@
* @param key_params destination for the converted struct
* @param key source of the conversion
*/
-void
-key_parameters_from_key(struct key_parameters *key_params, const struct key *key);
+void key_parameters_from_key(struct key_parameters *key_params, const struct key *key);
-struct epoch_key {
+struct epoch_key
+{
uint8_t epoch_key[SHA256_DIGEST_LENGTH];
uint16_t epoch;
};
@@ -198,8 +200,8 @@
*/
struct key_ctx
{
- cipher_ctx_t *cipher; /**< Generic cipher %context. */
- hmac_ctx_t *hmac; /**< Generic HMAC %context. */
+ cipher_ctx_t *cipher; /**< Generic cipher %context. */
+ hmac_ctx_t *hmac; /**< Generic HMAC %context. */
/**
* This implicit IV will be always XORed with the packet id that is sent on
* the wire to get the IV. For the common AEAD ciphers of AES-GCM and
@@ -213,7 +215,7 @@
*/
uint8_t implicit_iv[OPENVPN_MAX_IV_LENGTH];
/**< The implicit part of the IV */
- size_t implicit_iv_len; /**< The length of implicit_iv */
+ size_t implicit_iv_len; /**< The length of implicit_iv */
/** Counter for the number of plaintext block encrypted using this cipher
* with the current key in number of 128 bit blocks (only used for
* AEAD ciphers) */
@@ -236,12 +238,12 @@
*/
struct key2
{
- int n; /**< The number of \c key objects stored
- * in the \c key2.keys array. */
- struct key keys[2]; /**< Two unidirectional sets of %key
- * material. The first key is the client
- * (encrypts) to server (decrypts), the
- * second the server to client key. */
+ int n; /**< The number of \c key objects stored
+ * in the \c key2.keys array. */
+ struct key keys[2]; /**< Two unidirectional sets of %key
+ * material. The first key is the client
+ * (encrypts) to server (decrypts), the
+ * second the server to client key. */
};
/**
@@ -255,18 +257,18 @@
*/
struct key_direction_state
{
- int out_key; /**< Index into the \c key2.keys array for
- * the sending direction. */
- int in_key; /**< Index into the \c key2.keys array for
- * the receiving direction. */
- int need_keys; /**< The number of key objects necessary
- * to support both sending and
- * receiving.
- *
- * This will be 1 if the same keys are
- * used in both directions, or 2 if
- * there are two sets of unidirectional
- * keys. */
+ int out_key; /**< Index into the \c key2.keys array for
+ * the sending direction. */
+ int in_key; /**< Index into the \c key2.keys array for
+ * the receiving direction. */
+ int need_keys; /**< The number of key objects necessary
+ * to support both sending and
+ * receiving.
+ *
+ * This will be 1 if the same keys are
+ * used in both directions, or 2 if
+ * there are two sets of unidirectional
+ * keys. */
};
/**
@@ -276,10 +278,10 @@
*/
struct key_ctx_bi
{
- struct key_ctx encrypt; /**< Cipher and/or HMAC contexts for sending
- * direction. */
- struct key_ctx decrypt; /**< cipher and/or HMAC contexts for
- * receiving direction. */
+ struct key_ctx encrypt; /**< Cipher and/or HMAC contexts for sending
+ * direction. */
+ struct key_ctx decrypt; /**< cipher and/or HMAC contexts for
+ * receiving direction. */
bool initialized;
};
@@ -340,54 +342,58 @@
* keeping state between successive
* OpenVPN process startups. */
-#define CO_PACKET_ID_LONG_FORM (1<<0)
+#define CO_PACKET_ID_LONG_FORM (1 << 0)
/**< Bit-flag indicating whether to use
- * OpenVPN's long packet ID format. */
-#define CO_IGNORE_PACKET_ID (1<<1)
+ * OpenVPN's long packet ID format. */
+#define CO_IGNORE_PACKET_ID (1 << 1)
/**< Bit-flag indicating whether to ignore
* the packet ID of a received packet.
* This flag is used during processing
* of the first packet received from a
* client. */
-#define CO_MUTE_REPLAY_WARNINGS (1<<2)
+#define CO_MUTE_REPLAY_WARNINGS (1 << 2)
/**< Bit-flag indicating not to display
* replay warnings. */
-#define CO_USE_TLS_KEY_MATERIAL_EXPORT (1<<3)
+#define CO_USE_TLS_KEY_MATERIAL_EXPORT (1 << 3)
/**< Bit-flag indicating that data channel key derivation
* is done using TLS keying material export [RFC5705]
*/
-#define CO_RESEND_WKC (1<<4)
+#define CO_RESEND_WKC (1 << 4)
/**< Bit-flag indicating that the client is expected to
* resend the wrapped client key with the 2nd packet (packet-id 1)
* like with the HARD_RESET_CLIENT_V3 packet */
-#define CO_FORCE_TLSCRYPTV2_COOKIE (1<<5)
+#define CO_FORCE_TLSCRYPTV2_COOKIE (1 << 5)
/**< Bit-flag indicating that we do not allow clients that do
* not support resending the wrapped client key (WKc) with the
* third packet of the three-way handshake */
-#define CO_USE_CC_EXIT_NOTIFY (1<<6)
+#define CO_USE_CC_EXIT_NOTIFY (1 << 6)
/**< Bit-flag indicating that explicit exit notifies should be
* sent via the control channel instead of using an OCC message
*/
-#define CO_USE_DYNAMIC_TLS_CRYPT (1<<7)
+#define CO_USE_DYNAMIC_TLS_CRYPT (1 << 7)
/**< Bit-flag indicating that renegotiations are using tls-crypt
* with a TLS-EKM derived key.
*/
-#define CO_EPOCH_DATA_KEY_FORMAT (1<<8)
+#define CO_EPOCH_DATA_KEY_FORMAT (1 << 8)
/**< Bit-flag indicating the epoch the data format. This format
* has the AEAD tag at the end of the packet and is using a longer
* 64-bit packet id that is split into a 16 bit epoch and 48 bit
* epoch counter
*/
- unsigned int flags; /**< Bit-flags determining behavior of
- * security operation functions. */
+ unsigned int flags; /**< Bit-flags determining behavior of
+ * security operation functions. */
};
-#define CRYPT_ERROR_EXIT(flags, format) \
- do { msg(flags, "%s: " format, error_prefix); goto error_exit; } while (false)
+#define CRYPT_ERROR_EXIT(flags, format) \
+ do \
+ { \
+ msg(flags, "%s: " format, error_prefix); \
+ goto error_exit; \
+ } while (false)
#define CRYPT_ERROR(format) CRYPT_ERROR_EXIT(D_CRYPT_ERRORS, format)
-#define CRYPT_DROP(format) CRYPT_ERROR_EXIT(D_MULTI_DROPPED, format)
+#define CRYPT_DROP(format) CRYPT_ERROR_EXIT(D_MULTI_DROPPED, format)
/**
* Minimal IV length for AEAD mode ciphers (in bytes):
@@ -395,8 +401,8 @@
*/
#define OPENVPN_AEAD_MIN_IV_LEN (sizeof(packet_id_type) + 8)
-#define RKF_MUST_SUCCEED (1<<0)
-#define RKF_INLINE (1<<1)
+#define RKF_MUST_SUCCEED (1 << 0)
+#define RKF_INLINE (1 << 1)
void read_key_file(struct key2 *key2, const char *file, const unsigned int flags);
/**
@@ -418,30 +424,26 @@
* more ciphers than static key mode.
* @param warn Print warnings when null cipher / auth is used.
*/
-void init_key_type(struct key_type *kt, const char *ciphername,
- const char *authname, bool tls_mode, bool warn);
+void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode,
+ bool warn);
/*
* Key context functions
*/
-void init_key_ctx(struct key_ctx *ctx, const struct key_parameters *key,
- const struct key_type *kt, int enc,
- const char *prefix);
+void init_key_ctx(struct key_ctx *ctx, const struct key_parameters *key, const struct key_type *kt,
+ int enc, const char *prefix);
-void
-init_key_bi_ctx_send(struct key_ctx *ctx, const struct key_parameters *key,
- const struct key_type *kt, const char *name);
+void init_key_bi_ctx_send(struct key_ctx *ctx, const struct key_parameters *key,
+ const struct key_type *kt, const char *name);
-void
-init_key_bi_ctx_recv(struct key_ctx *ctx, const struct key_parameters *key,
- const struct key_type *kt, const char *name);
+void init_key_bi_ctx_recv(struct key_ctx *ctx, const struct key_parameters *key,
+ const struct key_type *kt, const char *name);
void free_key_ctx(struct key_ctx *ctx);
-void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2,
- int key_direction, const struct key_type *kt,
- const char *name);
+void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction,
+ const struct key_type *kt, const char *name);
void free_key_ctx_bi(struct key_ctx_bi *ctx);
@@ -476,8 +478,7 @@
* contain the processed packet ready for sending, or be empty if an
* error occurred.
*/
-void openvpn_encrypt(struct buffer *buf, struct buffer work,
- struct crypto_options *opt);
+void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt);
/**
@@ -513,9 +514,8 @@
* the plaintext packet ready for further processing, or be empty if
* an error occurred.
*/
-bool openvpn_decrypt(struct buffer *buf, struct buffer work,
- struct crypto_options *opt, const struct frame *frame,
- const uint8_t *ad_start);
+bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt,
+ const struct frame *frame, const uint8_t *ad_start);
/** @} name Functions for performing security operations on data channel packets */
@@ -530,11 +530,8 @@
*
* @return true if packet ID is validated to be not a replay, false otherwise.
*/
-bool crypto_check_replay(struct crypto_options *opt,
- const struct packet_id_net *pin,
- uint16_t epoch,
- const char *error_prefix,
- struct gc_arena *gc);
+bool crypto_check_replay(struct crypto_options *opt, const struct packet_id_net *pin,
+ uint16_t epoch, const char *error_prefix, struct gc_arena *gc);
/** Calculate the maximum overhead that our encryption has
@@ -550,10 +547,8 @@
* incorrect way as all previous OpenVPN versions did, to
* end up with identical numbers for OCC compatibility
*/
-unsigned int
-calculate_crypto_overhead(const struct key_type *kt,
- unsigned int pkt_id_size,
- bool occ);
+unsigned int calculate_crypto_overhead(const struct key_type *kt, unsigned int pkt_id_size,
+ bool occ);
/** Return the worst-case OpenVPN crypto overhead (in bytes) */
unsigned int crypto_max_overhead(void);
@@ -565,8 +560,7 @@
* @param filename Filename of the server key file to create.
* @param key_name The name to use in the PEM header/footer.
*/
-void
-write_pem_key_file(const char *filename, const char *key_name);
+void write_pem_key_file(const char *filename, const char *key_name);
/**
* Generate ephermal key material into the key structure
@@ -575,8 +569,7 @@
* @param pem_name the name used for logging
* @return true if key generation was successful
*/
-bool
-generate_ephemeral_key(struct buffer *key, const char *pem_name);
+bool generate_ephemeral_key(struct buffer *key, const char *pem_name);
/**
* Read key material from a PEM encoded files into the key structure
@@ -588,9 +581,8 @@
* otherwise.
* @return true if reading into key was successful
*/
-bool
-read_pem_key_file(struct buffer *key, const char *pem_name,
- const char *key_file, bool key_inline);
+bool read_pem_key_file(struct buffer *key, const char *pem_name, const char *key_file,
+ bool key_inline);
/*
* Message digest-based pseudo random number generator.
@@ -631,16 +623,12 @@
const char *keydirection2ascii(int kd, bool remote, bool humanreadable);
/* print keys */
-void key2_print(const struct key2 *k,
- const struct key_type *kt,
- const char *prefix0,
+void key2_print(const struct key2 *k, const struct key_type *kt, const char *prefix0,
const char *prefix1);
-void crypto_read_openvpn_key(const struct key_type *key_type,
- struct key_ctx_bi *ctx, const char *key_file,
- bool key_inline, const int key_direction,
- const char *key_name, const char *opt_name,
- struct key2 *keydata);
+void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx,
+ const char *key_file, bool key_inline, const int key_direction,
+ const char *key_name, const char *opt_name, struct key2 *keydata);
/*
* Inline functions
@@ -690,12 +678,12 @@
if (cipher_defined(kt.cipher) && !cipher_valid(kt.cipher))
{
msg(M_WARN, "ERROR: --%s requires %s support.", optname, kt.cipher);
- return (struct key_type) { 0 };
+ return (struct key_type){ 0 };
}
if (md_defined(kt.digest) && !md_valid(kt.digest))
{
msg(M_WARN, "ERROR: --%s requires %s support.", optname, kt.digest);
- return (struct key_type) { 0 };
+ return (struct key_type){ 0 };
}
return kt;
@@ -710,8 +698,7 @@
* For reference see the OpenVPN RFC draft and
* https://www.ietf.org/archive/id/draft-irtf-cfrg-aead-limits-08.html
*/
-uint64_t
-cipher_get_aead_limits(const char *ciphername);
+uint64_t cipher_get_aead_limits(const char *ciphername);
/**
* Check if the number of failed decryption is over the acceptable limit.
@@ -724,7 +711,7 @@
* but we accept slightly lower security bound for the edge
* of Chacha20-Poly1305 and packets over 16k as MTUs over 16k are
* extremely rarely used */
- return ctx->failed_verifications > (1ull << 36);
+ return ctx->failed_verifications > (1ull << 36);
}
/**
@@ -735,7 +722,7 @@
cipher_decrypt_verify_fail_warn(const struct key_ctx *ctx)
{
/* Use 2**35, half the amount after which we refuse to decrypt */
- return ctx->failed_verifications > (1ull << 35);
+ return ctx->failed_verifications > (1ull << 35);
}
@@ -744,7 +731,7 @@
*
* Since cipher_ctx_block_size() is not reliable and will return 1 in many
* cases use a hardcoded blocksize instead */
-#define AEAD_LIMIT_BLOCKSIZE 16
+#define AEAD_LIMIT_BLOCKSIZE 16
/**
* Checks if the current TLS library supports the TLS 1.0 PRF with MD5+SHA1
@@ -761,13 +748,12 @@
* to read.
*/
static inline bool
-aead_usage_limit_reached(const uint64_t limit, const struct key_ctx *key_ctx,
- int64_t higest_pid)
+aead_usage_limit_reached(const uint64_t limit, const struct key_ctx *key_ctx, int64_t higest_pid)
{
/* This is the q + s <= p^(1/2) * 2^(129/2) - 1 calculation where
* q is the number of protected messages (highest_pid)
* s Total plaintext length in all messages (in blocks) */
- return (limit > 0 && key_ctx->plaintext_blocks + (uint64_t) higest_pid > limit);
+ return (limit > 0 && key_ctx->plaintext_blocks + (uint64_t)higest_pid > limit);
}
#endif /* CRYPTO_H */
@@ -45,18 +45,20 @@
#define OPENVPN_MAX_CIPHER_BLOCK_SIZE 32
/* Maximum HMAC digest size (bytes) */
-#define OPENVPN_MAX_HMAC_SIZE 64
+#define OPENVPN_MAX_HMAC_SIZE 64
/** Types referencing specific message digest hashing algorithms */
-typedef enum {
+typedef enum
+{
MD_SHA1,
MD_SHA256
} hash_algo_type;
/** Struct used in cipher name translation table */
-typedef struct {
- const char *openvpn_name; /**< Cipher name used by OpenVPN */
- const char *lib_name; /**< Cipher name used by crypto library */
+typedef struct
+{
+ const char *openvpn_name; /**< Cipher name used by OpenVPN */
+ const char *lib_name; /**< Cipher name used by crypto library */
} cipher_name_pair;
/** Cipher name translation table */
@@ -122,8 +124,8 @@
*
* @return true iff PEM encode succeeded.
*/
-bool crypto_pem_encode(const char *name, struct buffer *dst,
- const struct buffer *src, struct gc_arena *gc);
+bool crypto_pem_encode(const char *name, struct buffer *dst, const struct buffer *src,
+ struct gc_arena *gc);
/**
* Decode a PEM buffer to binary data.
@@ -134,8 +136,7 @@
*
* @return true iff PEM decode succeeded.
*/
-bool crypto_pem_decode(const char *name, struct buffer *dst,
- const struct buffer *src);
+bool crypto_pem_decode(const char *name, struct buffer *dst, const struct buffer *src);
/*
*
@@ -338,8 +339,8 @@
* @param enc Whether to encrypt or decrypt (either
* \c OPENVPN_OP_ENCRYPT or \c OPENVPN_OP_DECRYPT).
*/
-void cipher_ctx_init(cipher_ctx_t *ctx, const uint8_t *key,
- const char *ciphername, crypto_operation_t enc);
+void cipher_ctx_init(cipher_ctx_t *ctx, const uint8_t *key, const char *ciphername,
+ crypto_operation_t enc);
/**
* Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is
@@ -447,8 +448,7 @@
*
* @return \c 0 on failure, \c 1 on success.
*/
-int cipher_ctx_update(cipher_ctx_t *ctx, uint8_t *dst, int *dst_len,
- uint8_t *src, int src_len);
+int cipher_ctx_update(cipher_ctx_t *ctx, uint8_t *dst, int *dst_len, uint8_t *src, int src_len);
/**
* Pads the final cipher block using PKCS padding, and output to the destination
@@ -475,8 +475,8 @@
*
* @return \c 0 on failure, \c 1 on success.
*/
-int cipher_ctx_final_check_tag(cipher_ctx_t *ctx, uint8_t *dst, int *dst_len,
- uint8_t *tag, size_t tag_len);
+int cipher_ctx_final_check_tag(cipher_ctx_t *ctx, uint8_t *dst, int *dst_len, uint8_t *tag,
+ size_t tag_len);
/*
@@ -716,7 +716,7 @@
*
* @return true if successful, false on any error
*/
-bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
- int secret_len, uint8_t *output, int output_len);
+bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len,
+ uint8_t *output, int output_len);
#endif /* CRYPTO_BACKEND_H_ */
@@ -39,9 +39,8 @@
#include "integer.h"
void
-ovpn_hkdf_expand(const uint8_t *secret,
- const uint8_t *info, int info_len,
- uint8_t *out, int out_len)
+ovpn_hkdf_expand(const uint8_t *secret, const uint8_t *info, int info_len, uint8_t *out,
+ int out_len)
{
hmac_ctx_t *hmac_ctx = hmac_ctx_new();
hmac_ctx_init(hmac_ctx, secret, "SHA256");
@@ -74,13 +73,10 @@
}
bool
-ovpn_expand_label(const uint8_t *secret, size_t secret_len,
- const uint8_t *label, size_t label_len,
- const uint8_t *context, size_t context_len,
- uint8_t *out, uint16_t out_len)
+ovpn_expand_label(const uint8_t *secret, size_t secret_len, const uint8_t *label, size_t label_len,
+ const uint8_t *context, size_t context_len, uint8_t *out, uint16_t out_len)
{
- if (secret_len != 32 || label_len > 250 || context_len > 255
- || label_len < 1)
+ if (secret_len != 32 || label_len > 250 || context_len > 255 || label_len < 1)
{
/* Our current implementation is not a general purpose one
* and assumes that the secret size matches the size of the
@@ -92,7 +88,7 @@
struct gc_arena gc = gc_new();
/* 2 byte for the outlen encoded as uint16, 5 bytes for "ovpn ",
* 1 byte for context len byte and 1 byte for label len byte */
- const uint8_t *label_prefix = (const uint8_t *) ("ovpn ");
+ const uint8_t *label_prefix = (const uint8_t *)("ovpn ");
int prefix_len = 5;
int hkdf_label_len = 2 + prefix_len + 1 + label_len + 1 + context_len;
@@ -111,8 +107,7 @@
ASSERT(buf_len(&hkdf_label) == hkdf_label_len);
- ovpn_hkdf_expand(secret, buf_bptr(&hkdf_label),
- buf_len(&hkdf_label), out, out_len);
+ ovpn_hkdf_expand(secret, buf_bptr(&hkdf_label), buf_len(&hkdf_label), out, out_len);
gc_free(&gc);
return true;
@@ -133,16 +128,14 @@
const size_t epoch_update_label_len = sizeof(epoch_update_label) - 1;
/* E_N+1 = OVPN-Expand-Label(E_N, "datakey upd", "", 32) */
- ovpn_expand_label(epoch_key->epoch_key, sizeof(epoch_key->epoch_key),
- epoch_update_label, epoch_update_label_len,
- NULL, 0,
- new_epoch_key.epoch_key, sizeof(new_epoch_key.epoch_key));
+ ovpn_expand_label(epoch_key->epoch_key, sizeof(epoch_key->epoch_key), epoch_update_label,
+ epoch_update_label_len, NULL, 0, new_epoch_key.epoch_key,
+ sizeof(new_epoch_key.epoch_key));
*epoch_key = new_epoch_key;
}
void
-epoch_data_key_derive(struct key_parameters *key,
- const struct epoch_key *epoch_key,
+epoch_data_key_derive(struct key_parameters *key, const struct epoch_key *epoch_key,
const struct key_type *kt)
{
key->hmac_size = cipher_kt_iv_size(kt->cipher);
@@ -157,19 +150,16 @@
/* length of the array without extra \0 byte from the string */
const size_t epoch_data_key_label_len = sizeof(epoch_data_key_label) - 1;
- ovpn_expand_label(epoch_key->epoch_key, sizeof(epoch_key->epoch_key),
- epoch_data_key_label, epoch_data_key_label_len,
- NULL, 0,
- (uint8_t *)(&key->cipher), key->cipher_size);
+ ovpn_expand_label(epoch_key->epoch_key, sizeof(epoch_key->epoch_key), epoch_data_key_label,
+ epoch_data_key_label_len, NULL, 0, (uint8_t *)(&key->cipher),
+ key->cipher_size);
const uint8_t epoch_data_iv_label[] = "data_iv";
/* length of the array without extra \0 byte from the string */
const size_t epoch_data_iv_label_len = sizeof(epoch_data_iv_label) - 1;
- ovpn_expand_label(epoch_key->epoch_key, sizeof(epoch_key->epoch_key),
- epoch_data_iv_label, epoch_data_iv_label_len,
- NULL, 0,
- (uint8_t *)(&key->hmac), key->hmac_size);
+ ovpn_expand_label(epoch_key->epoch_key, sizeof(epoch_key->epoch_key), epoch_data_iv_label,
+ epoch_data_iv_label_len, NULL, 0, (uint8_t *)(&key->hmac), key->hmac_size);
key->epoch = epoch_key->epoch;
}
@@ -187,8 +177,7 @@
epoch_data_key_derive(&send_key, &co->epoch_key_send, &co->epoch_key_type);
- init_key_bi_ctx_send(&co->key_ctx_bi.encrypt, &send_key,
- &co->epoch_key_type, name);
+ init_key_bi_ctx_send(&co->key_ctx_bi.encrypt, &send_key, &co->epoch_key_type, name);
reset_packet_id_send(&co->packet_id.send);
CLEAR(send_key);
}
@@ -219,10 +208,10 @@
/* Either we have not generated any future keys yet (first initialisation)
* or the last index is the same as our current epoch key
* (last generated receive epoch key should match the epoch key) */
- struct key_ctx *highest_future_key = &co->epoch_data_keys_future[co->epoch_data_keys_future_count - 1];
+ struct key_ctx *highest_future_key =
+ &co->epoch_data_keys_future[co->epoch_data_keys_future_count - 1];
- ASSERT(co->epoch_key_recv.epoch == 1
- || highest_future_key->epoch == co->epoch_key_recv.epoch);
+ ASSERT(co->epoch_key_recv.epoch == 1 || highest_future_key->epoch == co->epoch_key_recv.epoch);
/* free the keys that are not used anymore */
for (uint16_t i = 0; i < co->epoch_data_keys_future_count; i++)
@@ -250,12 +239,12 @@
{
ASSERT(co->epoch_data_keys_future[i].epoch == 0);
}
- memmove(co->epoch_data_keys_future,
- co->epoch_data_keys_future + num_keys_generate,
+ memmove(co->epoch_data_keys_future, co->epoch_data_keys_future + num_keys_generate,
(co->epoch_data_keys_future_count - num_keys_generate) * sizeof(struct key_ctx));
/* Clear and regenerate the array elements at the end */
- for (uint16_t i = co->epoch_data_keys_future_count - num_keys_generate; i < co->epoch_data_keys_future_count; i++)
+ for (uint16_t i = co->epoch_data_keys_future_count - num_keys_generate;
+ i < co->epoch_data_keys_future_count; i++)
{
CLEAR(co->epoch_data_keys_future[i]);
epoch_key_iterate(&co->epoch_key_recv);
@@ -280,8 +269,7 @@
}
void
-epoch_replace_update_recv_key(struct crypto_options *co,
- uint16_t new_epoch)
+epoch_replace_update_recv_key(struct crypto_options *co, uint16_t new_epoch)
{
/* Find the key of the new epoch in future keys */
uint16_t fki;
@@ -350,8 +338,7 @@
void
epoch_init_key_ctx(struct crypto_options *co, const struct key_type *key_type,
- const struct epoch_key *e1_send,
- const struct epoch_key *e1_recv,
+ const struct epoch_key *e1_send, const struct epoch_key *e1_recv,
uint16_t future_key_count)
{
ASSERT(e1_send->epoch == 1 && e1_recv->epoch == 1);
@@ -441,11 +428,9 @@
* decryption fail warn limit.
* */
else if (opt->key_ctx_bi.encrypt.epoch == opt->key_ctx_bi.decrypt.epoch
- && (aead_usage_limit_reached(opt->aead_usage_limit,
- &opt->key_ctx_bi.decrypt,
+ && (aead_usage_limit_reached(opt->aead_usage_limit, &opt->key_ctx_bi.decrypt,
opt->packet_id.rec.id)
- || cipher_decrypt_verify_fail_warn(&opt->key_ctx_bi.decrypt)
- ))
+ || cipher_decrypt_verify_fail_warn(&opt->key_ctx_bi.decrypt)))
{
/* Receive key limit reached. Increase our own send key to signal
* that we want to use a new epoch. Peer should then also move its
@@ -458,5 +443,4 @@
{
epoch_iterate_send_key(opt);
}
-
}
@@ -38,10 +38,8 @@
* @param out output keying material
* @param out_len length of output keying material
*/
-void
-ovpn_hkdf_expand(const uint8_t *secret,
- const uint8_t *info, int info_len,
- uint8_t *out, int out_len);
+void ovpn_hkdf_expand(const uint8_t *secret, const uint8_t *info, int info_len, uint8_t *out,
+ int out_len);
/**
* Variant of the RFC 8446 TLS 1.3 HKDF-Expand-Label function with the
@@ -60,11 +58,9 @@
* @param out_len length of output keying material
* @return
*/
-bool
-ovpn_expand_label(const uint8_t *secret, size_t secret_len,
- const uint8_t *label, size_t label_len,
- const uint8_t *context, size_t context_len,
- uint8_t *out, uint16_t out_len);
+bool ovpn_expand_label(const uint8_t *secret, size_t secret_len, const uint8_t *label,
+ size_t label_len, const uint8_t *context, size_t context_len, uint8_t *out,
+ uint16_t out_len);
/**
* Generate a data channel key pair from the epoch key
@@ -72,10 +68,8 @@
* @param epoch_key Epoch key to be used
* @param kt Cipher information to generate the data channel key for
*/
-void
-epoch_data_key_derive(struct key_parameters *key,
- const struct epoch_key *epoch_key,
- const struct key_type *kt);
+void epoch_data_key_derive(struct key_parameters *key, const struct epoch_key *epoch_key,
+ const struct key_type *kt);
/**
* Generates and fills the epoch_data_keys_future with next valid
@@ -90,8 +84,7 @@
* free the ones that are older than the crypto_options.key_ctx_bi.decrypt and
* generate the keys from the newer epoch.
*/
-void
-epoch_generate_future_receive_keys(struct crypto_options *co);
+void epoch_generate_future_receive_keys(struct crypto_options *co);
/** This is called when the peer uses a new send key that is not the default
@@ -102,21 +95,17 @@
* @param co crypto_options to update
* @param new_epoch the new epoch to use for the receive key
*/
-void
-epoch_replace_update_recv_key(struct crypto_options *co,
- uint16_t new_epoch);
+void epoch_replace_update_recv_key(struct crypto_options *co, uint16_t new_epoch);
/**
* Updates the send key and send_epoch_key in cryptio_options->key_ctx_bi to
* use the next epoch */
-void
-epoch_iterate_send_key(struct crypto_options *co);
+void epoch_iterate_send_key(struct crypto_options *co);
/**
* Frees the extra data structures used by epoch keys in \c crypto_options
*/
-void
-free_epoch_key_ctx(struct crypto_options *co);
+void free_epoch_key_ctx(struct crypto_options *co);
/**
* Initialises data channel keys and internal structures for epoch data keys
@@ -131,10 +120,9 @@
* @param future_key_count the number of future epoch keys that should be
* considered valid when receiving data from the peer
*/
-void
-epoch_init_key_ctx(struct crypto_options *co, const struct key_type *key_type,
- const struct epoch_key *e1_send, const struct epoch_key *e1_recv,
- uint16_t future_key_count);
+void epoch_init_key_ctx(struct crypto_options *co, const struct key_type *key_type,
+ const struct epoch_key *e1_send, const struct epoch_key *e1_recv,
+ uint16_t future_key_count);
/**
* Using an epoch, this function will try to retrieve a decryption
@@ -143,8 +131,7 @@
* @param epoch epoch of the key to lookup
* @return the key context with
*/
-struct key_ctx *
-epoch_lookup_decrypt_key(struct crypto_options *opt, uint16_t epoch);
+struct key_ctx *epoch_lookup_decrypt_key(struct crypto_options *opt, uint16_t epoch);
/**
* Checks if we need to iterate the send epoch key. This needs to be in one
@@ -153,8 +140,7 @@
* - send key aead usage limit reached (for AES-GCM and similar ciphers)
* - recv key usage limit reached
*/
-void
-epoch_check_send_iterate(struct crypto_options *opt);
+void epoch_check_send_iterate(struct crypto_options *opt);
#endif /* ifndef CRYPTO_EPOCH_H */
@@ -65,7 +65,7 @@
crypto_init_lib_engine(const char *engine_name)
{
msg(M_WARN, "Note: mbed TLS hardware crypto engine functionality is not "
- "available");
+ "available");
}
provider_t *
@@ -123,8 +123,7 @@
}
bool
-mbed_log_func_line(unsigned int flags, int errval, const char *func,
- int line)
+mbed_log_func_line(unsigned int flags, int errval, const char *func, int line)
{
char prefix[256];
@@ -203,8 +202,8 @@
const int *digests = mbedtls_md_list();
#ifndef ENABLE_SMALL
- printf("The following message digests are available for use with\n"
- PACKAGE_NAME ". A message digest is used in conjunction with\n"
+ printf("The following message digests are available for use with\n" PACKAGE_NAME
+ ". A message digest is used in conjunction with\n"
"the HMAC function, to authenticate received packets.\n"
"You can specify a message digest as parameter to\n"
"the --auth option.\n\n");
@@ -232,12 +231,12 @@
}
bool
-crypto_pem_encode(const char *name, struct buffer *dst,
- const struct buffer *src, struct gc_arena *gc)
+crypto_pem_encode(const char *name, struct buffer *dst, const struct buffer *src,
+ struct gc_arena *gc)
{
/* 1000 chars is the PEM line length limit (+1 for tailing NUL) */
- char header[1000+1] = { 0 };
- char footer[1000+1] = { 0 };
+ char header[1000 + 1] = { 0 };
+ char footer[1000 + 1] = { 0 };
if (!snprintf(header, sizeof(header), "-----BEGIN %s-----\n", name))
{
@@ -249,9 +248,8 @@
}
size_t out_len = 0;
- if (MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL !=
- mbedtls_pem_write_buffer(header, footer, BPTR(src), BLEN(src),
- NULL, 0, &out_len))
+ if (MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL
+ != mbedtls_pem_write_buffer(header, footer, BPTR(src), BLEN(src), NULL, 0, &out_len))
{
return false;
}
@@ -259,9 +257,9 @@
/* We set the size buf to out_len-1 to NOT include the 0 byte that
* mbedtls_pem_write_buffer in its length calculation */
*dst = alloc_buf_gc(out_len, gc);
- if (!mbed_ok(mbedtls_pem_write_buffer(header, footer, BPTR(src), BLEN(src),
- BPTR(dst), BCAP(dst), &out_len))
- || !buf_inc_len(dst, out_len-1))
+ if (!mbed_ok(mbedtls_pem_write_buffer(header, footer, BPTR(src), BLEN(src), BPTR(dst),
+ BCAP(dst), &out_len))
+ || !buf_inc_len(dst, out_len - 1))
{
CLEAR(*dst);
return false;
@@ -271,12 +269,11 @@
}
bool
-crypto_pem_decode(const char *name, struct buffer *dst,
- const struct buffer *src)
+crypto_pem_decode(const char *name, struct buffer *dst, const struct buffer *src)
{
/* 1000 chars is the PEM line length limit (+1 for tailing NUL) */
- char header[1000+1] = { 0 };
- char footer[1000+1] = { 0 };
+ char header[1000 + 1] = { 0 };
+ char footer[1000 + 1] = { 0 };
if (!snprintf(header, sizeof(header), "-----BEGIN %s-----", name))
{
@@ -296,8 +293,8 @@
size_t use_len = 0;
mbedtls_pem_context ctx = { 0 };
- bool ret = mbed_ok(mbedtls_pem_read_buffer(&ctx, header, footer, BPTR(&input),
- NULL, 0, &use_len));
+ bool ret =
+ mbed_ok(mbedtls_pem_read_buffer(&ctx, header, footer, BPTR(&input), NULL, 0, &use_len));
size_t buf_size = 0;
const unsigned char *buf = mbedtls_pem_get_buffer(&ctx, &buf_size);
if (ret && !buf_write(dst, buf, buf_size))
@@ -327,8 +324,8 @@
mbedtls_ctr_drbg_context *
rand_ctx_get(void)
{
- static mbedtls_entropy_context ec = {0};
- static mbedtls_ctr_drbg_context cd_ctx = {0};
+ static mbedtls_entropy_context ec = { 0 };
+ static mbedtls_ctr_drbg_context cd_ctx = { 0 };
static bool rand_initialised = false;
if (!rand_initialised)
@@ -341,14 +338,15 @@
* 800-90 section 8.7.1). We have very little information at this stage.
* Include Program Name, memory address of the context and PID.
*/
- buf_printf(&pers_string, "OpenVPN %0u %p %s", platform_getpid(), &cd_ctx, time_string(0, 0, 0, &gc));
+ buf_printf(&pers_string, "OpenVPN %0u %p %s", platform_getpid(), &cd_ctx,
+ time_string(0, 0, 0, &gc));
/* Initialise mbed TLS RNG, and built-in entropy sources */
mbedtls_entropy_init(&ec);
mbedtls_ctr_drbg_init(&cd_ctx);
- if (!mbed_ok(mbedtls_ctr_drbg_seed(&cd_ctx, mbedtls_entropy_func, &ec,
- BPTR(&pers_string), BLEN(&pers_string))))
+ if (!mbed_ok(mbedtls_ctr_drbg_seed(&cd_ctx, mbedtls_entropy_func, &ec, BPTR(&pers_string),
+ BLEN(&pers_string))))
{
msg(M_FATAL, "Failed to initialize random generator");
}
@@ -421,12 +419,14 @@
return false;
}
- const size_t key_bytelen = mbedtls_cipher_info_get_key_bitlen(cipher)/8;
+ const size_t key_bytelen = mbedtls_cipher_info_get_key_bitlen(cipher) / 8;
if (key_bytelen > MAX_CIPHER_KEY_LENGTH)
{
- msg(D_LOW, "Cipher algorithm '%s' uses a default key size (%zu bytes) "
+ msg(D_LOW,
+ "Cipher algorithm '%s' uses a default key size (%zu bytes) "
"which is larger than " PACKAGE_NAME "'s current maximum key size "
- "(%d bytes)", ciphername, key_bytelen, MAX_CIPHER_KEY_LENGTH);
+ "(%d bytes)",
+ ciphername, key_bytelen, MAX_CIPHER_KEY_LENGTH);
*reason = "disabled due to key size too large";
return false;
}
@@ -457,7 +457,7 @@
return 0;
}
- return (int)mbedtls_cipher_info_get_key_bitlen(cipher_kt)/8;
+ return (int)mbedtls_cipher_info_get_key_bitlen(cipher_kt) / 8;
}
int
@@ -506,7 +506,7 @@
#ifdef MBEDTLS_CHACHAPOLY_C
|| mbedtls_cipher_info_get_type(cipher_kt) == MBEDTLS_CIPHER_CHACHA20_POLY1305
#endif
- );
+ );
}
static mbedtls_cipher_mode_t
@@ -527,19 +527,21 @@
cipher_kt_mode_ofb_cfb(const char *ciphername)
{
const mbedtls_cipher_info_t *cipher = cipher_get(ciphername);
- return cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB
- || cipher_kt_mode(cipher) == OPENVPN_MODE_CFB);
+ return cipher
+ && (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB
+ || cipher_kt_mode(cipher) == OPENVPN_MODE_CFB);
}
bool
cipher_kt_mode_aead(const char *ciphername)
{
const mbedtls_cipher_info_t *cipher = cipher_get(ciphername);
- return cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_GCM
+ return cipher
+ && (cipher_kt_mode(cipher) == OPENVPN_MODE_GCM
#ifdef MBEDTLS_CHACHAPOLY_C
- || cipher_kt_mode(cipher) == MBEDTLS_MODE_CHACHAPOLY
+ || cipher_kt_mode(cipher) == MBEDTLS_MODE_CHACHAPOLY
#endif
- );
+ );
}
@@ -565,8 +567,8 @@
}
void
-cipher_ctx_init(mbedtls_cipher_context_t *ctx, const uint8_t *key,
- const char *ciphername, crypto_operation_t enc)
+cipher_ctx_init(mbedtls_cipher_context_t *ctx, const uint8_t *key, const char *ciphername,
+ crypto_operation_t enc)
{
ASSERT(NULL != ciphername && NULL != ctx);
CLEAR(*ctx);
@@ -611,7 +613,7 @@
return 0;
}
- if (!mbed_ok(mbedtls_cipher_write_tag(ctx, (unsigned char *) tag, tag_len)))
+ if (!mbed_ok(mbedtls_cipher_write_tag(ctx, (unsigned char *)tag, tag_len)))
{
return 0;
}
@@ -643,18 +645,20 @@
bool
cipher_ctx_mode_ofb_cfb(const cipher_ctx_t *ctx)
{
- return ctx && (cipher_ctx_mode(ctx) == OPENVPN_MODE_OFB
- || cipher_ctx_mode(ctx) == OPENVPN_MODE_CFB);
+ return ctx
+ && (cipher_ctx_mode(ctx) == OPENVPN_MODE_OFB
+ || cipher_ctx_mode(ctx) == OPENVPN_MODE_CFB);
}
bool
cipher_ctx_mode_aead(const cipher_ctx_t *ctx)
{
- return ctx && (cipher_ctx_mode(ctx) == OPENVPN_MODE_GCM
+ return ctx
+ && (cipher_ctx_mode(ctx) == OPENVPN_MODE_GCM
#ifdef MBEDTLS_CHACHAPOLY_C
- || cipher_ctx_mode(ctx) == MBEDTLS_MODE_CHACHAPOLY
+ || cipher_ctx_mode(ctx) == MBEDTLS_MODE_CHACHAPOLY
#endif
- );
+ );
}
int
@@ -690,13 +694,12 @@
}
int
-cipher_ctx_update(mbedtls_cipher_context_t *ctx, uint8_t *dst,
- int *dst_len, uint8_t *src, int src_len)
+cipher_ctx_update(mbedtls_cipher_context_t *ctx, uint8_t *dst, int *dst_len, uint8_t *src,
+ int src_len)
{
size_t s_dst_len = *dst_len;
- if (!mbed_ok(mbedtls_cipher_update(ctx, src, (size_t) src_len, dst,
- &s_dst_len)))
+ if (!mbed_ok(mbedtls_cipher_update(ctx, src, (size_t)src_len, dst, &s_dst_len)))
{
return 0;
}
@@ -722,8 +725,8 @@
}
int
-cipher_ctx_final_check_tag(mbedtls_cipher_context_t *ctx, uint8_t *dst,
- int *dst_len, uint8_t *tag, size_t tag_len)
+cipher_ctx_final_check_tag(mbedtls_cipher_context_t *ctx, uint8_t *dst, int *dst_len, uint8_t *tag,
+ size_t tag_len)
{
size_t olen = 0;
@@ -749,8 +752,7 @@
}
*dst_len = olen;
- if (!mbed_ok(mbedtls_cipher_check_tag(ctx, (const unsigned char *) tag,
- tag_len)))
+ if (!mbed_ok(mbedtls_cipher_check_tag(ctx, (const unsigned char *)tag, tag_len)))
{
return 0;
}
@@ -759,7 +761,6 @@
}
-
/*
*
* Generic message digest information functions
@@ -780,10 +781,10 @@
}
if (mbedtls_md_get_size(md) > MAX_HMAC_KEY_LENGTH)
{
- msg(M_FATAL, "Message hash algorithm '%s' uses a default hash size (%d bytes) which is larger than " PACKAGE_NAME "'s current maximum hash size (%d bytes)",
- digest,
- mbedtls_md_get_size(md),
- MAX_HMAC_KEY_LENGTH);
+ msg(M_FATAL,
+ "Message hash algorithm '%s' uses a default hash size (%d bytes) which is larger than " PACKAGE_NAME
+ "'s current maximum hash size (%d bytes)",
+ digest, mbedtls_md_get_size(md), MAX_HMAC_KEY_LENGTH);
}
return md;
}
@@ -791,7 +792,7 @@
bool
md_valid(const char *digest)
{
- const mbedtls_md_info_t *md = mbedtls_md_info_from_string(digest);
+ const mbedtls_md_info_t *md = mbedtls_md_info_from_string(digest);
return md != NULL;
}
@@ -966,8 +967,8 @@
* via its APIs like OpenSSL does with CRYPTO_memcmp
* Adapt the function that mbedtls itself uses in
* mbedtls_safer_memcmp as it considers that to be safe */
- volatile const unsigned char *A = (volatile const unsigned char *) a;
- volatile const unsigned char *B = (volatile const unsigned char *) b;
+ volatile const unsigned char *A = (volatile const unsigned char *)a;
+ volatile const unsigned char *B = (volatile const unsigned char *)b;
volatile unsigned char diff = 0;
for (size_t i = 0; i < size; i++)
@@ -982,12 +983,11 @@
* from recent versions, so we use our own implementation if necessary. */
#if defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1)
bool
-ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
- int secret_len, uint8_t *output, int output_len)
+ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len,
+ uint8_t *output, int output_len)
{
- return mbed_ok(mbedtls_ssl_tls_prf(MBEDTLS_SSL_TLS_PRF_TLS1, secret,
- secret_len, "", seed, seed_len, output,
- output_len));
+ return mbed_ok(mbedtls_ssl_tls_prf(MBEDTLS_SSL_TLS_PRF_TLS1, secret, secret_len, "", seed,
+ seed_len, output, output_len));
}
#else /* defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */
/*
@@ -1002,8 +1002,8 @@
* @param olen Length of the output buffer
*/
static void
-tls1_P_hash(const mbedtls_md_info_t *md_kt, const uint8_t *sec, int sec_len,
- const uint8_t *seed, int seed_len, uint8_t *out, int olen)
+tls1_P_hash(const mbedtls_md_info_t *md_kt, const uint8_t *sec, int sec_len, const uint8_t *seed,
+ int seed_len, uint8_t *out, int olen)
{
struct gc_arena gc = gc_new();
uint8_t A1[MAX_HMAC_KEY_LENGTH];
@@ -1037,7 +1037,7 @@
hmac_ctx_update(ctx, seed, seed_len);
hmac_ctx_final(ctx, A1);
- for (;; )
+ for (;;)
{
hmac_ctx_reset(ctx);
hmac_ctx_reset(ctx_tmp);
@@ -1052,7 +1052,7 @@
olen -= chunk;
hmac_ctx_final(ctx_tmp, A1); /* calc the next A1 value */
}
- else /* last one */
+ else /* last one */
{
hmac_ctx_final(ctx, A1);
memcpy(out, A1, olen);
@@ -1089,8 +1089,8 @@
* (2) The pre-master secret is generated by the client.
*/
bool
-ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec,
- int slen, uint8_t *out1, int olen)
+ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, int slen, uint8_t *out1,
+ int olen)
{
struct gc_arena gc = gc_new();
const md_kt_t *md5 = md_get("MD5");
@@ -1098,15 +1098,15 @@
uint8_t *out2 = (uint8_t *)gc_malloc(olen, false, &gc);
- int len = slen/2;
+ int len = slen / 2;
const uint8_t *S1 = sec;
const uint8_t *S2 = &(sec[len]);
- len += (slen&1); /* add for odd, make longer */
+ len += (slen & 1); /* add for odd, make longer */
tls1_P_hash(md5, S1, len, label, label_len, out1, olen);
tls1_P_hash(sha1, S2, len, label, label_len, out2, olen);
- for (int i = 0; i<olen; i++)
+ for (int i = 0; i < olen; i++)
{
out1[i] ^= out2[i];
}
@@ -50,32 +50,32 @@
typedef void provider_t;
/** Maximum length of an IV */
-#define OPENVPN_MAX_IV_LENGTH MBEDTLS_MAX_IV_LENGTH
+#define OPENVPN_MAX_IV_LENGTH MBEDTLS_MAX_IV_LENGTH
/** Cipher is in CBC mode */
-#define OPENVPN_MODE_CBC MBEDTLS_MODE_CBC
+#define OPENVPN_MODE_CBC MBEDTLS_MODE_CBC
/** Cipher is in OFB mode */
-#define OPENVPN_MODE_OFB MBEDTLS_MODE_OFB
+#define OPENVPN_MODE_OFB MBEDTLS_MODE_OFB
/** Cipher is in CFB mode */
-#define OPENVPN_MODE_CFB MBEDTLS_MODE_CFB
+#define OPENVPN_MODE_CFB MBEDTLS_MODE_CFB
/** Cipher is in GCM mode */
-#define OPENVPN_MODE_GCM MBEDTLS_MODE_GCM
+#define OPENVPN_MODE_GCM MBEDTLS_MODE_GCM
typedef mbedtls_operation_t crypto_operation_t;
/** Cipher should encrypt */
-#define OPENVPN_OP_ENCRYPT MBEDTLS_ENCRYPT
+#define OPENVPN_OP_ENCRYPT MBEDTLS_ENCRYPT
/** Cipher should decrypt */
-#define OPENVPN_OP_DECRYPT MBEDTLS_DECRYPT
+#define OPENVPN_OP_DECRYPT MBEDTLS_DECRYPT
-#define MD4_DIGEST_LENGTH 16
-#define MD5_DIGEST_LENGTH 16
-#define SHA_DIGEST_LENGTH 20
-#define SHA256_DIGEST_LENGTH 32
+#define MD4_DIGEST_LENGTH 16
+#define MD5_DIGEST_LENGTH 16
+#define SHA_DIGEST_LENGTH 20
+#define SHA256_DIGEST_LENGTH 32
/**
* Returns a singleton instance of the mbed TLS random number generator.
@@ -118,13 +118,11 @@
*
* @returns true if no errors are detected, false otherwise.
*/
-bool mbed_log_func_line(unsigned int flags, int errval, const char *func,
- int line);
+bool mbed_log_func_line(unsigned int flags, int errval, const char *func, int line);
/** Wraps mbed_log_func_line() to prevent function calls for non-errors */
static inline bool
-mbed_log_func_line_lite(unsigned int flags, int errval,
- const char *func, int line)
+mbed_log_func_line_lite(unsigned int flags, int errval, const char *func, int line)
{
if (errval)
{
@@ -145,7 +143,6 @@
*
* @returns true if no errors are detected, false otherwise.
*/
-#define mbed_ok(errval) \
- mbed_log_func_line_lite(D_CRYPT_ERRORS, errval, __func__, __LINE__)
+#define mbed_ok(errval) mbed_log_func_line_lite(D_CRYPT_ERRORS, errval, __func__, __LINE__)
#endif /* CRYPTO_MBEDTLS_H_ */
@@ -63,7 +63,7 @@
#ifdef _MSC_VER
/* mute ossl3 deprecation warnings treated as errors in msvc */
-#pragma warning(disable: 4996)
+#pragma warning(disable : 4996)
#endif
/*
@@ -118,22 +118,17 @@
ENGINE_register_all_complete();
return NULL;
}
- if ((e = ENGINE_by_id(engine)) == NULL
- && (e = try_load_engine(engine)) == NULL)
+ if ((e = ENGINE_by_id(engine)) == NULL && (e = try_load_engine(engine)) == NULL)
{
- crypto_msg(M_FATAL, "OpenSSL error: cannot load engine '%s'",
- engine);
+ crypto_msg(M_FATAL, "OpenSSL error: cannot load engine '%s'", engine);
}
if (!ENGINE_set_default(e, ENGINE_METHOD_ALL))
{
- crypto_msg(M_FATAL,
- "OpenSSL error: ENGINE_set_default failed on engine '%s'",
- engine);
+ crypto_msg(M_FATAL, "OpenSSL error: ENGINE_set_default failed on engine '%s'", engine);
}
- msg(M_INFO, "Initializing OpenSSL support for engine '%s'",
- ENGINE_get_id(e));
+ msg(M_INFO, "Initializing OpenSSL support for engine '%s'", ENGINE_get_id(e));
}
return e;
}
@@ -151,7 +146,7 @@
engine_persist = setup_engine(engine_name);
engine_initialized = true;
}
-#else /* if HAVE_OPENSSL_ENGINE */
+#else /* if HAVE_OPENSSL_ENGINE */
msg(M_WARN, "Note: OpenSSL hardware crypto engine functionality is not available");
#endif
}
@@ -167,7 +162,7 @@
crypto_msg(M_FATAL, "failed to load provider '%s'", provider);
}
return prov;
-#else /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+#else /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
msg(M_WARN, "Note: OpenSSL provider functionality is not available");
return NULL;
#endif
@@ -249,12 +244,13 @@
if (ERR_GET_REASON(err) == SSL_R_NO_SHARED_CIPHER)
{
msg(D_CRYPT_ERRORS, "TLS error: The server has no TLS ciphersuites "
- "in common with the client. Your --tls-cipher setting might be "
- "too restrictive.");
+ "in common with the client. Your --tls-cipher setting might be "
+ "too restrictive.");
}
else if (ERR_GET_REASON(err) == SSL_R_UNSUPPORTED_PROTOCOL)
{
- msg(D_CRYPT_ERRORS, "TLS error: Unsupported protocol. This typically "
+ msg(D_CRYPT_ERRORS,
+ "TLS error: Unsupported protocol. This typically "
"indicates that client and server have no common TLS version enabled. "
"This can be caused by mismatched tls-version-min and tls-version-max "
"options on client and server. "
@@ -270,8 +266,8 @@
}
else
{
- msg(flags, "OpenSSL: %s:%s:%s:%d:%s", ERR_error_string(err, NULL),
- data, file, line, func);
+ msg(flags, "OpenSSL: %s:%s:%s:%d:%s", ERR_error_string(err, NULL), data, file, line,
+ func);
}
}
}
@@ -307,9 +303,7 @@
void
crypto_init_dmalloc(void)
{
- CRYPTO_set_mem_ex_functions(crypto_malloc,
- crypto_realloc,
- crypto_free);
+ CRYPTO_set_mem_ex_functions(crypto_malloc, crypto_realloc, crypto_free);
}
#endif /* DMALLOC */
@@ -332,7 +326,8 @@
return strcmp(EVP_CIPHER_get0_name(*cipher_a), EVP_CIPHER_get0_name(*cipher_b));
}
-struct collect_ciphers {
+struct collect_ciphers
+{
/* If we ever exceed this, we must be more selective */
const EVP_CIPHER *list[1000];
size_t num;
@@ -354,12 +349,12 @@
const char *ciphername = EVP_CIPHER_get0_name(cipher);
- if (ciphername && (cipher_kt_mode_cbc(ciphername)
+ if (ciphername
+ && (cipher_kt_mode_cbc(ciphername)
#ifdef ENABLE_OFB_CFB_MODE
- || cipher_kt_mode_ofb_cfb(ciphername)
+ || cipher_kt_mode_ofb_cfb(ciphername)
#endif
- || cipher_kt_mode_aead(ciphername)
- ))
+ || cipher_kt_mode_aead(ciphername)))
{
cipher_list->list[cipher_list->num++] = cipher;
}
@@ -393,17 +388,18 @@
{
cipher = EVP_get_cipherbyname(name);
}
-#else /* if defined(LIBRESSL_VERSION_NUMBER) */
+#else /* if defined(LIBRESSL_VERSION_NUMBER) */
const EVP_CIPHER *cipher = EVP_get_cipherbynid(nid);
#endif
/* We cast the const away so we can keep the function prototype
* compatible with EVP_CIPHER_do_all_provided */
- collect_ciphers((EVP_CIPHER *) cipher, &cipher_list);
+ collect_ciphers((EVP_CIPHER *)cipher, &cipher_list);
}
#endif
/* cast to non-const to prevent warning */
- qsort((EVP_CIPHER *)cipher_list.list, cipher_list.num, sizeof(*cipher_list.list), cipher_name_cmp);
+ qsort((EVP_CIPHER *)cipher_list.list, cipher_list.num, sizeof(*cipher_list.list),
+ cipher_name_cmp);
for (size_t i = 0; i < cipher_list.num; i++)
{
@@ -436,8 +432,8 @@
show_available_digests(void)
{
#ifndef ENABLE_SMALL
- printf("The following message digests are available for use with\n"
- PACKAGE_NAME ". A message digest is used in conjunction with\n"
+ printf("The following message digests are available for use with\n" PACKAGE_NAME
+ ". A message digest is used in conjunction with\n"
"the HMAC function, to authenticate received packets.\n"
"You can specify a message digest as parameter to\n"
"the --auth option.\n");
@@ -486,21 +482,19 @@
e = ENGINE_get_first();
while (e)
{
- printf("%s [%s]\n",
- ENGINE_get_name(e),
- ENGINE_get_id(e));
+ printf("%s [%s]\n", ENGINE_get_name(e), ENGINE_get_id(e));
e = ENGINE_get_next(e);
}
ENGINE_cleanup();
-#else /* if HAVE_OPENSSL_ENGINE */
+#else /* if HAVE_OPENSSL_ENGINE */
printf("Sorry, OpenSSL hardware crypto engine functionality is not available.\n");
#endif
}
bool
-crypto_pem_encode(const char *name, struct buffer *dst,
- const struct buffer *src, struct gc_arena *gc)
+crypto_pem_encode(const char *name, struct buffer *dst, const struct buffer *src,
+ struct gc_arena *gc)
{
bool ret = false;
BIO *bio = BIO_new(BIO_s_mem());
@@ -527,8 +521,7 @@
}
bool
-crypto_pem_decode(const char *name, struct buffer *dst,
- const struct buffer *src)
+crypto_pem_decode(const char *name, struct buffer *dst, const struct buffer *src)
{
bool ret = false;
@@ -542,8 +535,7 @@
char *header_read = NULL;
uint8_t *data_read = NULL;
long data_read_len = 0;
- if (!PEM_read_bio(bio, &name_read, &header_read, &data_read,
- &data_read_len))
+ if (!PEM_read_bio(bio, &name_read, &header_read, &data_read, &data_read_len))
{
dmsg(D_CRYPT_ERRORS, "%s: PEM decode failed", __func__);
goto cleanup;
@@ -551,17 +543,16 @@
if (strcmp(name, name_read))
{
- dmsg(D_CRYPT_ERRORS,
- "%s: unexpected PEM name (got '%s', expected '%s')",
- __func__, name_read, name);
+ dmsg(D_CRYPT_ERRORS, "%s: unexpected PEM name (got '%s', expected '%s')", __func__,
+ name_read, name);
goto cleanup;
}
uint8_t *dst_data = buf_write_alloc(dst, data_read_len);
if (!dst_data)
{
- dmsg(D_CRYPT_ERRORS, "%s: dst too small (%i, needs %li)", __func__,
- BCAP(dst), data_read_len);
+ dmsg(D_CRYPT_ERRORS, "%s: dst too small (%i, needs %li)", __func__, BCAP(dst),
+ data_read_len);
goto cleanup;
}
memcpy(dst_data, data_read, data_read_len);
@@ -632,18 +623,21 @@
if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
{
- msg(D_LOW, "Cipher algorithm '%s' is known by OpenSSL library but "
- "currently disabled by running in FIPS mode.", ciphername);
+ msg(D_LOW,
+ "Cipher algorithm '%s' is known by OpenSSL library but "
+ "currently disabled by running in FIPS mode.",
+ ciphername);
*reason = "disabled by FIPS mode";
goto out;
}
#endif
if (EVP_CIPHER_key_length(cipher) > MAX_CIPHER_KEY_LENGTH)
{
- msg(D_LOW, "Cipher algorithm '%s' uses a default key size (%d bytes) "
+ msg(D_LOW,
+ "Cipher algorithm '%s' uses a default key size (%d bytes) "
"which is larger than " PACKAGE_NAME "'s current maximum key size "
- "(%d bytes)", ciphername, EVP_CIPHER_key_length(cipher),
- MAX_CIPHER_KEY_LENGTH);
+ "(%d bytes)",
+ ciphername, EVP_CIPHER_key_length(cipher), MAX_CIPHER_KEY_LENGTH);
*reason = "disabled due to key size too large";
goto out;
}
@@ -758,7 +752,6 @@
bool
cipher_kt_insecure(const char *ciphername)
{
-
if (cipher_kt_block_size(ciphername) >= 128 / 8)
{
return false;
@@ -790,12 +783,13 @@
{
evp_cipher_type *cipher = cipher_get(ciphername);
- bool ret = cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_CBC
- /* Exclude AEAD cipher modes, they require a different API */
+ bool ret = cipher
+ && (cipher_kt_mode(cipher) == OPENVPN_MODE_CBC
+ /* Exclude AEAD cipher modes, they require a different API */
#ifdef EVP_CIPH_FLAG_CTS
- && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS)
+ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS)
#endif
- && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER));
+ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER));
EVP_CIPHER_free(cipher);
return ret;
}
@@ -804,8 +798,9 @@
cipher_kt_mode_ofb_cfb(const char *ciphername)
{
evp_cipher_type *cipher = cipher_get(ciphername);
- bool ofb_cfb = cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB
- || cipher_kt_mode(cipher) == OPENVPN_MODE_CFB)
+ bool ofb_cfb = cipher
+ && (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB
+ || cipher_kt_mode(cipher) == OPENVPN_MODE_CFB)
/* Exclude AEAD cipher modes, they require a different API */
&& !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER);
EVP_CIPHER_free(cipher);
@@ -828,7 +823,7 @@
#ifdef NID_chacha20_poly1305
if (EVP_CIPHER_nid(cipher) == NID_chacha20_poly1305)
{
- isaead = true;
+ isaead = true;
}
#endif
}
@@ -859,8 +854,8 @@
}
void
-cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key,
- const char *ciphername, crypto_operation_t enc)
+cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, const char *ciphername,
+ crypto_operation_t enc)
{
ASSERT(NULL != ciphername && NULL != ctx);
evp_cipher_type *kt = cipher_get(ciphername);
@@ -913,7 +908,7 @@
int mode = EVP_CIPHER_CTX_mode(ctx);
return mode == EVP_CIPH_CBC_MODE
- /* Exclude AEAD cipher modes, they require a different API */
+ /* Exclude AEAD cipher modes, they require a different API */
#ifdef EVP_CIPH_FLAG_CTS
&& !(flags & EVP_CIPH_FLAG_CTS)
#endif
@@ -976,8 +971,7 @@
}
int
-cipher_ctx_update(EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len,
- uint8_t *src, int src_len)
+cipher_ctx_update(EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len, uint8_t *src, int src_len)
{
if (!EVP_CipherUpdate(ctx, dst, dst_len, src, src_len))
{
@@ -993,8 +987,8 @@
}
int
-cipher_ctx_final_check_tag(EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len,
- uint8_t *tag, size_t tag_len)
+cipher_ctx_final_check_tag(EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len, uint8_t *tag,
+ size_t tag_len)
{
ASSERT(tag_len < SIZE_MAX);
if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, tag))
@@ -1025,7 +1019,8 @@
}
if (EVP_MD_size(md) > MAX_HMAC_KEY_LENGTH)
{
- crypto_msg(M_FATAL, "Message hash algorithm '%s' uses a default hash "
+ crypto_msg(M_FATAL,
+ "Message hash algorithm '%s' uses a default hash "
"size (%d bytes) which is larger than " PACKAGE_NAME "'s current "
"maximum hash size (%d bytes)",
digest, EVP_MD_size(md), MAX_HMAC_KEY_LENGTH);
@@ -1051,17 +1046,12 @@
* this translation table for forward lookup, only for returning the name
* with md_kt_name() */
const cipher_name_pair digest_name_translation_table[] = {
- { "BLAKE2s256", "BLAKE2S-256"},
- { "BLAKE2b512", "BLAKE2B-512"},
- { "RIPEMD160", "RIPEMD-160" },
- { "SHA224", "SHA2-224"},
- { "SHA256", "SHA2-256"},
- { "SHA384", "SHA2-384"},
- { "SHA512", "SHA2-512"},
- { "SHA512-224", "SHA2-512/224"},
- { "SHA512-256", "SHA2-512/256"},
- { "SHAKE128", "SHAKE-128"},
- { "SHAKE256", "SHAKE-256"},
+ { "BLAKE2s256", "BLAKE2S-256" }, { "BLAKE2b512", "BLAKE2B-512" },
+ { "RIPEMD160", "RIPEMD-160" }, { "SHA224", "SHA2-224" },
+ { "SHA256", "SHA2-256" }, { "SHA384", "SHA2-384" },
+ { "SHA512", "SHA2-512" }, { "SHA512-224", "SHA2-512/224" },
+ { "SHA512-256", "SHA2-512/256" }, { "SHAKE128", "SHAKE-128" },
+ { "SHAKE256", "SHAKE-256" },
};
const size_t digest_name_translation_table_count =
sizeof(digest_name_translation_table) / sizeof(*digest_name_translation_table);
@@ -1098,7 +1088,7 @@
return 0;
}
evp_md_type *kt = md_get(mdname);
- unsigned char size = (unsigned char)EVP_MD_size(kt);
+ unsigned char size = (unsigned char)EVP_MD_size(kt);
EVP_MD_free(kt);
return size;
}
@@ -1286,10 +1276,8 @@
* only used for lookup so we cast (as OpenSSL also does internally)
* the constness away here.
*/
- ctx->params[0] = OSSL_PARAM_construct_utf8_string("digest",
- (char *) EVP_MD_get0_name(kt), 0);
- ctx->params[1] = OSSL_PARAM_construct_octet_string("key",
- ctx->key, EVP_MD_size(kt));
+ ctx->params[0] = OSSL_PARAM_construct_utf8_string("digest", (char *)EVP_MD_get0_name(kt), 0);
+ ctx->params[1] = OSSL_PARAM_construct_octet_string("key", ctx->key, EVP_MD_size(kt));
ctx->params[2] = OSSL_PARAM_construct_end();
if (!EVP_MAC_init(ctx->ctx, NULL, 0, ctx->params))
@@ -1348,8 +1336,8 @@
}
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) && !defined(LIBRESSL_VERSION_NUMBER)
bool
-ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
- int secret_len, uint8_t *output, int output_len)
+ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len,
+ uint8_t *output, int output_len)
{
bool ret = true;
EVP_KDF_CTX *kctx = NULL;
@@ -1372,18 +1360,18 @@
/* The OpenSSL APIs require us to cast the const aways even though the
* strings are never changed and only read */
- params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
- SN_md5_sha1, strlen(SN_md5_sha1));
- params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
- (uint8_t *) secret, (size_t) secret_len);
- params[2] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
- (uint8_t *) seed, (size_t) seed_len);
+ params[0] =
+ OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, SN_md5_sha1, strlen(SN_md5_sha1));
+ params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, (uint8_t *)secret,
+ (size_t)secret_len);
+ params[2] =
+ OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, (uint8_t *)seed, (size_t)seed_len);
params[3] = OSSL_PARAM_construct_end();
if (EVP_KDF_derive(kctx, output, output_len, params) <= 0)
{
crypto_msg(D_TLS_DEBUG_LOW, "Generating TLS 1.0 PRF using "
- "EVP_KDF_derive failed");
+ "EVP_KDF_derive failed");
goto err;
}
@@ -1399,15 +1387,15 @@
}
#elif defined(OPENSSL_IS_AWSLC)
bool
-ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec,
- int slen, uint8_t *out1, int olen)
+ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, int slen, uint8_t *out1,
+ int olen)
{
CRYPTO_tls1_prf(EVP_md5_sha1(), out1, olen, sec, slen, label, label_len, NULL, 0, NULL, 0);
}
#elif !defined(LIBRESSL_VERSION_NUMBER) && !defined(ENABLE_CRYPTO_WOLFSSL)
bool
-ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
- int secret_len, uint8_t *output, int output_len)
+ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len,
+ uint8_t *output, int output_len)
{
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
if (!pctx)
@@ -1455,8 +1443,8 @@
* OpenSSL does. As result they will only be able to support
* peers that support TLS EKM like when running with OpenSSL 3.x FIPS */
bool
-ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec,
- int slen, uint8_t *out1, int olen)
+ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, int slen, uint8_t *out1,
+ int olen)
{
return false;
}
@@ -50,7 +50,8 @@
/* Use a dummy type for the provider */
typedef void provider_t;
#else
-typedef struct {
+typedef struct
+{
OSSL_PARAM params[3];
uint8_t key[EVP_MAX_KEY_LENGTH];
EVP_MAC_CTX *ctx;
@@ -71,29 +72,29 @@
#endif
/** Maximum length of an IV */
-#define OPENVPN_MAX_IV_LENGTH EVP_MAX_IV_LENGTH
+#define OPENVPN_MAX_IV_LENGTH EVP_MAX_IV_LENGTH
/** Cipher is in CBC mode */
-#define OPENVPN_MODE_CBC EVP_CIPH_CBC_MODE
+#define OPENVPN_MODE_CBC EVP_CIPH_CBC_MODE
/** Cipher is in OFB mode */
-#define OPENVPN_MODE_OFB EVP_CIPH_OFB_MODE
+#define OPENVPN_MODE_OFB EVP_CIPH_OFB_MODE
/** Cipher is in CFB mode */
-#define OPENVPN_MODE_CFB EVP_CIPH_CFB_MODE
+#define OPENVPN_MODE_CFB EVP_CIPH_CFB_MODE
/** Cipher is in GCM mode */
-#define OPENVPN_MODE_GCM EVP_CIPH_GCM_MODE
+#define OPENVPN_MODE_GCM EVP_CIPH_GCM_MODE
typedef int crypto_operation_t;
/** Cipher should encrypt */
-#define OPENVPN_OP_ENCRYPT 1
+#define OPENVPN_OP_ENCRYPT 1
/** Cipher should decrypt */
-#define OPENVPN_OP_DECRYPT 0
+#define OPENVPN_OP_DECRYPT 0
-#define MD4_DIGEST_LENGTH 16
+#define MD4_DIGEST_LENGTH 16
/**
* Retrieve any occurred OpenSSL errors and print those errors.
@@ -112,10 +113,11 @@
* @param flags Flags to indicate error type and priority.
* @param ... Format string and optional format arguments
*/
-#define crypto_msg(flags, ...) \
- do { \
+#define crypto_msg(flags, ...) \
+ do \
+ { \
crypto_print_openssl_errors(nonfatal(flags)); \
- msg((flags), __VA_ARGS__); \
+ msg((flags), __VA_ARGS__); \
} while (false)
#endif /* CRYPTO_OPENSSL_H_ */
@@ -62,11 +62,12 @@
return 0;
}
-#else /* HAVE_XKEY_PROVIDER */
+#else /* HAVE_XKEY_PROVIDER */
static XKEY_EXTERNAL_SIGN_fn xkey_cng_sign;
-typedef struct _CAPI_DATA {
+typedef struct _CAPI_DATA
+{
const CERT_CONTEXT *cert_context;
HCRYPTPROV_OR_NCRYPT_KEY_HANDLE crypt_prov;
EVP_PKEY *pubkey;
@@ -112,7 +113,7 @@
break;
default:
- msg(M_WARN|M_INFO, "cryptoapicert: Unknown hash type NID=0x%x", md_type);
+ msg(M_WARN | M_INFO, "cryptoapicert: Unknown hash type NID=0x%x", md_type);
break;
}
return alg;
@@ -157,7 +158,7 @@
parse_hexstring(const char *p, unsigned char *arr, size_t capacity)
{
int i = 0;
- for ( ; *p && i < capacity; p += 2)
+ for (; *p && i < capacity; p += 2)
{
/* skip spaces */
while (*p == ' ')
@@ -169,8 +170,7 @@
break;
}
- if (!isxdigit(p[0]) || !isxdigit(p[1])
- || sscanf(p, "%2hhx", &arr[i++]) != 1)
+ if (!isxdigit(p[0]) || !isxdigit(p[1]) || sscanf(p, "%2hhx", &arr[i++]) != 1)
{
return 0;
}
@@ -179,21 +179,21 @@
}
static void *
-decode_object(struct gc_arena *gc, LPCSTR struct_type,
- const CRYPT_OBJID_BLOB *val, DWORD flags, DWORD *cb)
+decode_object(struct gc_arena *gc, LPCSTR struct_type, const CRYPT_OBJID_BLOB *val, DWORD flags,
+ DWORD *cb)
{
/* get byte count for decoding */
BYTE *buf;
- if (!CryptDecodeObject(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, struct_type,
- val->pbData, val->cbData, flags, NULL, cb))
+ if (!CryptDecodeObject(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, struct_type, val->pbData,
+ val->cbData, flags, NULL, cb))
{
return NULL;
}
/* do the actual decode */
buf = gc_malloc(*cb, false, gc);
- if (!CryptDecodeObject(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, struct_type,
- val->pbData, val->cbData, flags, buf, cb))
+ if (!CryptDecodeObject(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, struct_type, val->pbData,
+ val->cbData, flags, buf, cb))
{
return NULL;
}
@@ -243,8 +243,8 @@
return true;
}
- const CRYPT_OID_INFO *tmpl_oid = find_oid(CRYPT_OID_INFO_NAME_KEY, tmpl_name,
- CRYPT_TEMPLATE_OID_GROUP_ID);
+ const CRYPT_OID_INFO *tmpl_oid =
+ find_oid(CRYPT_OID_INFO_NAME_KEY, tmpl_name, CRYPT_TEMPLATE_OID_GROUP_ID);
if (tmpl_oid && !stricmp(tmpl_oid->pszOID, cte->pszObjId))
{
/* found OID match in extension against resolved key */
@@ -274,7 +274,7 @@
DWORD find_type;
const void *find_param;
unsigned char hash[255];
- CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash};
+ CRYPT_HASH_BLOB blob = { .cbData = 0, .pbData = hash };
struct gc_arena gc = gc_new();
if (!strncmp(cert_prop, "SUBJ:", 5))
@@ -296,7 +296,7 @@
blob.cbData = parse_hexstring(cert_prop + 6, hash, sizeof(hash));
if (blob.cbData == 0)
{
- msg(M_WARN|M_INFO, "WARNING: cryptoapicert: error parsing <%s>.", cert_prop);
+ msg(M_WARN | M_INFO, "WARNING: cryptoapicert: error parsing <%s>.", cert_prop);
goto out;
}
}
@@ -308,7 +308,8 @@
}
else
{
- msg(M_NONFATAL, "Error in cryptoapicert: unsupported certificate specification <%s>", cert_prop);
+ msg(M_NONFATAL, "Error in cryptoapicert: unsupported certificate specification <%s>",
+ cert_prop);
goto out;
}
@@ -316,15 +317,14 @@
{
int validity = 1;
/* this frees previous rv, if not NULL */
- rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
- 0, find_type, find_param, rv);
+ rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0,
+ find_type, find_param, rv);
if (!rv)
{
break;
}
/* if searching by template name, check now if it matches */
- if (find_type == CERT_FIND_HAS_PRIVATE_KEY
- && !test_certificate_template(cert_prop, rv))
+ if (find_type == CERT_FIND_HAS_PRIVATE_KEY && !test_certificate_template(cert_prop, rv))
{
continue;
}
@@ -333,7 +333,7 @@
{
break;
}
- msg(M_WARN|M_INFO, "WARNING: cryptoapicert: ignoring certificate in store %s.",
+ msg(M_WARN | M_INFO, "WARNING: cryptoapicert: ignoring certificate in store %s.",
validity < 0 ? "not yet valid" : "that has expired");
}
@@ -356,12 +356,12 @@
if (status != ERROR_SUCCESS)
{
SetLastError(status);
- msg(M_NONFATAL|M_ERRNO, "Error in cryptoapicert: ECDSA signature using CNG failed.");
+ msg(M_NONFATAL | M_ERRNO, "Error in cryptoapicert: ECDSA signature using CNG failed.");
return 0;
}
/* NCryptSignHash returns r|s -- convert to DER encoded buffer expected by OpenSSL */
- int derlen = ecdsa_bin2der(sig, (int) len, *siglen);
+ int derlen = ecdsa_bin2der(sig, (int)len, *siglen);
if (derlen <= 0)
{
return 0;
@@ -396,9 +396,9 @@
{
msg(D_LOW, "Signing using NCryptSignHash with PKCS1 padding: hashalg <%s>", sigalg.mdname);
- BCRYPT_PKCS1_PADDING_INFO padinfo = {hashalg};
- status = NCryptSignHash(cd->crypt_prov, &padinfo, (BYTE *)tbs, (DWORD)tbslen,
- sig, (DWORD)*siglen, &len, BCRYPT_PAD_PKCS1);
+ BCRYPT_PKCS1_PADDING_INFO padinfo = { hashalg };
+ status = NCryptSignHash(cd->crypt_prov, &padinfo, (BYTE *)tbs, (DWORD)tbslen, sig,
+ (DWORD)*siglen, &len, BCRYPT_PAD_PKCS1);
}
else if (!strcmp(sigalg.padmode, "pss"))
{
@@ -416,9 +416,10 @@
msg(D_LOW, "Signing using NCryptSignHash with PSS padding: hashalg <%s>, saltlen <%d>",
sigalg.mdname, saltlen);
- BCRYPT_PSS_PADDING_INFO padinfo = {hashalg, (DWORD) saltlen}; /* cast is safe as saltlen >= 0 */
- status = NCryptSignHash(cd->crypt_prov, &padinfo, (BYTE *)tbs, (DWORD) tbslen,
- sig, (DWORD)*siglen, &len, BCRYPT_PAD_PSS);
+ BCRYPT_PSS_PADDING_INFO padinfo = { hashalg,
+ (DWORD)saltlen }; /* cast is safe as saltlen >= 0 */
+ status = NCryptSignHash(cd->crypt_prov, &padinfo, (BYTE *)tbs, (DWORD)tbslen, sig,
+ (DWORD)*siglen, &len, BCRYPT_PAD_PSS);
}
else
{
@@ -429,7 +430,7 @@
if (status != ERROR_SUCCESS)
{
SetLastError(status);
- msg(M_NONFATAL|M_ERRNO, "Error in cryptoapicert: RSA signature using CNG failed.");
+ msg(M_NONFATAL | M_ERRNO, "Error in cryptoapicert: RSA signature using CNG failed.");
return 0;
}
@@ -484,7 +485,7 @@
char *name = NULL;
if (len)
{
- wchar_t *wname = gc_malloc(len*sizeof(wchar_t), false, gc);
+ wchar_t *wname = gc_malloc(len * sizeof(wchar_t), false, gc);
if (!wname
|| CertGetNameStringW(cc, CERT_NAME_FRIENDLY_DISPLAY_TYPE, 0, NULL, wname, len) == 0)
{
@@ -504,7 +505,6 @@
static int
Load_CryptoAPI_certificate(const char *cert_prop, X509 **cert, EVP_PKEY **privkey)
{
-
HCERTSTORE cs;
CAPI_DATA *cd = calloc(1, sizeof(*cd));
struct gc_arena gc = gc_new();
@@ -515,29 +515,35 @@
goto err;
}
/* search CURRENT_USER first, then LOCAL_MACHINE */
- cs = CertOpenStore((LPCSTR) CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_CURRENT_USER
- |CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG, L"MY");
+ cs = CertOpenStore((LPCSTR)CERT_STORE_PROV_SYSTEM, 0, 0,
+ CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_OPEN_EXISTING_FLAG
+ | CERT_STORE_READONLY_FLAG,
+ L"MY");
if (cs == NULL)
{
- msg(M_NONFATAL|M_ERRNO, "Error in cryptoapicert: failed to open user certficate store");
+ msg(M_NONFATAL | M_ERRNO, "Error in cryptoapicert: failed to open user certficate store");
goto err;
}
cd->cert_context = find_certificate_in_store(cert_prop, cs);
CertCloseStore(cs, 0);
if (!cd->cert_context)
{
- cs = CertOpenStore((LPCSTR) CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_LOCAL_MACHINE
- |CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG, L"MY");
+ cs = CertOpenStore((LPCSTR)CERT_STORE_PROV_SYSTEM, 0, 0,
+ CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_OPEN_EXISTING_FLAG
+ | CERT_STORE_READONLY_FLAG,
+ L"MY");
if (cs == NULL)
{
- msg(M_NONFATAL|M_ERRNO, "Error in cryptoapicert: failed to open machine certficate store");
+ msg(M_NONFATAL | M_ERRNO,
+ "Error in cryptoapicert: failed to open machine certficate store");
goto err;
}
cd->cert_context = find_certificate_in_store(cert_prop, cs);
CertCloseStore(cs, 0);
if (cd->cert_context == NULL)
{
- msg(M_NONFATAL, "Error in cryptoapicert: certificate matching <%s> not found", cert_prop);
+ msg(M_NONFATAL, "Error in cryptoapicert: certificate matching <%s> not found",
+ cert_prop);
goto err;
}
}
@@ -550,7 +556,7 @@
}
/* cert_context->pbCertEncoded is the cert X509 DER encoded. */
- *cert = d2i_X509(NULL, (const unsigned char **) &cd->cert_context->pbCertEncoded,
+ *cert = d2i_X509(NULL, (const unsigned char **)&cd->cert_context->pbCertEncoded,
cd->cert_context->cbCertEncoded);
if (*cert == NULL)
{
@@ -560,13 +566,13 @@
/* set up stuff to use the private key */
/* We support NCRYPT key handles only */
- DWORD flags = CRYPT_ACQUIRE_COMPARE_KEY_FLAG
- | CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG;
- if (!CryptAcquireCertificatePrivateKey(cd->cert_context, flags, NULL,
- &cd->crypt_prov, &cd->key_spec, &cd->free_crypt_prov))
+ DWORD flags = CRYPT_ACQUIRE_COMPARE_KEY_FLAG | CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG;
+ if (!CryptAcquireCertificatePrivateKey(cd->cert_context, flags, NULL, &cd->crypt_prov,
+ &cd->key_spec, &cd->free_crypt_prov))
{
/* private key may be in a token not available, or incompatible with CNG */
- msg(M_NONFATAL|M_ERRNO, "Error in cryptoapicert: failed to acquire key. Key not present or "
+ msg(M_NONFATAL | M_ERRNO,
+ "Error in cryptoapicert: failed to acquire key. Key not present or "
"is in a legacy token not supported by Windows CNG API");
X509_free(*cert);
goto err;
@@ -576,8 +582,8 @@
EVP_PKEY *pkey = X509_get_pubkey(*cert);
cd->pubkey = pkey; /* will be freed with cd */
- *privkey = xkey_load_generic_key(tls_libctx, cd, pkey,
- xkey_cng_sign, (XKEY_PRIVKEY_FREE_fn *) CAPI_DATA_free);
+ *privkey = xkey_load_generic_key(tls_libctx, cd, pkey, xkey_cng_sign,
+ (XKEY_PRIVKEY_FREE_fn *)CAPI_DATA_free);
gc_free(&gc);
return 1; /* do not free cd -- its kept by xkey provider */
@@ -598,8 +604,7 @@
{
return ret;
}
- if (SSL_CTX_use_certificate(ssl_ctx, cert)
- && SSL_CTX_use_PrivateKey(ssl_ctx, privkey))
+ if (SSL_CTX_use_certificate(ssl_ctx, cert) && SSL_CTX_use_PrivateKey(ssl_ctx, privkey))
{
crypto_print_openssl_errors(M_WARN);
ret = 1;
@@ -612,5 +617,5 @@
return ret;
}
-#endif /* HAVE_XKEY_PROVIDER */
-#endif /* _WIN32 */
+#endif /* HAVE_XKEY_PROVIDER */
+#endif /* _WIN32 */
@@ -51,14 +51,13 @@
#endif
static int
-dco_install_key(struct tls_multi *multi, struct key_state *ks,
- const uint8_t *encrypt_key, const uint8_t *encrypt_iv,
- const uint8_t *decrypt_key, const uint8_t *decrypt_iv,
+dco_install_key(struct tls_multi *multi, struct key_state *ks, const uint8_t *encrypt_key,
+ const uint8_t *encrypt_iv, const uint8_t *decrypt_key, const uint8_t *decrypt_iv,
const char *ciphername)
{
- msg(D_DCO_DEBUG, "%s: peer_id=%d keyid=%d, currently %d keys installed",
- __func__, multi->dco_peer_id, ks->key_id, multi->dco_keys_installed);
+ msg(D_DCO_DEBUG, "%s: peer_id=%d keyid=%d, currently %d keys installed", __func__,
+ multi->dco_peer_id, ks->key_id, multi->dco_keys_installed);
/* Install a key in the PRIMARY slot only when no other key exist.
* From that moment on, any new key will be installed in the SECONDARY
@@ -71,33 +70,27 @@
slot = OVPN_KEY_SLOT_SECONDARY;
}
- int ret = dco_new_key(multi->dco, multi->dco_peer_id, ks->key_id, slot,
- encrypt_key, encrypt_iv,
- decrypt_key, decrypt_iv,
- ciphername);
+ int ret = dco_new_key(multi->dco, multi->dco_peer_id, ks->key_id, slot, encrypt_key, encrypt_iv,
+ decrypt_key, decrypt_iv, ciphername);
if ((ret == 0) && (multi->dco_keys_installed < 2))
{
multi->dco_keys_installed++;
- ks->dco_status = (slot == OVPN_KEY_SLOT_PRIMARY) ? DCO_INSTALLED_PRIMARY :
- DCO_INSTALLED_SECONDARY;
+ ks->dco_status =
+ (slot == OVPN_KEY_SLOT_PRIMARY) ? DCO_INSTALLED_PRIMARY : DCO_INSTALLED_SECONDARY;
}
return ret;
}
int
-init_key_dco_bi(struct tls_multi *multi, struct key_state *ks,
- const struct key2 *key2, int key_direction,
- const char *ciphername, bool server)
+init_key_dco_bi(struct tls_multi *multi, struct key_state *ks, const struct key2 *key2,
+ int key_direction, const char *ciphername, bool server)
{
struct key_direction_state kds;
key_direction_state_init(&kds, key_direction);
- return dco_install_key(multi, ks,
- key2->keys[kds.out_key].cipher,
- key2->keys[(int)server].hmac,
- key2->keys[kds.in_key].cipher,
- key2->keys[1 - (int)server].hmac,
+ return dco_install_key(multi, ks, key2->keys[kds.out_key].cipher, key2->keys[(int)server].hmac,
+ key2->keys[kds.in_key].cipher, key2->keys[1 - (int)server].hmac,
ciphername);
}
@@ -183,13 +176,15 @@
{
if (secondary)
{
- msg(D_DCO_DEBUG, "Swapping primary and secondary keys to "
+ msg(D_DCO_DEBUG,
+ "Swapping primary and secondary keys to "
"primary-id=%d secondary-id=%d",
primary->key_id, secondary->key_id);
}
else
{
- msg(D_DCO_DEBUG, "Swapping primary and secondary keys to "
+ msg(D_DCO_DEBUG,
+ "Swapping primary and secondary keys to "
"primary-id=%d secondary-id=(to be deleted)",
primary->key_id);
}
@@ -275,13 +270,15 @@
#if defined(_WIN32)
if (!proto_is_udp(ce->proto) && mode == MODE_SERVER)
{
- msg(msglevel, "NOTE: TCP transport disables data channel offload on Windows in server mode.");
+ msg(msglevel,
+ "NOTE: TCP transport disables data channel offload on Windows in server mode.");
return false;
}
if (!ce->remote && !dco_win_supports_multipeer())
{
- msg(msglevel, "NOTE: --remote is not defined. This DCO version doesn't support multipeer. Disabling Data Channel Offload");
+ msg(msglevel,
+ "NOTE: --remote is not defined. This DCO version doesn't support multipeer. Disabling Data Channel Offload");
return false;
}
@@ -310,7 +307,7 @@
if (!o->tls_client && !o->tls_server)
{
msg(msglevel, "No tls-client or tls-server option in configuration "
- "detected. Disabling data channel offload.");
+ "detected. Disabling data channel offload.");
return false;
}
@@ -354,7 +351,8 @@
#if defined(_WIN32)
if ((o->mode == MODE_SERVER) && !dco_win_supports_multipeer())
{
- msg(msglevel, "--mode server is set. This DCO version doesn't support multipeer. Disabling Data Channel Offload");
+ msg(msglevel,
+ "--mode server is set. This DCO version doesn't support multipeer. Disabling Data Channel Offload");
return false;
}
@@ -385,8 +383,8 @@
}
else if ((ret < 0) && (ret != -ENODEV))
{
- msg(msglevel, "Cannot retrieve type of device %s: %s (%d)", o->dev,
- strerror(-ret), ret);
+ msg(msglevel, "Cannot retrieve type of device %s: %s (%d)", o->dev, strerror(-ret),
+ ret);
}
}
#endif /* if defined(_WIN32) */
@@ -401,13 +399,13 @@
if (!capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP))
{
msg(msglevel, "--user specified but lacking CAP_SETPCAP. "
- "Cannot retain CAP_NET_ADMIN. Disabling data channel offload");
+ "Cannot retain CAP_NET_ADMIN. Disabling data channel offload");
return false;
}
if (!capng_have_capability(CAPNG_PERMITTED, CAP_NET_ADMIN))
{
msg(msglevel, "--user specified but not permitted to retain CAP_NET_ADMIN. "
- "Disabling data channel offload");
+ "Disabling data channel offload");
return false;
}
}
@@ -438,16 +436,18 @@
if (o->enable_ncp_fallback
&& !tls_item_in_cipher_list(o->ciphername, dco_get_supported_ciphers()))
{
- msg(msglevel, "Note: --data-ciphers-fallback with cipher '%s' "
- "disables data channel offload.", o->ciphername);
+ msg(msglevel,
+ "Note: --data-ciphers-fallback with cipher '%s' "
+ "disables data channel offload.",
+ o->ciphername);
return false;
}
#if defined(USE_COMP)
- if (o->comp.alg != COMP_ALG_UNDEF
- || o->comp.flags & COMP_F_ALLOW_ASYM)
+ if (o->comp.alg != COMP_ALG_UNDEF || o->comp.flags & COMP_F_ALLOW_ASYM)
{
- msg(msglevel, "Note: '--allow-compression' is not set to 'no', disabling data channel offload.");
+ msg(msglevel,
+ "Note: '--allow-compression' is not set to 'no', disabling data channel offload.");
if (o->mode == MODE_SERVER && !(o->comp.flags & COMP_F_MIGRATE))
{
@@ -466,8 +466,10 @@
{
if (!tls_item_in_cipher_list(token, dco_get_supported_ciphers()))
{
- msg(msglevel, "Note: cipher '%s' in --data-ciphers is not supported "
- "by ovpn-dco, disabling data channel offload.", token);
+ msg(msglevel,
+ "Note: cipher '%s' in --data-ciphers is not supported "
+ "by ovpn-dco, disabling data channel offload.",
+ token);
gc_free(&gc);
return false;
}
@@ -483,7 +485,7 @@
if (!o->use_peer_id)
{
msg(msglevel, "OPTIONS IMPORT: Server did not request DATA_V2 packet "
- "format required for data channel offload");
+ "format required for data channel offload");
return false;
}
return true;
@@ -513,8 +515,7 @@
}
#endif
int ret = dco_new_peer(&c->c1.tuntap->dco, multi->peer_id, sock->sd, NULL,
- proto_is_dgram(sock->info.proto) ? remoteaddr : NULL,
- NULL, NULL);
+ proto_is_dgram(sock->info.proto) ? remoteaddr : NULL, NULL, NULL);
if (ret < 0)
{
return ret;
@@ -547,7 +548,8 @@
#if ENABLE_IP_PKTINFO
struct context *c = &mi->context;
- if (!proto_is_udp(c->c2.link_sockets[0]->info.proto) || !(c->options.sockflags & SF_USE_IP_PKTINFO))
+ if (!proto_is_udp(c->c2.link_sockets[0]->info.proto)
+ || !(c->options.sockflags & SF_USE_IP_PKTINFO))
{
return false;
}
@@ -631,8 +633,8 @@
localaddr = (struct sockaddr *)&local;
}
- int ret = dco_new_peer(&c->c1.tuntap->dco, peer_id, sd, localaddr,
- remoteaddr, vpn_addr4, vpn_addr6);
+ int ret =
+ dco_new_peer(&c->c1.tuntap->dco, peer_id, sd, localaddr, remoteaddr, vpn_addr4, vpn_addr6);
if (ret < 0)
{
return ret;
@@ -644,8 +646,7 @@
}
void
-dco_install_iroute(struct multi_context *m, struct multi_instance *mi,
- struct mroute_addr *addr)
+dco_install_iroute(struct multi_context *m, struct multi_instance *mi, struct mroute_addr *addr)
{
#if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) || defined(_WIN32)
if (!dco_enabled(&m->top.options))
@@ -666,7 +667,8 @@
if (addrtype == MR_ADDR_IPV6)
{
#if defined(_WIN32)
- dco_win_add_iroute_ipv6(&c->c1.tuntap->dco, addr->v6.addr, addr->netbits, c->c2.tls_multi->peer_id);
+ dco_win_add_iroute_ipv6(&c->c1.tuntap->dco, addr->v6.addr, addr->netbits,
+ c->c2.tls_multi->peer_id);
#else
net_route_v6_add(&m->top.net_ctx, &addr->v6.addr, addr->netbits,
&mi->context.c2.push_ifconfig_ipv6_local, c->c1.tuntap->actual_name, 0,
@@ -676,12 +678,12 @@
else if (addrtype == MR_ADDR_IPV4)
{
#if defined(_WIN32)
- dco_win_add_iroute_ipv4(&c->c1.tuntap->dco, addr->v4.addr, addr->netbits, c->c2.tls_multi->peer_id);
+ dco_win_add_iroute_ipv4(&c->c1.tuntap->dco, addr->v4.addr, addr->netbits,
+ c->c2.tls_multi->peer_id);
#else
in_addr_t dest = htonl(addr->v4.addr);
- net_route_v4_add(&m->top.net_ctx, &dest, addr->netbits,
- &mi->context.c2.push_ifconfig_local, c->c1.tuntap->actual_name, 0,
- DCO_IROUTE_METRIC);
+ net_route_v4_add(&m->top.net_ctx, &dest, addr->netbits, &mi->context.c2.push_ifconfig_local,
+ c->c1.tuntap->actual_name, 0, DCO_IROUTE_METRIC);
#endif
}
#endif /* if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) || defined(_WIN32) */
@@ -701,32 +703,28 @@
if (mi->context.c2.push_ifconfig_defined)
{
- for (const struct iroute *ir = c->options.iroutes;
- ir;
- ir = ir->next)
+ for (const struct iroute *ir = c->options.iroutes; ir; ir = ir->next)
{
#if defined(_WIN32)
dco_win_del_iroute_ipv4(&c->c1.tuntap->dco, htonl(ir->network), ir->netbits);
#else
net_route_v4_del(&m->top.net_ctx, &ir->network, ir->netbits,
- &mi->context.c2.push_ifconfig_local, c->c1.tuntap->actual_name,
- 0, DCO_IROUTE_METRIC);
+ &mi->context.c2.push_ifconfig_local, c->c1.tuntap->actual_name, 0,
+ DCO_IROUTE_METRIC);
#endif
}
}
if (mi->context.c2.push_ifconfig_ipv6_defined)
{
- for (const struct iroute_ipv6 *ir6 = c->options.iroutes_ipv6;
- ir6;
- ir6 = ir6->next)
+ for (const struct iroute_ipv6 *ir6 = c->options.iroutes_ipv6; ir6; ir6 = ir6->next)
{
#if defined(_WIN32)
dco_win_del_iroute_ipv6(&c->c1.tuntap->dco, ir6->network, ir6->netbits);
#else
net_route_v6_del(&m->top.net_ctx, &ir6->network, ir6->netbits,
- &mi->context.c2.push_ifconfig_ipv6_local, c->c1.tuntap->actual_name,
- 0, DCO_IROUTE_METRIC);
+ &mi->context.c2.push_ifconfig_ipv6_local, c->c1.tuntap->actual_name, 0,
+ DCO_IROUTE_METRIC);
#endif
}
}
@@ -43,8 +43,8 @@
struct tls_multi;
struct tuntap;
-#define DCO_IROUTE_METRIC 100
-#define DCO_DEFAULT_METRIC 200
+#define DCO_IROUTE_METRIC 100
+#define DCO_DEFAULT_METRIC 200
#if defined(ENABLE_DCO)
@@ -153,9 +153,8 @@
*
* @return 0 on success or a negative error code otherwise
*/
-int init_key_dco_bi(struct tls_multi *multi, struct key_state *ks,
- const struct key2 *key2, int key_direction,
- const char *ciphername, bool server);
+int init_key_dco_bi(struct tls_multi *multi, struct key_state *ks, const struct key2 *key2,
+ int key_direction, const char *ciphername, bool server);
/**
* Possibly swap or wipe keys from DCO
@@ -187,8 +186,8 @@
*
* @return 0 on success or a negative error code otherwise
*/
-int dco_set_peer(dco_context_t *dco, unsigned int peerid,
- int keepalive_interval, int keepalive_timeout, int mss);
+int dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval,
+ int keepalive_timeout, int mss);
/**
* Remove a peer from DCO
@@ -257,7 +256,7 @@
{
return false;
}
-#else /* if defined(ENABLE_DCO) */
+#else /* if defined(ENABLE_DCO) */
typedef void *dco_context_t;
@@ -321,9 +320,8 @@
}
static inline int
-init_key_dco_bi(struct tls_multi *multi, struct key_state *ks,
- const struct key2 *key2, int key_direction,
- const char *ciphername, bool server)
+init_key_dco_bi(struct tls_multi *multi, struct key_state *ks, const struct key2 *key2,
+ int key_direction, const char *ciphername, bool server)
{
return 0;
}
@@ -342,8 +340,8 @@
}
static inline int
-dco_set_peer(dco_context_t *dco, unsigned int peerid,
- int keepalive_interval, int keepalive_timeout, int mss)
+dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout,
+ int mss)
{
return 0;
}
@@ -360,8 +358,7 @@
}
static inline void
-dco_install_iroute(struct multi_context *m, struct multi_instance *mi,
- struct mroute_addr *addr)
+dco_install_iroute(struct multi_context *m, struct multi_instance *mi, struct mroute_addr *addr)
{
}
@@ -133,9 +133,8 @@
}
int
-dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
- struct sockaddr *localaddr, struct sockaddr *remoteaddr,
- struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
+dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, struct sockaddr *localaddr,
+ struct sockaddr *remoteaddr, struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
{
struct ifdrv drv;
nvlist_t *nvl, *local_nvl, *remote_nvl;
@@ -159,8 +158,7 @@
if (vpn_ipv4)
{
- nvlist_add_binary(nvl, "vpn_ipv4", &vpn_ipv4->s_addr,
- sizeof(vpn_ipv4->s_addr));
+ nvlist_add_binary(nvl, "vpn_ipv4", &vpn_ipv4->s_addr, sizeof(vpn_ipv4->s_addr));
}
if (vpn_ipv6)
@@ -278,7 +276,7 @@
if (ret)
{
ret = -errno;
- msg(M_WARN|M_ERRNO, "Failed to create interface %s (SIOCIFCREATE2)", ifr.ifr_name);
+ msg(M_WARN | M_ERRNO, "Failed to create interface %s (SIOCIFCREATE2)", ifr.ifr_name);
return ret;
}
@@ -300,7 +298,7 @@
ret = -errno;
/* Delete the created interface again. */
(void)ioctl(tt->dco.fd, SIOCIFDESTROY, &ifr);
- msg(M_WARN|M_ERRNO, "Failed to create interface %s (SIOCSIFNAME)", ifr.ifr_data);
+ msg(M_WARN | M_ERRNO, "Failed to create interface %s (SIOCSIFNAME)", ifr.ifr_data);
return ret;
}
@@ -412,8 +410,7 @@
}
int
-dco_del_key(dco_context_t *dco, unsigned int peerid,
- dco_key_slot_t slot)
+dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot)
{
struct ifdrv drv;
nvlist_t *nvl;
@@ -483,18 +480,16 @@
}
int
-dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid,
- dco_key_slot_t slot,
- const uint8_t *encrypt_key, const uint8_t *encrypt_iv,
- const uint8_t *decrypt_key, const uint8_t *decrypt_iv,
- const char *ciphername)
+dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, dco_key_slot_t slot,
+ const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key,
+ const uint8_t *decrypt_iv, const char *ciphername)
{
struct ifdrv drv;
nvlist_t *nvl, *encrypt_nvl, *decrypt_nvl;
int ret;
- msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s",
- __func__, slot, keyid, peerid, ciphername);
+ msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s", __func__, slot, keyid, peerid,
+ ciphername);
nvl = nvlist_create(0);
@@ -532,16 +527,15 @@
}
int
-dco_set_peer(dco_context_t *dco, unsigned int peerid,
- int keepalive_interval, int keepalive_timeout,
+dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout,
int mss)
{
struct ifdrv drv;
nvlist_t *nvl;
int ret;
- msg(D_DCO_DEBUG, "%s: peer-id %d, ping interval %d, ping timeout %d",
- __func__, peerid, keepalive_interval, keepalive_timeout);
+ msg(D_DCO_DEBUG, "%s: peer-id %d, ping interval %d, ping timeout %d", __func__, peerid,
+ keepalive_interval, keepalive_timeout);
nvl = nvlist_create(0);
nvlist_add_number(nvl, "peerid", peerid);
@@ -633,7 +627,8 @@
dco->dco_message_type = OVPN_CMD_SWAP_KEYS;
break;
- case OVPN_NOTIF_FLOAT: {
+ case OVPN_NOTIF_FLOAT:
+ {
const nvlist_t *address;
if (!nvlist_exists_nvlist(nvl, "address"))
@@ -780,7 +775,6 @@
static void
dco_update_peer_stat(struct multi_context *m, uint32_t peerid, const nvlist_t *nvl)
{
-
if (peerid >= m->max_clients || !m->instances[peerid])
{
msg(M_WARN, "dco_update_peer_stat: invalid peer ID %d returned by kernel", peerid);
@@ -796,7 +790,6 @@
int
dco_get_peer_stats_multi(dco_context_t *dco, const bool raise_sigusr1_on_err)
{
-
struct ifdrv drv;
uint8_t *buf = NULL;
size_t buf_size = 4096;
@@ -26,26 +26,29 @@
#include "ovpn_dco_freebsd.h"
-#define DCO_IROUTE_METRIC 100
+#define DCO_IROUTE_METRIC 100
typedef enum ovpn_key_slot dco_key_slot_t;
typedef enum ovpn_key_cipher dco_cipher_t;
-enum ovpn_message_type_t {
+enum ovpn_message_type_t
+{
OVPN_CMD_DEL_PEER,
OVPN_CMD_PACKET,
OVPN_CMD_SWAP_KEYS,
OVPN_CMD_FLOAT_PEER,
};
-enum ovpn_del_reason_t {
+enum ovpn_del_reason_t
+{
OVPN_DEL_PEER_REASON_EXPIRED,
OVPN_DEL_PEER_REASON_TRANSPORT_ERROR,
OVPN_DEL_PEER_REASON_USERSPACE,
OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT,
};
-typedef struct dco_context {
+typedef struct dco_context
+{
bool open;
int fd;
int pipefd[2];
@@ -59,17 +59,14 @@
* They are implemented by dco_linux.c
*/
-int dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
- struct sockaddr *localaddr, struct sockaddr *remoteaddr,
- struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6);
+int dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, struct sockaddr *localaddr,
+ struct sockaddr *remoteaddr, struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6);
int dco_del_peer(dco_context_t *dco, unsigned int peerid);
-int dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid,
- dco_key_slot_t slot,
- const uint8_t *encrypt_key, const uint8_t *encrypt_iv,
- const uint8_t *decrypt_key, const uint8_t *decrypt_iv,
- const char *ciphername);
+int dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, dco_key_slot_t slot,
+ const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key,
+ const uint8_t *decrypt_iv, const char *ciphername);
int dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot);
@@ -54,8 +54,7 @@
* have to explicitly do it to prevent the kernel from failing upon
* parsing of the message
*/
-#define nla_nest_start(_msg, _type) \
- nla_nest_start(_msg, (_type) | NLA_F_NESTED)
+#define nla_nest_start(_msg, _type) nla_nest_start(_msg, (_type) | NLA_F_NESTED)
static int ovpn_get_mcast_id(dco_context_t *dco);
@@ -89,8 +88,7 @@
ret = genl_connect(nl_sock);
if (ret)
{
- msg(msglevel, "Cannot connect to generic netlink: %s",
- nl_geterror(ret));
+ msg(msglevel, "Cannot connect to generic netlink: %s", nl_geterror(ret));
goto err_sock;
}
set_cloexec(nl_socket_get_fd(nl_sock));
@@ -98,8 +96,7 @@
ret = genl_ctrl_resolve(nl_sock, OVPN_FAMILY_NAME);
if (ret < 0)
{
- msg(msglevel, "Cannot find ovpn_dco netlink component: %s",
- nl_geterror(ret));
+ msg(msglevel, "Cannot find ovpn_dco netlink component: %s", nl_geterror(ret));
}
err_sock:
@@ -157,7 +154,8 @@
default:
if (ret)
{
- msg(M_NONFATAL, "%s: netlink reports error (%d): %s", prefix, ret, nl_geterror(-ret));
+ msg(M_NONFATAL, "%s: netlink reports error (%d): %s", prefix, ret,
+ nl_geterror(-ret));
}
break;
}
@@ -188,8 +186,8 @@
if (dco->status < 0)
{
- msg(M_INFO, "%s: failed to send netlink message: %s (%d)",
- prefix, strerror(-dco->status), dco->status);
+ msg(M_INFO, "%s: failed to send netlink message: %s (%d)", prefix, strerror(-dco->status),
+ dco->status);
}
return dco->status;
@@ -201,7 +199,6 @@
struct sockaddr_in6 *sock6 = (struct sockaddr_in6 *)sock;
if (sock->sa_family == AF_INET6 && IN6_IS_ADDR_V4MAPPED(&sock6->sin6_addr))
{
-
struct sockaddr_in *sock4;
ALLOC_OBJ_CLEAR_GC(sock4, struct sockaddr_in, gc);
memcpy(&sock4->sin_addr, sock6->sin6_addr.s6_addr + 12, 4);
@@ -213,9 +210,8 @@
}
int
-dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
- struct sockaddr *localaddr, struct sockaddr *remoteaddr,
- struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
+dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, struct sockaddr *localaddr,
+ struct sockaddr *remoteaddr, struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
{
struct gc_arena gc = gc_new();
const char *remotestr = "[undefined]";
@@ -223,8 +219,7 @@
{
remotestr = print_sockaddr(remoteaddr, &gc);
}
- msg(D_DCO_DEBUG, "%s: peer-id %d, fd %d, remote addr: %s", __func__,
- peerid, sd, remotestr);
+ msg(D_DCO_DEBUG, "%s: peer-id %d, fd %d, remote addr: %s", __func__, peerid, sd, remotestr);
struct nl_msg *nl_msg = ovpn_dco_nlmsg_create(dco, OVPN_CMD_PEER_NEW);
struct nlattr *attr = nla_nest_start(nl_msg, OVPN_A_PEER);
@@ -242,14 +237,17 @@
{
NLA_PUT(nl_msg, OVPN_A_PEER_REMOTE_IPV4, sizeof(struct in_addr),
&((struct sockaddr_in *)remoteaddr)->sin_addr);
- NLA_PUT_U16(nl_msg, OVPN_A_PEER_REMOTE_PORT, ((struct sockaddr_in *)remoteaddr)->sin_port);
+ NLA_PUT_U16(nl_msg, OVPN_A_PEER_REMOTE_PORT,
+ ((struct sockaddr_in *)remoteaddr)->sin_port);
}
else if (remoteaddr->sa_family == AF_INET6)
{
NLA_PUT(nl_msg, OVPN_A_PEER_REMOTE_IPV6, sizeof(struct in6_addr),
&((struct sockaddr_in6 *)remoteaddr)->sin6_addr);
- NLA_PUT_U16(nl_msg, OVPN_A_PEER_REMOTE_PORT, ((struct sockaddr_in6 *)remoteaddr)->sin6_port);
- NLA_PUT_U32(nl_msg, OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID, ((struct sockaddr_in6 *)remoteaddr)->sin6_scope_id);
+ NLA_PUT_U16(nl_msg, OVPN_A_PEER_REMOTE_PORT,
+ ((struct sockaddr_in6 *)remoteaddr)->sin6_port);
+ NLA_PUT_U32(nl_msg, OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID,
+ ((struct sockaddr_in6 *)remoteaddr)->sin6_scope_id);
}
}
@@ -275,8 +273,7 @@
}
if (vpn_ipv6)
{
- NLA_PUT(nl_msg, OVPN_A_PEER_VPN_IPV6, sizeof(struct in6_addr),
- vpn_ipv6);
+ NLA_PUT(nl_msg, OVPN_A_PEER_VPN_IPV6, sizeof(struct in6_addr), vpn_ipv6);
}
nla_nest_end(nl_msg, attr);
@@ -289,7 +286,7 @@
}
static int
-ovpn_nl_cb_finish(struct nl_msg (*msg) __attribute__ ((unused)), void *arg)
+ovpn_nl_cb_finish(struct nl_msg(*msg) __attribute__((unused)), void *arg)
{
int *status = arg;
@@ -310,7 +307,8 @@
* missing at the message level
* @NLMSGERR_ATTR_MISS_NEST: offset of the nest where attribute was missing
*/
-enum ovpn_nlmsgerr_attrs {
+enum ovpn_nlmsgerr_attrs
+{
OVPN_NLMSGERR_ATTR_MISS_TYPE = 5,
OVPN_NLMSGERR_ATTR_MISS_NEST = 6,
OVPN_NLMSGERR_ATTR_MAX = 6,
@@ -325,8 +323,7 @@
* reply to see if it contains a human-readable error. If found, it is printed.
*/
static int
-ovpn_nl_cb_error(struct sockaddr_nl (*nla) __attribute__ ((unused)),
- struct nlmsgerr *err, void *arg)
+ovpn_nl_cb_error(struct sockaddr_nl(*nla) __attribute__((unused)), struct nlmsgerr *err, void *arg)
{
struct nlmsghdr *nlh = (struct nlmsghdr *)err - 1;
struct nlattr *tb_msg[OVPN_NLMSGERR_ATTR_MAX + 1];
@@ -360,8 +357,7 @@
{
len = strnlen((char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]),
nla_len(tb_msg[NLMSGERR_ATTR_MSG]));
- msg(M_WARN, "kernel error: %*s", len,
- (char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]));
+ msg(M_WARN, "kernel error: %*s", len, (char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]));
}
if (tb_msg[OVPN_NLMSGERR_ATTR_MISS_NEST])
@@ -387,7 +383,7 @@
if (dco->ovpn_dco_mcast_id < 0)
{
- msg(M_FATAL, "cannot get mcast group: %s", nl_geterror(dco->ovpn_dco_mcast_id));
+ msg(M_FATAL, "cannot get mcast group: %s", nl_geterror(dco->ovpn_dco_mcast_id));
}
/* Register for ovpn-dco specific multicast messages that the kernel may
@@ -417,14 +413,12 @@
int ret = genl_connect(dco->nl_sock);
if (ret)
{
- msg(M_FATAL, "Cannot connect to generic netlink: %s",
- nl_geterror(ret));
+ msg(M_FATAL, "Cannot connect to generic netlink: %s", nl_geterror(ret));
}
/* enable Extended ACK for detailed error reporting */
ret = 1;
- setsockopt(nl_socket_get_fd(dco->nl_sock), SOL_NETLINK, NETLINK_EXT_ACK,
- &ret, sizeof(ret));
+ setsockopt(nl_socket_get_fd(dco->nl_sock), SOL_NETLINK, NETLINK_EXT_ACK, &ret, sizeof(ret));
/* set close on exec and non-block on the netlink socket */
set_cloexec(nl_socket_get_fd(dco->nl_sock));
@@ -440,10 +434,8 @@
dco->dco_message_peer_id = -1;
nl_cb_err(dco->nl_cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &dco->status);
- nl_cb_set(dco->nl_cb, NL_CB_FINISH, NL_CB_CUSTOM, ovpn_nl_cb_finish,
- &dco->status);
- nl_cb_set(dco->nl_cb, NL_CB_ACK, NL_CB_CUSTOM, ovpn_nl_cb_finish,
- &dco->status);
+ nl_cb_set(dco->nl_cb, NL_CB_FINISH, NL_CB_CUSTOM, ovpn_nl_cb_finish, &dco->status);
+ nl_cb_set(dco->nl_cb, NL_CB_ACK, NL_CB_CUSTOM, ovpn_nl_cb_finish, &dco->status);
nl_cb_set(dco->nl_cb, NL_CB_VALID, NL_CB_CUSTOM, ovpn_handle_msg, dco);
ovpn_dco_register(dco);
@@ -456,7 +448,7 @@
/* nl library sets the buffer size to 32k/32k by default which is sometimes
* overrun with very fast connecting/disconnecting clients.
* TODO: fix this in a better and more reliable way */
- ASSERT(!nl_socket_set_buffer_size(dco->nl_sock, 1024*1024, 1024*1024));
+ ASSERT(!nl_socket_set_buffer_size(dco->nl_sock, 1024 * 1024, 1024 * 1024));
}
bool
@@ -578,8 +570,7 @@
int
-dco_del_key(dco_context_t *dco, unsigned int peerid,
- dco_key_slot_t slot)
+dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot)
{
int ret = -EMSGSIZE;
msg(D_DCO_DEBUG, "%s: peer-id %d, slot %d", __func__, peerid, slot);
@@ -603,14 +594,12 @@
}
int
-dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid,
- dco_key_slot_t slot,
- const uint8_t *encrypt_key, const uint8_t *encrypt_iv,
- const uint8_t *decrypt_key, const uint8_t *decrypt_iv,
- const char *ciphername)
+dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, dco_key_slot_t slot,
+ const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key,
+ const uint8_t *decrypt_iv, const char *ciphername)
{
- msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s",
- __func__, slot, keyid, peerid, ciphername);
+ msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s", __func__, slot, keyid, peerid,
+ ciphername);
const size_t key_len = cipher_kt_key_size(ciphername);
const int nonce_tail_len = 8;
@@ -631,23 +620,19 @@
NLA_PUT_U32(nl_msg, OVPN_A_KEYCONF_KEY_ID, keyid);
NLA_PUT_U32(nl_msg, OVPN_A_KEYCONF_CIPHER_ALG, dco_cipher);
- struct nlattr *key_enc = nla_nest_start(nl_msg,
- OVPN_A_KEYCONF_ENCRYPT_DIR);
+ struct nlattr *key_enc = nla_nest_start(nl_msg, OVPN_A_KEYCONF_ENCRYPT_DIR);
if (dco_cipher != OVPN_CIPHER_ALG_NONE)
{
NLA_PUT(nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, key_len, encrypt_key);
- NLA_PUT(nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, nonce_tail_len,
- encrypt_iv);
+ NLA_PUT(nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, nonce_tail_len, encrypt_iv);
}
nla_nest_end(nl_msg, key_enc);
- struct nlattr *key_dec = nla_nest_start(nl_msg,
- OVPN_A_KEYCONF_DECRYPT_DIR);
+ struct nlattr *key_dec = nla_nest_start(nl_msg, OVPN_A_KEYCONF_DECRYPT_DIR);
if (dco_cipher != OVPN_CIPHER_ALG_NONE)
{
NLA_PUT(nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, key_len, decrypt_key);
- NLA_PUT(nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, nonce_tail_len,
- decrypt_iv);
+ NLA_PUT(nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, nonce_tail_len, decrypt_iv);
}
nla_nest_end(nl_msg, key_dec);
@@ -662,11 +647,11 @@
}
int
-dco_set_peer(dco_context_t *dco, unsigned int peerid,
- int keepalive_interval, int keepalive_timeout, int mss)
+dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout,
+ int mss)
{
- msg(D_DCO_DEBUG, "%s: peer-id %d, keepalive %d/%d, mss %d", __func__,
- peerid, keepalive_interval, keepalive_timeout, mss);
+ msg(D_DCO_DEBUG, "%s: peer-id %d, keepalive %d/%d, mss %d", __func__, peerid,
+ keepalive_interval, keepalive_timeout, mss);
struct nl_msg *nl_msg = ovpn_dco_nlmsg_create(dco, OVPN_CMD_PEER_SET);
if (!nl_msg)
@@ -677,10 +662,8 @@
struct nlattr *attr = nla_nest_start(nl_msg, OVPN_A_PEER);
int ret = -EMSGSIZE;
NLA_PUT_U32(nl_msg, OVPN_A_PEER_ID, peerid);
- NLA_PUT_U32(nl_msg, OVPN_A_PEER_KEEPALIVE_INTERVAL,
- keepalive_interval);
- NLA_PUT_U32(nl_msg, OVPN_A_PEER_KEEPALIVE_TIMEOUT,
- keepalive_timeout);
+ NLA_PUT_U32(nl_msg, OVPN_A_PEER_KEEPALIVE_INTERVAL, keepalive_interval);
+ NLA_PUT_U32(nl_msg, OVPN_A_PEER_KEEPALIVE_TIMEOUT, keepalive_timeout);
nla_nest_end(nl_msg, attr);
ret = ovpn_nl_msg_send(dco, nl_msg, __func__);
@@ -704,8 +687,7 @@
struct nlattr *tb[CTRL_ATTR_MAX + 1];
struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
- nla_parse(tb, CTRL_ATTR_MAX, genlmsg_attrdata(gnlh, 0),
- genlmsg_attrlen(gnlh, 0), NULL);
+ nla_parse(tb, CTRL_ATTR_MAX, genlmsg_attrdata(gnlh, 0), genlmsg_attrlen(gnlh, 0), NULL);
if (!tb[CTRL_ATTR_MCAST_GROUPS])
{
@@ -718,18 +700,16 @@
{
struct nlattr *tb_mcgrp[CTRL_ATTR_MCAST_GRP_MAX + 1];
- nla_parse(tb_mcgrp, CTRL_ATTR_MCAST_GRP_MAX,
- nla_data(mcgrp), nla_len(mcgrp), NULL);
+ nla_parse(tb_mcgrp, CTRL_ATTR_MCAST_GRP_MAX, nla_data(mcgrp), nla_len(mcgrp), NULL);
- if (!tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]
- || !tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID])
+ if (!tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME] || !tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID])
{
continue;
}
- if (strncmp(nla_data(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]),
- OVPN_MCGRP_PEERS,
- nla_len(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME])) != 0)
+ if (strncmp(nla_data(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]), OVPN_MCGRP_PEERS,
+ nla_len(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]))
+ != 0)
{
continue;
}
@@ -829,49 +809,41 @@
if (tb[OVPN_A_PEER_LINK_RX_BYTES])
{
c2->dco_read_bytes = ovpn_nla_get_uint(tb[OVPN_A_PEER_LINK_RX_BYTES]);
- msg(D_DCO_DEBUG, "%s / dco_read_bytes: " counter_format, __func__,
- c2->dco_read_bytes);
+ msg(D_DCO_DEBUG, "%s / dco_read_bytes: " counter_format, __func__, c2->dco_read_bytes);
}
else
{
- msg(M_WARN, "%s: no link RX bytes provided in reply for peer %u",
- __func__, id);
+ msg(M_WARN, "%s: no link RX bytes provided in reply for peer %u", __func__, id);
}
if (tb[OVPN_A_PEER_LINK_TX_BYTES])
{
c2->dco_write_bytes = ovpn_nla_get_uint(tb[OVPN_A_PEER_LINK_TX_BYTES]);
- msg(D_DCO_DEBUG, "%s / dco_write_bytes: " counter_format, __func__,
- c2->dco_write_bytes);
+ msg(D_DCO_DEBUG, "%s / dco_write_bytes: " counter_format, __func__, c2->dco_write_bytes);
}
else
{
- msg(M_WARN, "%s: no link TX bytes provided in reply for peer %u",
- __func__, id);
+ msg(M_WARN, "%s: no link TX bytes provided in reply for peer %u", __func__, id);
}
if (tb[OVPN_A_PEER_VPN_RX_BYTES])
{
c2->tun_read_bytes = ovpn_nla_get_uint(tb[OVPN_A_PEER_VPN_RX_BYTES]);
- msg(D_DCO_DEBUG, "%s / tun_read_bytes: " counter_format, __func__,
- c2->tun_read_bytes);
+ msg(D_DCO_DEBUG, "%s / tun_read_bytes: " counter_format, __func__, c2->tun_read_bytes);
}
else
{
- msg(M_WARN, "%s: no VPN RX bytes provided in reply for peer %u",
- __func__, id);
+ msg(M_WARN, "%s: no VPN RX bytes provided in reply for peer %u", __func__, id);
}
if (tb[OVPN_A_PEER_VPN_TX_BYTES])
{
c2->tun_write_bytes = ovpn_nla_get_uint(tb[OVPN_A_PEER_VPN_TX_BYTES]);
- msg(D_DCO_DEBUG, "%s / tun_write_bytes: " counter_format, __func__,
- c2->tun_write_bytes);
+ msg(D_DCO_DEBUG, "%s / tun_write_bytes: " counter_format, __func__, c2->tun_write_bytes);
}
else
{
- msg(M_WARN, "%s: no VPN TX bytes provided in reply for peer %u",
- __func__, id);
+ msg(M_WARN, "%s: no VPN TX bytes provided in reply for peer %u", __func__, id);
}
}
@@ -945,8 +917,7 @@
uint32_t ifindex = nla_get_u32(attrs[OVPN_A_IFINDEX]);
if (ifindex != dco->ifindex)
{
- msg(D_DCO_DEBUG,
- "ovpn-dco: ignoring message for foreign ifindex %d", ifindex);
+ msg(D_DCO_DEBUG, "ovpn-dco: ignoring message for foreign ifindex %d", ifindex);
return false;
}
@@ -968,8 +939,7 @@
}
struct nlattr *dp_attrs[OVPN_A_PEER_MAX + 1];
- if (nla_parse_nested(dp_attrs, OVPN_A_PEER_MAX, attrs[OVPN_A_PEER],
- NULL))
+ if (nla_parse_nested(dp_attrs, OVPN_A_PEER_MAX, attrs[OVPN_A_PEER], NULL))
{
msg(D_DCO, "ovpn-dco: can't parse peer in PEER_DEL_NTF messsage");
return NL_STOP;
@@ -1013,8 +983,7 @@
}
struct nlattr *fp_attrs[OVPN_A_PEER_MAX + 1];
- if (nla_parse_nested(fp_attrs, OVPN_A_PEER_MAX, attrs[OVPN_A_PEER],
- NULL))
+ if (nla_parse_nested(fp_attrs, OVPN_A_PEER_MAX, attrs[OVPN_A_PEER], NULL))
{
msg(D_DCO, "ovpn-dco: can't parse peer in PEER_FLOAT_NTF messsage");
return NL_STOP;
@@ -1033,8 +1002,7 @@
}
struct gc_arena gc = gc_new();
- msg(D_DCO_DEBUG,
- "ovpn-dco: received CMD_PEER_FLOAT_NTF, ifindex: %u, peer-id %u, address: %s",
+ msg(D_DCO_DEBUG, "ovpn-dco: received CMD_PEER_FLOAT_NTF, ifindex: %u, peer-id %u, address: %s",
dco->ifindex, peerid, print_sockaddr((struct sockaddr *)&dco->dco_float_peer_ss, &gc));
dco->dco_message_peer_id = (int)peerid;
dco->dco_message_type = OVPN_CMD_PEER_FLOAT_NTF;
@@ -1059,8 +1027,7 @@
}
struct nlattr *dp_attrs[OVPN_A_KEYCONF_MAX + 1];
- if (nla_parse_nested(dp_attrs, OVPN_A_KEYCONF_MAX,
- attrs[OVPN_A_KEYCONF], NULL))
+ if (nla_parse_nested(dp_attrs, OVPN_A_KEYCONF_MAX, attrs[OVPN_A_KEYCONF], NULL))
{
msg(D_DCO, "ovpn-dco: can't parse keyconf in KEY_SWAP_NTF message");
return NL_STOP;
@@ -1117,8 +1084,7 @@
return NL_STOP;
}
- if (nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0),
- genlmsg_attrlen(gnlh, 0), NULL))
+ if (nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), genlmsg_attrlen(gnlh, 0), NULL))
{
msg(D_DCO, "received bogus data from ovpn-dco");
return NL_STOP;
@@ -1206,8 +1172,8 @@
if (raise_sigusr1_on_err && ret < 0)
{
msg(M_WARN, "Error retrieving DCO peer stats: the underlying DCO peer"
- "may have been deleted from the kernel without notifying "
- "userspace. Restarting the session");
+ "may have been deleted from the kernel without notifying "
+ "userspace. Restarting the session");
register_signal(dco->c->sig, SIGUSR1, "dco peer stats error");
}
return ret;
@@ -1230,8 +1196,7 @@
{
if (resolve_ovpn_netlink_id(D_DCO_DEBUG) < 0)
{
- msg(msglevel,
- "Note: Kernel support for ovpn-dco missing, disabling data channel offload.");
+ msg(msglevel, "Note: Kernel support for ovpn-dco missing, disabling data channel offload.");
return false;
}
@@ -31,8 +31,8 @@
#include <netlink/netlink.h>
/* Defines to avoid mismatching with other platforms */
-#define OVPN_CMD_DEL_PEER OVPN_CMD_PEER_DEL_NTF
-#define OVPN_CMD_SWAP_KEYS OVPN_CMD_KEY_SWAP_NTF
+#define OVPN_CMD_DEL_PEER OVPN_CMD_PEER_DEL_NTF
+#define OVPN_CMD_SWAP_KEYS OVPN_CMD_KEY_SWAP_NTF
#define OVPN_CMD_FLOAT_PEER OVPN_CMD_PEER_FLOAT_NTF
typedef enum ovpn_key_slot dco_key_slot_t;
@@ -42,12 +42,14 @@
#ifndef IFLA_OVPN_MAX
-enum ovpn_mode {
+enum ovpn_mode
+{
OVPN_MODE_P2P,
OVPN_MODE_MP,
};
-enum ovpn_ifla_attrs {
+enum ovpn_ifla_attrs
+{
IFLA_OVPN_UNSPEC = 0,
IFLA_OVPN_MODE,
@@ -75,14 +75,12 @@
bool res = false;
- HANDLE h = CreateFile("\\\\.\\ovpn-dco-ver", GENERIC_READ,
- 0, NULL, OPEN_EXISTING, 0, NULL);
+ HANDLE h = CreateFile("\\\\.\\ovpn-dco-ver", GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
if (h == INVALID_HANDLE_VALUE)
{
/* fallback to a "normal" device, this will fail if device is already in use */
- h = CreateFile("\\\\.\\ovpn-dco", GENERIC_READ,
- 0, NULL, OPEN_EXISTING, 0, NULL);
+ h = CreateFile("\\\\.\\ovpn-dco", GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
}
if (h == INVALID_HANDLE_VALUE)
@@ -91,8 +89,8 @@
}
DWORD bytes_returned = 0;
- if (!DeviceIoControl(h, OVPN_IOCTL_GET_VERSION, NULL, 0,
- version, sizeof(*version), &bytes_returned, NULL))
+ if (!DeviceIoControl(h, OVPN_IOCTL_GET_VERSION, NULL, 0, version, sizeof(*version),
+ &bytes_returned, NULL))
{
goto done;
}
@@ -145,7 +143,8 @@
/* set mp mode */
OVPN_MODE m = OVPN_MODE_MP;
DWORD bytes_returned = 0;
- if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_SET_MODE, &m, sizeof(m), NULL, 0, &bytes_returned, NULL))
+ if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_SET_MODE, &m, sizeof(m), NULL, 0,
+ &bytes_returned, NULL))
{
msg(M_ERR, "DeviceIoControl(OVPN_IOCTL_SET_MODE) failed");
}
@@ -221,7 +220,7 @@
{
volatile int *signal_received = &sig_info->signal_received;
/* GetOverlappedResultEx is available starting from Windows 8 */
- typedef BOOL (WINAPI *get_overlapped_result_ex_t)(HANDLE, LPOVERLAPPED, LPDWORD, DWORD, BOOL);
+ typedef BOOL(WINAPI * get_overlapped_result_ex_t)(HANDLE, LPOVERLAPPED, LPDWORD, DWORD, BOOL);
get_overlapped_result_ex_t get_overlapped_result_ex =
(get_overlapped_result_ex_t)GetProcAddress(GetModuleHandle("Kernel32.dll"),
"GetOverlappedResultEx");
@@ -295,8 +294,8 @@
}
if (!cur)
{
- msg(M_FATAL, "%s: Socket bind failed: Addr to bind has no %s record",
- __func__, addr_family_name(ai_family));
+ msg(M_FATAL, "%s: Socket bind failed: Addr to bind has no %s record", __func__,
+ addr_family_name(ai_family));
}
OVPN_MP_START_VPN in, out;
@@ -322,7 +321,8 @@
}
void
-dco_p2p_new_peer(HANDLE handle, OVERLAPPED *ov, struct link_socket *sock, struct signal_info *sig_info)
+dco_p2p_new_peer(HANDLE handle, OVERLAPPED *ov, struct link_socket *sock,
+ struct signal_info *sig_info)
{
msg(D_DCO_DEBUG, "%s", __func__);
@@ -333,8 +333,7 @@
struct sockaddr *local = NULL;
struct sockaddr *remote = remoteaddr->ai_addr;
- if (remoteaddr->ai_protocol == IPPROTO_TCP
- || remoteaddr->ai_socktype == SOCK_STREAM)
+ if (remoteaddr->ai_protocol == IPPROTO_TCP || remoteaddr->ai_socktype == SOCK_STREAM)
{
peer.Proto = OVPN_PROTO_TCP;
}
@@ -406,15 +405,15 @@
}
else
{
- dco_connect_wait(handle, ov, get_server_poll_remaining_time(sock->server_poll_timeout), sig_info);
+ dco_connect_wait(handle, ov, get_server_poll_remaining_time(sock->server_poll_timeout),
+ sig_info);
}
}
}
int
-dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
- struct sockaddr *localaddr, struct sockaddr *remoteaddr,
- struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
+dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, struct sockaddr *localaddr,
+ struct sockaddr *remoteaddr, struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
{
msg(D_DCO_DEBUG, "%s: peer-id %d, fd %d", __func__, peerid, sd);
@@ -424,7 +423,7 @@
return 0;
}
- OVPN_MP_NEW_PEER newPeer = {0};
+ OVPN_MP_NEW_PEER newPeer = { 0 };
if (remoteaddr)
{
@@ -454,7 +453,8 @@
newPeer.PeerId = peerid;
DWORD bytesReturned;
- if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_NEW_PEER, &newPeer, sizeof(newPeer), NULL, 0, &bytesReturned, NULL))
+ if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_NEW_PEER, &newPeer, sizeof(newPeer), NULL, 0,
+ &bytesReturned, NULL))
{
msg(M_ERR, "DeviceIoControl(OVPN_IOCTL_MP_NEW_PEER) failed");
}
@@ -489,11 +489,11 @@
}
int
-dco_set_peer(dco_context_t *dco, unsigned int peerid,
- int keepalive_interval, int keepalive_timeout, int mss)
+dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout,
+ int mss)
{
- msg(D_DCO_DEBUG, "%s: peer-id %d, keepalive %d/%d, mss %d", __func__,
- peerid, keepalive_interval, keepalive_timeout, mss);
+ msg(D_DCO_DEBUG, "%s: peer-id %d, keepalive %d/%d, mss %d", __func__, peerid,
+ keepalive_interval, keepalive_timeout, mss);
OVPN_MP_SET_PEER mp_peer = { peerid, keepalive_interval, keepalive_timeout, mss };
OVPN_SET_PEER peer = { keepalive_interval, keepalive_timeout, mss };
@@ -523,14 +523,12 @@
}
int
-dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid,
- dco_key_slot_t slot,
- const uint8_t *encrypt_key, const uint8_t *encrypt_iv,
- const uint8_t *decrypt_key, const uint8_t *decrypt_iv,
- const char *ciphername)
+dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, dco_key_slot_t slot,
+ const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key,
+ const uint8_t *decrypt_iv, const char *ciphername)
{
- msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s",
- __func__, slot, keyid, peerid, ciphername);
+ msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s", __func__, slot, keyid, peerid,
+ ciphername);
const int nonce_len = 8;
size_t key_len = cipher_kt_key_size(ciphername);
@@ -555,8 +553,8 @@
DWORD bytes_returned = 0;
- if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_NEW_KEY, &crypto_data,
- sizeof(crypto_data), NULL, 0, &bytes_returned, NULL))
+ if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_NEW_KEY, &crypto_data, sizeof(crypto_data), NULL,
+ 0, &bytes_returned, NULL))
{
msg(M_ERR, "DeviceIoControl(OVPN_IOCTL_NEW_KEY) failed");
return -1;
@@ -566,8 +564,7 @@
int
dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot)
{
- msg(D_DCO, "%s: peer-id %d, slot %d called but ignored", __func__, peerid,
- slot);
+ msg(D_DCO, "%s: peer-id %d, slot %d called but ignored", __func__, peerid, slot);
/* FIXME: Implement in driver first */
return 0;
}
@@ -577,7 +574,7 @@
{
msg(D_DCO_DEBUG, "%s: peer-id %d", __func__, peer_id);
- OVPN_MP_SWAP_KEYS swap = {peer_id};
+ OVPN_MP_SWAP_KEYS swap = { peer_id };
DWORD ioctl = OVPN_IOCTL_SWAP_KEYS;
VOID *buf = NULL;
DWORD len = 0;
@@ -602,8 +599,8 @@
dco_available(int msglevel)
{
/* try to open device by symbolic name */
- HANDLE h = CreateFile("\\\\.\\ovpn-dco", GENERIC_READ | GENERIC_WRITE,
- 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, NULL);
+ HANDLE h = CreateFile("\\\\.\\ovpn-dco", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING,
+ FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, NULL);
if (h != INVALID_HANDLE_VALUE)
{
@@ -628,7 +625,7 @@
const char *
dco_version_string(struct gc_arena *gc)
{
- OVPN_VERSION version = {0};
+ OVPN_VERSION version = { 0 };
if (dco_get_version(&version))
{
struct buffer out = alloc_buf_gc(256, gc);
@@ -659,7 +656,8 @@
BOOL res = GetOverlappedResult(dco->tt->hand, &dco->ov, &bytes_read, FALSE);
if (res)
{
- msg(D_DCO_DEBUG, "%s: completion%s success [%ld]", __func__, queued ? "" : " non-queued", bytes_read);
+ msg(D_DCO_DEBUG, "%s: completion%s success [%ld]", __func__, queued ? "" : " non-queued",
+ bytes_read);
dco->dco_message_peer_id = dco->notif_buf.PeerId;
dco->dco_message_type = dco->notif_buf.Cmd;
@@ -734,8 +732,8 @@
ZeroMemory(&stats, sizeof(OVPN_STATS));
DWORD bytes_returned = 0;
- if (!DeviceIoControl(tt->hand, OVPN_IOCTL_GET_STATS, NULL, 0,
- &stats, sizeof(stats), &bytes_returned, NULL))
+ if (!DeviceIoControl(tt->hand, OVPN_IOCTL_GET_STATS, NULL, 0, &stats, sizeof(stats),
+ &bytes_returned, NULL))
{
msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_GET_STATS) failed");
return -1;
@@ -765,7 +763,8 @@
/* the overlapped IOCTL will signal this event on I/O completion */
ASSERT(ResetEvent(dco->ov.hEvent));
- if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_NOTIFY_EVENT, NULL, 0, &dco->notif_buf, sizeof(dco->notif_buf), NULL, &dco->ov))
+ if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_NOTIFY_EVENT, NULL, 0, &dco->notif_buf,
+ sizeof(dco->notif_buf), NULL, &dco->ov))
{
DWORD err = GetLastError();
if (err == ERROR_IO_PENDING) /* operation queued? */
@@ -826,17 +825,21 @@
}
void
-dco_win_add_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits, unsigned int peer_id)
+dco_win_add_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits,
+ unsigned int peer_id)
{
struct gc_arena gc = gc_new();
- OVPN_MP_IROUTE route = {.Addr.Addr4.S_un.S_addr = dst, .Netbits = netbits, .PeerId = peer_id, .IPv6 = 0};
+ OVPN_MP_IROUTE route = {
+ .Addr.Addr4.S_un.S_addr = dst, .Netbits = netbits, .PeerId = peer_id, .IPv6 = 0
+ };
- msg(D_DCO_DEBUG, "%s: %s/%d -> peer %d", __func__, print_in_addr_t(dst, IA_NET_ORDER, &gc), netbits, peer_id);
+ msg(D_DCO_DEBUG, "%s: %s/%d -> peer %d", __func__, print_in_addr_t(dst, IA_NET_ORDER, &gc),
+ netbits, peer_id);
DWORD bytes_returned = 0;
- if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_ADD_IROUTE, &route,
- sizeof(route), NULL, 0, &bytes_returned, NULL))
+ if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_ADD_IROUTE, &route, sizeof(route), NULL, 0,
+ &bytes_returned, NULL))
{
msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_MP_ADD_IROUTE) failed");
}
@@ -845,17 +848,19 @@
}
void
-dco_win_add_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits, unsigned int peer_id)
+dco_win_add_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits,
+ unsigned int peer_id)
{
struct gc_arena gc = gc_new();
OVPN_MP_IROUTE route = { .Addr.Addr6 = dst, .Netbits = netbits, .PeerId = peer_id, .IPv6 = 1 };
- msg(D_DCO_DEBUG, "%s: %s/%d -> peer %d", __func__, print_in6_addr(dst, IA_NET_ORDER, &gc), netbits, peer_id);
+ msg(D_DCO_DEBUG, "%s: %s/%d -> peer %d", __func__, print_in6_addr(dst, IA_NET_ORDER, &gc),
+ netbits, peer_id);
DWORD bytes_returned = 0;
- if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_ADD_IROUTE, &route,
- sizeof(route), NULL, 0, &bytes_returned, NULL))
+ if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_ADD_IROUTE, &route, sizeof(route), NULL, 0,
+ &bytes_returned, NULL))
{
msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_MP_ADD_IROUTE) failed");
}
@@ -868,13 +873,15 @@
{
struct gc_arena gc = gc_new();
- OVPN_MP_IROUTE route = { .Addr.Addr4.S_un.S_addr = dst, .Netbits = netbits, .PeerId = -1, .IPv6 = 0 };
+ OVPN_MP_IROUTE route = {
+ .Addr.Addr4.S_un.S_addr = dst, .Netbits = netbits, .PeerId = -1, .IPv6 = 0
+ };
msg(D_DCO_DEBUG, "%s: %s/%d", __func__, print_in_addr_t(dst, IA_NET_ORDER, &gc), netbits);
DWORD bytes_returned = 0;
- if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_DEL_IROUTE, &route,
- sizeof(route), NULL, 0, &bytes_returned, NULL))
+ if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_DEL_IROUTE, &route, sizeof(route), NULL, 0,
+ &bytes_returned, NULL))
{
msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_MP_DEL_IROUTE) failed");
}
@@ -892,8 +899,8 @@
msg(D_DCO_DEBUG, "%s: %s/%d", __func__, print_in6_addr(dst, IA_NET_ORDER, &gc), netbits);
DWORD bytes_returned = 0;
- if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_DEL_IROUTE, &route,
- sizeof(route), NULL, 0, &bytes_returned, NULL))
+ if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_DEL_IROUTE, &route, sizeof(route), NULL, 0,
+ &bytes_returned, NULL))
{
msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_MP_DEL_IROUTE) failed");
}
@@ -32,21 +32,23 @@
typedef OVPN_KEY_SLOT dco_key_slot_t;
typedef OVPN_CIPHER_ALG dco_cipher_t;
-typedef enum {
+typedef enum
+{
DCO_MODE_UNINIT,
DCO_MODE_P2P,
DCO_MODE_MP
} dco_mode_type;
-struct dco_context {
+struct dco_context
+{
struct tuntap *tt;
dco_mode_type ifmode;
OVPN_NOTIFY_EVENT notif_buf; /**< Buffer for incoming notifications. */
- OVERLAPPED ov; /**< Used by overlapped I/O for async IOCTL. */
- int iostate; /**< State of overlapped I/O; see definitions in win32.h. */
- struct rw_handle rwhandle; /**< Used to hook async I/O to the OpenVPN event loop. */
- int ov_ret; /**< Win32 error code for overlapped operation, 0 for success */
+ OVERLAPPED ov; /**< Used by overlapped I/O for async IOCTL. */
+ int iostate; /**< State of overlapped I/O; see definitions in win32.h. */
+ struct rw_handle rwhandle; /**< Used to hook async I/O to the OpenVPN event loop. */
+ int ov_ret; /**< Win32 error code for overlapped operation, 0 for success */
int dco_message_peer_id;
int dco_message_type;
@@ -59,31 +61,26 @@
typedef struct dco_context dco_context_t;
-void
-dco_mp_start_vpn(HANDLE handle, struct link_socket *sock);
+void dco_mp_start_vpn(HANDLE handle, struct link_socket *sock);
-void
-dco_p2p_new_peer(HANDLE handle, OVERLAPPED *ov, struct link_socket *sock, struct signal_info *sig_info);
+void dco_p2p_new_peer(HANDLE handle, OVERLAPPED *ov, struct link_socket *sock,
+ struct signal_info *sig_info);
-void
-dco_start_tun(struct tuntap *tt);
+void dco_start_tun(struct tuntap *tt);
-bool
-dco_win_supports_multipeer(void);
+bool dco_win_supports_multipeer(void);
-void
-dco_win_add_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits, unsigned int peer_id);
+void dco_win_add_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits,
+ unsigned int peer_id);
-void
-dco_win_add_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits, unsigned int peer_id);
+void dco_win_add_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits,
+ unsigned int peer_id);
-void
-dco_win_del_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits);
+void dco_win_del_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits);
-void
-dco_win_del_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits);
+void dco_win_del_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits);
-#else /* if defined(ENABLE_DCO) && defined(_WIN32) */
+#else /* if defined(ENABLE_DCO) && defined(_WIN32) */
static inline void
dco_start_tun(struct tuntap *tt)
@@ -35,37 +35,37 @@
static int
get_dhcp_message_type(const struct dhcp *dhcp, const int optlen)
{
- const uint8_t *p = (uint8_t *) (dhcp + 1);
+ const uint8_t *p = (uint8_t *)(dhcp + 1);
int i;
for (i = 0; i < optlen; ++i)
{
const uint8_t type = p[i];
const int room = optlen - i;
- if (type == DHCP_END) /* didn't find what we were looking for */
+ if (type == DHCP_END) /* didn't find what we were looking for */
{
return -1;
}
- else if (type == DHCP_PAD) /* no-operation */
+ else if (type == DHCP_PAD) /* no-operation */
{
}
else if (type == DHCP_MSG_TYPE) /* what we are looking for */
{
if (room >= 3)
{
- if (p[i+1] == 1) /* option length should be 1 */
+ if (p[i + 1] == 1) /* option length should be 1 */
{
- return p[i+2]; /* return message type */
+ return p[i + 2]; /* return message type */
}
}
return -1;
}
- else /* some other option */
+ else /* some other option */
{
if (room >= 2)
{
- const int len = p[i+1]; /* get option length */
- i += (len + 1); /* advance to next option */
+ const int len = p[i + 1]; /* get option length */
+ i += (len + 1); /* advance to next option */
}
}
}
@@ -75,11 +75,11 @@
static in_addr_t
do_extract(struct dhcp *dhcp, int optlen)
{
- uint8_t *p = (uint8_t *) (dhcp + 1);
+ uint8_t *p = (uint8_t *)(dhcp + 1);
int i;
in_addr_t ret = 0;
- for (i = 0; i < optlen; )
+ for (i = 0; i < optlen;)
{
const uint8_t type = p[i];
const int room = optlen - i;
@@ -95,25 +95,25 @@
{
if (room >= 2)
{
- const int len = p[i+1]; /* get option length */
- if (len <= (room-2))
+ const int len = p[i + 1]; /* get option length */
+ if (len <= (room - 2))
{
/* get router IP address */
if (!ret && len >= 4 && (len & 3) == 0)
{
- memcpy(&ret, p+i+2, 4);
+ memcpy(&ret, p + i + 2, 4);
ret = ntohl(ret);
}
{
/* delete the router option */
uint8_t *dest = p + i;
- const int owlen = len + 2; /* len of data to overwrite */
+ const int owlen = len + 2; /* len of data to overwrite */
uint8_t *src = dest + owlen;
uint8_t *end = p + optlen;
const int movlen = end - src;
if (movlen > 0)
{
- memmove(dest, src, movlen); /* overwrite router option */
+ memmove(dest, src, movlen); /* overwrite router option */
}
memset(end - owlen, DHCP_PAD, owlen); /* pad tail */
}
@@ -128,12 +128,12 @@
break;
}
}
- else /* some other option */
+ else /* some other option */
{
if (room >= 2)
{
- const int len = p[i+1]; /* get option length */
- i += (len + 2); /* advance to next option */
+ const int len = p[i + 1]; /* get option length */
+ i += (len + 2); /* advance to next option */
}
else
{
@@ -147,13 +147,13 @@
in_addr_t
dhcp_extract_router_msg(struct buffer *ipbuf)
{
- struct dhcp_full *df = (struct dhcp_full *) BPTR(ipbuf);
- const int optlen = BLEN(ipbuf) - (sizeof(struct openvpn_iphdr) + sizeof(struct openvpn_udphdr) + sizeof(struct dhcp));
+ struct dhcp_full *df = (struct dhcp_full *)BPTR(ipbuf);
+ const int optlen =
+ BLEN(ipbuf)
+ - (sizeof(struct openvpn_iphdr) + sizeof(struct openvpn_udphdr) + sizeof(struct dhcp));
- if (optlen >= 0
- && df->ip.protocol == OPENVPN_IPPROTO_UDP
- && df->udp.source == htons(BOOTPS_PORT)
- && df->udp.dest == htons(BOOTPC_PORT)
+ if (optlen >= 0 && df->ip.protocol == OPENVPN_IPPROTO_UDP
+ && df->udp.source == htons(BOOTPS_PORT) && df->udp.dest == htons(BOOTPC_PORT)
&& df->dhcp.op == BOOTREPLY)
{
const int message_type = get_dhcp_message_type(&df->dhcp, optlen);
@@ -164,10 +164,10 @@
/* recompute the UDP checksum */
df->udp.check = 0;
- df->udp.check = htons(ip_checksum(AF_INET, (uint8_t *)&df->udp,
- sizeof(struct openvpn_udphdr) + sizeof(struct dhcp) + optlen,
- (uint8_t *)&df->ip.saddr, (uint8_t *)&df->ip.daddr,
- OPENVPN_IPPROTO_UDP));
+ df->udp.check = htons(ip_checksum(
+ AF_INET, (uint8_t *)&df->udp,
+ sizeof(struct openvpn_udphdr) + sizeof(struct dhcp) + optlen,
+ (uint8_t *)&df->ip.saddr, (uint8_t *)&df->ip.daddr, OPENVPN_IPPROTO_UDP));
/* only return the extracted Router address if DHCPACK */
if (message_type == DHCPACK)
@@ -30,10 +30,10 @@
#pragma pack(1)
/* DHCP Option types */
-#define DHCP_PAD 0
-#define DHCP_ROUTER 3
-#define DHCP_MSG_TYPE 53 /* message type (u8) */
-#define DHCP_END 255
+#define DHCP_PAD 0
+#define DHCP_ROUTER 3
+#define DHCP_MSG_TYPE 53 /* message type (u8) */
+#define DHCP_END 255
/* DHCP Messages types */
#define DHCPDISCOVER 1
@@ -49,28 +49,30 @@
#define BOOTPS_PORT 67
#define BOOTPC_PORT 68
-struct dhcp {
+struct dhcp
+{
#define BOOTREQUEST 1
#define BOOTREPLY 2
- uint8_t op; /* message op */
+ uint8_t op; /* message op */
- uint8_t htype; /* hardware address type (e.g. '1' = 10Mb Ethernet) */
- uint8_t hlen; /* hardware address length (e.g. '6' for 10Mb Ethernet) */
- uint8_t hops; /* client sets to 0, may be used by relay agents */
- uint32_t xid; /* transaction ID, chosen by client */
- uint16_t secs; /* seconds since request process began, set by client */
+ uint8_t htype; /* hardware address type (e.g. '1' = 10Mb Ethernet) */
+ uint8_t hlen; /* hardware address length (e.g. '6' for 10Mb Ethernet) */
+ uint8_t hops; /* client sets to 0, may be used by relay agents */
+ uint32_t xid; /* transaction ID, chosen by client */
+ uint16_t secs; /* seconds since request process began, set by client */
uint16_t flags;
- uint32_t ciaddr; /* client IP address, client sets if known */
- uint32_t yiaddr; /* 'your' IP address -- server's response to client */
- uint32_t siaddr; /* server IP address */
- uint32_t giaddr; /* relay agent IP address */
+ uint32_t ciaddr; /* client IP address, client sets if known */
+ uint32_t yiaddr; /* 'your' IP address -- server's response to client */
+ uint32_t siaddr; /* server IP address */
+ uint32_t giaddr; /* relay agent IP address */
uint8_t chaddr[16]; /* client hardware address */
- uint8_t sname[64]; /* optional server host name */
- uint8_t file[128]; /* boot file name */
- uint32_t magic; /* must be 0x63825363 (network order) */
+ uint8_t sname[64]; /* optional server host name */
+ uint8_t file[128]; /* boot file name */
+ uint32_t magic; /* must be 0x63825363 (network order) */
};
-struct dhcp_full {
+struct dhcp_full
+{
struct openvpn_iphdr ip;
struct openvpn_udphdr udp;
struct dhcp dhcp;
@@ -65,7 +65,7 @@
return false;
}
- char addrcopy[INET6_ADDRSTRLEN] = {0};
+ char addrcopy[INET6_ADDRSTRLEN] = { 0 };
size_t copylen = 0;
in_port_t port = 0;
sa_family_t af;
@@ -202,13 +202,13 @@
bool
dns_options_verify(int msglevel, const struct dns_options *o)
{
- const struct dns_server *server =
- o->servers ? o->servers : o->servers_prepull;
+ const struct dns_server *server = o->servers ? o->servers : o->servers_prepull;
while (server)
{
if (server->addr_count == 0)
{
- msg(msglevel, "ERROR: dns server %ld does not have an address assigned", server->priority);
+ msg(msglevel, "ERROR: dns server %ld does not have an address assigned",
+ server->priority);
return false;
}
server = server->next;
@@ -352,8 +352,8 @@
#ifdef _WIN32
static void
-make_domain_list(const char *what, const struct dns_domain *src,
- bool nrpt_domains, char *dst, size_t dst_size)
+make_domain_list(const char *what, const struct dns_domain *src, bool nrpt_domains, char *dst,
+ size_t dst_size)
{
/* NRPT domains need two \0 at the end for REG_MULTI_SZ
* and a leading '.' added in front of the domain name */
@@ -429,11 +429,8 @@
ack_message_t ack;
nrpt_dns_cfg_message_t nrpt = {
- .header = {
- (add ? msg_add_nrpt_cfg : msg_del_nrpt_cfg),
- sizeof(nrpt_dns_cfg_message_t),
- 0
- },
+ .header = { (add ? msg_add_nrpt_cfg : msg_del_nrpt_cfg), sizeof(nrpt_dns_cfg_message_t),
+ 0 },
.iface = { .index = tt->adapter_index, .name = "" },
.flags = server->dnssec == DNS_SECURITY_NO ? 0 : nrpt_dnssec,
};
@@ -447,33 +444,31 @@
break;
}
- if (inet_ntop(server->addr[i].family, &server->addr[i].in,
- nrpt.addresses[i], NRPT_ADDR_SIZE) == NULL)
+ if (inet_ntop(server->addr[i].family, &server->addr[i].in, nrpt.addresses[i],
+ NRPT_ADDR_SIZE)
+ == NULL)
{
msg(M_WARN, "WARNING: could not convert dns server address");
}
}
- make_domain_list("dns server resolve domains", server->domains, true,
- nrpt.resolve_domains, sizeof(nrpt.resolve_domains));
+ make_domain_list("dns server resolve domains", server->domains, true, nrpt.resolve_domains,
+ sizeof(nrpt.resolve_domains));
- make_domain_list("dns search domains", search_domains, false,
- nrpt.search_domains, sizeof(nrpt.search_domains));
+ make_domain_list("dns search domains", search_domains, false, nrpt.search_domains,
+ sizeof(nrpt.search_domains));
msg(D_LOW, "%s NRPT DNS%s%s on '%s' (if_index = %d) using service",
(add ? "Setting" : "Deleting"), nrpt.resolve_domains[0] != 0 ? ", resolve domains" : "",
- nrpt.search_domains[0] != 0 ? ", search domains" : "",
- nrpt.iface.name, nrpt.iface.index);
+ nrpt.search_domains[0] != 0 ? ", search domains" : "", nrpt.iface.name, nrpt.iface.index);
send_msg_iservice(o->msg_channel, &nrpt, sizeof(nrpt), &ack, "DNS");
}
-#else /* ifdef _WIN32 */
+#else /* ifdef _WIN32 */
static void
-setenv_dns_option(struct env_set *es,
- const char *format, int i, int j,
- const char *value)
+setenv_dns_option(struct env_set *es, const char *format, int i, int j, const char *value)
{
char name[64];
bool name_ok = false;
@@ -539,14 +534,12 @@
if (s->dnssec)
{
- setenv_dns_option(es, "dns_server_%d_dnssec", i, -1,
- dnssec_value(s->dnssec));
+ setenv_dns_option(es, "dns_server_%d_dnssec", i, -1, dnssec_value(s->dnssec));
}
if (s->transport)
{
- setenv_dns_option(es, "dns_server_%d_transport", i, -1,
- transport_value(s->transport));
+ setenv_dns_option(es, "dns_server_%d_transport", i, -1, transport_value(s->transport));
}
if (s->sni)
{
@@ -566,7 +559,8 @@
}
static int
-do_run_up_down_command(bool up, const char *vars_file, const struct dns_options *o, const struct tuntap *tt)
+do_run_up_down_command(bool up, const char *vars_file, const struct dns_options *o,
+ const struct tuntap *tt)
{
struct gc_arena gc = gc_new();
struct argv argv = argv_new();
@@ -598,12 +592,12 @@
}
static bool
-run_updown_runner(bool up, struct options *o, const struct tuntap *tt, struct dns_updown_runner_info *updown_runner)
+run_updown_runner(bool up, struct options *o, const struct tuntap *tt,
+ struct dns_updown_runner_info *updown_runner)
{
int dns_pipe_fd[2];
int ack_pipe_fd[2];
- if (pipe(dns_pipe_fd) != 0
- || pipe(ack_pipe_fd) != 0)
+ if (pipe(dns_pipe_fd) != 0 || pipe(ack_pipe_fd) != 0)
{
msg(M_ERR | M_ERRNO, "run_dns_up_down: unable to create pipes");
return false;
@@ -631,8 +625,7 @@
/* Script runner process, close unused FDs */
for (int fd = 3; fd < 100; ++fd)
{
- if (fd != dns_pipe_fd[0]
- && fd != ack_pipe_fd[1])
+ if (fd != dns_pipe_fd[0] && fd != ack_pipe_fd[1])
{
close(fd);
}
@@ -693,7 +686,8 @@
}
static void
-run_up_down_command(bool up, struct options *o, const struct tuntap *tt, struct dns_updown_runner_info *updown_runner)
+run_up_down_command(bool up, struct options *o, const struct tuntap *tt,
+ struct dns_updown_runner_info *updown_runner)
{
struct dns_options *dns = &o->dns_options;
if (!dns->updown || (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns)))
@@ -851,7 +845,8 @@
}
void
-run_dns_up_down(bool up, struct options *o, const struct tuntap *tt, struct dns_updown_runner_info *duri)
+run_dns_up_down(bool up, struct options *o, const struct tuntap *tt,
+ struct dns_updown_runner_info *duri)
{
if (!o->dns_options.servers)
{
@@ -881,14 +876,17 @@
}
if (bad_count == s->addr_count)
{
- msg(M_WARN, "DNS server %ld only has address(es) from a family "
+ msg(M_WARN,
+ "DNS server %ld only has address(es) from a family "
"the tunnel is not configured for - it will not be reachable",
s->priority);
}
else if (bad_count)
{
- msg(M_WARN, "DNS server %ld has address(es) from a family "
- "the tunnel is not configured for", s->priority);
+ msg(M_WARN,
+ "DNS server %ld has address(es) from a family "
+ "the tunnel is not configured for",
+ s->priority);
}
s = s->next;
}
@@ -27,33 +27,39 @@
#include "env_set.h"
#include "tun.h"
-enum dns_security {
+enum dns_security
+{
DNS_SECURITY_UNSET,
DNS_SECURITY_NO,
DNS_SECURITY_YES,
DNS_SECURITY_OPTIONAL
};
-enum dns_server_transport {
+enum dns_server_transport
+{
DNS_TRANSPORT_UNSET,
DNS_TRANSPORT_PLAIN,
DNS_TRANSPORT_HTTPS,
DNS_TRANSPORT_TLS
};
-enum dns_updown_flags {
+enum dns_updown_flags
+{
DNS_UPDOWN_NO_FLAGS,
DNS_UPDOWN_USER_SET,
DNS_UPDOWN_FORCED
};
-struct dns_domain {
+struct dns_domain
+{
struct dns_domain *next;
const char *name;
};
-struct dns_server_addr {
- union {
+struct dns_server_addr
+{
+ union
+ {
struct in_addr a4;
struct in6_addr a6;
} in;
@@ -61,7 +67,8 @@
in_port_t port;
};
-struct dns_server {
+struct dns_server
+{
struct dns_server *next;
long priority;
size_t addr_count;
@@ -72,7 +79,8 @@
const char *sni;
};
-struct dns_updown_runner_info {
+struct dns_updown_runner_info
+{
bool required;
int fds[2];
#if !defined(_WIN32)
@@ -88,7 +96,8 @@
#define N_SEARCH_LIST_LEN 10
#endif
-struct dhcp_options {
+struct dhcp_options
+{
in_addr_t dns[N_DHCP_ADDR];
int dns_len;
@@ -100,7 +109,8 @@
int domain_search_list_len;
};
-struct dns_options {
+struct dns_options
+{
struct dhcp_options from_dhcp;
struct dns_domain *search_domains;
struct dns_server *servers_prepull;
@@ -165,8 +175,7 @@
* @param gc Pointer to the gc_arena to use for the clone
* @return The dns_options clone
*/
-struct dns_options clone_dns_options(const struct dns_options *o,
- struct gc_arena *gc);
+struct dns_options clone_dns_options(const struct dns_options *o, struct gc_arena *gc);
/**
* Saves and resets the server options, so that pulled ones don't mix in.
@@ -246,7 +246,7 @@
if (es)
{
- const struct env_item *item = es->list;
+ const struct env_item *item = es->list;
while (item)
{
fputs(item->string, fp);
@@ -356,15 +356,10 @@
}
void
-setenv_str_ex(struct env_set *es,
- const char *name,
- const char *value,
- const unsigned int name_include,
- const unsigned int name_exclude,
- const char name_replace,
- const unsigned int value_include,
- const unsigned int value_exclude,
- const char value_replace)
+setenv_str_ex(struct env_set *es, const char *name, const char *value,
+ const unsigned int name_include, const unsigned int name_exclude,
+ const char name_replace, const unsigned int value_include,
+ const unsigned int value_exclude, const char value_replace)
{
struct gc_arena gc = gc_new();
const char *name_tmp;
@@ -442,9 +437,7 @@
/* Make arrays of strings */
const char **
-make_env_array(const struct env_set *es,
- const bool check_allowed,
- struct gc_arena *gc)
+make_env_array(const struct env_set *es, const bool check_allowed, struct gc_arena *gc)
{
char **ret = NULL;
struct env_item *e = NULL;
@@ -460,7 +453,7 @@
}
/* alloc return array */
- ALLOC_ARRAY_CLEAR_GC(ret, char *, n+1, gc);
+ ALLOC_ARRAY_CLEAR_GC(ret, char *, n + 1, gc);
/* fill return array */
if (es)
@@ -33,26 +33,23 @@
* Handle environmental variable lists
*/
-struct env_item {
+struct env_item
+{
char *string;
struct env_item *next;
};
-struct env_set {
+struct env_set
+{
struct gc_arena *gc;
struct env_item *list;
};
/* set/delete environmental variable */
-void setenv_str_ex(struct env_set *es,
- const char *name,
- const char *value,
- const unsigned int name_include,
- const unsigned int name_exclude,
- const char name_replace,
- const unsigned int value_include,
- const unsigned int value_exclude,
- const char value_replace);
+void setenv_str_ex(struct env_set *es, const char *name, const char *value,
+ const unsigned int name_include, const unsigned int name_exclude,
+ const char name_replace, const unsigned int value_include,
+ const unsigned int value_exclude, const char value_replace);
void setenv_counter(struct env_set *es, const char *name, counter_type value);
@@ -123,8 +120,7 @@
/* returns true if environmental variable may be passed to an external program */
bool env_allowed(const char *str);
-const char **make_env_array(const struct env_set *es,
- const bool check_allowed,
+const char **make_env_array(const struct env_set *es, const bool check_allowed,
struct gc_arena *gc);
#endif /* ifndef ENV_SET_H */
@@ -49,134 +49,134 @@
* of output.
*/
-#define M_VERB0 LOGLEV(0, 0, 0) /* Messages displayed even at --verb 0 (fatal errors only) */
+#define M_VERB0 LOGLEV(0, 0, 0) /* Messages displayed even at --verb 0 (fatal errors only) */
-#define M_INFO LOGLEV(1, 0, 0) /* default informational messages */
+#define M_INFO LOGLEV(1, 0, 0) /* default informational messages */
-#define D_LINK_ERRORS LOGLEV(1, 1, M_NONFATAL) /* show link errors from main event loop */
-#define D_CRYPT_ERRORS LOGLEV(1, 2, M_NONFATAL) /* show errors from encrypt/decrypt */
-#define D_TLS_ERRORS LOGLEV(1, 3, M_NONFATAL) /* show TLS control channel errors */
-#define D_RESOLVE_ERRORS LOGLEV(1, 4, M_NONFATAL) /* show hostname resolve errors */
-#define D_COMP_ERRORS LOGLEV(1, 5, M_NONFATAL) /* show compression errors */
-#define D_REPLAY_ERRORS LOGLEV(1, 6, M_NONFATAL) /* show packet replay errors */
-#define D_STREAM_ERRORS LOGLEV(1, 7, M_NONFATAL) /* TCP stream error requiring restart */
-#define D_IMPORT_ERRORS LOGLEV(1, 8, M_NONFATAL) /* show server import option errors */
-#define D_MULTI_ERRORS LOGLEV(1, 9, M_NONFATAL) /* show multi-client server errors */
-#define D_EVENT_ERRORS LOGLEV(1, 10, M_NONFATAL) /* show event.[ch] errors */
-#define D_PUSH_ERRORS LOGLEV(1, 11, M_NONFATAL) /* show push/pull errors */
-#define D_PID_PERSIST LOGLEV(1, 12, M_NONFATAL) /* show packet_id persist errors */
-#define D_FRAG_ERRORS LOGLEV(1, 13, M_NONFATAL) /* show fragmentation errors */
-#define D_ALIGN_ERRORS LOGLEV(1, 14, M_NONFATAL) /* show bad struct alignments */
+#define D_LINK_ERRORS LOGLEV(1, 1, M_NONFATAL) /* show link errors from main event loop */
+#define D_CRYPT_ERRORS LOGLEV(1, 2, M_NONFATAL) /* show errors from encrypt/decrypt */
+#define D_TLS_ERRORS LOGLEV(1, 3, M_NONFATAL) /* show TLS control channel errors */
+#define D_RESOLVE_ERRORS LOGLEV(1, 4, M_NONFATAL) /* show hostname resolve errors */
+#define D_COMP_ERRORS LOGLEV(1, 5, M_NONFATAL) /* show compression errors */
+#define D_REPLAY_ERRORS LOGLEV(1, 6, M_NONFATAL) /* show packet replay errors */
+#define D_STREAM_ERRORS LOGLEV(1, 7, M_NONFATAL) /* TCP stream error requiring restart */
+#define D_IMPORT_ERRORS LOGLEV(1, 8, M_NONFATAL) /* show server import option errors */
+#define D_MULTI_ERRORS LOGLEV(1, 9, M_NONFATAL) /* show multi-client server errors */
+#define D_EVENT_ERRORS LOGLEV(1, 10, M_NONFATAL) /* show event.[ch] errors */
+#define D_PUSH_ERRORS LOGLEV(1, 11, M_NONFATAL) /* show push/pull errors */
+#define D_PID_PERSIST LOGLEV(1, 12, M_NONFATAL) /* show packet_id persist errors */
+#define D_FRAG_ERRORS LOGLEV(1, 13, M_NONFATAL) /* show fragmentation errors */
+#define D_ALIGN_ERRORS LOGLEV(1, 14, M_NONFATAL) /* show bad struct alignments */
-#define D_HANDSHAKE LOGLEV(2, 20, 0) /* show data & control channel handshakes */
-#define D_CLOSE LOGLEV(2, 22, 0) /* show socket and TUN/TAP close */
-#define D_PROXY LOGLEV(2, 24, 0) /* show http proxy control packets */
-#define D_ARGV LOGLEV(2, 25, 0) /* show struct argv errors */
+#define D_HANDSHAKE LOGLEV(2, 20, 0) /* show data & control channel handshakes */
+#define D_CLOSE LOGLEV(2, 22, 0) /* show socket and TUN/TAP close */
+#define D_PROXY LOGLEV(2, 24, 0) /* show http proxy control packets */
+#define D_ARGV LOGLEV(2, 25, 0) /* show struct argv errors */
-#define D_TLS_DEBUG_LOW LOGLEV(3, 20, 0) /* low frequency info from tls_session routines */
-#define D_GREMLIN LOGLEV(3, 30, 0) /* show simulated outage info from gremlin module */
-#define D_GENKEY LOGLEV(3, 31, 0) /* print message after key generation */
-#define D_ROUTE LOGLEV(3, 0, 0) /* show routes added and deleted (don't mute) */
-#define D_TUNTAP_INFO LOGLEV(3, 32, 0) /* show debugging info from TUN/TAP driver */
-#define D_RESTART LOGLEV(3, 33, 0) /* show certain restart messages */
-#define D_PUSH LOGLEV(3, 34, 0) /* show push/pull info */
-#define D_IFCONFIG_POOL LOGLEV(3, 35, 0) /* show ifconfig pool info */
-#define D_AUTH LOGLEV(3, 37, 0) /* show user/pass auth info */
-#define D_MULTI_LOW LOGLEV(3, 38, 0) /* show point-to-multipoint low-freq debug info */
-#define D_PLUGIN LOGLEV(3, 39, 0) /* show plugin calls */
-#define D_MANAGEMENT LOGLEV(3, 40, 0) /* show --management info */
-#define D_SCHED_EXIT LOGLEV(3, 41, 0) /* show arming of scheduled exit */
-#define D_ROUTE_QUOTA LOGLEV(3, 42, 0) /* show route quota exceeded messages */
-#define D_OSBUF LOGLEV(3, 43, 0) /* show socket/tun/tap buffer sizes */
-#define D_PS_PROXY LOGLEV(3, 44, 0) /* messages related to --port-share option */
-#define D_IFCONFIG LOGLEV(3, 0, 0) /* show ifconfig info (don't mute) */
-#define D_DCO LOGLEV(3, 0, 0) /* show DCO related messages */
+#define D_TLS_DEBUG_LOW LOGLEV(3, 20, 0) /* low frequency info from tls_session routines */
+#define D_GREMLIN LOGLEV(3, 30, 0) /* show simulated outage info from gremlin module */
+#define D_GENKEY LOGLEV(3, 31, 0) /* print message after key generation */
+#define D_ROUTE LOGLEV(3, 0, 0) /* show routes added and deleted (don't mute) */
+#define D_TUNTAP_INFO LOGLEV(3, 32, 0) /* show debugging info from TUN/TAP driver */
+#define D_RESTART LOGLEV(3, 33, 0) /* show certain restart messages */
+#define D_PUSH LOGLEV(3, 34, 0) /* show push/pull info */
+#define D_IFCONFIG_POOL LOGLEV(3, 35, 0) /* show ifconfig pool info */
+#define D_AUTH LOGLEV(3, 37, 0) /* show user/pass auth info */
+#define D_MULTI_LOW LOGLEV(3, 38, 0) /* show point-to-multipoint low-freq debug info */
+#define D_PLUGIN LOGLEV(3, 39, 0) /* show plugin calls */
+#define D_MANAGEMENT LOGLEV(3, 40, 0) /* show --management info */
+#define D_SCHED_EXIT LOGLEV(3, 41, 0) /* show arming of scheduled exit */
+#define D_ROUTE_QUOTA LOGLEV(3, 42, 0) /* show route quota exceeded messages */
+#define D_OSBUF LOGLEV(3, 43, 0) /* show socket/tun/tap buffer sizes */
+#define D_PS_PROXY LOGLEV(3, 44, 0) /* messages related to --port-share option */
+#define D_IFCONFIG LOGLEV(3, 0, 0) /* show ifconfig info (don't mute) */
+#define D_DCO LOGLEV(3, 0, 0) /* show DCO related messages */
-#define D_SHOW_PARMS LOGLEV(4, 50, 0) /* show all parameters on program initiation */
-#define D_LOW LOGLEV(4, 52, 0) /* miscellaneous low-frequency debug info */
-#define D_DHCP_OPT LOGLEV(4, 53, 0) /* show DHCP options binary string */
-#define D_MBUF LOGLEV(4, 54, 0) /* mbuf.[ch] routines */
-#define D_PACKET_TRUNC_ERR LOGLEV(4, 55, 0) /* PACKET_TRUNCATION_CHECK */
-#define D_MULTI_DROPPED LOGLEV(4, 57, 0) /* show point-to-multipoint packet drops */
-#define D_MULTI_MEDIUM LOGLEV(4, 58, 0) /* show medium frequency multi messages */
-#define D_X509_ATTR LOGLEV(4, 59, 0) /* show x509-track attributes on connection */
-#define D_INIT_MEDIUM LOGLEV(4, 60, 0) /* show medium frequency init messages */
-#define D_MTU_INFO LOGLEV(4, 61, 0) /* show terse MTU info */
-#define D_PID_DEBUG_LOW LOGLEV(4, 63, 0) /* show low-freq packet-id debugging info */
-#define D_PID_DEBUG_MEDIUM LOGLEV(4, 64, 0) /* show medium-freq packet-id debugging info */
-#define D_CIPHER_INIT LOGLEV(4, 65, 0) /* show messages about cipher init */
+#define D_SHOW_PARMS LOGLEV(4, 50, 0) /* show all parameters on program initiation */
+#define D_LOW LOGLEV(4, 52, 0) /* miscellaneous low-frequency debug info */
+#define D_DHCP_OPT LOGLEV(4, 53, 0) /* show DHCP options binary string */
+#define D_MBUF LOGLEV(4, 54, 0) /* mbuf.[ch] routines */
+#define D_PACKET_TRUNC_ERR LOGLEV(4, 55, 0) /* PACKET_TRUNCATION_CHECK */
+#define D_MULTI_DROPPED LOGLEV(4, 57, 0) /* show point-to-multipoint packet drops */
+#define D_MULTI_MEDIUM LOGLEV(4, 58, 0) /* show medium frequency multi messages */
+#define D_X509_ATTR LOGLEV(4, 59, 0) /* show x509-track attributes on connection */
+#define D_INIT_MEDIUM LOGLEV(4, 60, 0) /* show medium frequency init messages */
+#define D_MTU_INFO LOGLEV(4, 61, 0) /* show terse MTU info */
+#define D_PID_DEBUG_LOW LOGLEV(4, 63, 0) /* show low-freq packet-id debugging info */
+#define D_PID_DEBUG_MEDIUM LOGLEV(4, 64, 0) /* show medium-freq packet-id debugging info */
+#define D_CIPHER_INIT LOGLEV(4, 65, 0) /* show messages about cipher init */
-#define D_LOG_RW LOGLEV(5, 0, 0) /* Print 'R' or 'W' to stdout for read/write */
+#define D_LOG_RW LOGLEV(5, 0, 0) /* Print 'R' or 'W' to stdout for read/write */
-#define D_RTNL LOGLEV(6, 68, M_DEBUG) /* show RTNL low level operations */
-#define D_LINK_RW LOGLEV(6, 69, M_DEBUG) /* show TCP/UDP reads/writes (terse) */
-#define D_TUN_RW LOGLEV(6, 69, M_DEBUG) /* show TUN/TAP reads/writes */
-#define D_TAP_WIN_DEBUG LOGLEV(6, 69, M_DEBUG) /* show TAP-Windows driver debug info */
-#define D_CLIENT_NAT LOGLEV(6, 69, M_DEBUG) /* show client NAT debug info */
-#define D_XKEY LOGLEV(6, 69, M_DEBUG) /* show xkey-provider debug info */
-#define D_DCO_DEBUG LOGLEV(6, 69, M_DEBUG) /* show DCO related lowlevel debug messages */
-#define D_SIGNAL_DEBUG LOGLEV(6, 69, M_DEBUG) /* show signal related debug messages */
+#define D_RTNL LOGLEV(6, 68, M_DEBUG) /* show RTNL low level operations */
+#define D_LINK_RW LOGLEV(6, 69, M_DEBUG) /* show TCP/UDP reads/writes (terse) */
+#define D_TUN_RW LOGLEV(6, 69, M_DEBUG) /* show TUN/TAP reads/writes */
+#define D_TAP_WIN_DEBUG LOGLEV(6, 69, M_DEBUG) /* show TAP-Windows driver debug info */
+#define D_CLIENT_NAT LOGLEV(6, 69, M_DEBUG) /* show client NAT debug info */
+#define D_XKEY LOGLEV(6, 69, M_DEBUG) /* show xkey-provider debug info */
+#define D_DCO_DEBUG LOGLEV(6, 69, M_DEBUG) /* show DCO related lowlevel debug messages */
+#define D_SIGNAL_DEBUG LOGLEV(6, 69, M_DEBUG) /* show signal related debug messages */
-#define D_SHOW_KEYS LOGLEV(7, 70, M_DEBUG) /* show data channel encryption keys */
-#define D_SHOW_KEY_SOURCE LOGLEV(7, 70, M_DEBUG) /* show data channel key source entropy */
-#define D_REL_LOW LOGLEV(7, 70, M_DEBUG) /* show low frequency info from reliable layer */
-#define D_FRAG_DEBUG LOGLEV(7, 70, M_DEBUG) /* show fragment debugging info */
-#define D_WIN32_IO_LOW LOGLEV(7, 70, M_DEBUG) /* low freq win32 I/O debugging info */
-#define D_MTU_DEBUG LOGLEV(7, 70, M_DEBUG) /* show MTU debugging info */
-#define D_MULTI_DEBUG LOGLEV(7, 70, M_DEBUG) /* show medium-freq multi debugging info */
-#define D_MSS LOGLEV(7, 70, M_DEBUG) /* show MSS adjustments */
-#define D_COMP_LOW LOGLEV(7, 70, M_DEBUG) /* show adaptive compression state changes */
-#define D_CONNECTION_LIST LOGLEV(7, 70, M_DEBUG) /* show <connection> list info */
-#define D_SCRIPT LOGLEV(7, 70, M_DEBUG) /* show parms & env vars passed to scripts */
-#define D_SHOW_NET LOGLEV(7, 70, M_DEBUG) /* show routing table and adapter list */
-#define D_ROUTE_DEBUG LOGLEV(7, 70, M_DEBUG) /* show verbose route.[ch] output */
-#define D_TLS_STATE_ERRORS LOGLEV(7, 70, M_DEBUG) /* no TLS state for client */
-#define D_SEMAPHORE_LOW LOGLEV(7, 70, M_DEBUG) /* show Win32 semaphore waits (low freq) */
-#define D_SEMAPHORE LOGLEV(7, 70, M_DEBUG) /* show Win32 semaphore waits */
-#define D_TEST_FILE LOGLEV(7, 70, M_DEBUG) /* show test_file() calls */
-#define D_MANAGEMENT_DEBUG LOGLEV(3, 70, M_DEBUG) /* show --management debug info */
-#define D_PLUGIN_DEBUG LOGLEV(7, 70, M_DEBUG) /* show verbose plugin calls */
-#define D_SOCKET_DEBUG LOGLEV(7, 70, M_DEBUG) /* show socket.[ch] debugging info */
-#define D_SHOW_PKCS11 LOGLEV(7, 70, M_DEBUG) /* show PKCS#11 actions */
-#define D_ALIGN_DEBUG LOGLEV(7, 70, M_DEBUG) /* show verbose struct alignment info */
-#define D_PACKET_TRUNC_DEBUG LOGLEV(7, 70, M_DEBUG) /* PACKET_TRUNCATION_CHECK verbose */
-#define D_PING LOGLEV(7, 70, M_DEBUG) /* PING send/receive messages */
-#define D_PS_PROXY_DEBUG LOGLEV(7, 70, M_DEBUG) /* port share proxy debug */
-#define D_TLS_KEYSELECT LOGLEV(7, 70, M_DEBUG) /* show key selection for data channel */
-#define D_ARGV_PARSE_CMD LOGLEV(7, 70, M_DEBUG) /* show parse_line() errors in argv_parse_cmd */
-#define D_CRYPTO_DEBUG LOGLEV(7, 70, M_DEBUG) /* show detailed info from crypto.c routines */
-#define D_PID_DEBUG LOGLEV(7, 70, M_DEBUG) /* show packet-id debugging info */
-#define D_PUSH_DEBUG LOGLEV(7, 73, M_DEBUG) /* show push/pull debugging info */
-#define D_SHOW_OCC LOGLEV(7, 74, M_DEBUG) /* show options compatibility string */
+#define D_SHOW_KEYS LOGLEV(7, 70, M_DEBUG) /* show data channel encryption keys */
+#define D_SHOW_KEY_SOURCE LOGLEV(7, 70, M_DEBUG) /* show data channel key source entropy */
+#define D_REL_LOW LOGLEV(7, 70, M_DEBUG) /* show low frequency info from reliable layer */
+#define D_FRAG_DEBUG LOGLEV(7, 70, M_DEBUG) /* show fragment debugging info */
+#define D_WIN32_IO_LOW LOGLEV(7, 70, M_DEBUG) /* low freq win32 I/O debugging info */
+#define D_MTU_DEBUG LOGLEV(7, 70, M_DEBUG) /* show MTU debugging info */
+#define D_MULTI_DEBUG LOGLEV(7, 70, M_DEBUG) /* show medium-freq multi debugging info */
+#define D_MSS LOGLEV(7, 70, M_DEBUG) /* show MSS adjustments */
+#define D_COMP_LOW LOGLEV(7, 70, M_DEBUG) /* show adaptive compression state changes */
+#define D_CONNECTION_LIST LOGLEV(7, 70, M_DEBUG) /* show <connection> list info */
+#define D_SCRIPT LOGLEV(7, 70, M_DEBUG) /* show parms & env vars passed to scripts */
+#define D_SHOW_NET LOGLEV(7, 70, M_DEBUG) /* show routing table and adapter list */
+#define D_ROUTE_DEBUG LOGLEV(7, 70, M_DEBUG) /* show verbose route.[ch] output */
+#define D_TLS_STATE_ERRORS LOGLEV(7, 70, M_DEBUG) /* no TLS state for client */
+#define D_SEMAPHORE_LOW LOGLEV(7, 70, M_DEBUG) /* show Win32 semaphore waits (low freq) */
+#define D_SEMAPHORE LOGLEV(7, 70, M_DEBUG) /* show Win32 semaphore waits */
+#define D_TEST_FILE LOGLEV(7, 70, M_DEBUG) /* show test_file() calls */
+#define D_MANAGEMENT_DEBUG LOGLEV(3, 70, M_DEBUG) /* show --management debug info */
+#define D_PLUGIN_DEBUG LOGLEV(7, 70, M_DEBUG) /* show verbose plugin calls */
+#define D_SOCKET_DEBUG LOGLEV(7, 70, M_DEBUG) /* show socket.[ch] debugging info */
+#define D_SHOW_PKCS11 LOGLEV(7, 70, M_DEBUG) /* show PKCS#11 actions */
+#define D_ALIGN_DEBUG LOGLEV(7, 70, M_DEBUG) /* show verbose struct alignment info */
+#define D_PACKET_TRUNC_DEBUG LOGLEV(7, 70, M_DEBUG) /* PACKET_TRUNCATION_CHECK verbose */
+#define D_PING LOGLEV(7, 70, M_DEBUG) /* PING send/receive messages */
+#define D_PS_PROXY_DEBUG LOGLEV(7, 70, M_DEBUG) /* port share proxy debug */
+#define D_TLS_KEYSELECT LOGLEV(7, 70, M_DEBUG) /* show key selection for data channel */
+#define D_ARGV_PARSE_CMD LOGLEV(7, 70, M_DEBUG) /* show parse_line() errors in argv_parse_cmd */
+#define D_CRYPTO_DEBUG LOGLEV(7, 70, M_DEBUG) /* show detailed info from crypto.c routines */
+#define D_PID_DEBUG LOGLEV(7, 70, M_DEBUG) /* show packet-id debugging info */
+#define D_PUSH_DEBUG LOGLEV(7, 73, M_DEBUG) /* show push/pull debugging info */
+#define D_SHOW_OCC LOGLEV(7, 74, M_DEBUG) /* show options compatibility string */
-#define D_VLAN_DEBUG LOGLEV(7, 74, M_DEBUG) /* show VLAN tagging/untagging debug info */
+#define D_VLAN_DEBUG LOGLEV(7, 74, M_DEBUG) /* show VLAN tagging/untagging debug info */
-#define D_HANDSHAKE_VERBOSE LOGLEV(8, 70, M_DEBUG) /* show detailed description of handshake */
-#define D_TLS_DEBUG_MED LOGLEV(8, 70, M_DEBUG) /* limited info from tls_session routines */
-#define D_INTERVAL LOGLEV(8, 70, M_DEBUG) /* show interval.h debugging info */
-#define D_SCHEDULER LOGLEV(8, 70, M_DEBUG) /* show scheduler debugging info */
-#define D_GREMLIN_VERBOSE LOGLEV(8, 70, M_DEBUG) /* show verbose info from gremlin module */
-#define D_REL_DEBUG LOGLEV(8, 70, M_DEBUG) /* show detailed info from reliable routines */
-#define D_EVENT_WAIT LOGLEV(8, 70, M_DEBUG) /* show detailed info from event waits */
-#define D_MULTI_TCP LOGLEV(8, 70, M_DEBUG) /* show debug info from mtcp.c */
+#define D_HANDSHAKE_VERBOSE LOGLEV(8, 70, M_DEBUG) /* show detailed description of handshake */
+#define D_TLS_DEBUG_MED LOGLEV(8, 70, M_DEBUG) /* limited info from tls_session routines */
+#define D_INTERVAL LOGLEV(8, 70, M_DEBUG) /* show interval.h debugging info */
+#define D_SCHEDULER LOGLEV(8, 70, M_DEBUG) /* show scheduler debugging info */
+#define D_GREMLIN_VERBOSE LOGLEV(8, 70, M_DEBUG) /* show verbose info from gremlin module */
+#define D_REL_DEBUG LOGLEV(8, 70, M_DEBUG) /* show detailed info from reliable routines */
+#define D_EVENT_WAIT LOGLEV(8, 70, M_DEBUG) /* show detailed info from event waits */
+#define D_MULTI_TCP LOGLEV(8, 70, M_DEBUG) /* show debug info from mtcp.c */
-#define D_TLS_DEBUG LOGLEV(9, 70, M_DEBUG) /* show detailed info from TLS routines */
-#define D_COMP LOGLEV(9, 70, M_DEBUG) /* show compression info */
-#define D_READ_WRITE LOGLEV(9, 70, M_DEBUG) /* show all tun/tcp/udp reads/writes/opens */
-#define D_PACKET_CONTENT LOGLEV(9, 70, M_DEBUG) /* show before/after encryption packet content */
-#define D_TLS_NO_SEND_KEY LOGLEV(9, 70, M_DEBUG) /* show when no data channel send-key exists */
-#define D_PID_PERSIST_DEBUG LOGLEV(9, 70, M_DEBUG) /* show packet-id persist debugging info */
-#define D_LINK_RW_VERBOSE LOGLEV(9, 70, M_DEBUG) /* increase link reads/writes verbosity */
-#define D_STREAM_DEBUG LOGLEV(9, 70, M_DEBUG) /* show TCP stream debug info */
-#define D_WIN32_IO LOGLEV(9, 70, M_DEBUG) /* win32 I/O debugging info */
-#define D_PKCS11_DEBUG LOGLEV(9, 70, M_DEBUG) /* show PKCS#11 debugging */
+#define D_TLS_DEBUG LOGLEV(9, 70, M_DEBUG) /* show detailed info from TLS routines */
+#define D_COMP LOGLEV(9, 70, M_DEBUG) /* show compression info */
+#define D_READ_WRITE LOGLEV(9, 70, M_DEBUG) /* show all tun/tcp/udp reads/writes/opens */
+#define D_PACKET_CONTENT LOGLEV(9, 70, M_DEBUG) /* show before/after encryption packet content */
+#define D_TLS_NO_SEND_KEY LOGLEV(9, 70, M_DEBUG) /* show when no data channel send-key exists */
+#define D_PID_PERSIST_DEBUG LOGLEV(9, 70, M_DEBUG) /* show packet-id persist debugging info */
+#define D_LINK_RW_VERBOSE LOGLEV(9, 70, M_DEBUG) /* increase link reads/writes verbosity */
+#define D_STREAM_DEBUG LOGLEV(9, 70, M_DEBUG) /* show TCP stream debug info */
+#define D_WIN32_IO LOGLEV(9, 70, M_DEBUG) /* win32 I/O debugging info */
+#define D_PKCS11_DEBUG LOGLEV(9, 70, M_DEBUG) /* show PKCS#11 debugging */
-#define D_SHAPER_DEBUG LOGLEV(10, 70, M_DEBUG) /* show traffic shaper info */
+#define D_SHAPER_DEBUG LOGLEV(10, 70, M_DEBUG) /* show traffic shaper info */
-#define D_REGISTRY LOGLEV(11, 70, M_DEBUG) /* win32 registry debugging info */
-#define D_OPENSSL_LOCK LOGLEV(11, 70, M_DEBUG) /* show OpenSSL locks */
+#define D_REGISTRY LOGLEV(11, 70, M_DEBUG) /* win32 registry debugging info */
+#define D_OPENSSL_LOCK LOGLEV(11, 70, M_DEBUG) /* show OpenSSL locks */
-/*#define D_THREAD_DEBUG LOGLEV(4, 70, M_DEBUG)*/ /* show pthread debug information */
+/*#define D_THREAD_DEBUG LOGLEV(4, 70, M_DEBUG)*/ /* show pthread debug information */
-#endif /* ifndef ERRLEVEL_H */
+#endif /* ifndef ERRLEVEL_H */
@@ -51,9 +51,9 @@
unsigned int x_debug_level; /* GLOBAL */
/* Mute state */
-static int mute_cutoff; /* GLOBAL */
-static int mute_count; /* GLOBAL */
-static int mute_category; /* GLOBAL */
+static int mute_cutoff; /* GLOBAL */
+static int mute_count; /* GLOBAL */
+static int mute_category; /* GLOBAL */
/*
* Output mode priorities are as follows:
@@ -67,28 +67,28 @@
/* If true, indicates that stdin/stdout/stderr
* have been redirected due to --log */
-static bool std_redir; /* GLOBAL */
+static bool std_redir; /* GLOBAL */
/* Should messages be written to the syslog? */
-static bool use_syslog; /* GLOBAL */
+static bool use_syslog; /* GLOBAL */
/* Should stdout/stderr be be parsable and always be prefixed with time
* and message flags */
-static bool machine_readable_output; /* GLOBAL */
+static bool machine_readable_output; /* GLOBAL */
/* Should timestamps be included on messages to stdout/stderr? */
static bool suppress_timestamps; /* GLOBAL */
/* The program name passed to syslog */
#if SYSLOG_CAPABILITY
-static char *pgmname_syslog; /* GLOBAL */
+static char *pgmname_syslog; /* GLOBAL */
#endif
/* If non-null, messages should be written here (used for debugging only) */
-static FILE *msgfp; /* GLOBAL */
+static FILE *msgfp; /* GLOBAL */
/* If true, we forked from main OpenVPN process */
-static bool forked; /* GLOBAL */
+static bool forked; /* GLOBAL */
/* our default output targets */
static FILE *default_out; /* GLOBAL */
@@ -175,7 +175,7 @@
{
openvpn_exit(OPENVPN_EXIT_STATUS_CANNOT_OPEN_DEBUG_FILE); /* exit point */
}
-#else /* ifdef OPENVPN_DEBUG_COMMAND_LINE */
+#else /* ifdef OPENVPN_DEBUG_COMMAND_LINE */
msgfp = NULL;
#endif
}
@@ -195,7 +195,7 @@
FILE *fp = msgfp;
if (!fp)
{
- fp = (flags & (M_FATAL|M_USAGE_SMALL)) ? default_err : default_out;
+ fp = (flags & (M_FATAL | M_USAGE_SMALL)) ? default_err : default_out;
}
if (!fp)
{
@@ -204,7 +204,12 @@
return fp;
}
-#define SWAP { tmp = m1; m1 = m2; m2 = tmp; }
+#define SWAP \
+ { \
+ tmp = m1; \
+ m1 = m2; \
+ m2 = tmp; \
+ }
int x_msg_line_num; /* GLOBAL */
@@ -265,16 +270,15 @@
gc_init(&gc);
- m1 = (char *) gc_malloc(ERR_BUF_SIZE, false, &gc);
- m2 = (char *) gc_malloc(ERR_BUF_SIZE, false, &gc);
+ m1 = (char *)gc_malloc(ERR_BUF_SIZE, false, &gc);
+ m2 = (char *)gc_malloc(ERR_BUF_SIZE, false, &gc);
vsnprintf(m1, ERR_BUF_SIZE, format, arglist);
m1[ERR_BUF_SIZE - 1] = 0; /* windows vsnprintf needs this */
if ((flags & M_ERRNO) && e)
{
- snprintf(m2, ERR_BUF_SIZE, "%s: %s (errno=%d)",
- m1, openvpn_strerror(e, crt_error, &gc), e);
+ snprintf(m2, ERR_BUF_SIZE, "%s: %s (errno=%d)", m1, openvpn_strerror(e, crt_error, &gc), e);
SWAP;
}
@@ -285,7 +289,7 @@
}
#if SYSLOG_CAPABILITY
- if (flags & (M_FATAL|M_NONFATAL|M_USAGE_SMALL))
+ if (flags & (M_FATAL | M_NONFATAL | M_USAGE_SMALL))
{
level = LOG_ERR;
}
@@ -320,10 +324,7 @@
const struct virtual_output *vo = msg_get_virtual_output();
if (vo)
{
- snprintf(m2, ERR_BUF_SIZE, "%s%s%s",
- prefix,
- prefix_sep,
- m1);
+ snprintf(m2, ERR_BUF_SIZE, "%s%s%s", prefix, prefix_sep, m1);
virtual_output_print(vo, flags, m2);
}
}
@@ -333,10 +334,7 @@
if (use_syslog && !std_redir && !forked)
{
#if SYSLOG_CAPABILITY
- syslog(level, "%s%s%s",
- prefix,
- prefix_sep,
- m1);
+ syslog(level, "%s%s%s", prefix, prefix_sep, m1);
#endif
}
else
@@ -349,32 +347,17 @@
struct timeval tv;
gettimeofday(&tv, NULL);
- fprintf(fp, "%" PRIi64 ".%06ld %x %s%s%s%s",
- (int64_t)tv.tv_sec,
- (long)tv.tv_usec,
- flags,
- prefix,
- prefix_sep,
- m1,
- "\n");
-
+ fprintf(fp, "%" PRIi64 ".%06ld %x %s%s%s%s", (int64_t)tv.tv_sec, (long)tv.tv_usec,
+ flags, prefix, prefix_sep, m1, "\n");
}
else if ((flags & M_NOPREFIX) || suppress_timestamps)
{
- fprintf(fp, "%s%s%s%s",
- prefix,
- prefix_sep,
- m1,
- (flags&M_NOLF) ? "" : "\n");
+ fprintf(fp, "%s%s%s%s", prefix, prefix_sep, m1, (flags & M_NOLF) ? "" : "\n");
}
else
{
- fprintf(fp, "%s %s%s%s%s",
- time_string(0, 0, show_usec, &gc),
- prefix,
- prefix_sep,
- m1,
- (flags&M_NOLF) ? "" : "\n");
+ fprintf(fp, "%s %s%s%s%s", time_string(0, 0, show_usec, &gc), prefix, prefix_sep,
+ m1, (flags & M_NOLF) ? "" : "\n");
}
fflush(fp);
++x_msg_line_num;
@@ -389,7 +372,6 @@
if (flags & M_FATAL)
{
openvpn_exit(OPENVPN_EXIT_STATUS_ERROR); /* exit point */
-
}
if (flags & M_USAGE_SMALL)
{
@@ -426,8 +408,7 @@
if (suppressed > 0)
{
msg(M_INFO | M_NOMUTE,
- "%d variation(s) on previous %d message(s) suppressed by --mute",
- suppressed,
+ "%d variation(s) on previous %d message(s) suppressed by --mute", suppressed,
mute_cutoff);
}
mute_count = 1;
@@ -481,8 +462,9 @@
}
}
}
-#else /* if SYSLOG_CAPABILITY */
- msg(M_WARN, "Warning on use of --daemon: this operating system lacks daemon logging features, therefore when I become a daemon, I won't be able to log status or error messages");
+#else /* if SYSLOG_CAPABILITY */
+ msg(M_WARN,
+ "Warning on use of --daemon: this operating system lacks daemon logging features, therefore when I become a daemon, I won't be able to log status or error messages");
#endif
}
@@ -525,19 +507,14 @@
saAttr.bInheritHandle = TRUE;
saAttr.lpSecurityDescriptor = NULL;
- log_handle = CreateFileW(wide_string(file, &gc),
- GENERIC_WRITE,
- FILE_SHARE_READ,
- &saAttr,
- append ? OPEN_ALWAYS : CREATE_ALWAYS,
- FILE_ATTRIBUTE_NORMAL,
- NULL);
+ log_handle = CreateFileW(wide_string(file, &gc), GENERIC_WRITE, FILE_SHARE_READ, &saAttr,
+ append ? OPEN_ALWAYS : CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
gc_free(&gc);
if (log_handle == INVALID_HANDLE_VALUE)
{
- msg(M_WARN|M_ERRNO, "Warning: cannot open --log file: %s", file);
+ msg(M_WARN | M_ERRNO, "Warning: cannot open --log file: %s", file);
return;
}
@@ -554,7 +531,8 @@
orig_stderr = _dup(_fileno(stderr));
if (orig_stderr == -1)
{
- msg(M_WARN | M_ERRNO, "Warning: cannot duplicate stderr, password prompts will appear in log file instead of console.");
+ msg(M_WARN | M_ERRNO,
+ "Warning: cannot duplicate stderr, password prompts will appear in log file instead of console.");
orig_stderr = _fileno(stderr);
}
@@ -584,13 +562,12 @@
#elif defined(HAVE_DUP2)
if (!std_redir)
{
- int out = open(file,
- O_CREAT | O_WRONLY | (append ? O_APPEND : O_TRUNC),
- S_IRUSR | S_IWUSR);
+ int out = open(file, O_CREAT | O_WRONLY | (append ? O_APPEND : O_TRUNC), S_IRUSR | S_IWUSR);
if (out < 0)
{
- msg(M_WARN|M_ERRNO, "Warning: Error redirecting stdout/stderr to --log file: %s", file);
+ msg(M_WARN | M_ERRNO, "Warning: Error redirecting stdout/stderr to --log file: %s",
+ file);
return;
}
@@ -612,7 +589,8 @@
}
#else /* if defined(_WIN32) */
- msg(M_WARN, "WARNING: The --log option is not supported on this OS because it lacks the dup2 function");
+ msg(M_WARN,
+ "WARNING: The --log option is not supported on this OS because it lacks the dup2 function");
#endif /* if defined(_WIN32) */
}
@@ -648,10 +626,7 @@
* from the OS.
*/
void
-x_check_status(int status,
- const char *description,
- struct link_socket *sock,
- struct tuntap *tt)
+x_check_status(int status, const char *description, struct link_socket *sock, struct tuntap *tt)
{
const char *extended_msg = NULL;
@@ -659,9 +634,7 @@
int my_errno = openvpn_errno_maybe_crt(&crt_error);
msg(x_cs_verbose_level, "%s %s returned %d",
- sock ? proto2ascii(sock->info.proto, sock->info.af, true) : "",
- description,
- status);
+ sock ? proto2ascii(sock->info.proto, sock->info.af, true) : "", description, status);
if (status < 0)
{
@@ -693,16 +666,14 @@
if (extended_msg)
{
msg(x_cs_info_level, "%s %s [%s]: %s (fd=" SOCKET_PRINTF ",code=%d)", description,
- sock ? proto2ascii(sock->info.proto, sock->info.af, true) : "",
- extended_msg, openvpn_strerror(my_errno, crt_error, &gc),
- sock ? sock->sd : -1, my_errno);
+ sock ? proto2ascii(sock->info.proto, sock->info.af, true) : "", extended_msg,
+ openvpn_strerror(my_errno, crt_error, &gc), sock ? sock->sd : -1, my_errno);
}
else
{
msg(x_cs_info_level, "%s %s: %s (fd=" SOCKET_PRINTF ",code=%d)", description,
sock ? proto2ascii(sock->info.proto, sock->info.af, true) : "",
- openvpn_strerror(my_errno, crt_error, &gc),
- sock ? sock->sd : -1, my_errno);
+ openvpn_strerror(my_errno, crt_error, &gc), sock ? sock->sd : -1, my_errno);
}
if (x_cs_err_delay_ms)
@@ -970,16 +941,10 @@
wchar_t wmessage[256];
char *message = NULL;
struct buffer out = alloc_buf_gc(256, gc);
- const DWORD status = FormatMessageW(
- FORMAT_MESSAGE_IGNORE_INSERTS
- | FORMAT_MESSAGE_FROM_SYSTEM
- | FORMAT_MESSAGE_ARGUMENT_ARRAY,
- NULL,
- errnum,
- 0,
- wmessage,
- SIZE(wmessage),
- NULL);
+ const DWORD status =
+ FormatMessageW(FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_FROM_SYSTEM
+ | FORMAT_MESSAGE_ARGUMENT_ARRAY,
+ NULL, errnum, 0, wmessage, SIZE(wmessage), NULL);
if (status)
{
message = utf16to8(wmessage, gc);
@@ -49,10 +49,10 @@
* Exit status codes
*/
-#define OPENVPN_EXIT_STATUS_GOOD 0
-#define OPENVPN_EXIT_STATUS_ERROR 1
-#define OPENVPN_EXIT_STATUS_USAGE 1
-#define OPENVPN_EXIT_STATUS_CANNOT_OPEN_DEBUG_FILE 1
+#define OPENVPN_EXIT_STATUS_GOOD 0
+#define OPENVPN_EXIT_STATUS_ERROR 1
+#define OPENVPN_EXIT_STATUS_USAGE 1
+#define OPENVPN_EXIT_STATUS_CANNOT_OPEN_DEBUG_FILE 1
/*
* Special command line debugging mode.
@@ -83,27 +83,27 @@
/* msg() flags */
-#define M_DEBUG_LEVEL (0x0F) /* debug level mask */
+#define M_DEBUG_LEVEL (0x0F) /* debug level mask */
-#define M_FATAL (1<<4) /* exit program */
-#define M_NONFATAL (1<<5) /* non-fatal error */
-#define M_WARN (1<<6) /* call syslog with LOG_WARNING */
-#define M_DEBUG (1<<7)
+#define M_FATAL (1 << 4) /* exit program */
+#define M_NONFATAL (1 << 5) /* non-fatal error */
+#define M_WARN (1 << 6) /* call syslog with LOG_WARNING */
+#define M_DEBUG (1 << 7)
-#define M_ERRNO (1<<8) /* show errno description */
+#define M_ERRNO (1 << 8) /* show errno description */
-#define M_NOMUTE (1<<11) /* don't do mute processing */
-#define M_NOPREFIX (1<<12) /* don't show date/time prefix */
-#define M_USAGE_SMALL (1<<13) /* fatal options error, call usage_small */
-#define M_MSG_VIRT_OUT (1<<14) /* output message through msg_status_output callback */
-#define M_OPTERR (1<<15) /* print "Options error:" prefix */
-#define M_NOLF (1<<16) /* don't print new line */
-#define M_NOIPREFIX (1<<17) /* don't print instance prefix */
+#define M_NOMUTE (1 << 11) /* don't do mute processing */
+#define M_NOPREFIX (1 << 12) /* don't show date/time prefix */
+#define M_USAGE_SMALL (1 << 13) /* fatal options error, call usage_small */
+#define M_MSG_VIRT_OUT (1 << 14) /* output message through msg_status_output callback */
+#define M_OPTERR (1 << 15) /* print "Options error:" prefix */
+#define M_NOLF (1 << 16) /* don't print new line */
+#define M_NOIPREFIX (1 << 17) /* don't print instance prefix */
/* flag combinations which are frequently used */
-#define M_ERR (M_FATAL | M_ERRNO)
-#define M_USAGE (M_USAGE_SMALL | M_NOPREFIX | M_OPTERR)
-#define M_CLIENT (M_MSG_VIRT_OUT | M_NOMUTE | M_NOIPREFIX)
+#define M_ERR (M_FATAL | M_ERRNO)
+#define M_USAGE (M_USAGE_SMALL | M_NOPREFIX | M_OPTERR)
+#define M_CLIENT (M_MSG_VIRT_OUT | M_NOMUTE | M_NOIPREFIX)
/*
* Mute levels are designed to avoid large numbers of
@@ -112,10 +112,10 @@
* A mute level of 0 is always printed.
*/
#define MUTE_LEVEL_SHIFT 24
-#define MUTE_LEVEL_MASK 0xFF
+#define MUTE_LEVEL_MASK 0xFF
#define ENCODE_MUTE_LEVEL(mute_level) (((mute_level) & MUTE_LEVEL_MASK) << MUTE_LEVEL_SHIFT)
-#define DECODE_MUTE_LEVEL(flags) (((flags) >> MUTE_LEVEL_SHIFT) & MUTE_LEVEL_MASK)
+#define DECODE_MUTE_LEVEL(flags) (((flags) >> MUTE_LEVEL_SHIFT) & MUTE_LEVEL_MASK)
/*
* log_level: verbosity level n (--verb n) must be >= log_level to print.
@@ -138,11 +138,34 @@
bool dont_mute(unsigned int flags);
/* Macro to ensure (and teach static analysis tools) we exit on fatal errors */
-#define EXIT_FATAL(flags) do { if ((flags) & M_FATAL) {_exit(1);}} while (false)
+#define EXIT_FATAL(flags) \
+ do \
+ { \
+ if ((flags) & M_FATAL) \
+ { \
+ _exit(1); \
+ } \
+ } while (false)
-#define msg(flags, ...) do { if (msg_test(flags)) {x_msg((flags), __VA_ARGS__);} EXIT_FATAL(flags); } while (false)
+#define msg(flags, ...) \
+ do \
+ { \
+ if (msg_test(flags)) \
+ { \
+ x_msg((flags), __VA_ARGS__); \
+ } \
+ EXIT_FATAL(flags); \
+ } while (false)
#ifdef ENABLE_DEBUG
-#define dmsg(flags, ...) do { if (msg_test(flags)) {x_msg((flags), __VA_ARGS__);} EXIT_FATAL(flags); } while (false)
+#define dmsg(flags, ...) \
+ do \
+ { \
+ if (msg_test(flags)) \
+ { \
+ x_msg((flags), __VA_ARGS__); \
+ } \
+ EXIT_FATAL(flags); \
+ } while (false)
#else
#define dmsg(flags, ...)
#endif
@@ -150,12 +173,12 @@
void x_msg(const unsigned int flags, const char *format, ...)
#ifdef __GNUC__
#if __USE_MINGW_ANSI_STDIO
-__attribute__ ((format(gnu_printf, 2, 3)))
+ __attribute__((format(gnu_printf, 2, 3)))
#else
-__attribute__ ((format(__printf__, 2, 3)))
+ __attribute__((format(__printf__, 2, 3)))
#endif
#endif
-; /* should be called via msg above */
+ ; /* should be called via msg above */
void x_msg_va(const unsigned int flags, const char *format, va_list arglist);
@@ -173,7 +196,7 @@
void set_machine_readable_output(bool parsable);
-#define SDL_CONSTRAIN (1<<0)
+#define SDL_CONSTRAIN (1 << 0)
bool set_debug_level(const int level, const unsigned int flags);
bool set_mute_cutoff(const int cutoff);
@@ -191,26 +214,41 @@
/* Fatal logic errors */
#ifndef ENABLE_SMALL
-#define ASSERT(x) do { if (!(x)) {assert_failed(__FILE__, __LINE__, #x);}} while (false)
+#define ASSERT(x) \
+ do \
+ { \
+ if (!(x)) \
+ { \
+ assert_failed(__FILE__, __LINE__, #x); \
+ } \
+ } while (false)
#else
-#define ASSERT(x) do { if (!(x)) {assert_failed(__FILE__, __LINE__, NULL);}} while (false)
+#define ASSERT(x) \
+ do \
+ { \
+ if (!(x)) \
+ { \
+ assert_failed(__FILE__, __LINE__, NULL); \
+ } \
+ } while (false)
#endif
#ifdef _MSC_VER
__declspec(noreturn)
#endif
-void assert_failed(const char *filename, int line, const char *condition)
+void
+assert_failed(const char *filename, int line, const char *condition)
#ifndef _MSC_VER
-__attribute__((__noreturn__))
+ __attribute__((__noreturn__))
#endif
-;
+ ;
/* Poor-man's static_assert() for when not supplied by assert.h, taken from
* Linux's sys/cdefs.h under GPLv2 */
#ifndef static_assert
-#define static_assert(expr, diagnostic) \
- extern int (*__OpenVPN_static_assert_function(void)) \
- [!!sizeof(struct { int __error_if_negative : (expr) ? 2 : -1; })]
+#define static_assert(expr, diagnostic) \
+ extern int (*__OpenVPN_static_assert_function( \
+ void))[!!sizeof(struct { int __error_if_negative : (expr) ? 2 : -1; })]
#endif
/* Inline functions */
@@ -267,9 +305,7 @@
void set_check_status(unsigned int info_level, unsigned int verbose_level);
-void x_check_status(int status,
- const char *description,
- struct link_socket *sock,
+void x_check_status(int status, const char *description, struct link_socket *sock,
struct tuntap *tt);
static inline void
@@ -383,7 +419,7 @@
*crt_error = true;
err = errno;
}
-#else /* ifdef _WIN32 */
+#else /* ifdef _WIN32 */
*crt_error = true;
err = errno;
#endif
@@ -176,8 +176,8 @@
ASSERT(index >= 0 && index < wes->n_events);
for (i = index; i < wes->n_events - 1; ++i)
{
- wes->events[i] = wes->events[i+1];
- wes->esr[i] = wes->esr[i+1];
+ wes->events[i] = wes->events[i + 1];
+ wes->esr[i] = wes->esr[i + 1];
}
--wes->n_events;
}
@@ -206,7 +206,7 @@
static void
we_free(struct event_set *es)
{
- struct we_set *wes = (struct we_set *) es;
+ struct we_set *wes = (struct we_set *)es;
free(wes->events);
free(wes->esr);
free(wes);
@@ -215,7 +215,7 @@
static void
we_reset(struct event_set *es)
{
- struct we_set *wes = (struct we_set *) es;
+ struct we_set *wes = (struct we_set *)es;
ASSERT(wes->fast);
wes->n_events = 0;
}
@@ -223,7 +223,7 @@
static void
we_del(struct event_set *es, event_t event)
{
- struct we_set *wes = (struct we_set *) es;
+ struct we_set *wes = (struct we_set *)es;
ASSERT(!wes->fast);
we_del_event(wes, event);
}
@@ -231,13 +231,10 @@
static void
we_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
{
- struct we_set *wes = (struct we_set *) es;
+ struct we_set *wes = (struct we_set *)es;
- dmsg(D_EVENT_WAIT, "WE_CTL n=%d ev=%p rwflags=0x%04x arg=" ptr_format,
- wes->n_events,
- event,
- rwflags,
- (ptr_type)arg);
+ dmsg(D_EVENT_WAIT, "WE_CTL n=%d ev=%p rwflags=0x%04x arg=" ptr_format, wes->n_events, event,
+ rwflags, (ptr_type)arg);
if (wes->fast)
{
@@ -330,11 +327,11 @@
}
break;
- case EVENT_READ|EVENT_WRITE:
+ case EVENT_READ | EVENT_WRITE:
switch (n)
{
case 0:
- if (!we_append_event(wes, event, EVENT_READ|EVENT_WRITE, arg))
+ if (!we_append_event(wes, event, EVENT_READ | EVENT_WRITE, arg))
{
goto err;
}
@@ -377,13 +374,15 @@
return;
err:
- msg(D_EVENT_ERRORS, "Error: Windows resource limit WSA_MAXIMUM_WAIT_EVENTS (%d) has been exceeded", WSA_MAXIMUM_WAIT_EVENTS);
+ msg(D_EVENT_ERRORS,
+ "Error: Windows resource limit WSA_MAXIMUM_WAIT_EVENTS (%d) has been exceeded",
+ WSA_MAXIMUM_WAIT_EVENTS);
}
static int
we_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen)
{
- struct we_set *wes = (struct we_set *) es;
+ struct we_set *wes = (struct we_set *)es;
const int timeout = tv_to_ms_timeout(tv);
DWORD status;
@@ -395,11 +394,8 @@
int i;
for (i = 0; i < wes->n_events; ++i)
{
- dmsg(D_EVENT_WAIT, "[%d] ev=%p rwflags=0x%04x arg=" ptr_format,
- i,
- wes->events[i],
- wes->esr[i].rwflags,
- (ptr_type)wes->esr[i].arg);
+ dmsg(D_EVENT_WAIT, "[%d] ev=%p rwflags=0x%04x arg=" ptr_format, i, wes->events[i],
+ wes->esr[i].rwflags, (ptr_type)wes->esr[i].arg);
}
}
#endif
@@ -407,18 +403,13 @@
/*
* First poll our event list with 0 timeout
*/
- status = WSAWaitForMultipleEvents(
- (DWORD) wes->n_events,
- wes->events,
- FALSE,
- (DWORD) 0,
- FALSE);
+ status = WSAWaitForMultipleEvents((DWORD)wes->n_events, wes->events, FALSE, (DWORD)0, FALSE);
/*
* If at least one event is already set, we must
* individually poll the whole list.
*/
- if (status >= WSA_WAIT_EVENT_0 && status < WSA_WAIT_EVENT_0 + (DWORD) wes->n_events)
+ if (status >= WSA_WAIT_EVENT_0 && status < WSA_WAIT_EVENT_0 + (DWORD)wes->n_events)
{
int i;
int j = 0;
@@ -431,8 +422,8 @@
if (WaitForSingleObject(wes->events[i], 0) == WAIT_OBJECT_0)
{
*out = wes->esr[i];
- dmsg(D_EVENT_WAIT, "WE_WAIT leave [%d,%d] rwflags=0x%04x arg=" ptr_format,
- i, j, out->rwflags, (ptr_type)out->arg);
+ dmsg(D_EVENT_WAIT, "WE_WAIT leave [%d,%d] rwflags=0x%04x arg=" ptr_format, i, j,
+ out->rwflags, (ptr_type)out->arg);
++j;
++out;
}
@@ -452,19 +443,16 @@
*/
if (timeout > 0)
{
- status = WSAWaitForMultipleEvents(
- (DWORD) wes->n_events,
- wes->events,
- FALSE,
- (DWORD) timeout,
- FALSE);
+ status = WSAWaitForMultipleEvents((DWORD)wes->n_events, wes->events, FALSE,
+ (DWORD)timeout, FALSE);
}
- if (outlen >= 1 && status >= WSA_WAIT_EVENT_0 && status < WSA_WAIT_EVENT_0 + (DWORD) wes->n_events)
+ if (outlen >= 1 && status >= WSA_WAIT_EVENT_0
+ && status < WSA_WAIT_EVENT_0 + (DWORD)wes->n_events)
{
*out = wes->esr[status - WSA_WAIT_EVENT_0];
- dmsg(D_EVENT_WAIT, "WE_WAIT leave rwflags=0x%04x arg=" ptr_format,
- out->rwflags, (ptr_type)out->arg);
+ dmsg(D_EVENT_WAIT, "WE_WAIT leave rwflags=0x%04x arg=" ptr_format, out->rwflags,
+ (ptr_type)out->arg);
return 1;
}
else if (status == WSA_WAIT_TIMEOUT)
@@ -511,10 +499,9 @@
/* Allocate space for event_set_return objects */
ALLOC_ARRAY_CLEAR(wes->esr, struct event_set_return, wes->capacity);
- dmsg(D_EVENT_WAIT, "WE_INIT maxevents=%d capacity=%d",
- *maxevents, wes->capacity);
+ dmsg(D_EVENT_WAIT, "WE_INIT maxevents=%d capacity=%d", *maxevents, wes->capacity);
- return (struct event_set *) wes;
+ return (struct event_set *)wes;
}
#endif /* _WIN32 */
@@ -533,7 +520,7 @@
static void
ep_free(struct event_set *es)
{
- struct ep_set *eps = (struct ep_set *) es;
+ struct ep_set *eps = (struct ep_set *)es;
close(eps->epfd);
free(eps->events);
free(eps);
@@ -542,7 +529,7 @@
static void
ep_reset(struct event_set *es)
{
- const struct ep_set *eps = (struct ep_set *) es;
+ const struct ep_set *eps = (struct ep_set *)es;
ASSERT(eps->fast);
}
@@ -550,7 +537,7 @@
ep_del(struct event_set *es, event_t event)
{
struct epoll_event ev;
- struct ep_set *eps = (struct ep_set *) es;
+ struct ep_set *eps = (struct ep_set *)es;
dmsg(D_EVENT_WAIT, "EP_DEL ev=%d", (int)event);
@@ -558,14 +545,14 @@
CLEAR(ev);
if (epoll_ctl(eps->epfd, EPOLL_CTL_DEL, event, &ev) < 0)
{
- msg(M_WARN|M_ERRNO, "EVENT: epoll_ctl EPOLL_CTL_DEL failed, sd=%d", (int)event);
+ msg(M_WARN | M_ERRNO, "EVENT: epoll_ctl EPOLL_CTL_DEL failed, sd=%d", (int)event);
}
}
static void
ep_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
{
- struct ep_set *eps = (struct ep_set *) es;
+ struct ep_set *eps = (struct ep_set *)es;
struct epoll_event ev;
CLEAR(ev);
@@ -580,11 +567,8 @@
ev.events |= EPOLLOUT;
}
- dmsg(D_EVENT_WAIT, "EP_CTL fd=%d rwflags=0x%04x ev=0x%08x arg=" ptr_format,
- (int)event,
- rwflags,
- (unsigned int)ev.events,
- (ptr_type)ev.data.ptr);
+ dmsg(D_EVENT_WAIT, "EP_CTL fd=%d rwflags=0x%04x ev=0x%08x arg=" ptr_format, (int)event, rwflags,
+ (unsigned int)ev.events, (ptr_type)ev.data.ptr);
if (epoll_ctl(eps->epfd, EPOLL_CTL_MOD, event, &ev) < 0)
{
@@ -605,7 +589,7 @@
static int
ep_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen)
{
- struct ep_set *eps = (struct ep_set *) es;
+ struct ep_set *eps = (struct ep_set *)es;
int stat;
if (outlen > eps->maxevents)
@@ -624,7 +608,7 @@
for (i = 0; i < stat; ++i)
{
esr->rwflags = 0;
- if (ev->events & (EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP))
+ if (ev->events & (EPOLLIN | EPOLLPRI | EPOLLERR | EPOLLHUP))
{
esr->rwflags |= EVENT_READ;
}
@@ -633,8 +617,8 @@
esr->rwflags |= EVENT_WRITE;
}
esr->arg = ev->data.ptr;
- dmsg(D_EVENT_WAIT, "EP_WAIT[%d] rwflags=0x%04x ev=0x%08x arg=" ptr_format,
- i, esr->rwflags, ev->events, (ptr_type)ev->data.ptr);
+ dmsg(D_EVENT_WAIT, "EP_WAIT[%d] rwflags=0x%04x ev=0x%08x arg=" ptr_format, i,
+ esr->rwflags, ev->events, (ptr_type)ev->data.ptr);
++ev;
++esr;
}
@@ -682,7 +666,7 @@
/* set epoll control fd */
eps->epfd = fd;
- return (struct event_set *) eps;
+ return (struct event_set *)eps;
}
#endif /* EPOLL */
@@ -701,7 +685,7 @@
static void
po_free(struct event_set *es)
{
- struct po_set *pos = (struct po_set *) es;
+ struct po_set *pos = (struct po_set *)es;
free(pos->events);
free(pos->args);
free(pos);
@@ -710,7 +694,7 @@
static void
po_reset(struct event_set *es)
{
- struct po_set *pos = (struct po_set *) es;
+ struct po_set *pos = (struct po_set *)es;
ASSERT(pos->fast);
pos->n_events = 0;
}
@@ -718,7 +702,7 @@
static void
po_del(struct event_set *es, event_t event)
{
- struct po_set *pos = (struct po_set *) es;
+ struct po_set *pos = (struct po_set *)es;
int i;
dmsg(D_EVENT_WAIT, "PO_DEL ev=%d", (int)event);
@@ -731,8 +715,8 @@
int j;
for (j = i; j < pos->n_events - 1; ++j)
{
- pos->events[j] = pos->events[j+1];
- pos->args[j] = pos->args[j+1];
+ pos->events[j] = pos->events[j + 1];
+ pos->args[j] = pos->args[j + 1];
}
--pos->n_events;
break;
@@ -750,7 +734,7 @@
}
if (rwflags & EVENT_READ)
{
- pfdp->events |= (POLLIN|POLLPRI);
+ pfdp->events |= (POLLIN | POLLPRI);
}
}
@@ -775,10 +759,10 @@
static void
po_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
{
- struct po_set *pos = (struct po_set *) es;
+ struct po_set *pos = (struct po_set *)es;
- dmsg(D_EVENT_WAIT, "PO_CTL rwflags=0x%04x ev=%d arg=" ptr_format,
- rwflags, (int)event, (ptr_type)arg);
+ dmsg(D_EVENT_WAIT, "PO_CTL rwflags=0x%04x ev=%d arg=" ptr_format, rwflags, (int)event,
+ (ptr_type)arg);
if (pos->fast)
{
@@ -816,7 +800,7 @@
static int
po_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen)
{
- struct po_set *pos = (struct po_set *) es;
+ struct po_set *pos = (struct po_set *)es;
int stat;
stat = poll(pos->events, pos->n_events, tv_to_ms_timeout(tv));
@@ -829,10 +813,10 @@
const struct pollfd *pfdp = pos->events;
for (i = 0; i < pos->n_events && j < outlen; ++i)
{
- if (pfdp->revents & (POLLIN|POLLPRI|POLLERR|POLLHUP|POLLOUT))
+ if (pfdp->revents & (POLLIN | POLLPRI | POLLERR | POLLHUP | POLLOUT))
{
out->rwflags = 0;
- if (pfdp->revents & (POLLIN|POLLPRI|POLLERR|POLLHUP))
+ if (pfdp->revents & (POLLIN | POLLPRI | POLLERR | POLLHUP))
{
out->rwflags |= EVENT_READ;
}
@@ -841,8 +825,10 @@
out->rwflags |= EVENT_WRITE;
}
out->arg = pos->args[i];
- dmsg(D_EVENT_WAIT, "PO_WAIT[%d,%d] fd=%d rev=0x%08x rwflags=0x%04x arg=" ptr_format " %s",
- i, j, pfdp->fd, pfdp->revents, out->rwflags, (ptr_type)out->arg, pos->fast ? "" : "[scalable]");
+ dmsg(D_EVENT_WAIT,
+ "PO_WAIT[%d,%d] fd=%d rev=0x%08x rwflags=0x%04x arg=" ptr_format " %s", i, j,
+ pfdp->fd, pfdp->revents, out->rwflags, (ptr_type)out->arg,
+ pos->fast ? "" : "[scalable]");
++out;
++j;
}
@@ -891,7 +877,7 @@
/* Allocate space for event_set_return objects */
ALLOC_ARRAY_CLEAR(pos->args, void *, pos->capacity);
- return (struct event_set *) pos;
+ return (struct event_set *)pos;
}
#endif /* POLL */
@@ -903,15 +889,15 @@
bool fast;
fd_set readfds;
fd_set writefds;
- void **args; /* allocated to capacity size */
- int maxfd; /* largest fd seen so far, always < capacity */
+ void **args; /* allocated to capacity size */
+ int maxfd; /* largest fd seen so far, always < capacity */
int capacity; /* fixed largest fd + 1 */
};
static void
se_free(struct event_set *es)
{
- struct se_set *ses = (struct se_set *) es;
+ struct se_set *ses = (struct se_set *)es;
free(ses->args);
free(ses);
}
@@ -919,7 +905,7 @@
static void
se_reset(struct event_set *es)
{
- struct se_set *ses = (struct se_set *) es;
+ struct se_set *ses = (struct se_set *)es;
int i;
ASSERT(ses->fast);
@@ -937,7 +923,7 @@
static void
se_del(struct event_set *es, event_t event)
{
- struct se_set *ses = (struct se_set *) es;
+ struct se_set *ses = (struct se_set *)es;
ASSERT(!ses->fast);
dmsg(D_EVENT_WAIT, "SE_DEL ev=%d", (int)event);
@@ -958,7 +944,7 @@
static void
se_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
{
- struct se_set *ses = (struct se_set *) es;
+ struct se_set *ses = (struct se_set *)es;
dmsg(D_EVENT_WAIT, "SE_CTL rwflags=0x%04x ev=%d fast=%d cap=%d maxfd=%d arg=" ptr_format,
rwflags, (int)event, (int)ses->fast, ses->capacity, ses->maxfd, (ptr_type)arg);
@@ -1000,17 +986,13 @@
}
else
{
- msg(D_EVENT_ERRORS, "Error: select: too many I/O wait events, fd=%d cap=%d",
- (int) event,
+ msg(D_EVENT_ERRORS, "Error: select: too many I/O wait events, fd=%d cap=%d", (int)event,
ses->capacity);
}
}
static int
-se_wait_return(struct se_set *ses,
- fd_set *read,
- fd_set *write,
- struct event_set_return *out,
+se_wait_return(struct se_set *ses, fd_set *read, fd_set *write, struct event_set_return *out,
int outlen)
{
int i, j = 0;
@@ -1030,8 +1012,8 @@
out->rwflags |= EVENT_WRITE;
}
out->arg = ses->args[i];
- dmsg(D_EVENT_WAIT, "SE_WAIT[%d,%d] rwflags=0x%04x arg=" ptr_format,
- i, j, out->rwflags, (ptr_type)out->arg);
+ dmsg(D_EVENT_WAIT, "SE_WAIT[%d,%d] rwflags=0x%04x arg=" ptr_format, i, j, out->rwflags,
+ (ptr_type)out->arg);
++out;
++j;
}
@@ -1040,16 +1022,15 @@
}
static int
-se_wait_fast(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen)
+se_wait_fast(struct event_set *es, const struct timeval *tv, struct event_set_return *out,
+ int outlen)
{
- struct se_set *ses = (struct se_set *) es;
+ struct se_set *ses = (struct se_set *)es;
struct timeval tv_tmp = *tv;
int stat;
- dmsg(D_EVENT_WAIT, "SE_WAIT_FAST maxfd=%d tv=%" PRIi64 "/%ld",
- ses->maxfd,
- (int64_t)tv_tmp.tv_sec,
- (long)tv_tmp.tv_usec);
+ dmsg(D_EVENT_WAIT, "SE_WAIT_FAST maxfd=%d tv=%" PRIi64 "/%ld", ses->maxfd,
+ (int64_t)tv_tmp.tv_sec, (long)tv_tmp.tv_usec);
stat = select(ses->maxfd + 1, &ses->readfds, &ses->writefds, NULL, &tv_tmp);
@@ -1062,16 +1043,17 @@
}
static int
-se_wait_scalable(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen)
+se_wait_scalable(struct event_set *es, const struct timeval *tv, struct event_set_return *out,
+ int outlen)
{
- struct se_set *ses = (struct se_set *) es;
+ struct se_set *ses = (struct se_set *)es;
struct timeval tv_tmp = *tv;
fd_set read = ses->readfds;
fd_set write = ses->writefds;
int stat;
- dmsg(D_EVENT_WAIT, "SE_WAIT_SCALEABLE maxfd=%d tv=%" PRIi64 "/%ld",
- ses->maxfd, (int64_t)tv_tmp.tv_sec, (long)tv_tmp.tv_usec);
+ dmsg(D_EVENT_WAIT, "SE_WAIT_SCALEABLE maxfd=%d tv=%" PRIi64 "/%ld", ses->maxfd,
+ (int64_t)tv_tmp.tv_sec, (long)tv_tmp.tv_usec);
stat = select(ses->maxfd + 1, &read, &write, NULL, &tv_tmp);
@@ -1116,7 +1098,7 @@
/* Allocate space for event_set_return void * args */
ALLOC_ARRAY_CLEAR(ses->args, void *, ses->capacity);
- return (struct event_set *) ses;
+ return (struct event_set *)ses;
}
#endif /* SELECT */
@@ -1142,7 +1124,7 @@
{
ret = po_init(maxevents, flags);
}
-#else /* ifdef SELECT_PREFERRED_OVER_POLL */
+#else /* ifdef SELECT_PREFERRED_OVER_POLL */
if (!ret)
{
ret = po_init(maxevents, flags);
@@ -1174,7 +1156,7 @@
msg(M_WARN, "Note: sys_epoll API is unavailable, falling back to poll/select API");
ret = event_set_init_simple(maxevents, flags);
}
-#else /* if EPOLL */
+#else /* if EPOLL */
ret = event_set_init_simple(maxevents, flags);
#endif
ASSERT(ret);
@@ -31,12 +31,12 @@
* rwflags passed to event_ctl and returned by
* struct event_set_return.
*/
-#define READ_SHIFT 0
-#define WRITE_SHIFT 1
+#define READ_SHIFT 0
+#define WRITE_SHIFT 1
-#define EVENT_UNDEF 4
-#define EVENT_READ (1 << READ_SHIFT)
-#define EVENT_WRITE (1 << WRITE_SHIFT)
+#define EVENT_UNDEF 4
+#define EVENT_READ (1 << READ_SHIFT)
+#define EVENT_WRITE (1 << WRITE_SHIFT)
/* event flags returned by io_wait.
*
@@ -57,35 +57,35 @@
* signals.
*/
-#define SOCKET_SHIFT 0
-#define SOCKET_READ (1 << (SOCKET_SHIFT + READ_SHIFT))
-#define SOCKET_WRITE (1 << (SOCKET_SHIFT + WRITE_SHIFT))
-#define TUN_SHIFT 2
-#define TUN_READ (1 << (TUN_SHIFT + READ_SHIFT))
-#define TUN_WRITE (1 << (TUN_SHIFT + WRITE_SHIFT))
-#define ERR_SHIFT 4
-#define ES_ERROR (1 << (ERR_SHIFT + READ_SHIFT))
-#define ES_TIMEOUT (1 << (ERR_SHIFT + WRITE_SHIFT))
-#define MANAGEMENT_SHIFT 6
-#define MANAGEMENT_READ (1 << (MANAGEMENT_SHIFT + READ_SHIFT))
-#define MANAGEMENT_WRITE (1 << (MANAGEMENT_SHIFT + WRITE_SHIFT))
-#define FILE_SHIFT 8
-#define FILE_CLOSED (1 << (FILE_SHIFT + READ_SHIFT))
-#define DCO_SHIFT 10
-#define DCO_READ (1 << (DCO_SHIFT + READ_SHIFT))
-#define DCO_WRITE (1 << (DCO_SHIFT + WRITE_SHIFT))
+#define SOCKET_SHIFT 0
+#define SOCKET_READ (1 << (SOCKET_SHIFT + READ_SHIFT))
+#define SOCKET_WRITE (1 << (SOCKET_SHIFT + WRITE_SHIFT))
+#define TUN_SHIFT 2
+#define TUN_READ (1 << (TUN_SHIFT + READ_SHIFT))
+#define TUN_WRITE (1 << (TUN_SHIFT + WRITE_SHIFT))
+#define ERR_SHIFT 4
+#define ES_ERROR (1 << (ERR_SHIFT + READ_SHIFT))
+#define ES_TIMEOUT (1 << (ERR_SHIFT + WRITE_SHIFT))
+#define MANAGEMENT_SHIFT 6
+#define MANAGEMENT_READ (1 << (MANAGEMENT_SHIFT + READ_SHIFT))
+#define MANAGEMENT_WRITE (1 << (MANAGEMENT_SHIFT + WRITE_SHIFT))
+#define FILE_SHIFT 8
+#define FILE_CLOSED (1 << (FILE_SHIFT + READ_SHIFT))
+#define DCO_SHIFT 10
+#define DCO_READ (1 << (DCO_SHIFT + READ_SHIFT))
+#define DCO_WRITE (1 << (DCO_SHIFT + WRITE_SHIFT))
/*
* Initialization flags passed to event_set_init
*/
-#define EVENT_METHOD_US_TIMEOUT (1<<0)
-#define EVENT_METHOD_FAST (1<<1)
+#define EVENT_METHOD_US_TIMEOUT (1 << 0)
+#define EVENT_METHOD_FAST (1 << 1)
/*
* The following constant is used as boundary between integer value
* and real addresses when passing arguments to event handlers as (void *)
*/
-#define MULTI_N ((void *)16) /* upper bound on MTCP_x */
+#define MULTI_N ((void *)16) /* upper bound on MTCP_x */
#ifdef _WIN32
@@ -93,7 +93,7 @@
#define UNDEFINED_EVENT (NULL)
-#else /* ifdef _WIN32 */
+#else /* ifdef _WIN32 */
typedef int event_t;
@@ -117,7 +117,8 @@
* 0 on timeout
* length of event_set_return if at least 1 event is returned
*/
- int (*wait)(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen);
+ int (*wait)(struct event_set *es, const struct timeval *tv, struct event_set_return *out,
+ int outlen);
};
struct event_set_return
@@ -131,7 +132,8 @@
struct event_set_functions func;
};
-typedef enum {
+typedef enum
+{
EVENT_ARG_MULTI_INSTANCE = 0,
EVENT_ARG_LINK_SOCKET,
} event_arg_t;
@@ -140,9 +142,10 @@
struct event_arg
{
event_arg_t type;
- union {
+ union
+ {
struct multi_instance *mi; /* if type = EVENT_ARG_MULTI_INSTANCE */
- struct link_socket *sock; /* if type = EVENT_ARG_LINK_SOCKET */
+ struct link_socket *sock; /* if type = EVENT_ARG_LINK_SOCKET */
} u;
};
@@ -210,7 +213,7 @@
}
}
-#else /* ifdef _WIN32 */
+#else /* ifdef _WIN32 */
static inline void
wait_signal(struct event_set *es, void *arg)
@@ -41,7 +41,7 @@
{
return false;
}
-#else /* ifdef _WIN32 */
+#else /* ifdef _WIN32 */
if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
{
return false;
@@ -45,4 +45,4 @@
}
#undef FD_SET /* prevent direct use of FD_SET() */
-#endif /* FD_MISC_H */
+#endif /* FD_MISC_H */
@@ -58,14 +58,11 @@
{
struct buffer out = alloc_buf_gc(64, gc);
- buf_printf(&out, "I/O WAIT %s|%s| %s",
- tun_stat(c->c1.tuntap, EVENT_READ, gc),
- tun_stat(c->c1.tuntap, EVENT_WRITE, gc),
- tv_string(&c->c2.timeval, gc));
+ buf_printf(&out, "I/O WAIT %s|%s| %s", tun_stat(c->c1.tuntap, EVENT_READ, gc),
+ tun_stat(c->c1.tuntap, EVENT_WRITE, gc), tv_string(&c->c2.timeval, gc));
for (int i = 0; i < c->c1.link_sockets_num; i++)
{
- buf_printf(&out, "\n %s|%s",
- socket_stat(c->c2.link_sockets[i], EVENT_READ, gc),
+ buf_printf(&out, "\n %s|%s", socket_stat(c->c2.link_sockets[i], EVENT_READ, gc),
socket_stat(c->c2.link_sockets[i], EVENT_WRITE, gc));
}
return BSTR(&out);
@@ -127,7 +124,7 @@
static inline void
context_immediate_reschedule(struct context *c)
{
- c->c2.timeval.tv_sec = 0; /* ZERO-TIMEOUT */
+ c->c2.timeval.tv_sec = 0; /* ZERO-TIMEOUT */
c->c2.timeval.tv_usec = 0;
}
@@ -185,9 +182,8 @@
if (interval_test(&c->c2.tmp_int))
{
- const int tmp_status = tls_multi_process
- (c->c2.tls_multi, &c->c2.to_link, &c->c2.to_link_addr,
- get_link_socket_info(c), &wakeup);
+ const int tmp_status = tls_multi_process(
+ c->c2.tls_multi, &c->c2.to_link, &c->c2.to_link_addr, get_link_socket_info(c), &wakeup);
if (tmp_status == TLSMP_RECONNECT)
{
@@ -345,12 +341,7 @@
#ifdef ENABLE_MANAGEMENT
if (management)
{
- management_set_state(management,
- OPENVPN_STATE_GET_CONFIG,
- NULL,
- NULL,
- NULL,
- NULL,
+ management_set_state(management, OPENVPN_STATE_GET_CONFIG, NULL, NULL, NULL, NULL,
NULL);
}
#endif
@@ -377,8 +368,7 @@
}
bool
-send_control_channel_string_dowork(struct tls_session *session,
- const char *str, int msglevel)
+send_control_channel_string_dowork(struct tls_session *session, const char *str, int msglevel)
{
struct gc_arena gc = gc_new();
bool stat;
@@ -387,12 +377,11 @@
struct key_state *ks = &session->key[KS_PRIMARY];
/* buffered cleartext write onto TLS control channel */
- stat = tls_send_payload(ks, (uint8_t *) str, strlen(str) + 1);
+ stat = tls_send_payload(ks, (uint8_t *)str, strlen(str) + 1);
msg(msglevel, "SENT CONTROL [%s]: '%s' (status=%d)",
- session->common_name ? session->common_name : "UNDEF",
- sanitize_control_message(str, &gc),
- (int) stat);
+ session->common_name ? session->common_name : "UNDEF", sanitize_control_message(str, &gc),
+ (int)stat);
gc_free(&gc);
return stat;
@@ -425,8 +414,8 @@
static void
check_add_routes_action(struct context *c, const bool errors)
{
- bool route_status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
- c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
+ bool route_status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list, c->c1.tuntap,
+ c->plugins, c->c2.es, &c->net_ctx);
int flags = (errors ? ISC_ERRORS : 0);
flags |= (!route_status ? ISC_ROUTE_ERRORS : 0);
@@ -458,8 +447,8 @@
register_signal(c->sig, SIGHUP, "ip-fail");
c->persist.restart_sleep_seconds = 10;
#ifdef _WIN32
- show_routes(M_INFO|M_NOPREFIX);
- show_adapters(M_INFO|M_NOPREFIX);
+ show_routes(M_INFO | M_NOPREFIX);
+ show_adapters(M_INFO | M_NOPREFIX);
#endif
}
}
@@ -602,7 +591,8 @@
* Buffer reallocation, for use with null encryption.
*/
static inline void
-buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage)
+buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub,
+ struct buffer *storage)
{
if (orig_buf == src_stub->data && src_stub->data != storage->data)
{
@@ -630,7 +620,7 @@
if (dco_enabled(&c->options))
{
msg(M_WARN, "Attempting to send data packet while data channel offload is in use. "
- "Dropping packet");
+ "Dropping packet");
c->c2.buf.len = 0;
}
@@ -650,7 +640,8 @@
/* Compress the packet. */
if (c->c2.comp_context)
{
- (*c->c2.comp_context->alg.compress)(&c->c2.buf, b->compress_buf, c->c2.comp_context, &c->c2.frame);
+ (*c->c2.comp_context->alg.compress)(&c->c2.buf, b->compress_buf, c->c2.comp_context,
+ &c->c2.frame);
}
#endif
#ifdef ENABLE_FRAGMENT
@@ -697,8 +688,7 @@
/*
* Get the address we will be sending the packet to.
*/
- link_socket_get_outgoing_addr(&c->c2.buf, get_link_socket_info(c),
- &c->c2.to_link_addr);
+ link_socket_get_outgoing_addr(&c->c2.buf, get_link_socket_info(c), &c->c2.to_link_addr);
/* if null encryption, copy result to read_tun_buf */
buffer_turnover(orig_buf, &c->c2.to_link, &c->c2.buf, &b->read_tun_buf);
@@ -711,8 +701,7 @@
check_session_timeout(struct context *c)
{
if (c->options.session_timeout
- && event_timeout_trigger(&c->c2.session_interval, &c->c2.timeval,
- ETT_DEFAULT))
+ && event_timeout_trigger(&c->c2.session_interval, &c->c2.timeval, ETT_DEFAULT))
{
msg(M_INFO, "Session timeout, exiting");
register_signal(c->sig, SIGTERM, "session-timeout");
@@ -726,7 +715,7 @@
process_coarse_timers(struct context *c)
{
/* flush current packet-id to file once per 60
- * seconds if --replay-persist was specified */
+ * seconds if --replay-persist was specified */
if (packet_id_persist_enabled(&c->c1.pid_persist)
&& event_timeout_trigger(&c->c2.packet_id_persist_interval, &c->c2.timeval, ETT_DEFAULT))
{
@@ -849,7 +838,8 @@
process_coarse_timers(c);
c->c2.coarse_timer_wakeup = now + c->c2.timeval.tv_sec;
- dmsg(D_INTERVAL, "TIMER: coarse timer wakeup %" PRIi64 " seconds", (int64_t)c->c2.timeval.tv_sec);
+ dmsg(D_INTERVAL, "TIMER: coarse timer wakeup %" PRIi64 " seconds",
+ (int64_t)c->c2.timeval.tv_sec);
/* Is the coarse timeout NOT the earliest one? */
if (c->c2.timeval.tv_sec > save.tv_sec)
@@ -863,10 +853,10 @@
{
const int update_interval = 10; /* seconds */
c->c2.update_timeout_random_component = now + update_interval;
- c->c2.timeout_random_component.tv_usec = (time_t) get_random() & 0x0003FFFF;
+ c->c2.timeout_random_component.tv_usec = (time_t)get_random() & 0x0003FFFF;
c->c2.timeout_random_component.tv_sec = 0;
- dmsg(D_INTERVAL, "RANDOM USEC=%ld", (long) c->c2.timeout_random_component.tv_usec);
+ dmsg(D_INTERVAL, "RANDOM USEC=%ld", (long)c->c2.timeout_random_component.tv_usec);
}
static inline void
@@ -897,10 +887,8 @@
}
static inline void
-socks_preprocess_outgoing_link(struct context *c,
- struct link_socket *sock,
- struct link_socket_actual **to_addr,
- int *size_delta)
+socks_preprocess_outgoing_link(struct context *c, struct link_socket *sock,
+ struct link_socket_actual **to_addr, int *size_delta)
{
if (sock->socks_proxy && sock->info.proto == PROTO_UDP)
{
@@ -911,9 +899,7 @@
/* undo effect of socks_preprocess_outgoing_link */
static inline void
-link_socket_write_post_size_adjust(int *size,
- int size_delta,
- struct buffer *buf)
+link_socket_write_post_size_adjust(int *size, int size_delta, struct buffer *buf)
{
if (size_delta > 0 && *size > size_delta)
{
@@ -945,9 +931,7 @@
c->c2.buf = c->c2.buffers->read_link_buf;
ASSERT(buf_init(&c->c2.buf, c->c2.frame.buf.headroom));
- status = link_socket_read(sock,
- &c->c2.buf,
- &c->c2.from);
+ status = link_socket_read(sock, &c->c2.buf, &c->c2.from);
if (socket_connection_reset(sock, status))
{
@@ -965,12 +949,14 @@
/* received a disconnect from a connection-oriented protocol */
if (event_timeout_defined(&c->c2.explicit_exit_notification_interval))
{
- msg(D_STREAM_ERRORS, "Connection reset during exit notification period, ignoring [%d]", status);
+ msg(D_STREAM_ERRORS,
+ "Connection reset during exit notification period, ignoring [%d]", status);
management_sleep(1);
}
else
{
- register_signal(c->sig, SIGUSR1, "connection-reset"); /* SOFT-SIGUSR1 -- TCP connection reset */
+ register_signal(c->sig, SIGUSR1,
+ "connection-reset"); /* SOFT-SIGUSR1 -- TCP connection reset */
msg(D_STREAM_ERRORS, "Connection reset, restarting [%d]", status);
}
}
@@ -1016,7 +1002,8 @@
if (management)
{
management_bytes_client(management, c->c2.buf.len, 0);
- management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context);
+ management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes,
+ &c->c2.mda_context);
}
#endif
}
@@ -1044,11 +1031,8 @@
fprintf(stderr, "R");
}
#endif
- msg(D_LINK_RW, "%s READ [%d] from %s: %s",
- proto2ascii(lsi->proto, lsi->af, true),
- BLEN(&c->c2.buf),
- print_link_socket_actual(&c->c2.from, &gc),
- PROTO_DUMP(&c->c2.buf, &gc));
+ msg(D_LINK_RW, "%s READ [%d] from %s: %s", proto2ascii(lsi->proto, lsi->af, true),
+ BLEN(&c->c2.buf), print_link_socket_actual(&c->c2.from, &gc), PROTO_DUMP(&c->c2.buf, &gc));
/*
* Good, non-zero length packet received.
@@ -1080,9 +1064,8 @@
*/
if ((opcode == P_DATA_V1) && dco_enabled(&c->options))
{
- msg(D_LINK_ERRORS,
- "Data Channel Offload doesn't support DATA_V1 packets. "
- "Upgrade your server to 2.4.5 or newer.");
+ msg(D_LINK_ERRORS, "Data Channel Offload doesn't support DATA_V1 packets. "
+ "Upgrade your server to 2.4.5 or newer.");
c->c2.buf.len = 0;
}
@@ -1096,8 +1079,7 @@
* will load crypto_options with the correct encryption key
* and return false.
*/
- if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co,
- floated, &ad_start))
+ if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co, floated, &ad_start))
{
interval_action(&c->c2.tmp_int);
@@ -1124,15 +1106,16 @@
}
/* authenticate and decrypt the incoming packet */
- decrypt_status = openvpn_decrypt(&c->c2.buf, c->c2.buffers->decrypt_buf,
- co, &c->c2.frame, ad_start);
+ decrypt_status =
+ openvpn_decrypt(&c->c2.buf, c->c2.buffers->decrypt_buf, co, &c->c2.frame, ad_start);
if (!decrypt_status
/* on the instance context we have only one socket, so just check the first one */
&& link_socket_connection_oriented(c->c2.link_sockets[0]))
{
/* decryption errors are fatal in TCP mode */
- register_signal(c->sig, SIGUSR1, "decryption-error"); /* SOFT-SIGUSR1 -- decryption error in TCP mode */
+ register_signal(c->sig, SIGUSR1,
+ "decryption-error"); /* SOFT-SIGUSR1 -- decryption error in TCP mode */
msg(D_STREAM_ERRORS, "Fatal decryption error (process_incoming_link), restarting");
}
}
@@ -1146,7 +1129,8 @@
}
void
-process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
+process_incoming_link_part2(struct context *c, struct link_socket_info *lsi,
+ const uint8_t *orig_buf)
{
if (c->c2.buf.len > 0)
{
@@ -1161,17 +1145,15 @@
/* decompress the incoming packet */
if (c->c2.comp_context)
{
- (*c->c2.comp_context->alg.decompress)(&c->c2.buf, c->c2.buffers->decompress_buf, c->c2.comp_context, &c->c2.frame);
+ (*c->c2.comp_context->alg.decompress)(&c->c2.buf, c->c2.buffers->decompress_buf,
+ c->c2.comp_context, &c->c2.frame);
}
#endif
#ifdef PACKET_TRUNCATION_CHECK
/* if (c->c2.buf.len > 1) --c->c2.buf.len; */
- ipv4_packet_size_verify(BPTR(&c->c2.buf),
- BLEN(&c->c2.buf),
- TUNNEL_TYPE(c->c1.tuntap),
- "POST_DECRYPT",
- &c->c2.n_trunc_post_decrypt);
+ ipv4_packet_size_verify(BPTR(&c->c2.buf), BLEN(&c->c2.buf), TUNNEL_TYPE(c->c1.tuntap),
+ "POST_DECRYPT", &c->c2.n_trunc_post_decrypt);
#endif
/*
@@ -1198,7 +1180,8 @@
if (c->c2.buf.len > 0)
{
c->c2.link_read_bytes_auth += c->c2.buf.len;
- c->c2.max_recv_size_local = max_int(c->c2.original_recv_size, c->c2.max_recv_size_local);
+ c->c2.max_recv_size_local =
+ max_int(c->c2.original_recv_size, c->c2.max_recv_size_local);
}
/* Did we just receive an openvpn ping packet? */
@@ -1243,8 +1226,7 @@
}
void
-extract_dco_float_peer_addr(const sa_family_t socket_family,
- struct openvpn_sockaddr *out_osaddr,
+extract_dco_float_peer_addr(const sa_family_t socket_family, struct openvpn_sockaddr *out_osaddr,
const struct sockaddr *float_sa)
{
if (float_sa->sa_family == AF_INET)
@@ -1262,8 +1244,8 @@
memset(&out_osaddr->addr.in6.sin6_addr.s6_addr, 0, 10);
out_osaddr->addr.in6.sin6_addr.s6_addr[10] = 0xff;
out_osaddr->addr.in6.sin6_addr.s6_addr[11] = 0xff;
- memcpy(&out_osaddr->addr.in6.sin6_addr.s6_addr[12],
- &float4->sin_addr.s_addr, sizeof(in_addr_t));
+ memcpy(&out_osaddr->addr.in6.sin6_addr.s6_addr[12], &float4->sin_addr.s_addr,
+ sizeof(in_addr_t));
}
else
{
@@ -1296,9 +1278,10 @@
* ourselves in the foot and removing the just established session */
if (dco->dco_message_peer_id != c->c2.tls_multi->dco_peer_id)
{
- msg(D_DCO_DEBUG, "%s: received message for mismatching peer-id %d, "
- "expected %d", __func__, dco->dco_message_peer_id,
- c->c2.tls_multi->dco_peer_id);
+ msg(D_DCO_DEBUG,
+ "%s: received message for mismatching peer-id %d, "
+ "expected %d",
+ __func__, dco->dco_message_peer_id, c->c2.tls_multi->dco_peer_id);
return;
}
@@ -1309,16 +1292,18 @@
c->c2.tls_multi->dco_peer_id = -1;
if (dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_EXPIRED)
{
- msg(D_DCO_DEBUG, "%s: received peer expired notification of for peer-id "
- "%d", __func__, dco->dco_message_peer_id);
+ msg(D_DCO_DEBUG,
+ "%s: received peer expired notification of for peer-id "
+ "%d",
+ __func__, dco->dco_message_peer_id);
trigger_ping_timeout_signal(c);
return;
}
break;
case OVPN_CMD_SWAP_KEYS:
- msg(D_DCO_DEBUG, "%s: received key rotation notification for peer-id %d",
- __func__, dco->dco_message_peer_id);
+ msg(D_DCO_DEBUG, "%s: received key rotation notification for peer-id %d", __func__,
+ dco->dco_message_peer_id);
tls_session_soft_reset(c->c2.tls_multi);
break;
@@ -1358,7 +1343,8 @@
ASSERT(buf_safe(&c->c2.buf, c->c2.frame.buf.payload_size));
if (c->c1.tuntap->backend_driver == DRIVER_AFUNIX)
{
- c->c2.buf.len = read_tun_afunix(c->c1.tuntap, BPTR(&c->c2.buf), c->c2.frame.buf.payload_size);
+ c->c2.buf.len =
+ read_tun_afunix(c->c1.tuntap, BPTR(&c->c2.buf), c->c2.frame.buf.payload_size);
}
else
{
@@ -1367,11 +1353,8 @@
#endif /* ifdef _WIN32 */
#ifdef PACKET_TRUNCATION_CHECK
- ipv4_packet_size_verify(BPTR(&c->c2.buf),
- BLEN(&c->c2.buf),
- TUNNEL_TYPE(c->c1.tuntap),
- "READ_TUN",
- &c->c2.n_trunc_tun_read);
+ ipv4_packet_size_verify(BPTR(&c->c2.buf), BLEN(&c->c2.buf), TUNNEL_TYPE(c->c1.tuntap),
+ "READ_TUN", &c->c2.n_trunc_tun_read);
#endif
/* Was TUN/TAP interface stopped? */
@@ -1426,7 +1409,7 @@
if (proto_ver == 4)
{
/* make sure we got whole IP header */
- if (BLEN(buf) < ((int) sizeof(struct openvpn_iphdr) + ip_hdr_offset))
+ if (BLEN(buf) < ((int)sizeof(struct openvpn_iphdr) + ip_hdr_offset))
{
return;
}
@@ -1437,7 +1420,7 @@
return;
}
- struct openvpn_iphdr *pip = (struct openvpn_iphdr *) (BPTR(buf) + ip_hdr_offset);
+ struct openvpn_iphdr *pip = (struct openvpn_iphdr *)(BPTR(buf) + ip_hdr_offset);
/* drop packets with same dest addr as gateway */
if (memcmp(&tun_sa.addr.in4.sin_addr.s_addr, &pip->daddr, sizeof(pip->daddr)) == 0)
@@ -1448,7 +1431,7 @@
else if (proto_ver == 6)
{
/* make sure we got whole IPv6 header */
- if (BLEN(buf) < ((int) sizeof(struct openvpn_ipv6hdr) + ip_hdr_offset))
+ if (BLEN(buf) < ((int)sizeof(struct openvpn_ipv6hdr) + ip_hdr_offset))
{
return;
}
@@ -1459,7 +1442,7 @@
return;
}
- struct openvpn_ipv6hdr *pip6 = (struct openvpn_ipv6hdr *) (BPTR(buf) + ip_hdr_offset);
+ struct openvpn_ipv6hdr *pip6 = (struct openvpn_ipv6hdr *)(BPTR(buf) + ip_hdr_offset);
/* drop packets with same dest addr as gateway */
if (OPENVPN_IN6_ARE_ADDR_EQUAL(&tun_sa.addr.in6.sin6_addr, &pip6->daddr))
@@ -1517,19 +1500,15 @@
* The --passtos and --mssfix options require
* us to examine the IP header (IPv4 or IPv6).
*/
- unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT
- | PIPV6_ICMP_NOHOST_CLIENT;
+ unsigned int flags =
+ PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT | PIPV6_ICMP_NOHOST_CLIENT;
process_ip_header(c, flags, &c->c2.buf, out_sock);
#ifdef PACKET_TRUNCATION_CHECK
/* if (c->c2.buf.len > 1) --c->c2.buf.len; */
- ipv4_packet_size_verify(BPTR(&c->c2.buf),
- BLEN(&c->c2.buf),
- TUNNEL_TYPE(c->c1.tuntap),
- "PRE_ENCRYPT",
- &c->c2.n_trunc_pre_encrypt);
+ ipv4_packet_size_verify(BPTR(&c->c2.buf), BLEN(&c->c2.buf), TUNNEL_TYPE(c->c1.tuntap),
+ "PRE_ENCRYPT", &c->c2.n_trunc_pre_encrypt);
#endif
-
}
if (c->c2.buf.len > 0)
{
@@ -1605,8 +1584,7 @@
icmp6out.icmp6_type = OPENVPN_ICMP6_DESTINATION_UNREACHABLE;
icmp6out.icmp6_code = OPENVPN_ICMP6_DU_NOROUTE;
- int icmpheader_len = sizeof(struct openvpn_ipv6hdr)
- + sizeof(struct openvpn_icmp6hdr);
+ int icmpheader_len = sizeof(struct openvpn_ipv6hdr) + sizeof(struct openvpn_icmp6hdr);
int totalheader_len = icmpheader_len;
if (TUNNEL_TYPE(c->c1.tuntap) == DEV_TYPE_TAP)
@@ -1619,8 +1597,7 @@
* frame should be <= 1280 and have as much as possible of the original
* packet
*/
- int max_payload_size = min_int(MAX_ICMPV6LEN,
- c->c2.frame.tun_mtu - icmpheader_len);
+ int max_payload_size = min_int(MAX_ICMPV6LEN, c->c2.frame.tun_mtu - icmpheader_len);
int payload_len = min_int(max_payload_size, BLEN(&inputipbuf));
pip6out.payload_len = htons(sizeof(struct openvpn_icmp6hdr) + payload_len);
@@ -1648,10 +1625,10 @@
/* Calculate checksum over the packet and write to header */
- uint16_t new_csum = ip_checksum(AF_INET6, BPTR(outbuf), BLEN(outbuf),
- (const uint8_t *)&pip6out.saddr,
- (uint8_t *)&pip6out.daddr, OPENVPN_IPPROTO_ICMPV6);
- ((struct openvpn_icmp6hdr *) BPTR(outbuf))->icmp6_cksum = htons(new_csum);
+ uint16_t new_csum =
+ ip_checksum(AF_INET6, BPTR(outbuf), BLEN(outbuf), (const uint8_t *)&pip6out.saddr,
+ (uint8_t *)&pip6out.daddr, OPENVPN_IPPROTO_ICMPV6);
+ ((struct openvpn_icmp6hdr *)BPTR(outbuf))->icmp6_cksum = htons(new_csum);
/* IPv6 Header */
@@ -1667,7 +1644,7 @@
return;
}
- const struct openvpn_ethhdr *orig_ethhdr = (struct openvpn_ethhdr *) BPTR(buf);
+ const struct openvpn_ethhdr *orig_ethhdr = (struct openvpn_ethhdr *)BPTR(buf);
/* Copy frametype and reverse source/destination for the response */
struct openvpn_ethhdr ethhdr;
@@ -1748,15 +1725,13 @@
{
mss_fixup_ipv6(&ipbuf, c->c2.frame.mss_fix);
}
- if (!(flags & PIP_OUTGOING) && (flags
- &(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER)))
+ if (!(flags & PIP_OUTGOING)
+ && (flags & (PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER)))
{
- ipv6_send_icmp_unreachable(c, buf,
- (bool)(flags & PIPV6_ICMP_NOHOST_CLIENT));
+ ipv6_send_icmp_unreachable(c, buf, (bool)(flags & PIPV6_ICMP_NOHOST_CLIENT));
/* Drop the IPv6 packet */
buf->len = 0;
}
-
}
}
}
@@ -1793,10 +1768,9 @@
*/
if (c->options.shaper)
{
- int overhead = datagram_overhead(c->c2.to_link_addr->dest.addr.sa.sa_family,
- sock->info.proto);
- shaper_wrote_bytes(&c->c2.shaper,
- BLEN(&c->c2.to_link) + overhead);
+ int overhead =
+ datagram_overhead(c->c2.to_link_addr->dest.addr.sa.sa_family, sock->info.proto);
+ shaper_wrote_bytes(&c->c2.shaper, BLEN(&c->c2.to_link) + overhead);
}
/*
@@ -1820,10 +1794,8 @@
}
#endif
msg(D_LINK_RW, "%s WRITE [%d] to %s: %s",
- proto2ascii(sock->info.proto, sock->info.af, true),
- BLEN(&c->c2.to_link),
- print_link_socket_actual(c->c2.to_link_addr, &gc),
- PROTO_DUMP(&c->c2.to_link, &gc));
+ proto2ascii(sock->info.proto, sock->info.af, true), BLEN(&c->c2.to_link),
+ print_link_socket_actual(c->c2.to_link_addr, &gc), PROTO_DUMP(&c->c2.to_link, &gc));
/* Packet send complexified by possible Socks5 usage */
{
@@ -1834,9 +1806,7 @@
socks_preprocess_outgoing_link(c, sock, &to_addr, &size_delta);
/* Send packet */
- size = (int)link_socket_write(sock,
- &c->c2.to_link,
- to_addr);
+ size = (int)link_socket_write(sock, &c->c2.to_link, to_addr);
/* Undo effect of prepend */
link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link);
@@ -1857,7 +1827,8 @@
if (management)
{
management_bytes_client(management, 0, size);
- management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context);
+ management_bytes_server(management, &c->c2.link_read_bytes,
+ &c->c2.link_write_bytes, &c->c2.mda_context);
}
#endif
}
@@ -1874,9 +1845,7 @@
{
msg(D_LINK_ERRORS,
"TCP/UDP packet was truncated/expanded on write to %s (tried=%d,actual=%d)",
- print_link_socket_actual(c->c2.to_link_addr, &gc),
- BLEN(&c->c2.to_link),
- size);
+ print_link_socket_actual(c->c2.to_link_addr, &gc), BLEN(&c->c2.to_link), size);
}
}
@@ -1895,7 +1864,8 @@
ENETUNREACH;
#endif
if (size < 0 && unreachable && c->c2.tls_multi
- && !tls_initial_packet_received(c->c2.tls_multi) && c->options.mode == MODE_POINT_TO_POINT)
+ && !tls_initial_packet_received(c->c2.tls_multi)
+ && c->options.mode == MODE_POINT_TO_POINT)
{
msg(M_INFO, "Network unreachable, restarting");
register_signal(c->sig, SIGUSR1, "network-unreachable");
@@ -1906,8 +1876,7 @@
if (c->c2.to_link.len > 0)
{
msg(D_LINK_ERRORS, "TCP/UDP packet too large on write to %s (tried=%d,max=%d)",
- print_link_socket_actual(c->c2.to_link_addr, &gc),
- c->c2.to_link.len,
+ print_link_socket_actual(c->c2.to_link_addr, &gc), c->c2.to_link.len,
c->c2.frame.buf.payload_size);
}
}
@@ -1940,8 +1909,8 @@
* The --mssfix option requires
* us to examine the IP header (IPv4 or IPv6).
*/
- process_ip_header(c, PIP_MSSFIX|PIPV4_EXTRACT_DHCP_ROUTER|PIPV4_CLIENT_NAT|PIP_OUTGOING, &c->c2.to_tun,
- in_sock);
+ process_ip_header(c, PIP_MSSFIX | PIPV4_EXTRACT_DHCP_ROUTER | PIPV4_CLIENT_NAT | PIP_OUTGOING,
+ &c->c2.to_tun, in_sock);
if (c->c2.to_tun.len <= c->c2.frame.buf.payload_size)
{
@@ -1959,11 +1928,8 @@
dmsg(D_TUN_RW, "TUN WRITE [%d]", BLEN(&c->c2.to_tun));
#ifdef PACKET_TRUNCATION_CHECK
- ipv4_packet_size_verify(BPTR(&c->c2.to_tun),
- BLEN(&c->c2.to_tun),
- TUNNEL_TYPE(c->c1.tuntap),
- "WRITE_TUN",
- &c->c2.n_trunc_tun_write);
+ ipv4_packet_size_verify(BPTR(&c->c2.to_tun), BLEN(&c->c2.to_tun), TUNNEL_TYPE(c->c1.tuntap),
+ "WRITE_TUN", &c->c2.n_trunc_tun_write);
#endif
#ifdef _WIN32
@@ -1993,9 +1959,7 @@
{
msg(D_LINK_ERRORS,
"TUN/TAP packet was destructively fragmented on write to %s (tried=%d,actual=%d)",
- c->c1.tuntap->actual_name,
- BLEN(&c->c2.to_tun),
- size);
+ c->c1.tuntap->actual_name, BLEN(&c->c2.to_tun), size);
}
/* indicate activity regarding --inactive parameter */
@@ -2008,8 +1972,7 @@
* This should never happen, probably indicates some kind
* of MTU mismatch.
*/
- msg(D_LINK_ERRORS, "tun packet too large on write (tried=%d,max=%d)",
- c->c2.to_tun.len,
+ msg(D_LINK_ERRORS, "tun packet too large on write (tried=%d,max=%d)", c->c2.to_tun.len,
c->c2.frame.buf.payload_size);
}
@@ -2085,9 +2048,8 @@
}
static void
-multi_io_process_flags(struct context *c, struct event_set *es,
- const unsigned int flags, unsigned int *out_socket,
- unsigned int *out_tuntap)
+multi_io_process_flags(struct context *c, struct event_set *es, const unsigned int flags,
+ unsigned int *out_socket, unsigned int *out_tuntap)
{
unsigned int socket = 0;
unsigned int tuntap = 0;
@@ -2178,8 +2140,7 @@
*/
for (int i = 0; i < c->c1.link_sockets_num; i++)
{
- socket_set(c->c2.link_sockets[i], es, socket,
- &c->c2.link_sockets[i]->ev_arg, NULL);
+ socket_set(c->c2.link_sockets[i], es, socket, &c->c2.link_sockets[i]->ev_arg, NULL);
}
tun_set(c->c1.tuntap, es, tuntap, (void *)tun_shift, NULL);
@@ -2193,7 +2154,6 @@
{
*out_tuntap = tuntap;
}
-
}
/*
@@ -2244,15 +2204,16 @@
struct event_set_return esr[4];
/* These shifts all depend on EVENT_READ and EVENT_WRITE */
- static uintptr_t socket_shift = SOCKET_SHIFT; /* depends on SOCKET_READ and SOCKET_WRITE */
+ static uintptr_t socket_shift = SOCKET_SHIFT; /* depends on SOCKET_READ and SOCKET_WRITE */
#ifdef ENABLE_MANAGEMENT
- static uintptr_t management_shift = MANAGEMENT_SHIFT; /* depends on MANAGEMENT_READ and MANAGEMENT_WRITE */
+ static uintptr_t management_shift =
+ MANAGEMENT_SHIFT; /* depends on MANAGEMENT_READ and MANAGEMENT_WRITE */
#endif
#ifdef ENABLE_ASYNC_PUSH
static uintptr_t file_shift = FILE_SHIFT;
#endif
#if defined(TARGET_LINUX) || defined(TARGET_FREEBSD)
- static uintptr_t dco_shift = DCO_SHIFT; /* Event from DCO linux kernel module */
+ static uintptr_t dco_shift = DCO_SHIFT; /* Event from DCO linux kernel module */
#endif
/*
@@ -2331,8 +2292,7 @@
if (ev_arg->type != EVENT_ARG_LINK_SOCKET)
{
c->c2.event_set_status = ES_ERROR;
- msg(D_LINK_ERRORS,
- "io_work: non socket event delivered");
+ msg(D_LINK_ERRORS, "io_work: non socket event delivered");
return;
}
@@ -2375,7 +2335,7 @@
const unsigned int status = c->c2.event_set_status;
#ifdef ENABLE_MANAGEMENT
- if (status & (MANAGEMENT_READ|MANAGEMENT_WRITE))
+ if (status & (MANAGEMENT_READ | MANAGEMENT_WRITE))
{
ASSERT(management);
management_io(management);
@@ -34,9 +34,9 @@
* file
*/
-#define TUN_OUT(c) (BLEN(&(c)->c2.to_tun) > 0)
-#define LINK_OUT(c) (BLEN(&(c)->c2.to_link) > 0)
-#define ANY_OUT(c) (TUN_OUT(c) || LINK_OUT(c))
+#define TUN_OUT(c) (BLEN(&(c)->c2.to_tun) > 0)
+#define LINK_OUT(c) (BLEN(&(c)->c2.to_link) > 0)
+#define ANY_OUT(c) (TUN_OUT(c) || LINK_OUT(c))
#ifdef ENABLE_FRAGMENT
#define TO_LINK_FRAG(c) ((c)->c2.fragment && fragment_outgoing_defined((c)->c2.fragment))
@@ -44,31 +44,32 @@
#define TO_LINK_FRAG(c) (false)
#endif
-#define TO_LINK_DEF(c) (LINK_OUT(c) || TO_LINK_FRAG(c))
+#define TO_LINK_DEF(c) (LINK_OUT(c) || TO_LINK_FRAG(c))
#include "openvpn.h"
#include "occ.h"
#include "ping.h"
#include "multi_io.h"
-#define IOW_TO_TUN (1<<0)
-#define IOW_TO_LINK (1<<1)
-#define IOW_READ_TUN (1<<2)
-#define IOW_READ_LINK (1<<3)
-#define IOW_SHAPER (1<<4)
-#define IOW_CHECK_RESIDUAL (1<<5)
-#define IOW_FRAG (1<<6)
-#define IOW_MBUF (1<<7)
-#define IOW_READ_TUN_FORCE (1<<8)
-#define IOW_WAIT_SIGNAL (1<<9)
+#define IOW_TO_TUN (1 << 0)
+#define IOW_TO_LINK (1 << 1)
+#define IOW_READ_TUN (1 << 2)
+#define IOW_READ_LINK (1 << 3)
+#define IOW_SHAPER (1 << 4)
+#define IOW_CHECK_RESIDUAL (1 << 5)
+#define IOW_FRAG (1 << 6)
+#define IOW_MBUF (1 << 7)
+#define IOW_READ_TUN_FORCE (1 << 8)
+#define IOW_WAIT_SIGNAL (1 << 9)
-#define IOW_READ (IOW_READ_TUN|IOW_READ_LINK)
+#define IOW_READ (IOW_READ_TUN | IOW_READ_LINK)
extern counter_type link_read_bytes_global;
extern counter_type link_write_bytes_global;
-void get_io_flags_dowork_udp(struct context *c, struct multi_io *multi_io, const unsigned int flags);
+void get_io_flags_dowork_udp(struct context *c, struct multi_io *multi_io,
+ const unsigned int flags);
void get_io_flags_udp(struct context *c, struct multi_io *multi_io, const unsigned int flags);
@@ -192,7 +193,8 @@
* @param orig_buf - Pointer to a buffer data.
*
*/
-void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf);
+void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi,
+ const uint8_t *orig_buf);
/**
* Transfers \c float_sa data extracted from an incoming DCO
@@ -204,10 +206,8 @@
* @param float_sa - The sockaddr struct containing the data received from the
* DCO notification
*/
-void
-extract_dco_float_peer_addr(sa_family_t socket_family,
- struct openvpn_sockaddr *out_osaddr,
- const struct sockaddr *float_sa);
+void extract_dco_float_peer_addr(sa_family_t socket_family, struct openvpn_sockaddr *out_osaddr,
+ const struct sockaddr *float_sa);
/**
* Write a packet to the external network interface.
@@ -285,8 +285,7 @@
* @param str - The message to be sent
* @param msglevel - Message level to use for logging
*/
-bool
-send_control_channel_string(struct context *c, const char *str, int msglevel);
+bool send_control_channel_string(struct context *c, const char *str, int msglevel);
/*
* Send a string to remote over the TLS control channel.
@@ -304,9 +303,7 @@
* @param msglevel - Message level to use for logging
*/
-bool
-send_control_channel_string_dowork(struct tls_session *session,
- const char *str, int msglevel);
+bool send_control_channel_string_dowork(struct tls_session *session, const char *str, int msglevel);
/**
@@ -317,13 +314,13 @@
*/
void reschedule_multi_process(struct context *c);
-#define PIPV4_PASSTOS (1<<0)
-#define PIP_MSSFIX (1<<1) /* v4 and v6 */
-#define PIP_OUTGOING (1<<2)
-#define PIPV4_EXTRACT_DHCP_ROUTER (1<<3)
-#define PIPV4_CLIENT_NAT (1<<4)
-#define PIPV6_ICMP_NOHOST_CLIENT (1<<5)
-#define PIPV6_ICMP_NOHOST_SERVER (1<<6)
+#define PIPV4_PASSTOS (1 << 0)
+#define PIP_MSSFIX (1 << 1) /* v4 and v6 */
+#define PIP_OUTGOING (1 << 2)
+#define PIPV4_EXTRACT_DHCP_ROUTER (1 << 3)
+#define PIPV4_CLIENT_NAT (1 << 4)
+#define PIPV6_ICMP_NOHOST_CLIENT (1 << 5)
+#define PIPV6_ICMP_NOHOST_SERVER (1 << 6)
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf,
@@ -365,7 +362,7 @@
static inline unsigned int
p2p_iow_flags(const struct context *c)
{
- unsigned int flags = (IOW_SHAPER|IOW_CHECK_RESIDUAL|IOW_FRAG|IOW_READ|IOW_WAIT_SIGNAL);
+ unsigned int flags = (IOW_SHAPER | IOW_CHECK_RESIDUAL | IOW_FRAG | IOW_READ | IOW_WAIT_SIGNAL);
if (c->c2.to_link.len > 0)
{
flags |= IOW_TO_LINK;
@@ -384,8 +381,8 @@
static inline void
io_wait(struct context *c, const unsigned int flags)
{
- if (proto_is_dgram(c->c2.link_sockets[0]->info.proto)
- && c->c2.fast_io && (flags & (IOW_TO_TUN|IOW_TO_LINK|IOW_MBUF)))
+ if (proto_is_dgram(c->c2.link_sockets[0]->info.proto) && c->c2.fast_io
+ && (flags & (IOW_TO_TUN | IOW_TO_LINK | IOW_MBUF)))
{
/* fast path -- only for TUN/TAP/UDP writes */
unsigned int ret = 0;
@@ -393,7 +390,7 @@
{
ret |= TUN_WRITE;
}
- if (flags & (IOW_TO_LINK|IOW_MBUF))
+ if (flags & (IOW_TO_LINK | IOW_MBUF))
{
ret |= SOCKET_WRITE;
}
@@ -34,7 +34,11 @@
#include "integer.h"
#include "memdbg.h"
-#define FRAG_ERR(s) { errmsg = s; goto error; }
+#define FRAG_ERR(s) \
+ { \
+ errmsg = s; \
+ goto error; \
+ }
static void
fragment_list_buf_init(struct fragment_list *list, const struct frame *frame)
@@ -132,8 +136,7 @@
* If a fragment fully completes the datagram, return the datagram.
*/
void
-fragment_incoming(struct fragment_master *f, struct buffer *buf,
- const struct frame *frame)
+fragment_incoming(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
{
const char *errmsg = NULL;
fragment_header_type flags = 0;
@@ -164,11 +167,8 @@
/* handle the fragment type */
if (frag_type == FRAG_WHOLE)
{
- dmsg(D_FRAG_DEBUG,
- "FRAG_IN buf->len=%d type=FRAG_WHOLE flags="
- fragment_header_format,
- buf->len,
- flags);
+ dmsg(D_FRAG_DEBUG, "FRAG_IN buf->len=%d type=FRAG_WHOLE flags=" fragment_header_format,
+ buf->len, flags);
if (flags & (FRAG_SEQ_ID_MASK | FRAG_ID_MASK))
{
@@ -179,22 +179,18 @@
{
const int seq_id = ((flags >> FRAG_SEQ_ID_SHIFT) & FRAG_SEQ_ID_MASK);
const int n = ((flags >> FRAG_ID_SHIFT) & FRAG_ID_MASK);
- const int size = ((frag_type == FRAG_YES_LAST)
- ? (int)(((flags >> FRAG_SIZE_SHIFT) & FRAG_SIZE_MASK) << FRAG_SIZE_ROUND_SHIFT)
- : buf->len);
+ const int size =
+ ((frag_type == FRAG_YES_LAST)
+ ? (int)(((flags >> FRAG_SIZE_SHIFT) & FRAG_SIZE_MASK) << FRAG_SIZE_ROUND_SHIFT)
+ : buf->len);
/* get the appropriate fragment buffer based on received seq_id */
struct fragment *frag = fragment_list_get_buf(&f->incoming, seq_id);
- dmsg(D_FRAG_DEBUG,
- "FRAG_IN len=%d type=%d seq_id=%d frag_id=%d size=%d flags="
- fragment_header_format,
- buf->len,
- frag_type,
- seq_id,
- n,
- size,
- flags);
+ dmsg(
+ D_FRAG_DEBUG,
+ "FRAG_IN len=%d type=%d seq_id=%d frag_id=%d size=%d flags=" fragment_header_format,
+ buf->len, frag_type, seq_id, n, size, flags);
/* make sure that size is an even multiple of 1<<FRAG_SIZE_ROUND_SHIFT */
if (size & FRAG_SIZE_ROUND_MASK)
@@ -257,11 +253,7 @@
/* pack fragment parms into a uint32_t and prepend to buffer */
static void
-fragment_prepend_flags(struct buffer *buf,
- int type,
- int seq_id,
- int frag_id,
- int frag_size)
+fragment_prepend_flags(struct buffer *buf, int type, int seq_id, int frag_id, int frag_size)
{
fragment_header_type flags = ((type & FRAG_TYPE_MASK) << FRAG_TYPE_SHIFT)
| ((seq_id & FRAG_SEQ_ID_MASK) << FRAG_SEQ_ID_SHIFT)
@@ -273,19 +265,19 @@
* If you want to set FRAG_EXTRA_MASK/FRAG_EXTRA_SHIFT bits,
* do it here.
*/
- dmsg(D_FRAG_DEBUG,
- "FRAG_OUT len=%d type=%d seq_id=%d frag_id=%d frag_size=%d flags="
- fragment_header_format,
- buf->len, type, seq_id, frag_id, frag_size, flags);
+ dmsg(
+ D_FRAG_DEBUG,
+ "FRAG_OUT len=%d type=%d seq_id=%d frag_id=%d frag_size=%d flags=" fragment_header_format,
+ buf->len, type, seq_id, frag_id, frag_size, flags);
}
else
{
flags |= (((frag_size >> FRAG_SIZE_ROUND_SHIFT) & FRAG_SIZE_MASK) << FRAG_SIZE_SHIFT);
- dmsg(D_FRAG_DEBUG,
- "FRAG_OUT len=%d type=%d seq_id=%d frag_id=%d frag_size=%d flags="
- fragment_header_format,
- buf->len, type, seq_id, frag_id, frag_size, flags);
+ dmsg(
+ D_FRAG_DEBUG,
+ "FRAG_OUT len=%d type=%d seq_id=%d frag_id=%d frag_size=%d flags=" fragment_header_format,
+ buf->len, type, seq_id, frag_id, frag_size, flags);
}
flags = hton_fragment_header_type(flags);
@@ -306,8 +298,9 @@
if (div > 0 && mod > 0 && mod < mfs_aligned * 3 / 4)
{
- return min_int(mfs_aligned, (max_frag_size - ((max_frag_size - mod) / (div + 1))
- + FRAG_SIZE_ROUND_MASK) & ~FRAG_SIZE_ROUND_MASK);
+ return min_int(mfs_aligned,
+ (max_frag_size - ((max_frag_size - mod) / (div + 1)) + FRAG_SIZE_ROUND_MASK)
+ & ~FRAG_SIZE_ROUND_MASK);
}
else
{
@@ -317,8 +310,7 @@
/* process an outgoing datagram, possibly breaking it up into fragments */
void
-fragment_outgoing(struct fragment_master *f, struct buffer *buf,
- const struct frame *frame)
+fragment_outgoing(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
{
const char *errmsg = NULL;
if (buf->len > 0)
@@ -326,8 +318,8 @@
/* The outgoing buffer should be empty so we can put new data in it */
if (f->outgoing.len)
{
- msg(D_FRAG_ERRORS, "FRAG: outgoing buffer is not empty, len=[%d,%d]",
- buf->len, f->outgoing.len);
+ msg(D_FRAG_ERRORS, "FRAG: outgoing buffer is not empty, len=[%d,%d]", buf->len,
+ f->outgoing.len);
}
if (buf->len > frame->max_fragment_size) /* should we fragment? */
{
@@ -351,11 +343,7 @@
/*
* Send the datagram whole.
*/
- fragment_prepend_flags(buf,
- FRAG_WHOLE,
- 0,
- 0,
- 0);
+ fragment_prepend_flags(buf, FRAG_WHOLE, 0, 0, 0);
}
}
return;
@@ -363,8 +351,8 @@
error:
if (errmsg)
{
- msg(D_FRAG_ERRORS, "FRAG_OUT error, len=%d frag_size=%d MAX_FRAGS=%d: %s",
- buf->len, f->outgoing_frag_size, MAX_FRAGS, errmsg);
+ msg(D_FRAG_ERRORS, "FRAG_OUT error, len=%d frag_size=%d MAX_FRAGS=%d: %s", buf->len,
+ f->outgoing_frag_size, MAX_FRAGS, errmsg);
}
buf->len = 0;
return;
@@ -372,8 +360,7 @@
/* return true (and set buf) if we have an outgoing fragment which is ready to send */
bool
-fragment_ready_to_send(struct fragment_master *f, struct buffer *buf,
- const struct frame *frame)
+fragment_ready_to_send(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
{
if (fragment_outgoing_defined(f))
{
@@ -392,13 +379,12 @@
ASSERT(buf_copy_n(buf, &f->outgoing, size));
/* fragment flags differ based on whether or not we are sending the last fragment */
- fragment_prepend_flags(buf,
- last ? FRAG_YES_LAST : FRAG_YES_NOTLAST,
- f->outgoing_seq_id,
- f->outgoing_frag_id++,
- f->outgoing_frag_size);
+ fragment_prepend_flags(buf, last ? FRAG_YES_LAST : FRAG_YES_NOTLAST, f->outgoing_seq_id,
+ f->outgoing_frag_id++, f->outgoing_frag_size);
- ASSERT(!last || !f->outgoing.len); /* outgoing buffer length should be zero after last fragment sent */
+ ASSERT(!last
+ || !f->outgoing
+ .len); /* outgoing buffer length should be zero after last fragment sent */
return true;
}
@@ -45,15 +45,15 @@
#include "error.h"
-#define N_FRAG_BUF 25
+#define N_FRAG_BUF 25
/**< Number of packet buffers for
* reassembling incoming fragmented
* packets. */
-#define FRAG_TTL_SEC 10
+#define FRAG_TTL_SEC 10
/**< Time-to-live in seconds for a %fragment. */
-#define FRAG_WAKEUP_INTERVAL 5
+#define FRAG_WAKEUP_INTERVAL 5
/**< Interval in seconds between calls to
* wakeup code. */
@@ -61,15 +61,16 @@
/**
* Structure for reassembling one incoming fragmented packet.
*/
-struct fragment {
- bool defined; /**< Whether reassembly is currently
- * taking place in this structure. */
+struct fragment
+{
+ bool defined; /**< Whether reassembly is currently
+ * taking place in this structure. */
- int max_frag_size; /**< Maximum size of each %fragment. */
+ int max_frag_size; /**< Maximum size of each %fragment. */
#define FRAG_MAP_MASK 0xFFFFFFFF
/**< Mask for reassembly map. */
-#define MAX_FRAGS 32 /**< Maximum number of fragments per packet. */
+#define MAX_FRAGS 32 /**< Maximum number of fragments per packet. */
unsigned int map;
/**< Reassembly map for recording which
* fragments have been received.
@@ -80,10 +81,10 @@
* n has been received. Needs to have
* at least \c MAX_FRAGS bits. */
- time_t timestamp; /**< Timestamp for time-to-live purposes. */
+ time_t timestamp; /**< Timestamp for time-to-live purposes. */
- struct buffer buf; /**< Buffer in which received datagrams
- * are reassembled. */
+ struct buffer buf; /**< Buffer in which received datagrams
+ * are reassembled. */
};
@@ -135,11 +136,12 @@
* fragment_incoming() function adds newly received parts into this array
* and returns the whole packets once reassembly is complete.
*/
-struct fragment_master {
+struct fragment_master
+{
struct event_timeout wakeup; /**< Timeout structure used by the main
* event loop to know when to do
* fragmentation housekeeping. */
-#define N_SEQ_ID 256
+#define N_SEQ_ID 256
/**< One more than the maximum fragment
* sequence ID, above which the IDs wrap
* to zero. Should be a power of 2. */
@@ -195,24 +197,24 @@
#define ntoh_fragment_header_type(x) ntohl(x)
/**< Convert a \c fragment_header_type from network to host order. */
-#define FRAG_TYPE_MASK 0x00000003 /**< Bit mask for %fragment type info. */
-#define FRAG_TYPE_SHIFT 0 /**< Bit shift for %fragment type info. */
+#define FRAG_TYPE_MASK 0x00000003 /**< Bit mask for %fragment type info. */
+#define FRAG_TYPE_SHIFT 0 /**< Bit shift for %fragment type info. */
-#define FRAG_WHOLE 0 /**< Fragment type indicating packet is whole. */
-#define FRAG_YES_NOTLAST 1
+#define FRAG_WHOLE 0 /**< Fragment type indicating packet is whole. */
+#define FRAG_YES_NOTLAST 1
/**< Fragment type indicating packet is part of a fragmented packet, but not
* the last part in the sequence. */
-#define FRAG_YES_LAST 2
+#define FRAG_YES_LAST 2
/**< Fragment type indicating packet is the last part in the sequence of parts. */
-#define FRAG_TEST 3
+#define FRAG_TEST 3
/**< Fragment type not implemented yet.
* In the future might be used as a control packet for establishing MTU size. */
-#define FRAG_SEQ_ID_MASK 0x000000ff /**< Bit mask for %fragment sequence ID. */
-#define FRAG_SEQ_ID_SHIFT 2 /**< Bit shift for %fragment sequence ID. */
+#define FRAG_SEQ_ID_MASK 0x000000ff /**< Bit mask for %fragment sequence ID. */
+#define FRAG_SEQ_ID_SHIFT 2 /**< Bit shift for %fragment sequence ID. */
-#define FRAG_ID_MASK 0x0000001f /**< Bit mask for %fragment ID. */
-#define FRAG_ID_SHIFT 10 /**< Bit shift for %fragment ID. */
+#define FRAG_ID_MASK 0x0000001f /**< Bit mask for %fragment ID. */
+#define FRAG_ID_SHIFT 10 /**< Bit shift for %fragment ID. */
/*
@@ -224,10 +226,10 @@
* max_frag_size is only sent over the wire if FRAG_LAST is set. Otherwise it is assumed
* to be the actual %fragment size received.
*/
-#define FRAG_SIZE_MASK 0x00003fff /**< Bit mask for %fragment size. */
-#define FRAG_SIZE_SHIFT 15 /**< Bit shift for %fragment size. */
-#define FRAG_SIZE_ROUND_SHIFT 2 /**< Bit shift for %fragment size rounding. */
-#define FRAG_SIZE_ROUND_MASK ((1 << FRAG_SIZE_ROUND_SHIFT) - 1)
+#define FRAG_SIZE_MASK 0x00003fff /**< Bit mask for %fragment size. */
+#define FRAG_SIZE_SHIFT 15 /**< Bit shift for %fragment size. */
+#define FRAG_SIZE_ROUND_SHIFT 2 /**< Bit shift for %fragment size rounding. */
+#define FRAG_SIZE_ROUND_MASK ((1 << FRAG_SIZE_ROUND_SHIFT) - 1)
/**< Bit mask for %fragment size rounding. */
/*
@@ -235,14 +237,14 @@
*
* IF FRAG_WHOLE or FRAG_YES_NOTLAST, these 16 bits are available (not currently used)
*/
-#define FRAG_EXTRA_MASK 0x0000ffff /**< Bit mask for extra bits. */
-#define FRAG_EXTRA_SHIFT 15 /**< Bit shift for extra bits. */
+#define FRAG_EXTRA_MASK 0x0000ffff /**< Bit mask for extra bits. */
+#define FRAG_EXTRA_SHIFT 15 /**< Bit shift for extra bits. */
-/** @} name Fragment header *//********************************************/
+/** @} name Fragment header */ /********************************************/
/**************************************************************************/
-/** @name Functions for initialization and cleanup *//** @{ *//************/
+/** @name Functions for initialization and cleanup */ /** @{ */ /************/
/**
* Allocate and initialize a \c fragment_master structure.
@@ -278,7 +280,7 @@
*/
void fragment_free(struct fragment_master *f);
-/** @} name Functions for initialization and cleanup *//*******************/
+/** @} name Functions for initialization and cleanup */ /*******************/
/**************************************************************************/
@@ -326,8 +328,7 @@
* complete. If an error occurs during processing, the buffer length
* is also set to zero.
*/
-void fragment_incoming(struct fragment_master *f, struct buffer *buf,
- const struct frame *frame);
+void fragment_incoming(struct fragment_master *f, struct buffer *buf, const struct frame *frame);
/** @} name Functions for processing packets received from a VPN tunnel */
@@ -378,8 +379,7 @@
* cases a fragmentation header will have been prepended to inform the
* remote peer how to handle the packet.
*/
-void fragment_outgoing(struct fragment_master *f, struct buffer *buf,
- const struct frame *frame);
+void fragment_outgoing(struct fragment_master *f, struct buffer *buf, const struct frame *frame);
/**
* Check whether outgoing fragments are ready to be send, and if so make
@@ -435,7 +435,7 @@
/**************************************************************************/
-/** @name Functions for regular housekeeping *//** @{ *//******************/
+/** @name Functions for regular housekeeping */ /** @{ */ /******************/
/**
* Perform housekeeping of a \c fragment_master structure.
@@ -459,10 +459,10 @@
}
}
-/** @} name Functions for regular housekeeping *//*************************/
+/** @} name Functions for regular housekeeping */ /*************************/
-/** @} addtogroup fragmentation *//****************************************/
+/** @} addtogroup fragmentation */ /****************************************/
#endif /* ifdef ENABLE_FRAGMENT */
@@ -64,28 +64,29 @@
* When network goes up, it will be up for between
* UP_LOW and UP_HIGH seconds.
*/
-static const int up_low[] = { 60, 10, 5 };
+static const int up_low[] = { 60, 10, 5 };
static const int up_high[] = { 600, 60, 10 };
/*
* When network goes down, it will be down for between
* DOWN_LOW and DOWN_HIGH seconds.
*/
-static const int down_low[] = { 5, 10, 10 };
+static const int down_low[] = { 5, 10, 10 };
static const int down_high[] = { 10, 60, 120 };
/*
* Packet flood levels:
* { number of packets, packet size }
*/
-static const struct packet_flood_parms packet_flood_data[] =
-{{10, 100}, {10, 1500}, {100, 1500}};
+static const struct packet_flood_parms packet_flood_data[] = { { 10, 100 },
+ { 10, 1500 },
+ { 100, 1500 } };
struct packet_flood_parms
get_packet_flood_parms(int level)
{
ASSERT(level > 0 && level < 4);
- return packet_flood_data [level - 1];
+ return packet_flood_data[level - 1];
}
/*
@@ -147,18 +148,16 @@
int delta;
if (up)
{
- delta = roll(down_low[up_down_level-1], down_high[up_down_level-1]);
+ delta = roll(down_low[up_down_level - 1], down_high[up_down_level - 1]);
up = false;
}
else
{
- delta = roll(up_low[up_down_level-1], up_high[up_down_level-1]);
+ delta = roll(up_low[up_down_level - 1], up_high[up_down_level - 1]);
up = true;
}
- msg(D_GREMLIN,
- "GREMLIN: CONNECTION GOING %s FOR %d SECONDS",
- (up ? "UP" : "DOWN"),
+ msg(D_GREMLIN, "GREMLIN: CONNECTION GOING %s FOR %d SECONDS", (up ? "UP" : "DOWN"),
delta);
next = now + delta;
}
@@ -166,7 +165,7 @@
if (drop_level)
{
- if (up && flip(drop_freq[drop_level-1]))
+ if (up && flip(drop_freq[drop_level - 1]))
{
dmsg(D_GREMLIN_VERBOSE, "GREMLIN: Random packet drop");
return false;
@@ -185,7 +184,7 @@
const int corrupt_level = GREMLIN_CORRUPT_LEVEL(flags);
if (corrupt_level)
{
- if (flip(corrupt_freq[corrupt_level-1]))
+ if (flip(corrupt_freq[corrupt_level - 1]))
{
do
{
@@ -226,7 +225,7 @@
{
break;
}
- } while (flip(2)); /* a 50% chance we will corrupt again */
+ } while (flip(2)); /* a 50% chance we will corrupt again */
}
}
}
@@ -29,30 +29,32 @@
* Gremlin options, presented as bitmask argument to --gremlin directive
*/
-#define GREMLIN_CONNECTION_FLOOD_SHIFT (0)
-#define GREMLIN_CONNECTION_FLOOD_MASK (0x07)
+#define GREMLIN_CONNECTION_FLOOD_SHIFT (0)
+#define GREMLIN_CONNECTION_FLOOD_MASK (0x07)
-#define GREMLIN_PACKET_FLOOD_SHIFT (3)
-#define GREMLIN_PACKET_FLOOD_MASK (0x03)
+#define GREMLIN_PACKET_FLOOD_SHIFT (3)
+#define GREMLIN_PACKET_FLOOD_MASK (0x03)
-#define GREMLIN_CORRUPT_SHIFT (5)
-#define GREMLIN_CORRUPT_MASK (0x03)
+#define GREMLIN_CORRUPT_SHIFT (5)
+#define GREMLIN_CORRUPT_MASK (0x03)
-#define GREMLIN_UP_DOWN_SHIFT (7)
-#define GREMLIN_UP_DOWN_MASK (0x03)
+#define GREMLIN_UP_DOWN_SHIFT (7)
+#define GREMLIN_UP_DOWN_MASK (0x03)
/* 512:1/500 1024:1/100 1536:1/50 */
-#define GREMLIN_DROP_SHIFT (9)
-#define GREMLIN_DROP_MASK (0x03)
+#define GREMLIN_DROP_SHIFT (9)
+#define GREMLIN_DROP_MASK (0x03)
/* extract gremlin parms */
-#define GREMLIN_CONNECTION_FLOOD_LEVEL(x) (((x)>>GREMLIN_CONNECTION_FLOOD_SHIFT) & GREMLIN_CONNECTION_FLOOD_MASK)
-#define GREMLIN_PACKET_FLOOD_LEVEL(x) (((x)>>GREMLIN_PACKET_FLOOD_SHIFT) & GREMLIN_PACKET_FLOOD_MASK)
-#define GREMLIN_CORRUPT_LEVEL(x) (((x)>>GREMLIN_CORRUPT_SHIFT) & GREMLIN_CORRUPT_MASK)
-#define GREMLIN_UP_DOWN_LEVEL(x) (((x)>>GREMLIN_UP_DOWN_SHIFT) & GREMLIN_UP_DOWN_MASK)
-#define GREMLIN_DROP_LEVEL(x) (((x)>>GREMLIN_DROP_SHIFT) & GREMLIN_DROP_MASK)
+#define GREMLIN_CONNECTION_FLOOD_LEVEL(x) \
+ (((x) >> GREMLIN_CONNECTION_FLOOD_SHIFT) & GREMLIN_CONNECTION_FLOOD_MASK)
+#define GREMLIN_PACKET_FLOOD_LEVEL(x) \
+ (((x) >> GREMLIN_PACKET_FLOOD_SHIFT) & GREMLIN_PACKET_FLOOD_MASK)
+#define GREMLIN_CORRUPT_LEVEL(x) (((x) >> GREMLIN_CORRUPT_SHIFT) & GREMLIN_CORRUPT_MASK)
+#define GREMLIN_UP_DOWN_LEVEL(x) (((x) >> GREMLIN_UP_DOWN_SHIFT) & GREMLIN_UP_DOWN_MASK)
+#define GREMLIN_DROP_LEVEL(x) (((x) >> GREMLIN_DROP_SHIFT) & GREMLIN_DROP_MASK)
#include "buffer.h"
@@ -70,14 +70,12 @@
if (netmask)
{
- buf_printf(&out, "route %s %s",
- print_in_addr_t(network, 0, gc),
+ buf_printf(&out, "route %s %s", print_in_addr_t(network, 0, gc),
print_in_addr_t(netmask, 0, gc));
}
else
{
- buf_printf(&out, "route %s",
- print_in_addr_t(network, 0, gc));
+ buf_printf(&out, "route %s", print_in_addr_t(network, 0, gc));
}
return BSTR(&out);
@@ -113,11 +111,8 @@
helper_add_route(const in_addr_t network, const in_addr_t netmask, struct options *o)
{
rol_check_alloc(o);
- add_route_to_option_list(o->routes,
- print_in_addr_t(network, 0, &o->gc),
- print_in_addr_t(netmask, 0, &o->gc),
- NULL,
- NULL,
+ add_route_to_option_list(o->routes, print_in_addr_t(network, 0, &o->gc),
+ print_in_addr_t(netmask, 0, &o->gc), NULL, NULL,
o->route_default_table_id);
}
@@ -127,10 +122,8 @@
struct gc_arena gc = gc_new();
if ((a & subnet) != (b & subnet))
{
- msg(M_USAGE, "%s IP addresses %s and %s are not in the same %s subnet",
- opt,
- print_in_addr_t(a, 0, &gc),
- print_in_addr_t(b, 0, &gc),
+ msg(M_USAGE, "%s IP addresses %s and %s are not in the same %s subnet", opt,
+ print_in_addr_t(a, 0, &gc), print_in_addr_t(b, 0, &gc),
print_in_addr_t(subnet, 0, &gc));
}
gc_free(&gc);
@@ -206,17 +199,17 @@
}
if (o->ifconfig_ipv6_pool_defined)
{
- msg(M_USAGE, "--server-ipv6 already defines an ifconfig-ipv6-pool, so you can't also specify --ifconfig-pool explicitly");
+ msg(M_USAGE,
+ "--server-ipv6 already defines an ifconfig-ipv6-pool, so you can't also specify --ifconfig-pool explicitly");
}
o->mode = MODE_SERVER;
o->tls_server = true;
/* local ifconfig is "base address + 1" and "+2" */
- o->ifconfig_ipv6_local =
- print_in6_addr( add_in6_addr( o->server_network_ipv6, 1), 0, &o->gc );
+ o->ifconfig_ipv6_local = print_in6_addr(add_in6_addr(o->server_network_ipv6, 1), 0, &o->gc);
o->ifconfig_ipv6_remote =
- print_in6_addr( add_in6_addr( o->server_network_ipv6, 2), 0, &o->gc );
+ print_in6_addr(add_in6_addr(o->server_network_ipv6, 2), 0, &o->gc);
o->ifconfig_ipv6_netbits = o->server_netbits_ipv6;
/* basic sanity check */
@@ -228,8 +221,8 @@
*
* Smaller pools can't get that far, therefore we just increase by 2
*/
- o->ifconfig_ipv6_pool_base = add_in6_addr(o->server_network_ipv6,
- o->server_netbits_ipv6 < 112 ? 0x1000 : 2);
+ o->ifconfig_ipv6_pool_base =
+ add_in6_addr(o->server_network_ipv6, o->server_netbits_ipv6 < 112 ? 0x1000 : 2);
o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6;
push_option(o, "tun-ipv6", M_USAGE);
@@ -283,12 +276,14 @@
if (o->shared_secret_file)
{
- msg(M_USAGE, "--server and --secret cannot be used together (you must use SSL/TLS keys)");
+ msg(M_USAGE,
+ "--server and --secret cannot be used together (you must use SSL/TLS keys)");
}
if (!(o->server_flags & SF_NOPOOL) && o->ifconfig_pool_defined)
{
- msg(M_USAGE, "--server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly");
+ msg(M_USAGE,
+ "--server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly");
}
if (!(dev == DEV_TYPE_TAP || dev == DEV_TYPE_TUN))
@@ -309,7 +304,8 @@
if (netbits < IFCONFIG_POOL_MIN_NETBITS)
{
- msg(M_USAGE, "--server directive netmask allows for too many host addresses (subnet must be %s or higher)",
+ msg(M_USAGE,
+ "--server directive netmask allows for too many host addresses (subnet must be %s or higher)",
print_netmask(IFCONFIG_POOL_MIN_NETBITS, &gc));
}
@@ -319,7 +315,8 @@
if (netbits > 29)
{
- msg(M_USAGE, "--server directive when used with --dev tun must define a subnet of %s or lower",
+ msg(M_USAGE,
+ "--server directive when used with --dev tun must define a subnet of %s or lower",
print_netmask(29, &gc));
}
@@ -342,14 +339,17 @@
{
o->ifconfig_pool_defined = true;
o->ifconfig_pool_start = o->server_network + 4;
- o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - pool_end_reserve;
- ifconfig_pool_verify_range(M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
+ o->ifconfig_pool_end =
+ (o->server_network | ~o->server_netmask) - pool_end_reserve;
+ ifconfig_pool_verify_range(M_USAGE, o->ifconfig_pool_start,
+ o->ifconfig_pool_end);
}
helper_add_route(o->server_network, o->server_netmask, o);
if (o->enable_c2c)
{
- push_option(o, print_opt_route(o->server_network, o->server_netmask, &o->gc), M_USAGE);
+ push_option(o, print_opt_route(o->server_network, o->server_netmask, &o->gc),
+ M_USAGE);
}
else if (o->topology == TOP_NET30)
{
@@ -366,7 +366,8 @@
o->ifconfig_pool_defined = true;
o->ifconfig_pool_start = o->server_network + 2;
o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 1;
- ifconfig_pool_verify_range(M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
+ ifconfig_pool_verify_range(M_USAGE, o->ifconfig_pool_start,
+ o->ifconfig_pool_end);
}
o->ifconfig_pool_netmask = o->server_netmask;
@@ -386,16 +387,17 @@
if (o->topology == TOP_NET30 && !(o->server_flags & SF_NOPOOL))
{
msg(M_WARN, "WARNING: --topology net30 support for server "
- "configs with IPv4 pools will be removed in a future "
- "release. Please migrate to --topology subnet as soon "
- "as possible.");
+ "configs with IPv4 pools will be removed in a future "
+ "release. Please migrate to --topology subnet as soon "
+ "as possible.");
}
}
else if (dev == DEV_TYPE_TAP)
{
if (netbits > 30)
{
- msg(M_USAGE, "--server directive when used with --dev tap must define a subnet of %s or lower",
+ msg(M_USAGE,
+ "--server directive when used with --dev tap must define a subnet of %s or lower",
print_netmask(30, &gc));
}
@@ -463,12 +465,14 @@
if (!(o->server_flags & SF_NOPOOL) && o->ifconfig_pool_defined)
{
- msg(M_USAGE, "--server-bridge already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly");
+ msg(M_USAGE,
+ "--server-bridge already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly");
}
if (o->shared_secret_file)
{
- msg(M_USAGE, "--server-bridge and --secret cannot be used together (you must use SSL/TLS keys)");
+ msg(M_USAGE,
+ "--server-bridge and --secret cannot be used together (you must use SSL/TLS keys)");
}
if (dev != DEV_TYPE_TAP)
@@ -478,9 +482,12 @@
if (o->server_bridge_defined)
{
- verify_common_subnet("--server-bridge", o->server_bridge_ip, o->server_bridge_pool_start, o->server_bridge_netmask);
- verify_common_subnet("--server-bridge", o->server_bridge_pool_start, o->server_bridge_pool_end, o->server_bridge_netmask);
- verify_common_subnet("--server-bridge", o->server_bridge_ip, o->server_bridge_pool_end, o->server_bridge_netmask);
+ verify_common_subnet("--server-bridge", o->server_bridge_ip,
+ o->server_bridge_pool_start, o->server_bridge_netmask);
+ verify_common_subnet("--server-bridge", o->server_bridge_pool_start,
+ o->server_bridge_pool_end, o->server_bridge_netmask);
+ verify_common_subnet("--server-bridge", o->server_bridge_ip, o->server_bridge_pool_end,
+ o->server_bridge_netmask);
}
o->mode = MODE_SERVER;
@@ -551,13 +558,14 @@
}
if (o->keepalive_ping * 2 > o->keepalive_timeout)
{
- msg(M_USAGE, "the second parameter to --keepalive (restart timeout=%d) must be at least twice the value of the first parameter (ping interval=%d). A ratio of 1:5 or 1:6 would be even better. Recommended setting is --keepalive 10 60.",
- o->keepalive_timeout,
- o->keepalive_ping);
+ msg(M_USAGE,
+ "the second parameter to --keepalive (restart timeout=%d) must be at least twice the value of the first parameter (ping interval=%d). A ratio of 1:5 or 1:6 would be even better. Recommended setting is --keepalive 10 60.",
+ o->keepalive_timeout, o->keepalive_ping);
}
if (o->ping_send_timeout || o->ping_rec_timeout)
{
- msg(M_USAGE, "--keepalive conflicts with --ping, --ping-exit, or --ping-restart. If you use --keepalive, you don't need any of the other --ping directives.");
+ msg(M_USAGE,
+ "--keepalive conflicts with --ping, --ping-exit, or --ping-restart. If you use --keepalive, you don't need any of the other --ping directives.");
}
/*
@@ -32,10 +32,7 @@
#include "httpdigest.h"
static void
-CvtHex(
- IN HASH Bin,
- OUT HASHHEX Hex
- )
+CvtHex(IN HASH Bin, OUT HASHHEX Hex)
{
unsigned short i;
unsigned char j;
@@ -45,20 +42,20 @@
j = (Bin[i] >> 4) & 0xf;
if (j <= 9)
{
- Hex[i*2] = (j + '0');
+ Hex[i * 2] = (j + '0');
}
else
{
- Hex[i*2] = (j + 'a' - 10);
+ Hex[i * 2] = (j + 'a' - 10);
}
j = Bin[i] & 0xf;
if (j <= 9)
{
- Hex[i*2+1] = (j + '0');
+ Hex[i * 2 + 1] = (j + '0');
}
else
{
- Hex[i*2+1] = (j + 'a' - 10);
+ Hex[i * 2 + 1] = (j + 'a' - 10);
}
}
Hex[HASHHEXLEN] = '\0';
@@ -66,34 +63,27 @@
/* calculate H(A1) as per spec */
void
-DigestCalcHA1(
- IN char *pszAlg,
- IN char *pszUserName,
- IN char *pszRealm,
- IN char *pszPassword,
- IN char *pszNonce,
- IN char *pszCNonce,
- OUT HASHHEX SessionKey
- )
+DigestCalcHA1(IN char *pszAlg, IN char *pszUserName, IN char *pszRealm, IN char *pszPassword,
+ IN char *pszNonce, IN char *pszCNonce, OUT HASHHEX SessionKey)
{
HASH HA1;
md_ctx_t *md5_ctx = md_ctx_new();
md_ctx_init(md5_ctx, "MD5");
- md_ctx_update(md5_ctx, (const uint8_t *) pszUserName, strlen(pszUserName));
- md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(md5_ctx, (const uint8_t *) pszRealm, strlen(pszRealm));
- md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(md5_ctx, (const uint8_t *) pszPassword, strlen(pszPassword));
+ md_ctx_update(md5_ctx, (const uint8_t *)pszUserName, strlen(pszUserName));
+ md_ctx_update(md5_ctx, (const uint8_t *)":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *)pszRealm, strlen(pszRealm));
+ md_ctx_update(md5_ctx, (const uint8_t *)":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *)pszPassword, strlen(pszPassword));
md_ctx_final(md5_ctx, HA1);
if (pszAlg && strcasecmp(pszAlg, "md5-sess") == 0)
{
md_ctx_init(md5_ctx, "MD5");
md_ctx_update(md5_ctx, HA1, HASHLEN);
- md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(md5_ctx, (const uint8_t *) pszNonce, strlen(pszNonce));
- md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(md5_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce));
+ md_ctx_update(md5_ctx, (const uint8_t *)":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *)pszNonce, strlen(pszNonce));
+ md_ctx_update(md5_ctx, (const uint8_t *)":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *)pszCNonce, strlen(pszCNonce));
md_ctx_final(md5_ctx, HA1);
}
md_ctx_cleanup(md5_ctx);
@@ -103,17 +93,16 @@
/* calculate request-digest/response-digest as per HTTP Digest spec */
void
-DigestCalcResponse(
- IN HASHHEX HA1, /* H(A1) */
- IN char *pszNonce, /* nonce from server */
- IN char *pszNonceCount, /* 8 hex digits */
- IN char *pszCNonce, /* client nonce */
- IN char *pszQop, /* qop-value: "", "auth", "auth-int" */
- IN char *pszMethod, /* method from the request */
- IN char *pszDigestUri, /* requested URL */
- IN HASHHEX HEntity, /* H(entity body) if qop="auth-int" */
- OUT HASHHEX Response /* request-digest or response-digest */
- )
+DigestCalcResponse(IN HASHHEX HA1, /* H(A1) */
+ IN char *pszNonce, /* nonce from server */
+ IN char *pszNonceCount, /* 8 hex digits */
+ IN char *pszCNonce, /* client nonce */
+ IN char *pszQop, /* qop-value: "", "auth", "auth-int" */
+ IN char *pszMethod, /* method from the request */
+ IN char *pszDigestUri, /* requested URL */
+ IN HASHHEX HEntity, /* H(entity body) if qop="auth-int" */
+ OUT HASHHEX Response /* request-digest or response-digest */
+)
{
HASH HA2;
HASH RespHash;
@@ -123,12 +112,12 @@
/* calculate H(A2) */
md_ctx_init(md5_ctx, "MD5");
- md_ctx_update(md5_ctx, (const uint8_t *) pszMethod, strlen(pszMethod));
- md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(md5_ctx, (const uint8_t *) pszDigestUri, strlen(pszDigestUri));
+ md_ctx_update(md5_ctx, (const uint8_t *)pszMethod, strlen(pszMethod));
+ md_ctx_update(md5_ctx, (const uint8_t *)":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *)pszDigestUri, strlen(pszDigestUri));
if (strcasecmp(pszQop, "auth-int") == 0)
{
- md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *)":", 1);
md_ctx_update(md5_ctx, HEntity, HASHHEXLEN);
}
md_ctx_final(md5_ctx, HA2);
@@ -137,17 +126,17 @@
/* calculate response */
md_ctx_init(md5_ctx, "MD5");
md_ctx_update(md5_ctx, HA1, HASHHEXLEN);
- md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(md5_ctx, (const uint8_t *) pszNonce, strlen(pszNonce));
- md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *)":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *)pszNonce, strlen(pszNonce));
+ md_ctx_update(md5_ctx, (const uint8_t *)":", 1);
if (*pszQop)
{
- md_ctx_update(md5_ctx, (const uint8_t *) pszNonceCount, strlen(pszNonceCount));
- md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(md5_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce));
- md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(md5_ctx, (const uint8_t *) pszQop, strlen(pszQop));
- md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *)pszNonceCount, strlen(pszNonceCount));
+ md_ctx_update(md5_ctx, (const uint8_t *)":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *)pszCNonce, strlen(pszCNonce));
+ md_ctx_update(md5_ctx, (const uint8_t *)":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *)pszQop, strlen(pszQop));
+ md_ctx_update(md5_ctx, (const uint8_t *)":", 1);
}
md_ctx_update(md5_ctx, HA2Hex, HASHHEXLEN);
md_ctx_final(md5_ctx, RespHash);
@@ -25,34 +25,26 @@
#define HASHLEN 16
typedef unsigned char HASH[HASHLEN];
#define HASHHEXLEN 32
-typedef unsigned char HASHHEX[HASHHEXLEN+1];
+typedef unsigned char HASHHEX[HASHHEXLEN + 1];
#undef IN
#undef OUT
#define IN const
#define OUT
/* calculate H(A1) as per HTTP Digest spec */
-void DigestCalcHA1(
- IN char *pszAlg,
- IN char *pszUserName,
- IN char *pszRealm,
- IN char *pszPassword,
- IN char *pszNonce,
- IN char *pszCNonce,
- OUT HASHHEX SessionKey
- );
+void DigestCalcHA1(IN char *pszAlg, IN char *pszUserName, IN char *pszRealm, IN char *pszPassword,
+ IN char *pszNonce, IN char *pszCNonce, OUT HASHHEX SessionKey);
/* calculate request-digest/response-digest as per HTTP Digest spec */
-void DigestCalcResponse(
- IN HASHHEX HA1, /* H(A1) */
- IN char *pszNonce, /* nonce from server */
- IN char *pszNonceCount, /* 8 hex digits */
- IN char *pszCNonce, /* client nonce */
- IN char *pszQop, /* qop-value: "", "auth", "auth-int" */
- IN char *pszMethod, /* method from the request */
- IN char *pszDigestUri, /* requested URL */
- IN HASHHEX HEntity, /* H(entity body) if qop="auth-int" */
- OUT HASHHEX Response /* request-digest or response-digest */
- );
+void DigestCalcResponse(IN HASHHEX HA1, /* H(A1) */
+ IN char *pszNonce, /* nonce from server */
+ IN char *pszNonceCount, /* 8 hex digits */
+ IN char *pszCNonce, /* client nonce */
+ IN char *pszQop, /* qop-value: "", "auth", "auth-int" */
+ IN char *pszMethod, /* method from the request */
+ IN char *pszDigestUri, /* requested URL */
+ IN HASHHEX HEntity, /* H(entity body) if qop="auth-int" */
+ OUT HASHHEX Response /* request-digest or response-digest */
+);
#endif /* if PROXY_DIGEST_AUTH */
@@ -58,15 +58,15 @@
#include "memdbg.h"
-static struct context *static_context; /* GLOBAL */
+static struct context *static_context; /* GLOBAL */
static const char *saved_pid_file_name; /* GLOBAL */
/*
* Crypto initialization flags
*/
-#define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
-#define CF_INIT_TLS_MULTI (1<<1)
-#define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
+#define CF_LOAD_PERSISTED_PACKET_ID (1 << 0)
+#define CF_INIT_TLS_MULTI (1 << 1)
+#define CF_INIT_TLS_AUTH_STANDALONE (1 << 2)
static void do_init_first_time(struct context *c);
@@ -105,21 +105,14 @@
* Used to execute the up/down script/plugins.
*/
static void
-run_up_down(const char *command,
- const struct plugin_list *plugins,
- int plugin_type,
+run_up_down(const char *command, const struct plugin_list *plugins, int plugin_type,
const char *arg,
#ifdef _WIN32
DWORD adapter_index,
#endif
- const char *dev_type,
- int tun_mtu,
- const char *ifconfig_local,
- const char *ifconfig_remote,
- const char *context,
- const char *signal_text,
- const char *script_type,
- struct env_set *es)
+ const char *dev_type, int tun_mtu, const char *ifconfig_local,
+ const char *ifconfig_remote, const char *context, const char *signal_text,
+ const char *script_type, struct env_set *es)
{
struct gc_arena gc = gc_new();
@@ -155,9 +148,8 @@
{
struct argv argv = argv_new();
ASSERT(arg);
- argv_printf(&argv,
- "%s %d 0 %s %s %s",
- arg, tun_mtu, ifconfig_local, ifconfig_remote, context);
+ argv_printf(&argv, "%s %d 0 %s %s %s", arg, tun_mtu, ifconfig_local, ifconfig_remote,
+ context);
if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
{
@@ -173,8 +165,8 @@
ASSERT(arg);
setenv_str(es, "script_type", script_type);
argv_parse_cmd(&argv, command);
- argv_printf_cat(&argv, "%s %d 0 %s %s %s", arg, tun_mtu,
- ifconfig_local, ifconfig_remote, context);
+ argv_printf_cat(&argv, "%s %d 0 %s %s %s", arg, tun_mtu, ifconfig_local, ifconfig_remote,
+ context);
argv_msg(M_INFO, &argv);
openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
argv_free(&argv);
@@ -196,8 +188,7 @@
* for the period of time before we pull the --ping-restart parameter
* from the server.
*/
- if (options->pull
- && options->ping_rec_timeout_action == PING_UNDEF
+ if (options->pull && options->ping_rec_timeout_action == PING_UNDEF
&& proto_is_dgram(options->ce.proto))
{
options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
@@ -303,11 +294,9 @@
* @return if sending was successful
*/
static bool
-management_callback_send_cc_message(void *arg,
- const char *command,
- const char *parameters)
+management_callback_send_cc_message(void *arg, const char *command, const char *parameters)
{
- struct context *c = (struct context *) arg;
+ struct context *c = (struct context *)arg;
size_t len = strlen(command) + 1 + strlen(parameters) + 1;
if (len > PUSH_BUNDLE_SIZE)
{
@@ -331,7 +320,7 @@
management_callback_remote_entry_count(void *arg)
{
assert(arg);
- struct context *c = (struct context *) arg;
+ struct context *c = (struct context *)arg;
struct connection_list *l = c->options.connection_list;
return l->len;
@@ -343,7 +332,7 @@
assert(arg);
assert(remote);
- struct context *c = (struct context *) arg;
+ struct context *c = (struct context *)arg;
struct connection_list *l = c->options.connection_list;
bool ret = true;
@@ -354,8 +343,8 @@
const char *status = (ce->flags & CE_DISABLED) ? "disabled" : "enabled";
/* space for output including 3 commas and a nul */
- int len = strlen(ce->remote) + strlen(ce->remote_port) + strlen(proto)
- + strlen(status) + 3 + 1;
+ int len =
+ strlen(ce->remote) + strlen(ce->remote_port) + strlen(proto) + strlen(status) + 3 + 1;
char *out = malloc(len);
check_malloc_return(out);
@@ -374,10 +363,12 @@
static bool
management_callback_remote_cmd(void *arg, const char **p)
{
- struct context *c = (struct context *) arg;
+ struct context *c = (struct context *)arg;
struct connection_entry *ce = &c->options.ce;
int ret = false;
- if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
+ if (p[1]
+ && ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK)
+ == CE_MAN_QUERY_REMOTE_QUERY)
{
int flags = 0;
if (!strcmp(p[1], "ACCEPT"))
@@ -412,8 +403,8 @@
}
if (ret)
{
- ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
- ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
+ ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
+ ce->flags |= ((flags & CE_MAN_QUERY_REMOTE_MASK) << CE_MAN_QUERY_REMOTE_SHIFT);
}
}
return ret;
@@ -438,8 +429,8 @@
ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
- while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
- & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
+ while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK)
+ == CE_MAN_QUERY_REMOTE_QUERY)
{
management_event_loop_n_seconds(management, 1);
if (IS_SIG(c))
@@ -457,8 +448,7 @@
/* If it is likely a connection entry was modified,
* check what changed in the flags and that it was not skipped
*/
- const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
- & CE_MAN_QUERY_REMOTE_MASK);
+ const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK);
ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
}
return ce_changed;
@@ -635,7 +625,7 @@
/* Check if this connection attempt would bring us over the limit */
if (c->options.connect_retry_max > 0
- && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
+ && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
{
msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
c->options.connect_retry_max);
@@ -660,12 +650,11 @@
{
enable_auth_user_pass();
#ifdef ENABLE_MANAGEMENT
- auth_user_pass_setup(c->options.auth_user_pass_file,
- c->options.auth_user_pass_file_inline,
+ auth_user_pass_setup(c->options.auth_user_pass_file, c->options.auth_user_pass_file_inline,
&c->options.sc_info);
#else
- auth_user_pass_setup(c->options.auth_user_pass_file,
- c->options.auth_user_pass_file_inline, NULL);
+ auth_user_pass_setup(c->options.auth_user_pass_file, c->options.auth_user_pass_file_inline,
+ NULL);
#endif
}
}
@@ -713,9 +702,9 @@
if (!did_http && c->options.ce.socks_proxy_server)
{
- c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server,
- c->options.ce.socks_proxy_port,
- c->options.ce.socks_proxy_authfile);
+ c->c1.socks_proxy =
+ socks_proxy_new(c->options.ce.socks_proxy_server, c->options.ce.socks_proxy_port,
+ c->options.ce.socks_proxy_authfile);
if (c->c1.socks_proxy)
{
c->c1.socks_proxy_owned = true;
@@ -738,8 +727,8 @@
static void
do_link_socket_addr_new(struct context *c)
{
- ALLOC_ARRAY_CLEAR_GC(c->c1.link_socket_addrs, struct link_socket_addr,
- c->c1.link_sockets_num, &c->gc);
+ ALLOC_ARRAY_CLEAR_GC(c->c1.link_socket_addrs, struct link_socket_addr, c->c1.link_sockets_num,
+ &c->gc);
}
void
@@ -760,10 +749,11 @@
{
int i;
pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
- for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
+ for (i = 0; i < MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
{
- pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
- c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
+ pkcs11_addProvider(
+ c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
+ c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
}
}
#endif
@@ -788,9 +778,8 @@
* See possibly_become_daemon() [init.c] for more details.
*/
sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
- (unsigned long) getpid());
+ (unsigned long)getpid());
#endif
-
}
void
@@ -818,10 +807,9 @@
{
if (!port_share && (c->options.port_share_host && c->options.port_share_port))
{
- port_share = port_share_open(c->options.port_share_host,
- c->options.port_share_port,
- c->c2.frame.buf.payload_size,
- c->options.port_share_journal_dir);
+ port_share =
+ port_share_open(c->options.port_share_host, c->options.port_share_port,
+ c->c2.frame.buf.payload_size, c->options.port_share_journal_dir);
if (port_share == NULL)
{
msg(M_FATAL, "Fatal error: Port sharing failed");
@@ -849,12 +837,12 @@
struct timeval tv;
if (!gettimeofday(&tv, NULL))
{
- const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
+ const unsigned int seed = (unsigned int)tv.tv_sec ^ tv.tv_usec;
srandom(seed);
}
- error_reset(); /* initialize error.c */
- reset_check_status(); /* initialize status check code in socket.c */
+ error_reset(); /* initialize error.c */
+ reset_check_status(); /* initialize status check code in socket.c */
#ifdef _WIN32
init_win32();
@@ -892,9 +880,7 @@
#ifdef GEN_PATH_TEST
{
struct gc_arena gc = gc_new();
- const char *fn = gen_path("foo",
- "bar",
- &gc);
+ const char *fn = gen_path("foo", "bar", &gc);
printf("%s\n", fn);
gc_free(&gc);
}
@@ -1011,8 +997,7 @@
}
if (options->show_tls_ciphers)
{
- show_available_tls_ciphers(options->cipher_list,
- options->cipher_list_tls13,
+ show_available_tls_ciphers(options->cipher_list, options->cipher_list_tls13,
options->tls_cert_profile);
}
if (options->show_curves)
@@ -1040,11 +1025,10 @@
* We do not want user to use --genkey with --secret. In the transistion
* phase we for secret.
*/
- if (options->genkey && options->genkey_type != GENKEY_SECRET
- && options->shared_secret_file)
+ if (options->genkey && options->genkey_type != GENKEY_SECRET && options->shared_secret_file)
{
msg(M_USAGE, "Using --genkey type with --secret filename is "
- "not supported. Use --genkey type filename instead.");
+ "not supported. Use --genkey type filename instead.");
}
if (options->genkey && options->genkey_type == GENKEY_SECRET)
{
@@ -1053,7 +1037,7 @@
if (options->shared_secret_file && options->genkey_filename)
{
msg(M_USAGE, "You must provide a filename to either --genkey "
- "or --secret, not both");
+ "or --secret, not both");
}
/*
@@ -1063,7 +1047,7 @@
if (options->shared_secret_file)
{
msg(M_WARN, "WARNING: Using --genkey --secret filename is "
- "DEPRECATED. Use --genkey secret filename instead.");
+ "DEPRECATED. Use --genkey secret filename instead.");
genkey_filename = options->shared_secret_file;
}
@@ -1073,8 +1057,7 @@
msg(M_FATAL, "Failed to write key file");
}
- msg(D_GENKEY | M_NOPREFIX,
- "Randomly generated %d bit key written to %s", nbits_written,
+ msg(D_GENKEY | M_NOPREFIX, "Randomly generated %d bit key written to %s", nbits_written,
options->shared_secret_file);
return true;
}
@@ -1091,8 +1074,8 @@
"--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
}
- tls_crypt_v2_write_client_key_file(options->genkey_filename,
- options->genkey_extra_data, options->tls_crypt_v2_file,
+ tls_crypt_v2_write_client_key_file(options->genkey_filename, options->genkey_extra_data,
+ options->tls_crypt_v2_file,
options->tls_crypt_v2_file_inline);
return true;
}
@@ -1120,13 +1103,10 @@
/* sanity check on options for --mktun or --rmtun */
notnull(options->dev, "TUN/TAP device (--dev)");
- if (options->ce.remote || options->ifconfig_local
- || options->ifconfig_remote_netmask
- || options->shared_secret_file
- || options->tls_server || options->tls_client
- )
+ if (options->ce.remote || options->ifconfig_local || options->ifconfig_remote_netmask
+ || options->shared_secret_file || options->tls_server || options->tls_client)
{
- msg(M_FATAL|M_OPTERR,
+ msg(M_FATAL | M_OPTERR,
"options --mktun or --rmtun should only be used together with --dev");
}
@@ -1150,21 +1130,20 @@
#endif
#ifdef ENABLE_FEATURE_TUN_PERSIST
- tuncfg(options->dev, options->dev_type, options->dev_node,
- options->persist_mode,
- options->username, options->groupname, &options->tuntap_options,
- ctx);
+ tuncfg(options->dev, options->dev_type, options->dev_node, options->persist_mode,
+ options->username, options->groupname, &options->tuntap_options, ctx);
if (options->persist_mode && options->lladdr)
{
set_lladdr(ctx, options->dev, options->lladdr, NULL);
}
return true;
-#else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
- msg(M_FATAL|M_OPTERR,
+#else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
+ msg(M_FATAL | M_OPTERR,
"options --mktun and --rmtun are not available on your operating "
"system. Please check 'man tun' (or 'tap'), whether your system "
"supports using 'ifconfig %s create' / 'destroy' to create/remove "
- "persistent tunnel interfaces.", options->dev );
+ "persistent tunnel interfaces.",
+ options->dev);
#endif
return false;
}
@@ -1241,9 +1220,7 @@
{
if (no_delay)
{
- platform_user_group_set(&c0->platform_state_user,
- &c0->platform_state_group,
- c);
+ platform_user_group_set(&c0->platform_state_user, &c0->platform_state_group, c);
}
else if (c->first_time)
{
@@ -1271,7 +1248,8 @@
{
if (-1 == setcon(c->options.selinux_context))
{
- msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
+ msg(M_ERR, "setcon to '%s' failed; is /proc accessible?",
+ c->options.selinux_context);
}
else
{
@@ -1316,17 +1294,12 @@
#ifdef _WIN32
if (options->exit_event_name)
{
- win32_signal_open(&win32_signal,
- WSO_FORCE_SERVICE,
- options->exit_event_name,
+ win32_signal_open(&win32_signal, WSO_FORCE_SERVICE, options->exit_event_name,
options->exit_event_initial_state);
}
else
{
- win32_signal_open(&win32_signal,
- WSO_FORCE_CONSOLE,
- NULL,
- false);
+ win32_signal_open(&win32_signal, WSO_FORCE_CONSOLE, NULL, false);
/* put a title on the top window bar */
if (win32_signal.mode == WSO_MODE_CONSOLE)
@@ -1377,8 +1350,7 @@
/* initialize inactivity timeout */
if (c->options.session_timeout)
{
- event_timeout_init(&c->c2.session_interval, c->options.session_timeout,
- now);
+ event_timeout_init(&c->c2.session_interval, c->options.session_timeout, now);
}
/* initialize pings */
@@ -1409,8 +1381,7 @@
if (c->options.auth_token_generate
&& c->options.auth_token_renewal < c->options.renegotiate_seconds)
{
- event_timeout_init(&c->c2.auth_token_renewal_interval,
- c->options.auth_token_renewal, now);
+ event_timeout_init(&c->c2.auth_token_renewal_interval, c->options.auth_token_renewal, now);
}
if (!deferred)
@@ -1420,16 +1391,16 @@
/* initialize occ timers */
- if (c->options.occ
- && !TLS_MODE(c)
- && c->c2.options_string_local && c->c2.options_string_remote)
+ if (c->options.occ && !TLS_MODE(c) && c->c2.options_string_local
+ && c->c2.options_string_remote)
{
event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
}
if (c->options.mtu_test)
{
- event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
+ event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS,
+ now);
}
/* initialize packet_id persistence timer */
@@ -1482,10 +1453,8 @@
* options and saving routes in the environment.
*/
static void
-do_init_route_list(const struct options *options,
- struct route_list *route_list,
- const struct link_socket_info *link_socket_info,
- struct env_set *es,
+do_init_route_list(const struct options *options, struct route_list *route_list,
+ const struct link_socket_info *link_socket_info, struct env_set *es,
openvpn_net_ctx_t *ctx)
{
const char *gw = NULL;
@@ -1514,13 +1483,8 @@
metric = options->route_default_metric;
}
- if (init_route_list(route_list,
- options->routes,
- gw,
- metric,
- link_socket_current_remote(link_socket_info),
- es,
- ctx))
+ if (init_route_list(route_list, options->routes, gw, metric,
+ link_socket_current_remote(link_socket_info), es, ctx))
{
/* copy routes to environment */
setenv_routes(es, route_list);
@@ -1528,14 +1492,12 @@
}
static void
-do_init_route_ipv6_list(const struct options *options,
- struct route_ipv6_list *route_ipv6_list,
- const struct link_socket_info *link_socket_info,
- struct env_set *es,
+do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list,
+ const struct link_socket_info *link_socket_info, struct env_set *es,
openvpn_net_ctx_t *ctx)
{
const char *gw = NULL;
- int metric = -1; /* no metric set */
+ int metric = -1; /* no metric set */
/* see explanation in do_init_route_list() */
if (dco_enabled(options))
@@ -1543,7 +1505,7 @@
metric = DCO_DEFAULT_METRIC;
}
- gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
+ gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
if (options->route_ipv6_default_gateway)
{
gw = options->route_ipv6_default_gateway;
@@ -1563,19 +1525,14 @@
for (i = 0; opt_list[i]; i++)
{
- add_route_ipv6_to_option_list( options->routes_ipv6,
- string_alloc(opt_list[i], options->routes_ipv6->gc),
- NULL, NULL, options->route_default_table_id);
+ add_route_ipv6_to_option_list(options->routes_ipv6,
+ string_alloc(opt_list[i], options->routes_ipv6->gc), NULL,
+ NULL, options->route_default_table_id);
}
}
- if (init_route_ipv6_list(route_ipv6_list,
- options->routes_ipv6,
- gw,
- metric,
- link_socket_current_remote_ipv6(link_socket_info),
- es,
- ctx))
+ if (init_route_ipv6_list(route_ipv6_list, options->routes_ipv6, gw, metric,
+ link_socket_current_remote_ipv6(link_socket_info), es, ctx))
{
/* copy routes to environment */
setenv_routes_ipv6(es, route_ipv6_list);
@@ -1601,8 +1558,8 @@
if (flags & ISC_ERRORS)
{
#ifdef _WIN32
- show_routes(M_INFO|M_NOPREFIX);
- show_adapters(M_INFO|M_NOPREFIX);
+ show_routes(M_INFO | M_NOPREFIX);
+ show_adapters(M_INFO | M_NOPREFIX);
msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
#else
#ifdef ENABLE_SYSTEMD
@@ -1620,7 +1577,7 @@
}
/* Flag that we initialized */
- if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
+ if ((flags & (ISC_ERRORS | ISC_SERVER)) == 0)
{
c->options.no_advance = true;
}
@@ -1682,13 +1639,8 @@
tun_local = &c->c1.tuntap->local;
tun_local6 = &c->c1.tuntap->local_ipv6;
}
- management_set_state(management,
- OPENVPN_STATE_CONNECTED,
- detail,
- tun_local,
- tun_local6,
- &local,
- &remote);
+ management_set_state(management, OPENVPN_STATE_CONNECTED, detail, tun_local, tun_local6,
+ &local, &remote);
if (tun_local)
{
management_post_tunnel_open(management, *tun_local);
@@ -1704,8 +1656,7 @@
static bool
route_noexec_enabled(const struct options *o, const struct tuntap *tt)
{
- return o->route_noexec
- || (tt && tt->backend_driver == DRIVER_AFUNIX)
+ return o->route_noexec || (tt && tt->backend_driver == DRIVER_AFUNIX)
|| (tt && tt->backend_driver == DRIVER_NULL);
}
@@ -1714,19 +1665,14 @@
* based on options.
*/
bool
-do_route(const struct options *options,
- struct route_list *route_list,
- struct route_ipv6_list *route_ipv6_list,
- const struct tuntap *tt,
- const struct plugin_list *plugins,
- struct env_set *es,
- openvpn_net_ctx_t *ctx)
+do_route(const struct options *options, struct route_list *route_list,
+ struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt,
+ const struct plugin_list *plugins, struct env_set *es, openvpn_net_ctx_t *ctx)
{
bool ret = true;
- if (!route_noexec_enabled(options, tt) && ( route_list || route_ipv6_list ) )
+ if (!route_noexec_enabled(options, tt) && (route_list || route_ipv6_list))
{
- ret = add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
- es, ctx);
+ ret = add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options), es, ctx);
setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
}
#ifdef ENABLE_MANAGEMENT
@@ -1738,7 +1684,8 @@
if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
{
- if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
+ if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es)
+ != OPENVPN_PLUGIN_FUNC_SUCCESS)
{
msg(M_WARN, "WARNING: route-up plugin call failed");
}
@@ -1756,13 +1703,13 @@
#ifdef _WIN32
if (options->show_net_up)
{
- show_routes(M_INFO|M_NOPREFIX);
- show_adapters(M_INFO|M_NOPREFIX);
+ show_routes(M_INFO | M_NOPREFIX);
+ show_adapters(M_INFO | M_NOPREFIX);
}
else if (check_debug_level(D_SHOW_NET))
{
- show_routes(D_SHOW_NET|M_NOPREFIX);
- show_adapters(D_SHOW_NET|M_NOPREFIX);
+ show_routes(D_SHOW_NET | M_NOPREFIX);
+ show_adapters(D_SHOW_NET | M_NOPREFIX);
}
#endif
return ret;
@@ -1774,27 +1721,19 @@
static void
do_init_tun(struct context *c)
{
- c->c1.tuntap = init_tun(c->options.dev,
- c->options.dev_type,
- c->options.topology,
- c->options.ifconfig_local,
- c->options.ifconfig_remote_netmask,
- c->options.ifconfig_ipv6_local,
- c->options.ifconfig_ipv6_netbits,
- c->options.ifconfig_ipv6_remote,
- c->c1.link_socket_addrs[0].bind_local,
- c->c1.link_socket_addrs[0].remote_list,
- !c->options.ifconfig_nowarn,
- c->c2.es,
- &c->net_ctx,
- c->c1.tuntap);
+ c->c1.tuntap = init_tun(c->options.dev, c->options.dev_type, c->options.topology,
+ c->options.ifconfig_local, c->options.ifconfig_remote_netmask,
+ c->options.ifconfig_ipv6_local, c->options.ifconfig_ipv6_netbits,
+ c->options.ifconfig_ipv6_remote, c->c1.link_socket_addrs[0].bind_local,
+ c->c1.link_socket_addrs[0].remote_list, !c->options.ifconfig_nowarn,
+ c->c2.es, &c->net_ctx, c->c1.tuntap);
if (is_tun_afunix(c->options.dev_node))
{
/* Using AF_UNIX trumps using DCO */
c->c1.tuntap->backend_driver = DRIVER_AFUNIX;
}
- else if (is_dev_type(c->options.dev, c->options.dev_type, "null"))
+ else if (is_dev_type(c->options.dev, c->options.dev_type, "null"))
{
c->c1.tuntap->backend_driver = DRIVER_NULL;
}
@@ -1814,9 +1753,7 @@
}
#endif
- init_tun_post(c->c1.tuntap,
- &c->c2.frame,
- &c->options.tuntap_options);
+ init_tun_post(c->c1.tuntap, &c->c2.frame, &c->options.tuntap_options);
c->c1.tuntap_owned = true;
}
@@ -1916,10 +1853,10 @@
}
else
{
- open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
- tt, &c->net_ctx);
+ open_tun(c->options.dev, c->options.dev_type, c->options.dev_node, tt, &c->net_ctx);
}
- msg(M_INFO, "%s device [%s] opened", print_tun_backend_driver(tt->backend_driver), tt->actual_name);
+ msg(M_INFO, "%s device [%s] opened", print_tun_backend_driver(tt->backend_driver),
+ tt->actual_name);
}
@@ -1958,8 +1895,7 @@
#ifdef _WIN32
/* store (hide) interactive service handle in tuntap_options */
c->c1.tuntap->options.msg_channel = c->options.msg_channel;
- msg(D_ROUTE, "interactive service msg_channel=%" PRIuPTR,
- (intptr_t) c->options.msg_channel);
+ msg(D_ROUTE, "interactive service msg_channel=%" PRIuPTR, (intptr_t)c->options.msg_channel);
#endif
/* allocate route list structure */
@@ -1969,8 +1905,8 @@
ASSERT(c->c2.link_sockets[0]);
if (c->options.routes && c->c1.route_list)
{
- do_init_route_list(&c->options, c->c1.route_list,
- &c->c2.link_sockets[0]->info, c->c2.es, &c->net_ctx);
+ do_init_route_list(&c->options, c->c1.route_list, &c->c2.link_sockets[0]->info,
+ c->c2.es, &c->net_ctx);
}
if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
{
@@ -1979,15 +1915,12 @@
}
/* do ifconfig */
- if (!ifconfig_noexec_enabled(c)
- && ifconfig_order(c->c1.tuntap) == IFCONFIG_BEFORE_TUN_OPEN)
+ if (!ifconfig_noexec_enabled(c) && ifconfig_order(c->c1.tuntap) == IFCONFIG_BEFORE_TUN_OPEN)
{
/* guess actual tun/tap unit number that will be returned
* by open_tun */
- const char *guess = guess_tuntap_dev(c->options.dev,
- c->options.dev_type,
- c->options.dev_node,
- &gc);
+ const char *guess =
+ guess_tuntap_dev(c->options.dev, c->options.dev_type, c->options.dev_node, &gc);
do_ifconfig(c->c1.tuntap, guess, c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx);
}
@@ -2019,31 +1952,23 @@
}
/* do ifconfig */
- if (!ifconfig_noexec_enabled(c)
- && ifconfig_order(c->c1.tuntap) == IFCONFIG_AFTER_TUN_OPEN)
+ if (!ifconfig_noexec_enabled(c) && ifconfig_order(c->c1.tuntap) == IFCONFIG_AFTER_TUN_OPEN)
{
- do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name,
- c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx);
+ do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name, c->c2.frame.tun_mtu, c->c2.es,
+ &c->net_ctx);
}
run_dns_up_down(true, &c->options, c->c1.tuntap, &c->persist.duri);
/* run the up script */
- run_up_down(c->options.up_script,
- c->plugins,
- OPENVPN_PLUGIN_UP,
- c->c1.tuntap->actual_name,
+ run_up_down(c->options.up_script, c->plugins, OPENVPN_PLUGIN_UP, c->c1.tuntap->actual_name,
#ifdef _WIN32
c->c1.tuntap->adapter_index,
#endif
- dev_type_string(c->options.dev, c->options.dev_type),
- c->c2.frame.tun_mtu,
+ dev_type_string(c->options.dev, c->options.dev_type), c->c2.frame.tun_mtu,
print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
- print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
- "init",
- NULL,
- "up",
- c->c2.es);
+ print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init",
+ NULL, "up", c->c2.es);
add_wfp_block(c);
@@ -2060,8 +1985,7 @@
}
else
{
- msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
- c->c1.tuntap->actual_name);
+ msg(M_INFO, "Preserving previous TUN/TAP instance: %s", c->c1.tuntap->actual_name);
/* explicitly set the ifconfig_* env vars */
do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
@@ -2071,21 +1995,15 @@
/* run the up script if user specified --up-restart */
if (c->options.up_restart)
{
- run_up_down(c->options.up_script,
- c->plugins,
- OPENVPN_PLUGIN_UP,
+ run_up_down(c->options.up_script, c->plugins, OPENVPN_PLUGIN_UP,
c->c1.tuntap->actual_name,
#ifdef _WIN32
c->c1.tuntap->adapter_index,
#endif
- dev_type_string(c->options.dev, c->options.dev_type),
- c->c2.frame.tun_mtu,
+ dev_type_string(c->options.dev, c->options.dev_type), c->c2.frame.tun_mtu,
print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
- "restart",
- NULL,
- "up",
- c->c2.es);
+ "restart", NULL, "up", c->c2.es);
}
add_wfp_block(c);
@@ -2101,8 +2019,7 @@
static void
do_close_tun_simple(struct context *c)
{
- msg(D_CLOSE, "Closing %s interface",
- print_tun_backend_driver(c->c1.tuntap->backend_driver));
+ msg(D_CLOSE, "Closing %s interface", print_tun_backend_driver(c->c1.tuntap->backend_driver));
if (c->c1.tuntap)
{
@@ -2174,26 +2091,18 @@
/* delete any routes we added */
if (c->c1.route_list || c->c1.route_ipv6_list)
{
- run_up_down(c->options.route_predown_script,
- c->plugins,
- OPENVPN_PLUGIN_ROUTE_PREDOWN,
+ run_up_down(c->options.route_predown_script, c->plugins, OPENVPN_PLUGIN_ROUTE_PREDOWN,
tuntap_actual,
#ifdef _WIN32
adapter_index,
#endif
- NULL,
- c->c2.frame.tun_mtu,
- print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
- print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
- "init",
- signal_description(c->sig->signal_received,
- c->sig->signal_text),
- "route-pre-down",
- c->c2.es);
+ NULL, c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
+ print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init",
+ signal_description(c->sig->signal_received, c->sig->signal_text),
+ "route-pre-down", c->c2.es);
- delete_routes(c->c1.route_list, c->c1.route_ipv6_list,
- c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
- c->c2.es, &c->net_ctx);
+ delete_routes(c->c1.route_list, c->c1.route_ipv6_list, c->c1.tuntap,
+ ROUTE_OPTION_FLAGS(&c->options), c->c2.es, &c->net_ctx);
}
/* actually close tun/tap device based on --down-pre flag */
@@ -2204,21 +2113,13 @@
/* Run the down script -- note that it will run at reduced
* privilege if, for example, "--user" was used. */
- run_up_down(c->options.down_script,
- c->plugins,
- OPENVPN_PLUGIN_DOWN,
- tuntap_actual,
+ run_up_down(c->options.down_script, c->plugins, OPENVPN_PLUGIN_DOWN, tuntap_actual,
#ifdef _WIN32
adapter_index,
#endif
- NULL,
- c->c2.frame.tun_mtu,
- print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
- print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
- "init",
- signal_description(c->sig->signal_received,
- c->sig->signal_text),
- "down",
+ NULL, c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
+ print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init",
+ signal_description(c->sig->signal_received, c->sig->signal_text), "down",
c->c2.es);
del_wfp_block(c, adapter_index);
@@ -2234,21 +2135,13 @@
/* run the down script on this restart if --up-restart was specified */
if (c->options.up_restart)
{
- run_up_down(c->options.down_script,
- c->plugins,
- OPENVPN_PLUGIN_DOWN,
- tuntap_actual,
+ run_up_down(c->options.down_script, c->plugins, OPENVPN_PLUGIN_DOWN, tuntap_actual,
#ifdef _WIN32
adapter_index,
#endif
- NULL,
- c->c2.frame.tun_mtu,
- print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
- print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
- "restart",
- signal_description(c->sig->signal_received,
- c->sig->signal_text),
- "down",
+ NULL, c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
+ print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "restart",
+ signal_description(c->sig->signal_received, c->sig->signal_text), "down",
c->c2.es);
}
@@ -2277,10 +2170,9 @@
* equal, or either one is all-zeroes.
*/
static bool
-options_hash_changed_or_zero(const struct sha256_digest *a,
- const struct sha256_digest *b)
+options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
{
- const struct sha256_digest zero = {{0}};
+ const struct sha256_digest zero = { { 0 } };
return memcmp(a, b, sizeof(struct sha256_digest))
|| !memcmp(a, &zero, sizeof(struct sha256_digest));
}
@@ -2316,13 +2208,12 @@
if (cipher_kt_mode_aead(o->ciphername))
{
- buf_printf(&out, "Data Channel: cipher '%s'",
- cipher_kt_name(o->ciphername));
+ buf_printf(&out, "Data Channel: cipher '%s'", cipher_kt_name(o->ciphername));
}
else
{
- buf_printf(&out, "Data Channel: cipher '%s', auth '%s'",
- cipher_kt_name(o->ciphername), md_kt_name(o->authname));
+ buf_printf(&out, "Data Channel: cipher '%s', auth '%s'", cipher_kt_name(o->ciphername),
+ md_kt_name(o->authname));
}
if (o->use_peer_id)
@@ -2393,8 +2284,7 @@
if (c->options.ce.explicit_exit_notification)
{
- buf_printf(&out, "explicit-exit-notify %d",
- c->options.ce.explicit_exit_notification);
+ buf_printf(&out, "explicit-exit-notify %d", c->options.ce.explicit_exit_notification);
}
if (c->options.imported_protocol_flags)
{
@@ -2446,10 +2336,8 @@
#endif
struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
- if (!tls_session_update_crypto_params(c->c2.tls_multi, session,
- &c->options, &c->c2.frame,
- frame_fragment,
- get_link_socket_info(c),
+ if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame,
+ frame_fragment, get_link_socket_info(c),
&c->c1.tuntap->dco))
{
msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
@@ -2486,14 +2374,13 @@
* Was tun interface object persisted from previous restart iteration,
* and if so did pulled options string change from previous iteration?
*/
- if (!c->c2.did_open_tun
- && PULL_DEFINED(&c->options)
- && c->c1.tuntap
+ if (!c->c2.did_open_tun && PULL_DEFINED(&c->options) && c->c1.tuntap
&& options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
&c->c2.pulled_options_digest))
{
/* if so, close tun, delete routes, then reinitialize tun and add routes */
- msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
+ msg(M_INFO,
+ "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
bool tt_dco_win = tuntap_is_dco_win(c->c1.tuntap);
do_close_tun(c, true);
@@ -2519,7 +2406,8 @@
* reconnects to setup various things (like DCO and NCP cipher) that
* might have changed from the previous connection.
*/
- if (!c->c2.do_up_ran || (c->c2.tls_multi && c->c2.tls_multi->multi_state == CAS_RECONNECT_PENDING))
+ if (!c->c2.do_up_ran
+ || (c->c2.tls_multi && c->c2.tls_multi->multi_state == CAS_RECONNECT_PENDING))
{
if (c->mode == MODE_POINT_TO_POINT)
{
@@ -2567,7 +2455,8 @@
if ((route_order(c->c1.tuntap) == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
{
event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
- event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
+ event_timeout_init(&c->c2.route_wakeup_expire,
+ c->options.route_delay + c->options.route_delay_window, now);
tun_standby_init(c->c1.tuntap);
}
else
@@ -2630,7 +2519,8 @@
if ((route_order(c->c1.tuntap) == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
{
event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
- event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
+ event_timeout_init(&c->c2.route_wakeup_expire,
+ c->options.route_delay + c->options.route_delay_window, now);
tun_standby_init(c->c1.tuntap);
}
@@ -2648,23 +2538,10 @@
unsigned int
pull_permission_mask(const struct context *c)
{
- unsigned int flags =
- OPT_P_UP
- | OPT_P_ROUTE_EXTRAS
- | OPT_P_SOCKBUF
- | OPT_P_SOCKFLAGS
- | OPT_P_SETENV
- | OPT_P_SHAPER
- | OPT_P_TIMER
- | OPT_P_COMP
- | OPT_P_PERSIST
- | OPT_P_MESSAGES
- | OPT_P_EXPLICIT_NOTIFY
- | OPT_P_ECHO
- | OPT_P_PULL_MODE
- | OPT_P_PEER_ID
- | OPT_P_NCP
- | OPT_P_PUSH_MTU;
+ unsigned int flags = OPT_P_UP | OPT_P_ROUTE_EXTRAS | OPT_P_SOCKBUF | OPT_P_SOCKFLAGS
+ | OPT_P_SETENV | OPT_P_SHAPER | OPT_P_TIMER | OPT_P_COMP | OPT_P_PERSIST
+ | OPT_P_MESSAGES | OPT_P_EXPLICIT_NOTIFY | OPT_P_ECHO | OPT_P_PULL_MODE
+ | OPT_P_PEER_ID | OPT_P_NCP | OPT_P_PUSH_MTU;
if (!c->options.route_nopull)
{
@@ -2686,8 +2563,8 @@
struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
- const char *ncp_cipher = get_p2p_ncp_cipher(session, c->c2.tls_multi->peer_info,
- &c->options.gc);
+ const char *ncp_cipher =
+ get_p2p_ncp_cipher(session, c->c2.tls_multi->peer_info, &c->options.gc);
if (ncp_cipher)
{
@@ -2696,8 +2573,8 @@
else if (!c->options.enable_ncp_fallback)
{
msg(D_TLS_ERRORS, "ERROR: failed to negotiate cipher with peer and "
- "--data-ciphers-fallback not enabled. No usable "
- "data channel cipher");
+ "--data-ciphers-fallback not enabled. No usable "
+ "data channel cipher");
return false;
}
@@ -2709,9 +2586,8 @@
}
#endif
- if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options,
- &c->c2.frame, frame_fragment,
- get_link_socket_info(c),
+ if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame,
+ frame_fragment, get_link_socket_info(c),
&c->c1.tuntap->dco))
{
msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher");
@@ -2725,7 +2601,7 @@
{
if (found & OPT_P_MESSAGES)
{
- init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2);
+ init_verb_mute(c, IVM_LEVEL_1 | IVM_LEVEL_2);
msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
}
if (found & OPT_P_TIMER)
@@ -2754,9 +2630,9 @@
if (!check_compression_settings_valid(&c->options.comp, D_PUSH_ERRORS))
{
msg(D_PUSH_ERRORS, "OPTIONS ERROR: server pushed compression "
- "settings that are not allowed and will result "
- "in a non-working connection. "
- "See also allow-compression in the manual.");
+ "settings that are not allowed and will result "
+ "in a non-working connection. "
+ "See also allow-compression in the manual.");
return false;
}
#ifdef USE_COMP
@@ -2778,8 +2654,7 @@
for (int i = 0; i < c->c1.link_sockets_num; i++)
{
- link_socket_update_buffer_sizes(c->c2.link_sockets[i],
- c->options.rcvbuf,
+ link_socket_update_buffer_sizes(c->c2.link_sockets[i], c->options.rcvbuf,
c->options.sndbuf);
}
}
@@ -2789,8 +2664,7 @@
msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
for (int i = 0; i < c->c1.link_sockets_num; i++)
{
- link_socket_update_flags(c->c2.link_sockets[i],
- c->options.sockflags);
+ link_socket_update_flags(c->c2.link_sockets[i], c->options.sockflags);
}
}
@@ -2838,12 +2712,11 @@
}
/* Check if pushed options are compatible with DCO, if enabled */
- if (dco_enabled(&c->options)
- && !dco_check_pull_options(D_PUSH_ERRORS, &c->options))
+ if (dco_enabled(&c->options) && !dco_check_pull_options(D_PUSH_ERRORS, &c->options))
{
msg(D_PUSH_ERRORS, "OPTIONS ERROR: pushed options are incompatible "
- "with data channel offload. Use --disable-dco to connect to "
- "this server");
+ "with data channel offload. Use --disable-dco to connect to "
+ "this server");
return false;
}
}
@@ -2856,7 +2729,7 @@
if (epoch_data && !datav2_enabled)
{
msg(D_PUSH_ERRORS, "OPTIONS ERROR: Epoch key data format tag requires "
- "data v2 (peer-id) to be enabled.");
+ "data v2 (peer-id) to be enabled.");
return false;
}
@@ -2871,7 +2744,8 @@
if (c->options.ce.tun_mtu > frame->tun_max_mtu)
{
- msg(D_PUSH_ERRORS, "Server-pushed tun-mtu is too large, please add "
+ msg(D_PUSH_ERRORS,
+ "Server-pushed tun-mtu is too large, please add "
"tun-mtu-max %d in the client configuration",
c->options.ce.tun_mtu);
}
@@ -2935,8 +2809,7 @@
}
/* Slow down reconnection after 5 retries per remote -- for TCP client or UDP tls-client only */
- if (c->mode == CM_CHILD_TCP
- || (c->options.ce.proto == PROTO_UDP && c->options.tls_client))
+ if (c->mode == CM_CHILD_TCP || (c->options.ce.proto == PROTO_UDP && c->options.tls_client))
{
backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
if (backoff > 0)
@@ -3005,10 +2878,8 @@
ASSERT(o->ce.link_mtu_defined);
/* if we have a link mtu defined we calculate what the old code
* would have come up with as tun-mtu */
- size_t overhead = frame_calculate_protocol_header_size(&c->c1.ks.key_type,
- o, true);
+ size_t overhead = frame_calculate_protocol_header_size(&c->c1.ks.key_type, o, true);
mtu = o->ce.link_mtu - overhead;
-
}
else
{
@@ -3093,7 +2964,8 @@
size_t tailroom = headroom;
#ifdef USE_COMP
- msg(D_MTU_DEBUG, "MTU: adding %zu buffer tailroom for compression for %zu "
+ msg(D_MTU_DEBUG,
+ "MTU: adding %zu buffer tailroom for compression for %zu "
"bytes of payload",
COMP_EXTRA_BUFFER(payload_size), payload_size);
tailroom += COMP_EXTRA_BUFFER(payload_size);
@@ -3162,14 +3034,11 @@
}
/* Initialize packet ID tracking */
- packet_id_init(&c->c2.crypto_options.packet_id,
- options->replay_window,
- options->replay_time,
+ packet_id_init(&c->c2.crypto_options.packet_id, options->replay_window, options->replay_time,
"STATIC", 0);
c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
- packet_id_persist_load_obj(&c->c1.pid_persist,
- &c->c2.crypto_options.packet_id);
+ packet_id_persist_load_obj(&c->c1.pid_persist, &c->c2.crypto_options.packet_id);
if (!key_ctx_bi_defined(&c->c1.ks.static_key))
{
@@ -3179,10 +3048,8 @@
/* Read cipher and hmac keys from shared secret file */
crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
- options->shared_secret_file,
- options->shared_secret_file_inline,
- options->key_direction, "Static Key Encryption",
- "secret", NULL);
+ options->shared_secret_file, options->shared_secret_file_inline,
+ options->key_direction, "Static Key Encryption", "secret", NULL);
}
else
{
@@ -3210,26 +3077,23 @@
c->c1.ks.tls_auth_key_type.digest = options->authname;
if (!md_valid(options->authname))
{
- msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
- "algorithm specified ('%s')", options->authname);
+ msg(M_FATAL,
+ "ERROR: tls-auth enabled, but no valid --auth "
+ "algorithm specified ('%s')",
+ options->authname);
}
- crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type,
- &c->c1.ks.tls_wrap_key,
- options->ce.tls_auth_file,
- options->ce.tls_auth_file_inline,
- options->ce.key_direction,
- "Control Channel Authentication", "tls-auth",
- &c->c1.ks.original_wrap_keydata);
+ crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type, &c->c1.ks.tls_wrap_key,
+ options->ce.tls_auth_file, options->ce.tls_auth_file_inline,
+ options->ce.key_direction, "Control Channel Authentication",
+ "tls-auth", &c->c1.ks.original_wrap_keydata);
}
/* TLS handshake encryption+authentication (--tls-crypt) */
if (options->ce.tls_crypt_file)
{
- tls_crypt_init_key(&c->c1.ks.tls_wrap_key,
- &c->c1.ks.original_wrap_keydata,
- options->ce.tls_crypt_file,
- options->ce.tls_crypt_file_inline,
+ tls_crypt_init_key(&c->c1.ks.tls_wrap_key, &c->c1.ks.original_wrap_keydata,
+ options->ce.tls_crypt_file, options->ce.tls_crypt_file_inline,
options->tls_server);
}
@@ -3238,16 +3102,14 @@
{
if (options->tls_server)
{
- tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key,
- true, options->ce.tls_crypt_v2_file,
+ tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key, true,
+ options->ce.tls_crypt_v2_file,
options->ce.tls_crypt_v2_file_inline);
}
else
{
- tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key,
- &c->c1.ks.original_wrap_keydata,
- &c->c1.ks.tls_crypt_v2_wkc,
- options->ce.tls_crypt_v2_file,
+ tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key, &c->c1.ks.original_wrap_keydata,
+ &c->c1.ks.tls_crypt_v2_wkc, options->ce.tls_crypt_v2_file,
options->ce.tls_crypt_v2_file_inline);
}
/* We have to ensure that the loaded tls-crypt key is small enough
@@ -3259,15 +3121,14 @@
if (required_size > c->options.ce.tls_mtu)
{
- msg(M_WARN, "ERROR: tls-crypt-v2 client key too large to work with "
+ msg(M_WARN,
+ "ERROR: tls-crypt-v2 client key too large to work with "
"requested --max-packet-size %d, requires at least "
"--max-packet-size %d. Packets will ignore requested "
- "maximum packet size", c->options.ce.tls_mtu,
- required_size);
+ "maximum packet size",
+ c->options.ce.tls_mtu, required_size);
}
}
-
-
}
/*
@@ -3296,7 +3157,7 @@
case AR_INTERACT:
ssl_purge_auth(false);
- /* Intentional [[fallthrough]]; */
+ /* Intentional [[fallthrough]]; */
case AR_NOINTERACT:
/* SOFT-SIGUSR1 -- Password failure error */
@@ -3337,8 +3198,7 @@
/* Do not warn if the cipher is used only in OCC */
bool warn = options->enable_ncp_fallback;
- init_key_type(&c->c1.ks.key_type, ciphername, options->authname,
- true, warn);
+ init_key_type(&c->c1.ks.key_type, ciphername, options->authname, true, warn);
/* initialize tls-auth/crypt/crypt-v2 key */
do_init_tls_wrap_key(c);
@@ -3346,8 +3206,7 @@
/* initialise auth-token crypto support */
if (c->options.auth_token_generate)
{
- auth_token_init_secret(&c->c1.ks.auth_token_key,
- c->options.auth_token_secret_file,
+ auth_token_init_secret(&c->c1.ks.auth_token_key, c->options.auth_token_secret_file,
c->options.auth_token_secret_file_inline);
}
@@ -3425,25 +3284,27 @@
if (options->renegotiate_seconds_min < 0)
{
/* Add 10% jitter to reneg-sec by default (server side only) */
- int auto_jitter = options->mode != MODE_SERVER ? 0 :
- get_random() % max_int(options->renegotiate_seconds / 10, 1);
+ int auto_jitter = options->mode != MODE_SERVER
+ ? 0
+ : get_random() % max_int(options->renegotiate_seconds / 10, 1);
to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
}
else
{
/* Add user-specified jitter to reneg-sec */
- to.renegotiate_seconds = options->renegotiate_seconds
- -(get_random() % max_int(options->renegotiate_seconds
- - options->renegotiate_seconds_min, 1));
+ to.renegotiate_seconds =
+ options->renegotiate_seconds
+ - (get_random()
+ % max_int(options->renegotiate_seconds - options->renegotiate_seconds_min, 1));
}
to.single_session = options->single_session;
to.mode = options->mode;
to.pull = options->pull;
- if (options->push_peer_info) /* all there is */
+ if (options->push_peer_info) /* all there is */
{
to.push_peer_info_detail = 3;
}
- else if (options->pull) /* pull clients send some details */
+ else if (options->pull) /* pull clients send some details */
{
to.push_peer_info_detail = 2;
}
@@ -3451,7 +3312,7 @@
{
to.push_peer_info_detail = 0;
}
- else /* default: minimal info to allow NCP in P2P mode */
+ else /* default: minimal info to allow NCP in P2P mode */
{
to.push_peer_info_detail = 1;
}
@@ -3554,8 +3415,7 @@
}
/* TLS handshake encryption (--tls-crypt) */
- if (options->ce.tls_crypt_file
- || (options->ce.tls_crypt_v2_file && options->tls_client))
+ if (options->ce.tls_crypt_file || (options->ce.tls_crypt_v2_file && options->tls_client))
{
to.tls_wrap.mode = TLS_WRAP_CRYPT;
}
@@ -3613,10 +3473,8 @@
if (c->c2.tls_multi)
{
tls_multi_init_finalize(c->c2.tls_multi, c->options.ce.tls_mtu);
- ASSERT(c->c2.tls_multi->opt.frame.buf.payload_size <=
- c->c2.frame.buf.payload_size);
- frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO,
- "Control Channel MTU parms");
+ ASSERT(c->c2.tls_multi->opt.frame.buf.payload_size <= c->c2.frame.buf.payload_size);
+ frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO, "Control Channel MTU parms");
/* Keep the max mtu also in the frame of tls multi so it can access
* it in push_peer_info */
@@ -3624,9 +3482,9 @@
}
if (c->c2.tls_auth_standalone)
{
- tls_init_control_channel_frame_parameters(&c->c2.tls_auth_standalone->frame, c->options.ce.tls_mtu);
- frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
- "TLS-Auth MTU parms");
+ tls_init_control_channel_frame_parameters(&c->c2.tls_auth_standalone->frame,
+ c->options.ce.tls_mtu);
+ frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO, "TLS-Auth MTU parms");
c->c2.tls_auth_standalone->tls_wrap.work = alloc_buf_gc(BUF_SIZE(&c->c2.frame), &c->c2.gc);
c->c2.tls_auth_standalone->workbuf = alloc_buf_gc(BUF_SIZE(&c->c2.frame), &c->c2.gc);
}
@@ -3642,14 +3500,12 @@
/* Initialise key_type with auth/cipher "none", so the key_type struct is
* valid */
- init_key_type(&c->c1.ks.key_type, "none", "none",
- c->options.test_crypto, true);
+ init_key_type(&c->c1.ks.key_type, "none", "none", c->options.test_crypto, true);
- msg(M_WARN,
- "******* WARNING *******: All encryption and authentication features "
- "disabled -- All data will be tunnelled as clear text and will not be "
- "protected against man-in-the-middle changes. "
- "PLEASE DO RECONSIDER THIS CONFIGURATION!");
+ msg(M_WARN, "******* WARNING *******: All encryption and authentication features "
+ "disabled -- All data will be tunnelled as clear text and will not be "
+ "protected against man-in-the-middle changes. "
+ "PLEASE DO RECONSIDER THIS CONFIGURATION!");
}
static void
@@ -3663,7 +3519,7 @@
{
do_init_crypto_tls(c, flags);
}
- else /* no encryption or authentication. */
+ else /* no encryption or authentication. */
{
do_init_crypto_none(c);
}
@@ -3701,7 +3557,8 @@
#ifdef ENABLE_FRAGMENT
if (c->options.ce.fragment > 0 && c->options.ce.mssfix > c->options.ce.fragment)
{
- msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should "
+ msg(M_WARN,
+ "WARNING: if you use --mssfix and --fragment, you should "
"set --fragment (%d) larger or equal than --mssfix (%d)",
c->options.ce.fragment, c->options.ce.mssfix);
}
@@ -3709,7 +3566,7 @@
&& c->options.ce.fragment_encap != c->options.ce.mssfix_encap)
{
msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should "
- "use the \"mtu\" flag for both or none of of them.");
+ "use the \"mtu\" flag for both or none of of them.");
}
#endif
}
@@ -3728,34 +3585,39 @@
#ifdef ENABLE_SELINUX
|| o->selinux_context
#endif
- )
+ )
{
if (!o->persist_tun)
{
- msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
+ msg(M_WARN,
+ "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
}
}
if (o->chroot_dir && !(o->username && o->groupname))
{
- msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
+ msg(M_WARN,
+ "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
}
if (o->pull && o->ifconfig_local && c->first_time)
{
- msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
+ msg(M_WARN,
+ "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
}
if (o->server_bridge_defined || o->server_bridge_proxy_dhcp)
{
- msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
+ msg(M_WARN,
+ "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
}
if (o->mode == MODE_SERVER)
{
if (o->duplicate_cn && o->client_config_dir)
{
- msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
+ msg(M_WARN,
+ "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
}
if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
{
@@ -3771,14 +3633,12 @@
{
warn_on_use_of_common_subnets(&c->net_ctx);
}
- if (o->tls_client
- && !o->tls_verify
- && o->verify_x509_type == VERIFY_X509_NONE
- && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
- && !o->remote_cert_eku
+ if (o->tls_client && !o->tls_verify && o->verify_x509_type == VERIFY_X509_NONE
+ && !(o->ns_cert_type & NS_CERT_CHECK_SERVER) && !o->remote_cert_eku
&& !(o->verify_hash_depth == 0 && o->verify_hash))
{
- msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
+ msg(M_WARN,
+ "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
}
if (o->ns_cert_type)
{
@@ -3790,15 +3650,19 @@
{
if (script_security() >= SSEC_SCRIPTS)
{
- msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
+ msg(M_WARN,
+ "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
}
else if (script_security() >= SSEC_PW_ENV)
{
- msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
+ msg(M_WARN,
+ "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
}
else
{
- msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
+ msg(M_WARN,
+ "NOTE: starting with " PACKAGE_NAME
+ " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
}
}
}
@@ -3877,8 +3741,8 @@
*/
c->c2.frame_fragment = c->c2.frame;
- frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type,
- &c->options, get_link_socket_info(c));
+ frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type, &c->options,
+ get_link_socket_info(c));
fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
}
#endif
@@ -3891,8 +3755,7 @@
{
ASSERT(!c->c2.link_sockets);
- ALLOC_ARRAY_GC(c->c2.link_sockets, struct link_socket *,
- c->c1.link_sockets_num, &c->c2.gc);
+ ALLOC_ARRAY_GC(c->c2.link_sockets, struct link_socket *, c->c1.link_sockets_num, &c->c2.gc);
for (int i = 0; i < c->c1.link_sockets_num; i++)
{
@@ -3955,8 +3818,7 @@
#ifdef ENABLE_FRAGMENT
if (c->c2.fragment)
{
- frame_print(&c->c2.frame_fragment, D_MTU_INFO,
- "Fragmentation MTU parms");
+ frame_print(&c->c2.frame_fragment, D_MTU_INFO, "Fragmentation MTU parms");
}
#endif
}
@@ -3970,23 +3832,18 @@
struct gc_arena gc = gc_new();
c->c2.options_string_local =
- options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
- false, &gc);
+ options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx, false, &gc);
c->c2.options_string_remote =
- options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
- true, &gc);
+ options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx, true, &gc);
msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
- options_string_version(c->c2.options_string_local, &gc),
- c->c2.options_string_local);
+ options_string_version(c->c2.options_string_local, &gc), c->c2.options_string_local);
msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
- options_string_version(c->c2.options_string_remote, &gc),
- c->c2.options_string_remote);
+ options_string_version(c->c2.options_string_remote, &gc), c->c2.options_string_remote);
if (c->c2.tls_multi)
{
- tls_multi_init_set_options(c->c2.tls_multi,
- c->c2.options_string_local,
+ tls_multi_init_set_options(c->c2.tls_multi, c->c2.options_string_local,
c->c2.options_string_remote);
}
@@ -4010,10 +3867,8 @@
/* get user and/or group that we want to setuid/setgid to,
* sets also platform_x_state */
- bool group_defined = platform_group_get(c->options.groupname,
- &c0->platform_state_group);
- bool user_defined = platform_user_get(c->options.username,
- &c0->platform_state_user);
+ bool group_defined = platform_group_get(c->options.groupname, &c0->platform_state_group);
+ bool user_defined = platform_user_get(c->options.username, &c0->platform_state_user);
c0->uid_gid_specified = user_defined || group_defined;
@@ -4122,16 +3977,13 @@
* reconnect to the same host again or there are still addresses that need
* to be tried */
if (!(c->sig->signal_received == SIGUSR1
- && ( (c->options.persist_remote_ip)
- ||
- ( c->sig->source != SIG_SOURCE_HARD
- && ((c->c1.link_socket_addrs[0].current_remote
- && c->c1.link_socket_addrs[0].current_remote->ai_next)
- || c->options.no_advance))
- )))
+ && ((c->options.persist_remote_ip)
+ || (c->sig->source != SIG_SOURCE_HARD
+ && ((c->c1.link_socket_addrs[0].current_remote
+ && c->c1.link_socket_addrs[0].current_remote->ai_next)
+ || c->options.no_advance)))))
{
- clear_remote_addrlist(&c->c1.link_socket_addrs[0],
- !c->options.resolve_in_advance);
+ clear_remote_addrlist(&c->c1.link_socket_addrs[0], !c->options.resolve_in_advance);
}
/* Clear the remote actual address when persist_remote_ip is not in use */
@@ -4147,8 +3999,7 @@
{
for (int i = 0; i < c->c1.link_sockets_num; i++)
{
- if (c->c1.link_socket_addrs[i].bind_local
- && !c->options.resolve_in_advance)
+ if (c->c1.link_socket_addrs[i].bind_local && !c->options.resolve_in_advance)
{
freeaddrinfo(c->c1.link_socket_addrs[i].bind_local);
}
@@ -4192,8 +4043,7 @@
*/
static void
-do_event_set_init(struct context *c,
- bool need_us_timeout)
+do_event_set_init(struct context *c, bool need_us_timeout)
{
unsigned int flags = 0;
@@ -4230,11 +4080,9 @@
{
if (!c->c1.status_output)
{
- c->c1.status_output = status_open(c->options.status_file,
- c->options.status_file_update_freq,
- -1,
- NULL,
- STATUS_OUTPUT_WRITE);
+ c->c1.status_output =
+ status_open(c->options.status_file, c->options.status_file_update_freq, -1, NULL,
+ STATUS_OUTPUT_WRITE);
c->c1.status_output_owned = true;
}
}
@@ -4261,8 +4109,9 @@
{
if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
{
- c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
- c->options.ifconfig_pool_persist_refresh_freq);
+ c->c1.ifconfig_pool_persist =
+ ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
+ c->options.ifconfig_pool_persist_refresh_freq);
c->c1.ifconfig_pool_persist_owned = true;
}
}
@@ -4376,12 +4225,9 @@
unsigned int option_types_found = 0;
if (config.list[i] && config.list[i]->value)
{
- options_string_import(&c->options,
- config.list[i]->value,
- D_IMPORT_ERRORS|M_OPTERR,
- OPT_P_DEFAULT & ~OPT_P_PLUGIN,
- &option_types_found,
- c->es);
+ options_string_import(
+ &c->options, config.list[i]->value, D_IMPORT_ERRORS | M_OPTERR,
+ OPT_P_DEFAULT & ~OPT_P_PLUGIN, &option_types_found, c->es);
}
}
}
@@ -4422,7 +4268,7 @@
static void
management_callback_status_p2p(void *arg, const int version, struct status_output *so)
{
- struct context *c = (struct context *) arg;
+ struct context *c = (struct context *)arg;
print_status(c, so);
}
@@ -4455,7 +4301,7 @@
*/
int socketfd = -1;
- struct context *c = (struct context *) arg;
+ struct context *c = (struct context *)arg;
if (!c->c2.link_sockets || !c->c2.link_sockets[0])
{
return -1;
@@ -4536,24 +4382,14 @@
{
flags |= MF_SERVER;
}
- if (management_open(management,
- c->options.management_addr,
- c->options.management_port,
- c->options.management_user_pass,
- c->options.management_client_user,
- c->options.management_client_group,
- c->options.management_log_history_cache,
- c->options.management_echo_buffer_size,
- c->options.management_state_buffer_size,
- c->options.remap_sigusr1,
- flags))
+ if (management_open(
+ management, c->options.management_addr, c->options.management_port,
+ c->options.management_user_pass, c->options.management_client_user,
+ c->options.management_client_group, c->options.management_log_history_cache,
+ c->options.management_echo_buffer_size, c->options.management_state_buffer_size,
+ c->options.remap_sigusr1, flags))
{
- management_set_state(management,
- OPENVPN_STATE_CONNECTING,
- NULL,
- NULL,
- NULL,
- NULL,
+ management_set_state(management, OPENVPN_STATE_CONNECTING, NULL, NULL, NULL, NULL,
NULL);
}
@@ -4932,9 +4768,7 @@
/* close event objects */
do_close_event_set(c);
- if (c->mode == CM_P2P
- || c->mode == CM_CHILD_TCP
- || c->mode == CM_CHILD_UDP
+ if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP
|| c->mode == CM_TOP)
{
#ifdef USE_COMP
@@ -5002,9 +4836,7 @@
}
void
-inherit_context_child(struct context *dest,
- const struct context *src,
- struct link_socket *sock)
+inherit_context_child(struct context *dest, const struct context *src, struct link_socket *sock)
{
CLEAR(*dest);
@@ -5092,8 +4924,7 @@
}
void
-inherit_context_top(struct context *dest,
- const struct context *src)
+inherit_context_top(struct context *dest, const struct context *src)
{
/* copy parent */
*dest = *src;
@@ -5221,7 +5052,7 @@
static void *
test_crypto_thread(void *arg)
{
- struct context *c = (struct context *) arg;
+ struct context *c = (struct context *)arg;
const struct options *options = &c->options;
ASSERT(options->test_crypto);
@@ -5255,7 +5086,7 @@
c.options = *o;
options_detach(&c.options);
c.first_time = true;
- test_crypto_thread((void *) &c);
+ test_crypto_thread((void *)&c);
return true;
}
return false;
@@ -45,8 +45,8 @@
void uninit_static(void);
-#define IVM_LEVEL_1 (1<<0)
-#define IVM_LEVEL_2 (1<<1)
+#define IVM_LEVEL_1 (1 << 0)
+#define IVM_LEVEL_2 (1 << 1)
void init_verb_mute(struct context *c, unsigned int flags);
void init_options_dev(struct options *options);
@@ -61,7 +61,8 @@
void pre_setup(const struct options *options);
-void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags);
+void init_instance_handle_signals(struct context *c, const struct env_set *env,
+ const unsigned int flags);
void init_instance(struct context *c, const struct env_set *env, const unsigned int flags);
@@ -72,8 +73,7 @@
bool do_route(const struct options *options, struct route_list *route_list,
struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt,
- const struct plugin_list *plugins, struct env_set *es,
- openvpn_net_ctx_t *ctx);
+ const struct plugin_list *plugins, struct env_set *es, openvpn_net_ctx_t *ctx);
void close_instance(struct context *c);
@@ -81,9 +81,7 @@
void context_gc_free(struct context *c);
-bool do_up(struct context *c,
- bool pulled_options,
- unsigned int option_types_found);
+bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found);
/**
* @brief A simplified version of the do_up() function. This function is called
@@ -109,17 +107,15 @@
*/
bool do_deferred_options(struct context *c, const unsigned int found, const bool is_update);
-void inherit_context_child(struct context *dest,
- const struct context *src,
+void inherit_context_child(struct context *dest, const struct context *src,
struct link_socket *sock);
-void inherit_context_top(struct context *dest,
- const struct context *src);
+void inherit_context_top(struct context *dest, const struct context *src);
-#define CC_GC_FREE (1<<0)
-#define CC_USR1_TO_HUP (1<<1)
-#define CC_HARD_USR1_TO_HUP (1<<2)
-#define CC_NO_CLOSE (1<<3)
+#define CC_GC_FREE (1 << 0)
+#define CC_USR1_TO_HUP (1 << 1)
+#define CC_HARD_USR1_TO_HUP (1 << 2)
+#define CC_NO_CLOSE (1 << 3)
void close_context(struct context *c, int sig, unsigned int flags);
@@ -127,9 +123,9 @@
void free_context_buffers(struct context_buffers *b);
-#define ISC_ERRORS (1<<0)
-#define ISC_SERVER (1<<1)
-#define ISC_ROUTE_ERRORS (1<<2)
+#define ISC_ERRORS (1 << 0)
+#define ISC_SERVER (1 << 1)
+#define ISC_ROUTE_ERRORS (1 << 2)
void initialization_sequence_completed(struct context *c, const unsigned int flags);
#ifdef ENABLE_MANAGEMENT
@@ -26,13 +26,17 @@
#include "error.h"
#ifndef htonll
-#define htonll(x) ((1==htonl(1)) ? (x) : \
- ((uint64_t)htonl((uint32_t)((x) & 0xFFFFFFFF)) << 32) | htonl((uint32_t)((x) >> 32)))
+#define htonll(x) \
+ ((1 == htonl(1)) \
+ ? (x) \
+ : ((uint64_t)htonl((uint32_t)((x) & 0xFFFFFFFF)) << 32) | htonl((uint32_t)((x) >> 32)))
#endif
#ifndef ntohll
-#define ntohll(x) ((1==ntohl(1)) ? (x) : \
- ((uint64_t)ntohl((uint32_t)((x) & 0xFFFFFFFF)) << 32) | ntohl((uint32_t)((x) >> 32)))
+#define ntohll(x) \
+ ((1 == ntohl(1)) \
+ ? (x) \
+ : ((uint64_t)ntohl((uint32_t)((x) & 0xFFFFFFFF)) << 32) | ntohl((uint32_t)((x) >> 32)))
#endif
static inline int
@@ -196,10 +200,7 @@
if (index < 0 || index >= size)
{
msg(M_FATAL, "Assertion Failed: Array index=%d out of bounds for array size=%d in %s:%d",
- index,
- size,
- file,
- line);
+ index, size, file, line);
}
return index;
}
@@ -39,9 +39,7 @@
}
bool
-event_timeout_trigger(struct event_timeout *et,
- struct timeval *tv,
- const int et_const_retry)
+event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
{
if (!et->defined)
{
@@ -54,8 +52,7 @@
if (wakeup <= 0)
{
#if INTERVAL_DEBUG
- dmsg(D_INTERVAL, "EVENT event_timeout_trigger (%d) etcr=%d", et->n,
- et_const_retry);
+ dmsg(D_INTERVAL, "EVENT event_timeout_trigger (%d) etcr=%d", et->n, et_const_retry);
#endif
if (et_const_retry < 0)
{
@@ -72,8 +69,8 @@
if (tv && wakeup < tv->tv_sec)
{
#if INTERVAL_DEBUG
- dmsg(D_INTERVAL, "EVENT event_timeout_wakeup (%d/%d) etcr=%d",
- (int) wakeup, et->n, et_const_retry);
+ dmsg(D_INTERVAL, "EVENT event_timeout_wakeup (%d/%d) etcr=%d", (int)wakeup, et->n,
+ et_const_retry);
#endif
tv->tv_sec = wakeup;
tv->tv_usec = 0;
@@ -74,8 +74,7 @@
}
if (top->last_action + top->horizon > local_now
- || top->last_test_true + top->refresh <= local_now
- || trigger)
+ || top->last_test_true + top->refresh <= local_now || trigger)
{
top->last_test_true = local_now;
#if INTERVAL_DEBUG
@@ -134,9 +133,9 @@
struct event_timeout
{
- bool defined; /**< This timeout is active */
- interval_t n; /**< periodic interval for periodic timeouts */
- time_t last; /**< time of last event */
+ bool defined; /**< This timeout is active */
+ interval_t n; /**< periodic interval for periodic timeouts */
+ time_t last; /**< time of last event */
};
static inline bool
@@ -217,7 +216,7 @@
static inline interval_t
event_timeout_remaining(struct event_timeout *et)
{
- return (interval_t) ((et->last + et->n) - now);
+ return (interval_t)((et->last + et->n) - now);
}
#define ETT_DEFAULT (-1)
@@ -254,19 +253,18 @@
* @param et_const_retry see above
* @return if the timeout has triggered and event has been reset
*/
-bool event_timeout_trigger(struct event_timeout *et,
- struct timeval *tv,
- int et_const_retry);
+bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, int et_const_retry);
/*
* Measure time intervals in microseconds
*/
-#define USEC_TIMER_MAX 60 /* maximum interval size in seconds */
+#define USEC_TIMER_MAX 60 /* maximum interval size in seconds */
#define USEC_TIMER_MAX_USEC (USEC_TIMER_MAX * 1000000)
-struct usec_timer {
+struct usec_timer
+{
struct timeval start;
struct timeval end;
};
@@ -34,8 +34,7 @@
#include "memdbg.h"
struct hash *
-hash_init(const int n_buckets,
- const uint32_t iv,
+hash_init(const int n_buckets, const uint32_t iv,
uint32_t (*hash_function)(const void *key, uint32_t iv),
bool (*compare_function)(const void *key1, const void *key2))
{
@@ -44,7 +43,7 @@
ASSERT(n_buckets > 0);
ALLOC_OBJ_CLEAR(h, struct hash);
- h->n_buckets = (int) adjust_power_of_2(n_buckets);
+ h->n_buckets = (int)adjust_power_of_2(n_buckets);
h->mask = h->n_buckets - 1;
h->hash_function = hash_function;
h->compare_function = compare_function;
@@ -79,10 +78,7 @@
}
struct hash_element *
-hash_lookup_fast(struct hash *hash,
- struct hash_bucket *bucket,
- const void *key,
- uint32_t hv)
+hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
{
struct hash_element *he;
struct hash_element *prev = NULL;
@@ -110,10 +106,7 @@
}
bool
-hash_remove_fast(struct hash *hash,
- struct hash_bucket *bucket,
- const void *key,
- uint32_t hv)
+hash_remove_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
{
struct hash_element *he;
struct hash_element *prev = NULL;
@@ -219,9 +212,7 @@
}
void
-hash_iterator_init_range(struct hash *hash,
- struct hash_iterator *hi,
- int start_bucket,
+hash_iterator_init_range(struct hash *hash, struct hash_iterator *hi, int start_bucket,
int end_bucket)
{
if (end_bucket > hash->n_buckets)
@@ -242,8 +233,7 @@
}
void
-hash_iterator_init(struct hash *hash,
- struct hash_iterator *hi)
+hash_iterator_init(struct hash *hash, struct hash_iterator *hi)
{
hash_iterator_init_range(hash, hi, 0, hash->n_buckets);
}
@@ -390,17 +380,35 @@
* --------------------------------------------------------------------
*/
-#define mix(a, b, c) \
- { \
- a -= b; a -= c; a ^= (c>>13); \
- b -= c; b -= a; b ^= (a<<8); \
- c -= a; c -= b; c ^= (b>>13); \
- a -= b; a -= c; a ^= (c>>12); \
- b -= c; b -= a; b ^= (a<<16); \
- c -= a; c -= b; c ^= (b>>5); \
- a -= b; a -= c; a ^= (c>>3); \
- b -= c; b -= a; b ^= (a<<10); \
- c -= a; c -= b; c ^= (b>>15); \
+#define mix(a, b, c) \
+ { \
+ a -= b; \
+ a -= c; \
+ a ^= (c >> 13); \
+ b -= c; \
+ b -= a; \
+ b ^= (a << 8); \
+ c -= a; \
+ c -= b; \
+ c ^= (b >> 13); \
+ a -= b; \
+ a -= c; \
+ a ^= (c >> 12); \
+ b -= c; \
+ b -= a; \
+ b ^= (a << 16); \
+ c -= a; \
+ c -= b; \
+ c ^= (b >> 5); \
+ a -= b; \
+ a -= c; \
+ a ^= (c >> 3); \
+ b -= c; \
+ b -= a; \
+ b ^= (a << 10); \
+ c -= a; \
+ c -= b; \
+ c ^= (b >> 15); \
}
uint32_t
@@ -410,21 +418,15 @@
/* Set up the internal state */
len = length;
- a = b = 0x9e3779b9; /* the golden ratio; an arbitrary value */
- c = initval; /* the previous hash value */
+ a = b = 0x9e3779b9; /* the golden ratio; an arbitrary value */
+ c = initval; /* the previous hash value */
/*---------------------------------------- handle most of the key */
while (len >= 12)
{
- a += (k[0] + ((uint32_t) k[1] << 8)
- + ((uint32_t) k[2] << 16)
- + ((uint32_t) k[3] << 24));
- b += (k[4] + ((uint32_t) k[5] << 8)
- + ((uint32_t) k[6] << 16)
- + ((uint32_t) k[7] << 24));
- c += (k[8] + ((uint32_t) k[9] << 8)
- + ((uint32_t) k[10] << 16)
- + ((uint32_t) k[11] << 24));
+ a += (k[0] + ((uint32_t)k[1] << 8) + ((uint32_t)k[2] << 16) + ((uint32_t)k[3] << 24));
+ b += (k[4] + ((uint32_t)k[5] << 8) + ((uint32_t)k[6] << 16) + ((uint32_t)k[7] << 24));
+ c += (k[8] + ((uint32_t)k[9] << 8) + ((uint32_t)k[10] << 16) + ((uint32_t)k[11] << 24));
mix(a, b, c);
k += 12;
len -= 12;
@@ -432,48 +434,48 @@
/*------------------------------------- handle the last 11 bytes */
c += length;
- switch (len) /* all the case statements fall through */
+ switch (len) /* all the case statements fall through */
{
case 11:
- c += ((uint32_t) k[10] << 24);
- /* Intentional [[fallthrough]]; */
+ c += ((uint32_t)k[10] << 24);
+ /* Intentional [[fallthrough]]; */
case 10:
- c += ((uint32_t) k[9] << 16);
- /* Intentional [[fallthrough]]; */
+ c += ((uint32_t)k[9] << 16);
+ /* Intentional [[fallthrough]]; */
case 9:
- c += ((uint32_t) k[8] << 8);
+ c += ((uint32_t)k[8] << 8);
/* Intentional [[fallthrough]]; */
/* the first byte of c is reserved for the length */
case 8:
- b += ((uint32_t) k[7] << 24);
- /* Intentional [[fallthrough]]; */
+ b += ((uint32_t)k[7] << 24);
+ /* Intentional [[fallthrough]]; */
case 7:
- b += ((uint32_t) k[6] << 16);
- /* Intentional [[fallthrough]]; */
+ b += ((uint32_t)k[6] << 16);
+ /* Intentional [[fallthrough]]; */
case 6:
- b += ((uint32_t) k[5] << 8);
- /* Intentional [[fallthrough]]; */
+ b += ((uint32_t)k[5] << 8);
+ /* Intentional [[fallthrough]]; */
case 5:
b += k[4];
- /* Intentional [[fallthrough]]; */
+ /* Intentional [[fallthrough]]; */
case 4:
- a += ((uint32_t) k[3] << 24);
- /* Intentional [[fallthrough]]; */
+ a += ((uint32_t)k[3] << 24);
+ /* Intentional [[fallthrough]]; */
case 3:
- a += ((uint32_t) k[2] << 16);
- /* Intentional [[fallthrough]]; */
+ a += ((uint32_t)k[2] << 16);
+ /* Intentional [[fallthrough]]; */
case 2:
- a += ((uint32_t) k[1] << 8);
- /* Intentional [[fallthrough]]; */
+ a += ((uint32_t)k[1] << 8);
+ /* Intentional [[fallthrough]]; */
case 1:
a += k[0];
@@ -36,8 +36,8 @@
#include "basic.h"
#include "buffer.h"
-#define hashsize(n) ((uint32_t)1<<(n))
-#define hashmask(n) (hashsize(n)-1)
+#define hashsize(n) ((uint32_t)1 << (n))
+#define hashmask(n) (hashsize(n) - 1)
struct hash_element
{
@@ -63,8 +63,7 @@
struct hash_bucket *buckets;
};
-struct hash *hash_init(const int n_buckets,
- const uint32_t iv,
+struct hash *hash_init(const int n_buckets, const uint32_t iv,
uint32_t (*hash_function)(const void *key, uint32_t iv),
bool (*compare_function)(const void *key1, const void *key2));
@@ -72,15 +71,10 @@
bool hash_add(struct hash *hash, const void *key, void *value, bool replace);
-struct hash_element *hash_lookup_fast(struct hash *hash,
- struct hash_bucket *bucket,
- const void *key,
- uint32_t hv);
+struct hash_element *hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket,
+ const void *key, uint32_t hv);
-bool hash_remove_fast(struct hash *hash,
- struct hash_bucket *bucket,
- const void *key,
- uint32_t hv);
+bool hash_remove_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv);
void hash_remove_by_value(struct hash *hash, void *value);
@@ -96,9 +90,7 @@
int bucket_index_end;
};
-void hash_iterator_init_range(struct hash *hash,
- struct hash_iterator *hi,
- int start_bucket,
+void hash_iterator_init_range(struct hash *hash, struct hash_iterator *hi, int start_bucket,
int end_bucket);
void hash_iterator_init(struct hash *hash, struct hash_iterator *iter);
@@ -154,10 +146,7 @@
/* NOTE: assumes that key is not a duplicate */
static inline void
-hash_add_fast(struct hash *hash,
- struct hash_bucket *bucket,
- const void *key,
- uint32_t hv,
+hash_add_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv,
void *value)
{
struct hash_element *he;
@@ -14,8 +14,7 @@
#include "proto.h"
int
-set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr,
- const struct env_set *es)
+set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr, const struct env_set *es)
{
int r;
@@ -32,27 +31,16 @@
#else /* if defined(TARGET_LINUX) */
struct argv argv = argv_new();
#if defined(TARGET_SOLARIS)
- argv_printf(&argv,
- "%s %s ether %s",
- IFCONFIG_PATH,
- ifname, lladdr);
+ argv_printf(&argv, "%s %s ether %s", IFCONFIG_PATH, ifname, lladdr);
#elif defined(TARGET_OPENBSD)
- argv_printf(&argv,
- "%s %s lladdr %s",
- IFCONFIG_PATH,
- ifname, lladdr);
+ argv_printf(&argv, "%s %s lladdr %s", IFCONFIG_PATH, ifname, lladdr);
#elif defined(TARGET_DARWIN)
- argv_printf(&argv,
- "%s %s lladdr %s",
- IFCONFIG_PATH,
- ifname, lladdr);
+ argv_printf(&argv, "%s %s lladdr %s", IFCONFIG_PATH, ifname, lladdr);
#elif defined(TARGET_FREEBSD)
- argv_printf(&argv,
- "%s %s ether %s",
- IFCONFIG_PATH,
- ifname, lladdr);
+ argv_printf(&argv, "%s %s ether %s", IFCONFIG_PATH, ifname, lladdr);
#else /* if defined(TARGET_SOLARIS) */
- msg(M_WARN, "Sorry, but I don't know how to configure link layer addresses on this operating system.");
+ msg(M_WARN,
+ "Sorry, but I don't know how to configure link layer addresses on this operating system.");
return -1;
#endif /* if defined(TARGET_SOLARIS) */
argv_msg(M_INFO, &argv);
@@ -50,9 +50,10 @@
int lzo_status = lzo_init();
if (lzo_status != LZO_E_OK)
{
- msg(M_FATAL, "Cannot initialize LZO compression library (lzo_init() returns %d)", lzo_status);
+ msg(M_FATAL, "Cannot initialize LZO compression library (lzo_init() returns %d)",
+ lzo_status);
}
- compctx->wu.lzo.wmem = (lzo_voidp) malloc(compctx->wu.lzo.wmem_size);
+ compctx->wu.lzo.wmem = (lzo_voidp)malloc(compctx->wu.lzo.wmem_size);
check_malloc_return(compctx->wu.lzo.wmem);
}
@@ -64,8 +65,7 @@
}
static void
-lzo_compress(struct buffer *buf, struct buffer work,
- struct compress_context *compctx,
+lzo_compress(struct buffer *buf, struct buffer work, struct compress_context *compctx,
const struct frame *frame)
{
uint8_t *header = buf_prepend(buf, 1);
@@ -73,13 +73,12 @@
}
static void
-lzo_decompress(struct buffer *buf, struct buffer work,
- struct compress_context *compctx,
+lzo_decompress(struct buffer *buf, struct buffer work, struct compress_context *compctx,
const struct frame *frame)
{
lzo_uint zlen = frame->buf.payload_size;
int err;
- uint8_t c; /* flag indicating whether or not our peer compressed */
+ uint8_t c; /* flag indicating whether or not our peer compressed */
if (buf->len <= 0)
{
@@ -94,8 +93,7 @@
if (c == LZO_COMPRESS_BYTE) /* packet was compressed */
{
ASSERT(buf_safe(&work, zlen));
- err = LZO_DECOMPRESS(BPTR(buf), BLEN(buf), BPTR(&work), &zlen,
- compctx->wu.lzo.wmem);
+ err = LZO_DECOMPRESS(BPTR(buf), BLEN(buf), BPTR(&work), &zlen, compctx->wu.lzo.wmem);
if (err != LZO_E_OK)
{
dmsg(D_COMP_ERRORS, "LZO decompression error: %d", err);
@@ -112,7 +110,7 @@
*buf = work;
}
- else if (c == NO_COMPRESS_BYTE) /* packet was not compressed */
+ else if (c == NO_COMPRESS_BYTE) /* packet was not compressed */
{
/* nothing to do */
}
@@ -123,11 +121,6 @@
}
}
-const struct compress_alg lzo_alg = {
- "lzo",
- lzo_compress_init,
- lzo_compress_uninit,
- lzo_compress,
- lzo_decompress
-};
+const struct compress_alg lzo_alg = { "lzo", lzo_compress_init, lzo_compress_uninit, lzo_compress,
+ lzo_decompress };
#endif /* ENABLE_LZO */
@@ -56,19 +56,19 @@
extern const struct compress_alg lzo_alg;
/**************************************************************************/
-/** @name LZO library interface defines *//** @{ *//***********************/
-#define LZO_COMPRESS lzo1x_1_15_compress
+/** @name LZO library interface defines */ /** @{ */ /***********************/
+#define LZO_COMPRESS lzo1x_1_15_compress
/**< LZO library compression function.
*
* Use \c lzo1x_1_15_compress because it
* is described as faster than the
* standard routine, although it does
* need a bit more memory. */
-#define LZO_WORKSPACE LZO1X_1_15_MEM_COMPRESS
+#define LZO_WORKSPACE LZO1X_1_15_MEM_COMPRESS
/**< The size in bytes of the memory
* %buffer required by the LZO library
* compression algorithm. */
-#define LZO_DECOMPRESS lzo1x_decompress_safe
+#define LZO_DECOMPRESS lzo1x_decompress_safe
/**< LZO library decompression function.
*
* Use safe decompress because it
@@ -78,26 +78,30 @@
* verify the integrity of incoming
* packets, you might want to consider
* using the non-safe version. */
-/** @} name LZO library interface *//**************************************/
+/** @} name LZO library interface */ /**************************************/
/**************************************************************************/
-/** @name Adaptive compression defines *//** @{ *//************************/
-#define AC_SAMP_SEC 2 /**< Number of seconds in a sample period. */
-#define AC_MIN_BYTES 1000 /**< Minimum number of bytes a sample
- * period must contain for it to be
- * evaluated. */
-#define AC_SAVE_PCT 5 /**< Minimum size reduction percentage
- * below which compression will be
- * turned off. */
-#define AC_OFF_SEC 60 /**< Seconds to wait after compression has
- * been turned off before retesting. */
-/** @} name Adaptive compression defines *//*******************************/
+/** @name Adaptive compression defines */ /** @{ */ /************************/
+#define AC_SAMP_SEC 2 /**< Number of seconds in a sample period. */
+#define AC_MIN_BYTES \
+ 1000 /**< Minimum number of bytes a sample \
+ * period must contain for it to be \
+ * evaluated. */
+#define AC_SAVE_PCT \
+ 5 /**< Minimum size reduction percentage \
+ * below which compression will be \
+ * turned off. */
+#define AC_OFF_SEC \
+ 60 /**< Seconds to wait after compression has \
+ * been turned off before retesting. */
+/** @} name Adaptive compression defines */ /*******************************/
/**
* Adaptive compression state.
*/
-struct lzo_adaptive_compress {
+struct lzo_adaptive_compress
+{
bool compress_state;
time_t next;
int n_total;
@@ -74,7 +74,8 @@
msg(M_CLIENT, "auth-retry t : Auth failure retry mode (none,interact,nointeract).");
msg(M_CLIENT, "bytecount n : Show bytes in/out, update every n secs (0=off).");
msg(M_CLIENT, "echo [on|off] [N|all] : Like log, but only show messages in echo buffer.");
- msg(M_CLIENT, "cr-response response : Send a challenge response answer via CR_RESPONSE to server");
+ msg(M_CLIENT,
+ "cr-response response : Send a challenge response answer via CR_RESPONSE to server");
msg(M_CLIENT, "exit|quit : Close management session.");
msg(M_CLIENT, "forget-passwords : Forget passwords entered so far.");
msg(M_CLIENT, "help : Print this message.");
@@ -85,7 +86,8 @@
msg(M_CLIENT, "load-stats : Show global server load stats.");
msg(M_CLIENT, "log [on|off] [N|all] : Turn on/off realtime log display");
msg(M_CLIENT, " + show last N lines or 'all' for entire history.");
- msg(M_CLIENT, "mute [n] : Set log mute level to n, or show level if n is absent.");
+ msg(M_CLIENT,
+ "mute [n] : Set log mute level to n, or show level if n is absent.");
msg(M_CLIENT, "needok type action : Enter confirmation for NEED-OK request of 'type',");
msg(M_CLIENT, " where action = 'ok' or 'cancel'.");
msg(M_CLIENT, "needstr type action : Enter confirmation for NEED-STR request of 'type',");
@@ -103,18 +105,25 @@
#endif
msg(M_CLIENT, "client-auth CID KID : Authenticate client-id/key-id CID/KID (MULTILINE)");
msg(M_CLIENT, "client-auth-nt CID KID : Authenticate client-id/key-id CID/KID");
- msg(M_CLIENT, "client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason");
+ msg(M_CLIENT,
+ "client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason");
msg(M_CLIENT, " text R and optional client reason text CR");
- msg(M_CLIENT, "client-pending-auth CID KID MSG timeout : Instruct OpenVPN to send AUTH_PENDING and INFO_PRE msg");
- msg(M_CLIENT, " to the client and wait for a final client-auth/client-deny");
+ msg(M_CLIENT,
+ "client-pending-auth CID KID MSG timeout : Instruct OpenVPN to send AUTH_PENDING and INFO_PRE msg");
+ msg(M_CLIENT,
+ " to the client and wait for a final client-auth/client-deny");
msg(M_CLIENT, "client-kill CID [M] : Kill client instance CID with message M (def=RESTART)");
msg(M_CLIENT, "env-filter [level] : Set env-var filter level");
msg(M_CLIENT, "rsa-sig : Enter a signature in response to >RSA_SIGN challenge");
- msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END");
+ msg(M_CLIENT,
+ " Enter signature base64 on subsequent lines followed by END");
msg(M_CLIENT, "pk-sig : Enter a signature in response to >PK_SIGN challenge");
- msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END");
- msg(M_CLIENT, "certificate : Enter a client certificate in response to >NEED-CERT challenge");
- msg(M_CLIENT, " Enter certificate base64 on subsequent lines followed by END");
+ msg(M_CLIENT,
+ " Enter signature base64 on subsequent lines followed by END");
+ msg(M_CLIENT,
+ "certificate : Enter a client certificate in response to >NEED-CERT challenge");
+ msg(M_CLIENT,
+ " Enter certificate base64 on subsequent lines followed by END");
msg(M_CLIENT, "signal s : Send signal s to daemon,");
msg(M_CLIENT, " s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.");
msg(M_CLIENT, "state [on|off] [N|all] : Like log, but show state history.");
@@ -122,7 +131,8 @@
msg(M_CLIENT, "test n : Produce n lines of output for testing/debugging.");
msg(M_CLIENT, "username type u : Enter username u for a queried OpenVPN username.");
msg(M_CLIENT, "verb [n] : Set log verbosity level to n, or show if n is absent.");
- msg(M_CLIENT, "version [n] : Set client's version to n or show current version of daemon.");
+ msg(M_CLIENT,
+ "version [n] : Set client's version to n or show current version of daemon.");
msg(M_CLIENT, "END");
}
@@ -305,7 +315,7 @@
man_delete_unix_socket(struct management *man)
{
#if UNIX_SOCK_SUPPORT
- if ((man->settings.flags & (MF_UNIX_SOCK|MF_CONNECT_AS_CLIENT)) == MF_UNIX_SOCK)
+ if ((man->settings.flags & (MF_UNIX_SOCK | MF_CONNECT_AS_CLIENT)) == MF_UNIX_SOCK)
{
socket_delete_unix(&man->settings.local_unix);
}
@@ -331,11 +341,11 @@
static void
virtual_output_callback_func(void *arg, const unsigned int flags, const char *str)
{
- struct management *man = (struct management *) arg;
+ struct management *man = (struct management *)arg;
static int recursive_level = 0; /* GLOBAL */
-#define AF_DID_PUSH (1<<0)
-#define AF_DID_RESET (1<<1)
+#define AF_DID_PUSH (1 << 0)
+#define AF_DID_RESET (1 << 1)
if (recursive_level < 5) /* limit recursion */
{
struct gc_arena gc = gc_new();
@@ -369,10 +379,10 @@
}
else if (man->connection.log_realtime)
{
- out = log_entry_print(&e, LOG_PRINT_INT_DATE
- | LOG_PRINT_MSG_FLAGS
- | LOG_PRINT_LOG_PREFIX
- | LOG_PRINT_CRLF, &gc);
+ out = log_entry_print(&e,
+ LOG_PRINT_INT_DATE | LOG_PRINT_MSG_FLAGS
+ | LOG_PRINT_LOG_PREFIX | LOG_PRINT_CRLF,
+ &gc);
}
if (out)
{
@@ -381,11 +391,11 @@
}
if (flags & M_FATAL)
{
- out = log_entry_print(&e, LOG_FATAL_NOTIFY|LOG_PRINT_CRLF, &gc);
+ out = log_entry_print(&e, LOG_FATAL_NOTIFY | LOG_PRINT_CRLF, &gc);
if (out)
{
man_output_list_push_str(man, out);
- action_flags |= (AF_DID_PUSH|AF_DID_RESET);
+ action_flags |= (AF_DID_PUSH | AF_DID_RESET);
}
}
}
@@ -407,7 +417,8 @@
{
/* cannot use msg here */
printf("virtual_output: message to management interface "
- "dropped due to recursion: <%s>\n", str);
+ "dropped due to recursion: <%s>\n",
+ str);
}
}
@@ -471,7 +482,8 @@
static void
man_command_unsupported(const char *command_name)
{
- msg(M_CLIENT, "ERROR: The '%s' command is not supported by the current daemon mode", command_name);
+ msg(M_CLIENT, "ERROR: The '%s' command is not supported by the current daemon mode",
+ command_name);
}
static void
@@ -494,8 +506,7 @@
{
man->connection.bytecount_update_seconds = update_seconds;
event_timeout_init(&man->connection.bytecount_update_interval,
- man->connection.bytecount_update_seconds,
- now);
+ man->connection.bytecount_update_seconds, now);
}
else
{
@@ -506,8 +517,7 @@
}
static void
-man_bytecount_output_client(struct management *man,
- counter_type dco_read_bytes,
+man_bytecount_output_client(struct management *man, counter_type dco_read_bytes,
counter_type dco_write_bytes)
{
char in[32];
@@ -520,8 +530,7 @@
}
void
-man_bytecount_output_server(const counter_type *bytes_in_total,
- const counter_type *bytes_out_total,
+man_bytecount_output_server(const counter_type *bytes_in_total, const counter_type *bytes_out_total,
struct man_def_auth_context *mdac)
{
char in[32];
@@ -546,7 +555,7 @@
char p3[128];
int n_killed;
- buf_set_read(&buf, (uint8_t *) victim, strlen(victim) + 1);
+ buf_set_read(&buf, (uint8_t *)victim, strlen(victim) + 1);
buf_parse(&buf, ':', p1, sizeof(p1));
buf_parse(&buf, ':', p2, sizeof(p2));
buf_parse(&buf, ':', p3, sizeof(p3));
@@ -555,29 +564,29 @@
{
/* IP:port specified */
bool status;
- const in_addr_t addr = getaddr(GETADDR_HOST_ORDER|GETADDR_MSG_VIRT_OUT, p2, 0, &status, NULL);
+ const in_addr_t addr =
+ getaddr(GETADDR_HOST_ORDER | GETADDR_MSG_VIRT_OUT, p2, 0, &status, NULL);
if (status)
{
const int port = atoi(p3);
- const int proto = (streq(p1, "tcp")) ? PROTO_TCP_SERVER :
- (streq(p1, "udp")) ? PROTO_UDP : PROTO_NONE;
+ const int proto = (streq(p1, "tcp")) ? PROTO_TCP_SERVER
+ : (streq(p1, "udp")) ? PROTO_UDP
+ : PROTO_NONE;
if ((port > 0 && port < 65536) && (proto != PROTO_NONE))
{
- n_killed = (*man->persist.callback.kill_by_addr)(man->persist.callback.arg, addr, port, proto);
+ n_killed = (*man->persist.callback.kill_by_addr)(man->persist.callback.arg,
+ addr, port, proto);
if (n_killed > 0)
{
- msg(M_CLIENT, "SUCCESS: %d client(s) at address %s:%s:%d killed",
- n_killed,
- proto2ascii(proto, AF_UNSPEC, false),
- print_in_addr_t(addr, 0, &gc),
+ msg(M_CLIENT, "SUCCESS: %d client(s) at address %s:%s:%d killed", n_killed,
+ proto2ascii(proto, AF_UNSPEC, false), print_in_addr_t(addr, 0, &gc),
port);
}
else
{
msg(M_CLIENT, "ERROR: client at address %s:%s:%d not found",
- proto2ascii(proto, AF_UNSPEC, false),
- print_in_addr_t(addr, 0, &gc),
+ proto2ascii(proto, AF_UNSPEC, false), print_in_addr_t(addr, 0, &gc),
port);
}
}
@@ -622,12 +631,8 @@
* for the log and echo commands.
*/
static void
-man_history(struct management *man,
- const char *parm,
- const char *type,
- struct log_history *log,
- bool *realtime,
- const unsigned int lep_flags)
+man_history(struct management *man, const char *parm, const char *type, struct log_history *log,
+ bool *realtime, const unsigned int lep_flags)
{
struct gc_arena gc = gc_new();
int n = 0;
@@ -670,35 +675,22 @@
static void
man_log(struct management *man, const char *parm)
{
- man_history(man,
- parm,
- "log",
- man->persist.log,
- &man->connection.log_realtime,
- LOG_PRINT_INT_DATE|LOG_PRINT_MSG_FLAGS);
+ man_history(man, parm, "log", man->persist.log, &man->connection.log_realtime,
+ LOG_PRINT_INT_DATE | LOG_PRINT_MSG_FLAGS);
}
static void
man_echo(struct management *man, const char *parm)
{
- man_history(man,
- parm,
- "echo",
- man->persist.echo,
- &man->connection.echo_realtime,
- LOG_PRINT_INT_DATE|MANAGEMENT_ECHO_FLAGS);
+ man_history(man, parm, "echo", man->persist.echo, &man->connection.echo_realtime,
+ LOG_PRINT_INT_DATE | MANAGEMENT_ECHO_FLAGS);
}
static void
man_state(struct management *man, const char *parm)
{
- man_history(man,
- parm,
- "state",
- man->persist.state,
- &man->connection.state_realtime,
- LOG_PRINT_INT_DATE|LOG_PRINT_STATE
- |LOG_PRINT_LOCAL_IP|LOG_PRINT_REMOTE_IP);
+ man_history(man, parm, "state", man->persist.state, &man->connection.state_realtime,
+ LOG_PRINT_INT_DATE | LOG_PRINT_STATE | LOG_PRINT_LOCAL_IP | LOG_PRINT_REMOTE_IP);
}
static void
@@ -732,13 +724,8 @@
}
static void
-man_query_user_pass(struct management *man,
- const char *type,
- const char *string,
- const bool needed,
- const char *prompt,
- char *dest,
- int len)
+man_query_user_pass(struct management *man, const char *type, const char *string, const bool needed,
+ const char *prompt, char *dest, int len)
{
if (needed)
{
@@ -747,16 +734,12 @@
{
strncpynt(dest, string, len);
man_up_finalize(man);
- msg(M_CLIENT, "SUCCESS: '%s' %s entered, but not yet verified",
- type,
- prompt);
+ msg(M_CLIENT, "SUCCESS: '%s' %s entered, but not yet verified", type, prompt);
}
else
{
- msg(M_CLIENT, "ERROR: %s of type '%s' entered, but we need one of type '%s'",
- prompt,
- type,
- man->connection.up_query_type);
+ msg(M_CLIENT, "ERROR: %s of type '%s' entered, but we need one of type '%s'", prompt,
+ type, man->connection.up_query_type);
}
}
else
@@ -768,36 +751,42 @@
static void
man_query_username(struct management *man, const char *type, const char *string)
{
- const bool needed = ((man->connection.up_query_mode == UP_QUERY_USER_PASS
- ) && man->connection.up_query_type);
- man_query_user_pass(man, type, string, needed, "username", man->connection.up_query.username, USER_PASS_LEN);
+ const bool needed =
+ ((man->connection.up_query_mode == UP_QUERY_USER_PASS) && man->connection.up_query_type);
+ man_query_user_pass(man, type, string, needed, "username", man->connection.up_query.username,
+ USER_PASS_LEN);
}
static void
man_query_password(struct management *man, const char *type, const char *string)
{
const bool needed = ((man->connection.up_query_mode == UP_QUERY_PASS
- || man->connection.up_query_mode == UP_QUERY_USER_PASS
- ) && man->connection.up_query_type);
+ || man->connection.up_query_mode == UP_QUERY_USER_PASS)
+ && man->connection.up_query_type);
if (!string[0]) /* allow blank passwords to be passed through using the blank_up tag */
{
string = blank_up;
}
- man_query_user_pass(man, type, string, needed, "password", man->connection.up_query.password, USER_PASS_LEN);
+ man_query_user_pass(man, type, string, needed, "password", man->connection.up_query.password,
+ USER_PASS_LEN);
}
static void
man_query_need_ok(struct management *man, const char *type, const char *action)
{
- const bool needed = ((man->connection.up_query_mode == UP_QUERY_NEED_OK) && man->connection.up_query_type);
- man_query_user_pass(man, type, action, needed, "needok-confirmation", man->connection.up_query.password, USER_PASS_LEN);
+ const bool needed =
+ ((man->connection.up_query_mode == UP_QUERY_NEED_OK) && man->connection.up_query_type);
+ man_query_user_pass(man, type, action, needed, "needok-confirmation",
+ man->connection.up_query.password, USER_PASS_LEN);
}
static void
man_query_need_str(struct management *man, const char *type, const char *action)
{
- const bool needed = ((man->connection.up_query_mode == UP_QUERY_NEED_STR) && man->connection.up_query_type);
- man_query_user_pass(man, type, action, needed, "needstr-string", man->connection.up_query.password, USER_PASS_LEN);
+ const bool needed =
+ ((man->connection.up_query_mode == UP_QUERY_NEED_STR) && man->connection.up_query_type);
+ man_query_user_pass(man, type, action, needed, "needstr-string",
+ man->connection.up_query.password, USER_PASS_LEN);
}
static void
@@ -826,8 +815,8 @@
{
if (man->persist.callback.send_cc_message)
{
- const bool status = (*man->persist.callback.send_cc_message)
- (man->persist.callback.arg, message, parameters);
+ const bool status = (*man->persist.callback.send_cc_message)(man->persist.callback.arg,
+ message, parameters);
if (status)
{
msg(M_CLIENT, "SUCCESS: command succeeded");
@@ -892,13 +881,12 @@
{
ASSERT(p1);
- if (man->persist.callback.remote_entry_get
- && man->persist.callback.remote_entry_count)
+ if (man->persist.callback.remote_entry_get && man->persist.callback.remote_entry_count)
{
unsigned int count = (*man->persist.callback.remote_entry_count)(man->persist.callback.arg);
- unsigned int from = (unsigned int) atoi(p1);
- unsigned int to = p2 ? (unsigned int) atoi(p2) : from + 1;
+ unsigned int from = (unsigned int)atoi(p1);
+ unsigned int to = p2 ? (unsigned int)atoi(p2) : from + 1;
if (!strcmp(p1, "all"))
{
@@ -909,7 +897,8 @@
for (unsigned int i = from; i < min_uint(to, count); i++)
{
char *remote = NULL;
- bool res = (*man->persist.callback.remote_entry_get)(man->persist.callback.arg, i, &remote);
+ bool res =
+ (*man->persist.callback.remote_entry_get)(man->persist.callback.arg, i, &remote);
if (res && remote)
{
msg(M_CLIENT, "%u,%s", i, remote);
@@ -955,8 +944,8 @@
}
}
-#define IER_RESET 0
-#define IER_NEW 1
+#define IER_RESET 0
+#define IER_NEW 1
static void
in_extra_reset(struct man_connection *mc, const int mode)
@@ -989,14 +978,9 @@
case IEC_CLIENT_AUTH:
if (man->persist.callback.client_auth)
{
- const bool status = (*man->persist.callback.client_auth)
- (man->persist.callback.arg,
- man->connection.in_extra_cid,
- man->connection.in_extra_kid,
- true,
- NULL,
- NULL,
- man->connection.in_extra);
+ const bool status = (*man->persist.callback.client_auth)(
+ man->persist.callback.arg, man->connection.in_extra_cid,
+ man->connection.in_extra_kid, true, NULL, NULL, man->connection.in_extra);
man->connection.in_extra = NULL;
report_command_status(status, "client-auth");
}
@@ -1063,9 +1047,8 @@
* @param timeout_str The timeout value in string form
*/
static void
-man_client_pending_auth(struct management *man, const char *cid_str,
- const char *kid_str, const char *extra,
- const char *timeout_str)
+man_client_pending_auth(struct management *man, const char *cid_str, const char *kid_str,
+ const char *extra, const char *timeout_str)
{
unsigned long cid = 0;
unsigned int kid = 0;
@@ -1075,8 +1058,8 @@
{
if (man->persist.callback.client_pending_auth)
{
- bool ret = (*man->persist.callback.client_pending_auth)
- (man->persist.callback.arg, cid, kid, extra, timeout);
+ bool ret = (*man->persist.callback.client_pending_auth)(man->persist.callback.arg, cid,
+ kid, extra, timeout);
if (ret)
{
@@ -1085,7 +1068,7 @@
else
{
msg(M_CLIENT, "ERROR: client-pending-auth command failed."
- " Extra parameter might be too long");
+ " Extra parameter might be too long");
}
}
else
@@ -1101,8 +1084,7 @@
struct man_connection *mc = &man->connection;
mc->in_extra_cid = 0;
mc->in_extra_kid = 0;
- if (parse_cid(cid_str, &mc->in_extra_cid)
- && parse_uint(kid_str, "KID", &mc->in_extra_kid))
+ if (parse_cid(cid_str, &mc->in_extra_cid) && parse_uint(kid_str, "KID", &mc->in_extra_kid))
{
mc->in_extra_cmd = IEC_CLIENT_AUTH;
in_extra_reset(mc, IER_NEW);
@@ -1114,7 +1096,8 @@
}
static void
-man_client_deny(struct management *man, const char *cid_str, const char *kid_str, const char *reason, const char *client_reason)
+man_client_deny(struct management *man, const char *cid_str, const char *kid_str,
+ const char *reason, const char *client_reason)
{
unsigned long cid = 0;
unsigned int kid = 0;
@@ -1122,14 +1105,8 @@
{
if (man->persist.callback.client_auth)
{
- const bool status = (*man->persist.callback.client_auth)
- (man->persist.callback.arg,
- cid,
- kid,
- false,
- reason,
- client_reason,
- NULL);
+ const bool status = (*man->persist.callback.client_auth)(
+ man->persist.callback.arg, cid, kid, false, reason, client_reason, NULL);
if (status)
{
msg(M_CLIENT, "SUCCESS: client-deny command succeeded");
@@ -1154,7 +1131,8 @@
{
if (man->persist.callback.kill_by_cid)
{
- const bool status = (*man->persist.callback.kill_by_cid)(man->persist.callback.arg, cid, kill_msg);
+ const bool status =
+ (*man->persist.callback.kill_by_cid)(man->persist.callback.arg, cid, kill_msg);
if (status)
{
msg(M_CLIENT, "SUCCESS: client-kill command succeeded");
@@ -1237,12 +1215,10 @@
nclients = (*man->persist.callback.n_clients)(man->persist.callback.arg);
}
msg(M_CLIENT, "SUCCESS: nclients=%d,bytesin=" counter_format ",bytesout=" counter_format,
- nclients,
- link_read_bytes_global,
- link_write_bytes_global);
+ nclients, link_read_bytes_global, link_write_bytes_global);
}
-#define MN_AT_LEAST (1<<0)
+#define MN_AT_LEAST (1 << 0)
/**
* Checks if the correct number of arguments to a management command are present
* and otherwise prints an error and returns false.
@@ -1262,11 +1238,8 @@
{
if (!p[i])
{
- msg(M_CLIENT, "ERROR: the '%s' command requires %s%d parameter%s",
- p[0],
- (flags & MN_AT_LEAST) ? "at least " : "",
- n,
- n > 1 ? "s" : "");
+ msg(M_CLIENT, "ERROR: the '%s' command requires %s%d parameter%s", p[0],
+ (flags & MN_AT_LEAST) ? "at least " : "", n, n > 1 ? "s" : "");
return false;
}
}
@@ -1312,8 +1285,7 @@
*/
if (man->persist.callback.network_change)
{
- int fd = (*man->persist.callback.network_change)
- (man->persist.callback.arg, samenetwork);
+ int fd = (*man->persist.callback.network_change)(man->persist.callback.arg, samenetwork);
man->connection.fdtosend = fd;
msg(M_CLIENT, "PROTECTFD: fd '%d' sent to be protected", fd);
if (fd == -2)
@@ -1334,7 +1306,8 @@
}
static void
-man_dispatch_command(struct management *man, struct status_output *so, const char **p, const int nparms)
+man_dispatch_command(struct management *man, struct status_output *so, const char **p,
+ const int nparms)
{
struct gc_arena gc = gc_new();
@@ -1664,7 +1637,8 @@
const int n = atoi(p[1]);
for (i = 0; i < n; ++i)
{
- msg(M_CLIENT, "[%d] The purpose of this command is to generate large amounts of output.", i);
+ msg(M_CLIENT,
+ "[%d] The purpose of this command is to generate large amounts of output.", i);
}
}
}
@@ -1691,7 +1665,8 @@
case MS_CC_WAIT_READ:
case MS_CC_WAIT_WRITE:
- net_event_win32_start(&man->connection.ne32, FD_READ|FD_WRITE|FD_CLOSE, man->connection.sd_cli);
+ net_event_win32_start(&man->connection.ne32, FD_READ | FD_WRITE | FD_CLOSE,
+ man->connection.sd_cli);
break;
default:
@@ -1736,27 +1711,24 @@
#if UNIX_SOCK_SUPPORT
if (man->settings.flags & MF_UNIX_SOCK)
{
- msg(D_MANAGEMENT, "MANAGEMENT: %s %s",
- description,
+ msg(D_MANAGEMENT, "MANAGEMENT: %s %s", description,
sockaddr_unix_name(&man->settings.local_unix, "NULL"));
}
else
#endif
- if (man->settings.flags & MF_CONNECT_AS_CLIENT)
+ if (man->settings.flags & MF_CONNECT_AS_CLIENT)
{
- msg(D_MANAGEMENT, "MANAGEMENT: %s %s",
- description,
+ msg(D_MANAGEMENT, "MANAGEMENT: %s %s", description,
print_sockaddr(man->settings.local->ai_addr, &gc));
}
else
{
struct sockaddr_storage addr;
socklen_t addrlen = sizeof(addr);
- if (!getpeername(man->connection.sd_cli, (struct sockaddr *) &addr,
- &addrlen))
+ if (!getpeername(man->connection.sd_cli, (struct sockaddr *)&addr, &addrlen))
{
msg(D_MANAGEMENT, "MANAGEMENT: %s %s", description,
- print_sockaddr((struct sockaddr *) &addr, &gc));
+ print_sockaddr((struct sockaddr *)&addr, &gc));
}
else
{
@@ -1782,19 +1754,22 @@
{
if (socket_defined(sd) && (man->settings.client_uid != -1 || man->settings.client_gid != -1))
{
- static const char err_prefix[] = "MANAGEMENT: unix domain socket client connection rejected --";
+ static const char err_prefix[] =
+ "MANAGEMENT: unix domain socket client connection rejected --";
int uid, gid;
if (unix_socket_get_peer_uid_gid(man->connection.sd_cli, &uid, &gid))
{
if (man->settings.client_uid != -1 && man->settings.client_uid != uid)
{
- msg(D_MANAGEMENT, "%s UID of socket peer (%d) doesn't match required value (%d) as given by --management-client-user",
+ msg(D_MANAGEMENT,
+ "%s UID of socket peer (%d) doesn't match required value (%d) as given by --management-client-user",
err_prefix, uid, man->settings.client_uid);
return false;
}
if (man->settings.client_gid != -1 && man->settings.client_gid != gid)
{
- msg(D_MANAGEMENT, "%s GID of socket peer (%d) doesn't match required value (%d) as given by --management-client-group",
+ msg(D_MANAGEMENT,
+ "%s GID of socket peer (%d) doesn't match required value (%d) as given by --management-client-group",
err_prefix, gid, man->settings.client_gid);
return false;
}
@@ -1876,8 +1851,8 @@
#endif
{
man->connection.sd_top = create_socket_tcp(man->settings.local);
- socket_bind(man->connection.sd_top, man->settings.local,
- man->settings.local->ai_family, "MANAGEMENT", false);
+ socket_bind(man->connection.sd_top, man->settings.local, man->settings.local->ai_family,
+ "MANAGEMENT", false);
}
/*
@@ -1905,14 +1880,13 @@
const struct sockaddr *man_addr = man->settings.local->ai_addr;
struct sockaddr_storage addr;
socklen_t addrlen = sizeof(addr);
- if (!getsockname(man->connection.sd_top, (struct sockaddr *) &addr, &addrlen))
+ if (!getsockname(man->connection.sd_top, (struct sockaddr *)&addr, &addrlen))
{
- man_addr = (struct sockaddr *) &addr;
+ man_addr = (struct sockaddr *)&addr;
}
else
{
- msg(M_WARN|M_ERRNO,
- "Failed to get the management socket address");
+ msg(M_WARN | M_ERRNO, "Failed to get the management socket address");
}
msg(D_MANAGEMENT, "MANAGEMENT: TCP Socket listening on %s",
print_sockaddr(man_addr, &gc));
@@ -1958,9 +1932,7 @@
#endif
{
man->connection.sd_cli = create_socket_tcp(man->settings.local);
- status = openvpn_connect(man->connection.sd_cli,
- man->settings.local->ai_addr,
- 5,
+ status = openvpn_connect(man->connection.sd_cli, man->settings.local->ai_addr, 5,
&signal_received);
}
@@ -1975,15 +1947,13 @@
#if UNIX_SOCK_SUPPORT
if (man->settings.flags & MF_UNIX_SOCK)
{
- msg(D_LINK_ERRORS | M_ERRNO,
- "MANAGEMENT: connect to unix socket %s failed",
+ msg(D_LINK_ERRORS | M_ERRNO, "MANAGEMENT: connect to unix socket %s failed",
sockaddr_unix_name(&man->settings.local_unix, "NULL"));
}
else
#endif
{
- msg(D_LINK_ERRORS | M_ERRNO,
- "MANAGEMENT: connect to %s failed",
+ msg(D_LINK_ERRORS | M_ERRNO, "MANAGEMENT: connect to %s failed",
print_sockaddr(man->settings.local->ai_addr, &gc));
}
throw_signal_soft(SIGTERM, "management-connect-failed");
@@ -2048,7 +2018,7 @@
struct gc_arena gc = gc_new();
struct status_output *so;
int nparms;
- char *parms[MAX_PARMS+1];
+ char *parms[MAX_PARMS + 1];
CLEAR(parms);
so = status_open(NULL, 0, -1, &man->persist.vout, 0);
@@ -2101,8 +2071,7 @@
if (!ignore_sys_error(err, crt_error))
{
struct gc_arena gc = gc_new();
- msg(D_MANAGEMENT, "MANAGEMENT: TCP %s error: %s", prefix,
- strerror(err));
+ msg(D_MANAGEMENT, "MANAGEMENT: TCP %s error: %s", prefix, strerror(err));
gc_free(&gc);
return true;
}
@@ -2119,7 +2088,8 @@
struct msghdr msg = { 0 };
struct iovec iov[1];
- union {
+ union
+ {
struct cmsghdr cm;
char control[CMSG_SPACE(sizeof(int))];
} control_un;
@@ -2132,7 +2102,7 @@
cmptr->cmsg_len = CMSG_LEN(sizeof(int));
cmptr->cmsg_level = SOL_SOCKET;
cmptr->cmsg_type = SCM_RIGHTS;
- *((int *) CMSG_DATA(cmptr)) = sendfd;
+ *((int *)CMSG_DATA(cmptr)) = sendfd;
msg.msg_name = NULL;
msg.msg_namelen = 0;
@@ -2152,13 +2122,14 @@
struct iovec iov[1];
ssize_t n;
- union {
+ union
+ {
struct cmsghdr cm;
char control[CMSG_SPACE(sizeof(int))];
} control_un;
- struct cmsghdr *cmptr;
+ struct cmsghdr *cmptr;
- msghdr.msg_control = control_un.control;
+ msghdr.msg_control = control_un.control;
msghdr.msg_controllen = sizeof(control_un.control);
msghdr.msg_name = NULL;
@@ -2169,13 +2140,12 @@
msghdr.msg_iov = iov;
msghdr.msg_iovlen = 1;
- if ( (n = recvmsg(fd, &msghdr, flags)) <= 0)
+ if ((n = recvmsg(fd, &msghdr, flags)) <= 0)
{
return (n);
}
- if ( (cmptr = CMSG_FIRSTHDR(&msghdr)) != NULL
- && cmptr->cmsg_len == CMSG_LEN(sizeof(int)))
+ if ((cmptr = CMSG_FIRSTHDR(&msghdr)) != NULL && cmptr->cmsg_len == CMSG_LEN(sizeof(int)))
{
if (cmptr->cmsg_level != SOL_SOCKET)
{
@@ -2185,12 +2155,11 @@
{
msg(M_ERR, "control type != SCM_RIGHTS");
}
- *recvfd = *((int *) CMSG_DATA(cmptr));
+ *recvfd = *((int *)CMSG_DATA(cmptr));
}
else
{
- *recvfd = -1; /* descriptor was not passed */
-
+ *recvfd = -1; /* descriptor was not passed */
}
return (n);
}
@@ -2208,10 +2177,10 @@
}
struct user_pass up;
CLEAR(up);
- strncpy(up.username, msg, sizeof(up.username)-1);
+ strncpy(up.username, msg, sizeof(up.username) - 1);
- management_query_user_pass(management, &up, command, GET_USER_PASS_NEED_OK, (void *) 0);
- return strcmp("ok", up.password)==0;
+ management_query_user_pass(management, &up, command, GET_USER_PASS_NEED_OK, (void *)0);
+ return strcmp("ok", up.password) == 0;
}
/*
@@ -2226,8 +2195,8 @@
struct user_pass up;
CLEAR(up);
strcpy(up.username, "tunmethod");
- management_query_user_pass(management, &up, "PERSIST_TUN_ACTION",
- GET_USER_PASS_NEED_OK, (void *) 0);
+ management_query_user_pass(management, &up, "PERSIST_TUN_ACTION", GET_USER_PASS_NEED_OK,
+ (void *)0);
if (!strcmp("NOACTION", up.password))
{
return ANDROID_KEEP_OLD_TUN;
@@ -2238,7 +2207,8 @@
}
else
{
- msg(M_ERR, "Got unrecognised '%s' from management for PERSIST_TUN_ACTION query", up.password);
+ msg(M_ERR, "Got unrecognised '%s' from management for PERSIST_TUN_ACTION query",
+ up.password);
}
ASSERT(0);
@@ -2264,7 +2234,7 @@
{
man->connection.lastfdreceived = fd;
}
-#else /* ifdef TARGET_ANDROID */
+#else /* ifdef TARGET_ANDROID */
len = recv(man->connection.sd_cli, (void *)buf, sizeof(buf), MSG_NOSIGNAL);
#endif
@@ -2276,7 +2246,7 @@
{
bool processed_command = false;
- ASSERT(len <= (int) sizeof(buf));
+ ASSERT(len <= (int)sizeof(buf));
command_line_add(man->connection.in, buf, len);
/*
@@ -2304,7 +2274,7 @@
}
else
{
- man_process_command(man, (char *) line);
+ man_process_command(man, (char *)line);
}
if (man->connection.halt)
{
@@ -2357,12 +2327,13 @@
#ifdef TARGET_ANDROID
if (man->connection.fdtosend > 0)
{
- sent = man_send_with_fd(man->connection.sd_cli, BPTR(buf), len, MSG_NOSIGNAL, man->connection.fdtosend);
+ sent = man_send_with_fd(man->connection.sd_cli, BPTR(buf), len, MSG_NOSIGNAL,
+ man->connection.fdtosend);
man->connection.fdtosend = -1;
}
else
#endif
- sent = send(man->connection.sd_cli, (const void *)BPTR(buf), len, MSG_NOSIGNAL);
+ sent = send(man->connection.sd_cli, (const void *)BPTR(buf), len, MSG_NOSIGNAL);
if (sent >= 0)
{
buffer_list_advance(man->connection.out, sent);
@@ -2398,9 +2369,7 @@
}
static void
-man_persist_init(struct management *man,
- const int log_history_cache,
- const int echo_buffer_size,
+man_persist_init(struct management *man, const int log_history_cache, const int echo_buffer_size,
const int state_buffer_size)
{
struct man_persist *mp = &man->persist;
@@ -2458,17 +2427,10 @@
}
static void
-man_settings_init(struct man_settings *ms,
- const char *addr,
- const char *port,
- const char *pass_file,
- const char *client_user,
- const char *client_group,
- const int log_history_cache,
- const int echo_buffer_size,
- const int state_buffer_size,
- const int remap_sigusr1,
- const unsigned int flags)
+man_settings_init(struct man_settings *ms, const char *addr, const char *port,
+ const char *pass_file, const char *client_user, const char *client_group,
+ const int log_history_cache, const int echo_buffer_size,
+ const int state_buffer_size, const int remap_sigusr1, const unsigned int flags)
{
if (!ms->defined)
{
@@ -2514,7 +2476,6 @@
else
#endif
{
-
/*
* Run management over tunnel, or
* separate channel?
@@ -2526,16 +2487,16 @@
else
{
int status;
- int resolve_flags = GETADDR_RESOLVE|GETADDR_WARN_ON_SIGNAL|GETADDR_FATAL;
+ int resolve_flags = GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL | GETADDR_FATAL;
if (!(flags & MF_CONNECT_AS_CLIENT))
{
resolve_flags |= GETADDR_PASSIVE;
}
- status = openvpn_getaddrinfo(resolve_flags, addr, port, 0,
- NULL, AF_UNSPEC, &ms->local);
- ASSERT(status==0);
+ status =
+ openvpn_getaddrinfo(resolve_flags, addr, port, 0, NULL, AF_UNSPEC, &ms->local);
+ ASSERT(status == 0);
}
}
@@ -2653,9 +2614,7 @@
struct management *man;
ALLOC_OBJ_CLEAR(man, struct management);
- man_persist_init(man,
- MANAGEMENT_LOG_HISTORY_INITIAL_SIZE,
- MANAGEMENT_ECHO_BUFFER_SIZE,
+ man_persist_init(man, MANAGEMENT_LOG_HISTORY_INITIAL_SIZE, MANAGEMENT_ECHO_BUFFER_SIZE,
MANAGEMENT_STATE_BUFFER_SIZE);
man_connection_clear(&man->connection);
@@ -2664,16 +2623,9 @@
}
bool
-management_open(struct management *man,
- const char *addr,
- const char *port,
- const char *pass_file,
- const char *client_user,
- const char *client_group,
- const int log_history_cache,
- const int echo_buffer_size,
- const int state_buffer_size,
- const int remap_sigusr1,
+management_open(struct management *man, const char *addr, const char *port, const char *pass_file,
+ const char *client_user, const char *client_group, const int log_history_cache,
+ const int echo_buffer_size, const int state_buffer_size, const int remap_sigusr1,
const unsigned int flags)
{
bool ret = false;
@@ -2682,17 +2634,8 @@
* Save the settings only if they have not
* been saved before.
*/
- man_settings_init(&man->settings,
- addr,
- port,
- pass_file,
- client_user,
- client_group,
- log_history_cache,
- echo_buffer_size,
- state_buffer_size,
- remap_sigusr1,
- flags);
+ man_settings_init(&man->settings, addr, port, pass_file, client_user, client_group,
+ log_history_cache, echo_buffer_size, state_buffer_size, remap_sigusr1, flags);
/*
* The log is initially sized to MANAGEMENT_LOG_HISTORY_INITIAL_SIZE,
@@ -2729,8 +2672,7 @@
}
void
-management_set_callback(struct management *man,
- const struct management_callback *cb)
+management_set_callback(struct management *man, const struct management_callback *cb)
{
man->persist.standalone_disabled = true;
man->persist.callback = *cb;
@@ -2746,15 +2688,12 @@
}
void
-management_set_state(struct management *man,
- const int state,
- const char *detail,
- const in_addr_t *tun_local_ip,
- const struct in6_addr *tun_local_ip6,
- const struct openvpn_sockaddr *local,
- const struct openvpn_sockaddr *remote)
+management_set_state(struct management *man, const int state, const char *detail,
+ const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6,
+ const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
{
- if (man->persist.state && (!(man->settings.flags & MF_SERVER) || state < OPENVPN_STATE_CLIENT_BASE))
+ if (man->persist.state
+ && (!(man->settings.flags & MF_SERVER) || state < OPENVPN_STATE_CLIENT_BASE))
{
struct gc_arena gc = gc_new();
struct log_entry e;
@@ -2786,13 +2725,11 @@
if (man->connection.state_realtime)
{
- out = log_entry_print(&e, LOG_PRINT_STATE_PREFIX
- | LOG_PRINT_INT_DATE
- | LOG_PRINT_STATE
- | LOG_PRINT_LOCAL_IP
- | LOG_PRINT_REMOTE_IP
- | LOG_PRINT_CRLF
- | LOG_ECHO_TO_LOG, &gc);
+ out = log_entry_print(&e,
+ LOG_PRINT_STATE_PREFIX | LOG_PRINT_INT_DATE | LOG_PRINT_STATE
+ | LOG_PRINT_LOCAL_IP | LOG_PRINT_REMOTE_IP | LOG_PRINT_CRLF
+ | LOG_ECHO_TO_LOG,
+ &gc);
}
if (out)
@@ -2807,25 +2744,23 @@
static bool
env_filter_match(const char *env_str, const int env_filter_level)
{
- static const char *env_names[] = {
- "username=",
- "password=",
- "X509_0_CN=",
- "tls_serial_",
- "untrusted_ip=",
- "ifconfig_local=",
- "ifconfig_netmask=",
- "daemon_start_time=",
- "daemon_pid=",
- "dev=",
- "ifconfig_pool_remote_ip=",
- "ifconfig_pool_netmask=",
- "time_duration=",
- "bytes_sent=",
- "bytes_received=",
- "session_id=",
- "session_state="
- };
+ static const char *env_names[] = { "username=",
+ "password=",
+ "X509_0_CN=",
+ "tls_serial_",
+ "untrusted_ip=",
+ "ifconfig_local=",
+ "ifconfig_netmask=",
+ "daemon_start_time=",
+ "daemon_pid=",
+ "dev=",
+ "ifconfig_pool_remote_ip=",
+ "ifconfig_pool_netmask=",
+ "time_duration=",
+ "bytes_sent=",
+ "bytes_received=",
+ "session_id=",
+ "session_state=" };
if (env_filter_level == 0)
{
@@ -2853,7 +2788,8 @@
}
static void
-man_output_env(const struct env_set *es, const bool tail, const int env_filter_level, const char *prefix)
+man_output_env(const struct env_set *es, const bool tail, const int env_filter_level,
+ const char *prefix)
{
if (es)
{
@@ -2914,11 +2850,12 @@
char line[256];
if (man->persist.callback.get_peer_info)
{
- const char *peer_info = (*man->persist.callback.get_peer_info)(man->persist.callback.arg, mdac->cid);
+ const char *peer_info =
+ (*man->persist.callback.get_peer_info)(man->persist.callback.arg, mdac->cid);
if (peer_info)
{
struct buffer buf;
- buf_set_read(&buf, (const uint8_t *) peer_info, strlen(peer_info));
+ buf_set_read(&buf, (const uint8_t *)peer_info, strlen(peer_info));
while (buf_parse(&buf, '\n', line, sizeof(line)))
{
chomp(line);
@@ -2936,10 +2873,8 @@
}
void
-management_notify_client_needing_auth(struct management *management,
- const unsigned int mda_key_id,
- struct man_def_auth_context *mdac,
- const struct env_set *es)
+management_notify_client_needing_auth(struct management *management, const unsigned int mda_key_id,
+ struct man_def_auth_context *mdac, const struct env_set *es)
{
if (!(mdac->flags & DAF_CONNECTION_CLOSED))
{
@@ -2950,7 +2885,7 @@
}
msg(M_CLIENT, ">CLIENT:%s,%lu,%u", mode, mdac->cid, mda_key_id);
man_output_extra_env(management, "CLIENT");
- if (management->connection.env_filter_level>0)
+ if (management->connection.env_filter_level > 0)
{
man_output_peer_info_env(management, mdac);
}
@@ -2960,18 +2895,15 @@
}
void
-management_notify_client_cr_response(unsigned mda_key_id,
- const struct man_def_auth_context *mdac,
- const struct env_set *es,
- const char *response)
+management_notify_client_cr_response(unsigned mda_key_id, const struct man_def_auth_context *mdac,
+ const struct env_set *es, const char *response)
{
struct gc_arena gc;
if (management)
{
gc = gc_new();
- msg(M_CLIENT, ">CLIENT:CR_RESPONSE,%lu,%u,%s",
- mdac->cid, mda_key_id, response);
+ msg(M_CLIENT, ">CLIENT:CR_RESPONSE,%lu,%u,%s", mdac->cid, mda_key_id, response);
man_output_extra_env(management, "CLIENT");
if (management->connection.env_filter_level > 0)
{
@@ -2983,8 +2915,7 @@
}
void
-management_connection_established(struct management *management,
- struct man_def_auth_context *mdac,
+management_connection_established(struct management *management, struct man_def_auth_context *mdac,
const struct env_set *es)
{
mdac->flags |= DAF_CONNECTION_ESTABLISHED;
@@ -2994,8 +2925,7 @@
}
void
-management_notify_client_close(struct management *management,
- struct man_def_auth_context *mdac,
+management_notify_client_close(struct management *management, struct man_def_auth_context *mdac,
const struct env_set *es)
{
if ((mdac->flags & DAF_INITIAL_AUTH) && !(mdac->flags & DAF_CONNECTION_CLOSED))
@@ -3007,18 +2937,14 @@
}
void
-management_learn_addr(struct management *management,
- struct man_def_auth_context *mdac,
- const struct mroute_addr *addr,
- const bool primary)
+management_learn_addr(struct management *management, struct man_def_auth_context *mdac,
+ const struct mroute_addr *addr, const bool primary)
{
struct gc_arena gc = gc_new();
if ((mdac->flags & DAF_INITIAL_AUTH) && !(mdac->flags & DAF_CONNECTION_CLOSED))
{
- msg(M_CLIENT, ">CLIENT:ADDRESS,%lu,%s,%d",
- mdac->cid,
- mroute_addr_print_ex(addr, MAPF_SUBNET, &gc),
- BOOL_CAST(primary));
+ msg(M_CLIENT, ">CLIENT:ADDRESS,%lu,%s,%d", mdac->cid,
+ mroute_addr_print_ex(addr, MAPF_SUBNET, &gc), BOOL_CAST(primary));
}
gc_free(&gc);
}
@@ -3042,7 +2968,10 @@
if (man->connection.echo_realtime)
{
- out = log_entry_print(&e, LOG_PRINT_INT_DATE|LOG_PRINT_ECHO_PREFIX|LOG_PRINT_CRLF|MANAGEMENT_ECHO_FLAGS, &gc);
+ out = log_entry_print(&e,
+ LOG_PRINT_INT_DATE | LOG_PRINT_ECHO_PREFIX | LOG_PRINT_CRLF
+ | MANAGEMENT_ECHO_FLAGS,
+ &gc);
}
if (out)
@@ -3061,8 +2990,7 @@
* If we are running management over the tunnel,
* this is the place to initialize the connection.
*/
- if (man->settings.management_over_tunnel
- && man->connection.state == MS_INITIAL)
+ if (man->settings.management_over_tunnel && man->connection.state == MS_INITIAL)
{
/* listen on our local TUN/TAP IP address */
struct in_addr ia;
@@ -3071,12 +2999,11 @@
ia.s_addr = htonl(tun_local_ip);
inet_ntop(AF_INET, &ia, buf, sizeof(buf));
- ret = openvpn_getaddrinfo(GETADDR_PASSIVE, buf, NULL, 0, NULL,
- AF_INET, &man->settings.local);
- ASSERT(ret==0);
+ ret =
+ openvpn_getaddrinfo(GETADDR_PASSIVE, buf, NULL, 0, NULL, AF_INET, &man->settings.local);
+ ASSERT(ret == 0);
man_connection_init(man);
}
-
}
void
@@ -3124,9 +3051,7 @@
#ifdef _WIN32
void
-management_socket_set(struct management *man,
- struct event_set *es,
- void *arg,
+management_socket_set(struct management *man, struct event_set *es, void *arg,
unsigned int *persistent)
{
if (man->connection.state != MS_INITIAL)
@@ -3153,7 +3078,7 @@
case MS_CC_WAIT_WRITE:
if (man_persist_state(persistent, 3))
{
- event_ctl(es, ev, EVENT_READ|EVENT_WRITE, arg);
+ event_ctl(es, ev, EVENT_READ | EVENT_WRITE, arg);
}
break;
@@ -3186,7 +3111,8 @@
net_event_win32_clear_selected_events(&man->connection.ne32, FD_ACCEPT);
}
}
- else if (man->connection.state == MS_CC_WAIT_READ || man->connection.state == MS_CC_WAIT_WRITE)
+ else if (man->connection.state == MS_CC_WAIT_READ
+ || man->connection.state == MS_CC_WAIT_WRITE)
{
if (net_events & FD_READ)
{
@@ -3213,9 +3139,7 @@
#else /* ifdef _WIN32 */
void
-management_socket_set(struct management *man,
- struct event_set *es,
- void *arg,
+management_socket_set(struct management *man, struct event_set *es, void *arg,
unsigned int *persistent)
{
switch (man->connection.state)
@@ -3382,7 +3306,8 @@
* Process management event loop outside primary event loop
*/
static int
-man_standalone_event_loop(struct management *man, volatile int *signal_received, const time_t expire)
+man_standalone_event_loop(struct management *man, volatile int *signal_received,
+ const time_t expire)
{
int status = -1;
if (man_standalone_ok(man))
@@ -3396,18 +3321,16 @@
return status;
}
-#define MWCC_PASSWORD_WAIT (1<<0)
-#define MWCC_HOLD_WAIT (1<<1)
-#define MWCC_OTHER_WAIT (1<<2)
+#define MWCC_PASSWORD_WAIT (1 << 0)
+#define MWCC_HOLD_WAIT (1 << 1)
+#define MWCC_OTHER_WAIT (1 << 2)
/*
* Block until client connects
*/
static void
-man_wait_for_client_connection(struct management *man,
- volatile int *signal_received,
- const time_t expire,
- unsigned int flags)
+man_wait_for_client_connection(struct management *man, volatile int *signal_received,
+ const time_t expire, unsigned int flags)
{
ASSERT(man_standalone_ok(man));
if (man->connection.state == MS_LISTEN)
@@ -3492,11 +3415,8 @@
* Get a username/password from management channel in standalone mode.
*/
bool
-management_query_user_pass(struct management *man,
- struct user_pass *up,
- const char *type,
- const unsigned int flags,
- const char *static_challenge)
+management_query_user_pass(struct management *man, struct user_pass *up, const char *type,
+ const unsigned int flags, const char *static_challenge)
{
struct gc_arena gc = gc_new();
bool ret = false;
@@ -3545,10 +3465,7 @@
sc = static_challenge;
}
}
- buf_printf(&alert_msg, ">%s:Need '%s' %s",
- prefix,
- type,
- alert_type);
+ buf_printf(&alert_msg, ">%s:Need '%s' %s", prefix, type, alert_type);
if (flags & (GET_USER_PASS_NEED_OK | GET_USER_PASS_NEED_STR))
{
@@ -3559,7 +3476,7 @@
{
buf_printf(&alert_msg, " SC:%d,%s",
BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO)
- |(BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_CONCAT) << 1),
+ | (BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_CONCAT) << 1),
sc);
}
@@ -3624,8 +3541,8 @@
}
static int
-management_query_multiline(struct management *man,
- const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
+management_query_multiline(struct management *man, const char *b64_data, const char *prompt,
+ const char *cmd, int *state, struct buffer_list **input)
{
struct gc_arena gc = gc_new();
int ret = 0;
@@ -3644,12 +3561,12 @@
if (b64_data)
{
- alert_msg = alloc_buf_gc(strlen(b64_data)+strlen(prompt)+3, &gc);
+ alert_msg = alloc_buf_gc(strlen(b64_data) + strlen(prompt) + 3, &gc);
buf_printf(&alert_msg, ">%s:%s", prompt, b64_data);
}
else
{
- alert_msg = alloc_buf_gc(strlen(prompt)+3, &gc);
+ alert_msg = alloc_buf_gc(strlen(prompt) + 3, &gc);
buf_printf(&alert_msg, ">%s", prompt);
}
@@ -3702,8 +3619,9 @@
static char *
/* returns allocated base64 signature */
-management_query_multiline_flatten_newline(struct management *man,
- const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
+management_query_multiline_flatten_newline(struct management *man, const char *b64_data,
+ const char *prompt, const char *cmd, int *state,
+ struct buffer_list **input)
{
int ok;
char *result = NULL;
@@ -3716,7 +3634,7 @@
buf = buffer_list_peek(*input);
if (buf && BLEN(buf) > 0)
{
- result = (char *) malloc(BLEN(buf)+1);
+ result = (char *)malloc(BLEN(buf) + 1);
check_malloc_return(result);
memcpy(result, buf->data, BLEN(buf));
result[BLEN(buf)] = '\0';
@@ -3731,8 +3649,8 @@
static char *
/* returns allocated base64 signature */
-management_query_multiline_flatten(struct management *man,
- const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
+management_query_multiline_flatten(struct management *man, const char *b64_data, const char *prompt,
+ const char *cmd, int *state, struct buffer_list **input)
{
int ok;
char *result = NULL;
@@ -3745,7 +3663,7 @@
buf = buffer_list_peek(*input);
if (buf && BLEN(buf) > 0)
{
- result = (char *) malloc(BLEN(buf)+1);
+ result = (char *)malloc(BLEN(buf) + 1);
check_malloc_return(result);
memcpy(result, buf->data, BLEN(buf));
result[BLEN(buf)] = '\0';
@@ -3760,8 +3678,7 @@
char *
/* returns allocated base64 signature */
-management_query_pk_sig(struct management *man, const char *b64_data,
- const char *algorithm)
+management_query_pk_sig(struct management *man, const char *b64_data, const char *algorithm)
{
const char *prompt = "PK_SIGN";
const char *desc = "pk-sign";
@@ -3773,15 +3690,15 @@
desc = "rsa-sign";
}
- buf_write(&buf_data, b64_data, (int) strlen(b64_data));
+ buf_write(&buf_data, b64_data, (int)strlen(b64_data));
if (man->connection.client_version > 2)
{
- buf_write(&buf_data, ",", (int) strlen(","));
- buf_write(&buf_data, algorithm, (int) strlen(algorithm));
+ buf_write(&buf_data, ",", (int)strlen(","));
+ buf_write(&buf_data, algorithm, (int)strlen(algorithm));
}
- char *ret = management_query_multiline_flatten(man,
- (char *)buf_bptr(&buf_data), prompt, desc,
- &man->connection.ext_key_state, &man->connection.ext_key_input);
+ char *ret = management_query_multiline_flatten(man, (char *)buf_bptr(&buf_data), prompt, desc,
+ &man->connection.ext_key_state,
+ &man->connection.ext_key_input);
free_buf(&buf_data);
return ret;
}
@@ -3792,12 +3709,12 @@
const char prompt_1[] = "NEED-CERTIFICATE:";
struct buffer buf_prompt = alloc_buf(strlen(cert_name) + 20);
buf_write(&buf_prompt, prompt_1, strlen(prompt_1));
- buf_write(&buf_prompt, cert_name, strlen(cert_name)+1); /* +1 for \0 */
+ buf_write(&buf_prompt, cert_name, strlen(cert_name) + 1); /* +1 for \0 */
char *result;
- result = management_query_multiline_flatten_newline(management,
- NULL, (char *)buf_bptr(&buf_prompt), "certificate",
- &man->connection.ext_cert_state, &man->connection.ext_cert_input);
+ result = management_query_multiline_flatten_newline(
+ management, NULL, (char *)buf_bptr(&buf_prompt), "certificate",
+ &man->connection.ext_cert_state, &man->connection.ext_cert_input);
free_buf(&buf_prompt);
return result;
}
@@ -3824,7 +3741,8 @@
const bool standalone_disabled_save = man->persist.standalone_disabled;
struct gc_arena gc = gc_new();
- man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */
+ man->persist.standalone_disabled =
+ false; /* This is so M_CLIENT messages will be correctly passed through msg() */
man->persist.special_state_msg = NULL;
man->settings.mansig |= MANSIG_IGNORE_USR1_HUP;
@@ -3903,7 +3821,7 @@
int i;
for (i = 0; i < len; ++i)
{
- if (buf[i] && char_class(buf[i], (CC_PRINT|CC_NEWLINE)))
+ if (buf[i] && char_class(buf[i], (CC_PRINT | CC_NEWLINE)))
{
if (!buf_write_u8(&cl->buf, buf[i]))
{
@@ -3987,10 +3905,16 @@
}
if (flags & LOG_PRINT_REMOTE_IP)
{
- buf_printf(&out, ",%s", (!addr_defined(&e->remote_sock) ? "," :
- print_sockaddr_ex(&e->remote_sock.addr.sa, ",", PS_DONT_SHOW_FAMILY|PS_SHOW_PORT, gc)));
- buf_printf(&out, ",%s", (!addr_defined(&e->local_sock) ? "," :
- print_sockaddr_ex(&e->local_sock.addr.sa, ",", PS_DONT_SHOW_FAMILY|PS_SHOW_PORT, gc)));
+ buf_printf(&out, ",%s",
+ (!addr_defined(&e->remote_sock)
+ ? ","
+ : print_sockaddr_ex(&e->remote_sock.addr.sa, ",",
+ PS_DONT_SHOW_FAMILY | PS_SHOW_PORT, gc)));
+ buf_printf(&out, ",%s",
+ (!addr_defined(&e->local_sock)
+ ? ","
+ : print_sockaddr_ex(&e->local_sock.addr.sa, ",",
+ PS_DONT_SHOW_FAMILY | PS_SHOW_PORT, gc)));
}
if (flags & LOG_PRINT_LOCAL_IP && !IN6_IS_ADDR_UNSPECIFIED(&e->local_ip6))
{
@@ -4143,8 +4067,7 @@
void
management_check_bytecount(struct context *c, struct management *man, struct timeval *timeval)
{
- if (event_timeout_trigger(&man->connection.bytecount_update_interval,
- timeval, ETT_DEFAULT))
+ if (event_timeout_trigger(&man->connection.bytecount_update_interval, timeval, ETT_DEFAULT))
{
counter_type dco_read_bytes = 0;
counter_type dco_write_bytes = 0;
@@ -4181,7 +4104,7 @@
}
}
-#else /* ifdef ENABLE_MANAGEMENT */
+#else /* ifdef ENABLE_MANAGEMENT */
#include "win32.h"
void
@@ -24,24 +24,24 @@
#define MANAGE_H
/* management_open flags */
-#define MF_SERVER (1<<0)
-#define MF_QUERY_PASSWORDS (1<<1)
-#define MF_HOLD (1<<2)
-#define MF_SIGNAL (1<<3)
-#define MF_FORGET_DISCONNECT (1<<4)
-#define MF_CONNECT_AS_CLIENT (1<<5)
-#define MF_CLIENT_AUTH (1<<6)
+#define MF_SERVER (1 << 0)
+#define MF_QUERY_PASSWORDS (1 << 1)
+#define MF_HOLD (1 << 2)
+#define MF_SIGNAL (1 << 3)
+#define MF_FORGET_DISCONNECT (1 << 4)
+#define MF_CONNECT_AS_CLIENT (1 << 5)
+#define MF_CLIENT_AUTH (1 << 6)
/* #define MF_CLIENT_PF (1<<7) *REMOVED FEATURE* */
-#define MF_UNIX_SOCK (1<<8)
-#define MF_EXTERNAL_KEY (1<<9)
-#define MF_EXTERNAL_KEY_NOPADDING (1<<10)
-#define MF_EXTERNAL_KEY_PKCS1PAD (1<<11)
-#define MF_UP_DOWN (1<<12)
-#define MF_QUERY_REMOTE (1<<13)
-#define MF_QUERY_PROXY (1<<14)
-#define MF_EXTERNAL_CERT (1<<15)
-#define MF_EXTERNAL_KEY_PSSPAD (1<<16)
-#define MF_EXTERNAL_KEY_DIGEST (1<<17)
+#define MF_UNIX_SOCK (1 << 8)
+#define MF_EXTERNAL_KEY (1 << 9)
+#define MF_EXTERNAL_KEY_NOPADDING (1 << 10)
+#define MF_EXTERNAL_KEY_PKCS1PAD (1 << 11)
+#define MF_UP_DOWN (1 << 12)
+#define MF_QUERY_REMOTE (1 << 13)
+#define MF_QUERY_PROXY (1 << 14)
+#define MF_EXTERNAL_CERT (1 << 15)
+#define MF_EXTERNAL_KEY_PSSPAD (1 << 16)
+#define MF_EXTERNAL_KEY_DIGEST (1 << 17)
#ifdef ENABLE_MANAGEMENT
@@ -51,21 +51,22 @@
#include "socket.h"
#include "mroute.h"
-#define MANAGEMENT_VERSION 5
-#define MANAGEMENT_N_PASSWORD_RETRIES 3
-#define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE 100
-#define MANAGEMENT_ECHO_BUFFER_SIZE 100
-#define MANAGEMENT_STATE_BUFFER_SIZE 100
+#define MANAGEMENT_VERSION 5
+#define MANAGEMENT_N_PASSWORD_RETRIES 3
+#define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE 100
+#define MANAGEMENT_ECHO_BUFFER_SIZE 100
+#define MANAGEMENT_STATE_BUFFER_SIZE 100
/*
* Management-interface-based deferred authentication
*/
-struct man_def_auth_context {
+struct man_def_auth_context
+{
unsigned long cid;
-#define DAF_CONNECTION_ESTABLISHED (1<<0)
-#define DAF_CONNECTION_CLOSED (1<<1)
-#define DAF_INITIAL_AUTH (1<<2)
+#define DAF_CONNECTION_ESTABLISHED (1 << 0)
+#define DAF_CONNECTION_CLOSED (1 << 1)
+#define DAF_INITIAL_AUTH (1 << 2)
unsigned int flags;
unsigned int mda_key_id_counter;
@@ -98,7 +99,8 @@
* Manage log file history
*/
-union log_entry_union {
+union log_entry_union
+{
unsigned int msg_flags;
int state;
int intval;
@@ -115,23 +117,23 @@
union log_entry_union u;
};
-#define LOG_PRINT_LOG_PREFIX (1<<0)
-#define LOG_PRINT_ECHO_PREFIX (1<<1)
-#define LOG_PRINT_STATE_PREFIX (1<<2)
+#define LOG_PRINT_LOG_PREFIX (1 << 0)
+#define LOG_PRINT_ECHO_PREFIX (1 << 1)
+#define LOG_PRINT_STATE_PREFIX (1 << 2)
-#define LOG_PRINT_INT_DATE (1<<3)
-#define LOG_PRINT_MSG_FLAGS (1<<4)
-#define LOG_PRINT_STATE (1<<5)
-#define LOG_PRINT_LOCAL_IP (1<<6)
+#define LOG_PRINT_INT_DATE (1 << 3)
+#define LOG_PRINT_MSG_FLAGS (1 << 4)
+#define LOG_PRINT_STATE (1 << 5)
+#define LOG_PRINT_LOCAL_IP (1 << 6)
-#define LOG_PRINT_CRLF (1<<7)
-#define LOG_FATAL_NOTIFY (1<<8)
+#define LOG_PRINT_CRLF (1 << 7)
+#define LOG_FATAL_NOTIFY (1 << 8)
-#define LOG_PRINT_INTVAL (1<<9)
+#define LOG_PRINT_INTVAL (1 << 9)
-#define LOG_PRINT_REMOTE_IP (1<<10)
+#define LOG_PRINT_REMOTE_IP (1 << 10)
-#define LOG_ECHO_TO_LOG (1<<11)
+#define LOG_ECHO_TO_LOG (1 << 11)
const char *log_entry_print(const struct log_entry *e, unsigned int flags, struct gc_arena *gc);
@@ -173,32 +175,25 @@
{
void *arg;
-#define MCF_SERVER (1<<0) /* is OpenVPN being run as a server? */
+#define MCF_SERVER (1 << 0) /* is OpenVPN being run as a server? */
unsigned int flags;
- void (*status) (void *arg, const int version, struct status_output *so);
- void (*show_net) (void *arg, const int msglevel);
- int (*kill_by_cn) (void *arg, const char *common_name);
- int (*kill_by_addr) (void *arg, const in_addr_t addr, const int port, const int proto);
- void (*delete_event) (void *arg, event_t event);
- int (*n_clients) (void *arg);
- bool (*send_cc_message) (void *arg, const char *message, const char *parameter);
+ void (*status)(void *arg, const int version, struct status_output *so);
+ void (*show_net)(void *arg, const int msglevel);
+ int (*kill_by_cn)(void *arg, const char *common_name);
+ int (*kill_by_addr)(void *arg, const in_addr_t addr, const int port, const int proto);
+ void (*delete_event)(void *arg, event_t event);
+ int (*n_clients)(void *arg);
+ bool (*send_cc_message)(void *arg, const char *message, const char *parameter);
bool (*kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg);
- bool (*client_auth) (void *arg,
- const unsigned long cid,
- const unsigned int mda_key_id,
- const bool auth,
- const char *reason,
- const char *client_reason,
- struct buffer_list *cc_config); /* ownership transferred */
- bool (*client_pending_auth) (void *arg,
- const unsigned long cid,
- const unsigned int kid,
- const char *extra,
- unsigned int timeout);
- char *(*get_peer_info) (void *arg, const unsigned long cid);
+ bool (*client_auth)(void *arg, const unsigned long cid, const unsigned int mda_key_id,
+ const bool auth, const char *reason, const char *client_reason,
+ struct buffer_list *cc_config); /* ownership transferred */
+ bool (*client_pending_auth)(void *arg, const unsigned long cid, const unsigned int kid,
+ const char *extra, unsigned int timeout);
+ char *(*get_peer_info)(void *arg, const unsigned long cid);
bool (*proxy_cmd)(void *arg, const char **p);
- bool (*remote_cmd) (void *arg, const char **p);
+ bool (*remote_cmd)(void *arg, const char **p);
#ifdef TARGET_ANDROID
int (*network_change)(void *arg, bool samenetwork);
#endif
@@ -220,7 +215,8 @@
* connections.
*/
-struct man_persist {
+struct man_persist
+{
bool defined;
struct log_history *log;
@@ -240,7 +236,8 @@
counter_type bytes_out;
};
-struct man_settings {
+struct man_settings
+{
bool defined;
unsigned int flags; /* MF_x flags */
struct addrinfo *local;
@@ -256,9 +253,9 @@
int client_gid;
/* flags for handling the management interface "signal" command */
-#define MANSIG_IGNORE_USR1_HUP (1<<0)
-#define MANSIG_MAP_USR1_TO_HUP (1<<1)
-#define MANSIG_MAP_USR1_TO_TERM (1<<2)
+#define MANSIG_IGNORE_USR1_HUP (1 << 0)
+#define MANSIG_MAP_USR1_TO_HUP (1 << 1)
+#define MANSIG_MAP_USR1_TO_TERM (1 << 2)
unsigned int mansig;
};
@@ -270,12 +267,13 @@
#define UP_QUERY_NEED_STR 4
/* states */
-#define MS_INITIAL 0 /* all sockets are closed */
-#define MS_LISTEN 1 /* no client is connected */
-#define MS_CC_WAIT_READ 2 /* client is connected, waiting for read on socket */
-#define MS_CC_WAIT_WRITE 3 /* client is connected, waiting for ability to write to socket */
+#define MS_INITIAL 0 /* all sockets are closed */
+#define MS_LISTEN 1 /* no client is connected */
+#define MS_CC_WAIT_READ 2 /* client is connected, waiting for read on socket */
+#define MS_CC_WAIT_WRITE 3 /* client is connected, waiting for ability to write to socket */
-struct man_connection {
+struct man_connection
+{
int state;
socket_descriptor_t sd_top;
@@ -344,16 +342,10 @@
struct management *management_init(void);
-bool management_open(struct management *man,
- const char *addr,
- const char *port,
- const char *pass_file,
- const char *client_user,
- const char *client_group,
- const int log_history_cache,
- const int echo_buffer_size,
- const int state_buffer_size,
- const int remap_sigusr1,
+bool management_open(struct management *man, const char *addr, const char *port,
+ const char *pass_file, const char *client_user, const char *client_group,
+ const int log_history_cache, const int echo_buffer_size,
+ const int state_buffer_size, const int remap_sigusr1,
const unsigned int flags);
void management_close(struct management *man);
@@ -362,28 +354,22 @@
void management_pre_tunnel_close(struct management *man);
-void management_socket_set(struct management *man,
- struct event_set *es,
- void *arg,
+void management_socket_set(struct management *man, struct event_set *es, void *arg,
unsigned int *persistent);
void management_io(struct management *man);
-void management_set_callback(struct management *man,
- const struct management_callback *cb);
+void management_set_callback(struct management *man, const struct management_callback *cb);
void management_clear_callback(struct management *man);
-bool management_query_user_pass(struct management *man,
- struct user_pass *up,
- const char *type,
- const unsigned int flags,
- const char *static_challenge);
+bool management_query_user_pass(struct management *man, struct user_pass *up, const char *type,
+ const unsigned int flags, const char *static_challenge);
#ifdef TARGET_ANDROID
bool management_android_control(struct management *man, const char *command, const char *msg);
-#define ANDROID_KEEP_OLD_TUN 1
+#define ANDROID_KEEP_OLD_TUN 1
#define ANDROID_OPEN_BEFORE_CLOSE 2
int managment_android_persisttun_action(struct management *man);
@@ -397,7 +383,8 @@
void management_up_down(struct management *man, const char *updown, const struct env_set *es);
-void management_notify(struct management *man, const char *severity, const char *type, const char *text);
+void management_notify(struct management *man, const char *severity, const char *type,
+ const char *text);
void management_notify_generic(struct management *man, const char *str);
@@ -407,25 +394,19 @@
const struct env_set *es);
void management_connection_established(struct management *management,
- struct man_def_auth_context *mdac,
- const struct env_set *es);
+ struct man_def_auth_context *mdac, const struct env_set *es);
void management_notify_client_close(struct management *management,
- struct man_def_auth_context *mdac,
- const struct env_set *es);
+ struct man_def_auth_context *mdac, const struct env_set *es);
-void management_learn_addr(struct management *management,
- struct man_def_auth_context *mdac,
- const struct mroute_addr *addr,
- const bool primary);
+void management_learn_addr(struct management *management, struct man_def_auth_context *mdac,
+ const struct mroute_addr *addr, const bool primary);
void management_notify_client_cr_response(unsigned mda_key_id,
const struct man_def_auth_context *mdac,
- const struct env_set *es,
- const char *response);
+ const struct env_set *es, const char *response);
-char *management_query_pk_sig(struct management *man, const char *b64_data,
- const char *algorithm);
+char *management_query_pk_sig(struct management *man, const char *b64_data, const char *algorithm);
char *management_query_cert(struct management *man, const char *cert_name);
@@ -465,30 +446,28 @@
*/
/* client/server states */
-#define OPENVPN_STATE_INITIAL 0 /* Initial, undefined state */
-#define OPENVPN_STATE_CONNECTING 1 /* Management interface has been initialized */
-#define OPENVPN_STATE_ASSIGN_IP 2 /* Assigning IP address to virtual network interface */
-#define OPENVPN_STATE_ADD_ROUTES 3 /* Adding routes to system */
-#define OPENVPN_STATE_CONNECTED 4 /* Initialization sequence completed */
-#define OPENVPN_STATE_RECONNECTING 5 /* Restart */
-#define OPENVPN_STATE_EXITING 6 /* Exit */
+#define OPENVPN_STATE_INITIAL 0 /* Initial, undefined state */
+#define OPENVPN_STATE_CONNECTING 1 /* Management interface has been initialized */
+#define OPENVPN_STATE_ASSIGN_IP 2 /* Assigning IP address to virtual network interface */
+#define OPENVPN_STATE_ADD_ROUTES 3 /* Adding routes to system */
+#define OPENVPN_STATE_CONNECTED 4 /* Initialization sequence completed */
+#define OPENVPN_STATE_RECONNECTING 5 /* Restart */
+#define OPENVPN_STATE_EXITING 6 /* Exit */
/* client-only states */
-#define OPENVPN_STATE_WAIT 7 /* Waiting for initial response from server */
-#define OPENVPN_STATE_AUTH 8 /* Authenticating with server */
-#define OPENVPN_STATE_GET_CONFIG 9 /* Downloading configuration from server */
-#define OPENVPN_STATE_RESOLVE 10 /* DNS lookup */
-#define OPENVPN_STATE_TCP_CONNECT 11 /* Connecting to TCP server */
-#define OPENVPN_STATE_AUTH_PENDING 12 /* Waiting in auth-pending mode
- * technically variant of GET_CONFIG */
+#define OPENVPN_STATE_WAIT 7 /* Waiting for initial response from server */
+#define OPENVPN_STATE_AUTH 8 /* Authenticating with server */
+#define OPENVPN_STATE_GET_CONFIG 9 /* Downloading configuration from server */
+#define OPENVPN_STATE_RESOLVE 10 /* DNS lookup */
+#define OPENVPN_STATE_TCP_CONNECT 11 /* Connecting to TCP server */
+#define OPENVPN_STATE_AUTH_PENDING \
+ 12 /* Waiting in auth-pending mode \
+ * technically variant of GET_CONFIG */
-#define OPENVPN_STATE_CLIENT_BASE 7 /* Base index of client-only states */
+#define OPENVPN_STATE_CLIENT_BASE 7 /* Base index of client-only states */
-void management_set_state(struct management *man,
- const int state,
- const char *detail,
- const in_addr_t *tun_local_ip,
- const struct in6_addr *tun_local_ip6,
+void management_set_state(struct management *man, const int state, const char *detail,
+ const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6,
const struct openvpn_sockaddr *local_addr,
const struct openvpn_sockaddr *remote_addr);
@@ -513,15 +492,10 @@
* These functions drive the bytecount in/out counters.
*/
-void
-management_check_bytecount(struct context *c,
- struct management *man,
- struct timeval *timeval);
+void management_check_bytecount(struct context *c, struct management *man, struct timeval *timeval);
static inline void
-management_bytes_client(struct management *man,
- const int size_in,
- const int size_out)
+management_bytes_client(struct management *man, const int size_in, const int size_out)
{
if (!(man->persist.callback.flags & MCF_SERVER))
{
@@ -530,27 +504,24 @@
}
}
-void
-man_bytecount_output_server(const counter_type *bytes_in_total,
- const counter_type *bytes_out_total,
- struct man_def_auth_context *mdac);
+void man_bytecount_output_server(const counter_type *bytes_in_total,
+ const counter_type *bytes_out_total,
+ struct man_def_auth_context *mdac);
static inline void
-management_bytes_server(struct management *man,
- const counter_type *bytes_in_total,
- const counter_type *bytes_out_total,
- struct man_def_auth_context *mdac)
+management_bytes_server(struct management *man, const counter_type *bytes_in_total,
+ const counter_type *bytes_out_total, struct man_def_auth_context *mdac)
{
if (man->connection.bytecount_update_seconds > 0
&& now >= mdac->bytecount_last_update + man->connection.bytecount_update_seconds
- && (mdac->flags & (DAF_CONNECTION_ESTABLISHED | DAF_CONNECTION_CLOSED)) == DAF_CONNECTION_ESTABLISHED)
+ && (mdac->flags & (DAF_CONNECTION_ESTABLISHED | DAF_CONNECTION_CLOSED))
+ == DAF_CONNECTION_ESTABLISHED)
{
man_bytecount_output_server(bytes_in_total, bytes_out_total, mdac);
}
}
-void
-man_persist_client_stats(struct management *man, struct context *c);
+void man_persist_client_stats(struct management *man, struct context *c);
#endif /* ifdef ENABLE_MANAGEMENT */
@@ -48,7 +48,7 @@
#include <mbedtls/x509_crt.h>
#ifdef HAVE_PSA_CRYPTO_H
- #include <psa/crypto.h>
+#include <psa/crypto.h>
#endif
#if MBEDTLS_VERSION_NUMBER >= 0x03000000
@@ -89,8 +89,7 @@
* an error code.
*/
static inline int
-mbedtls_compat_ctr_drbg_update(mbedtls_ctr_drbg_context *ctx,
- const unsigned char *additional,
+mbedtls_compat_ctr_drbg_update(mbedtls_ctr_drbg_context *ctx, const unsigned char *additional,
size_t add_len)
{
#if MBEDTLS_VERSION_NUMBER > 0x03000000
@@ -115,8 +114,7 @@
}
static inline int
-mbedtls_compat_pk_parse_key(mbedtls_pk_context *ctx,
- const unsigned char *key, size_t keylen,
+mbedtls_compat_pk_parse_key(mbedtls_pk_context *ctx, const unsigned char *key, size_t keylen,
const unsigned char *pwd, size_t pwdlen,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
{
@@ -128,8 +126,7 @@
}
static inline int
-mbedtls_compat_pk_parse_keyfile(mbedtls_pk_context *ctx,
- const char *path, const char *password,
+mbedtls_compat_pk_parse_keyfile(mbedtls_pk_context *ctx, const char *path, const char *password,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
{
#if MBEDTLS_VERSION_NUMBER < 0x03020100
@@ -140,8 +137,9 @@
}
#if MBEDTLS_VERSION_NUMBER < 0x03020100
-typedef enum {
- MBEDTLS_SSL_VERSION_UNKNOWN, /*!< Context not in use or version not yet negotiated. */
+typedef enum
+{
+ MBEDTLS_SSL_VERSION_UNKNOWN, /*!< Context not in use or version not yet negotiated. */
MBEDTLS_SSL_VERSION_TLS1_2 = 0x0303, /*!< (D)TLS 1.2 */
MBEDTLS_SSL_VERSION_TLS1_3 = 0x0304, /*!< (D)TLS 1.3 */
} mbedtls_ssl_protocol_version;
@@ -50,7 +50,7 @@
if (ms)
{
int i;
- for (i = 0; i < (int) ms->len; ++i)
+ for (i = 0; i < (int)ms->len; ++i)
{
struct mbuf_item *item = &ms->array[MBUF_INDEX(ms->head, i, ms->capacity)];
mbuf_free_buf(item->buffer);
@@ -134,7 +134,7 @@
if (ms)
{
int i;
- for (i = 0; i < (int) ms->len; ++i)
+ for (i = 0; i < (int)ms->len; ++i)
{
struct mbuf_item *item = &ms->array[MBUF_INDEX(ms->head, i, ms->capacity)];
if (item->instance)
@@ -153,7 +153,7 @@
if (ms)
{
int i;
- for (i = 0; i < (int) ms->len; ++i)
+ for (i = 0; i < (int)ms->len; ++i)
{
struct mbuf_item *item = &ms->array[MBUF_INDEX(ms->head, i, ms->capacity)];
if (item->instance == mi)
@@ -35,14 +35,14 @@
struct multi_instance;
-#define MBUF_INDEX(head, offset, size) (((head) + (offset)) & ((size)-1))
+#define MBUF_INDEX(head, offset, size) (((head) + (offset)) & ((size) - 1))
struct mbuf_buffer
{
struct buffer buf;
int refcount;
-#define MF_UNICAST (1<<0)
+#define MF_UNICAST (1 << 0)
unsigned int flags;
};
@@ -90,7 +90,7 @@
static inline int
mbuf_maximum_queued(const struct mbuf_set *ms)
{
- return (int) ms->max_queued;
+ return (int)ms->max_queued;
}
struct multi_instance *mbuf_peek_dowork(struct mbuf_set *ms);
@@ -38,7 +38,8 @@
* from uninitialized data, we need to untaint it before use --
* otherwise we will get a lot of useless warnings.
*
- * valgrind --tool=memcheck --error-limit=no --suppressions=debug/valgrind-suppress --gen-suppressions=yes ./openvpn ...
+ * valgrind --tool=memcheck --error-limit=no --suppressions=debug/valgrind-suppress
+ * --gen-suppressions=yes ./openvpn ...
*/
#ifdef USE_VALGRIND
@@ -47,7 +48,7 @@
#define VALGRIND_MAKE_READABLE(addr, len)
-#else /* ifdef USE_VALGRIND */
+#else /* ifdef USE_VALGRIND */
#define VALGRIND_MAKE_READABLE(addr, len)
@@ -85,7 +86,8 @@
#include <dmalloc.h>
-#define openvpn_dmalloc(file, line, size) dmalloc_malloc((file), (line), (size), DMALLOC_FUNC_MALLOC, 0, 0)
+#define openvpn_dmalloc(file, line, size) \
+ dmalloc_malloc((file), (line), (size), DMALLOC_FUNC_MALLOC, 0, 0)
/*
* This #define will put the line number of the log
@@ -84,7 +84,7 @@
uint8_t rnd_bytes[n_rnd_bytes];
const char *rnd_str;
- struct buffer hname = alloc_buf_gc(strlen(hostname)+sizeof(rnd_bytes)*2+4, gc);
+ struct buffer hname = alloc_buf_gc(strlen(hostname) + sizeof(rnd_bytes) * 2 + 4, gc);
prng_bytes(rnd_bytes, sizeof(rnd_bytes));
rnd_str = format_hex_ex(rnd_bytes, sizeof(rnd_bytes), 40, 0, NULL, gc);
@@ -118,7 +118,9 @@
}
else
{
- msg(M_FATAL, "ERROR: could not read %s username/password/ok/string from management interface", prefix);
+ msg(M_FATAL,
+ "ERROR: could not read %s username/password/ok/string from management interface",
+ prefix);
}
}
return true;
@@ -134,7 +136,8 @@
* @param auth_challenge The authentication challenge string to parse. Can't be NULL.
* @param gc The gc_arena structure for memory allocation.
*
- * @return A pointer to the parsed auth_challenge_info structure, or NULL if parsing fails.
+ * @return A pointer to the parsed auth_challenge_info structure, or NULL if parsing
+ * fails.
*/
static struct auth_challenge_info *
parse_auth_challenge(const char *auth_challenge, struct gc_arena *gc)
@@ -143,7 +146,7 @@
struct auth_challenge_info *ac;
const int len = strlen(auth_challenge);
- char *work = (char *) gc_malloc(len+1, false, gc);
+ char *work = (char *)gc_malloc(len + 1, false, gc);
char *cp;
struct buffer b;
@@ -191,7 +194,7 @@
{
return NULL;
}
- ac->user = (char *) gc_malloc(strlen(work)+1, true, gc);
+ ac->user = (char *)gc_malloc(strlen(work) + 1, true, gc);
openvpn_base64_decode(work, (void *)ac->user, -1);
/* parse challenge text */
@@ -207,11 +210,8 @@
*/
bool
-get_user_pass_cr(struct user_pass *up,
- const char *auth_file,
- const char *prefix,
- const unsigned int flags,
- const char *auth_challenge)
+get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix,
+ const unsigned int flags, const char *auth_challenge)
{
struct gc_arena gc = gc_new();
@@ -232,8 +232,7 @@
/*
* Get username/password from management interface?
*/
- if (management
- && (!from_authfile && (flags & GET_USER_PASS_MANAGEMENT))
+ if (management && (!from_authfile && (flags & GET_USER_PASS_MANAGEMENT))
&& management_query_user_pass_enabled(management))
{
response_from_stdin = false;
@@ -244,118 +243,119 @@
}
else
#endif /* ifdef ENABLE_MANAGEMENT */
- /*
- * Get NEED_OK confirmation from the console
- */
- if (flags & GET_USER_PASS_NEED_OK)
- {
- struct buffer user_prompt = alloc_buf_gc(128, &gc);
-
- buf_printf(&user_prompt, "NEED-OK|%s|%s:", prefix, up->username);
- if (!query_user_SINGLE(BSTR(&user_prompt), BLEN(&user_prompt),
- up->password, USER_PASS_LEN, false))
- {
- msg(M_FATAL, "ERROR: could not read %s ok-confirmation from stdin", prefix);
- }
-
- if (!strlen(up->password))
- {
- strcpy(up->password, "ok");
- }
- }
- else if (flags & GET_USER_PASS_INLINE_CREDS)
- {
- struct buffer buf;
- buf_set_read(&buf, (uint8_t *) auth_file, strlen(auth_file) + 1);
- if (!(flags & GET_USER_PASS_PASSWORD_ONLY))
- {
- buf_parse(&buf, '\n', up->username, USER_PASS_LEN);
- }
- buf_parse(&buf, '\n', up->password, USER_PASS_LEN);
-
- if (strlen(up->password) == 0)
- {
- password_from_stdin = 1;
- }
- }
- /*
- * Read from auth file unless this is a dynamic challenge request.
- */
- else if (from_authfile && !(flags & GET_USER_PASS_DYNAMIC_CHALLENGE))
- {
/*
- * Try to get username/password from a file.
+ * Get NEED_OK confirmation from the console
*/
- FILE *fp;
- char password_buf[USER_PASS_LEN] = { '\0' };
-
- fp = platform_fopen(auth_file, "r");
- if (!fp)
+ if (flags & GET_USER_PASS_NEED_OK)
{
- msg(M_ERR, "Error opening '%s' auth file: %s", prefix, auth_file);
- }
+ struct buffer user_prompt = alloc_buf_gc(128, &gc);
- if ((flags & GET_USER_PASS_PASSWORD_ONLY) == 0)
- {
- /* Read username first */
- if (fgets(up->username, USER_PASS_LEN, fp) == NULL)
+ buf_printf(&user_prompt, "NEED-OK|%s|%s:", prefix, up->username);
+ if (!query_user_SINGLE(BSTR(&user_prompt), BLEN(&user_prompt), up->password,
+ USER_PASS_LEN, false))
{
- msg(M_FATAL, "Error reading username from %s authfile: %s",
- prefix,
+ msg(M_FATAL, "ERROR: could not read %s ok-confirmation from stdin", prefix);
+ }
+
+ if (!strlen(up->password))
+ {
+ strcpy(up->password, "ok");
+ }
+ }
+ else if (flags & GET_USER_PASS_INLINE_CREDS)
+ {
+ struct buffer buf;
+ buf_set_read(&buf, (uint8_t *)auth_file, strlen(auth_file) + 1);
+ if (!(flags & GET_USER_PASS_PASSWORD_ONLY))
+ {
+ buf_parse(&buf, '\n', up->username, USER_PASS_LEN);
+ }
+ buf_parse(&buf, '\n', up->password, USER_PASS_LEN);
+
+ if (strlen(up->password) == 0)
+ {
+ password_from_stdin = 1;
+ }
+ }
+ /*
+ * Read from auth file unless this is a dynamic challenge request.
+ */
+ else if (from_authfile && !(flags & GET_USER_PASS_DYNAMIC_CHALLENGE))
+ {
+ /*
+ * Try to get username/password from a file.
+ */
+ FILE *fp;
+ char password_buf[USER_PASS_LEN] = { '\0' };
+
+ fp = platform_fopen(auth_file, "r");
+ if (!fp)
+ {
+ msg(M_ERR, "Error opening '%s' auth file: %s", prefix, auth_file);
+ }
+
+ if ((flags & GET_USER_PASS_PASSWORD_ONLY) == 0)
+ {
+ /* Read username first */
+ if (fgets(up->username, USER_PASS_LEN, fp) == NULL)
+ {
+ msg(M_FATAL, "Error reading username from %s authfile: %s", prefix,
+ auth_file);
+ }
+ }
+ chomp(up->username);
+
+ if (fgets(password_buf, USER_PASS_LEN, fp) != NULL)
+ {
+ chomp(password_buf);
+ }
+
+ if (flags & GET_USER_PASS_PASSWORD_ONLY && !password_buf[0])
+ {
+ msg(M_FATAL, "Error reading password from %s authfile: %s", prefix, auth_file);
+ }
+
+ if (password_buf[0])
+ {
+ strncpy(up->password, password_buf, USER_PASS_LEN);
+ }
+ /* The auth-file does not have the password: get both username
+ * and password from the management interface if possible.
+ * Otherwise set to read password from console.
+ */
+#if defined(ENABLE_MANAGEMENT)
+ else if (management && (flags & GET_USER_PASS_MANAGEMENT)
+ && management_query_user_pass_enabled(management))
+ {
+ msg(D_LOW,
+ "No password found in %s authfile '%s'. Querying the management interface",
+ prefix, auth_file);
+ if (!auth_user_pass_mgmt(up, prefix, flags, auth_challenge))
+ {
+ fclose(fp);
+ return false;
+ }
+ }
+#endif
+ else
+ {
+ password_from_stdin = 1;
+ }
+
+ fclose(fp);
+
+ if (!(flags & GET_USER_PASS_PASSWORD_ONLY) && strlen(up->username) == 0)
+ {
+ msg(M_FATAL, "ERROR: username from %s authfile '%s' is empty", prefix,
auth_file);
}
}
- chomp(up->username);
-
- if (fgets(password_buf, USER_PASS_LEN, fp) != NULL)
- {
- chomp(password_buf);
- }
-
- if (flags & GET_USER_PASS_PASSWORD_ONLY && !password_buf[0])
- {
- msg(M_FATAL, "Error reading password from %s authfile: %s", prefix, auth_file);
- }
-
- if (password_buf[0])
- {
- strncpy(up->password, password_buf, USER_PASS_LEN);
- }
- /* The auth-file does not have the password: get both username
- * and password from the management interface if possible.
- * Otherwise set to read password from console.
- */
-#if defined(ENABLE_MANAGEMENT)
- else if (management
- && (flags & GET_USER_PASS_MANAGEMENT)
- && management_query_user_pass_enabled(management))
- {
- msg(D_LOW, "No password found in %s authfile '%s'. Querying the management interface", prefix, auth_file);
- if (!auth_user_pass_mgmt(up, prefix, flags, auth_challenge))
- {
- fclose(fp);
- return false;
- }
- }
-#endif
else
{
- password_from_stdin = 1;
+ username_from_stdin = true;
+ password_from_stdin = true;
}
- fclose(fp);
-
- if (!(flags & GET_USER_PASS_PASSWORD_ONLY) && strlen(up->username) == 0)
- {
- msg(M_FATAL, "ERROR: username from %s authfile '%s' is empty", prefix, auth_file);
- }
- }
- else
- {
- username_from_stdin = true;
- password_from_stdin = true;
- }
-
/*
* Get username/password from standard input?
*/
@@ -367,15 +367,15 @@
struct auth_challenge_info *ac = parse_auth_challenge(auth_challenge, &gc);
if (ac)
{
- char *response = (char *) gc_malloc(USER_PASS_LEN, false, &gc);
+ char *response = (char *)gc_malloc(USER_PASS_LEN, false, &gc);
struct buffer packed_resp, challenge;
- challenge = alloc_buf_gc(14+strlen(ac->challenge_text), &gc);
+ challenge = alloc_buf_gc(14 + strlen(ac->challenge_text), &gc);
buf_printf(&challenge, "CHALLENGE: %s", ac->challenge_text);
buf_set_write(&packed_resp, (uint8_t *)up->password, USER_PASS_LEN);
- if (!query_user_SINGLE(BSTR(&challenge), BLEN(&challenge),
- response, USER_PASS_LEN, BOOL_CAST(ac->flags&CR_ECHO)))
+ if (!query_user_SINGLE(BSTR(&challenge), BLEN(&challenge), response,
+ USER_PASS_LEN, BOOL_CAST(ac->flags & CR_ECHO)))
{
msg(M_FATAL, "ERROR: could not read challenge response from stdin");
}
@@ -399,17 +399,17 @@
if (username_from_stdin && !(flags & GET_USER_PASS_PASSWORD_ONLY))
{
- query_user_add(BSTR(&user_prompt), BLEN(&user_prompt),
- up->username, USER_PASS_LEN, true);
+ query_user_add(BSTR(&user_prompt), BLEN(&user_prompt), up->username,
+ USER_PASS_LEN, true);
}
if (password_from_stdin)
{
- query_user_add(BSTR(&pass_prompt), BLEN(&pass_prompt),
- up->password, USER_PASS_LEN, false);
+ query_user_add(BSTR(&pass_prompt), BLEN(&pass_prompt), up->password,
+ USER_PASS_LEN, false);
}
- if (!query_user_exec() )
+ if (!query_user_exec())
{
msg(M_FATAL, "ERROR: Failed retrieving username or password");
}
@@ -423,17 +423,18 @@
}
#ifdef ENABLE_MANAGEMENT
- if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE) && response_from_stdin)
+ if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE)
+ && response_from_stdin)
{
- char *response = (char *) gc_malloc(USER_PASS_LEN, false, &gc);
+ char *response = (char *)gc_malloc(USER_PASS_LEN, false, &gc);
struct buffer packed_resp, challenge;
char *pw64 = NULL, *resp64 = NULL;
- challenge = alloc_buf_gc(14+strlen(auth_challenge), &gc);
+ challenge = alloc_buf_gc(14 + strlen(auth_challenge), &gc);
buf_printf(&challenge, "CHALLENGE: %s", auth_challenge);
- if (!query_user_SINGLE(BSTR(&challenge), BLEN(&challenge),
- response, USER_PASS_LEN,
+ if (!query_user_SINGLE(BSTR(&challenge), BLEN(&challenge), response,
+ USER_PASS_LEN,
BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO)))
{
msg(M_FATAL, "ERROR: could not retrieve static challenge response");
@@ -456,7 +457,8 @@
{
if (strlen(up->password) + strlen(response) >= USER_PASS_LEN)
{
- msg(M_FATAL, "ERROR: could not concatenate password/static_response: string too long");
+ msg(M_FATAL,
+ "ERROR: could not concatenate password/static_response: string too long");
}
strncat(up->password, response, USER_PASS_LEN - strlen(up->password) - 1);
}
@@ -499,7 +501,8 @@
*/
if (!warn_shown)
{
- msg(M_WARN, "WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this");
+ msg(M_WARN,
+ "WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this");
warn_shown = true;
}
}
@@ -594,7 +597,7 @@
char **ret = NULL;
int i = 0;
- buf_set_read(&buf, (const uint8_t *) str, strlen(str));
+ buf_set_read(&buf, (const uint8_t *)str, strlen(str));
while (buf_parse(&buf, '\n', line, sizeof(line)))
{
++len;
@@ -603,7 +606,7 @@
/* alloc return array */
ALLOC_ARRAY_CLEAR_GC(ret, char *, len + 1, gc);
- buf_set_read(&buf, (const uint8_t *) str, strlen(str));
+ buf_set_read(&buf, (const uint8_t *)str, strlen(str));
while (buf_parse(&buf, '\n', line, sizeof(line)))
{
chomp(line);
@@ -668,12 +671,12 @@
const char *
sanitize_control_message(const char *src, struct gc_arena *gc)
{
- char *ret = gc_malloc(strlen(src)+1, false, gc);
+ char *ret = gc_malloc(strlen(src) + 1, false, gc);
char *dest = ret;
bool redact = false;
int skip = 0;
- for (;; )
+ for (;;)
{
const char c = *src;
if (c == '\0')
@@ -690,8 +693,7 @@
skip = 4;
redact = true;
}
- else if (!check_debug_level(D_SHOW_KEYS)
- && (c == 'a' && !strncmp(src, "auth-token ", 11)))
+ else if (!check_debug_level(D_SHOW_KEYS) && (c == 'a' && !strncmp(src, "auth-token ", 11)))
{
/* Unless --verb is 7 or higher (D_SHOW_KEYS), hide
* the auth-token value coming in the src string
@@ -755,8 +757,7 @@
case 2:
/* after the '=', replace non-printable or shell meta with '_' */
- if (!isprint(c) || isspace(c)
- || c == '$' || c == '(' || c == '`')
+ if (!isprint(c) || isspace(c) || c == '$' || c == '(' || c == '`')
{
*line = '_';
}
@@ -771,12 +772,12 @@
{
char line[256];
struct buffer buf;
- buf_set_read(&buf, (const uint8_t *) peer_info, strlen(peer_info));
+ buf_set_read(&buf, (const uint8_t *)peer_info, strlen(peer_info));
while (buf_parse(&buf, '\n', line, sizeof(line)))
{
chomp(line);
if (validate_peer_info_line(line)
- && (strncmp(line, "IV_", 3) == 0 || strncmp(line, "UV_", 3) == 0) )
+ && (strncmp(line, "IV_", 3) == 0 || strncmp(line, "UV_", 3) == 0))
{
msg(M_INFO, "peer info: %s", line);
env_set_add(es, line);
@@ -42,8 +42,7 @@
const char **make_arg_array(const char *first, const char *parms, struct gc_arena *gc);
-const char **make_extended_arg_array(char **p, bool is_inline,
- struct gc_arena *gc);
+const char **make_extended_arg_array(char **p, bool is_inline, struct gc_arena *gc);
/* prepend a random prefix to hostname */
const char *hostname_randomize(const char *hostname, struct gc_arena *gc);
@@ -76,9 +75,10 @@
/*
* Challenge response info on client as pushed by server.
*/
-struct auth_challenge_info {
-#define CR_ECHO (1<<0) /* echo response when typed by user */
-#define CR_RESPONSE (1<<1) /* response needed */
+struct auth_challenge_info
+{
+#define CR_ECHO (1 << 0) /* echo response when typed by user */
+#define CR_RESPONSE (1 << 1) /* response needed */
unsigned int flags;
const char *user;
@@ -89,38 +89,43 @@
/*
* Challenge response info on client as pushed by server.
*/
-struct static_challenge_info {
-#define SC_ECHO (1<<0) /* echo response when typed by user */
-#define SC_CONCAT (1<<1) /* concatenate password and response and do not base64 encode */
+struct static_challenge_info
+{
+#define SC_ECHO (1 << 0) /* echo response when typed by user */
+#define SC_CONCAT (1 << 1) /* concatenate password and response and do not base64 encode */
unsigned int flags;
const char *challenge_text;
};
#else /* ifdef ENABLE_MANAGEMENT */
-struct auth_challenge_info {};
-struct static_challenge_info {};
+struct auth_challenge_info
+{
+};
+struct static_challenge_info
+{
+};
#endif /* ifdef ENABLE_MANAGEMENT */
/*
* Flags for get_user_pass and management_query_user_pass
*/
-#define GET_USER_PASS_MANAGEMENT (1<<0)
+#define GET_USER_PASS_MANAGEMENT (1 << 0)
/* GET_USER_PASS_SENSITIVE (1<<1) not used anymore */
-#define GET_USER_PASS_PASSWORD_ONLY (1<<2)
-#define GET_USER_PASS_NEED_OK (1<<3)
-#define GET_USER_PASS_NOFATAL (1<<4)
-#define GET_USER_PASS_NEED_STR (1<<5)
-#define GET_USER_PASS_PREVIOUS_CREDS_FAILED (1<<6)
+#define GET_USER_PASS_PASSWORD_ONLY (1 << 2)
+#define GET_USER_PASS_NEED_OK (1 << 3)
+#define GET_USER_PASS_NOFATAL (1 << 4)
+#define GET_USER_PASS_NEED_STR (1 << 5)
+#define GET_USER_PASS_PREVIOUS_CREDS_FAILED (1 << 6)
-#define GET_USER_PASS_DYNAMIC_CHALLENGE (1<<7) /**< CRV1 protocol -- dynamic challenge */
-#define GET_USER_PASS_STATIC_CHALLENGE (1<<8) /**< SCRV1 protocol -- static challenge */
-#define GET_USER_PASS_STATIC_CHALLENGE_ECHO (1<<9) /**< SCRV1 protocol -- echo response */
+#define GET_USER_PASS_DYNAMIC_CHALLENGE (1 << 7) /**< CRV1 protocol -- dynamic challenge */
+#define GET_USER_PASS_STATIC_CHALLENGE (1 << 8) /**< SCRV1 protocol -- static challenge */
+#define GET_USER_PASS_STATIC_CHALLENGE_ECHO (1 << 9) /**< SCRV1 protocol -- echo response */
/** indicates that auth_file is actually inline creds */
-#define GET_USER_PASS_INLINE_CREDS (1<<10)
+#define GET_USER_PASS_INLINE_CREDS (1 << 10)
/** indicates password and response should be concatenated */
-#define GET_USER_PASS_STATIC_CHALLENGE_CONCAT (1<<11)
+#define GET_USER_PASS_STATIC_CHALLENGE_CONCAT (1 << 11)
/**
* Retrieves the user credentials from various sources depending on the flags.
@@ -132,11 +137,8 @@
* @param auth_challenge The authentication challenge string.
* @return true if the user credentials were successfully retrieved, false otherwise.
*/
-bool get_user_pass_cr(struct user_pass *up,
- const char *auth_file,
- const char *prefix,
- const unsigned int flags,
- const char *auth_challenge);
+bool get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix,
+ const unsigned int flags, const char *auth_challenge);
/**
* Retrieves the user credentials from various sources depending on the flags.
@@ -148,9 +150,7 @@
* @return true if the user credentials were successfully retrieved, false otherwise.
*/
static inline bool
-get_user_pass(struct user_pass *up,
- const char *auth_file,
- const char *prefix,
+get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix,
const unsigned int flags)
{
return get_user_pass_cr(up, auth_file, prefix, flags, NULL);
@@ -205,29 +205,24 @@
/**
* Prepend a directory to a path.
*/
-struct buffer
-prepend_dir(const char *dir, const char *path, struct gc_arena *gc);
+struct buffer prepend_dir(const char *dir, const char *path, struct gc_arena *gc);
/**
* Encrypt username and password buffers in user_pass
*/
-void
-protect_user_pass(struct user_pass *up);
+void protect_user_pass(struct user_pass *up);
/**
* Decrypt username and password buffers in user_pass
*/
-void
-unprotect_user_pass(struct user_pass *up);
+void unprotect_user_pass(struct user_pass *up);
-#define _STRINGIFY(S) #S
+#define _STRINGIFY(S) #S
/* *INDENT-OFF* - uncrustify need to ignore this macro */
-#define MAC_FMT _STRINGIFY(%02hhx:%02hhx:%02hhx:%02hhx:%02hhx:%02hhx)
+#define MAC_FMT _STRINGIFY(%02hhx:%02hhx:%02hhx:%02hhx:%02hhx:%02hhx)
/* *INDENT-ON* */
-#define MAC_PRINT_ARG(_mac) _mac[0], _mac[1], _mac[2], \
- _mac[3], _mac[4], _mac[5]
-#define MAC_SCAN_ARG(_mac) &_mac[0], &_mac[1], &_mac[2], \
- &_mac[3], &_mac[4], &_mac[5]
+#define MAC_PRINT_ARG(_mac) _mac[0], _mac[1], _mac[2], _mac[3], _mac[4], _mac[5]
+#define MAC_SCAN_ARG(_mac) &_mac[0], &_mac[1], &_mac[2], &_mac[3], &_mac[4], &_mac[5]
#endif /* ifndef MISC_H */
@@ -47,14 +47,13 @@
static inline bool
is_mac_mcast_addr(const uint8_t *mac)
{
- return (bool) (mac[0] & 1);
+ return (bool)(mac[0] & 1);
}
static inline bool
is_mac_mcast_maddr(const struct mroute_addr *addr)
{
- return (addr->type & MR_ADDR_MASK) == MR_ADDR_ETHER
- && is_mac_mcast_addr(addr->ether.addr);
+ return (addr->type & MR_ADDR_MASK) == MR_ADDR_ETHER && is_mac_mcast_addr(addr->ether.addr);
}
/*
@@ -81,8 +80,7 @@
}
/* only networkss shorter than 8 bits are allowed to be all 0s. */
- if (all_zeros
- && !((addr->type & MR_WITH_NETBITS) && (addr->netbits < 8)))
+ if (all_zeros && !((addr->type & MR_WITH_NETBITS) && (addr->netbits < 8)))
{
msg(D_MULTI_LOW, "Can't learn %s: network is all 0s, but netbits >= 8",
mroute_addr_print(addr, gc));
@@ -91,8 +89,7 @@
if (all_ones)
{
- msg(D_MULTI_LOW, "Can't learn %s: network is all 1s",
- mroute_addr_print(addr, gc));
+ msg(D_MULTI_LOW, "Can't learn %s: network is all 1s", mroute_addr_print(addr, gc));
return false;
}
@@ -147,8 +144,7 @@
unsigned int
-mroute_extract_addr_ip(struct mroute_addr *src, struct mroute_addr *dest,
- const struct buffer *buf)
+mroute_extract_addr_ip(struct mroute_addr *src, struct mroute_addr *dest, const struct buffer *buf)
{
unsigned int ret = 0;
if (BLEN(buf) >= 1)
@@ -156,9 +152,9 @@
switch (OPENVPN_IPH_GET_VER(*BPTR(buf)))
{
case 4:
- if (BLEN(buf) >= (int) sizeof(struct openvpn_iphdr))
+ if (BLEN(buf) >= (int)sizeof(struct openvpn_iphdr))
{
- const struct openvpn_iphdr *ip = (const struct openvpn_iphdr *) BPTR(buf);
+ const struct openvpn_iphdr *ip = (const struct openvpn_iphdr *)BPTR(buf);
mroute_get_in_addr_t(src, ip->saddr, 0);
mroute_get_in_addr_t(dest, ip->daddr, 0);
@@ -180,10 +176,10 @@
break;
case 6:
- if (BLEN(buf) >= (int) sizeof(struct openvpn_ipv6hdr))
+ if (BLEN(buf) >= (int)sizeof(struct openvpn_ipv6hdr))
{
- const struct openvpn_ipv6hdr *ipv6 = (const struct openvpn_ipv6hdr *) BPTR(buf);
-#if 0 /* very basic debug */
+ const struct openvpn_ipv6hdr *ipv6 = (const struct openvpn_ipv6hdr *)BPTR(buf);
+#if 0 /* very basic debug */
struct gc_arena gc = gc_new();
msg( M_INFO, "IPv6 packet! src=%s, dst=%s",
print_in6_addr( ipv6->saddr, 0, &gc ),
@@ -212,9 +208,7 @@
}
static void
-mroute_copy_ether_to_addr(struct mroute_addr *maddr,
- const uint8_t *ether_addr,
- uint16_t vid)
+mroute_copy_ether_to_addr(struct mroute_addr *maddr, const uint8_t *ether_addr, uint16_t vid)
{
maddr->type = MR_ADDR_ETHER;
maddr->netbits = 0;
@@ -225,15 +219,13 @@
}
unsigned int
-mroute_extract_addr_ether(struct mroute_addr *src,
- struct mroute_addr *dest,
- uint16_t vid,
+mroute_extract_addr_ether(struct mroute_addr *src, struct mroute_addr *dest, uint16_t vid,
const struct buffer *buf)
{
unsigned int ret = 0;
- if (BLEN(buf) >= (int) sizeof(struct openvpn_ethhdr))
+ if (BLEN(buf) >= (int)sizeof(struct openvpn_ethhdr))
{
- const struct openvpn_ethhdr *eth = (const struct openvpn_ethhdr *) BPTR(buf);
+ const struct openvpn_ethhdr *eth = (const struct openvpn_ethhdr *)BPTR(buf);
if (src)
{
mroute_copy_ether_to_addr(src, eth->source, vid);
@@ -250,7 +242,6 @@
}
ret |= MROUTE_EXTRACT_SUCCEEDED;
-
}
return ret;
}
@@ -260,8 +251,7 @@
* to a struct mroute_addr (addr).
*/
bool
-mroute_extract_openvpn_sockaddr(struct mroute_addr *addr,
- const struct openvpn_sockaddr *osaddr,
+mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr,
bool use_port)
{
switch (osaddr->addr.sa.sa_family)
@@ -335,7 +325,7 @@
}
else if ((ma->type & MR_ADDR_MASK) == MR_ADDR_IPV6)
{
- int byte = sizeof(ma->v6.addr) - 1; /* rightmost byte in address */
+ int byte = sizeof(ma->v6.addr) - 1; /* rightmost byte in address */
int bits_to_clear = 128 - ma->netbits;
while (byte >= 0 && bits_to_clear > 0)
@@ -351,7 +341,7 @@
bits_to_clear = 0;
}
}
- ASSERT( bits_to_clear == 0 );
+ ASSERT(bits_to_clear == 0);
}
else
{
@@ -367,29 +357,24 @@
uint32_t
mroute_addr_hash_function(const void *key, uint32_t iv)
{
- return hash_func(mroute_addr_hash_ptr((const struct mroute_addr *) key),
- mroute_addr_hash_len((const struct mroute_addr *) key),
- iv);
+ return hash_func(mroute_addr_hash_ptr((const struct mroute_addr *)key),
+ mroute_addr_hash_len((const struct mroute_addr *)key), iv);
}
bool
mroute_addr_compare_function(const void *key1, const void *key2)
{
- return mroute_addr_equal((const struct mroute_addr *) key1,
- (const struct mroute_addr *) key2);
+ return mroute_addr_equal((const struct mroute_addr *)key1, (const struct mroute_addr *)key2);
}
const char *
-mroute_addr_print(const struct mroute_addr *ma,
- struct gc_arena *gc)
+mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc)
{
return mroute_addr_print_ex(ma, MAPF_IA_EMPTY_IF_UNDEF, gc);
}
const char *
-mroute_addr_print_ex(const struct mroute_addr *ma,
- const unsigned int flags,
- struct gc_arena *gc)
+mroute_addr_print_ex(const struct mroute_addr *ma, const unsigned int flags, struct gc_arena *gc)
{
struct buffer out = alloc_buf_gc(64, gc);
if (ma)
@@ -399,8 +384,8 @@
switch (maddr.type & MR_ADDR_MASK)
{
case MR_ADDR_ETHER:
- buf_printf(&out, "%s", format_hex_ex(ma->ether.addr,
- sizeof(ma->ether.addr), 0, 1, ":", gc));
+ buf_printf(&out, "%s",
+ format_hex_ex(ma->ether.addr, sizeof(ma->ether.addr), 0, 1, ":", gc));
buf_printf(&out, "@%hu", ma->ether.vid);
break;
@@ -418,8 +403,10 @@
{
buf_printf(&out, "[AF_INET]");
}
- buf_printf(&out, "%s", print_in_addr_t(ntohl(maddr.v4.addr),
- (flags & MAPF_IA_EMPTY_IF_UNDEF) ? IA_EMPTY_IF_UNDEF : 0, gc));
+ buf_printf(&out, "%s",
+ print_in_addr_t(ntohl(maddr.v4.addr),
+ (flags & MAPF_IA_EMPTY_IF_UNDEF) ? IA_EMPTY_IF_UNDEF : 0,
+ gc));
if (maddr.type & MR_WITH_NETBITS)
{
if (flags & MAPF_SUBNET)
@@ -449,10 +436,10 @@
{
buf_printf(&out, "[AF_INET6]");
}
- if (IN6_IS_ADDR_V4MAPPED( &maddr.v6.addr ) )
+ if (IN6_IS_ADDR_V4MAPPED(&maddr.v6.addr))
{
- buf_printf(&out, "%s", print_in_addr_t(maddr.v4mappedv6.addr,
- IA_NET_ORDER, gc));
+ buf_printf(&out, "%s",
+ print_in_addr_t(maddr.v4mappedv6.addr, IA_NET_ORDER, gc));
}
else if (maddr.type & MR_WITH_PORT)
{
@@ -508,7 +495,7 @@
{
if (mh->net_len_refcount[i] > 0)
{
- mh->net_len[j++] = (uint8_t) i;
+ mh->net_len[j++] = (uint8_t)i;
}
}
mh->n_net_len = j;
@@ -29,22 +29,22 @@
#include <stddef.h>
-#define IP_MCAST_SUBNET_MASK ((in_addr_t)240<<24)
-#define IP_MCAST_NETWORK ((in_addr_t)224<<24)
+#define IP_MCAST_SUBNET_MASK ((in_addr_t)240 << 24)
+#define IP_MCAST_NETWORK ((in_addr_t)224 << 24)
/* Return status values for mroute_extract_addr_from_packet */
-#define MROUTE_EXTRACT_SUCCEEDED (1<<0)
-#define MROUTE_EXTRACT_BCAST (1<<1)
-#define MROUTE_EXTRACT_MCAST (1<<2)
-#define MROUTE_EXTRACT_IGMP (1<<3)
+#define MROUTE_EXTRACT_SUCCEEDED (1 << 0)
+#define MROUTE_EXTRACT_BCAST (1 << 1)
+#define MROUTE_EXTRACT_MCAST (1 << 2)
+#define MROUTE_EXTRACT_IGMP (1 << 3)
-#define MROUTE_SEC_EXTRACT_SUCCEEDED (1<<(0+MROUTE_SEC_SHIFT))
-#define MROUTE_SEC_EXTRACT_BCAST (1<<(1+MROUTE_SEC_SHIFT))
-#define MROUTE_SEC_EXTRACT_MCAST (1<<(2+MROUTE_SEC_SHIFT))
-#define MROUTE_SEC_EXTRACT_IGMP (1<<(3+MROUTE_SEC_SHIFT))
+#define MROUTE_SEC_EXTRACT_SUCCEEDED (1 << (0 + MROUTE_SEC_SHIFT))
+#define MROUTE_SEC_EXTRACT_BCAST (1 << (1 + MROUTE_SEC_SHIFT))
+#define MROUTE_SEC_EXTRACT_MCAST (1 << (2 + MROUTE_SEC_SHIFT))
+#define MROUTE_SEC_EXTRACT_IGMP (1 << (3 + MROUTE_SEC_SHIFT))
-#define MROUTE_SEC_SHIFT 4
+#define MROUTE_SEC_SHIFT 4
/*
* Choose the largest address possible with
@@ -56,60 +56,64 @@
/*
* Address Types
*/
-#define MR_ADDR_NONE 0
-#define MR_ADDR_ETHER 1
-#define MR_ADDR_IPV4 2
-#define MR_ADDR_IPV6 3
-#define MR_ADDR_MASK 3
+#define MR_ADDR_NONE 0
+#define MR_ADDR_ETHER 1
+#define MR_ADDR_IPV4 2
+#define MR_ADDR_IPV6 3
+#define MR_ADDR_MASK 3
/* Address type mask indicating that port # is part of address */
-#define MR_WITH_PORT 4
+#define MR_WITH_PORT 4
/* Address type mask indicating that netbits is part of address */
-#define MR_WITH_NETBITS 8
+#define MR_WITH_NETBITS 8
/* Indicates than IPv4 addr was extracted from ARP packet */
-#define MR_ARP 16
+#define MR_ARP 16
/* Address type mask indicating that proto # is part of address */
-#define MR_WITH_PROTO 32
+#define MR_WITH_PROTO 32
-struct mroute_addr {
- uint8_t len; /* length of address */
+struct mroute_addr
+{
+ uint8_t len; /* length of address */
uint8_t proto;
- uint8_t type; /* MR_ADDR/MR_WITH flags */
+ uint8_t type; /* MR_ADDR/MR_WITH flags */
uint8_t netbits; /* number of bits in network part of address,
* valid if MR_WITH_NETBITS is set */
- union {
+ union
+ {
uint8_t raw_addr[MR_MAX_ADDR_LEN]; /* actual address */
- struct {
+ struct
+ {
uint8_t addr[OPENVPN_ETH_ALEN];
uint16_t vid;
} ether;
- struct {
- in_addr_t addr; /* _network order_ IPv4 address */
- in_port_t port; /* _network order_ TCP/UDP port */
+ struct
+ {
+ in_addr_t addr; /* _network order_ IPv4 address */
+ in_port_t port; /* _network order_ TCP/UDP port */
} v4;
- struct {
+ struct
+ {
struct in6_addr addr;
- in_port_t port; /* _network order_ TCP/UDP port */
+ in_port_t port; /* _network order_ TCP/UDP port */
} v6;
- struct {
+ struct
+ {
uint8_t prefix[12];
- in_addr_t addr; /* _network order_ IPv4 address */
+ in_addr_t addr; /* _network order_ IPv4 address */
} v4mappedv6;
};
};
/* Double-check that struct packing works as expected */
-static_assert(offsetof(struct mroute_addr, v4.port) ==
- offsetof(struct mroute_addr, v4) + 4,
+static_assert(offsetof(struct mroute_addr, v4.port) == offsetof(struct mroute_addr, v4) + 4,
"Unexpected struct packing of v4");
-static_assert(offsetof(struct mroute_addr, v6.port) ==
- offsetof(struct mroute_addr, v6) + 16,
+static_assert(offsetof(struct mroute_addr, v6.port) == offsetof(struct mroute_addr, v6) + 16,
"Unexpected struct packing of v6");
-static_assert(offsetof(struct mroute_addr, v4mappedv6.addr) ==
- offsetof(struct mroute_addr, v4mappedv6) + 12,
+static_assert(offsetof(struct mroute_addr, v4mappedv6.addr)
+ == offsetof(struct mroute_addr, v4mappedv6) + 12,
"Unexpected struct packing of v4mappedv6");
/*
@@ -120,22 +124,21 @@
/*
* Used to help maintain CIDR routing table.
*/
-struct mroute_helper {
- unsigned int cache_generation; /* incremented when route added */
- int ageable_ttl_secs; /* host route cache entry time-to-live*/
- int n_net_len; /* length of net_len array */
- uint8_t net_len[MR_HELPER_NET_LEN]; /* CIDR netlengths in descending order */
+struct mroute_helper
+{
+ unsigned int cache_generation; /* incremented when route added */
+ int ageable_ttl_secs; /* host route cache entry time-to-live*/
+ int n_net_len; /* length of net_len array */
+ uint8_t net_len[MR_HELPER_NET_LEN]; /* CIDR netlengths in descending order */
int net_len_refcount[MR_HELPER_NET_LEN]; /* refcount of each netlength */
};
struct openvpn_sockaddr;
bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr,
- const struct openvpn_sockaddr *osaddr,
- bool use_port);
+ const struct openvpn_sockaddr *osaddr, bool use_port);
-bool mroute_learnable_address(const struct mroute_addr *addr,
- struct gc_arena *gc);
+bool mroute_learnable_address(const struct mroute_addr *addr, struct gc_arena *gc);
uint32_t mroute_addr_hash_function(const void *key, uint32_t iv);
@@ -143,15 +146,13 @@
void mroute_addr_init(struct mroute_addr *addr);
-const char *mroute_addr_print(const struct mroute_addr *ma,
- struct gc_arena *gc);
+const char *mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc);
-#define MAPF_SUBNET (1<<0)
-#define MAPF_IA_EMPTY_IF_UNDEF (1<<1)
-#define MAPF_SHOW_ARP (1<<2)
-#define MAPF_SHOW_FAMILY (1<<3)
-const char *mroute_addr_print_ex(const struct mroute_addr *ma,
- const unsigned int flags,
+#define MAPF_SUBNET (1 << 0)
+#define MAPF_IA_EMPTY_IF_UNDEF (1 << 1)
+#define MAPF_SHOW_ARP (1 << 2)
+#define MAPF_SHOW_FAMILY (1 << 3)
+const char *mroute_addr_print_ex(const struct mroute_addr *ma, const unsigned int flags,
struct gc_arena *gc);
void mroute_addr_mask_host_bits(struct mroute_addr *ma);
@@ -164,25 +165,19 @@
void mroute_helper_del_iroute46(struct mroute_helper *mh, int netbits);
-unsigned int mroute_extract_addr_ip(struct mroute_addr *src,
- struct mroute_addr *dest,
+unsigned int mroute_extract_addr_ip(struct mroute_addr *src, struct mroute_addr *dest,
const struct buffer *buf);
-unsigned int mroute_extract_addr_ether(struct mroute_addr *src,
- struct mroute_addr *dest,
- uint16_t vid,
- const struct buffer *buf);
+unsigned int mroute_extract_addr_ether(struct mroute_addr *src, struct mroute_addr *dest,
+ uint16_t vid, const struct buffer *buf);
/*
* Given a raw packet in buf, return the src and dest
* addresses of the packet.
*/
static inline unsigned int
-mroute_extract_addr_from_packet(struct mroute_addr *src,
- struct mroute_addr *dest,
- uint16_t vid,
- const struct buffer *buf,
- int tunnel_type)
+mroute_extract_addr_from_packet(struct mroute_addr *src, struct mroute_addr *dest, uint16_t vid,
+ const struct buffer *buf, int tunnel_type)
{
unsigned int ret = 0;
verify_align_4(buf);
@@ -232,13 +227,13 @@
mroute_addr_hash_ptr(const struct mroute_addr *a)
{
/* NOTE: depends on ordering of struct mroute_addr */
- return (uint8_t *) &a->proto;
+ return (uint8_t *)&a->proto;
}
static inline uint32_t
mroute_addr_hash_len(const struct mroute_addr *a)
{
- return (uint32_t) a->len + 3;
+ return (uint32_t)a->len + 3;
}
static inline void
@@ -48,27 +48,24 @@
const struct openvpn_iphdr *pip;
int hlen;
- if (BLEN(buf) < (int) sizeof(struct openvpn_iphdr))
+ if (BLEN(buf) < (int)sizeof(struct openvpn_iphdr))
{
return;
}
verify_align_4(buf);
- pip = (struct openvpn_iphdr *) BPTR(buf);
+ pip = (struct openvpn_iphdr *)BPTR(buf);
hlen = OPENVPN_IPH_GET_LEN(pip->version_len);
- if (pip->protocol == OPENVPN_IPPROTO_TCP
- && ntohs(pip->tot_len) == BLEN(buf)
- && (ntohs(pip->frag_off) & OPENVPN_IP_OFFMASK) == 0
- && hlen <= BLEN(buf)
- && BLEN(buf) - hlen
- >= (int) sizeof(struct openvpn_tcphdr))
+ if (pip->protocol == OPENVPN_IPPROTO_TCP && ntohs(pip->tot_len) == BLEN(buf)
+ && (ntohs(pip->frag_off) & OPENVPN_IP_OFFMASK) == 0 && hlen <= BLEN(buf)
+ && BLEN(buf) - hlen >= (int)sizeof(struct openvpn_tcphdr))
{
struct buffer newbuf = *buf;
if (buf_advance(&newbuf, hlen))
{
- struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *) BPTR(&newbuf);
+ struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *)BPTR(&newbuf);
if (tc->flags & OPENVPN_TCPH_SYN_MASK)
{
mss_fixup_dowork(&newbuf, maxmss);
@@ -88,18 +85,18 @@
const struct openvpn_ipv6hdr *pip6;
struct buffer newbuf;
- if (BLEN(buf) < (int) sizeof(struct openvpn_ipv6hdr))
+ if (BLEN(buf) < (int)sizeof(struct openvpn_ipv6hdr))
{
return;
}
verify_align_4(buf);
- pip6 = (struct openvpn_ipv6hdr *) BPTR(buf);
+ pip6 = (struct openvpn_ipv6hdr *)BPTR(buf);
/* do we have the full IPv6 packet?
* "payload_len" does not include IPv6 header (+40 bytes)
*/
- if (BLEN(buf) != (int) ntohs(pip6->payload_len)+40)
+ if (BLEN(buf) != (int)ntohs(pip6->payload_len) + 40)
{
return;
}
@@ -123,13 +120,12 @@
* verify remainder is large enough to contain a full TCP header
*/
newbuf = *buf;
- if (buf_advance( &newbuf, 40 )
- && BLEN(&newbuf) >= (int) sizeof(struct openvpn_tcphdr))
+ if (buf_advance(&newbuf, 40) && BLEN(&newbuf) >= (int)sizeof(struct openvpn_tcphdr))
{
- struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *) BPTR(&newbuf);
+ struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *)BPTR(&newbuf);
if (tc->flags & OPENVPN_TCPH_SYN_MASK)
{
- mss_fixup_dowork(&newbuf, maxmss-20);
+ mss_fixup_dowork(&newbuf, maxmss - 20);
}
}
}
@@ -148,25 +144,22 @@
int accumulate;
struct openvpn_tcphdr *tc;
- if (BLEN(buf) < (int) sizeof(struct openvpn_tcphdr))
+ if (BLEN(buf) < (int)sizeof(struct openvpn_tcphdr))
{
return;
}
verify_align_4(buf);
- tc = (struct openvpn_tcphdr *) BPTR(buf);
+ tc = (struct openvpn_tcphdr *)BPTR(buf);
hlen = OPENVPN_TCPH_GET_DOFF(tc->doff_res);
/* Invalid header length or header without options. */
- if (hlen <= (int) sizeof(struct openvpn_tcphdr)
- || hlen > BLEN(buf))
+ if (hlen <= (int)sizeof(struct openvpn_tcphdr) || hlen > BLEN(buf))
{
return;
}
- for (olen = hlen - (int) sizeof(struct openvpn_tcphdr),
- opt = (uint8_t *)(tc + 1);
- olen > 1;
+ for (olen = hlen - (int)sizeof(struct openvpn_tcphdr), opt = (uint8_t *)(tc + 1); olen > 1;
olen -= optlen, opt += optlen)
{
if (*opt == OPENVPN_TCPOPT_EOL)
@@ -196,8 +189,8 @@
{
dmsg(D_MSS, "MSS: %" PRIu16 " -> %" PRIu16, mssval, maxmss);
accumulate = htons(mssval);
- opt[2] = (uint8_t)((maxmss>>8)&0xff);
- opt[3] = (uint8_t)(maxmss&0xff);
+ opt[2] = (uint8_t)((maxmss >> 8) & 0xff);
+ opt[3] = (uint8_t)(maxmss & 0xff);
accumulate -= htons(maxmss);
ADJUST_CHECKSUM(accumulate, tc->check);
}
@@ -227,8 +220,7 @@
}
static size_t
-get_ip_encap_overhead(const struct options *options,
- const struct link_socket_info *lsi)
+get_ip_encap_overhead(const struct options *options, const struct link_socket_info *lsi)
{
/* Add the overhead of the encapsulating IP packets */
sa_family_t af;
@@ -252,8 +244,7 @@
}
static void
-frame_calculate_fragment(struct frame *frame, struct key_type *kt,
- const struct options *options,
+frame_calculate_fragment(struct frame *frame, struct key_type *kt, const struct options *options,
struct link_socket_info *lsi)
{
#if defined(ENABLE_FRAGMENT)
@@ -283,8 +274,7 @@
}
static void
-frame_calculate_mssfix(struct frame *frame, struct key_type *kt,
- const struct options *options,
+frame_calculate_mssfix(struct frame *frame, struct key_type *kt, const struct options *options,
struct link_socket_info *lsi)
{
if (options->ce.mssfix_fixed)
@@ -326,13 +316,10 @@
/* This is the target value our payload needs to be smaller */
size_t target = options->ce.mssfix - overhead;
frame->mss_fix = (uint16_t)(adjust_payload_max_cbc(kt, target) - payload_overhead);
-
-
}
void
-frame_calculate_dynamic(struct frame *frame, struct key_type *kt,
- const struct options *options,
+frame_calculate_dynamic(struct frame *frame, struct key_type *kt, const struct options *options,
struct link_socket_info *lsi)
{
if (options->ce.fragment > 0)
@@ -363,30 +350,29 @@
int encap_overhead = datagram_overhead(af, proto);
/* check if mssfix and fragment need to be adjusted */
- if (pmtu < o->ce.mssfix
- || (o->ce.mssfix_encap && pmtu < o->ce.mssfix + encap_overhead))
+ if (pmtu < o->ce.mssfix || (o->ce.mssfix_encap && pmtu < o->ce.mssfix + encap_overhead))
{
const char *mtustr = o->ce.mssfix_encap ? " mtu" : "";
- msg(D_MTU_INFO, "Note adjusting 'mssfix %d%s' to 'mssfix %d mtu' "
- "according to path MTU discovery", o->ce.mssfix,
- mtustr, pmtu);
+ msg(D_MTU_INFO,
+ "Note adjusting 'mssfix %d%s' to 'mssfix %d mtu' "
+ "according to path MTU discovery",
+ o->ce.mssfix, mtustr, pmtu);
o->ce.mssfix = pmtu;
o->ce.mssfix_encap = true;
frame_calculate_dynamic(&c->c2.frame, &c->c1.ks.key_type, o, lsi);
}
#if defined(ENABLE_FRAGMENT)
- if (pmtu < o->ce.fragment
- || (o->ce.fragment_encap && pmtu < o->ce.fragment + encap_overhead))
+ if (pmtu < o->ce.fragment || (o->ce.fragment_encap && pmtu < o->ce.fragment + encap_overhead))
{
const char *mtustr = o->ce.fragment_encap ? " mtu" : "";
- msg(D_MTU_INFO, "Note adjusting 'fragment %d%s' to 'fragment %d mtu' "
- "according to path MTU discovery", o->ce.fragment,
- mtustr, pmtu);
+ msg(D_MTU_INFO,
+ "Note adjusting 'fragment %d%s' to 'fragment %d mtu' "
+ "according to path MTU discovery",
+ o->ce.fragment, mtustr, pmtu);
o->ce.fragment = pmtu;
o->ce.fragment_encap = true;
- frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type,
- o, lsi);
+ frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type, o, lsi);
}
#endif
}
@@ -36,8 +36,7 @@
/** Set the --mssfix option. */
void frame_calculate_dynamic(struct frame *frame, struct key_type *kt,
- const struct options *options,
- struct link_socket_info *lsi);
+ const struct options *options, struct link_socket_info *lsi);
/**
* Checks and adjusts the fragment and mssfix value according to the
@@ -83,7 +83,7 @@
}
/* mmap the file */
- data = mmap(NULL, sizeof(struct mmap_stats), PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
+ data = mmap(NULL, sizeof(struct mmap_stats), PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
if (data == MAP_FAILED)
{
msg(M_ERR, "mstats_open: write error: %s", fn);
@@ -30,7 +30,8 @@
#include "basic.h"
/* this struct is mapped to the file */
-struct mmap_stats {
+struct mmap_stats
+{
counter_type link_read_bytes; /* counter_type can be assumed to be a uint64_t */
counter_type link_write_bytes;
int n_clients;
@@ -66,8 +66,9 @@
if (he)
{
- struct multi_instance *oldmi = (struct multi_instance *) he->value;
- msg(D_MULTI_LOW, "MULTI TCP: new incoming client address matches existing client address -- new client takes precedence");
+ struct multi_instance *oldmi = (struct multi_instance *)he->value;
+ msg(D_MULTI_LOW,
+ "MULTI TCP: new incoming client address matches existing client address -- new client takes precedence");
oldmi->did_real_hash = false;
multi_close_instance(m, oldmi, false);
he->key = &mi->real;
@@ -108,12 +109,10 @@
ASSERT(mi->context.c2.link_sockets[0]->info.lsa);
ASSERT(mi->context.c2.link_sockets[0]->mode == LS_MODE_TCP_ACCEPT_FROM);
ASSERT(mi->context.c2.link_sockets[0]->info.lsa->actual.dest.addr.sa.sa_family == AF_INET
- || mi->context.c2.link_sockets[0]->info.lsa->actual.dest.addr.sa.sa_family == AF_INET6
- );
+ || mi->context.c2.link_sockets[0]->info.lsa->actual.dest.addr.sa.sa_family == AF_INET6);
mi->real.proto = mi->context.c2.link_sockets[0]->info.proto;
- if (!mroute_extract_openvpn_sockaddr(&mi->real,
- &mi->context.c2.link_sockets[0]->info.lsa->actual.dest,
- true))
+ if (!mroute_extract_openvpn_sockaddr(
+ &mi->real, &mi->context.c2.link_sockets[0]->info.lsa->actual.dest, true))
{
msg(D_MULTI_ERRORS, "MULTI TCP: TCP client address is undefined");
return false;
@@ -149,7 +148,8 @@
}
bool
-multi_tcp_process_outgoing_link_ready(struct multi_context *m, struct multi_instance *mi, const unsigned int mpp_flags)
+multi_tcp_process_outgoing_link_ready(struct multi_context *m, struct multi_instance *mi,
+ const unsigned int mpp_flags)
{
struct mbuf_item item;
bool ret = true;
@@ -39,9 +39,11 @@
void multi_tcp_instance_specific_free(struct multi_instance *mi);
-bool multi_tcp_process_outgoing_link(struct multi_context *m, bool defer, const unsigned int mpp_flags);
+bool multi_tcp_process_outgoing_link(struct multi_context *m, bool defer,
+ const unsigned int mpp_flags);
-bool multi_tcp_process_outgoing_link_ready(struct multi_context *m, struct multi_instance *mi, const unsigned int mpp_flags);
+bool multi_tcp_process_outgoing_link_ready(struct multi_context *m, struct multi_instance *mi,
+ const unsigned int mpp_flags);
struct multi_instance *multi_create_instance_tcp(struct multi_context *m, struct link_socket *sock);
@@ -38,8 +38,7 @@
/* allocate a buffer for socket or tun layer */
void
-alloc_buf_sock_tun(struct buffer *buf,
- const struct frame *frame)
+alloc_buf_sock_tun(struct buffer *buf, const struct frame *frame)
{
/* allocate buffer for overlapped I/O */
*buf = alloc_buf(BUF_SIZE(frame));
@@ -59,8 +58,7 @@
}
size_t
-frame_calculate_protocol_header_size(const struct key_type *kt,
- const struct options *options,
+frame_calculate_protocol_header_size(const struct key_type *kt, const struct options *options,
bool occ)
{
/* Sum of all the overhead that reduces the usable packet size */
@@ -97,8 +95,7 @@
size_t
-frame_calculate_payload_overhead(size_t extra_tun,
- const struct options *options,
+frame_calculate_payload_overhead(size_t extra_tun, const struct options *options,
const struct key_type *kt)
{
size_t overhead = 0;
@@ -138,8 +135,7 @@
}
size_t
-frame_calculate_payload_size(const struct frame *frame,
- const struct options *options,
+frame_calculate_payload_size(const struct frame *frame, const struct options *options,
const struct key_type *kt)
{
size_t payload_size = options->ce.tun_mtu;
@@ -174,7 +170,7 @@
* overhead */
/* overhead of BF-CBC: 64 bit block size, 64 bit IV size */
- overhead += 64/8 + 64/8;
+ overhead += 64 / 8 + 64 / 8;
/* set ciphername to none, so its size does get added in the
* fake_kt and the cipher is not tried to be resolved */
ciphername = "none";
@@ -191,9 +187,7 @@
}
void
-frame_print(const struct frame *frame,
- int level,
- const char *prefix)
+frame_print(const struct frame *frame, int level, const char *prefix)
{
struct gc_arena gc = gc_new();
struct buffer out = alloc_buf_gc(256, &gc);
@@ -229,19 +223,18 @@
{
#if defined(IP_MTU_DISCOVER)
case AF_INET:
- if (setsockopt(sd, IPPROTO_IP, IP_MTU_DISCOVER,
- (void *) &mtu_type, sizeof(mtu_type)))
+ if (setsockopt(sd, IPPROTO_IP, IP_MTU_DISCOVER, (void *)&mtu_type,
+ sizeof(mtu_type)))
{
- msg(M_ERR, "Error setting IP_MTU_DISCOVER type=%d on TCP/UDP socket",
- mtu_type);
+ msg(M_ERR, "Error setting IP_MTU_DISCOVER type=%d on TCP/UDP socket", mtu_type);
}
break;
#endif
#if defined(IPV6_MTU_DISCOVER)
case AF_INET6:
- if (setsockopt(sd, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
- (void *) &mtu_type, sizeof(mtu_type)))
+ if (setsockopt(sd, IPPROTO_IPV6, IPV6_MTU_DISCOVER, (void *)&mtu_type,
+ sizeof(mtu_type)))
{
msg(M_ERR, "Error setting IPV6_MTU_DISCOVER type=%d on TCP6/UDP6 socket",
mtu_type);
@@ -272,13 +265,11 @@
{
return IP_PMTUDISC_DONT;
}
- msg(M_FATAL,
- "invalid --mtu-disc type: '%s' -- valid types are 'yes', 'maybe', or 'no'",
- name);
-#else /* if defined(IP_PMTUDISC_DONT) && defined(IP_PMTUDISC_WANT) && defined(IP_PMTUDISC_DO) */
+ msg(M_FATAL, "invalid --mtu-disc type: '%s' -- valid types are 'yes', 'maybe', or 'no'", name);
+#else /* if defined(IP_PMTUDISC_DONT) && defined(IP_PMTUDISC_WANT) && defined(IP_PMTUDISC_DO) */
msg(M_FATAL, MTUDISC_NOT_SUPPORTED_MSG);
#endif
- return -1; /* NOTREACHED */
+ return -1; /* NOTREACHED */
}
#if EXTENDED_SOCKET_ERROR_CAPABILITY
@@ -300,7 +291,7 @@
struct sock_extended_err *e;
struct sockaddr_storage addr;
struct buffer out = alloc_buf_gc(256, gc);
- char *cbuf = (char *) gc_malloc(256, false, gc);
+ char *cbuf = (char *)gc_malloc(256, false, gc);
*mtu = 0;
@@ -309,7 +300,7 @@
memset(&rcvbuf, -1, sizeof(rcvbuf));
iov.iov_base = &rcvbuf;
iov.iov_len = sizeof(rcvbuf);
- msg.msg_name = (uint8_t *) &addr;
+ msg.msg_name = (uint8_t *)&addr;
msg.msg_namelen = sizeof(addr);
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
@@ -331,7 +322,7 @@
{
if (cmsg->cmsg_type == IP_RECVERR)
{
- e = (struct sock_extended_err *) CMSG_DATA(cmsg);
+ e = (struct sock_extended_err *)CMSG_DATA(cmsg);
}
else
{
@@ -342,7 +333,7 @@
{
if (cmsg->cmsg_type == IPV6_RECVERR)
{
- e = (struct sock_extended_err *) CMSG_DATA(cmsg);
+ e = (struct sock_extended_err *)CMSG_DATA(cmsg);
}
else
{
@@ -405,7 +396,7 @@
/* see "man 7 ip" (on Linux)
* this works on IPv4 and IPv6(-dual-stack) sockets (v4-mapped)
*/
- if (setsockopt(sd, SOL_IP, IP_RECVERR, (void *) &on, sizeof(on)) != 0)
+ if (setsockopt(sd, SOL_IP, IP_RECVERR, (void *)&on, sizeof(on)) != 0)
{
msg(M_WARN | M_ERRNO,
"Note: enable extended error passing on TCP/UDP socket failed (IP_RECVERR)");
@@ -414,7 +405,7 @@
* this only works on IPv6 sockets
*/
if (proto_af == AF_INET6
- && setsockopt(sd, IPPROTO_IPV6, IPV6_RECVERR, (void *) &on, sizeof(on)) != 0)
+ && setsockopt(sd, IPPROTO_IPV6, IPV6_RECVERR, (void *)&on, sizeof(on)) != 0)
{
msg(M_WARN | M_ERRNO,
"Note: enable extended error passing on TCP/UDP socket failed (IPV6_RECVERR)");
@@ -50,38 +50,38 @@
/*
* Standard ethernet MTU
*/
-#define ETHERNET_MTU 1500
+#define ETHERNET_MTU 1500
/*
* It is a fatal error if mtu is less than
* this value for tun device.
*/
-#define TUN_MTU_MIN 100
+#define TUN_MTU_MIN 100
/*
* Default MTU of network over which tunnel data will pass by TCP/UDP.
*/
-#define LINK_MTU_DEFAULT 1500
+#define LINK_MTU_DEFAULT 1500
/*
* Default MTU of tunnel device.
*/
-#define TUN_MTU_DEFAULT 1500
+#define TUN_MTU_DEFAULT 1500
/*
* MTU Defaults for TAP devices
*/
-#define TAP_MTU_EXTRA_DEFAULT 32
+#define TAP_MTU_EXTRA_DEFAULT 32
/*
* Default MSSFIX value, used for reducing TCP MTU size
*/
-#define MSSFIX_DEFAULT 1492
+#define MSSFIX_DEFAULT 1492
/*
* Default maximum size of control channel packets
*/
-#define TLS_MTU_DEFAULT 1250
+#define TLS_MTU_DEFAULT 1250
/*
* Alignment of payload data such as IP packet or
@@ -94,62 +94,64 @@
/**
* Packet geometry parameters.
*/
-struct frame {
- struct {
+struct frame
+{
+ struct
+ {
/* This struct holds all the information about the buffers that are
* allocated to match this frame */
- int payload_size; /**< the maximum size that a payload that our
- * buffers can hold from either tun device
- * or network link.
- */
+ int payload_size; /**< the maximum size that a payload that our
+ * buffers can hold from either tun device
+ * or network link.
+ */
- int headroom; /**< the headroom in the buffer, this is choosen
- * to allow all potential header to be added
- * before the packet */
+ int headroom; /**< the headroom in the buffer, this is choosen
+ * to allow all potential header to be added
+ * before the packet */
- int tailroom; /**< the tailroom in the buffer. Chosen large
- * enough to also accompany any extrea header
- * or work space required by
- * decryption/encryption or compression. */
+ int tailroom; /**< the tailroom in the buffer. Chosen large
+ * enough to also accompany any extrea header
+ * or work space required by
+ * decryption/encryption or compression. */
} buf;
- uint16_t mss_fix; /**< The actual MSS value that should be
- * written to the payload packets. This
- * is the value for IPv4 TCP packets. For
- * IPv6 packets another 20 bytes must
- * be subtracted */
+ uint16_t mss_fix; /**< The actual MSS value that should be
+ * written to the payload packets. This
+ * is the value for IPv4 TCP packets. For
+ * IPv6 packets another 20 bytes must
+ * be subtracted */
- int max_fragment_size; /**< The maximum size of a fragment.
- * Fragmentation is done on the unencrypted
- * payload after (potential) compression. So
- * this value specifies the maximum payload
- * size that can be send in a single fragment
- */
+ int max_fragment_size; /**< The maximum size of a fragment.
+ * Fragmentation is done on the unencrypted
+ * payload after (potential) compression. So
+ * this value specifies the maximum payload
+ * size that can be send in a single fragment
+ */
- int tun_mtu; /**< the (user) configured tun-mtu. This is used
- * in configuring the tun interface or
- * in calculations that use the desired size
- * of the payload in the buffer.
- *
- * This variable is also used in control
- * frame context to set the desired maximum
- * control frame payload (although most of
- * code ignores it)
- */
- int tun_max_mtu; /**< the maximum tun-mtu size the buffers are
- * are sized for. This is the upper bound that
- * a server can push as MTU */
+ int tun_mtu; /**< the (user) configured tun-mtu. This is used
+ * in configuring the tun interface or
+ * in calculations that use the desired size
+ * of the payload in the buffer.
+ *
+ * This variable is also used in control
+ * frame context to set the desired maximum
+ * control frame payload (although most of
+ * code ignores it)
+ */
+ int tun_max_mtu; /**< the maximum tun-mtu size the buffers are
+ * are sized for. This is the upper bound that
+ * a server can push as MTU */
- int extra_tun; /**< Maximum number of bytes in excess of
- * the tun/tap MTU that might be read
- * from or written to the virtual
- * tun/tap network interface.
- *
- * Only set with the option --tun-mtu-extra
- * which defaults to 0 for tun and 32
- * (\c TAP_MTU_EXTRA_DEFAULT) for tap.
- * */
+ int extra_tun; /**< Maximum number of bytes in excess of
+ * the tun/tap MTU that might be read
+ * from or written to the virtual
+ * tun/tap network interface.
+ *
+ * Only set with the option --tun-mtu-extra
+ * which defaults to 0 for tun and 32
+ * (\c TAP_MTU_EXTRA_DEFAULT) for tap.
+ * */
};
/* Forward declarations, to prevent includes */
@@ -174,9 +176,7 @@
* Function prototypes.
*/
-void frame_print(const struct frame *frame,
- int level,
- const char *prefix);
+void frame_print(const struct frame *frame, int level, const char *prefix);
void set_mtu_discover_type(socket_descriptor_t sd, int mtu_type, sa_family_t proto_af);
@@ -194,10 +194,8 @@
*
* * [IP][UDP][OPENVPN PROTOCOL HEADER][ **PAYLOAD incl compression header** ]
*/
-size_t
-frame_calculate_payload_size(const struct frame *frame,
- const struct options *options,
- const struct key_type *kt);
+size_t frame_calculate_payload_size(const struct frame *frame, const struct options *options,
+ const struct key_type *kt);
/**
* Calculates the size of the payload overhead according to tun-mtu and
@@ -215,10 +213,8 @@
*
* * [IP][UDP][OPENVPN PROTOCOL HEADER][ **PAYLOAD incl compression header** ]
*/
-size_t
-frame_calculate_payload_overhead(size_t extra_tun,
- const struct options *options,
- const struct key_type *kt);
+size_t frame_calculate_payload_overhead(size_t extra_tun, const struct options *options,
+ const struct key_type *kt);
/**
@@ -236,10 +232,8 @@
* @param occ Use the calculation for the OCC link-mtu
* @return size of the overhead in bytes
*/
-size_t
-frame_calculate_protocol_header_size(const struct key_type *kt,
- const struct options *options,
- bool occ);
+size_t frame_calculate_protocol_header_size(const struct key_type *kt,
+ const struct options *options, bool occ);
/**
* Calculate the link-mtu to advertise to our peer. The actual value is not
@@ -248,23 +242,18 @@
* value they expect. This assumes that the traditional cipher/auth directives
* in the config match the config of the peer.
*/
-size_t
-calc_options_string_link_mtu(const struct options *options,
- const struct frame *frame);
+size_t calc_options_string_link_mtu(const struct options *options, const struct frame *frame);
/**
* Return the size of the packet ID size that is currently in use by cipher and
* options for the data channel.
*/
-unsigned int
-calc_packet_id_size_dc(const struct options *options,
- const struct key_type *kt);
+unsigned int calc_packet_id_size_dc(const struct options *options, const struct key_type *kt);
/*
* allocate a buffer for socket or tun layer
*/
-void alloc_buf_sock_tun(struct buffer *buf,
- const struct frame *frame);
+void alloc_buf_sock_tun(struct buffer *buf, const struct frame *frame);
/*
* EXTENDED_SOCKET_ERROR_CAPABILITY functions -- print extra error info
@@ -38,18 +38,15 @@
#endif
static void
-send_hmac_reset_packet(struct multi_context *m,
- struct tls_pre_decrypt_state *state,
- struct tls_auth_standalone *tas,
- struct session_id *sid,
+send_hmac_reset_packet(struct multi_context *m, struct tls_pre_decrypt_state *state,
+ struct tls_auth_standalone *tas, struct session_id *sid,
bool request_resend_wkc)
{
reset_packet_id_send(&state->tls_wrap_tmp.opt.packet_id.send);
state->tls_wrap_tmp.opt.packet_id.rec.initialized = true;
uint8_t header = 0 | (P_CONTROL_HARD_RESET_SERVER_V2 << P_OPCODE_SHIFT);
struct buffer buf = tls_reset_standalone(&state->tls_wrap_tmp, tas, sid,
- &state->peer_session_id, header,
- request_resend_wkc);
+ &state->peer_session_id, header, request_resend_wkc);
struct context *c = &m->top;
@@ -65,8 +62,7 @@
/* Returns true if this packet should create a new session */
static bool
-do_pre_decrypt_check(struct multi_context *m,
- struct tls_pre_decrypt_state *state,
+do_pre_decrypt_check(struct multi_context *m, struct tls_pre_decrypt_state *state,
struct mroute_addr addr)
{
ASSERT(m->top.c2.tls_auth_standalone);
@@ -108,8 +104,8 @@
if (early_neg_support)
{
/* Calculate the session ID HMAC for our reply and create reset packet */
- struct session_id sid = calculate_session_id_hmac(state->peer_session_id,
- from, hmac, handwindow, 0);
+ struct session_id sid =
+ calculate_session_id_hmac(state->peer_session_id, from, hmac, handwindow, 0);
send_hmac_reset_packet(m, state, tas, &sid, true);
return false;
@@ -124,8 +120,10 @@
{
struct gc_arena gc = gc_new();
const char *peer = print_link_socket_actual(&m->top.c2.from, &gc);
- msg(D_MULTI_DEBUG, "tls-crypt-v2 force-cookie is enabled, "
- "ignoring connection attempt from old client (%s)", peer);
+ msg(D_MULTI_DEBUG,
+ "tls-crypt-v2 force-cookie is enabled, "
+ "ignoring connection attempt from old client (%s)",
+ peer);
gc_free(&gc);
return false;
}
@@ -138,14 +136,13 @@
else if (verdict == VERDICT_VALID_RESET_V2)
{
/* Calculate the session ID HMAC for our reply and create reset packet */
- struct session_id sid = calculate_session_id_hmac(state->peer_session_id,
- from, hmac, handwindow, 0);
+ struct session_id sid =
+ calculate_session_id_hmac(state->peer_session_id, from, hmac, handwindow, 0);
send_hmac_reset_packet(m, state, tas, &sid, false);
/* We have a reply do not create a new session */
return false;
-
}
else if (verdict == VERDICT_VALID_CONTROL_V1 || verdict == VERDICT_VALID_ACK_V1
|| verdict == VERDICT_VALID_WKC_V1)
@@ -157,7 +154,7 @@
bool ret = check_session_id_hmac(state, from, hmac, handwindow);
const char *peer = print_link_socket_actual(&m->top.c2.from, &gc);
- uint8_t pkt_firstbyte = *BPTR( &m->top.c2.buf);
+ uint8_t pkt_firstbyte = *BPTR(&m->top.c2.buf);
int op = pkt_firstbyte >> P_OPCODE_SHIFT;
if (!ret)
@@ -167,8 +164,10 @@
}
else
{
- msg(D_MULTI_DEBUG, "Valid packet (%s) with HMAC challenge from peer (%s), "
- "accepting new connection.", packet_opcode_name(op), peer);
+ msg(D_MULTI_DEBUG,
+ "Valid packet (%s) with HMAC challenge from peer (%s), "
+ "accepting new connection.",
+ packet_opcode_name(op), peer);
}
gc_free(&gc);
@@ -186,18 +185,16 @@
*/
struct multi_instance *
-multi_get_create_instance_udp(struct multi_context *m, bool *floated,
- struct link_socket *sock)
+multi_get_create_instance_udp(struct multi_context *m, bool *floated, struct link_socket *sock)
{
struct gc_arena gc = gc_new();
- struct mroute_addr real = {0};
+ struct mroute_addr real = { 0 };
struct multi_instance *mi = NULL;
struct hash *hash = m->hash;
real.proto = sock->info.proto;
m->hmac_reply_ls = sock;
- if (mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true)
- && m->top.c2.buf.len > 0)
+ if (mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true) && m->top.c2.buf.len > 0)
{
struct hash_element *he;
const uint32_t hv = hash_value(hash, &real);
@@ -217,14 +214,16 @@
{
/* Floating on TCP will never be possible, so ensure we only process
* UDP clients */
- if (m->instances[peer_id]->context.c2.link_sockets[0]->info.proto == sock->info.proto)
+ if (m->instances[peer_id]->context.c2.link_sockets[0]->info.proto
+ == sock->info.proto)
{
mi = m->instances[peer_id];
*floated = !link_socket_actual_match(&mi->context.c2.from, &m->top.c2.from);
if (*floated)
{
- /* reset prefix, since here we are not sure peer is the one it claims to be */
+ /* reset prefix, since here we are not sure peer is the one it claims to be
+ */
ungenerate_prefix(mi);
msg(D_MULTI_MEDIUM, "Float requested for peer %" PRIu32 " to %s", peer_id,
mroute_addr_print(&real, &gc));
@@ -237,19 +236,20 @@
he = hash_lookup_fast(hash, bucket, &real, hv);
if (he)
{
- mi = (struct multi_instance *) he->value;
+ mi = (struct multi_instance *)he->value;
}
}
/* we have no existing multi instance for this connection */
if (!mi)
{
- struct tls_pre_decrypt_state state = {0};
+ struct tls_pre_decrypt_state state = { 0 };
if (m->deferred_shutdown_signal.signal_received)
{
msg(D_MULTI_ERRORS,
"MULTI: Connection attempt from %s ignored while server is "
- "shutting down", mroute_addr_print(&real, &gc));
+ "shutting down",
+ mroute_addr_print(&real, &gc));
}
else if (do_pre_decrypt_check(m, &state, real))
{
@@ -277,7 +277,8 @@
&& session_id_defined((&state.peer_session_id)))
{
mi->context.c2.tls_multi->n_sessions++;
- struct tls_session *session = &mi->context.c2.tls_multi->session[TM_INITIAL];
+ struct tls_session *session =
+ &mi->context.c2.tls_multi->session[TM_INITIAL];
session_skip_to_pre_start(session, &state, &m->top.c2.from);
}
}
@@ -297,9 +298,7 @@
{
const char *status = mi ? "[ok]" : "[failed]";
- dmsg(D_MULTI_DEBUG, "GET INST BY REAL: %s %s",
- mroute_addr_print(&real, &gc),
- status);
+ dmsg(D_MULTI_DEBUG, "GET INST BY REAL: %s %s", mroute_addr_print(&real, &gc), status);
}
#endif
}
@@ -339,8 +338,8 @@
{
const unsigned int status = m->multi_io->udp_flags;
const unsigned int mpp_flags = m->top.c2.fast_io
- ? (MPP_CONDITIONAL_PRE_SELECT | MPP_CLOSE_ON_SIGNAL)
- : (MPP_PRE_SELECT | MPP_CLOSE_ON_SIGNAL);
+ ? (MPP_CONDITIONAL_PRE_SELECT | MPP_CLOSE_ON_SIGNAL)
+ : (MPP_PRE_SELECT | MPP_CLOSE_ON_SIGNAL);
#ifdef MULTI_DEBUG_EVENT_LOOP
char buf[16];
@@ -369,7 +368,7 @@
#endif /* ifdef MULTI_DEBUG_EVENT_LOOP */
#ifdef ENABLE_MANAGEMENT
- if (status & (MANAGEMENT_READ|MANAGEMENT_WRITE))
+ if (status & (MANAGEMENT_READ | MANAGEMENT_WRITE))
{
ASSERT(management);
management_io(management);
@@ -91,9 +91,7 @@
}
static bool
-learn_address_script(const struct multi_context *m,
- const struct multi_instance *mi,
- const char *op,
+learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op,
const struct mroute_addr *addr)
{
struct gc_arena gc = gc_new();
@@ -124,14 +122,13 @@
if (plugin_defined(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS))
{
struct argv argv = argv_new();
- argv_printf(&argv, "%s %s",
- op,
- mroute_addr_print(addr, &gc));
+ argv_printf(&argv, "%s %s", op, mroute_addr_print(addr, &gc));
if (mi)
{
argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
}
- if (plugin_call(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
+ if (plugin_call(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS, &argv, NULL, es)
+ != OPENVPN_PLUGIN_FUNC_SUCCESS)
{
msg(M_WARN, "WARNING: learn-address plugin call failed");
ret = false;
@@ -164,8 +161,7 @@
multi_ifconfig_pool_persist(struct multi_context *m, bool force)
{
/* write pool data to file */
- if (m->ifconfig_pool
- && m->top.c1.ifconfig_pool_persist
+ if (m->ifconfig_pool && m->top.c1.ifconfig_pool_persist
&& (force || ifconfig_pool_write_trigger(m->top.c1.ifconfig_pool_persist)))
{
ifconfig_pool_write(m->top.c1.ifconfig_pool_persist, m->ifconfig_pool);
@@ -173,9 +169,7 @@
}
static void
-multi_reap_range(const struct multi_context *m,
- int start_bucket,
- int end_bucket)
+multi_reap_range(const struct multi_context *m, int start_bucket, int end_bucket)
{
struct gc_arena gc = gc_new();
struct hash_iterator hi;
@@ -191,11 +185,10 @@
hash_iterator_init_range(m->vhash, &hi, start_bucket, end_bucket);
while ((he = hash_iterator_next(&hi)) != NULL)
{
- struct multi_route *r = (struct multi_route *) he->value;
+ struct multi_route *r = (struct multi_route *)he->value;
if (!multi_route_defined(m, r))
{
- dmsg(D_MULTI_DEBUG, "MULTI: REAP DEL %s",
- mroute_addr_print(&r->addr, &gc));
+ dmsg(D_MULTI_DEBUG, "MULTI: REAP DEL %s", mroute_addr_print(&r->addr, &gc));
learn_address_script(m, NULL, "delete", &r->addr);
multi_route_del(r);
hash_iterator_delete_element(&hi);
@@ -256,7 +249,7 @@
cid_hash_function(const void *key, uint32_t iv)
{
const unsigned long *k = (const unsigned long *)key;
- return (uint32_t) *k;
+ return (uint32_t)*k;
}
static bool
@@ -295,8 +288,7 @@
struct multi_context *m = t->multi;
int dev = DEV_TYPE_UNDEF;
- msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d",
- t->options.real_hash_size,
+ msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d", t->options.real_hash_size,
t->options.virtual_hash_size);
/*
@@ -315,18 +307,14 @@
* to determine which client sent an incoming packet
* which is seen on the TCP/UDP socket.
*/
- m->hash = hash_init(t->options.real_hash_size,
- get_random(),
- mroute_addr_hash_function,
+ m->hash = hash_init(t->options.real_hash_size, get_random(), mroute_addr_hash_function,
mroute_addr_compare_function);
/*
* Virtual address hash table. Used to determine
* which client to route a packet to.
*/
- m->vhash = hash_init(t->options.virtual_hash_size,
- get_random(),
- mroute_addr_hash_function,
+ m->vhash = hash_init(t->options.virtual_hash_size, get_random(), mroute_addr_hash_function,
mroute_addr_compare_function);
/*
@@ -334,16 +322,10 @@
* bucket size of one so that it can be used
* for fast iteration through the list.
*/
- m->iter = hash_init(1,
- get_random(),
- mroute_addr_hash_function,
- mroute_addr_compare_function);
+ m->iter = hash_init(1, get_random(), mroute_addr_hash_function, mroute_addr_compare_function);
#ifdef ENABLE_MANAGEMENT
- m->cid_hash = hash_init(t->options.real_hash_size,
- 0,
- cid_hash_function,
- cid_compare_function);
+ m->cid_hash = hash_init(t->options.real_hash_size, 0, cid_hash_function, cid_compare_function);
#endif
#ifdef ENABLE_ASYNC_PUSH
@@ -351,10 +333,8 @@
* Mapping between inotify watch descriptors and
* multi_instances.
*/
- m->inotify_watchers = hash_init(t->options.real_hash_size,
- get_random(),
- int_hash_function,
- int_compare_function);
+ m->inotify_watchers =
+ hash_init(t->options.real_hash_size, get_random(), int_hash_function, int_compare_function);
#endif
/*
@@ -367,10 +347,9 @@
* Limit frequency of incoming connections to control
* DoS.
*/
- m->new_connection_limiter = frequency_limit_init(t->options.cf_max,
- t->options.cf_per);
- m->initial_rate_limiter = initial_rate_limit_init(t->options.cf_initial_max,
- t->options.cf_initial_per);
+ m->new_connection_limiter = frequency_limit_init(t->options.cf_max, t->options.cf_per);
+ m->initial_rate_limiter =
+ initial_rate_limit_init(t->options.cf_initial_max, t->options.cf_initial_per);
/*
* Allocate broadcast/multicast buffer list
@@ -387,8 +366,7 @@
* differently based on whether a tun or tap style
* tunnel.
*/
- if (t->options.ifconfig_pool_defined
- || t->options.ifconfig_ipv6_pool_defined)
+ if (t->options.ifconfig_pool_defined || t->options.ifconfig_ipv6_pool_defined)
{
int pool_type = IFCONFIG_POOL_INDIV;
@@ -397,14 +375,11 @@
pool_type = IFCONFIG_POOL_30NET;
}
- m->ifconfig_pool = ifconfig_pool_init(t->options.ifconfig_pool_defined,
- pool_type,
- t->options.ifconfig_pool_start,
- t->options.ifconfig_pool_end,
- t->options.duplicate_cn,
- t->options.ifconfig_ipv6_pool_defined,
- t->options.ifconfig_ipv6_pool_base,
- t->options.ifconfig_ipv6_pool_netbits );
+ m->ifconfig_pool = ifconfig_pool_init(
+ t->options.ifconfig_pool_defined, pool_type, t->options.ifconfig_pool_start,
+ t->options.ifconfig_pool_end, t->options.duplicate_cn,
+ t->options.ifconfig_ipv6_pool_defined, t->options.ifconfig_ipv6_pool_base,
+ t->options.ifconfig_ipv6_pool_netbits);
/* reload pool data from file */
if (t->c1.ifconfig_pool_persist)
@@ -454,7 +429,8 @@
/* initialize stale routes check timer */
if (t->options.stale_routes_check_interval > 0)
{
- msg(M_INFO, "Initializing stale route check timer to run every %i seconds and to removing routes with activity timeout older than %i seconds",
+ msg(M_INFO,
+ "Initializing stale route check timer to run every %i seconds and to removing routes with activity timeout older than %i seconds",
t->options.stale_routes_check_interval, t->options.stale_routes_ageing_time);
event_timeout_init(&m->stale_routes_check_et, t->options.stale_routes_check_interval, 0);
}
@@ -475,8 +451,7 @@
buf_printf(&out, "%s/", cn);
}
buf_printf(&out, "%s", mroute_addr_print(&mi->real, gc));
- if (mi->context.c2.tls_multi
- && check_debug_level(D_DCO_DEBUG)
+ if (mi->context.c2.tls_multi && check_debug_level(D_DCO_DEBUG)
&& dco_enabled(&mi->context.options))
{
buf_printf(&out, " peer-id=%d", mi->context.c2.tls_multi->peer_id);
@@ -523,8 +498,7 @@
* CIDR netlengths.
*/
static void
-multi_del_iroutes(struct multi_context *m,
- struct multi_instance *mi)
+multi_del_iroutes(struct multi_context *m, struct multi_instance *mi)
{
const struct iroute *ir;
const struct iroute_ipv6 *ir6;
@@ -580,7 +554,9 @@
if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT))
{
- if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT, NULL, NULL, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
+ if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT, NULL, NULL,
+ mi->context.c2.es)
+ != OPENVPN_PLUGIN_FUNC_SUCCESS)
{
msg(M_WARN, "WARNING: client-disconnect plugin call failed");
}
@@ -603,9 +579,7 @@
}
void
-multi_close_instance(struct multi_context *m,
- struct multi_instance *mi,
- bool shutdown)
+multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown)
{
perf_push(PERF_MULTI_CLOSE_INSTANCE);
@@ -650,7 +624,7 @@
#ifdef ENABLE_ASYNC_PUSH
if (mi->inotify_watch != -1)
{
- hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch);
+ hash_remove(m->inotify_watchers, (void *)(unsigned long)mi->inotify_watch);
mi->inotify_watch = -1;
}
#endif
@@ -660,7 +634,7 @@
m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
}
- schedule_remove_entry(m->schedule, (struct schedule_entry *) mi);
+ schedule_remove_entry(m->schedule, (struct schedule_entry *)mi);
ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, false);
@@ -717,7 +691,7 @@
hash_iterator_init(m->iter, &hi);
while ((he = hash_iterator_next(&hi)))
{
- struct multi_instance *mi = (struct multi_instance *) he->value;
+ struct multi_instance *mi = (struct multi_instance *)he->value;
mi->did_iter = false;
multi_close_instance(m, mi, true);
}
@@ -789,7 +763,9 @@
if (hash_n_elements(m->hash) >= m->max_clients)
{
- msg(D_MULTI_ERRORS, "MULTI: new incoming connection would exceed maximum number of clients (%d)", m->max_clients);
+ msg(D_MULTI_ERRORS,
+ "MULTI: new incoming connection would exceed maximum number of clients (%d)",
+ m->max_clients);
goto err;
}
@@ -879,7 +855,7 @@
while ((he = hash_iterator_next(&hi)))
{
struct gc_arena gc = gc_new();
- const struct multi_instance *mi = (struct multi_instance *) he->value;
+ const struct multi_instance *mi = (struct multi_instance *)he->value;
if (!mi->halt)
{
@@ -900,21 +876,19 @@
while ((he = hash_iterator_next(&hi)))
{
struct gc_arena gc = gc_new();
- const struct multi_route *route = (struct multi_route *) he->value;
+ const struct multi_route *route = (struct multi_route *)he->value;
if (multi_route_defined(m, route))
{
const struct multi_instance *mi = route->instance;
const struct mroute_addr *ma = &route->addr;
- char flags[2] = {0, 0};
+ char flags[2] = { 0, 0 };
if (route->flags & MULTI_ROUTE_CACHE)
{
flags[0] = 'C';
}
- status_printf(so, "%s%s,%s,%s,%s",
- mroute_addr_print(ma, &gc),
- flags,
+ status_printf(so, "%s%s,%s,%s,%s", mroute_addr_print(ma, &gc), flags,
tls_common_name(mi->context.c2.tls_multi, false),
mroute_addr_print(&mi->real, &gc),
time_string(route->last_reference, 0, false, &gc));
@@ -926,8 +900,7 @@
status_printf(so, "GLOBAL STATS");
if (m->mbuf)
{
- status_printf(so, "Max bcast/mcast queue length,%d",
- mbuf_maximum_queued(m->mbuf));
+ status_printf(so, "Max bcast/mcast queue length,%d", mbuf_maximum_queued(m->mbuf));
}
status_printf(so, "END");
@@ -940,69 +913,77 @@
* Status file version 2 and 3
*/
status_printf(so, "TITLE%c%s", sep, title_string);
- status_printf(so, "TIME%c%s%c%u", sep, time_string(now, 0, false, &gc_top), sep, (unsigned int)now);
- status_printf(so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID%cData Channel Cipher",
- sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
+ status_printf(so, "TIME%c%s%c%u", sep, time_string(now, 0, false, &gc_top), sep,
+ (unsigned int)now);
+ status_printf(
+ so,
+ "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID%cData Channel Cipher",
+ sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
hash_iterator_init(m->hash, &hi);
while ((he = hash_iterator_next(&hi)))
{
struct gc_arena gc = gc_new();
- const struct multi_instance *mi = (struct multi_instance *) he->value;
+ const struct multi_instance *mi = (struct multi_instance *)he->value;
if (!mi->halt)
{
- status_printf(so, "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u%c%s%c"
+ status_printf(
+ so,
+ "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format
+ "%c%s%c%u%c%s%c"
#ifdef ENABLE_MANAGEMENT
- "%lu"
+ "%lu"
#else
- ""
+ ""
#endif
- "%c%" PRIu32 "%c%s",
- sep, tls_common_name(mi->context.c2.tls_multi, false),
- sep, mroute_addr_print(&mi->real, &gc),
- sep, print_in_addr_t(mi->reporting_addr, IA_EMPTY_IF_UNDEF, &gc),
- sep, print_in6_addr(mi->reporting_addr_ipv6, IA_EMPTY_IF_UNDEF, &gc),
- sep, mi->context.c2.link_read_bytes + mi->context.c2.dco_read_bytes,
- sep, mi->context.c2.link_write_bytes + mi->context.c2.dco_write_bytes,
- sep, time_string(mi->created, 0, false, &gc),
- sep, (unsigned int)mi->created,
- sep, tls_username(mi->context.c2.tls_multi, false),
+ "%c%" PRIu32 "%c%s",
+ sep, tls_common_name(mi->context.c2.tls_multi, false), sep,
+ mroute_addr_print(&mi->real, &gc), sep,
+ print_in_addr_t(mi->reporting_addr, IA_EMPTY_IF_UNDEF, &gc), sep,
+ print_in6_addr(mi->reporting_addr_ipv6, IA_EMPTY_IF_UNDEF, &gc), sep,
+ mi->context.c2.link_read_bytes + mi->context.c2.dco_read_bytes, sep,
+ mi->context.c2.link_write_bytes + mi->context.c2.dco_write_bytes, sep,
+ time_string(mi->created, 0, false, &gc), sep, (unsigned int)mi->created,
+ sep, tls_username(mi->context.c2.tls_multi, false),
#ifdef ENABLE_MANAGEMENT
- sep, mi->context.c2.mda_context.cid,
+ sep, mi->context.c2.mda_context.cid,
#else
- sep,
+ sep,
#endif
- sep, mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX,
- sep, translate_cipher_name_to_openvpn(mi->context.options.ciphername));
+ sep,
+ mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX,
+ sep, translate_cipher_name_to_openvpn(mi->context.options.ciphername));
}
gc_free(&gc);
}
hash_iterator_free(&hi);
- status_printf(so, "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
- sep, sep, sep, sep, sep, sep);
+ status_printf(
+ so,
+ "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
+ sep, sep, sep, sep, sep, sep);
hash_iterator_init(m->vhash, &hi);
while ((he = hash_iterator_next(&hi)))
{
struct gc_arena gc = gc_new();
- const struct multi_route *route = (struct multi_route *) he->value;
+ const struct multi_route *route = (struct multi_route *)he->value;
if (multi_route_defined(m, route))
{
const struct multi_instance *mi = route->instance;
const struct mroute_addr *ma = &route->addr;
- char flags[2] = {0, 0};
+ char flags[2] = { 0, 0 };
if (route->flags & MULTI_ROUTE_CACHE)
{
flags[0] = 'C';
}
- status_printf(so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u",
- sep, mroute_addr_print(ma, &gc), flags,
- sep, tls_common_name(mi->context.c2.tls_multi, false),
- sep, mroute_addr_print(&mi->real, &gc),
- sep, time_string(route->last_reference, 0, false, &gc),
- sep, (unsigned int)route->last_reference);
+ status_printf(so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u", sep,
+ mroute_addr_print(ma, &gc), flags, sep,
+ tls_common_name(mi->context.c2.tls_multi, false), sep,
+ mroute_addr_print(&mi->real, &gc), sep,
+ time_string(route->last_reference, 0, false, &gc), sep,
+ (unsigned int)route->last_reference);
}
gc_free(&gc);
}
@@ -1010,11 +991,12 @@
if (m->mbuf)
{
- status_printf(so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d",
- sep, sep, mbuf_maximum_queued(m->mbuf));
+ status_printf(so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d", sep, sep,
+ mbuf_maximum_queued(m->mbuf));
}
- status_printf(so, "GLOBAL_STATS%cdco_enabled%c%d", sep, sep, dco_enabled(&m->top.options));
+ status_printf(so, "GLOBAL_STATS%cdco_enabled%c%d", sep, sep,
+ dco_enabled(&m->top.options));
status_printf(so, "END");
}
else
@@ -1024,19 +1006,22 @@
#ifdef PACKET_TRUNCATION_CHECK
{
- status_printf(so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
+ status_printf(
+ so,
+ "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
hash_iterator_init(m->hash, &hi);
while ((he = hash_iterator_next(&hi)))
{
struct gc_arena gc = gc_new();
- const struct multi_instance *mi = (struct multi_instance *) he->value;
+ const struct multi_instance *mi = (struct multi_instance *)he->value;
if (!mi->halt)
{
- status_printf(so, "ERRORS,%s," counter_format "," counter_format "," counter_format "," counter_format,
+ status_printf(so,
+ "ERRORS,%s," counter_format "," counter_format "," counter_format
+ "," counter_format,
tls_common_name(mi->context.c2.tls_multi, false),
- m->top.c2.n_trunc_tun_read,
- mi->context.c2.n_trunc_tun_write,
+ m->top.c2.n_trunc_tun_read, mi->context.c2.n_trunc_tun_write,
mi->context.c2.n_trunc_pre_encrypt,
mi->context.c2.n_trunc_post_decrypt);
}
@@ -1067,9 +1052,7 @@
* or NULL if none.
*/
static struct multi_instance *
-multi_learn_addr(struct multi_context *m,
- struct multi_instance *mi,
- const struct mroute_addr *addr,
+multi_learn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr,
const unsigned int flags)
{
struct hash_element *he;
@@ -1083,7 +1066,7 @@
he = hash_lookup_fast(m->vhash, bucket, addr, hv);
if (he)
{
- oldroute = (struct multi_route *) he->value;
+ oldroute = (struct multi_route *)he->value;
}
if (oldroute && multi_route_defined(m, oldroute))
{
@@ -1141,10 +1124,8 @@
}
}
- msg(D_MULTI_LOW, "MULTI: Learn%s: %s -> %s",
- learn_succeeded ? "" : " FAILED",
- mroute_addr_print(&newroute->addr, &gc),
- multi_instance_string(mi, false, &gc));
+ msg(D_MULTI_LOW, "MULTI: Learn%s: %s -> %s", learn_succeeded ? "" : " FAILED",
+ mroute_addr_print(&newroute->addr, &gc), multi_instance_string(mi, false, &gc));
if (!learn_succeeded)
{
@@ -1160,8 +1141,7 @@
* Get client instance based on virtual address.
*/
static struct multi_instance *
-multi_get_instance_by_virtual_addr(struct multi_context *m,
- const struct mroute_addr *addr,
+multi_get_instance_by_virtual_addr(struct multi_context *m, const struct mroute_addr *addr,
bool cidr_routing)
{
struct multi_route *route;
@@ -1173,7 +1153,7 @@
return NULL;
}
- route = (struct multi_route *) hash_lookup(m->vhash, addr);
+ route = (struct multi_route *)hash_lookup(m->vhash, addr);
/* does host route (possible cached) exist? */
if (route && multi_route_defined(m, route))
@@ -1197,13 +1177,13 @@
mroute_addr_mask_host_bits(&tryaddr);
/* look up a possible route with netbits netmask */
- route = (struct multi_route *) hash_lookup(m->vhash, &tryaddr);
+ route = (struct multi_route *)hash_lookup(m->vhash, &tryaddr);
if (route && multi_route_defined(m, route))
{
/* found an applicable route, cache host route */
struct multi_instance *mi = route->instance;
- multi_learn_addr(m, mi, addr, MULTI_ROUTE_CACHE|MULTI_ROUTE_AGEABLE);
+ multi_learn_addr(m, mi, addr, MULTI_ROUTE_CACHE | MULTI_ROUTE_AGEABLE);
ret = mi;
break;
}
@@ -1217,15 +1197,12 @@
const char *addr_text = mroute_addr_print(addr, &gc);
if (ret)
{
- dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s",
- addr_text,
- multi_instance_string(ret, false, &gc),
- mroute_addr_print(&route->addr, &gc));
+ dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s", addr_text,
+ multi_instance_string(ret, false, &gc), mroute_addr_print(&route->addr, &gc));
}
else
{
- dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]",
- addr_text);
+ dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]", addr_text);
}
gc_free(&gc);
}
@@ -1239,14 +1216,12 @@
* Helper function to multi_learn_addr().
*/
static struct multi_instance *
-multi_learn_in_addr_t(struct multi_context *m,
- struct multi_instance *mi,
- in_addr_t a,
- int netbits, /* -1 if host route, otherwise # of network bits in address */
+multi_learn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a,
+ int netbits, /* -1 if host route, otherwise # of network bits in address */
bool primary)
{
struct openvpn_sockaddr remote_si;
- struct mroute_addr addr = {0};
+ struct mroute_addr addr = { 0 };
CLEAR(remote_si);
remote_si.addr.in4.sin_family = AF_INET;
@@ -1257,7 +1232,7 @@
if (netbits >= 0)
{
addr.type |= MR_WITH_NETBITS;
- addr.netbits = (uint8_t) netbits;
+ addr.netbits = (uint8_t)netbits;
}
struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
@@ -1272,7 +1247,7 @@
/* "primary" is the VPN ifconfig address of the peer and already
* known to DCO, so only install "extra" iroutes (primary = false)
*/
- ASSERT(netbits >= 0); /* DCO requires populated netbits */
+ ASSERT(netbits >= 0); /* DCO requires populated netbits */
dco_install_iroute(m, mi, &addr);
}
@@ -1280,13 +1255,11 @@
}
static struct multi_instance *
-multi_learn_in6_addr(struct multi_context *m,
- struct multi_instance *mi,
- struct in6_addr a6,
- int netbits, /* -1 if host route, otherwise # of network bits in address */
+multi_learn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6,
+ int netbits, /* -1 if host route, otherwise # of network bits in address */
bool primary)
{
- struct mroute_addr addr = {0};
+ struct mroute_addr addr = { 0 };
addr.len = 16;
addr.type = MR_ADDR_IPV6;
@@ -1296,8 +1269,8 @@
if (netbits >= 0)
{
addr.type |= MR_WITH_NETBITS;
- addr.netbits = (uint8_t) netbits;
- mroute_addr_mask_host_bits( &addr );
+ addr.netbits = (uint8_t)netbits;
+ mroute_addr_mask_host_bits(&addr);
}
struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
@@ -1312,7 +1285,7 @@
/* "primary" is the VPN ifconfig address of the peer and already
* known to DCO, so only install "extra" iroutes (primary = false)
*/
- ASSERT(netbits >= 0); /* DCO requires populated netbits */
+ ASSERT(netbits >= 0); /* DCO requires populated netbits */
dco_install_iroute(m, mi, &addr);
}
@@ -1324,8 +1297,7 @@
* to internal routing table.
*/
static void
-multi_add_iroutes(struct multi_context *m,
- struct multi_instance *mi)
+multi_add_iroutes(struct multi_context *m, struct multi_instance *mi)
{
struct gc_arena gc = gc_new();
const struct iroute *ir;
@@ -1338,15 +1310,13 @@
if (ir->netbits >= 0)
{
msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
- print_in_addr_t(ir->network, 0, &gc),
- ir->netbits,
+ print_in_addr_t(ir->network, 0, &gc), ir->netbits,
multi_instance_string(mi, false, &gc));
}
else
{
msg(D_MULTI_LOW, "MULTI: internal route %s -> %s",
- print_in_addr_t(ir->network, 0, &gc),
- multi_instance_string(mi, false, &gc));
+ print_in_addr_t(ir->network, 0, &gc), multi_instance_string(mi, false, &gc));
}
mroute_helper_add_iroute46(m->route_helper, ir->netbits);
@@ -1356,8 +1326,7 @@
for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
{
msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
- print_in6_addr(ir6->network, 0, &gc),
- ir6->netbits,
+ print_in6_addr(ir6->network, 0, &gc), ir6->netbits,
multi_instance_string(mi, false, &gc));
mroute_helper_add_iroute46(m->route_helper, ir6->netbits);
@@ -1387,7 +1356,7 @@
hash_iterator_init(m->iter, &hi);
while ((he = hash_iterator_next(&hi)))
{
- struct multi_instance *mi = (struct multi_instance *) he->value;
+ struct multi_instance *mi = (struct multi_instance *)he->value;
if (mi != new_mi && !mi->halt)
{
const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
@@ -1404,7 +1373,9 @@
if (count)
{
- msg(D_MULTI_LOW, "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.", new_cn);
+ msg(D_MULTI_LOW,
+ "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.",
+ new_cn);
}
}
}
@@ -1413,7 +1384,6 @@
static void
check_stale_routes(struct multi_context *m)
{
-
struct gc_arena gc = gc_new();
struct hash_iterator hi;
struct hash_element *he;
@@ -1422,8 +1392,9 @@
hash_iterator_init_range(m->vhash, &hi, 0, hash_n_buckets(m->vhash));
while ((he = hash_iterator_next(&hi)) != NULL)
{
- struct multi_route *r = (struct multi_route *) he->value;
- if (multi_route_defined(m, r) && difftime(now, r->last_reference) >= m->top.options.stale_routes_ageing_time)
+ struct multi_route *r = (struct multi_route *)he->value;
+ if (multi_route_defined(m, r)
+ && difftime(now, r->last_reference) >= m->top.options.stale_routes_ageing_time)
{
dmsg(D_MULTI_DEBUG, "MULTI: Deleting stale route for address '%s'",
mroute_addr_print(&r->addr, &gc));
@@ -1446,7 +1417,8 @@
const struct options *o = &c->options;
if (o->push_ifconfig_constraint_defined && c->c2.push_ifconfig_defined)
{
- return (o->push_ifconfig_constraint_netmask & c->c2.push_ifconfig_local) == o->push_ifconfig_constraint_network;
+ return (o->push_ifconfig_constraint_netmask & c->c2.push_ifconfig_local)
+ == o->push_ifconfig_constraint_network;
}
else
{
@@ -1480,7 +1452,8 @@
mi->context.c2.push_ifconfig_defined = true;
mi->context.c2.push_ifconfig_local = mi->context.options.push_ifconfig_local;
- mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.push_ifconfig_remote_netmask;
+ mi->context.c2.push_ifconfig_remote_netmask =
+ mi->context.options.push_ifconfig_remote_netmask;
mi->context.c2.push_ifconfig_local_alias = mi->context.options.push_ifconfig_local_alias;
/* the current implementation does not allow "static IPv4, pool IPv6",
@@ -1490,7 +1463,8 @@
if (mi->context.options.ifconfig_ipv6_pool_defined
&& !mi->context.options.push_ifconfig_ipv6_defined)
{
- msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then." );
+ msg(M_INFO,
+ "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then.");
}
}
else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */
@@ -1505,30 +1479,33 @@
}
CLEAR(remote_ipv6);
- mi->vaddr_handle = ifconfig_pool_acquire(m->ifconfig_pool, &local, &remote, &remote_ipv6, cn);
+ mi->vaddr_handle =
+ ifconfig_pool_acquire(m->ifconfig_pool, &local, &remote, &remote_ipv6, cn);
if (mi->vaddr_handle >= 0)
{
const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
- msg( M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s",
- (mi->context.options.ifconfig_pool_defined
- ? print_in_addr_t(remote, 0, &gc)
- : "(Not enabled)"),
- (mi->context.options.ifconfig_ipv6_pool_defined
- ? print_in6_addr( remote_ipv6, 0, &gc )
- : "(Not enabled)") );
+ msg(M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s",
+ (mi->context.options.ifconfig_pool_defined ? print_in_addr_t(remote, 0, &gc)
+ : "(Not enabled)"),
+ (mi->context.options.ifconfig_ipv6_pool_defined
+ ? print_in6_addr(remote_ipv6, 0, &gc)
+ : "(Not enabled)"));
if (mi->context.options.ifconfig_pool_defined)
{
/* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
mi->context.c2.push_ifconfig_local = remote;
- if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
+ if (tunnel_type == DEV_TYPE_TAP
+ || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
{
- mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.ifconfig_pool_netmask;
+ mi->context.c2.push_ifconfig_remote_netmask =
+ mi->context.options.ifconfig_pool_netmask;
if (!mi->context.c2.push_ifconfig_remote_netmask)
{
- mi->context.c2.push_ifconfig_remote_netmask = mi->context.c1.tuntap->remote_netmask;
+ mi->context.c2.push_ifconfig_remote_netmask =
+ mi->context.c1.tuntap->remote_netmask;
}
}
else if (tunnel_type == DEV_TYPE_TUN)
@@ -1558,8 +1535,7 @@
if (mi->context.options.ifconfig_ipv6_pool_defined)
{
mi->context.c2.push_ifconfig_ipv6_local = remote_ipv6;
- mi->context.c2.push_ifconfig_ipv6_remote =
- mi->context.c1.tuntap->local_ipv6;
+ mi->context.c2.push_ifconfig_ipv6_remote = mi->context.c1.tuntap->local_ipv6;
mi->context.c2.push_ifconfig_ipv6_netbits =
mi->context.options.ifconfig_ipv6_netbits;
mi->context.c2.push_ifconfig_ipv6_defined = true;
@@ -1580,17 +1556,14 @@
*/
if (mi->context.options.push_ifconfig_ipv6_defined)
{
- mi->context.c2.push_ifconfig_ipv6_local =
- mi->context.options.push_ifconfig_ipv6_local;
- mi->context.c2.push_ifconfig_ipv6_remote =
- mi->context.options.push_ifconfig_ipv6_remote;
- mi->context.c2.push_ifconfig_ipv6_netbits =
- mi->context.options.push_ifconfig_ipv6_netbits;
+ mi->context.c2.push_ifconfig_ipv6_local = mi->context.options.push_ifconfig_ipv6_local;
+ mi->context.c2.push_ifconfig_ipv6_remote = mi->context.options.push_ifconfig_ipv6_remote;
+ mi->context.c2.push_ifconfig_ipv6_netbits = mi->context.options.push_ifconfig_ipv6_netbits;
mi->context.c2.push_ifconfig_ipv6_defined = true;
- msg( M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d",
- print_in6_addr( mi->context.c2.push_ifconfig_ipv6_local, 0, &gc ),
- mi->context.c2.push_ifconfig_ipv6_netbits );
+ msg(M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d",
+ print_in6_addr(mi->context.c2.push_ifconfig_ipv6_local, 0, &gc),
+ mi->context.c2.push_ifconfig_ipv6_netbits);
}
gc_free(&gc);
@@ -1611,24 +1584,19 @@
const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
- setenv_in_addr_t(mi->context.c2.es,
- "ifconfig_pool_remote_ip",
- mi->context.c2.push_ifconfig_local,
- SA_SET_IF_NONZERO);
+ setenv_in_addr_t(mi->context.c2.es, "ifconfig_pool_remote_ip",
+ mi->context.c2.push_ifconfig_local, SA_SET_IF_NONZERO);
- if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
+ if (tunnel_type == DEV_TYPE_TAP
+ || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
{
- setenv_in_addr_t(mi->context.c2.es,
- "ifconfig_pool_netmask",
- mi->context.c2.push_ifconfig_remote_netmask,
- SA_SET_IF_NONZERO);
+ setenv_in_addr_t(mi->context.c2.es, "ifconfig_pool_netmask",
+ mi->context.c2.push_ifconfig_remote_netmask, SA_SET_IF_NONZERO);
}
else if (tunnel_type == DEV_TYPE_TUN)
{
- setenv_in_addr_t(mi->context.c2.es,
- "ifconfig_pool_local_ip",
- mi->context.c2.push_ifconfig_remote_netmask,
- SA_SET_IF_NONZERO);
+ setenv_in_addr_t(mi->context.c2.es, "ifconfig_pool_local_ip",
+ mi->context.c2.push_ifconfig_remote_netmask, SA_SET_IF_NONZERO);
}
}
@@ -1638,16 +1606,11 @@
if (mi->context.c2.push_ifconfig_ipv6_defined)
{
- setenv_in6_addr(mi->context.c2.es,
- "ifconfig_pool_remote",
- &mi->context.c2.push_ifconfig_ipv6_local,
- SA_SET_IF_NONZERO);
- setenv_in6_addr(mi->context.c2.es,
- "ifconfig_pool_local",
- &mi->context.c2.push_ifconfig_ipv6_remote,
- SA_SET_IF_NONZERO);
- setenv_int(mi->context.c2.es,
- "ifconfig_pool_ip6_netbits",
+ setenv_in6_addr(mi->context.c2.es, "ifconfig_pool_remote",
+ &mi->context.c2.push_ifconfig_ipv6_local, SA_SET_IF_NONZERO);
+ setenv_in6_addr(mi->context.c2.es, "ifconfig_pool_local",
+ &mi->context.c2.push_ifconfig_ipv6_remote, SA_SET_IF_NONZERO);
+ setenv_int(mi->context.c2.es, "ifconfig_pool_ip6_netbits",
mi->context.c2.push_ifconfig_ipv6_netbits);
}
}
@@ -1656,20 +1619,14 @@
* Called after client-connect script is called
*/
static void
-multi_client_connect_post(struct multi_context *m,
- struct multi_instance *mi,
- const char *dc_file,
+multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file,
unsigned int *option_types_found)
{
/* Did script generate a dynamic config file? */
if (platform_test_file(dc_file))
{
- options_server_import(&mi->context.options,
- dc_file,
- D_IMPORT_ERRORS|M_OPTERR,
- CLIENT_CONNECT_OPT_MASK,
- option_types_found,
- mi->context.c2.es);
+ options_server_import(&mi->context.options, dc_file, D_IMPORT_ERRORS | M_OPTERR,
+ CLIENT_CONNECT_OPT_MASK, option_types_found, mi->context.c2.es);
/*
* If the --client-connect script generates a config file
@@ -1688,10 +1645,8 @@
* Called after client-connect plug-in is called
*/
static void
-multi_client_connect_post_plugin(struct multi_context *m,
- struct multi_instance *mi,
- const struct plugin_return *pr,
- unsigned int *option_types_found)
+multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi,
+ const struct plugin_return *pr, unsigned int *option_types_found)
{
struct plugin_return config;
@@ -1705,12 +1660,9 @@
{
if (config.list[i] && config.list[i]->value)
{
- options_string_import(&mi->context.options,
- config.list[i]->value,
- D_IMPORT_ERRORS|M_OPTERR,
- CLIENT_CONNECT_OPT_MASK,
- option_types_found,
- mi->context.c2.es);
+ options_string_import(&mi->context.options, config.list[i]->value,
+ D_IMPORT_ERRORS | M_OPTERR, CLIENT_CONNECT_OPT_MASK,
+ option_types_found, mi->context.c2.es);
}
}
@@ -1732,9 +1684,7 @@
* Called to load management-derived client-connect config
*/
enum client_connect_return
-multi_client_connect_mda(struct multi_context *m,
- struct multi_instance *mi,
- bool deferred,
+multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, bool deferred,
unsigned int *option_types_found)
{
/* We never return CC_RET_DEFERRED */
@@ -1747,12 +1697,8 @@
for (be = mi->cc_config->head; be != NULL; be = be->next)
{
const char *opt = BSTR(&be->buf);
- options_string_import(&mi->context.options,
- opt,
- D_IMPORT_ERRORS|M_OPTERR,
- CLIENT_CONNECT_OPT_MASK,
- option_types_found,
- mi->context.c2.es);
+ options_string_import(&mi->context.options, opt, D_IMPORT_ERRORS | M_OPTERR,
+ CLIENT_CONNECT_OPT_MASK, option_types_found, mi->context.c2.es);
}
/*
@@ -1817,9 +1763,9 @@
else if (dco_enabled(o))
{
msg(M_INFO, "Client does not support DATA_V2. Data channel offloading "
- "requires DATA_V2. Dropping client.");
+ "requires DATA_V2. Dropping client.");
auth_set_client_reason(tls_multi, "Data channel negotiation "
- "failed (missing DATA_V2)");
+ "failed (missing DATA_V2)");
return false;
}
@@ -1828,8 +1774,8 @@
if (proto & IV_PROTO_NCP_P2P)
{
msg(M_WARN, "Note: peer reports running in P2P mode (no --pull/--client "
- "option). It will not negotiate ciphers with this server. "
- "Expect this connection to fail.");
+ "option). It will not negotiate ciphers with this server. "
+ "Expect this connection to fail.");
}
if (proto & IV_PROTO_REQUEST_PUSH)
@@ -1844,11 +1790,11 @@
else if (o->force_key_material_export)
{
msg(M_INFO, "PUSH: client does not support TLS Keying Material "
- "Exporters but --force-tls-key-material-export is enabled.");
+ "Exporters but --force-tls-key-material-export is enabled.");
auth_set_client_reason(tls_multi, "Client incompatible with this "
- "server. Keying Material Exporters (RFC 5705) "
- "support missing. Upgrade to a client that "
- "supports this feature (OpenVPN 2.6.0+).");
+ "server. Keying Material Exporters (RFC 5705) "
+ "support missing. Upgrade to a client that "
+ "supports this feature (OpenVPN 2.6.0+).");
return false;
}
if (proto & IV_PROTO_DYN_TLS_CRYPT)
@@ -1869,10 +1815,11 @@
*/
if (get_primary_key(tls_multi)->crypto_options.key_ctx_bi.initialized)
{
- msg(M_INFO, "PUSH: client wants to negotiate cipher (NCP), but "
+ msg(M_INFO,
+ "PUSH: client wants to negotiate cipher (NCP), but "
"server has already generated data channel keys, "
"re-sending previously negotiated cipher '%s'",
- o->ciphername );
+ o->ciphername);
return true;
}
@@ -1880,14 +1827,13 @@
* Push the first cipher from --data-ciphers to the client that
* the client announces to be supporting.
*/
- char *push_cipher = ncp_get_best_cipher(o->ncp_ciphers, peer_info,
- tls_multi->remote_ciphername,
- &o->gc);
+ char *push_cipher =
+ ncp_get_best_cipher(o->ncp_ciphers, peer_info, tls_multi->remote_ciphername, &o->gc);
if (push_cipher)
{
/* Enable epoch data key format if supported and AEAD cipher in use */
- if (tls_multi->session[TM_ACTIVE].opt->data_epoch_supported
- && (proto & IV_PROTO_DATA_EPOCH) && cipher_kt_mode_aead(push_cipher))
+ if (tls_multi->session[TM_ACTIVE].opt->data_epoch_supported && (proto & IV_PROTO_DATA_EPOCH)
+ && cipher_kt_mode_aead(push_cipher))
{
o->imported_protocol_flags |= CO_EPOCH_DATA_KEY_FORMAT;
}
@@ -1908,16 +1854,17 @@
* side, in this situation we fail the auth*/
if (strlen(peer_ciphers) > 0)
{
- msg(M_INFO, "PUSH: No common cipher between server and client. "
+ msg(M_INFO,
+ "PUSH: No common cipher between server and client. "
"Server data-ciphers: '%s'%s, client supported ciphers '%s'",
o->ncp_ciphers_conf, ncp_expanded_ciphers(o, &gc), peer_ciphers);
}
else if (tls_multi->remote_ciphername)
{
- msg(M_INFO, "PUSH: No common cipher between server and client. "
+ msg(M_INFO,
+ "PUSH: No common cipher between server and client. "
"Server data-ciphers: '%s'%s, client supports cipher '%s'",
- o->ncp_ciphers_conf, ncp_expanded_ciphers(o, &gc),
- tls_multi->remote_ciphername);
+ o->ncp_ciphers_conf, ncp_expanded_ciphers(o, &gc), tls_multi->remote_ciphername);
}
else
{
@@ -1925,20 +1872,22 @@
if (o->enable_ncp_fallback && !tls_multi->remote_ciphername)
{
- msg(M_INFO, "Using data channel cipher '%s' since "
- "--data-ciphers-fallback is set.", o->ciphername);
+ msg(M_INFO,
+ "Using data channel cipher '%s' since "
+ "--data-ciphers-fallback is set.",
+ o->ciphername);
ret = true;
}
else
{
msg(M_INFO, "Use --data-ciphers-fallback with the cipher the "
- "client is using if you want to allow the client to connect");
+ "client is using if you want to allow the client to connect");
}
}
if (!ret)
{
auth_set_client_reason(tls_multi, "Data channel cipher negotiation "
- "failed (no shared cipher)");
+ "failed (no shared cipher)");
}
gc_free(&gc);
@@ -1961,8 +1910,7 @@
setenv_del(mi->context.c2.es, "client_connect_deferred_file");
if (!platform_unlink(ccs->deferred_ret_file))
{
- msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
- ccs->deferred_ret_file);
+ msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", ccs->deferred_ret_file);
}
free(ccs->deferred_ret_file);
ccs->deferred_ret_file = NULL;
@@ -1993,8 +1941,7 @@
}
ccs->deferred_ret_file = string_alloc(fn, NULL);
- setenv_str(mi->context.c2.es, "client_connect_deferred_file",
- ccs->deferred_ret_file);
+ setenv_str(mi->context.c2.es, "client_connect_deferred_file", ccs->deferred_ret_file);
gc_free(&gc);
return true;
@@ -2045,7 +1992,7 @@
default:
/* We received an unknown/unexpected value. Assume failure. */
msg(M_WARN, "WARNING: Unknown/unexpected value in deferred "
- "client-connect resultfile");
+ "client-connect resultfile");
ret = CC_RET_FAILED;
}
fclose(fp);
@@ -2067,8 +2014,7 @@
setenv_del(mi->context.c2.es, "client_connect_config_file");
if (!platform_unlink(ccs->config_file))
{
- msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
- ccs->config_file);
+ msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", ccs->config_file);
}
free(ccs->config_file);
ccs->config_file = NULL;
@@ -2102,18 +2048,15 @@
}
ccs->config_file = string_alloc(fn, NULL);
- setenv_str(mi->context.c2.es, "client_connect_config_file",
- ccs->config_file);
+ setenv_str(mi->context.c2.es, "client_connect_config_file", ccs->config_file);
gc_free(&gc);
return true;
}
static enum client_connect_return
-multi_client_connect_call_plugin_v1(struct multi_context *m,
- struct multi_instance *mi,
- bool deferred,
- unsigned int *option_types_found)
+multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi,
+ bool deferred, unsigned int *option_types_found)
{
enum client_connect_return ret = CC_RET_SKIPPED;
#ifdef ENABLE_PLUGIN
@@ -2131,8 +2074,7 @@
if (!deferred)
{
call = OPENVPN_PLUGIN_CLIENT_CONNECT;
- if (!ccs_gen_config_file(mi)
- || !ccs_gen_deferred_ret_file(mi))
+ if (!ccs_gen_config_file(mi) || !ccs_gen_deferred_ret_file(mi))
{
ret = CC_RET_FAILED;
goto cleanup;
@@ -2147,8 +2089,7 @@
}
argv_printf(&argv, "%s", ccs->config_file);
- int plug_ret = plugin_call(mi->context.plugins, call,
- &argv, NULL, mi->context.c2.es);
+ int plug_ret = plugin_call(mi->context.plugins, call, &argv, NULL, mi->context.c2.es);
if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
{
ret = CC_RET_SUCCEEDED;
@@ -2188,8 +2129,7 @@
/* if we still think we have succeeded, do postprocessing */
if (ret == CC_RET_SUCCEEDED)
{
- multi_client_connect_post(m, mi, ccs->config_file,
- option_types_found);
+ multi_client_connect_post(m, mi, ccs->config_file, option_types_found);
}
cleanup:
argv_free(&argv);
@@ -2205,10 +2145,8 @@
}
static enum client_connect_return
-multi_client_connect_call_plugin_v2(struct multi_context *m,
- struct multi_instance *mi,
- bool deferred,
- unsigned int *option_types_found)
+multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi,
+ bool deferred, unsigned int *option_types_found)
{
enum client_connect_return ret = CC_RET_SKIPPED;
#ifdef ENABLE_PLUGIN
@@ -2216,8 +2154,7 @@
ASSERT(mi);
ASSERT(option_types_found);
- int call = deferred ? OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 :
- OPENVPN_PLUGIN_CLIENT_CONNECT_V2;
+ int call = deferred ? OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 : OPENVPN_PLUGIN_CLIENT_CONNECT_V2;
/* V2 callback, use a plugin_return struct for passing back return info */
if (plugin_defined(mi->context.plugins, call))
{
@@ -2225,8 +2162,7 @@
plugin_return_init(&pr);
- int plug_ret = plugin_call(mi->context.plugins, call,
- NULL, &pr, mi->context.c2.es);
+ int plug_ret = plugin_call(mi->context.plugins, call, NULL, &pr, mi->context.c2.es);
if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
{
multi_client_connect_post_plugin(m, mi, &pr, option_types_found);
@@ -2235,13 +2171,12 @@
else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
{
ret = CC_RET_DEFERRED;
- if (!(plugin_defined(mi->context.plugins,
- OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2)))
+ if (!(plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2)))
{
msg(M_WARN, "A plugin that defers from the "
- "OPENVPN_PLUGIN_CLIENT_CONNECT_V2 call must also "
- "declare support for "
- "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2");
+ "OPENVPN_PLUGIN_CLIENT_CONNECT_V2 call must also "
+ "declare support for "
+ "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2");
ret = CC_RET_FAILED;
}
}
@@ -2259,8 +2194,7 @@
}
static enum client_connect_return
-multi_client_connect_script_deferred(struct multi_context *m,
- struct multi_instance *mi,
+multi_client_connect_script_deferred(struct multi_context *m, struct multi_instance *mi,
unsigned int *option_types_found)
{
ASSERT(mi);
@@ -2285,8 +2219,7 @@
if (ret == CC_RET_SUCCEEDED)
{
ccs_delete_deferred_ret_file(mi);
- multi_client_connect_post(m, mi, ccs->config_file,
- option_types_found);
+ multi_client_connect_post(m, mi, ccs->config_file, option_types_found);
ccs_delete_config_file(mi);
}
if (ret == CC_RET_FAILED)
@@ -2302,9 +2235,7 @@
* Runs the --client-connect script if one is defined.
*/
static enum client_connect_return
-multi_client_connect_call_script(struct multi_context *m,
- struct multi_instance *mi,
- bool deferred,
+multi_client_connect_call_script(struct multi_context *m, struct multi_instance *mi, bool deferred,
unsigned int *option_types_found)
{
if (deferred)
@@ -2324,8 +2255,7 @@
setenv_str(mi->context.c2.es, "script_type", "client-connect");
- if (!ccs_gen_config_file(mi)
- || !ccs_gen_deferred_ret_file(mi))
+ if (!ccs_gen_config_file(mi) || !ccs_gen_deferred_ret_file(mi))
{
ret = CC_RET_FAILED;
goto cleanup;
@@ -2342,8 +2272,7 @@
}
else
{
- multi_client_connect_post(m, mi, ccs->config_file,
- option_types_found);
+ multi_client_connect_post(m, mi, ccs->config_file, option_types_found);
ret = CC_RET_SUCCEEDED;
}
}
@@ -2364,8 +2293,7 @@
}
static bool
-multi_client_setup_dco_initial(struct multi_context *m,
- struct multi_instance *mi,
+multi_client_setup_dco_initial(struct multi_context *m, struct multi_instance *mi,
struct gc_arena *gc)
{
if (!dco_enabled(&mi->context.options))
@@ -2376,8 +2304,8 @@
int ret = dco_multi_add_new_peer(m, mi);
if (ret < 0)
{
- msg(D_DCO, "Cannot add peer to DCO for %s: %s (%d)",
- multi_instance_string(mi, false, gc), strerror(-ret), ret);
+ msg(D_DCO, "Cannot add peer to DCO for %s: %s (%d)", multi_instance_string(mi, false, gc),
+ strerror(-ret), ret);
return false;
}
@@ -2398,9 +2326,8 @@
}
#endif
struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
- if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options,
- &c->c2.frame, frame_fragment,
- get_link_socket_info(c),
+ if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame,
+ frame_fragment, get_link_socket_info(c),
&c->c1.tuntap->dco))
{
msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed");
@@ -2412,8 +2339,7 @@
}
static void
-multi_client_connect_late_setup(struct multi_context *m,
- struct multi_instance *mi,
+multi_client_connect_late_setup(struct multi_context *m, struct multi_instance *mi,
const unsigned int option_types_found)
{
ASSERT(m);
@@ -2430,7 +2356,8 @@
*/
if (!mi->context.c2.push_ifconfig_defined)
{
- msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote "
+ msg(D_MULTI_ERRORS,
+ "MULTI: no dynamic or static remote "
"--ifconfig address is available for %s",
multi_instance_string(mi, false, &gc));
}
@@ -2446,7 +2373,8 @@
print_in_addr_t(mi->context.options.push_ifconfig_constraint_netmask, 0, &gc);
/* JYFIXME -- this should cause the connection to fail */
- msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s) "
+ msg(D_MULTI_ERRORS,
+ "MULTI ERROR: primary virtual IP for %s (%s) "
"violates tunnel network/netmask constraint (%s/%s)",
multi_instance_string(mi, false, &gc),
print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc),
@@ -2490,9 +2418,7 @@
{
if (mi->context.c2.push_ifconfig_defined)
{
- multi_learn_in_addr_t(m, mi,
- mi->context.c2.push_ifconfig_local,
- -1, true);
+ multi_learn_in_addr_t(m, mi, mi->context.c2.push_ifconfig_local, -1, true);
msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s",
multi_instance_string(mi, false, &gc),
print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc));
@@ -2500,15 +2426,12 @@
if (mi->context.c2.push_ifconfig_ipv6_defined)
{
- multi_learn_in6_addr(m, mi,
- mi->context.c2.push_ifconfig_ipv6_local,
- -1, true);
+ multi_learn_in6_addr(m, mi, mi->context.c2.push_ifconfig_ipv6_local, -1, true);
/* TODO: find out where addresses are "unlearned"!! */
const char *ifconfig_local_ipv6 =
print_in6_addr(mi->context.c2.push_ifconfig_ipv6_local, 0, &gc);
msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s",
- multi_instance_string(mi, false, &gc),
- ifconfig_local_ipv6);
+ multi_instance_string(mi, false, &gc), ifconfig_local_ipv6);
}
/* add routes locally, pointing to new client, if
@@ -2524,7 +2447,8 @@
}
else if (mi->context.options.iroutes)
{
- msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute "
+ msg(D_MULTI_ERRORS,
+ "MULTI: --iroute options rejected for %s -- iroute "
"only works with tun-style tunnels",
multi_instance_string(mi, false, &gc));
}
@@ -2538,8 +2462,7 @@
}
static void
-multi_client_connect_early_setup(struct multi_context *m,
- struct multi_instance *mi)
+multi_client_connect_early_setup(struct multi_context *m, struct multi_instance *mi)
{
ASSERT(mi->context.c1.tuntap);
/*
@@ -2574,10 +2497,8 @@
* ccd/script to do compression on a special client.
*/
static enum client_connect_return
-multi_client_connect_compress_migrate(struct multi_context *m,
- struct multi_instance *mi,
- bool deferred,
- unsigned int *option_types_found)
+multi_client_connect_compress_migrate(struct multi_context *m, struct multi_instance *mi,
+ bool deferred, unsigned int *option_types_found)
{
#ifdef USE_COMP
struct options *o = &mi->context.options;
@@ -2608,9 +2529,7 @@
* --client-config-dir directory.
*/
static enum client_connect_return
-multi_client_connect_source_ccd(struct multi_context *m,
- struct multi_instance *mi,
- bool deferred,
+multi_client_connect_source_ccd(struct multi_context *m, struct multi_instance *mi, bool deferred,
unsigned int *option_types_found)
{
/* Since we never return a CC_RET_DEFERRED, this indicates a serious
@@ -2624,12 +2543,10 @@
const char *ccd_client =
platform_gen_path(mi->context.options.client_config_dir,
- tls_common_name(mi->context.c2.tls_multi, false),
- &gc);
+ tls_common_name(mi->context.c2.tls_multi, false), &gc);
const char *ccd_default =
- platform_gen_path(mi->context.options.client_config_dir,
- CCD_DEFAULT, &gc);
+ platform_gen_path(mi->context.options.client_config_dir, CCD_DEFAULT, &gc);
/* try common-name file */
@@ -2645,12 +2562,8 @@
if (ccd_file)
{
- options_server_import(&mi->context.options,
- ccd_file,
- D_IMPORT_ERRORS|M_OPTERR,
- CLIENT_CONNECT_OPT_MASK,
- option_types_found,
- mi->context.c2.es);
+ options_server_import(&mi->context.options, ccd_file, D_IMPORT_ERRORS | M_OPTERR,
+ CLIENT_CONNECT_OPT_MASK, option_types_found, mi->context.c2.es);
/*
* Select a virtual address from either --ifconfig-push in
* --client-config-dir file or --ifconfig-pool.
@@ -2666,9 +2579,9 @@
return ret;
}
-typedef enum client_connect_return (*multi_client_connect_handler)
- (struct multi_context *m, struct multi_instance *mi,
- bool from_deferred, unsigned int *option_types_found);
+typedef enum client_connect_return (*multi_client_connect_handler)(
+ struct multi_context *m, struct multi_instance *mi, bool from_deferred,
+ unsigned int *option_types_found);
static const multi_client_connect_handler client_connect_handlers[] = {
multi_client_connect_compress_migrate,
@@ -2694,9 +2607,9 @@
if (!multi->locked_username)
{
msg(D_MULTI_ERRORS, "MULTI: Ignoring override-username as no "
- "user/password method is enabled. Enable "
- "--management-client-auth, --auth-user-pass-verify, or a "
- "plugin with user/password verify capability.");
+ "user/password method is enabled. Enable "
+ "--management-client-auth, --auth-user-pass-verify, or a "
+ "plugin with user/password verify capability.");
return false;
}
@@ -2727,16 +2640,15 @@
{
struct user_pass up;
CLEAR(up);
- strncpynt(up.username, multi->locked_username,
- sizeof(up.username));
+ strncpynt(up.username, multi->locked_username, sizeof(up.username));
generate_auth_token(&up, multi);
}
- msg(D_MULTI_LOW, "MULTI: Note, override-username changes username "
+ msg(D_MULTI_LOW,
+ "MULTI: Note, override-username changes username "
"from '%s' to '%s'",
- multi->locked_original_username,
- multi->locked_username);
+ multi->locked_original_username, multi->locked_username);
}
return true;
}
@@ -2767,8 +2679,7 @@
bool from_deferred = (mi->context.c2.tls_multi->multi_state != CAS_PENDING);
int *cur_handler_index = &mi->client_connect_defer_state.cur_handler_index;
- unsigned int *option_types_found =
- &mi->client_connect_defer_state.option_types_found;
+ unsigned int *option_types_found = &mi->client_connect_defer_state.option_types_found;
/* We are called for the first time */
if (!from_deferred)
@@ -2783,12 +2694,10 @@
bool cc_succeeded = true;
- while (cc_succeeded
- && client_connect_handlers[*cur_handler_index] != NULL)
+ while (cc_succeeded && client_connect_handlers[*cur_handler_index] != NULL)
{
enum client_connect_return ret;
- ret = client_connect_handlers[*cur_handler_index](m, mi, from_deferred,
- option_types_found);
+ ret = client_connect_handlers[*cur_handler_index](m, mi, from_deferred, option_types_found);
from_deferred = false;
@@ -2836,7 +2745,7 @@
if (mi->context.options.disable)
{
msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to "
- "'disable' directive");
+ "'disable' directive");
cc_succeeded = false;
}
@@ -2889,8 +2798,8 @@
#ifdef ENABLE_MANAGEMENT
if (management)
{
- management_connection_established(management,
- &mi->context.c2.mda_context, mi->context.c2.es);
+ management_connection_established(management, &mi->context.c2.mda_context,
+ mi->context.c2.es);
}
#endif
}
@@ -2912,13 +2821,14 @@
while (buffer_i < r)
{
/* parse inotify events */
- struct inotify_event *pevent = (struct inotify_event *) &buffer[buffer_i];
+ struct inotify_event *pevent = (struct inotify_event *)&buffer[buffer_i];
size_t event_size = sizeof(struct inotify_event) + pevent->len;
buffer_i += event_size;
msg(D_MULTI_DEBUG, "MULTI: modified fd %d, mask %d", pevent->wd, pevent->mask);
- struct multi_instance *mi = hash_lookup(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
+ struct multi_instance *mi =
+ hash_lookup(m->inotify_watchers, (void *)(unsigned long)pevent->wd);
if (pevent->mask & IN_CLOSE_WRITE)
{
@@ -2937,7 +2847,7 @@
/* this event is _always_ fired when watch is removed or file is deleted */
if (mi)
{
- hash_remove(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
+ hash_remove(m->inotify_watchers, (void *)(unsigned long)pevent->wd);
mi->inotify_watch = -1;
}
}
@@ -2954,9 +2864,7 @@
* instance.
*/
void
-multi_add_mbuf(struct multi_context *m,
- struct multi_instance *mi,
- struct mbuf_buffer *mb)
+multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb)
{
if (multi_output_queue_ready(m, mi))
{
@@ -2975,9 +2883,7 @@
* Add a packet to a client instance output queue.
*/
static inline void
-multi_unicast(struct multi_context *m,
- const struct buffer *buf,
- struct multi_instance *mi)
+multi_unicast(struct multi_context *m, const struct buffer *buf, struct multi_instance *mi)
{
struct mbuf_buffer *mb;
@@ -2994,10 +2900,8 @@
* Broadcast a packet to all clients.
*/
static void
-multi_bcast(struct multi_context *m,
- const struct buffer *buf,
- const struct multi_instance *sender_instance,
- uint16_t vid)
+multi_bcast(struct multi_context *m, const struct buffer *buf,
+ const struct multi_instance *sender_instance, uint16_t vid)
{
struct hash_iterator hi;
struct hash_element *he;
@@ -3015,7 +2919,7 @@
while ((he = hash_iterator_next(&hi)))
{
- mi = (struct multi_instance *) he->value;
+ mi = (struct multi_instance *)he->value;
if (mi != sender_instance && !mi->halt)
{
if (vid != 0 && vid != mi->context.options.vlan_pvid)
@@ -3073,29 +2977,24 @@
tv_add(&mi->wakeup, &mi->context.c2.timeval);
/* tell scheduler to wake us up at some point in the future */
- schedule_add_entry(m->schedule,
- (struct schedule_entry *) mi,
- &mi->wakeup,
+ schedule_add_entry(m->schedule, (struct schedule_entry *)mi, &mi->wakeup,
compute_wakeup_sigma(&mi->context.c2.timeval));
}
#if defined(ENABLE_ASYNC_PUSH)
static void
-add_inotify_file_watch(struct multi_context *m, struct multi_instance *mi,
- int inotify_fd, const char *file)
+add_inotify_file_watch(struct multi_context *m, struct multi_instance *mi, int inotify_fd,
+ const char *file)
{
/* watch acf file */
- long watch_descriptor = inotify_add_watch(inotify_fd, file,
- IN_CLOSE_WRITE | IN_ONESHOT);
+ long watch_descriptor = inotify_add_watch(inotify_fd, file, IN_CLOSE_WRITE | IN_ONESHOT);
if (watch_descriptor >= 0)
{
if (mi->inotify_watch != -1)
{
- hash_remove(m->inotify_watchers,
- (void *) (unsigned long)mi->inotify_watch);
+ hash_remove(m->inotify_watchers, (void *)(unsigned long)mi->inotify_watch);
}
- hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor,
- mi, true);
+ hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor, mi, true);
mi->inotify_watch = watch_descriptor;
}
else
@@ -3117,7 +3016,9 @@
{
bool ret = true;
- if (!IS_SIG(&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context))))
+ if (!IS_SIG(&mi->context)
+ && ((flags & MPP_PRE_SELECT)
+ || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context))))
{
#if defined(ENABLE_ASYNC_PUSH)
bool was_unauthenticated = true;
@@ -3142,14 +3043,12 @@
if (ks && ks->plugin_auth.auth_control_file && was_unauthenticated
&& (ks->authenticated == KS_AUTH_DEFERRED))
{
- add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
- ks->plugin_auth.auth_control_file);
+ add_inotify_file_watch(m, mi, m->top.c2.inotify_fd, ks->plugin_auth.auth_control_file);
}
if (ks && ks->script_auth.auth_control_file && was_unauthenticated
&& (ks->authenticated == KS_AUTH_DEFERRED))
{
- add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
- ks->script_auth.auth_control_file);
+ add_inotify_file_watch(m, mi, m->top.c2.inotify_fd, ks->script_auth.auth_control_file);
}
#endif
@@ -3167,8 +3066,7 @@
&& mi->client_connect_defer_state.deferred_ret_file)
{
add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
- mi->client_connect_defer_state.
- deferred_ret_file);
+ mi->client_connect_defer_state.deferred_ret_file);
}
#endif
/* tell scheduler to wake us up at some point in the future */
@@ -3190,14 +3088,10 @@
multi_set_pending(m, ANY_OUT(&mi->context) ? mi : NULL);
#ifdef MULTI_DEBUG_EVENT_LOOP
- printf("POST %s[%d] to=%d lo=%d/%d w=%" PRIi64 "/%ld\n",
- id(mi),
- (int) (mi == m->pending),
- mi ? mi->context.c2.to_tun.len : -1,
- mi ? mi->context.c2.to_link.len : -1,
+ printf("POST %s[%d] to=%d lo=%d/%d w=%" PRIi64 "/%ld\n", id(mi), (int)(mi == m->pending),
+ mi ? mi->context.c2.to_tun.len : -1, mi ? mi->context.c2.to_link.len : -1,
(mi && mi->context.c2.fragment) ? mi->context.c2.fragment->outgoing.len : -1,
- (int64_t)mi->context.c2.timeval.tv_sec,
- (long)mi->context.c2.timeval.tv_usec);
+ (int64_t)mi->context.c2.timeval.tv_sec, (long)mi->context.c2.timeval.tv_usec);
#endif
}
@@ -3218,10 +3112,9 @@
* updates hashtables in multi_context.
*/
static void
-multi_process_float(struct multi_context *m, struct multi_instance *mi,
- struct link_socket *sock)
+multi_process_float(struct multi_context *m, struct multi_instance *mi, struct link_socket *sock)
{
- struct mroute_addr real = {0};
+ struct mroute_addr real = { 0 };
struct hash *hash = m->hash;
struct gc_arena gc = gc_new();
@@ -3243,7 +3136,7 @@
struct hash_element *he = hash_lookup_fast(hash, bucket, &real, hv);
if (he)
{
- struct multi_instance *ex_mi = (struct multi_instance *) he->value;
+ struct multi_instance *ex_mi = (struct multi_instance *)he->value;
struct tls_multi *m1 = mi->context.c2.tls_multi;
struct tls_multi *m2 = ex_mi->context.c2.tls_multi;
@@ -3265,23 +3158,23 @@
*/
if (m1->peer_id == m2->peer_id)
{
- msg(M_WARN, "disallowing peer %" PRIu32 " (%s) from floating to "
+ msg(M_WARN,
+ "disallowing peer %" PRIu32 " (%s) from floating to "
"its own address (%s)",
m1->peer_id, tls_common_name(mi->context.c2.tls_multi, false),
mroute_addr_print(&mi->real, &gc));
goto done;
}
- msg(D_MULTI_LOW, "closing instance %s due to float collision with %s "
+ msg(D_MULTI_LOW,
+ "closing instance %s due to float collision with %s "
"using the same certificate",
- multi_instance_string(ex_mi, false, &gc),
- multi_instance_string(mi, false, &gc));
+ multi_instance_string(ex_mi, false, &gc), multi_instance_string(mi, false, &gc));
multi_close_instance(m, ex_mi, false);
}
msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
- mi->context.c2.tls_multi->peer_id,
- tls_common_name(mi->context.c2.tls_multi, false),
+ mi->context.c2.tls_multi->peer_id, tls_common_name(mi->context.c2.tls_multi, false),
mroute_addr_print_ex(&mi->real, MAPF_SHOW_FAMILY, &gc),
mroute_addr_print_ex(&real, MAPF_SHOW_FAMILY, &gc));
@@ -3327,7 +3220,8 @@
multi_close_instance(m, mi, false);
}
-#if (defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))) || defined(ENABLE_MANAGEMENT)
+#if (defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))) \
+ || defined(ENABLE_MANAGEMENT)
static void
multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
{
@@ -3338,8 +3232,7 @@
#if defined(ENABLE_DCO)
static void
-process_incoming_del_peer(struct multi_context *m, struct multi_instance *mi,
- dco_context_t *dco)
+process_incoming_del_peer(struct multi_context *m, struct multi_instance *mi, dco_context_t *dco)
{
const char *reason = "ovpn-dco: unknown reason";
switch (dco->dco_del_peer_reason)
@@ -3436,9 +3329,10 @@
*/
msglevel = D_DCO_DEBUG;
}
- msg(msglevel, "Received DCO message for unknown peer-id: %d, "
- "type %d, del_peer_reason %d", peer_id, dco->dco_message_type,
- dco->dco_del_peer_reason);
+ msg(msglevel,
+ "Received DCO message for unknown peer-id: %d, "
+ "type %d, del_peer_reason %d",
+ peer_id, dco->dco_message_type, dco->dco_del_peer_reason);
}
dco->dco_message_type = 0;
@@ -3528,11 +3422,8 @@
if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TUN)
{
/* extract packet source and dest addresses */
- mroute_flags = mroute_extract_addr_from_packet(&src,
- &dest,
- 0,
- &c->c2.to_tun,
- DEV_TYPE_TUN);
+ mroute_flags =
+ mroute_extract_addr_from_packet(&src, &dest, 0, &c->c2.to_tun, DEV_TYPE_TUN);
/* drop packet if extract failed */
if (!(mroute_flags & MROUTE_EXTRACT_SUCCEEDED))
@@ -3543,14 +3434,15 @@
else if (multi_get_instance_by_virtual_addr(m, &src, true) != m->pending)
{
/* IPv6 link-local address (fe80::xxx)? */
- if ( (src.type & MR_ADDR_MASK) == MR_ADDR_IPV6
- && IN6_IS_ADDR_LINKLOCAL(&src.v6.addr) )
+ if ((src.type & MR_ADDR_MASK) == MR_ADDR_IPV6
+ && IN6_IS_ADDR_LINKLOCAL(&src.v6.addr))
{
/* do nothing, for now. TODO: add address learning */
}
else
{
- msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
+ msg(D_MULTI_DROPPED,
+ "MULTI: bad source address from client [%s], packet dropped",
mroute_addr_print(&src, &gc));
}
c->c2.to_tun.len = 0;
@@ -3599,11 +3491,8 @@
}
}
/* extract packet source and dest addresses */
- mroute_flags = mroute_extract_addr_from_packet(&src,
- &dest,
- vid,
- &c->c2.to_tun,
- DEV_TYPE_TAP);
+ mroute_flags =
+ mroute_extract_addr_from_packet(&src, &dest, vid, &c->c2.to_tun, DEV_TYPE_TAP);
if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
{
@@ -3612,7 +3501,7 @@
/* check for broadcast */
if (m->enable_c2c)
{
- if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
+ if (mroute_flags & (MROUTE_EXTRACT_BCAST | MROUTE_EXTRACT_MCAST))
{
multi_bcast(m, &c->c2.to_tun, m->pending, vid);
}
@@ -3632,7 +3521,8 @@
}
else
{
- msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
+ msg(D_MULTI_DROPPED,
+ "MULTI: bad source address from client [%s], packet dropped",
mroute_addr_print(&src, &gc));
c->c2.to_tun.len = 0;
}
@@ -3666,7 +3556,7 @@
if (BLEN(&m->top.c2.buf) > 0)
{
unsigned int mroute_flags;
- struct mroute_addr src = {0}, dest = {0};
+ struct mroute_addr src = { 0 }, dest = { 0 };
const int dev_type = TUNNEL_TYPE(m->top.c1.tuntap);
int16_t vid = 0;
@@ -3693,25 +3583,22 @@
* the appropriate multi_instance object.
*/
- mroute_flags = mroute_extract_addr_from_packet(&src,
- &dest,
- vid,
- &m->top.c2.buf,
- dev_type);
+ mroute_flags = mroute_extract_addr_from_packet(&src, &dest, vid, &m->top.c2.buf, dev_type);
if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
{
struct context *c;
/* broadcast or multicast dest addr? */
- if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
+ if (mroute_flags & (MROUTE_EXTRACT_BCAST | MROUTE_EXTRACT_MCAST))
{
/* for now, treat multicast as broadcast */
multi_bcast(m, &m->top.c2.buf, NULL, vid);
}
else
{
- multi_set_pending(m, multi_get_instance_by_virtual_addr(m, &dest, dev_type == DEV_TYPE_TUN));
+ multi_set_pending(
+ m, multi_get_instance_by_virtual_addr(m, &dest, dev_type == DEV_TYPE_TUN));
if (m->pending)
{
@@ -3729,7 +3616,8 @@
else
{
/* drop packet */
- msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
+ msg(D_MULTI_DROPPED,
+ "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
buf_reset_len(&c->c2.buf);
}
}
@@ -3763,7 +3651,8 @@
set_prefix(item.instance);
item.instance->context.c2.buf = item.buffer->buf;
- if (item.buffer->flags & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */
+ if (item.buffer->flags
+ & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */
{
pip_flags |= PIP_MSSFIX;
}
@@ -3801,7 +3690,8 @@
{
if (m->earliest_wakeup == (struct multi_instance *)&m->deferred_shutdown_signal)
{
- schedule_remove_entry(m->schedule, (struct schedule_entry *) &m->deferred_shutdown_signal);
+ schedule_remove_entry(m->schedule,
+ (struct schedule_entry *)&m->deferred_shutdown_signal);
throw_signal(m->deferred_shutdown_signal.signal_received);
}
else
@@ -3844,9 +3734,9 @@
route_quota_exceeded(const struct multi_instance *mi)
{
struct gc_arena gc = gc_new();
- msg(D_ROUTE_QUOTA, "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)",
- mi->context.options.max_routes_per_client,
- multi_instance_string(mi, false, &gc));
+ msg(D_ROUTE_QUOTA,
+ "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)",
+ mi->context.options.max_routes_per_client, multi_instance_string(mi, false, &gc));
gc_free(&gc);
}
@@ -3869,8 +3759,7 @@
parm.packet_size = min_int(parm.packet_size, m->top.c2.frame.buf.payload_size);
msg(D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d",
- parm.n_packets,
- parm.packet_size);
+ parm.n_packets, parm.packet_size);
for (i = 0; i < parm.packet_size; ++i)
{
@@ -3958,10 +3847,11 @@
hash_iterator_init(m->iter, &hi);
while ((he = hash_iterator_next(&hi)))
{
- struct multi_instance *mi = (struct multi_instance *) he->value;
+ struct multi_instance *mi = (struct multi_instance *)he->value;
if (!mi->halt && proto_is_dgram(mi->context.c2.link_sockets[0]->info.proto))
{
- send_control_channel_string(&mi->context, next_server ? "RESTART,[N]" : "RESTART", D_PUSH);
+ send_control_channel_string(&mi->context, next_server ? "RESTART,[N]" : "RESTART",
+ D_PUSH);
multi_schedule_context_wakeup(m, mi);
}
}
@@ -3975,8 +3865,7 @@
m->deferred_shutdown_signal.signal_received = m->top.sig->signal_received;
- schedule_add_entry(m->schedule,
- (struct schedule_entry *) &m->deferred_shutdown_signal,
+ schedule_add_entry(m->schedule, (struct schedule_entry *)&m->deferred_shutdown_signal,
&m->deferred_shutdown_signal.wakeup,
compute_wakeup_sigma(&m->deferred_shutdown_signal.wakeup));
@@ -3997,8 +3886,7 @@
status_close(so);
return false;
}
- else if (has_udp_in_local_list(&m->top.options)
- && is_exit_restart(m->top.sig->signal_received)
+ else if (has_udp_in_local_list(&m->top.options) && is_exit_restart(m->top.sig->signal_received)
&& (m->deferred_shutdown_signal.signal_received == 0)
&& m->top.options.ce.explicit_exit_notification != 0)
{
@@ -4016,7 +3904,7 @@
static void
management_callback_status(void *arg, const int version, struct status_output *so)
{
- struct multi_context *m = (struct multi_context *) arg;
+ struct multi_context *m = (struct multi_context *)arg;
if (!version)
{
@@ -4031,14 +3919,14 @@
static int
management_callback_n_clients(void *arg)
{
- struct multi_context *m = (struct multi_context *) arg;
+ struct multi_context *m = (struct multi_context *)arg;
return m->n_clients;
}
static int
management_callback_kill_by_cn(void *arg, const char *del_cn)
{
- struct multi_context *m = (struct multi_context *) arg;
+ struct multi_context *m = (struct multi_context *)arg;
struct hash_iterator hi;
struct hash_element *he;
int count = 0;
@@ -4046,7 +3934,7 @@
hash_iterator_init(m->iter, &hi);
while ((he = hash_iterator_next(&hi)))
{
- struct multi_instance *mi = (struct multi_instance *) he->value;
+ struct multi_instance *mi = (struct multi_instance *)he->value;
if (!mi->halt)
{
const char *cn = tls_common_name(mi->context.c2.tls_multi, false);
@@ -4062,10 +3950,9 @@
}
static int
-management_callback_kill_by_addr(void *arg, const in_addr_t addr,
- const int port, const int proto)
+management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port, const int proto)
{
- struct multi_context *m = (struct multi_context *) arg;
+ struct multi_context *m = (struct multi_context *)arg;
struct hash_iterator hi;
struct hash_element *he;
struct openvpn_sockaddr saddr;
@@ -4082,7 +3969,7 @@
hash_iterator_init(m->iter, &hi);
while ((he = hash_iterator_next(&hi)))
{
- struct multi_instance *mi = (struct multi_instance *) he->value;
+ struct multi_instance *mi = (struct multi_instance *)he->value;
if (!mi->halt && mroute_addr_equal(&maddr, &mi->real))
{
multi_signal_instance(m, mi, SIGTERM);
@@ -4097,7 +3984,7 @@
static void
management_delete_event(void *arg, event_t event)
{
- struct multi_context *m = (struct multi_context *) arg;
+ struct multi_context *m = (struct multi_context *)arg;
if (m->multi_io)
{
multi_tcp_delete_event(m->multi_io, event);
@@ -4109,7 +3996,7 @@
{
if (m)
{
- struct multi_instance *mi = (struct multi_instance *) hash_lookup(m->cid_hash, &cid);
+ struct multi_instance *mi = (struct multi_instance *)hash_lookup(m->cid_hash, &cid);
if (mi && !mi->halt)
{
return mi;
@@ -4121,7 +4008,7 @@
static bool
management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
{
- struct multi_context *m = (struct multi_context *) arg;
+ struct multi_context *m = (struct multi_context *)arg;
struct multi_instance *mi = lookup_by_cid(m, cid);
if (mi)
{
@@ -4136,13 +4023,10 @@
}
static bool
-management_client_pending_auth(void *arg,
- const unsigned long cid,
- const unsigned int mda_key_id,
- const char *extra,
- unsigned int timeout)
+management_client_pending_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id,
+ const char *extra, unsigned int timeout)
{
- struct multi_context *m = (struct multi_context *) arg;
+ struct multi_context *m = (struct multi_context *)arg;
struct multi_instance *mi = lookup_by_cid(m, cid);
if (mi)
@@ -4164,8 +4048,7 @@
}
/* sends INFO_PRE and AUTH_PENDING messages to client */
- bool ret = send_auth_pending_messages(multi, session, extra,
- timeout);
+ bool ret = send_auth_pending_messages(multi, session, extra, timeout);
reschedule_multi_process(&mi->context);
multi_schedule_context_wakeup(m, mi);
return ret;
@@ -4175,15 +4058,11 @@
static bool
-management_client_auth(void *arg,
- const unsigned long cid,
- const unsigned int mda_key_id,
- const bool auth,
- const char *reason,
- const char *client_reason,
- struct buffer_list *cc_config) /* ownership transferred */
+management_client_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id,
+ const bool auth, const char *reason, const char *client_reason,
+ struct buffer_list *cc_config) /* ownership transferred */
{
- struct multi_context *m = (struct multi_context *) arg;
+ struct multi_context *m = (struct multi_context *)arg;
struct multi_instance *mi = lookup_by_cid(m, cid);
bool cc_config_owned = true;
bool ret = false;
@@ -4203,7 +4082,8 @@
}
else if (reason)
{
- msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason));
+ msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason,
+ np(client_reason));
}
}
}
@@ -4217,7 +4097,7 @@
static char *
management_get_peer_info(void *arg, const unsigned long cid)
{
- struct multi_context *m = (struct multi_context *) arg;
+ struct multi_context *m = (struct multi_context *)arg;
struct multi_instance *mi = lookup_by_cid(m, cid);
char *ret = NULL;
@@ -4361,7 +4241,7 @@
tunnel_server_loop(&multi);
- #ifdef ENABLE_ASYNC_PUSH
+#ifdef ENABLE_ASYNC_PUSH
close(top->c2.inotify_fd);
#endif
@@ -4375,5 +4255,4 @@
multi_uninit(&multi);
multi_top_free(&multi);
close_instance(top);
-
}
@@ -99,27 +99,28 @@
* page describes the role the structure plays when OpenVPN is running in
* server-mode.
*/
-struct multi_instance {
- struct schedule_entry se; /* this must be the first element of the structure,
- * We cast between this and schedule_entry so the
- * beginning of the struct must be identical */
+struct multi_instance
+{
+ struct schedule_entry se; /* this must be the first element of the structure,
+ * We cast between this and schedule_entry so the
+ * beginning of the struct must be identical */
- struct event_arg ev_arg; /**< this struct will store a pointer to either mi or
- * link_socket, depending on the event type, to keep
- * it accessible it's placed within the same struct
- * it points to. */
+ struct event_arg ev_arg; /**< this struct will store a pointer to either mi or
+ * link_socket, depending on the event type, to keep
+ * it accessible it's placed within the same struct
+ * it points to. */
struct gc_arena gc;
bool halt;
int refcount;
- int route_count; /* number of routes (including cached routes) owned by this instance */
- time_t created; /**< Time at which a VPN tunnel instance
- * was created. This parameter is set
- * by the \c multi_create_instance()
- * function. */
- struct timeval wakeup; /* absolute time */
- struct mroute_addr real; /**< External network address of the
- * remote peer. */
+ int route_count; /* number of routes (including cached routes) owned by this instance */
+ time_t created; /**< Time at which a VPN tunnel instance
+ * was created. This parameter is set
+ * by the \c multi_create_instance()
+ * function. */
+ struct timeval wakeup; /* absolute time */
+ struct mroute_addr real; /**< External network address of the
+ * remote peer. */
ifconfig_pool_handle vaddr_handle;
char msg_prefix[MULTI_PREFIX_MAX_LENGTH];
@@ -128,7 +129,7 @@
struct mbuf_set *tcp_link_out_deferred;
bool socket_set_called;
- in_addr_t reporting_addr; /* IP address shown in status listing */
+ in_addr_t reporting_addr; /* IP address shown in status listing */
struct in6_addr reporting_addr_ipv6; /* IPv6 address in status listing */
bool did_real_hash;
@@ -138,10 +139,10 @@
struct buffer_list *cc_config;
#endif
bool did_iroutes;
- int n_clients_delta; /* added to multi_context.n_clients when instance is closed */
+ int n_clients_delta; /* added to multi_context.n_clients when instance is closed */
- struct context context; /**< The context structure storing state
- * for this VPN tunnel. */
+ struct context context; /**< The context structure storing state
+ * for this VPN tunnel. */
struct client_connect_defer_state client_connect_defer_state;
#ifdef ENABLE_ASYNC_PUSH
int inotify_watch; /* watch descriptor for acf */
@@ -159,22 +160,23 @@
* page describes the role the structure plays when OpenVPN is running in
* server-mode.
*/
-struct multi_context {
- struct multi_instance **instances; /**< Array of multi_instances. An instance can be
- * accessed using peer-id as an index. */
+struct multi_context
+{
+ struct multi_instance **instances; /**< Array of multi_instances. An instance can be
+ * accessed using peer-id as an index. */
- struct hash *hash; /**< VPN tunnel instances indexed by real
- * address of the remote peer. */
- struct hash *vhash; /**< VPN tunnel instances indexed by
- * virtual address of remote hosts. */
- struct hash *iter; /**< VPN tunnel instances indexed by real
- * address of the remote peer, optimized
- * for iteration. */
+ struct hash *hash; /**< VPN tunnel instances indexed by real
+ * address of the remote peer. */
+ struct hash *vhash; /**< VPN tunnel instances indexed by
+ * virtual address of remote hosts. */
+ struct hash *iter; /**< VPN tunnel instances indexed by real
+ * address of the remote peer, optimized
+ * for iteration. */
struct schedule *schedule;
- struct mbuf_set *mbuf; /**< Set of buffers for passing data
- * channel packets between VPN tunnel
- * instances. */
- struct multi_io *multi_io; /**< I/O state and events tracker */
+ struct mbuf_set *mbuf; /**< Set of buffers for passing data
+ * channel packets between VPN tunnel
+ * instances. */
+ struct multi_io *multi_io; /**< I/O state and events tracker */
struct ifconfig_pool *ifconfig_pool;
struct frequency_limit *new_connection_limiter;
struct initial_packet_rate_limit *initial_rate_limiter;
@@ -198,8 +200,8 @@
struct context_buffers *context_buffers;
time_t per_second_trigger;
- struct context top; /**< Storage structure for process-wide
- * configuration. */
+ struct context top; /**< Storage structure for process-wide
+ * configuration. */
struct buffer hmac_reply;
struct link_socket_actual *hmac_reply_dest;
@@ -237,8 +239,8 @@
struct mroute_addr addr;
struct multi_instance *instance;
-#define MULTI_ROUTE_CACHE (1<<0)
-#define MULTI_ROUTE_AGEABLE (1<<1)
+#define MULTI_ROUTE_CACHE (1 << 0)
+#define MULTI_ROUTE_AGEABLE (1 << 1)
unsigned int flags;
unsigned int cache_generation;
@@ -262,17 +264,18 @@
* Called by mtcp.c, mudp.c, or other (to be written) protocol drivers
*/
-struct multi_instance *multi_create_instance(struct multi_context *m, const struct mroute_addr *real,
+struct multi_instance *multi_create_instance(struct multi_context *m,
+ const struct mroute_addr *real,
struct link_socket *sock);
void multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown);
bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags);
-#define MPP_PRE_SELECT (1<<0)
-#define MPP_CONDITIONAL_PRE_SELECT (1<<1)
-#define MPP_CLOSE_ON_SIGNAL (1<<2)
-#define MPP_RECORD_TOUCH (1<<3)
+#define MPP_PRE_SELECT (1 << 0)
+#define MPP_CONDITIONAL_PRE_SELECT (1 << 1)
+#define MPP_CLOSE_ON_SIGNAL (1 << 2)
+#define MPP_RECORD_TOUCH (1 << 3)
/**************************************************************************/
@@ -297,7 +300,8 @@
* signal during processing.
* - False, if the VPN tunnel instance \a mi was closed.
*/
-bool multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags);
+bool multi_process_post(struct multi_context *m, struct multi_instance *mi,
+ const unsigned int flags);
/**
* Process an incoming DCO message (from kernel space).
@@ -334,8 +338,8 @@
* @param mpp_flags - Fast I/O optimization flags.
* @param sock - Socket where the packet was received.
*/
-bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags,
- struct link_socket *sock);
+bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance,
+ const unsigned int mpp_flags, struct link_socket *sock);
/**
@@ -360,9 +364,7 @@
struct multi_instance *multi_get_queue(struct mbuf_set *ms);
-void multi_add_mbuf(struct multi_context *m,
- struct multi_instance *mi,
- struct mbuf_buffer *mb);
+void multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb);
void multi_ifconfig_pool_persist(struct multi_context *m, bool force);
@@ -388,8 +390,7 @@
* Return true if our output queue is not full
*/
static inline bool
-multi_output_queue_ready(const struct multi_context *m,
- const struct multi_instance *mi)
+multi_output_queue_ready(const struct multi_context *m, const struct multi_instance *mi)
{
if (mi->tcp_link_out_deferred)
{
@@ -485,8 +486,7 @@
}
static inline bool
-multi_route_defined(const struct multi_context *m,
- const struct multi_route *r)
+multi_route_defined(const struct multi_context *m, const struct multi_route *r)
{
if (r->instance->halt)
{
@@ -511,8 +511,7 @@
/*
* Takes prefix away from multi_instance.
*/
-void
-ungenerate_prefix(struct multi_instance *mi);
+void ungenerate_prefix(struct multi_instance *mi);
/*
* Set a msg() function prefix with our current client instance ID.
@@ -548,10 +547,10 @@
* don't want to reap in a single pass.
*/
-#define REAP_MAX_WAKEUP 10 /* Do reap pass at least once per n seconds */
-#define REAP_DIVISOR 256 /* How many passes to cover whole hash table */
-#define REAP_MIN 16 /* Minimum number of buckets per pass */
-#define REAP_MAX 1024 /* Maximum number of buckets per pass */
+#define REAP_MAX_WAKEUP 10 /* Do reap pass at least once per n seconds */
+#define REAP_DIVISOR 256 /* How many passes to cover whole hash table */
+#define REAP_MIN 16 /* Minimum number of buckets per pass */
+#define REAP_MAX 1024 /* Maximum number of buckets per pass */
/*
* Mark a cached host route for deletion after this
@@ -596,7 +595,7 @@
struct timeval tv, current;
CLEAR(tv);
- m->earliest_wakeup = (struct multi_instance *) schedule_get_earliest_wakeup(m->schedule, &tv);
+ m->earliest_wakeup = (struct multi_instance *)schedule_get_earliest_wakeup(m->schedule, &tv);
if (m->earliest_wakeup)
{
ASSERT(!openvpn_gettimeofday(¤t, NULL));
@@ -641,9 +640,7 @@
ASSERT(mi);
#ifdef MULTI_DEBUG_EVENT_LOOP
- printf("%s -> TUN len=%d\n",
- id(mi),
- mi->context.c2.to_tun.len);
+ printf("%s -> TUN len=%d\n", id(mi), mi->context.c2.to_tun.len);
#endif
set_prefix(mi);
vlan_process_outgoing_tun(m, mi);
@@ -653,12 +650,13 @@
return ret;
}
-#define CLIENT_CONNECT_OPT_MASK (OPT_P_INSTANCE | OPT_P_INHERIT \
- |OPT_P_PUSH | OPT_P_TIMER | OPT_P_CONFIG \
- |OPT_P_ECHO | OPT_P_COMP | OPT_P_SOCKFLAGS)
+#define CLIENT_CONNECT_OPT_MASK \
+ (OPT_P_INSTANCE | OPT_P_INHERIT | OPT_P_PUSH | OPT_P_TIMER | OPT_P_CONFIG | OPT_P_ECHO \
+ | OPT_P_COMP | OPT_P_SOCKFLAGS)
static inline bool
-multi_process_outgoing_link_dowork(struct multi_context *m, struct multi_instance *mi, const unsigned int mpp_flags)
+multi_process_outgoing_link_dowork(struct multi_context *m, struct multi_instance *mi,
+ const unsigned int mpp_flags)
{
bool ret = true;
set_prefix(mi);
@@ -39,12 +39,12 @@
/*
* Special tags passed to event.[ch] functions
*/
-#define MULTI_IO_SOCKET ((void *)1)
-#define MULTI_IO_TUN ((void *)2)
-#define MULTI_IO_SIG ((void *)3) /* Only on Windows */
-#define MULTI_IO_MANAGEMENT ((void *)4)
+#define MULTI_IO_SOCKET ((void *)1)
+#define MULTI_IO_TUN ((void *)2)
+#define MULTI_IO_SIG ((void *)3) /* Only on Windows */
+#define MULTI_IO_MANAGEMENT ((void *)4)
#define MULTI_IO_FILE_CLOSE_WRITE ((void *)5)
-#define MULTI_IO_DCO ((void *)6)
+#define MULTI_IO_DCO ((void *)6)
struct ta_iow_flags
{
@@ -127,7 +127,8 @@
wait_signal(multi_io->es, MULTI_IO_SIG);
ALLOC_ARRAY(multi_io->esr, struct event_set_return, multi_io->maxevents);
*maxclients = max_int(min_int(multi_io->maxevents - extra_events, *maxclients), 1);
- msg(D_MULTI_LOW, "MULTI IO: MULTI_IO INIT maxclients=%d maxevents=%d", *maxclients, multi_io->maxevents);
+ msg(D_MULTI_LOW, "MULTI IO: MULTI_IO INIT maxclients=%d maxevents=%d", *maxclients,
+ multi_io->maxevents);
return multi_io;
}
@@ -142,18 +143,13 @@
mi->socket_set_called = true;
if (proto_is_dgram(mi->context.c2.link_sockets[0]->info.proto))
{
- socket_set(mi->context.c2.link_sockets[0],
- m->multi_io->es,
- EVENT_READ,
- &mi->context.c2.link_sockets[0]->ev_arg,
- NULL);
+ socket_set(mi->context.c2.link_sockets[0], m->multi_io->es, EVENT_READ,
+ &mi->context.c2.link_sockets[0]->ev_arg, NULL);
}
else
{
- socket_set(mi->context.c2.link_sockets[0],
- m->multi_io->es,
- mbuf_defined(mi->tcp_link_out_deferred) ? EVENT_WRITE : EVENT_READ,
- &mi->ev_arg,
+ socket_set(mi->context.c2.link_sockets[0], m->multi_io->es,
+ mbuf_defined(mi->tcp_link_out_deferred) ? EVENT_WRITE : EVENT_READ, &mi->ev_arg,
&mi->tcp_rwflags);
}
}
@@ -197,7 +193,8 @@
#ifdef ENABLE_MANAGEMENT
if (management)
{
- management_socket_set(management, m->multi_io->es, MULTI_IO_MANAGEMENT, &m->multi_io->management_persist_flags);
+ management_socket_set(management, m->multi_io->es, MULTI_IO_MANAGEMENT,
+ &m->multi_io->management_persist_flags);
}
#endif
@@ -206,7 +203,8 @@
event_ctl(m->multi_io->es, m->top.c2.inotify_fd, EVENT_READ, MULTI_IO_FILE_CLOSE_WRITE);
#endif
- status = event_wait(m->multi_io->es, &m->top.c2.timeval, m->multi_io->esr, m->multi_io->maxevents);
+ status =
+ event_wait(m->multi_io->es, &m->top.c2.timeval, m->multi_io->esr, m->multi_io->maxevents);
update_time();
m->multi_io->n_esr = 0;
if (status > 0)
@@ -217,13 +215,13 @@
}
static int
-multi_io_wait_lite(struct multi_context *m, struct multi_instance *mi, const int action, bool *tun_input_pending)
+multi_io_wait_lite(struct multi_context *m, struct multi_instance *mi, const int action,
+ bool *tun_input_pending)
{
struct context *c = multi_get_context(m, mi);
unsigned int looking_for = 0;
- dmsg(D_MULTI_DEBUG, "MULTI IO: multi_io_wait_lite a=%s mi=" ptr_format,
- pract(action),
+ dmsg(D_MULTI_DEBUG, "MULTI IO: multi_io_wait_lite a=%s mi=" ptr_format, pract(action),
(ptr_type)mi);
tv_clear(&c->c2.timeval); /* ZERO-TIMEOUT */
@@ -254,7 +252,7 @@
case TA_SOCKET_WRITE:
looking_for = SOCKET_WRITE;
- io_wait(c, IOW_TO_LINK|IOW_READ_TUN_FORCE);
+ io_wait(c, IOW_TO_LINK | IOW_READ_TUN_FORCE);
break;
default:
@@ -290,12 +288,11 @@
static struct multi_instance *
multi_io_dispatch(struct multi_context *m, struct multi_instance *mi, const int action)
{
- const unsigned int mpp_flags = MPP_PRE_SELECT|MPP_RECORD_TOUCH;
+ const unsigned int mpp_flags = MPP_PRE_SELECT | MPP_RECORD_TOUCH;
struct multi_instance *touched = mi;
m->mpp_touched = &touched;
- dmsg(D_MULTI_DEBUG, "MULTI IO: multi_io_dispatch a=%s mi=" ptr_format,
- pract(action),
+ dmsg(D_MULTI_DEBUG, "MULTI IO: multi_io_dispatch a=%s mi=" ptr_format, pract(action),
(ptr_type)mi);
switch (action)
@@ -318,8 +315,7 @@
clear_prefix();
if (!IS_SIG(&mi->context))
{
- multi_process_incoming_link(m, mi, mpp_flags,
- mi->context.c2.link_sockets[0]);
+ multi_process_incoming_link(m, mi, mpp_flags, mi->context.c2.link_sockets[0]);
if (!IS_SIG(&mi->context))
{
stream_buf_read_setup(mi->context.c2.link_sockets[0]);
@@ -372,9 +368,9 @@
struct context *c = multi_get_context(m, mi);
int newaction = TA_UNDEF;
-#define MTP_NONE 0
-#define MTP_TUN_OUT (1<<0)
-#define MTP_LINK_OUT (1<<1)
+#define MTP_NONE 0
+#define MTP_TUN_OUT (1 << 0)
+#define MTP_LINK_OUT (1 << 1)
unsigned int flags = MTP_NONE;
if (TUN_OUT(c))
@@ -388,7 +384,7 @@
switch (flags)
{
- case MTP_TUN_OUT|MTP_LINK_OUT:
+ case MTP_TUN_OUT | MTP_LINK_OUT:
case MTP_TUN_OUT:
newaction = TA_TUN_WRITE;
break;
@@ -412,16 +408,13 @@
{
struct gc_arena gc = gc_new();
msg(M_FATAL, "MULTI IO: multi_io_post bad state, mi=%s flags=%d",
- multi_instance_string(mi, false, &gc),
- flags);
+ multi_instance_string(mi, false, &gc), flags);
gc_free(&gc);
break;
}
}
- dmsg(D_MULTI_DEBUG, "MULTI IO: multi_io_post %s -> %s",
- pract(action),
- pract(newaction));
+ dmsg(D_MULTI_DEBUG, "MULTI IO: multi_io_post %s -> %s", pract(action), pract(newaction));
return newaction;
}
@@ -500,47 +493,47 @@
}
else
#endif
- /* incoming data on TUN? */
- if (e->arg == MULTI_IO_TUN)
- {
- if (e->rwflags & EVENT_WRITE)
+ /* incoming data on TUN? */
+ if (e->arg == MULTI_IO_TUN)
{
- multi_io_action(m, NULL, TA_TUN_WRITE, false);
+ if (e->rwflags & EVENT_WRITE)
+ {
+ multi_io_action(m, NULL, TA_TUN_WRITE, false);
+ }
+ else if (e->rwflags & EVENT_READ)
+ {
+ multi_io_action(m, NULL, TA_TUN_READ, false);
+ }
}
- else if (e->rwflags & EVENT_READ)
+ /* new incoming TCP client attempting to connect? */
+ else if (e->arg == MULTI_IO_SOCKET)
{
- multi_io_action(m, NULL, TA_TUN_READ, false);
+ struct multi_instance *mi;
+ ASSERT(m->top.c2.link_sockets[0]);
+ socket_reset_listen_persistent(m->top.c2.link_sockets[0]);
+ mi = multi_create_instance_tcp(m, m->top.c2.link_sockets[0]);
+ if (mi)
+ {
+ multi_io_action(m, mi, TA_INITIAL, false);
+ }
}
- }
- /* new incoming TCP client attempting to connect? */
- else if (e->arg == MULTI_IO_SOCKET)
- {
- struct multi_instance *mi;
- ASSERT(m->top.c2.link_sockets[0]);
- socket_reset_listen_persistent(m->top.c2.link_sockets[0]);
- mi = multi_create_instance_tcp(m, m->top.c2.link_sockets[0]);
- if (mi)
- {
- multi_io_action(m, mi, TA_INITIAL, false);
- }
- }
#if defined(ENABLE_DCO)
- /* incoming data on DCO? */
- else if (e->arg == MULTI_IO_DCO)
- {
- multi_process_incoming_dco(m);
- }
+ /* incoming data on DCO? */
+ else if (e->arg == MULTI_IO_DCO)
+ {
+ multi_process_incoming_dco(m);
+ }
#endif
- /* signal received? */
- else if (e->arg == MULTI_IO_SIG)
- {
- get_signal(&m->top.sig->signal_received);
- }
+ /* signal received? */
+ else if (e->arg == MULTI_IO_SIG)
+ {
+ get_signal(&m->top.sig->signal_received);
+ }
#ifdef ENABLE_ASYNC_PUSH
- else if (e->arg == MULTI_IO_FILE_CLOSE_WRITE)
- {
- multi_process_file_closed(m, MPP_PRE_SELECT | MPP_RECORD_TOUCH);
- }
+ else if (e->arg == MULTI_IO_FILE_CLOSE_WRITE)
+ {
+ multi_process_file_closed(m, MPP_PRE_SELECT | MPP_RECORD_TOUCH);
+ }
#endif
}
if (IS_SIG(&m->top))
@@ -569,9 +562,7 @@
do
{
- dmsg(D_MULTI_DEBUG, "MULTI IO: multi_io_action a=%s p=%d",
- pract(action),
- poll);
+ dmsg(D_MULTI_DEBUG, "MULTI IO: multi_io_action a=%s p=%d", pract(action), poll);
/*
* If TA_SOCKET_READ_RESIDUAL, it means we still have pending
@@ -590,7 +581,8 @@
action = multi_io_wait_lite(m, mi, action, &tun_input_pending);
if (action == TA_UNDEF)
{
- msg(M_FATAL, "MULTI IO: I/O wait required blocking in multi_io_action, action=%d", orig_action);
+ msg(M_FATAL, "MULTI IO: I/O wait required blocking in multi_io_action, action=%d",
+ orig_action);
}
}
@@ -101,8 +101,8 @@
*
* @return 0 on success, negative error code on error
*/
-int net_iface_new(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface,
- const char *type, void *arg);
+int net_iface_new(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, const char *type,
+ void *arg);
/**
* Retrieve the interface type
@@ -113,8 +113,7 @@
*
* @return 0 on success, a negative error code otherwise
*/
-int net_iface_type(openvpn_net_ctx_t *ctx, const char *iface,
- char type[IFACE_TYPE_LEN_MAX]);
+int net_iface_type(openvpn_net_ctx_t *ctx, const char *iface, char type[IFACE_TYPE_LEN_MAX]);
/**
* Remove an interface
@@ -134,8 +133,7 @@
*
* @return 0 on success, a negative error code otherwise
*/
-int net_iface_up(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface,
- bool up);
+int net_iface_up(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, bool up);
/**
* Set the MTU for an interface
@@ -146,8 +144,7 @@
*
* @return 0 on success, a negative error code otherwise
*/
-int net_iface_mtu_set(openvpn_net_ctx_t *ctx,
- const openvpn_net_iface_t *iface, uint32_t mtu);
+int net_iface_mtu_set(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, uint32_t mtu);
/**
* Set the Link Layer (Ethernet) address of the TAP interface
@@ -158,8 +155,7 @@
*
* @return 0 on success, a negative error code otherwise
*/
-int net_addr_ll_set(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface,
- uint8_t *addr);
+int net_addr_ll_set(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, uint8_t *addr);
/**
* Add an IPv4 address to an interface
@@ -171,8 +167,8 @@
*
* @return 0 on success, a negative error code otherwise
*/
-int net_addr_v4_add(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface,
- const in_addr_t *addr, int prefixlen);
+int net_addr_v4_add(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, const in_addr_t *addr,
+ int prefixlen);
/**
* Add an IPv6 address to an interface
@@ -197,8 +193,8 @@
*
* @return 0 on success, a negative error code otherwise
*/
-int net_addr_v4_del(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface,
- const in_addr_t *addr, int prefixlen);
+int net_addr_v4_del(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, const in_addr_t *addr,
+ int prefixlen);
/**
* Remove an IPv6 from an interface
@@ -222,8 +218,7 @@
*
* @return 0 on success, a negative error code otherwise
*/
-int net_addr_ptp_v4_add(openvpn_net_ctx_t *ctx,
- const openvpn_net_iface_t *iface,
+int net_addr_ptp_v4_add(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface,
const in_addr_t *local, const in_addr_t *remote);
/**
@@ -236,8 +231,7 @@
*
* @return 0 on success, a negative error code otherwise
*/
-int net_addr_ptp_v4_del(openvpn_net_ctx_t *ctx,
- const openvpn_net_iface_t *iface,
+int net_addr_ptp_v4_del(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface,
const in_addr_t *local, const in_addr_t *remote);
#endif /* ENABLE_SITNL || ENABLE_IPROUTE */
@@ -257,9 +251,8 @@
*
* @return 0 on success, a negative error code otherwise
*/
-int net_route_v4_add(openvpn_net_ctx_t *ctx, const in_addr_t *dst,
- int prefixlen, const in_addr_t *gw,
- const openvpn_net_iface_t *iface, uint32_t table,
+int net_route_v4_add(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen,
+ const in_addr_t *gw, const openvpn_net_iface_t *iface, uint32_t table,
int metric);
/**
@@ -276,10 +269,9 @@
*
* @return 0 on success, a negative error code otherwise
*/
-int net_route_v6_add(openvpn_net_ctx_t *ctx, const struct in6_addr *dst,
- int prefixlen, const struct in6_addr *gw,
- const openvpn_net_iface_t *iface,
- uint32_t table, int metric);
+int net_route_v6_add(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, int prefixlen,
+ const struct in6_addr *gw, const openvpn_net_iface_t *iface, uint32_t table,
+ int metric);
/**
* Delete a route for an IPv4 address/network
@@ -295,9 +287,8 @@
*
* @return 0 on success, a negative error code otherwise
*/
-int net_route_v4_del(openvpn_net_ctx_t *ctx, const in_addr_t *dst,
- int prefixlen, const in_addr_t *gw,
- const openvpn_net_iface_t *iface, uint32_t table,
+int net_route_v4_del(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen,
+ const in_addr_t *gw, const openvpn_net_iface_t *iface, uint32_t table,
int metric);
/**
@@ -314,10 +305,9 @@
*
* @return 0 on success, a negative error code otherwise
*/
-int net_route_v6_del(openvpn_net_ctx_t *ctx, const struct in6_addr *dst,
- int prefixlen, const struct in6_addr *gw,
- const openvpn_net_iface_t *iface,
- uint32_t table, int metric);
+int net_route_v6_del(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, int prefixlen,
+ const struct in6_addr *gw, const openvpn_net_iface_t *iface, uint32_t table,
+ int metric);
#endif /* ENABLE_SITNL || ENABLE_IPROUTE || TARGET_FREEBSD */
@@ -334,8 +324,8 @@
*
* @return 0 on success, a negative error code otherwise
*/
-int net_route_v4_best_gw(openvpn_net_ctx_t *ctx, const in_addr_t *dst,
- in_addr_t *best_gw, openvpn_net_iface_t *best_iface);
+int net_route_v4_best_gw(openvpn_net_ctx_t *ctx, const in_addr_t *dst, in_addr_t *best_gw,
+ openvpn_net_iface_t *best_iface);
/**
* Retrieve the gateway and outgoing interface for the specified IPv6
@@ -349,8 +339,7 @@
* @return 0 on success, a negative error code otherwise
*/
int net_route_v6_best_gw(openvpn_net_ctx_t *ctx, const struct in6_addr *dst,
- struct in6_addr *best_gw,
- openvpn_net_iface_t *best_iface);
+ struct in6_addr *best_gw, openvpn_net_iface_t *best_iface);
#endif /* ENABLE_SITNL || ENABLE_IPROUTE */
@@ -9,9 +9,8 @@
#if defined(TARGET_FREEBSD)
static int
-net_route_v4(const char *op, const in_addr_t *dst, int prefixlen,
- const in_addr_t *gw, const char *iface, uint32_t table,
- int metric)
+net_route_v4(const char *op, const in_addr_t *dst, int prefixlen, const in_addr_t *gw,
+ const char *iface, uint32_t table, int metric)
{
char buf1[INET_ADDRSTRLEN], buf2[INET_ADDRSTRLEN];
in_addr_t _dst, _gw;
@@ -21,16 +20,12 @@
_dst = ntohl(*dst);
_gw = ntohl(*gw);
- argv_printf(&argv, "%s %s -net %s/%d %s -fib %d",
- ROUTE_PATH, op,
- inet_ntop(AF_INET, &_dst, buf1, sizeof(buf1)),
- prefixlen,
- inet_ntop(AF_INET, &_gw, buf2, sizeof(buf2)),
- table);
+ argv_printf(&argv, "%s %s -net %s/%d %s -fib %d", ROUTE_PATH, op,
+ inet_ntop(AF_INET, &_dst, buf1, sizeof(buf1)), prefixlen,
+ inet_ntop(AF_INET, &_gw, buf2, sizeof(buf2)), table);
argv_msg(M_INFO, &argv);
- status = openvpn_execve_check(&argv, NULL, 0,
- "ERROR: FreeBSD route command failed");
+ status = openvpn_execve_check(&argv, NULL, 0, "ERROR: FreeBSD route command failed");
argv_free(&argv);
@@ -38,24 +33,19 @@
}
static int
-net_route_v6(const char *op, const struct in6_addr *dst,
- int prefixlen, const struct in6_addr *gw, const char *iface,
- uint32_t table, int metric)
+net_route_v6(const char *op, const struct in6_addr *dst, int prefixlen, const struct in6_addr *gw,
+ const char *iface, uint32_t table, int metric)
{
char buf1[INET6_ADDRSTRLEN], buf2[INET6_ADDRSTRLEN];
struct argv argv = argv_new();
bool status;
- argv_printf(&argv, "%s -6 %s -net %s/%d %s -fib %d",
- ROUTE_PATH, op,
- inet_ntop(AF_INET6, dst, buf1, sizeof(buf1)),
- prefixlen,
- inet_ntop(AF_INET6, gw, buf2, sizeof(buf2)),
- table);
+ argv_printf(&argv, "%s -6 %s -net %s/%d %s -fib %d", ROUTE_PATH, op,
+ inet_ntop(AF_INET6, dst, buf1, sizeof(buf1)), prefixlen,
+ inet_ntop(AF_INET6, gw, buf2, sizeof(buf2)), table);
argv_msg(M_INFO, &argv);
- status = openvpn_execve_check(&argv, NULL, 0,
- "ERROR: FreeBSD route command failed");
+ status = openvpn_execve_check(&argv, NULL, 0, "ERROR: FreeBSD route command failed");
argv_free(&argv);
@@ -63,33 +53,29 @@
}
int
-net_route_v4_add(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen,
- const in_addr_t *gw, const char *iface, uint32_t table,
- int metric)
+net_route_v4_add(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen, const in_addr_t *gw,
+ const char *iface, uint32_t table, int metric)
{
return net_route_v4("add", dst, prefixlen, gw, iface, table, metric);
}
int
-net_route_v6_add(openvpn_net_ctx_t *ctx, const struct in6_addr *dst,
- int prefixlen, const struct in6_addr *gw, const char *iface,
- uint32_t table, int metric)
+net_route_v6_add(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, int prefixlen,
+ const struct in6_addr *gw, const char *iface, uint32_t table, int metric)
{
return net_route_v6("add", dst, prefixlen, gw, iface, table, metric);
}
int
-net_route_v4_del(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen,
- const in_addr_t *gw, const char *iface, uint32_t table,
- int metric)
+net_route_v4_del(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen, const in_addr_t *gw,
+ const char *iface, uint32_t table, int metric)
{
return net_route_v4("del", dst, prefixlen, gw, iface, table, metric);
}
int
-net_route_v6_del(openvpn_net_ctx_t *ctx, const struct in6_addr *dst,
- int prefixlen, const struct in6_addr *gw, const char *iface,
- uint32_t table, int metric)
+net_route_v6_del(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, int prefixlen,
+ const struct in6_addr *gw, const char *iface, uint32_t table, int metric)
{
return net_route_v6("del", dst, prefixlen, gw, iface, table, metric);
}
@@ -61,8 +61,7 @@
}
int
-net_iface_new(openvpn_net_ctx_t *ctx, const char *iface, const char *type,
- void *arg)
+net_iface_new(openvpn_net_ctx_t *ctx, const char *iface, const char *type, void *arg)
{
struct argv argv = argv_new();
@@ -76,8 +75,7 @@
}
int
-net_iface_type(openvpn_net_ctx_t *ctx, const char *iface,
- char type[IFACE_TYPE_LEN_MAX])
+net_iface_type(openvpn_net_ctx_t *ctx, const char *iface, char type[IFACE_TYPE_LEN_MAX])
{
/* not supported by iproute2 */
msg(M_WARN, "%s: operation not supported by iproute2 backend", __func__);
@@ -102,8 +100,7 @@
{
struct argv argv = argv_new();
- argv_printf(&argv, "%s link set dev %s %s", iproute_path, iface,
- up ? "up" : "down");
+ argv_printf(&argv, "%s link set dev %s %s", iproute_path, iface, up ? "up" : "down");
argv_msg(M_INFO, &argv);
openvpn_execve_check(&argv, ctx->es, S_FATAL, "Linux ip link set failed");
@@ -117,8 +114,7 @@
{
struct argv argv = argv_new();
- argv_printf(&argv, "%s link set dev %s up mtu %d", iproute_path, iface,
- mtu);
+ argv_printf(&argv, "%s link set dev %s up mtu %d", iproute_path, iface, mtu);
argv_msg(M_INFO, &argv);
openvpn_execve_check(&argv, ctx->es, S_FATAL, "Linux ip link set failed");
@@ -128,19 +124,16 @@
}
int
-net_addr_ll_set(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface,
- uint8_t *addr)
+net_addr_ll_set(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, uint8_t *addr)
{
struct argv argv = argv_new();
int ret = 0;
- argv_printf(&argv,
- "%s link set addr " MAC_FMT " dev %s",
- iproute_path, MAC_PRINT_ARG(addr), iface);
+ argv_printf(&argv, "%s link set addr " MAC_FMT " dev %s", iproute_path, MAC_PRINT_ARG(addr),
+ iface);
argv_msg(M_INFO, &argv);
- if (!openvpn_execve_check(&argv, ctx->es, 0,
- "Linux ip link set addr failed"))
+ if (!openvpn_execve_check(&argv, ctx->es, 0, "Linux ip link set addr failed"))
{
ret = -1;
}
@@ -151,15 +144,13 @@
}
int
-net_addr_v4_add(openvpn_net_ctx_t *ctx, const char *iface,
- const in_addr_t *addr, int prefixlen)
+net_addr_v4_add(openvpn_net_ctx_t *ctx, const char *iface, const in_addr_t *addr, int prefixlen)
{
struct argv argv = argv_new();
const char *addr_str = print_in_addr_t(*addr, 0, &ctx->gc);
- argv_printf(&argv, "%s addr add dev %s %s/%d", iproute_path, iface,
- addr_str, prefixlen);
+ argv_printf(&argv, "%s addr add dev %s %s/%d", iproute_path, iface, addr_str, prefixlen);
argv_msg(M_INFO, &argv);
openvpn_execve_check(&argv, ctx->es, S_FATAL, "Linux ip addr add failed");
@@ -169,17 +160,15 @@
}
int
-net_addr_v6_add(openvpn_net_ctx_t *ctx, const char *iface,
- const struct in6_addr *addr, int prefixlen)
+net_addr_v6_add(openvpn_net_ctx_t *ctx, const char *iface, const struct in6_addr *addr,
+ int prefixlen)
{
struct argv argv = argv_new();
char *addr_str = (char *)print_in6_addr(*addr, 0, &ctx->gc);
- argv_printf(&argv, "%s -6 addr add %s/%d dev %s", iproute_path, addr_str,
- prefixlen, iface);
+ argv_printf(&argv, "%s -6 addr add %s/%d dev %s", iproute_path, addr_str, prefixlen, iface);
argv_msg(M_INFO, &argv);
- openvpn_execve_check(&argv, ctx->es, S_FATAL,
- "Linux ip -6 addr add failed");
+ openvpn_execve_check(&argv, ctx->es, S_FATAL, "Linux ip -6 addr add failed");
argv_free(&argv);
@@ -187,14 +176,12 @@
}
int
-net_addr_v4_del(openvpn_net_ctx_t *ctx, const char *iface,
- const in_addr_t *addr, int prefixlen)
+net_addr_v4_del(openvpn_net_ctx_t *ctx, const char *iface, const in_addr_t *addr, int prefixlen)
{
struct argv argv = argv_new();
const char *addr_str = print_in_addr_t(*addr, 0, &ctx->gc);
- argv_printf(&argv, "%s addr del dev %s %s/%d", iproute_path, iface,
- addr_str, prefixlen);
+ argv_printf(&argv, "%s addr del dev %s %s/%d", iproute_path, iface, addr_str, prefixlen);
argv_msg(M_INFO, &argv);
openvpn_execve_check(&argv, ctx->es, 0, "Linux ip addr del failed");
@@ -205,14 +192,13 @@
}
int
-net_addr_v6_del(openvpn_net_ctx_t *ctx, const char *iface,
- const struct in6_addr *addr, int prefixlen)
+net_addr_v6_del(openvpn_net_ctx_t *ctx, const char *iface, const struct in6_addr *addr,
+ int prefixlen)
{
struct argv argv = argv_new();
char *addr_str = (char *)print_in6_addr(*addr, 0, &ctx->gc);
- argv_printf(&argv, "%s -6 addr del %s/%d dev %s", iproute_path,
- addr_str, prefixlen, iface);
+ argv_printf(&argv, "%s -6 addr del %s/%d dev %s", iproute_path, addr_str, prefixlen, iface);
argv_msg(M_INFO, &argv);
openvpn_execve_check(&argv, ctx->es, 0, "Linux ip -6 addr del failed");
@@ -222,15 +208,15 @@
}
int
-net_addr_ptp_v4_add(openvpn_net_ctx_t *ctx, const char *iface,
- const in_addr_t *local, const in_addr_t *remote)
+net_addr_ptp_v4_add(openvpn_net_ctx_t *ctx, const char *iface, const in_addr_t *local,
+ const in_addr_t *remote)
{
struct argv argv = argv_new();
const char *local_str = print_in_addr_t(*local, 0, &ctx->gc);
const char *remote_str = print_in_addr_t(*remote, 0, &ctx->gc);
- argv_printf(&argv, "%s addr add dev %s local %s peer %s", iproute_path,
- iface, local_str, remote_str);
+ argv_printf(&argv, "%s addr add dev %s local %s peer %s", iproute_path, iface, local_str,
+ remote_str);
argv_msg(M_INFO, &argv);
openvpn_execve_check(&argv, ctx->es, S_FATAL, "Linux ip addr add failed");
@@ -240,15 +226,15 @@
}
int
-net_addr_ptp_v4_del(openvpn_net_ctx_t *ctx, const char *iface,
- const in_addr_t *local, const in_addr_t *remote)
+net_addr_ptp_v4_del(openvpn_net_ctx_t *ctx, const char *iface, const in_addr_t *local,
+ const in_addr_t *remote)
{
struct argv argv = argv_new();
const char *local_str = print_in_addr_t(*local, 0, &ctx->gc);
const char *remote_str = print_in_addr_t(*remote, 0, &ctx->gc);
- argv_printf(&argv, "%s addr del dev %s local %s peer %s", iproute_path,
- iface, local_str, remote_str);
+ argv_printf(&argv, "%s addr del dev %s local %s peer %s", iproute_path, iface, local_str,
+ remote_str);
argv_msg(M_INFO, &argv);
openvpn_execve_check(&argv, ctx->es, 0, "Linux ip addr del failed");
@@ -258,9 +244,8 @@
}
int
-net_route_v4_add(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen,
- const in_addr_t *gw, const char *iface, uint32_t table,
- int metric)
+net_route_v4_add(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen, const in_addr_t *gw,
+ const char *iface, uint32_t table, int metric)
{
struct argv argv = argv_new();
const char *dst_str = print_in_addr_t(*dst, 0, &ctx->gc);
@@ -297,16 +282,14 @@
}
int
-net_route_v6_add(openvpn_net_ctx_t *ctx, const struct in6_addr *dst,
- int prefixlen, const struct in6_addr *gw, const char *iface,
- uint32_t table, int metric)
+net_route_v6_add(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, int prefixlen,
+ const struct in6_addr *gw, const char *iface, uint32_t table, int metric)
{
struct argv argv = argv_new();
char *dst_str = (char *)print_in6_addr(*dst, 0, &ctx->gc);
int ret = 0;
- argv_printf(&argv, "%s -6 route add %s/%d dev %s", iproute_path, dst_str,
- prefixlen, iface);
+ argv_printf(&argv, "%s -6 route add %s/%d dev %s", iproute_path, dst_str, prefixlen, iface);
if (gw)
{
@@ -332,9 +315,8 @@
}
int
-net_route_v4_del(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen,
- const in_addr_t *gw, const char *iface, uint32_t table,
- int metric)
+net_route_v4_del(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen, const in_addr_t *gw,
+ const char *iface, uint32_t table, int metric)
{
struct argv argv = argv_new();
const char *dst_str = print_in_addr_t(*dst, 0, &ctx->gc);
@@ -359,16 +341,14 @@
}
int
-net_route_v6_del(openvpn_net_ctx_t *ctx, const struct in6_addr *dst,
- int prefixlen, const struct in6_addr *gw, const char *iface,
- uint32_t table, int metric)
+net_route_v6_del(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, int prefixlen,
+ const struct in6_addr *gw, const char *iface, uint32_t table, int metric)
{
struct argv argv = argv_new();
char *dst_str = (char *)print_in6_addr(*dst, 0, &ctx->gc);
int ret = 0;
- argv_printf(&argv, "%s -6 route del %s/%d dev %s", iproute_path, dst_str,
- prefixlen, iface);
+ argv_printf(&argv, "%s -6 route del %s/%d dev %s", iproute_path, dst_str, prefixlen, iface);
if (gw)
{
@@ -43,12 +43,12 @@
#define SNDBUF_SIZE (1024 * 2)
#define RCVBUF_SIZE (1024 * 4)
-#define SITNL_ADDATTR(_msg, _max_size, _attr, _data, _size) \
- { \
+#define SITNL_ADDATTR(_msg, _max_size, _attr, _data, _size) \
+ { \
if (sitnl_addattr(_msg, _max_size, _attr, _data, _size) < 0) \
- { \
- goto err; \
- } \
+ { \
+ goto err; \
+ } \
}
#define SITNL_NEST(_msg, _max_size, _attr) \
@@ -58,8 +58,8 @@
_nest; \
})
-#define SITNL_NEST_END(_msg, _nest) \
- { \
+#define SITNL_NEST_END(_msg, _nest) \
+ { \
_nest->rta_len = (void *)sitnl_nlmsg_tail(_msg) - (void *)_nest; \
}
@@ -73,7 +73,7 @@
* The only way out to avoid any warning/error is to force the function to
* not be inline'd.
*/
-static __attribute__ ((noinline)) void *
+static __attribute__((noinline)) void *
sitnl_nlmsg_tail(const struct nlmsghdr *nlh)
{
return (unsigned char *)nlh + NLMSG_ALIGN(nlh->nlmsg_len);
@@ -83,7 +83,8 @@
* Generic address data structure used to pass addresses and prefixes as
* argument to AF family agnostic functions
*/
-typedef union {
+typedef union
+{
in_addr_t ipv4;
struct in6_addr ipv6;
} inet_address_t;
@@ -91,7 +92,8 @@
/**
* Link state request message
*/
-struct sitnl_link_req {
+struct sitnl_link_req
+{
struct nlmsghdr n;
struct ifinfomsg i;
char buf[256];
@@ -100,7 +102,8 @@
/**
* Address request message
*/
-struct sitnl_addr_req {
+struct sitnl_addr_req
+{
struct nlmsghdr n;
struct ifaddrmsg i;
char buf[256];
@@ -109,7 +112,8 @@
/**
* Route request message
*/
-struct sitnl_route_req {
+struct sitnl_route_req
+{
struct nlmsghdr n;
struct rtmsg r;
char buf[256];
@@ -120,7 +124,8 @@
/**
* Object returned by route request operation
*/
-struct sitnl_route_data_cb {
+struct sitnl_route_data_cb
+{
unsigned int iface;
inet_address_t gw;
};
@@ -129,16 +134,14 @@
* Helper function used to easily add attributes to a rtnl message
*/
static int
-sitnl_addattr(struct nlmsghdr *n, int maxlen, int type, const void *data,
- int alen)
+sitnl_addattr(struct nlmsghdr *n, int maxlen, int type, const void *data, int alen)
{
int len = RTA_LENGTH(alen);
struct rtattr *rta;
if ((int)(NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len)) > maxlen)
{
- msg(M_WARN, "%s: rtnl: message exceeded bound of %d", __func__,
- maxlen);
+ msg(M_WARN, "%s: rtnl: message exceeded bound of %d", __func__, maxlen);
return -EMSGSIZE;
}
@@ -240,8 +243,8 @@
* Send Netlink message and run callback on reply (if specified)
*/
static int
-sitnl_send(struct nlmsghdr *payload, pid_t peer, unsigned int groups,
- sitnl_parse_reply_cb cb, void *arg_cb)
+sitnl_send(struct nlmsghdr *payload, pid_t peer, unsigned int groups, sitnl_parse_reply_cb cb,
+ void *arg_cb)
{
int len, rem_len, fd, ret, rcv_len;
struct sockaddr_nl nladdr;
@@ -249,13 +252,11 @@
struct nlmsghdr *h;
unsigned int seq;
char buf[1024 * 16];
- struct iovec iov =
- {
+ struct iovec iov = {
.iov_base = payload,
.iov_len = payload->nlmsg_len,
};
- struct msghdr nlmsg =
- {
+ struct msghdr nlmsg = {
.msg_name = &nladdr,
.msg_namelen = sizeof(nladdr),
.msg_iov = &iov,
@@ -334,8 +335,8 @@
if (nlmsg.msg_namelen != sizeof(nladdr))
{
- msg(M_WARN, "%s: sender address length: %u (expected %zu)",
- __func__, nlmsg.msg_namelen, sizeof(nladdr));
+ msg(M_WARN, "%s: sender address length: %u (expected %zu)", __func__, nlmsg.msg_namelen,
+ sizeof(nladdr));
ret = -EIO;
goto out;
}
@@ -359,17 +360,18 @@
goto out;
}
-/* if (((int)nladdr.nl_pid != peer) || (h->nlmsg_pid != nladdr.nl_pid)
- * || (h->nlmsg_seq != seq))
- * {
- * rcv_len -= NLMSG_ALIGN(len);
- * h = (struct nlmsghdr *)((char *)h + NLMSG_ALIGN(len));
- * msg(M_DEBUG, "%s: skipping unrelated message. nl_pid:%d (peer:%d) nl_msg_pid:%d nl_seq:%d seq:%d",
- * __func__, (int)nladdr.nl_pid, peer, h->nlmsg_pid,
- * h->nlmsg_seq, seq);
- * continue;
- * }
- */
+ /* if (((int)nladdr.nl_pid != peer) || (h->nlmsg_pid != nladdr.nl_pid)
+ * || (h->nlmsg_seq != seq))
+ * {
+ * rcv_len -= NLMSG_ALIGN(len);
+ * h = (struct nlmsghdr *)((char *)h + NLMSG_ALIGN(len));
+ * msg(M_DEBUG, "%s: skipping unrelated message. nl_pid:%d (peer:%d)
+ * nl_msg_pid:%d nl_seq:%d seq:%d",
+ * __func__, (int)nladdr.nl_pid, peer, h->nlmsg_pid,
+ * h->nlmsg_seq, seq);
+ * continue;
+ * }
+ */
if (h->nlmsg_type == NLMSG_DONE)
{
@@ -401,8 +403,8 @@
}
else
{
- msg(M_WARN, "%s: rtnl: generic error (%d): %s",
- __func__, err->error, strerror(-err->error));
+ msg(M_WARN, "%s: rtnl: generic error (%d): %s", __func__, err->error,
+ strerror(-err->error));
ret = err->error;
}
}
@@ -446,7 +448,8 @@
return ret;
}
-typedef struct {
+typedef struct
+{
int addr_size;
inet_address_t gw;
char iface[IFNAMSIZ];
@@ -508,8 +511,7 @@
if (!if_indextoname(ifindex, res->iface))
{
- msg(M_WARN | M_ERRNO, "%s: rtnl: can't get ifname for index %d",
- __func__, ifindex);
+ msg(M_WARN | M_ERRNO, "%s: rtnl: can't get ifname for index %d", __func__, ifindex);
return -1;
}
@@ -522,8 +524,8 @@
}
static int
-sitnl_route_best_gw(sa_family_t af_family, const inet_address_t *dst,
- void *best_gw, char *best_iface)
+sitnl_route_best_gw(sa_family_t af_family, const inet_address_t *dst, void *best_gw,
+ char *best_iface)
{
struct sitnl_route_req req;
route_res_t res;
@@ -585,15 +587,14 @@
strncpy(best_iface, res.iface, IFNAMSIZ);
err:
return ret;
-
}
/* used by iproute2 implementation too */
int
-net_route_v6_best_gw(openvpn_net_ctx_t *ctx, const struct in6_addr *dst,
- struct in6_addr *best_gw, char *best_iface)
+net_route_v6_best_gw(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, struct in6_addr *best_gw,
+ char *best_iface)
{
- inet_address_t dst_v6 = {0};
+ inet_address_t dst_v6 = { 0 };
char buf[INET6_ADDRSTRLEN];
int ret;
@@ -602,8 +603,7 @@
dst_v6.ipv6 = *dst;
}
- msg(D_ROUTE, "%s query: dst %s", __func__,
- inet_ntop(AF_INET6, &dst_v6.ipv6, buf, sizeof(buf)));
+ msg(D_ROUTE, "%s query: dst %s", __func__, inet_ntop(AF_INET6, &dst_v6.ipv6, buf, sizeof(buf)));
ret = sitnl_route_best_gw(AF_INET6, &dst_v6, best_gw, best_iface);
if (ret < 0)
@@ -615,15 +615,14 @@
inet_ntop(AF_INET6, best_gw, buf, sizeof(buf)), best_iface);
return ret;
-
}
/* used by iproute2 implementation too */
int
-net_route_v4_best_gw(openvpn_net_ctx_t *ctx, const in_addr_t *dst,
- in_addr_t *best_gw, char *best_iface)
+net_route_v4_best_gw(openvpn_net_ctx_t *ctx, const in_addr_t *dst, in_addr_t *best_gw,
+ char *best_iface)
{
- inet_address_t dst_v4 = {0};
+ inet_address_t dst_v4 = { 0 };
char buf[INET_ADDRSTRLEN];
int ret;
@@ -632,8 +631,7 @@
dst_v4.ipv4 = htonl(*dst);
}
- msg(D_ROUTE, "%s query: dst %s", __func__,
- inet_ntop(AF_INET, &dst_v4.ipv4, buf, sizeof(buf)));
+ msg(D_ROUTE, "%s query: dst %s", __func__, inet_ntop(AF_INET, &dst_v4.ipv4, buf, sizeof(buf)));
ret = sitnl_route_best_gw(AF_INET, &dst_v4, best_gw, best_iface);
if (ret < 0)
@@ -669,8 +667,7 @@
ifindex = if_nametoindex(iface);
if (ifindex == 0)
{
- msg(M_WARN, "%s: rtnl: cannot get ifindex for %s: %s", __func__, iface,
- strerror(errno));
+ msg(M_WARN, "%s: rtnl: cannot get ifindex for %s: %s", __func__, iface, strerror(errno));
return -ENOENT;
}
@@ -696,8 +693,7 @@
}
int
-net_iface_mtu_set(openvpn_net_ctx_t *ctx, const char *iface,
- uint32_t mtu)
+net_iface_mtu_set(openvpn_net_ctx_t *ctx, const char *iface, uint32_t mtu)
{
struct sitnl_link_req req;
int ifindex, ret = -1;
@@ -707,8 +703,7 @@
ifindex = if_nametoindex(iface);
if (ifindex == 0)
{
- msg(M_WARN | M_ERRNO, "%s: rtnl: cannot get ifindex for %s", __func__,
- iface);
+ msg(M_WARN | M_ERRNO, "%s: rtnl: cannot get ifindex for %s", __func__, iface);
return -1;
}
@@ -729,8 +724,7 @@
}
int
-net_addr_ll_set(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface,
- uint8_t *addr)
+net_addr_ll_set(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, uint8_t *addr)
{
struct sitnl_link_req req;
int ifindex, ret = -1;
@@ -740,8 +734,7 @@
ifindex = if_nametoindex(iface);
if (ifindex == 0)
{
- msg(M_WARN | M_ERRNO, "%s: rtnl: cannot get ifindex for %s", __func__,
- iface);
+ msg(M_WARN | M_ERRNO, "%s: rtnl: cannot get ifindex for %s", __func__, iface);
return -1;
}
@@ -754,8 +747,7 @@
SITNL_ADDATTR(&req.n, sizeof(req), IFLA_ADDRESS, addr, OPENVPN_ETH_ALEN);
- msg(M_INFO, "%s: lladdr " MAC_FMT " for %s", __func__, MAC_PRINT_ARG(addr),
- iface);
+ msg(M_INFO, "%s: lladdr " MAC_FMT " for %s", __func__, MAC_PRINT_ARG(addr), iface);
ret = sitnl_send(&req.n, 0, 0, NULL, NULL);
err:
@@ -764,8 +756,7 @@
static int
sitnl_addr_set(int cmd, uint32_t flags, int ifindex, sa_family_t af_family,
- const inet_address_t *local, const inet_address_t *remote,
- int prefixlen)
+ const inet_address_t *local, const inet_address_t *remote, int prefixlen)
{
struct sitnl_addr_req req;
uint32_t size;
@@ -791,8 +782,7 @@
break;
default:
- msg(M_WARN, "%s: rtnl: unknown address family %d", __func__,
- af_family);
+ msg(M_WARN, "%s: rtnl: unknown address family %d", __func__, af_family);
return -EINVAL;
}
@@ -823,8 +813,7 @@
}
static int
-sitnl_addr_ptp_add(sa_family_t af_family, const char *iface,
- const inet_address_t *local,
+sitnl_addr_ptp_add(sa_family_t af_family, const char *iface, const inet_address_t *local,
const inet_address_t *remote)
{
int ifindex;
@@ -848,18 +837,16 @@
ifindex = if_nametoindex(iface);
if (ifindex == 0)
{
- msg(M_WARN, "%s: cannot get ifindex for %s: %s", __func__, np(iface),
- strerror(errno));
+ msg(M_WARN, "%s: cannot get ifindex for %s: %s", __func__, np(iface), strerror(errno));
return -ENOENT;
}
- return sitnl_addr_set(RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, ifindex,
- af_family, local, remote, 0);
+ return sitnl_addr_set(RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, ifindex, af_family, local,
+ remote, 0);
}
static int
-sitnl_addr_ptp_del(sa_family_t af_family, const char *iface,
- const inet_address_t *local)
+sitnl_addr_ptp_del(sa_family_t af_family, const char *iface, const inet_address_t *local)
{
int ifindex;
@@ -890,9 +877,8 @@
}
static int
-sitnl_route_set(int cmd, uint32_t flags, int ifindex, sa_family_t af_family,
- const void *dst, int prefixlen,
- const void *gw, enum rt_class_t table, int metric,
+sitnl_route_set(int cmd, uint32_t flags, int ifindex, sa_family_t af_family, const void *dst,
+ int prefixlen, const void *gw, enum rt_class_t table, int metric,
enum rt_scope_t scope, int protocol, int type)
{
struct sitnl_route_req req;
@@ -960,8 +946,7 @@
}
static int
-sitnl_addr_add(sa_family_t af_family, const char *iface,
- const inet_address_t *addr, int prefixlen)
+sitnl_addr_add(sa_family_t af_family, const char *iface, const inet_address_t *addr, int prefixlen)
{
int ifindex;
@@ -984,52 +969,47 @@
ifindex = if_nametoindex(iface);
if (ifindex == 0)
{
- msg(M_WARN | M_ERRNO, "%s: rtnl: cannot get ifindex for %s", __func__,
- iface);
+ msg(M_WARN | M_ERRNO, "%s: rtnl: cannot get ifindex for %s", __func__, iface);
return -ENOENT;
}
- return sitnl_addr_set(RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, ifindex,
- af_family, addr, NULL, prefixlen);
-}
-
-static int
-sitnl_addr_del(sa_family_t af_family, const char *iface, inet_address_t *addr,
- int prefixlen)
-{
- int ifindex;
-
- switch (af_family)
- {
- case AF_INET:
- case AF_INET6:
- break;
-
- default:
- return -EINVAL;
- }
-
- if (!iface)
- {
- msg(M_WARN, "%s: passed NULL interface", __func__);
- return -EINVAL;
- }
-
- ifindex = if_nametoindex(iface);
- if (ifindex == 0)
- {
- msg(M_WARN | M_ERRNO, "%s: rtnl: cannot get ifindex for %s", __func__,
- iface);
- return -ENOENT;
- }
-
- return sitnl_addr_set(RTM_DELADDR, 0, ifindex, af_family, addr, NULL,
+ return sitnl_addr_set(RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, ifindex, af_family, addr, NULL,
prefixlen);
}
+static int
+sitnl_addr_del(sa_family_t af_family, const char *iface, inet_address_t *addr, int prefixlen)
+{
+ int ifindex;
+
+ switch (af_family)
+ {
+ case AF_INET:
+ case AF_INET6:
+ break;
+
+ default:
+ return -EINVAL;
+ }
+
+ if (!iface)
+ {
+ msg(M_WARN, "%s: passed NULL interface", __func__);
+ return -EINVAL;
+ }
+
+ ifindex = if_nametoindex(iface);
+ if (ifindex == 0)
+ {
+ msg(M_WARN | M_ERRNO, "%s: rtnl: cannot get ifindex for %s", __func__, iface);
+ return -ENOENT;
+ }
+
+ return sitnl_addr_set(RTM_DELADDR, 0, ifindex, af_family, addr, NULL, prefixlen);
+}
+
int
-net_addr_v4_add(openvpn_net_ctx_t *ctx, const char *iface,
- const in_addr_t *addr, int prefixlen)
+net_addr_v4_add(openvpn_net_ctx_t *ctx, const char *iface, const in_addr_t *addr, int prefixlen)
{
inet_address_t addr_v4 = { 0 };
char buf[INET_ADDRSTRLEN];
@@ -1041,15 +1021,15 @@
addr_v4.ipv4 = htonl(*addr);
- msg(M_INFO, "%s: %s/%d dev %s", __func__,
- inet_ntop(AF_INET, &addr_v4.ipv4, buf, sizeof(buf)), prefixlen, iface);
+ msg(M_INFO, "%s: %s/%d dev %s", __func__, inet_ntop(AF_INET, &addr_v4.ipv4, buf, sizeof(buf)),
+ prefixlen, iface);
return sitnl_addr_add(AF_INET, iface, &addr_v4, prefixlen);
}
int
-net_addr_v6_add(openvpn_net_ctx_t *ctx, const char *iface,
- const struct in6_addr *addr, int prefixlen)
+net_addr_v6_add(openvpn_net_ctx_t *ctx, const char *iface, const struct in6_addr *addr,
+ int prefixlen)
{
inet_address_t addr_v6 = { 0 };
char buf[INET6_ADDRSTRLEN];
@@ -1061,15 +1041,14 @@
addr_v6.ipv6 = *addr;
- msg(M_INFO, "%s: %s/%d dev %s", __func__,
- inet_ntop(AF_INET6, &addr_v6.ipv6, buf, sizeof(buf)), prefixlen, iface);
+ msg(M_INFO, "%s: %s/%d dev %s", __func__, inet_ntop(AF_INET6, &addr_v6.ipv6, buf, sizeof(buf)),
+ prefixlen, iface);
return sitnl_addr_add(AF_INET6, iface, &addr_v6, prefixlen);
}
int
-net_addr_v4_del(openvpn_net_ctx_t *ctx, const char *iface,
- const in_addr_t *addr, int prefixlen)
+net_addr_v4_del(openvpn_net_ctx_t *ctx, const char *iface, const in_addr_t *addr, int prefixlen)
{
inet_address_t addr_v4 = { 0 };
char buf[INET_ADDRSTRLEN];
@@ -1081,15 +1060,15 @@
addr_v4.ipv4 = htonl(*addr);
- msg(M_INFO, "%s: %s dev %s", __func__,
- inet_ntop(AF_INET, &addr_v4.ipv4, buf, sizeof(buf)), iface);
+ msg(M_INFO, "%s: %s dev %s", __func__, inet_ntop(AF_INET, &addr_v4.ipv4, buf, sizeof(buf)),
+ iface);
return sitnl_addr_del(AF_INET, iface, &addr_v4, prefixlen);
}
int
-net_addr_v6_del(openvpn_net_ctx_t *ctx, const char *iface,
- const struct in6_addr *addr, int prefixlen)
+net_addr_v6_del(openvpn_net_ctx_t *ctx, const char *iface, const struct in6_addr *addr,
+ int prefixlen)
{
inet_address_t addr_v6 = { 0 };
char buf[INET6_ADDRSTRLEN];
@@ -1101,15 +1080,15 @@
addr_v6.ipv6 = *addr;
- msg(M_INFO, "%s: %s/%d dev %s", __func__,
- inet_ntop(AF_INET6, &addr_v6.ipv6, buf, sizeof(buf)), prefixlen, iface);
+ msg(M_INFO, "%s: %s/%d dev %s", __func__, inet_ntop(AF_INET6, &addr_v6.ipv6, buf, sizeof(buf)),
+ prefixlen, iface);
return sitnl_addr_del(AF_INET6, iface, &addr_v6, prefixlen);
}
int
-net_addr_ptp_v4_add(openvpn_net_ctx_t *ctx, const char *iface,
- const in_addr_t *local, const in_addr_t *remote)
+net_addr_ptp_v4_add(openvpn_net_ctx_t *ctx, const char *iface, const in_addr_t *local,
+ const in_addr_t *remote)
{
inet_address_t local_v4 = { 0 };
inet_address_t remote_v4 = { 0 };
@@ -1136,8 +1115,8 @@
}
int
-net_addr_ptp_v4_del(openvpn_net_ctx_t *ctx, const char *iface,
- const in_addr_t *local, const in_addr_t *remote)
+net_addr_ptp_v4_del(openvpn_net_ctx_t *ctx, const char *iface, const in_addr_t *local,
+ const in_addr_t *remote)
{
inet_address_t local_v4 = { 0 };
char buf[INET6_ADDRSTRLEN];
@@ -1150,15 +1129,15 @@
local_v4.ipv4 = htonl(*local);
- msg(M_INFO, "%s: %s dev %s", __func__,
- inet_ntop(AF_INET, &local_v4.ipv4, buf, sizeof(buf)), iface);
+ msg(M_INFO, "%s: %s dev %s", __func__, inet_ntop(AF_INET, &local_v4.ipv4, buf, sizeof(buf)),
+ iface);
return sitnl_addr_ptp_del(AF_INET, iface, &local_v4);
}
static int
-sitnl_route_add(const char *iface, sa_family_t af_family, const void *dst,
- int prefixlen, const void *gw, uint32_t table, int metric)
+sitnl_route_add(const char *iface, sa_family_t af_family, const void *dst, int prefixlen,
+ const void *gw, uint32_t table, int metric)
{
enum rt_scope_t scope = RT_SCOPE_UNIVERSE;
int ifindex = 0;
@@ -1168,8 +1147,7 @@
ifindex = if_nametoindex(iface);
if (ifindex == 0)
{
- msg(M_WARN | M_ERRNO, "%s: rtnl: can't get ifindex for %s",
- __func__, iface);
+ msg(M_WARN | M_ERRNO, "%s: rtnl: can't get ifindex for %s", __func__, iface);
return -ENOENT;
}
}
@@ -1184,15 +1162,13 @@
scope = RT_SCOPE_LINK;
}
- return sitnl_route_set(RTM_NEWROUTE, NLM_F_CREATE, ifindex,
- af_family, dst, prefixlen, gw, table, metric, scope,
- RTPROT_BOOT, RTN_UNICAST);
+ return sitnl_route_set(RTM_NEWROUTE, NLM_F_CREATE, ifindex, af_family, dst, prefixlen, gw,
+ table, metric, scope, RTPROT_BOOT, RTN_UNICAST);
}
int
-net_route_v4_add(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen,
- const in_addr_t *gw, const char *iface,
- uint32_t table, int metric)
+net_route_v4_add(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen, const in_addr_t *gw,
+ const char *iface, uint32_t table, int metric)
{
in_addr_t *dst_ptr = NULL, *gw_ptr = NULL;
in_addr_t dst_be = 0, gw_be = 0;
@@ -1212,18 +1188,15 @@
}
msg(D_ROUTE, "%s: %s/%d via %s dev %s table %d metric %d", __func__,
- inet_ntop(AF_INET, &dst_be, dst_str, sizeof(dst_str)),
- prefixlen, inet_ntop(AF_INET, &gw_be, gw_str, sizeof(gw_str)),
- np(iface), table, metric);
+ inet_ntop(AF_INET, &dst_be, dst_str, sizeof(dst_str)), prefixlen,
+ inet_ntop(AF_INET, &gw_be, gw_str, sizeof(gw_str)), np(iface), table, metric);
- return sitnl_route_add(iface, AF_INET, dst_ptr, prefixlen, gw_ptr, table,
- metric);
+ return sitnl_route_add(iface, AF_INET, dst_ptr, prefixlen, gw_ptr, table, metric);
}
int
-net_route_v6_add(openvpn_net_ctx_t *ctx, const struct in6_addr *dst,
- int prefixlen, const struct in6_addr *gw,
- const char *iface, uint32_t table, int metric)
+net_route_v6_add(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, int prefixlen,
+ const struct in6_addr *gw, const char *iface, uint32_t table, int metric)
{
inet_address_t dst_v6 = { 0 };
inet_address_t gw_v6 = { 0 };
@@ -1241,18 +1214,15 @@
}
msg(D_ROUTE, "%s: %s/%d via %s dev %s table %d metric %d", __func__,
- inet_ntop(AF_INET6, &dst_v6.ipv6, dst_str, sizeof(dst_str)),
- prefixlen, inet_ntop(AF_INET6, &gw_v6.ipv6, gw_str, sizeof(gw_str)),
- np(iface), table, metric);
+ inet_ntop(AF_INET6, &dst_v6.ipv6, dst_str, sizeof(dst_str)), prefixlen,
+ inet_ntop(AF_INET6, &gw_v6.ipv6, gw_str, sizeof(gw_str)), np(iface), table, metric);
- return sitnl_route_add(iface, AF_INET6, dst, prefixlen, gw, table,
- metric);
+ return sitnl_route_add(iface, AF_INET6, dst, prefixlen, gw, table, metric);
}
static int
-sitnl_route_del(const char *iface, sa_family_t af_family, inet_address_t *dst,
- int prefixlen, inet_address_t *gw, uint32_t table,
- int metric)
+sitnl_route_del(const char *iface, sa_family_t af_family, inet_address_t *dst, int prefixlen,
+ inet_address_t *gw, uint32_t table, int metric)
{
int ifindex = 0;
@@ -1261,8 +1231,7 @@
ifindex = if_nametoindex(iface);
if (ifindex == 0)
{
- msg(M_WARN | M_ERRNO, "%s: rtnl: can't get ifindex for %s",
- __func__, iface);
+ msg(M_WARN | M_ERRNO, "%s: rtnl: can't get ifindex for %s", __func__, iface);
return -ENOENT;
}
}
@@ -1272,14 +1241,13 @@
table = RT_TABLE_MAIN;
}
- return sitnl_route_set(RTM_DELROUTE, 0, ifindex, af_family, dst, prefixlen,
- gw, table, metric, RT_SCOPE_NOWHERE, 0, 0);
+ return sitnl_route_set(RTM_DELROUTE, 0, ifindex, af_family, dst, prefixlen, gw, table, metric,
+ RT_SCOPE_NOWHERE, 0, 0);
}
int
-net_route_v4_del(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen,
- const in_addr_t *gw, const char *iface, uint32_t table,
- int metric)
+net_route_v4_del(openvpn_net_ctx_t *ctx, const in_addr_t *dst, int prefixlen, const in_addr_t *gw,
+ const char *iface, uint32_t table, int metric)
{
inet_address_t dst_v4 = { 0 };
inet_address_t gw_v4 = { 0 };
@@ -1297,18 +1265,15 @@
}
msg(D_ROUTE, "%s: %s/%d via %s dev %s table %d metric %d", __func__,
- inet_ntop(AF_INET, &dst_v4.ipv4, dst_str, sizeof(dst_str)),
- prefixlen, inet_ntop(AF_INET, &gw_v4.ipv4, gw_str, sizeof(gw_str)),
- np(iface), table, metric);
+ inet_ntop(AF_INET, &dst_v4.ipv4, dst_str, sizeof(dst_str)), prefixlen,
+ inet_ntop(AF_INET, &gw_v4.ipv4, gw_str, sizeof(gw_str)), np(iface), table, metric);
- return sitnl_route_del(iface, AF_INET, &dst_v4, prefixlen, &gw_v4, table,
- metric);
+ return sitnl_route_del(iface, AF_INET, &dst_v4, prefixlen, &gw_v4, table, metric);
}
int
-net_route_v6_del(openvpn_net_ctx_t *ctx, const struct in6_addr *dst,
- int prefixlen, const struct in6_addr *gw,
- const char *iface, uint32_t table, int metric)
+net_route_v6_del(openvpn_net_ctx_t *ctx, const struct in6_addr *dst, int prefixlen,
+ const struct in6_addr *gw, const char *iface, uint32_t table, int metric)
{
inet_address_t dst_v6 = { 0 };
inet_address_t gw_v6 = { 0 };
@@ -1326,20 +1291,17 @@
}
msg(D_ROUTE, "%s: %s/%d via %s dev %s table %d metric %d", __func__,
- inet_ntop(AF_INET6, &dst_v6.ipv6, dst_str, sizeof(dst_str)),
- prefixlen, inet_ntop(AF_INET6, &gw_v6.ipv6, gw_str, sizeof(gw_str)),
- np(iface), table, metric);
+ inet_ntop(AF_INET6, &dst_v6.ipv6, dst_str, sizeof(dst_str)), prefixlen,
+ inet_ntop(AF_INET6, &gw_v6.ipv6, gw_str, sizeof(gw_str)), np(iface), table, metric);
- return sitnl_route_del(iface, AF_INET6, &dst_v6, prefixlen, &gw_v6,
- table, metric);
+ return sitnl_route_del(iface, AF_INET6, &dst_v6, prefixlen, &gw_v6, table, metric);
}
int
-net_iface_new(openvpn_net_ctx_t *ctx, const char *iface, const char *type,
- void *arg)
+net_iface_new(openvpn_net_ctx_t *ctx, const char *iface, const char *type, void *arg)
{
- struct sitnl_link_req req = { };
+ struct sitnl_link_req req = {};
int ret = -1;
ASSERT(iface);
@@ -1357,8 +1319,7 @@
{
dco_context_t *dco = arg;
struct rtattr *data = SITNL_NEST(&req.n, sizeof(req), IFLA_INFO_DATA);
- SITNL_ADDATTR(&req.n, sizeof(req), IFLA_OVPN_MODE, &dco->ifmode,
- sizeof(uint8_t));
+ SITNL_ADDATTR(&req.n, sizeof(req), IFLA_OVPN_MODE, &dco->ifmode, sizeof(uint8_t));
SITNL_NEST_END(&req.n, data);
}
#endif
@@ -1366,7 +1327,7 @@
req.i.ifi_family = AF_PACKET;
- msg(D_ROUTE, "%s: add %s type %s", __func__, iface, type);
+ msg(D_ROUTE, "%s: add %s type %s", __func__, iface, type);
ret = sitnl_send(&req.n, 0, 0, NULL, NULL);
err:
@@ -1374,8 +1335,8 @@
}
static int
-sitnl_parse_rtattr_flags(struct rtattr *tb[], int max, struct rtattr *rta,
- int len, unsigned short flags)
+sitnl_parse_rtattr_flags(struct rtattr *tb[], int max, struct rtattr *rta, int len,
+ unsigned short flags)
{
unsigned short type;
@@ -1395,8 +1356,7 @@
if (len)
{
- msg(D_ROUTE, "%s: %d bytes not parsed! (rta_len=%d)", __func__, len,
- rta->rta_len);
+ msg(D_ROUTE, "%s: %d bytes not parsed! (rta_len=%d)", __func__, len, rta->rta_len);
}
return 0;
@@ -1409,8 +1369,7 @@
}
#define sitnl_parse_rtattr_nested(tb, max, rta) \
- (sitnl_parse_rtattr_flags(tb, max, RTA_DATA(rta), RTA_PAYLOAD(rta), \
- NLA_F_NESTED))
+ (sitnl_parse_rtattr_flags(tb, max, RTA_DATA(rta), RTA_PAYLOAD(rta), NLA_F_NESTED))
static int
sitnl_type_save(struct nlmsghdr *n, void *arg)
@@ -1430,8 +1389,7 @@
{
struct rtattr *tb_link[IFLA_INFO_MAX + 1];
- ret = sitnl_parse_rtattr_nested(tb_link, IFLA_INFO_MAX,
- tb[IFLA_LINKINFO]);
+ ret = sitnl_parse_rtattr_nested(tb_link, IFLA_INFO_MAX, tb[IFLA_LINKINFO]);
if (ret < 0)
{
return ret;
@@ -1449,10 +1407,9 @@
}
int
-net_iface_type(openvpn_net_ctx_t *ctx, const char *iface,
- char type[IFACE_TYPE_LEN_MAX])
+net_iface_type(openvpn_net_ctx_t *ctx, const char *iface, char type[IFACE_TYPE_LEN_MAX])
{
- struct sitnl_link_req req = { };
+ struct sitnl_link_req req = {};
int ifindex = if_nametoindex(iface);
if (!ifindex)
@@ -1472,8 +1429,7 @@
int ret = sitnl_send(&req.n, 0, 0, sitnl_type_save, type);
if (ret < 0)
{
- msg(D_ROUTE, "%s: cannot retrieve iface %s: %s (%d)", __func__, iface,
- strerror(-ret), ret);
+ msg(D_ROUTE, "%s: cannot retrieve iface %s: %s (%d)", __func__, iface, strerror(-ret), ret);
return ret;
}
@@ -1485,7 +1441,7 @@
int
net_iface_del(openvpn_net_ctx_t *ctx, const char *iface)
{
- struct sitnl_link_req req = { };
+ struct sitnl_link_req req = {};
int ifindex = if_nametoindex(iface);
if (!ifindex)
@@ -44,15 +44,14 @@
#ifdef _MSC_VER
/* MS compilers */
#define UINTEGER64 __int64
-#define UINT64(c) c ## Ui64
+#define UINT64(c) c##Ui64
#else
/* Non MS compilers */
#define UINTEGER64 unsigned long long
-#define UINT64(c) c ## LL
+#define UINT64(c) c##LL
#endif
-
static void
gen_md4_hash(const uint8_t *data, int data_len, uint8_t *result)
{
@@ -64,8 +63,7 @@
}
static void
-gen_hmac_md5(const uint8_t *data, int data_len, const uint8_t *key,
- uint8_t *result)
+gen_hmac_md5(const uint8_t *data, int data_len, const uint8_t *key, uint8_t *result)
{
hmac_ctx_t *hmac_ctx = hmac_ctx_new();
@@ -91,13 +89,13 @@
/* store little endian value */
timestamp[0] = timestamp_ull & UINT64(0xFF);
- timestamp[1] = (timestamp_ull >> 8) & UINT64(0xFF);
- timestamp[2] = (timestamp_ull >> 16) & UINT64(0xFF);
- timestamp[3] = (timestamp_ull >> 24) & UINT64(0xFF);
- timestamp[4] = (timestamp_ull >> 32) & UINT64(0xFF);
- timestamp[5] = (timestamp_ull >> 40) & UINT64(0xFF);
- timestamp[6] = (timestamp_ull >> 48) & UINT64(0xFF);
- timestamp[7] = (timestamp_ull >> 56) & UINT64(0xFF);
+ timestamp[1] = (timestamp_ull >> 8) & UINT64(0xFF);
+ timestamp[2] = (timestamp_ull >> 16) & UINT64(0xFF);
+ timestamp[3] = (timestamp_ull >> 24) & UINT64(0xFF);
+ timestamp[4] = (timestamp_ull >> 32) & UINT64(0xFF);
+ timestamp[5] = (timestamp_ull >> 40) & UINT64(0xFF);
+ timestamp[6] = (timestamp_ull >> 48) & UINT64(0xFF);
+ timestamp[7] = (timestamp_ull >> 56) & UINT64(0xFF);
}
static void
@@ -106,7 +104,7 @@
/* Generates 8 random bytes to be used as client nonce */
int i;
- for (i = 0; i<8; i++)
+ for (i = 0; i < 8; i++)
{
nonce[i] = (unsigned char)get_random();
}
@@ -152,8 +150,8 @@
}
static void
-add_security_buffer(int sb_offset, void *data, int length,
- unsigned char *msg_buf, int *msg_bufpos, size_t msg_bufsize)
+add_security_buffer(int sb_offset, void *data, int length, unsigned char *msg_buf, int *msg_bufpos,
+ size_t msg_bufsize)
{
if (*msg_bufpos + length > msg_bufsize)
{
@@ -188,8 +186,7 @@
}
const char *
-ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2,
- struct gc_arena *gc)
+ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, struct gc_arena *gc)
{
/* NTLM handshake
*
@@ -205,13 +202,13 @@
int i, ret_val;
uint8_t ntlmv2_response[256];
- char userdomain_u[256]; /* for uppercase unicode username and domain */
- char userdomain[128]; /* the same as previous but ascii */
+ char userdomain_u[256]; /* for uppercase unicode username and domain */
+ char userdomain[128]; /* the same as previous but ascii */
uint8_t ntlmv2_hash[MD5_DIGEST_LENGTH];
uint8_t ntlmv2_hmacmd5[16];
- uint8_t *ntlmv2_blob = ntlmv2_response + 16; /* inside ntlmv2_response, length: 128 */
+ uint8_t *ntlmv2_blob = ntlmv2_response + 16; /* inside ntlmv2_response, length: 128 */
int ntlmv2_blob_size = 0;
- int phase3_bufpos = 0x40; /* offset to next security buffer data to be added */
+ int phase3_bufpos = 0x40; /* offset to next security buffer data to be added */
size_t len;
char domain[128];
@@ -225,20 +222,20 @@
separator = strchr(p->up.username, '\\');
if (separator == NULL)
{
- strncpy(username, p->up.username, sizeof(username)-1);
- username[sizeof(username)-1] = 0;
+ strncpy(username, p->up.username, sizeof(username) - 1);
+ username[sizeof(username) - 1] = 0;
domain[0] = 0;
}
else
{
- strncpy(username, separator+1, sizeof(username)-1);
- username[sizeof(username)-1] = 0;
+ strncpy(username, separator + 1, sizeof(username) - 1);
+ username[sizeof(username) - 1] = 0;
len = separator - p->up.username;
if (len > sizeof(domain) - 1)
{
len = sizeof(domain) - 1;
}
- strncpy(domain, p->up.username, len);
+ strncpy(domain, p->up.username, len);
domain[len] = 0;
}
@@ -264,9 +261,9 @@
}
/* extract the challenge from bytes 24-31 */
- for (i = 0; i<8; i++)
+ for (i = 0; i < 8; i++)
{
- challenge[i] = buf2[i+24];
+ challenge[i] = buf2[i + 24];
}
/* Generate NTLMv2 response */
@@ -284,17 +281,16 @@
msg(M_INFO, "NTLM: Username or domain too long");
}
unicodize(userdomain_u, userdomain);
- gen_hmac_md5((uint8_t *)userdomain_u, 2 * strlen(userdomain), md4_hash,
- ntlmv2_hash);
+ gen_hmac_md5((uint8_t *)userdomain_u, 2 * strlen(userdomain), md4_hash, ntlmv2_hash);
/* NTLMv2 Blob */
- memset(ntlmv2_blob, 0, 128); /* Clear blob buffer */
- ntlmv2_blob[0x00] = 1; /* Signature */
- ntlmv2_blob[0x01] = 1; /* Signature */
- ntlmv2_blob[0x04] = 0; /* Reserved */
- gen_timestamp(&ntlmv2_blob[0x08]); /* 64-bit Timestamp */
- gen_nonce(&ntlmv2_blob[0x10]); /* 64-bit Client Nonce */
- ntlmv2_blob[0x18] = 0; /* Unknown, zero should work */
+ memset(ntlmv2_blob, 0, 128); /* Clear blob buffer */
+ ntlmv2_blob[0x00] = 1; /* Signature */
+ ntlmv2_blob[0x01] = 1; /* Signature */
+ ntlmv2_blob[0x04] = 0; /* Reserved */
+ gen_timestamp(&ntlmv2_blob[0x08]); /* 64-bit Timestamp */
+ gen_nonce(&ntlmv2_blob[0x10]); /* 64-bit Client Nonce */
+ ntlmv2_blob[0x18] = 0; /* Unknown, zero should work */
/* Add target information block to the blob */
@@ -311,11 +307,11 @@
* byte order on the wire for the NTLM header is LE.
*/
const size_t hoff = 0x14;
- unsigned long flags = buf2[hoff] | (buf2[hoff + 1] << 8)
- |(buf2[hoff + 2] << 16) | (buf2[hoff + 3] << 24);
+ unsigned long flags =
+ buf2[hoff] | (buf2[hoff + 1] << 8) | (buf2[hoff + 2] << 16) | (buf2[hoff + 3] << 24);
if ((flags & 0x00800000) == 0x00800000)
{
- tib_len = buf2[0x28]; /* Get Target Information block size */
+ tib_len = buf2[0x28]; /* Get Target Information block size */
if (tib_len + 0x1c + 16 > sizeof(ntlmv2_response))
{
msg(M_WARN, "NTLM: target information buffer too long for response (len=%d)", tib_len);
@@ -327,7 +323,9 @@
uint8_t tib_pos = buf2[0x2c];
if (tib_pos + tib_len > sizeof(buf2))
{
- msg(M_ERR, "NTLM: phase 2 response from server too long (need %d bytes at offset %u)", tib_len, tib_pos);
+ msg(M_ERR,
+ "NTLM: phase 2 response from server too long (need %d bytes at offset %u)",
+ tib_len, tib_pos);
return NULL;
}
/* Get Target Information block pointer */
@@ -351,41 +349,38 @@
memcpy(&ntlmv2_response[8], challenge, 8);
/* hmac-md5 */
- gen_hmac_md5(&ntlmv2_response[8], ntlmv2_blob_size + 8, ntlmv2_hash,
- ntlmv2_hmacmd5);
+ gen_hmac_md5(&ntlmv2_response[8], ntlmv2_blob_size + 8, ntlmv2_hash, ntlmv2_hmacmd5);
/* Add hmac-md5 result to the blob.
* Note: This overwrites challenge previously written at
* ntlmv2_response[8..15] */
memcpy(ntlmv2_response, ntlmv2_hmacmd5, MD5_DIGEST_LENGTH);
- memset(phase3, 0, sizeof(phase3)); /* clear reply */
+ memset(phase3, 0, sizeof(phase3)); /* clear reply */
- strcpy((char *)phase3, "NTLMSSP\0"); /* signature */
- phase3[8] = 3; /* type 3 */
+ strcpy((char *)phase3, "NTLMSSP\0"); /* signature */
+ phase3[8] = 3; /* type 3 */
/* NTLMv2 response */
- add_security_buffer(0x14, ntlmv2_response, ntlmv2_blob_size + 16,
- phase3, &phase3_bufpos, sizeof(phase3));
+ add_security_buffer(0x14, ntlmv2_response, ntlmv2_blob_size + 16, phase3, &phase3_bufpos,
+ sizeof(phase3));
/* username in ascii */
- add_security_buffer(0x24, username, strlen(username), phase3,
- &phase3_bufpos, sizeof(phase3));
+ add_security_buffer(0x24, username, strlen(username), phase3, &phase3_bufpos, sizeof(phase3));
/* Set domain. If <domain> is empty, default domain will be used
* (i.e. proxy's domain) */
add_security_buffer(0x1c, domain, strlen(domain), phase3, &phase3_bufpos, sizeof(phase3));
/* other security buffers will be empty */
- phase3[0x10] = phase3_bufpos; /* lm not used */
- phase3[0x30] = phase3_bufpos; /* no workstation name supplied */
- phase3[0x38] = phase3_bufpos; /* no session key */
+ phase3[0x10] = phase3_bufpos; /* lm not used */
+ phase3[0x30] = phase3_bufpos; /* no workstation name supplied */
+ phase3[0x38] = phase3_bufpos; /* no session key */
/* flags */
phase3[0x3c] = 0x02; /* negotiate oem */
phase3[0x3d] = 0x02; /* negotiate ntlm */
- return ((const char *)make_base64_string2((unsigned char *)phase3,
- phase3_bufpos, gc));
+ return ((const char *)make_base64_string2((unsigned char *)phase3, phase3_bufpos, gc));
}
#endif /* if NTLM */
@@ -51,95 +51,93 @@
* OCC_STRING_SIZE must be set to sizeof (occ_magic)
*/
-const uint8_t occ_magic[] = {
- 0x28, 0x7f, 0x34, 0x6b, 0xd4, 0xef, 0x7a, 0x81,
- 0x2d, 0x56, 0xb8, 0xd3, 0xaf, 0xc5, 0x45, 0x9c
-};
+const uint8_t occ_magic[] = { 0x28, 0x7f, 0x34, 0x6b, 0xd4, 0xef, 0x7a, 0x81,
+ 0x2d, 0x56, 0xb8, 0xd3, 0xaf, 0xc5, 0x45, 0x9c };
static const struct mtu_load_test mtu_load_test_sequence[] = {
- {OCC_MTU_LOAD_REQUEST, -1000},
- {OCC_MTU_LOAD, -1000},
- {OCC_MTU_LOAD_REQUEST, -1000},
- {OCC_MTU_LOAD, -1000},
- {OCC_MTU_LOAD_REQUEST, -1000},
- {OCC_MTU_LOAD, -1000},
+ { OCC_MTU_LOAD_REQUEST, -1000 },
+ { OCC_MTU_LOAD, -1000 },
+ { OCC_MTU_LOAD_REQUEST, -1000 },
+ { OCC_MTU_LOAD, -1000 },
+ { OCC_MTU_LOAD_REQUEST, -1000 },
+ { OCC_MTU_LOAD, -1000 },
- {OCC_MTU_LOAD_REQUEST, -750},
- {OCC_MTU_LOAD, -750},
- {OCC_MTU_LOAD_REQUEST, -750},
- {OCC_MTU_LOAD, -750},
- {OCC_MTU_LOAD_REQUEST, -750},
- {OCC_MTU_LOAD, -750},
+ { OCC_MTU_LOAD_REQUEST, -750 },
+ { OCC_MTU_LOAD, -750 },
+ { OCC_MTU_LOAD_REQUEST, -750 },
+ { OCC_MTU_LOAD, -750 },
+ { OCC_MTU_LOAD_REQUEST, -750 },
+ { OCC_MTU_LOAD, -750 },
- {OCC_MTU_LOAD_REQUEST, -500},
- {OCC_MTU_LOAD, -500},
- {OCC_MTU_LOAD_REQUEST, -500},
- {OCC_MTU_LOAD, -500},
- {OCC_MTU_LOAD_REQUEST, -500},
- {OCC_MTU_LOAD, -500},
+ { OCC_MTU_LOAD_REQUEST, -500 },
+ { OCC_MTU_LOAD, -500 },
+ { OCC_MTU_LOAD_REQUEST, -500 },
+ { OCC_MTU_LOAD, -500 },
+ { OCC_MTU_LOAD_REQUEST, -500 },
+ { OCC_MTU_LOAD, -500 },
- {OCC_MTU_LOAD_REQUEST, -400},
- {OCC_MTU_LOAD, -400},
- {OCC_MTU_LOAD_REQUEST, -400},
- {OCC_MTU_LOAD, -400},
- {OCC_MTU_LOAD_REQUEST, -400},
- {OCC_MTU_LOAD, -400},
+ { OCC_MTU_LOAD_REQUEST, -400 },
+ { OCC_MTU_LOAD, -400 },
+ { OCC_MTU_LOAD_REQUEST, -400 },
+ { OCC_MTU_LOAD, -400 },
+ { OCC_MTU_LOAD_REQUEST, -400 },
+ { OCC_MTU_LOAD, -400 },
- {OCC_MTU_LOAD_REQUEST, -300},
- {OCC_MTU_LOAD, -300},
- {OCC_MTU_LOAD_REQUEST, -300},
- {OCC_MTU_LOAD, -300},
- {OCC_MTU_LOAD_REQUEST, -300},
- {OCC_MTU_LOAD, -300},
+ { OCC_MTU_LOAD_REQUEST, -300 },
+ { OCC_MTU_LOAD, -300 },
+ { OCC_MTU_LOAD_REQUEST, -300 },
+ { OCC_MTU_LOAD, -300 },
+ { OCC_MTU_LOAD_REQUEST, -300 },
+ { OCC_MTU_LOAD, -300 },
- {OCC_MTU_LOAD_REQUEST, -200},
- {OCC_MTU_LOAD, -200},
- {OCC_MTU_LOAD_REQUEST, -200},
- {OCC_MTU_LOAD, -200},
- {OCC_MTU_LOAD_REQUEST, -200},
- {OCC_MTU_LOAD, -200},
+ { OCC_MTU_LOAD_REQUEST, -200 },
+ { OCC_MTU_LOAD, -200 },
+ { OCC_MTU_LOAD_REQUEST, -200 },
+ { OCC_MTU_LOAD, -200 },
+ { OCC_MTU_LOAD_REQUEST, -200 },
+ { OCC_MTU_LOAD, -200 },
- {OCC_MTU_LOAD_REQUEST, -150},
- {OCC_MTU_LOAD, -150},
- {OCC_MTU_LOAD_REQUEST, -150},
- {OCC_MTU_LOAD, -150},
- {OCC_MTU_LOAD_REQUEST, -150},
- {OCC_MTU_LOAD, -150},
+ { OCC_MTU_LOAD_REQUEST, -150 },
+ { OCC_MTU_LOAD, -150 },
+ { OCC_MTU_LOAD_REQUEST, -150 },
+ { OCC_MTU_LOAD, -150 },
+ { OCC_MTU_LOAD_REQUEST, -150 },
+ { OCC_MTU_LOAD, -150 },
- {OCC_MTU_LOAD_REQUEST, -100},
- {OCC_MTU_LOAD, -100},
- {OCC_MTU_LOAD_REQUEST, -100},
- {OCC_MTU_LOAD, -100},
- {OCC_MTU_LOAD_REQUEST, -100},
- {OCC_MTU_LOAD, -100},
+ { OCC_MTU_LOAD_REQUEST, -100 },
+ { OCC_MTU_LOAD, -100 },
+ { OCC_MTU_LOAD_REQUEST, -100 },
+ { OCC_MTU_LOAD, -100 },
+ { OCC_MTU_LOAD_REQUEST, -100 },
+ { OCC_MTU_LOAD, -100 },
- {OCC_MTU_LOAD_REQUEST, -50},
- {OCC_MTU_LOAD, -50},
- {OCC_MTU_LOAD_REQUEST, -50},
- {OCC_MTU_LOAD, -50},
- {OCC_MTU_LOAD_REQUEST, -50},
- {OCC_MTU_LOAD, -50},
+ { OCC_MTU_LOAD_REQUEST, -50 },
+ { OCC_MTU_LOAD, -50 },
+ { OCC_MTU_LOAD_REQUEST, -50 },
+ { OCC_MTU_LOAD, -50 },
+ { OCC_MTU_LOAD_REQUEST, -50 },
+ { OCC_MTU_LOAD, -50 },
- {OCC_MTU_LOAD_REQUEST, 0},
- {OCC_MTU_LOAD, 0},
- {OCC_MTU_LOAD_REQUEST, 0},
- {OCC_MTU_LOAD, 0},
- {OCC_MTU_LOAD_REQUEST, 0},
- {OCC_MTU_LOAD, 0},
+ { OCC_MTU_LOAD_REQUEST, 0 },
+ { OCC_MTU_LOAD, 0 },
+ { OCC_MTU_LOAD_REQUEST, 0 },
+ { OCC_MTU_LOAD, 0 },
+ { OCC_MTU_LOAD_REQUEST, 0 },
+ { OCC_MTU_LOAD, 0 },
- {OCC_MTU_REQUEST, 0},
- {OCC_MTU_REQUEST, 0},
- {OCC_MTU_REQUEST, 0},
- {OCC_MTU_REQUEST, 0},
- {OCC_MTU_REQUEST, 0},
- {OCC_MTU_REQUEST, 0},
- {OCC_MTU_REQUEST, 0},
- {OCC_MTU_REQUEST, 0},
- {OCC_MTU_REQUEST, 0},
- {OCC_MTU_REQUEST, 0},
+ { OCC_MTU_REQUEST, 0 },
+ { OCC_MTU_REQUEST, 0 },
+ { OCC_MTU_REQUEST, 0 },
+ { OCC_MTU_REQUEST, 0 },
+ { OCC_MTU_REQUEST, 0 },
+ { OCC_MTU_REQUEST, 0 },
+ { OCC_MTU_REQUEST, 0 },
+ { OCC_MTU_REQUEST, 0 },
+ { OCC_MTU_REQUEST, 0 },
+ { OCC_MTU_REQUEST, 0 },
- {-1, 0}
+ { -1, 0 }
};
void
@@ -155,15 +153,12 @@
*/
msg(D_SHOW_OCC,
"NOTE: failed to obtain options consistency info from peer -- "
- "this could occur if the remote peer is running a version of "
- PACKAGE_NAME
- " before 1.5-beta8 or if there is a network connectivity problem, and will not necessarily prevent "
- PACKAGE_NAME
+ "this could occur if the remote peer is running a version of " PACKAGE_NAME
+ " before 1.5-beta8 or if there is a network connectivity problem, and will not necessarily prevent " PACKAGE_NAME
" from running (" counter_format " bytes received from peer, " counter_format
" bytes authenticated data channel traffic) -- you can disable the options consistency "
"check with --disable-occ.",
- c->c2.link_read_bytes,
- c->c2.link_read_bytes_auth);
+ c->c2.link_read_bytes, c->c2.link_read_bytes_auth);
}
event_timeout_clear(&c->c2.occ_interval);
}
@@ -196,16 +191,17 @@
if (entry->op >= 0)
{
c->c2.occ_op = entry->op;
- size_t payload_size = frame_calculate_payload_size(&c->c2.frame,
- &c->options, &c->c1.ks.key_type);
- size_t header_size = frame_calculate_protocol_header_size(&c->c1.ks.key_type, &c->options, false);
+ size_t payload_size =
+ frame_calculate_payload_size(&c->c2.frame, &c->options, &c->c1.ks.key_type);
+ size_t header_size =
+ frame_calculate_protocol_header_size(&c->c1.ks.key_type, &c->options, false);
c->c2.occ_mtu_load_size = payload_size + header_size;
}
else
{
- msg(M_INFO,
- "NOTE: failed to empirically measure MTU (requires " PACKAGE_NAME " 1.5 or higher at other end of connection).");
+ msg(M_INFO, "NOTE: failed to empirically measure MTU (requires " PACKAGE_NAME
+ " 1.5 or higher at other end of connection).");
event_timeout_clear(&c->c2.occ_mtu_load_test_interval);
c->c2.occ_mtu_load_n_tries = 0;
}
@@ -308,10 +304,8 @@
proto_hdr = frame_calculate_protocol_header_size(kt, &c->options, false);
need_to_add = min_int(c->c2.occ_mtu_load_size, c->c2.frame.buf.payload_size)
- - OCC_STRING_SIZE
- - sizeof(uint8_t) /* occ opcode */
- - payload_hdr
- - proto_hdr;
+ - OCC_STRING_SIZE - sizeof(uint8_t) /* occ opcode */
+ - payload_hdr - proto_hdr;
while (need_to_add > 0)
{
@@ -325,13 +319,8 @@
--need_to_add;
}
dmsg(D_PACKET_CONTENT, "SENT OCC_MTU_LOAD min_int(%d,%d)-%d-%d-%d-%d) size=%d",
- c->c2.occ_mtu_load_size,
- c->c2.frame.buf.payload_size,
- OCC_STRING_SIZE,
- (int) sizeof(uint8_t),
- (int) payload_hdr,
- (int) proto_hdr,
- BLEN(&c->c2.buf));
+ c->c2.occ_mtu_load_size, c->c2.frame.buf.payload_size, OCC_STRING_SIZE,
+ (int)sizeof(uint8_t), (int)payload_hdr, (int)proto_hdr, BLEN(&c->c2.buf));
doit = true;
}
break;
@@ -387,12 +376,10 @@
dmsg(D_PACKET_CONTENT, "RECEIVED OCC_REPLY");
if (c->options.occ && !TLS_MODE(c) && c->c2.options_string_remote)
{
- if (!options_cmp_equal_safe((char *) BPTR(&c->c2.buf),
- c->c2.options_string_remote,
+ if (!options_cmp_equal_safe((char *)BPTR(&c->c2.buf), c->c2.options_string_remote,
c->c2.buf.len))
{
- options_warning_safe((char *) BPTR(&c->c2.buf),
- c->c2.options_string_remote,
+ options_warning_safe((char *)BPTR(&c->c2.buf), c->c2.options_string_remote,
c->c2.buf.len);
}
}
@@ -403,22 +390,20 @@
dmsg(D_PACKET_CONTENT, "RECEIVED OCC_MTU_REPLY");
c->c2.max_recv_size_remote = buf_read_u16(&c->c2.buf);
c->c2.max_send_size_remote = buf_read_u16(&c->c2.buf);
- if (c->options.mtu_test
- && c->c2.max_recv_size_remote > 0
+ if (c->options.mtu_test && c->c2.max_recv_size_remote > 0
&& c->c2.max_send_size_remote > 0)
{
- msg(M_INFO, "NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[%d,%d] remote->local=[%d,%d]",
- c->c2.max_send_size_local,
- c->c2.max_recv_size_remote,
- c->c2.max_send_size_remote,
- c->c2.max_recv_size_local);
- if (!c->options.ce.fragment
- && (proto_is_dgram(c->options.ce.proto))
+ msg(M_INFO,
+ "NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[%d,%d] remote->local=[%d,%d]",
+ c->c2.max_send_size_local, c->c2.max_recv_size_remote,
+ c->c2.max_send_size_remote, c->c2.max_recv_size_local);
+ if (!c->options.ce.fragment && (proto_is_dgram(c->options.ce.proto))
&& c->c2.max_send_size_local > TUN_MTU_MIN
&& (c->c2.max_recv_size_remote < c->c2.max_send_size_local
|| c->c2.max_recv_size_local < c->c2.max_send_size_remote))
{
- msg(M_INFO, "NOTE: This connection is unable to accommodate a UDP packet size of %d. Consider using --fragment or --mssfix options as a workaround.",
+ msg(M_INFO,
+ "NOTE: This connection is unable to accommodate a UDP packet size of %d. Consider using --fragment or --mssfix options as a workaround.",
c->c2.max_send_size_local);
}
}
@@ -32,8 +32,8 @@
* OCC (OpenVPN Configuration Control) protocol opcodes.
*/
-#define OCC_REQUEST 0 /* request options string from peer */
-#define OCC_REPLY 1 /* deliver options string to peer */
+#define OCC_REQUEST 0 /* request options string from peer */
+#define OCC_REPLY 1 /* deliver options string to peer */
/*
* Send an OCC_REQUEST once every OCC_INTERVAL
@@ -48,11 +48,12 @@
/*
* Other OCC protocol opcodes used to estimate the MTU empirically.
*/
-#define OCC_MTU_LOAD_REQUEST 2 /* Ask peer to send a big packet to us */
-#define OCC_MTU_LOAD 3 /* Send a big packet to peer */
-#define OCC_MTU_REQUEST 4 /* Ask peer to tell us the largest
- * packet it has received from us so far */
-#define OCC_MTU_REPLY 5 /* Send largest packet size to peer */
+#define OCC_MTU_LOAD_REQUEST 2 /* Ask peer to send a big packet to us */
+#define OCC_MTU_LOAD 3 /* Send a big packet to peer */
+#define OCC_MTU_REQUEST \
+ 4 /* Ask peer to tell us the largest \
+ * packet it has received from us so far */
+#define OCC_MTU_REPLY 5 /* Send largest packet size to peer */
/*
* Process one command from mtu_load_test_sequence
@@ -63,7 +64,7 @@
/*
* Send an exit message to remote.
*/
-#define OCC_EXIT 6
+#define OCC_EXIT 6
/*
* Used to conduct a load test command sequence
@@ -71,10 +72,10 @@
*/
struct mtu_load_test
{
- int op; /* OCC opcode to send to peer */
- int delta; /* determine packet size to send by using
- * this delta against currently
- * configured MTU */
+ int op; /* OCC opcode to send to peer */
+ int delta; /* determine packet size to send by using
+ * this delta against currently
+ * configured MTU */
};
extern const uint8_t occ_magic[];
@@ -110,8 +111,7 @@
check_send_occ_req(struct context *c)
{
if (event_timeout_defined(&c->c2.occ_interval)
- && event_timeout_trigger(&c->c2.occ_interval,
- &c->c2.timeval,
+ && event_timeout_trigger(&c->c2.occ_interval, &c->c2.timeval,
(!TO_LINK_DEF(c) && c->c2.occ_op < 0) ? ETT_DEFAULT : 0))
{
check_send_occ_req_dowork(c);
@@ -125,8 +125,7 @@
check_send_occ_load_test(struct context *c)
{
if (event_timeout_defined(&c->c2.occ_mtu_load_test_interval)
- && event_timeout_trigger(&c->c2.occ_mtu_load_test_interval,
- &c->c2.timeval,
+ && event_timeout_trigger(&c->c2.occ_mtu_load_test_interval, &c->c2.timeval,
(!TO_LINK_DEF(c) && c->c2.occ_op < 0) ? ETT_DEFAULT : 0))
{
check_send_occ_load_test_dowork(c);
@@ -67,15 +67,16 @@
}
}
-#define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG
-#define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG
+#define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG
+#define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG
#endif
#if defined(LIBRESSL_VERSION_NUMBER)
-#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT
+#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT
#endif
-#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL || defined(OPENSSL_IS_AWSLC)
+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL \
+ || defined(OPENSSL_IS_AWSLC)
#define SSL_get_peer_tmp_key SSL_get_server_tmp_key
#endif
@@ -85,10 +86,8 @@
/* Note that this is not a perfect emulation of the new function but
* is good enough for our case of printing certificate details during
* handshake */
-static inline
-int
-EVP_PKEY_get_group_name(EVP_PKEY *pkey, char *gname, size_t gname_sz,
- size_t *gname_len)
+static inline int
+EVP_PKEY_get_group_name(EVP_PKEY *pkey, char *gname, size_t gname_sz, size_t *gname_len)
{
const EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
if (ec == NULL)
@@ -117,13 +116,12 @@
#endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L && !defined(OPENSSL_NO_EC) */
#if OPENSSL_VERSION_NUMBER < 0x30000000L
-#define EVP_MD_get0_name EVP_MD_name
-#define EVP_CIPHER_get0_name EVP_CIPHER_name
+#define EVP_MD_get0_name EVP_MD_name
+#define EVP_CIPHER_get0_name EVP_CIPHER_name
#define EVP_CIPHER_CTX_get_mode EVP_CIPHER_CTX_mode
/** Reduce SSL_CTX_new_ex() to SSL_CTX_new() for OpenSSL < 3 */
-#define SSL_CTX_new_ex(libctx, propq, method) \
- SSL_CTX_new((method))
+#define SSL_CTX_new_ex(libctx, propq, method) SSL_CTX_new((method))
/* Some safe typedefs to avoid too many ifdefs */
typedef void OSSL_LIB_CTX;
@@ -160,9 +158,7 @@
}
static inline unsigned long
-ERR_get_error_all(const char **file, int *line,
- const char **func,
- const char **data, int *flags)
+ERR_get_error_all(const char **file, int *line, const char **func, const char **data, int *flags)
{
static const char *empty = "";
*func = empty;
@@ -172,13 +168,13 @@
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
-#if OPENSSL_VERSION_NUMBER < 0x30500000 && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL)
+#if OPENSSL_VERSION_NUMBER < 0x30500000 \
+ && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL)
static inline int
SSL_get0_peer_signature_name(SSL *ssl, const char **sigalg)
{
int peer_sig_nid;
- if (SSL_get_peer_signature_nid(ssl, &peer_sig_nid)
- && peer_sig_nid != NID_undef)
+ if (SSL_get_peer_signature_nid(ssl, &peer_sig_nid) && peer_sig_nid != NID_undef)
{
*sigalg = OBJ_nid2sn(peer_sig_nid);
return 1;
@@ -194,7 +190,8 @@
*sigalg = NULL;
return 0;
}
-#endif /* if OPENSSL_VERSION_NUMBER < 0x30500000 && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL) */
+#endif /* if OPENSSL_VERSION_NUMBER < 0x30500000 && (!defined(LIBRESSL_VERSION_NUMBER) || \
+ LIBRESSL_VERSION_NUMBER > 0x3050400fL) */
#if OPENSSL_VERSION_NUMBER < 0x30200000L && OPENSSL_VERSION_NUMBER >= 0x30000000L
static inline const char *
@@ -119,8 +119,7 @@
* printing depends on it */
for (int j = 1; j < MAX_PARMS && c->options.providers.names[j]; j++)
{
- c->options.providers.providers[j] =
- crypto_load_provider(c->options.providers.names[j]);
+ c->options.providers.providers[j] = crypto_load_provider(c->options.providers.names[j]);
}
}
@@ -129,8 +128,7 @@
{
for (int j = 1; j < MAX_PARMS && c->options.providers.providers[j]; j++)
{
- crypto_unload_provider(c->options.providers.names[j],
- c->options.providers.providers[j]);
+ crypto_unload_provider(c->options.providers.names[j], c->options.providers.providers[j]);
}
net_ctx_free(&c->net_ctx);
}
@@ -156,14 +154,15 @@
* @param argc - Commandline argument count.
* @param argv - Commandline argument values.
*/
-static
-int
+static int
openvpn_main(int argc, char *argv[])
{
struct context c;
#if PEDANTIC
- fprintf(stderr, "Sorry, I was built with --enable-pedantic and I am incapable of doing any real work!\n");
+ fprintf(
+ stderr,
+ "Sorry, I was built with --enable-pedantic and I am incapable of doing any real work!\n");
return 1;
#endif
@@ -332,15 +331,13 @@
/* pass restart status to management subsystem */
signal_restart_status(c.sig);
- }
- while (signal_reset(c.sig, SIGUSR1) == SIGUSR1);
+ } while (signal_reset(c.sig, SIGUSR1) == SIGUSR1);
env_set_destroy(c.es);
uninit_options(&c.options);
gc_reset(&c.gc);
uninit_early(&c);
- }
- while (signal_reset(c.sig, SIGHUP) == SIGHUP);
+ } while (signal_reset(c.sig, SIGHUP) == SIGHUP);
}
context_gc_free(&c);
@@ -365,7 +362,7 @@
int ret;
int i;
- if ((argv = calloc(argc+1, sizeof(char *))) == NULL)
+ if ((argv = calloc(argc + 1, sizeof(char *))) == NULL)
{
return 1;
}
@@ -69,7 +69,7 @@
* renegotiation key */
struct key2 original_wrap_keydata;
struct key_ctx tls_crypt_v2_server_key;
- struct buffer tls_crypt_v2_wkc; /**< Wrapped client key */
+ struct buffer tls_crypt_v2_wkc; /**< Wrapped client key */
struct key_ctx auth_token_key;
};
@@ -169,10 +169,10 @@
/* persist crypto sequence number to/from file */
struct packet_id_persist pid_persist;
- struct tuntap *tuntap; /**< Tun/tap virtual network interface. */
- bool tuntap_owned; /**< Whether the tun/tap interface should
- * be cleaned up when this %context is
- * cleaned up. */
+ struct tuntap *tuntap; /**< Tun/tap virtual network interface. */
+ bool tuntap_owned; /**< Whether the tun/tap interface should
+ * be cleaned up when this %context is
+ * cleaned up. */
struct route_list *route_list;
/**< List of routing information. See the
@@ -208,8 +208,7 @@
static inline bool
is_cas_pending(enum multi_status cas)
{
- return cas == CAS_PENDING || cas == CAS_PENDING_DEFERRED
- || cas == CAS_PENDING_DEFERRED_PARTIAL;
+ return cas == CAS_PENDING || cas == CAS_PENDING_DEFERRED || cas == CAS_PENDING_DEFERRED_PARTIAL;
}
/**
@@ -223,9 +222,9 @@
*/
struct context_2
{
- struct gc_arena gc; /**< Garbage collection arena for
- * allocations done in the level 2 scope
- * of this context_2 structure. */
+ struct gc_arena gc; /**< Garbage collection arena for
+ * allocations done in the level 2 scope
+ * of this context_2 structure. */
/* our global wait events */
struct event_set *event_set;
@@ -240,13 +239,13 @@
bool link_socket_owned;
- const struct link_socket *accept_from; /* possibly do accept() on a parent link_socket */
+ const struct link_socket *accept_from; /* possibly do accept() on a parent link_socket */
- struct link_socket_actual *to_link_addr; /* IP address of remote */
- struct link_socket_actual from; /* address of incoming datagram */
+ struct link_socket_actual *to_link_addr; /* IP address of remote */
+ struct link_socket_actual from; /* address of incoming datagram */
/* MTU frame parameters */
- struct frame frame; /* Active frame parameters */
+ struct frame frame; /* Active frame parameters */
#ifdef ENABLE_FRAGMENT
/* Object to handle advanced MTU negotiation and datagram fragmentation */
@@ -297,7 +296,7 @@
char *options_string_local;
char *options_string_remote;
- int occ_op; /* INIT to -1 */
+ int occ_op; /* INIT to -1 */
int occ_n_tries;
struct event_timeout occ_interval;
@@ -305,11 +304,11 @@
* Keep track of maximum packet size received so far
* (of authenticated packets).
*/
- int original_recv_size; /* temporary */
- int max_recv_size_local; /* max packet size received */
- int max_recv_size_remote; /* max packet size received by remote */
- int max_send_size_local; /* max packet size sent */
- int max_send_size_remote; /* max packet size sent by remote */
+ int original_recv_size; /* temporary */
+ int max_recv_size_local; /* max packet size received */
+ int max_recv_size_remote; /* max packet size received by remote */
+ int max_send_size_local; /* max packet size sent */
+ int max_send_size_remote; /* max packet size sent by remote */
/* remote wants us to send back a load test packet of this size */
@@ -473,63 +472,67 @@
*/
struct context
{
- struct options options; /**< Options loaded from command line or
- * configuration file. */
+ struct options options; /**< Options loaded from command line or
+ * configuration file. */
- bool first_time; /**< True on the first iteration of
- * OpenVPN's main loop. */
+ bool first_time; /**< True on the first iteration of
+ * OpenVPN's main loop. */
/* context modes */
-#define CM_P2P 0 /* standalone point-to-point session or client */
-#define CM_TOP 1 /* top level of a multi-client or point-to-multipoint server */
-#define CM_TOP_CLONE 2 /* clone of a CM_TOP context for one thread */
-#define CM_CHILD_UDP 3 /* child context of a CM_TOP or CM_THREAD */
-#define CM_CHILD_TCP 4 /* child context of a CM_TOP or CM_THREAD */
- int mode; /**< Role of this context within the
- * OpenVPN process. Valid values are \c
- * CM_P2P, \c CM_TOP, \c CM_TOP_CLONE,
- * \c CM_CHILD_UDP, and \c CM_CHILD_TCP. */
+#define CM_P2P 0 /* standalone point-to-point session or client */
+#define CM_TOP 1 /* top level of a multi-client or point-to-multipoint server */
+#define CM_TOP_CLONE 2 /* clone of a CM_TOP context for one thread */
+#define CM_CHILD_UDP 3 /* child context of a CM_TOP or CM_THREAD */
+#define CM_CHILD_TCP 4 /* child context of a CM_TOP or CM_THREAD */
+ int mode; /**< Role of this context within the
+ * OpenVPN process. Valid values are \c
+ * CM_P2P, \c CM_TOP, \c CM_TOP_CLONE,
+ * \c CM_CHILD_UDP, and \c CM_CHILD_TCP. */
struct multi_context *multi; /**< Pointer to the main P2MP context.
* Non-NULL only when mode == CM_TOP. */
- struct gc_arena gc; /**< Garbage collection arena for
- * allocations done in the scope of this
- * context structure. */
+ struct gc_arena gc; /**< Garbage collection arena for
+ * allocations done in the scope of this
+ * context structure. */
- struct env_set *es; /**< Set of environment variables. */
+ struct env_set *es; /**< Set of environment variables. */
- openvpn_net_ctx_t net_ctx; /**< Networking API opaque context */
+ openvpn_net_ctx_t net_ctx; /**< Networking API opaque context */
- struct signal_info *sig; /**< Internal error signaling object. */
+ struct signal_info *sig; /**< Internal error signaling object. */
struct plugin_list *plugins; /**< List of plug-ins. */
- bool plugins_owned; /**< Whether the plug-ins should be
- * cleaned up when this %context is
- * cleaned up. */
+ bool plugins_owned; /**< Whether the plug-ins should be
+ * cleaned up when this %context is
+ * cleaned up. */
- bool did_we_daemonize; /**< Whether demonization has already
- * taken place. */
+ bool did_we_daemonize; /**< Whether demonization has already
+ * taken place. */
struct context_persist persist;
/**< Persistent %context. */
- struct context_0 *c0; /**< Level 0 %context. */
- struct context_1 c1; /**< Level 1 %context. */
- struct context_2 c2; /**< Level 2 %context. */
+ struct context_0 *c0; /**< Level 0 %context. */
+ struct context_1 c1; /**< Level 1 %context. */
+ struct context_2 c2; /**< Level 2 %context. */
};
/*
* Check for a signal when inside an event loop
*/
-#define EVENT_LOOP_CHECK_SIGNAL(c, func, arg) \
- if (IS_SIG(c)) \
- { \
- const int brk = func(arg); \
- perf_pop(); \
- if (brk) { \
- break;} \
- else { \
- continue;} \
+#define EVENT_LOOP_CHECK_SIGNAL(c, func, arg) \
+ if (IS_SIG(c)) \
+ { \
+ const int brk = func(arg); \
+ perf_pop(); \
+ if (brk) \
+ { \
+ break; \
+ } \
+ else \
+ { \
+ continue; \
+ } \
}
/*
@@ -537,14 +540,15 @@
* have been compiled in.
*/
-#define TLS_MODE(c) ((c)->c2.tls_multi != NULL)
-#define PROTO_DUMP_FLAGS (check_debug_level(D_LINK_RW_VERBOSE) ? (PD_SHOW_DATA|PD_VERBOSE) : 0)
-#define PROTO_DUMP(buf, gc) protocol_dump((buf), \
- PROTO_DUMP_FLAGS \
- |(c->c2.tls_multi ? PD_TLS : 0) \
- |(c->options.tls_auth_file ? md_kt_size(c->c1.ks.key_type.digest) : 0) \
- |(c->options.tls_crypt_file || c->options.tls_crypt_v2_file ? PD_TLS_CRYPT : 0), \
- gc)
+#define TLS_MODE(c) ((c)->c2.tls_multi != NULL)
+#define PROTO_DUMP_FLAGS (check_debug_level(D_LINK_RW_VERBOSE) ? (PD_SHOW_DATA | PD_VERBOSE) : 0)
+#define PROTO_DUMP(buf, gc) \
+ protocol_dump( \
+ (buf), \
+ PROTO_DUMP_FLAGS | (c->c2.tls_multi ? PD_TLS : 0) \
+ | (c->options.tls_auth_file ? md_kt_size(c->c1.ks.key_type.digest) : 0) \
+ | (c->options.tls_crypt_file || c->options.tls_crypt_v2_file ? PD_TLS_CRYPT : 0), \
+ gc)
/* this represents "disabled peer-id" */
#define MAX_PEER_ID 0xFFFFFF
@@ -67,8 +67,7 @@
#include "memdbg.h"
#include "options_util.h"
-const char title_string[] =
- PACKAGE_STRING
+const char title_string[] = PACKAGE_STRING
#ifdef CONFIGURE_GIT_REVISION
" [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
#endif
@@ -114,7 +113,7 @@
#ifdef CONFIGURE_GIT_REVISION
" built on " __DATE__
#endif
-;
+ ;
#ifndef ENABLE_SMALL
@@ -698,7 +697,7 @@
" cache until token is removed.\n"
"--pkcs11-id-management : Acquire identity from management interface.\n"
"--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
-#endif /* ENABLE_PKCS11 */
+#endif /* ENABLE_PKCS11 */
"\n"
"SSL Library information:\n"
"--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
@@ -787,13 +786,13 @@
"--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
#endif
" --verb option can be added *BEFORE* this.\n"
-#endif /* ENABLE_PKCS11 */
+#endif /* ENABLE_PKCS11 */
"\n"
"General Standalone Options:\n"
#ifdef ENABLE_DEBUG
"--show-gateway [address]: Show info about gateway [to v4/v6 address].\n"
#endif
-;
+ ;
#endif /* !ENABLE_SMALL */
@@ -894,7 +893,7 @@
#endif
#ifdef ENABLE_PKCS11
o->pkcs11_pin_cache_period = -1;
-#endif /* ENABLE_PKCS11 */
+#endif /* ENABLE_PKCS11 */
/* P2MP server context features */
o->auth_token_generate = false;
@@ -909,7 +908,7 @@
/* Error out if we can't find a valid temporary directory, which should
* be very unlikely. */
msg(M_USAGE, "Could not find a suitable temporary directory."
- " (GetTempPath() failed). Consider using --tmp-dir");
+ " (GetTempPath() failed). Consider using --tmp-dir");
}
#else /* ifdef _WIN32 */
/* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
@@ -972,23 +971,19 @@
}
#define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
-#define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
-#define SHOW_STR_INLINE(var) SHOW_PARM(var, \
- o->var ## _inline ? "[INLINE]" : \
- (o->var ? o->var : "[UNDEF]"), \
- "'%s'")
-#define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
-#define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
-#define SHOW_INT64(var) SHOW_PARM(var, o->var, "%" PRIi64)
-#define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
-#define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
+#define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
+#define SHOW_STR_INLINE(var) \
+ SHOW_PARM(var, o->var##_inline ? "[INLINE]" : (o->var ? o->var : "[UNDEF]"), "'%s'")
+#define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
+#define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
+#define SHOW_INT64(var) SHOW_PARM(var, o->var, "%" PRIi64)
+#define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
+#define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
#endif /* ifndef ENABLE_SMALL */
static void
-setenv_connection_entry(struct env_set *es,
- const struct connection_entry *e,
- const int i)
+setenv_connection_entry(struct env_set *es, const struct connection_entry *e, const int i)
{
setenv_str_i(es, "remote", e->remote, i);
setenv_str_i(es, "remote_port", e->remote_port, i);
@@ -1006,9 +1001,7 @@
}
static void
-setenv_local_entry(struct env_set *es,
- const struct local_entry *e,
- const int i)
+setenv_local_entry(struct env_set *es, const struct local_entry *e, const int i)
{
setenv_str_i(es, "proto", proto2ascii(e->proto, AF_UNSPEC, false), i);
setenv_str_i(es, "local", e->local, i);
@@ -1030,7 +1023,7 @@
int i;
for (i = 0; i < o->connection_list->len; ++i)
{
- setenv_connection_entry(es, o->connection_list->array[i], i+1);
+ setenv_connection_entry(es, o->connection_list->array[i], i + 1);
}
}
else
@@ -1042,7 +1035,7 @@
{
for (int i = 0; i < o->ce.local_list->len; i++)
{
- setenv_local_entry(es, o->ce.local_list->array[i], i+1);
+ setenv_local_entry(es, o->ce.local_list->array[i], i + 1);
}
}
}
@@ -1087,12 +1080,12 @@
for (current = *list, prev = NULL; current != NULL; current = current->next)
{
char *tmp_value = NULL;
- if (!strncmp(current->string, "foreign_option_", sizeof("foreign_option_")-1))
+ if (!strncmp(current->string, "foreign_option_", sizeof("foreign_option_") - 1))
{
tmp_value = strchr(current->string, '=');
if (tmp_value && ++tmp_value)
{
- if (!strncmp(tmp_value, "dhcp-option ", sizeof("dhcp-option ")-1))
+ if (!strncmp(tmp_value, "dhcp-option ", sizeof("dhcp-option ") - 1))
{
if (prev)
{
@@ -1156,18 +1149,18 @@
}
static bool
-ipv6_addr_safe_hexplusbits( const char *ipv6_prefix_spec )
+ipv6_addr_safe_hexplusbits(const char *ipv6_prefix_spec)
{
struct in6_addr t_addr;
unsigned int t_bits;
- return get_ipv6_addr( ipv6_prefix_spec, &t_addr, &t_bits, M_WARN );
+ return get_ipv6_addr(ipv6_prefix_spec, &t_addr, &t_bits, M_WARN);
}
static char *
string_substitute(const char *src, int from, int to, struct gc_arena *gc)
{
- char *ret = (char *) gc_malloc(strlen(src) + 1, true, gc);
+ char *ret = (char *)gc_malloc(strlen(src) + 1, true, gc);
char *dest = ret;
char c;
@@ -1179,8 +1172,7 @@
c = to;
}
*dest++ = c;
- }
- while (c);
+ } while (c);
return ret;
}
@@ -1208,9 +1200,7 @@
while (*cp && i < nbytes)
{
/* valid segments consist of exactly two hex digits, then ':' or EOS */
- if (!isxdigit(cp[0])
- || !isxdigit(cp[1])
- || (cp[2] != ':' && cp[2] != '\0')
+ if (!isxdigit(cp[0]) || !isxdigit(cp[1]) || (cp[2] != ':' && cp[2] != '\0')
|| sscanf(cp, "%x", &byte) != 1)
{
msg(msglevel, "format error in hash fingerprint: %s", str);
@@ -1228,7 +1218,8 @@
}
if (i < nbytes)
{
- msg(msglevel, "hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes, i, str);
+ msg(msglevel, "hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes, i,
+ str);
}
else if (term != '\0')
{
@@ -1248,8 +1239,7 @@
* @param gc The returned list items will be allocated in this gc
*/
static struct verify_hash_list *
-parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel,
- struct gc_arena *gc)
+parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
{
struct gc_arena gc_temp = gc_new();
char *lines = string_alloc(str, &gc_temp);
@@ -1270,8 +1260,7 @@
continue;
}
- struct verify_hash_list *hash = parse_hash_fingerprint(line, nbytes,
- msglevel, gc);
+ struct verify_hash_list *hash = parse_hash_fingerprint(line, nbytes, msglevel, gc);
if (!hash)
{
@@ -1296,7 +1285,7 @@
int i;
for (i = 0; i < len; ++i)
{
- msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, array[i] );
+ msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, array[i]);
}
}
@@ -1307,10 +1296,7 @@
int i;
for (i = 0; i < len; ++i)
{
- msg(D_SHOW_PARMS, " %s[%d] = %s",
- name,
- i,
- print_in_addr_t(array[i], 0, &gc));
+ msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, print_in_addr_t(array[i], 0, &gc));
}
gc_free(&gc);
}
@@ -1356,14 +1342,13 @@
}
}
static void
-dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
+dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len,
+ int msglevel)
{
if (*len >= N_DHCP_ADDR)
{
- msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
- name,
- N_DHCP_ADDR,
- name);
+ msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified", name,
+ N_DHCP_ADDR, name);
}
else
{
@@ -1408,12 +1393,15 @@
msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
- msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc) );
+ msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc));
SHOW_INT(server_netbits_ipv6);
msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
- msg(D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t(o->server_bridge_netmask, 0, &gc));
- msg(D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t(o->server_bridge_pool_start, 0, &gc));
- msg(D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t(o->server_bridge_pool_end, 0, &gc));
+ msg(D_SHOW_PARMS, " server_bridge_netmask = %s",
+ print_in_addr_t(o->server_bridge_netmask, 0, &gc));
+ msg(D_SHOW_PARMS, " server_bridge_pool_start = %s",
+ print_in_addr_t(o->server_bridge_pool_start, 0, &gc));
+ msg(D_SHOW_PARMS, " server_bridge_pool_end = %s",
+ print_in_addr_t(o->server_bridge_pool_end, 0, &gc));
if (o->push_list.head)
{
const struct push_entry *e = o->push_list.head;
@@ -1427,13 +1415,16 @@
}
}
SHOW_BOOL(ifconfig_pool_defined);
- msg(D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t(o->ifconfig_pool_start, 0, &gc));
+ msg(D_SHOW_PARMS, " ifconfig_pool_start = %s",
+ print_in_addr_t(o->ifconfig_pool_start, 0, &gc));
msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
- msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc));
+ msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s",
+ print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc));
SHOW_STR(ifconfig_pool_persist_filename);
SHOW_INT(ifconfig_pool_persist_refresh_freq);
SHOW_BOOL(ifconfig_ipv6_pool_defined);
- msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc));
+ msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s",
+ print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc));
SHOW_INT(ifconfig_ipv6_pool_netbits);
SHOW_INT(n_bcast_buf);
SHOW_INT(tcp_queue_limit);
@@ -1447,11 +1438,15 @@
SHOW_BOOL(ccd_exclusive);
SHOW_STR(tmp_dir);
SHOW_BOOL(push_ifconfig_defined);
- msg(D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t(o->push_ifconfig_local, 0, &gc));
- msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc));
+ msg(D_SHOW_PARMS, " push_ifconfig_local = %s",
+ print_in_addr_t(o->push_ifconfig_local, 0, &gc));
+ msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s",
+ print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc));
SHOW_BOOL(push_ifconfig_ipv6_defined);
- msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits );
- msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc));
+ msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d",
+ print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits);
+ msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s",
+ print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc));
SHOW_BOOL(enable_c2c);
SHOW_BOOL(duplicate_cn);
SHOW_INT(cf_max);
@@ -1484,16 +1479,13 @@
#endif /* ! ENABLE_SMALL */
static void
-option_iroute(struct options *o,
- const char *network_str,
- const char *netmask_str,
- int msglevel)
+option_iroute(struct options *o, const char *network_str, const char *netmask_str, int msglevel)
{
struct iroute *ir;
ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
- ir->netbits = 32; /* host route if no netmask given */
+ ir->netbits = 32; /* host route if no netmask given */
if (netmask_str)
{
@@ -1502,8 +1494,7 @@
if (ir->netbits < 0)
{
- msg(msglevel, "in --iroute %s %s : Bad network/subnet specification",
- network_str,
+ msg(msglevel, "in --iroute %s %s : Bad network/subnet specification", network_str,
netmask_str);
return;
}
@@ -1514,18 +1505,15 @@
}
static void
-option_iroute_ipv6(struct options *o,
- const char *prefix_str,
- int msglevel)
+option_iroute_ipv6(struct options *o, const char *prefix_str, int msglevel)
{
struct iroute_ipv6 *ir;
ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
- if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel ))
+ if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel))
{
- msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
- prefix_str);
+ msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification", prefix_str);
return;
}
@@ -1548,17 +1536,16 @@
SHOW_BOOL(nocache);
SHOW_STR(http_version);
SHOW_STR(user_agent);
- for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
+ for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
{
if (o->custom_headers[i].content)
{
- msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i,
- o->custom_headers[i].name, o->custom_headers[i].content);
+ msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i, o->custom_headers[i].name,
+ o->custom_headers[i].content);
}
else
{
- msg(D_SHOW_PARMS, " custom_header[%d] = %s", i,
- o->custom_headers[i].name);
+ msg(D_SHOW_PARMS, " custom_header[%d] = %s", i, o->custom_headers[i].name);
}
}
msg(D_SHOW_PARMS, "END http_proxy");
@@ -1615,7 +1602,8 @@
for (int i = 0; i < o->local_list->len; i++)
{
msg(D_SHOW_PARMS, " [%s]:%s-%s", o->local_list->array[i]->local,
- o->local_list->array[i]->port, proto2ascii(o->local_list->array[i]->proto, o->af, false));
+ o->local_list->array[i]->port,
+ proto2ascii(o->local_list->array[i]->proto, o->af, false));
}
SHOW_STR(remote);
SHOW_STR(remote_port);
@@ -1652,8 +1640,7 @@
SHOW_INT(explicit_exit_notification);
SHOW_STR_INLINE(tls_auth_file);
- SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true),
- "%s");
+ SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
SHOW_STR_INLINE(tls_crypt_file);
SHOW_STR_INLINE(tls_crypt_v2_file);
}
@@ -1908,7 +1895,7 @@
SHOW_INT(ns_cert_type);
{
int i;
- for (i = 0; i<MAX_PARMS; i++)
+ for (i = 0; i < MAX_PARMS; i++)
{
SHOW_INT(remote_cert_ku[i]);
}
@@ -1920,12 +1907,11 @@
SHOW_INT(verify_hash_depth);
struct gc_arena gc = gc_new();
struct verify_hash_list *hl = o->verify_hash;
- int digest_len = (o->verify_hash_algo == MD_SHA1) ? SHA_DIGEST_LENGTH :
- SHA256_DIGEST_LENGTH;
+ int digest_len =
+ (o->verify_hash_algo == MD_SHA1) ? SHA_DIGEST_LENGTH : SHA256_DIGEST_LENGTH;
while (hl)
{
- char *s = format_hex_ex(hl->hash, digest_len, 0,
- 1, ":", &gc);
+ char *s = format_hex_ex(hl->hash, digest_len, 0, 1, ":", &gc);
SHOW_PARM(verify_hash, s, "%s");
hl = hl->next;
}
@@ -1951,36 +1937,38 @@
#ifdef ENABLE_PKCS11
{
int i;
- for (i = 0; i<MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
+ for (i = 0; i < MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
{
SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
}
}
{
int i;
- for (i = 0; i<MAX_PARMS; i++)
+ for (i = 0; i < MAX_PARMS; i++)
{
- SHOW_PARM(pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
+ SHOW_PARM(pkcs11_protected_authentication,
+ o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
}
}
{
int i;
- for (i = 0; i<MAX_PARMS; i++)
+ for (i = 0; i < MAX_PARMS; i++)
{
SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
}
}
{
int i;
- for (i = 0; i<MAX_PARMS; i++)
+ for (i = 0; i < MAX_PARMS; i++)
{
- SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
+ SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED",
+ "%s");
}
}
SHOW_INT(pkcs11_pin_cache_period);
SHOW_STR(pkcs11_id);
SHOW_BOOL(pkcs11_id_management);
-#endif /* ENABLE_PKCS11 */
+#endif /* ENABLE_PKCS11 */
show_p2mp_parms(o);
@@ -2001,9 +1989,7 @@
#ifdef ENABLE_MANAGEMENT
static struct http_proxy_options *
-parse_http_proxy_override(const char *server,
- const char *port,
- const char *flags,
+parse_http_proxy_override(const char *server, const char *port, const char *flags,
struct gc_arena *gc)
{
if (server && port)
@@ -2058,7 +2044,8 @@
}
else
{
- msg(M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
+ msg(M_WARN,
+ "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
}
}
@@ -2075,8 +2062,7 @@
}
static struct local_entry *
-alloc_local_entry(struct connection_entry *ce, const int msglevel,
- struct gc_arena *gc)
+alloc_local_entry(struct connection_entry *ce, const int msglevel, struct gc_arena *gc)
{
struct local_list *l = alloc_local_list_if_undef(ce, gc);
struct local_entry *e;
@@ -2089,7 +2075,9 @@
struct local_entry **new_array = gc_realloc(l->array, new_cap * elem_size, gc);
if (!new_array)
{
- msg(msglevel, "Unable to process more local options: out of memory. Number of entries = %d", l->len);
+ msg(msglevel,
+ "Unable to process more local options: out of memory. Number of entries = %d",
+ l->len);
return NULL;
}
@@ -2123,10 +2111,13 @@
if (l->len == l->capacity)
{
int capacity = l->capacity + CONNECTION_LIST_SIZE;
- struct connection_entry **ce = gc_realloc(l->array, capacity*sizeof(struct connection_entry *), &options->gc);
+ struct connection_entry **ce =
+ gc_realloc(l->array, capacity * sizeof(struct connection_entry *), &options->gc);
if (ce == NULL)
{
- msg(msglevel, "Unable to process more connection options: out of memory. Number of entries = %d", l->len);
+ msg(msglevel,
+ "Unable to process more connection options: out of memory. Number of entries = %d",
+ l->len);
return NULL;
}
l->array = ce;
@@ -2156,10 +2147,13 @@
if (l->len == l->capacity)
{
int capacity = l->capacity + CONNECTION_LIST_SIZE;
- struct remote_entry **re = gc_realloc(l->array, capacity*sizeof(struct remote_entry *), &options->gc);
+ struct remote_entry **re =
+ gc_realloc(l->array, capacity * sizeof(struct remote_entry *), &options->gc);
if (re == NULL)
{
- msg(msglevel, "Unable to process more remote options: out of memory. Number of entries = %d", l->len);
+ msg(msglevel,
+ "Unable to process more remote options: out of memory. Number of entries = %d",
+ l->len);
return NULL;
}
l->array = re;
@@ -2223,8 +2217,7 @@
}
static void
-connection_entry_preload_key(const char **key_file, bool *key_inline,
- struct gc_arena *gc)
+connection_entry_preload_key(const char **key_file, bool *key_inline, struct gc_arena *gc)
{
if (key_file && *key_file && !(*key_inline))
{
@@ -2234,7 +2227,7 @@
msg(M_FATAL, "Cannot pre-load keyfile (%s)", *key_file);
}
- *key_file = (const char *) in.data;
+ *key_file = (const char *)in.data;
*key_inline = true;
}
}
@@ -2249,13 +2242,11 @@
}
#endif
- if (options->verify_hash_no_ca
- || options->pkcs12_file
- || options->ca_file
+ if (options->verify_hash_no_ca || options->pkcs12_file || options->ca_file
#ifndef ENABLE_CRYPTO_MBEDTLS
|| options->ca_path
#endif
- )
+ )
{
return;
}
@@ -2268,14 +2259,19 @@
msg(M_USAGE, "%s", str);
}
-#define MUST_BE_UNDEF(parm, parm_name) \
- if (options->parm != defaults.parm) { msg(M_USAGE, use_err, parm_name); }
+#define MUST_BE_UNDEF(parm, parm_name) \
+ if (options->parm != defaults.parm) \
+ { \
+ msg(M_USAGE, use_err, parm_name); \
+ }
#define MUST_BE_FALSE(condition, parm_name) \
- if (condition) { msg(M_USAGE, use_err, parm_name); }
+ if (condition) \
+ { \
+ msg(M_USAGE, use_err, parm_name); \
+ }
static void
-options_postprocess_verify_ce(const struct options *options,
- const struct connection_entry *ce)
+options_postprocess_verify_ce(const struct options *options, const struct connection_entry *ce)
{
struct options defaults;
int dev = DEV_TYPE_UNDEF;
@@ -2303,9 +2299,8 @@
*/
if (ce->proto == PROTO_TCP)
{
- msg(M_USAGE,
- "--proto tcp is ambiguous in this context. Please specify "
- "--proto tcp-server or --proto tcp-client");
+ msg(M_USAGE, "--proto tcp is ambiguous in this context. Please specify "
+ "--proto tcp-server or --proto tcp-client");
}
/*
@@ -2345,16 +2340,13 @@
if (string_defined_equal(ce->remote, options->ifconfig_local)
|| string_defined_equal(ce->remote, options->ifconfig_remote_netmask))
{
- msg(M_USAGE,
- "--local and --remote addresses must be distinct from --ifconfig "
- "addresses");
+ msg(M_USAGE, "--local and --remote addresses must be distinct from --ifconfig "
+ "addresses");
}
- if (string_defined_equal(options->ifconfig_local,
- options->ifconfig_remote_netmask))
+ if (string_defined_equal(options->ifconfig_local, options->ifconfig_remote_netmask))
{
- msg(M_USAGE,
- "local and remote/netmask --ifconfig addresses must be different");
+ msg(M_USAGE, "local and remote/netmask --ifconfig addresses must be different");
}
if (ce->bind_defined && !ce->bind_local)
@@ -2364,8 +2356,7 @@
if (ce->local_port_defined && !ce->bind_local)
{
- msg(M_USAGE,
- "--lport and --nobind don't make sense when used together");
+ msg(M_USAGE, "--lport and --nobind don't make sense when used together");
}
if (!ce->remote && !ce->bind_local)
@@ -2377,8 +2368,7 @@
{
struct local_entry *le = ce->local_list->array[i];
- if (proto_is_net(le->proto)
- && string_defined_equal(le->local, ce->remote)
+ if (proto_is_net(le->proto) && string_defined_equal(le->local, ce->remote)
&& string_defined_equal(le->port, ce->remote_port))
{
msg(M_USAGE, "--remote and one of the --local addresses are the same");
@@ -2404,7 +2394,8 @@
&& (options->management_flags
|| options->management_log_history_cache != defaults.management_log_history_cache))
{
- msg(M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
+ msg(M_USAGE,
+ "--management is not specified, however one or more options which modify the behavior of --management were specified");
}
if ((options->management_client_user || options->management_client_group)
@@ -2413,24 +2404,21 @@
msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
}
- if (options->management_addr
- && !(options->management_flags & MF_UNIX_SOCK)
+ if (options->management_addr && !(options->management_flags & MF_UNIX_SOCK)
&& (!options->management_user_pass))
{
msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
- "passwords is STRONGLY discouraged and considered insecure");
+ "passwords is STRONGLY discouraged and considered insecure");
}
#endif /* ifdef ENABLE_MANAGEMENT */
#if !defined(HAVE_XKEY_PROVIDER)
- if ((tls_version_max() >= TLS_VER_1_3)
- && (options->management_flags & MF_EXTERNAL_KEY)
- && !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING))
- )
+ if ((tls_version_max() >= TLS_VER_1_3) && (options->management_flags & MF_EXTERNAL_KEY)
+ && !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING)))
{
msg(M_FATAL, "management-external-key with TLS 1.3 or later requires "
- "nopadding argument/support");
+ "nopadding argument/support");
}
#endif
/*
@@ -2438,7 +2426,8 @@
*/
#ifdef _WIN32
- if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
+ if (dev == DEV_TYPE_TUN
+ && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
{
msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
}
@@ -2454,14 +2443,13 @@
const char *prefix = "Some --dhcp-option or --dns options require DHCP server";
if (options->windows_driver != WINDOWS_DRIVER_TAP_WINDOWS6)
{
- msg(M_USAGE, "%s, which is not supported by the selected %s driver",
- prefix, print_tun_backend_driver(options->windows_driver));
+ msg(M_USAGE, "%s, which is not supported by the selected %s driver", prefix,
+ print_tun_backend_driver(options->windows_driver));
}
else if (options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
&& options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
{
- msg(M_USAGE, "%s, which requires --ip-win32 dynamic or adaptive",
- prefix);
+ msg(M_USAGE, "%s, which requires --ip-win32 dynamic or adaptive", prefix);
}
}
#endif /* ifdef _WIN32 */
@@ -2484,21 +2472,18 @@
if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
{
- msg(M_USAGE,
- "--http-proxy MUST be used in TCP Client mode (i.e. --proto "
- "tcp-client)");
+ msg(M_USAGE, "--http-proxy MUST be used in TCP Client mode (i.e. --proto "
+ "tcp-client)");
}
if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
{
- msg(M_USAGE,
- "--http-proxy not specified but other http proxy options present");
+ msg(M_USAGE, "--http-proxy not specified but other http proxy options present");
}
if (ce->http_proxy_options && ce->socks_proxy_server)
{
- msg(M_USAGE,
- "--http-proxy can not be used together with --socks-proxy");
+ msg(M_USAGE, "--http-proxy can not be used together with --socks-proxy");
}
if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
@@ -2518,7 +2503,8 @@
{
const char use_err[] = "--%s cannot be used with --mode server.";
-#define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \
+#define USAGE_VALID_SERVER_PROTOS \
+ "--mode server currently only supports " \
"--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
#ifdef TARGET_ANDROID
msg(M_FATAL, "--mode server not supported on Android");
@@ -2541,7 +2527,7 @@
&& (ce->proto != PROTO_TCP_SERVER))
{
msg(M_USAGE, "--port-share only works in TCP server mode "
- "(--proto values of tcp-server, tcp4-server, or tcp6-server)");
+ "(--proto values of tcp-server, tcp4-server, or tcp6-server)");
}
#endif
if (!options->tls_server)
@@ -2555,8 +2541,7 @@
/* <connection> blocks force to have a remote embedded, so we check
* for the --remote and bail out if it is present
*/
- if (options->connection_list->len >1
- || options->connection_list->array[0]->remote)
+ if (options->connection_list->len > 1 || options->connection_list->array[0]->remote)
{
msg(M_USAGE, "<connection> cannot be used with --mode server");
}
@@ -2564,9 +2549,8 @@
MUST_BE_UNDEF(shaper, "shaper");
if (options->ipchange)
{
- msg(M_USAGE,
- "--ipchange cannot be used with --mode server (use "
- "--client-connect instead)");
+ msg(M_USAGE, "--ipchange cannot be used with --mode server (use "
+ "--client-connect instead)");
}
if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
{
@@ -2574,20 +2558,23 @@
}
if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
{
- msg(M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
+ msg(M_USAGE,
+ "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
}
- if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
+ if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET))
+ && options->ifconfig_pool_netmask)
{
- msg(M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
+ msg(M_USAGE,
+ "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
}
if (options->routes && (options->routes->flags & RG_ENABLE))
{
- msg(M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
+ msg(M_USAGE,
+ "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
}
MUST_BE_UNDEF(route_delay_defined, "route-delay");
MUST_BE_UNDEF(up_delay, "up-delay");
- if (!options->ifconfig_pool_defined
- && !options->ifconfig_ipv6_pool_defined
+ if (!options->ifconfig_pool_defined && !options->ifconfig_ipv6_pool_defined
&& options->ifconfig_pool_persist_filename)
{
msg(M_USAGE,
@@ -2600,7 +2587,8 @@
MUST_BE_UNDEF(allow_recursive_routing, "allow-recursive-routing");
if (options->auth_user_pass_file)
{
- msg(M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
+ msg(M_USAGE,
+ "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
}
if (options->ccd_exclusive && !options->client_config_dir)
{
@@ -2609,24 +2597,24 @@
if (options->auth_token_generate && !options->renegotiate_seconds)
{
msg(M_USAGE, "--auth-gen-token needs a non-infinite "
- "--renegotiate_seconds setting");
+ "--renegotiate_seconds setting");
}
if (options->auth_token_generate && options->auth_token_renewal
&& options->auth_token_renewal < 2 * options->handshake_window)
{
- msg(M_USAGE, "--auth-gen-token renewal time needs to be at least "
+ msg(M_USAGE,
+ "--auth-gen-token renewal time needs to be at least "
" two times --hand-window (%d).",
options->handshake_window);
-
}
- if (!options->auth_user_pass_verify_script
- && !PLUGIN_OPTION_LIST(options)
+ if (!options->auth_user_pass_verify_script && !PLUGIN_OPTION_LIST(options)
&& !MAN_CLIENT_AUTH_ENABLED(options))
{
- const char *use_err = "--%s must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
+ const char *use_err =
+ "--%s must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
MUST_BE_FALSE(options->ssl_flags
- & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL),
+ & (SSLF_CLIENT_CERT_NOT_REQUIRED | SSLF_CLIENT_CERT_OPTIONAL),
"verify-client-cert none|optional");
MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME,
"username-as-common-name");
@@ -2668,7 +2656,7 @@
MUST_BE_UNDEF(cf_max, "connect-freq");
MUST_BE_UNDEF(cf_per, "connect-freq");
MUST_BE_FALSE(options->ssl_flags
- & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL),
+ & (SSLF_CLIENT_CERT_NOT_REQUIRED | SSLF_CLIENT_CERT_OPTIONAL),
"verify-client-cert");
MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME, "username-as-common-name");
MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL, "auth-user-pass-optional");
@@ -2676,15 +2664,16 @@
if (options->server_flags & SF_TCP_NODELAY_HELPER)
{
msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
- "affect the server. To have TCP_NODELAY in both direction use "
- "tcp-nodelay in the server configuration instead.");
+ "affect the server. To have TCP_NODELAY in both direction use "
+ "tcp-nodelay in the server configuration instead.");
}
MUST_BE_UNDEF(auth_user_pass_verify_script, "auth-user-pass-verify");
MUST_BE_UNDEF(auth_token_generate, "auth-gen-token");
#if PORT_SHARE
if (options->port_share_host || options->port_share_port)
{
- msg(M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
+ msg(M_USAGE,
+ "--port-share requires TCP server mode (--mode server --proto tcp-server)");
}
#endif
MUST_BE_UNDEF(stale_routes_check_interval, "stale-routes-check");
@@ -2697,8 +2686,7 @@
/*
* SSL/TLS mode sanity checks.
*/
- if (options->tls_server + options->tls_client
- + (options->shared_secret_file != NULL) > 1)
+ if (options->tls_server + options->tls_client + (options->shared_secret_file != NULL) > 1)
{
msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
}
@@ -2712,29 +2700,26 @@
}
msg(msglevel, "DEPRECATION: No tls-client or tls-server option in "
- "configuration detected. OpenVPN 2.8 will remove the "
- "functionality to run a VPN without TLS. "
- "See the examples section in the manual page for "
- "examples of a similar quick setup with peer-fingerprint. "
- "OpenVPN 2.7 allows using this configuration when using "
- "--allow-deprecated-insecure-static-crypto but you should move "
- "to a proper configuration using TLS as soon as possible."
- );
+ "configuration detected. OpenVPN 2.8 will remove the "
+ "functionality to run a VPN without TLS. "
+ "See the examples section in the manual page for "
+ "examples of a similar quick setup with peer-fingerprint. "
+ "OpenVPN 2.7 allows using this configuration when using "
+ "--allow-deprecated-insecure-static-crypto but you should move "
+ "to a proper configuration using TLS as soon as possible.");
}
- if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
+ if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED | SSLF_CLIENT_CERT_OPTIONAL))
{
msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
- "--verify-client-cert none|optional "
- "may accept clients which do not present a certificate");
+ "--verify-client-cert none|optional "
+ "may accept clients which do not present a certificate");
}
const int tls_version_max =
- (options->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
- & SSLF_TLS_VERSION_MAX_MASK;
+ (options->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;
const int tls_version_min =
- (options->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
- & SSLF_TLS_VERSION_MIN_MASK;
+ (options->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK;
if (tls_version_max > 0 && tls_version_max < tls_version_min)
{
@@ -2751,20 +2736,24 @@
}
else if (!options->pkcs11_providers[0] && options->pkcs11_id_management)
{
- msg(M_WARN, "Option pkcs11-id-management is ignored as no pkcs11-providers are specified");
+ msg(M_WARN,
+ "Option pkcs11-id-management is ignored as no pkcs11-providers are specified");
}
if (options->pkcs11_providers[0])
{
if (options->pkcs11_id_management && options->pkcs11_id != NULL)
{
- msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
+ msg(M_USAGE,
+ "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
}
if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
{
- msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
+ msg(M_USAGE,
+ "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
}
- const char use_err[] = "Parameter --%s cannot be used when --pkcs11-provider is also specified.";
+ const char use_err[] =
+ "Parameter --%s cannot be used when --pkcs11-provider is also specified.";
MUST_BE_UNDEF(cert_file, "cert");
MUST_BE_UNDEF(priv_key_file, "key");
MUST_BE_UNDEF(pkcs12_file, "pkcs12");
@@ -2777,9 +2766,10 @@
else
#endif /* ifdef ENABLE_PKCS11 */
#ifdef ENABLE_CRYPTOAPI
- if (options->cryptoapi_cert)
+ if (options->cryptoapi_cert)
{
- const char use_err[] = "Parameter --%s cannot be used when --cryptoapicert is also specified.";
+ const char use_err[] =
+ "Parameter --%s cannot be used when --cryptoapicert is also specified.";
MUST_BE_UNDEF(cert_file, "cert");
MUST_BE_UNDEF(priv_key_file, "key");
MUST_BE_UNDEF(pkcs12_file, "pkcs12");
@@ -2788,7 +2778,7 @@
}
else
#endif
- if (options->pkcs12_file)
+ if (options->pkcs12_file)
{
#ifdef ENABLE_CRYPTO_MBEDTLS
msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version of OpenVPN.");
@@ -2799,7 +2789,7 @@
MUST_BE_UNDEF(priv_key_file, "key");
MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key");
MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert");
-#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
+#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
}
else /* cert/key from none of pkcs11, pkcs12, cryptoapi */
{
@@ -2815,24 +2805,25 @@
}
else if (!(options->management_flags & MF_EXTERNAL_KEY))
{
- msg(M_USAGE, "--management-external-cert must be used with --management-external-key");
+ msg(M_USAGE,
+ "--management-external-cert must be used with --management-external-key");
}
}
if (pull)
{
-
const int sum =
((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT))
- + ((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
+ + ((options->priv_key_file != NULL)
+ || (options->management_flags & MF_EXTERNAL_KEY));
if (sum == 0)
{
if (!options->auth_user_pass_file)
{
msg(M_USAGE, "No client-side authentication method is "
- "specified. You must use either "
- "--cert/--key, --pkcs12, or "
- "--auth-user-pass");
+ "specified. You must use either "
+ "--cert/--key, --pkcs12, or "
+ "--auth-user-pass");
}
}
else if (sum != 2)
@@ -2844,11 +2835,13 @@
{
if (!(options->management_flags & MF_EXTERNAL_CERT))
{
- notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
+ notnull(options->cert_file,
+ "certificate file (--cert) or PKCS#12 file (--pkcs12)");
}
if (!(options->management_flags & MF_EXTERNAL_KEY))
{
- notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
+ notnull(options->priv_key_file,
+ "private key file (--key) or PKCS#12 file (--pkcs12)");
}
}
}
@@ -2859,7 +2852,8 @@
if (options->tls_client && ce->tls_crypt_v2_file
&& (ce->tls_auth_file || ce->tls_crypt_file))
{
- msg(M_USAGE, "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode");
+ msg(M_USAGE,
+ "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode");
}
}
else
@@ -2988,12 +2982,12 @@
if (ce->af == AF_INET6)
{
msg(M_INFO, "WARNING: '--proto udp6' is not compatible with "
- "'--socks-proxy' today. Forcing IPv4 mode." );
+ "'--socks-proxy' today. Forcing IPv4 mode.");
}
else
{
msg(M_INFO, "NOTICE: dual-stack mode for '--proto udp' does not "
- "work correctly with '--socks-proxy' today. Forcing IPv4." );
+ "work correctly with '--socks-proxy' today. Forcing IPv4.");
}
ce->af = AF_INET;
}
@@ -3027,7 +3021,7 @@
}
else
#endif
- if (ce->tun_mtu_defined)
+ if (ce->tun_mtu_defined)
{
if (o->ce.tun_mtu == TUN_MTU_DEFAULT)
{
@@ -3070,12 +3064,9 @@
/* Pre-cache tls-auth/crypt(-v2) key file if
* keys were not already embedded in the config file.
*/
- connection_entry_preload_key(&ce->tls_auth_file,
- &ce->tls_auth_file_inline, &o->gc);
- connection_entry_preload_key(&ce->tls_crypt_file,
- &ce->tls_crypt_file_inline, &o->gc);
- connection_entry_preload_key(&ce->tls_crypt_v2_file,
- &ce->tls_crypt_v2_file_inline, &o->gc);
+ connection_entry_preload_key(&ce->tls_auth_file, &ce->tls_auth_file_inline, &o->gc);
+ connection_entry_preload_key(&ce->tls_crypt_file, &ce->tls_crypt_file_inline, &o->gc);
+ connection_entry_preload_key(&ce->tls_crypt_v2_file, &ce->tls_crypt_v2_file_inline, &o->gc);
if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)
@@ -3106,10 +3097,8 @@
static void
remap_redirect_gateway_flags(struct options *opt)
{
- if (opt->routes
- && opt->route_method == ROUTE_METHOD_SERVICE
- && opt->routes->flags & RG_REROUTE_GW
- && !(opt->routes->flags & RG_DEF1))
+ if (opt->routes && opt->route_method == ROUTE_METHOD_SERVICE
+ && opt->routes->flags & RG_REROUTE_GW && !(opt->routes->flags & RG_DEF1))
{
msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
opt->routes->flags |= RG_DEF1;
@@ -3288,8 +3277,7 @@
/* If p11-kit is present on the system then load its p11-kit-proxy.so
* by default if the user asks for PKCS#11 without otherwise specifying
* the module to use. */
- if (!options->pkcs11_providers[0]
- && (options->pkcs11_id || options->pkcs11_id_management))
+ if (!options->pkcs11_providers[0] && (options->pkcs11_id || options->pkcs11_id_management))
{
options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
}
@@ -3317,8 +3305,8 @@
if (dco_enabled(o) && o->enable_c2c)
{
msg(M_WARN, "Note: --client-to-client has no effect when using data "
- "channel offload: packets are always sent to the VPN "
- "interface and then routed based on the system routing table");
+ "channel offload: packets are always sent to the VPN "
+ "interface and then routed based on the system routing table");
}
}
@@ -3348,17 +3336,19 @@
* parts of OpenVPN assert that the ciphername is set */
o->ciphername = "BF-CBC";
- msg(M_INFO, "Note: --cipher is not set. OpenVPN versions before 2.5 "
+ msg(M_INFO,
+ "Note: --cipher is not set. OpenVPN versions before 2.5 "
"defaulted to BF-CBC as fallback when cipher negotiation "
"failed in this case. If you need this fallback please add "
"'--data-ciphers-fallback BF-CBC' to your configuration "
"and/or add BF-CBC to --data-ciphers. E.g. "
- "--data-ciphers %s:BF-CBC", o->ncp_ciphers_conf);
+ "--data-ciphers %s:BF-CBC",
+ o->ncp_ciphers_conf);
}
- else if (!o->enable_ncp_fallback
- && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
+ else if (!o->enable_ncp_fallback && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
{
- msg(M_WARN, "DEPRECATED OPTION: --cipher set to '%s' but missing in "
+ msg(M_WARN,
+ "DEPRECATED OPTION: --cipher set to '%s' but missing in "
"--data-ciphers (%s). OpenVPN ignores --cipher for cipher "
"negotiations. ",
o->ciphername, o->ncp_ciphers_conf);
@@ -3394,12 +3384,10 @@
options_set_backwards_compatible_options(struct options *o)
{
/* TLS min version is not set */
- int tls_ver_min = (o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
- & SSLF_TLS_VERSION_MIN_MASK;
+ int tls_ver_min = (o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK;
if (tls_ver_min == 0)
{
- int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
- & SSLF_TLS_VERSION_MAX_MASK;
+ int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;
if (need_compatibility_before(o, 20307))
{
/* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */
@@ -3455,7 +3443,7 @@
o->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY;
}
}
-#else /* ifdef USE_COMP */
+#else /* ifdef USE_COMP */
o->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY;
#endif
}
@@ -3466,17 +3454,16 @@
if (!check_tls_prf_working())
{
msg(D_TLS_ERRORS, "Warning: TLS 1.0 PRF with MD5+SHA1 PRF is not "
- "supported by the TLS library. Your system does not support this "
- "calculation anymore or your security policy (e.g. FIPS 140-2) "
- "forbids it. Connections will only work with peers running "
- "OpenVPN 2.6.0 or higher)");
+ "supported by the TLS library. Your system does not support this "
+ "calculation anymore or your security policy (e.g. FIPS 140-2) "
+ "forbids it. Connections will only work with peers running "
+ "OpenVPN 2.6.0 or higher)");
if (o->mode == MODE_SERVER)
{
msg(M_WARN, "Automatically enabling option "
- "--force-tls-key-material-export");
+ "--force-tls-key-material-export");
o->force_key_material_export = true;
}
-
}
}
@@ -3521,9 +3508,9 @@
#if defined(_WIN32)
if (tt->ip_win32_type != IPW32_SET_DHCP_MASQ && tt->ip_win32_type != IPW32_SET_ADAPTIVE)
{
- return; /* Not in DHCP mode */
+ return; /* Not in DHCP mode */
}
-#endif /* if defined(_WIN32) */
+#endif /* if defined(_WIN32) */
/* Copy --dns options to tuntap_options */
@@ -3559,8 +3546,7 @@
}
}
if ((s->transport && s->transport != DNS_TRANSPORT_PLAIN)
- || (s->dnssec && s->dnssec != DNS_SECURITY_NO)
- || non_standard_server_port)
+ || (s->dnssec && s->dnssec != DNS_SECURITY_NO) || non_standard_server_port)
{
/* Skip servers requiring unsupported config to be set */
s = s->next;
@@ -3593,7 +3579,7 @@
}
}
-#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
+#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
/**
* @brief Postprocess DNS related settings
@@ -3715,8 +3701,7 @@
}
}
if ((s->transport && s->transport != DNS_TRANSPORT_PLAIN)
- || (s->dnssec && s->dnssec != DNS_SECURITY_NO)
- || non_standard_server_port)
+ || (s->dnssec && s->dnssec != DNS_SECURITY_NO) || non_standard_server_port)
{
/* Skip servers requiring unsupported config to be set */
s = s->next;
@@ -3852,7 +3837,7 @@
{
/* DH file is only meaningful in a tls-server context. */
msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
- "include this in your server configuration");
+ "include this in your server configuration");
o->dh_file = NULL;
}
#if ENABLE_MANAGEMENT
@@ -3861,25 +3846,23 @@
options_postprocess_http_proxy_override(o);
}
#endif
- if (!o->ca_file && !o->ca_path && o->verify_hash
- && o->verify_hash_depth == 0)
+ if (!o->ca_file && !o->ca_path && o->verify_hash && o->verify_hash_depth == 0)
{
msg(M_INFO, "Using certificate fingerprint to verify peer (no CA "
- "option set). ");
+ "option set). ");
o->verify_hash_no_ca = true;
}
if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP)
{
msg(M_USAGE, "Options 'config stdin' and 'remap-usr1 SIGHUP' are "
- "incompatible with each other.");
+ "incompatible with each other.");
}
if (dco_enabled(o))
{
/* check if any option should force disabling DCO */
- o->disable_dco = !dco_check_option(D_DCO, o)
- || !dco_check_startup_option(D_DCO, o);
+ o->disable_dco = !dco_check_option(D_DCO, o) || !dco_check_startup_option(D_DCO, o);
}
#ifdef USE_COMP
if (dco_enabled(o))
@@ -3897,7 +3880,8 @@
{
if (o->windows_driver == DRIVER_DCO)
{
- msg(M_WARN, "Option --windows-driver ovpn-dco is ignored because Data Channel Offload is disabled");
+ msg(M_WARN,
+ "Option --windows-driver ovpn-dco is ignored because Data Channel Offload is disabled");
o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
}
else if (o->windows_driver == WINDOWS_DRIVER_UNSPECIFIED)
@@ -3909,7 +3893,7 @@
if (dco_enabled(o) && o->dev_node)
{
msg(M_WARN, "Note: ignoring --dev-node as it has no effect when using "
- "data channel offload");
+ "data channel offload");
o->dev_node = NULL;
}
#endif /* _WIN32 */
@@ -3947,14 +3931,14 @@
* Check file/directory sanity
*
*/
-#ifndef ENABLE_SMALL /* Expect people using the stripped down version to know what they do */
+#ifndef ENABLE_SMALL /* Expect people using the stripped down version to know what they do */
-#define CHKACC_FILE (1<<0) /**< Check for a file/directory presence */
-#define CHKACC_DIRPATH (1<<1) /**< Check for directory presence where a file should reside */
-#define CHKACC_FILEXSTWR (1<<2) /**< If file exists, is it writable? */
-#define CHKACC_ACPTSTDIN (1<<3) /**< If filename is stdin, it's allowed and "exists" */
-#define CHKACC_PRIVATE (1<<4) /**< Warn if this (private) file is group/others accessible */
-#define CHKACC_ACCEPT_URI (1<<5) /**< Do not check URIs, unless they start with file: */
+#define CHKACC_FILE (1 << 0) /**< Check for a file/directory presence */
+#define CHKACC_DIRPATH (1 << 1) /**< Check for directory presence where a file should reside */
+#define CHKACC_FILEXSTWR (1 << 2) /**< If file exists, is it writable? */
+#define CHKACC_ACPTSTDIN (1 << 3) /**< If filename is stdin, it's allowed and "exists" */
+#define CHKACC_PRIVATE (1 << 4) /**< Warn if this (private) file is group/others accessible */
+#define CHKACC_ACCEPT_URI (1 << 5) /**< Do not check URIs, unless they start with file: */
static bool
check_file_access(const int type, const char *file, const int mode, const char *opt)
@@ -3970,7 +3954,7 @@
/* If stdin is allowed and the file name is 'stdin', then do no
* further checks as stdin is always available
*/
- if ( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") )
+ if ((type & CHKACC_ACPTSTDIN) && streq(file, "stdin"))
{
return false;
}
@@ -3993,10 +3977,11 @@
/* Is the directory path leading to the given file accessible? */
if (type & CHKACC_DIRPATH)
{
- char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementation may modify its arguments */
+ char *fullpath =
+ string_alloc(file, NULL); /* POSIX dirname() implementation may modify its arguments */
char *dirpath = dirname(fullpath);
- if (platform_access(dirpath, mode|X_OK) != 0)
+ if (platform_access(dirpath, mode | X_OK) != 0)
{
errcode = errno;
}
@@ -4004,13 +3989,13 @@
}
/* Is the file itself accessible? */
- if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0) )
+ if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0))
{
errcode = errno;
}
/* If the file exists and is accessible, is it writable? */
- if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0) )
+ if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0))
{
if (platform_access(file, W_OK) != 0)
{
@@ -4029,7 +4014,7 @@
#ifndef _WIN32
else
{
- if (st.st_mode & (S_IRWXG|S_IRWXO))
+ if (st.st_mode & (S_IRWXG | S_IRWXO))
{
msg(M_WARN, "WARNING: file '%s' is group or others accessible", file);
}
@@ -4052,7 +4037,8 @@
* otherwise it will look for the file inside the given chroot directory instead.
*/
static bool
-check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
+check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode,
+ const char *opt)
{
bool ret = false;
@@ -4085,9 +4071,8 @@
* the file is inline (and therefore there is no access to check)
*/
static bool
-check_file_access_chroot_inline(bool is_inline, const char *chroot,
- const int type, const char *file,
- const int mode, const char *opt)
+check_file_access_chroot_inline(bool is_inline, const char *chroot, const int type,
+ const char *file, const int mode, const char *opt)
{
if (is_inline)
{
@@ -4102,8 +4087,8 @@
* is inline (and therefore there is no access to check)
*/
static bool
-check_file_access_inline(bool is_inline, const int type, const char *file,
- const int mode, const char *opt)
+check_file_access_inline(bool is_inline, const int type, const char *file, const int mode,
+ const char *opt)
{
if (is_inline)
{
@@ -4156,8 +4141,7 @@
}
else
{
- msg(M_NOPREFIX|M_OPTERR, "%s fails with '%s': No path to executable.",
- opt, command);
+ msg(M_NOPREFIX | M_OPTERR, "%s fails with '%s': No path to executable.", opt, command);
return_code = true;
}
@@ -4176,55 +4160,51 @@
bool errs = false;
/* ** SSL/TLS/crypto related files ** */
- errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE,
- options->dh_file, R_OK, "--dh");
+ errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE, options->dh_file, R_OK,
+ "--dh");
if (!options->verify_hash_no_ca)
{
- errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE,
- options->ca_file, R_OK, "--ca");
+ errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE, options->ca_file,
+ R_OK, "--ca");
}
- errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
- options->ca_path, R_OK, "--capath");
+ errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK,
+ "--capath");
- errs |= check_file_access_inline(options->cert_file_inline, CHKACC_FILE|CHKACC_ACCEPT_URI,
+ errs |= check_file_access_inline(options->cert_file_inline, CHKACC_FILE | CHKACC_ACCEPT_URI,
options->cert_file, R_OK, "--cert");
errs |= check_file_access_inline(options->extra_certs_file, CHKACC_FILE,
- options->extra_certs_file, R_OK,
- "--extra-certs");
+ options->extra_certs_file, R_OK, "--extra-certs");
if (!(options->management_flags & MF_EXTERNAL_KEY))
{
errs |= check_file_access_inline(options->priv_key_file_inline,
- CHKACC_FILE|CHKACC_PRIVATE|CHKACC_ACCEPT_URI,
+ CHKACC_FILE | CHKACC_PRIVATE | CHKACC_ACCEPT_URI,
options->priv_key_file, R_OK, "--key");
}
- errs |= check_file_access_inline(options->pkcs12_file_inline,
- CHKACC_FILE|CHKACC_PRIVATE,
+ errs |= check_file_access_inline(options->pkcs12_file_inline, CHKACC_FILE | CHKACC_PRIVATE,
options->pkcs12_file, R_OK, "--pkcs12");
if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
{
- errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
- options->crl_file, R_OK|X_OK,
- "--crl-verify directory");
+ errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->crl_file,
+ R_OK | X_OK, "--crl-verify directory");
}
else
{
- errs |= check_file_access_chroot_inline(options->crl_file_inline,
- options->chroot_dir,
- CHKACC_FILE, options->crl_file,
- R_OK, "--crl-verify");
+ errs |=
+ check_file_access_chroot_inline(options->crl_file_inline, options->chroot_dir,
+ CHKACC_FILE, options->crl_file, R_OK, "--crl-verify");
}
if (options->tls_export_peer_cert_dir)
{
- errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
- options->tls_export_peer_cert_dir,
- W_OK, "--tls-export-cert");
+ errs |=
+ check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
+ options->tls_export_peer_cert_dir, W_OK, "--tls-export-cert");
}
ASSERT(options->connection_list);
@@ -4232,55 +4212,46 @@
{
struct connection_entry *ce = options->connection_list->array[i];
- errs |= check_file_access_inline(ce->tls_auth_file_inline,
- CHKACC_FILE|CHKACC_PRIVATE,
- ce->tls_auth_file, R_OK,
- "--tls-auth");
- errs |= check_file_access_inline(ce->tls_crypt_file_inline,
- CHKACC_FILE|CHKACC_PRIVATE,
- ce->tls_crypt_file, R_OK,
- "--tls-crypt");
- errs |= check_file_access_inline(ce->tls_crypt_v2_file_inline,
- CHKACC_FILE|CHKACC_PRIVATE,
- ce->tls_crypt_v2_file, R_OK,
- "--tls-crypt-v2");
+ errs |= check_file_access_inline(ce->tls_auth_file_inline, CHKACC_FILE | CHKACC_PRIVATE,
+ ce->tls_auth_file, R_OK, "--tls-auth");
+ errs |= check_file_access_inline(ce->tls_crypt_file_inline, CHKACC_FILE | CHKACC_PRIVATE,
+ ce->tls_crypt_file, R_OK, "--tls-crypt");
+ errs |= check_file_access_inline(ce->tls_crypt_v2_file_inline, CHKACC_FILE | CHKACC_PRIVATE,
+ ce->tls_crypt_v2_file, R_OK, "--tls-crypt-v2");
}
- errs |= check_file_access_inline(options->shared_secret_file_inline,
- CHKACC_FILE|CHKACC_PRIVATE,
- options->shared_secret_file, R_OK,
- "--secret");
+ errs |=
+ check_file_access_inline(options->shared_secret_file_inline, CHKACC_FILE | CHKACC_PRIVATE,
+ options->shared_secret_file, R_OK, "--secret");
- errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR,
- options->packet_id_file, R_OK|W_OK, "--replay-persist");
+ errs |= check_file_access(CHKACC_DIRPATH | CHKACC_FILEXSTWR, options->packet_id_file,
+ R_OK | W_OK, "--replay-persist");
/* ** Password files ** */
- errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
+ errs |= check_file_access(CHKACC_FILE | CHKACC_ACPTSTDIN | CHKACC_PRIVATE,
options->key_pass_file, R_OK, "--askpass");
#ifdef ENABLE_MANAGEMENT
- errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
- options->management_user_pass, R_OK,
- "--management user/password file");
+ errs |=
+ check_file_access(CHKACC_FILE | CHKACC_ACPTSTDIN | CHKACC_PRIVATE,
+ options->management_user_pass, R_OK, "--management user/password file");
#endif /* ENABLE_MANAGEMENT */
errs |= check_file_access_inline(options->auth_user_pass_file_inline,
- CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
- options->auth_user_pass_file, R_OK,
- "--auth-user-pass");
+ CHKACC_FILE | CHKACC_ACPTSTDIN | CHKACC_PRIVATE,
+ options->auth_user_pass_file, R_OK, "--auth-user-pass");
/* ** System related ** */
- errs |= check_file_access(CHKACC_FILE, options->chroot_dir,
- R_OK|X_OK, "--chroot directory");
- errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->writepid,
- R_OK|W_OK, "--writepid");
+ errs |= check_file_access(CHKACC_FILE, options->chroot_dir, R_OK | X_OK, "--chroot directory");
+ errs |= check_file_access(CHKACC_DIRPATH | CHKACC_FILEXSTWR, options->writepid, R_OK | W_OK,
+ "--writepid");
/* ** Log related ** */
- errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->status_file,
- R_OK|W_OK, "--status");
+ errs |= check_file_access(CHKACC_DIRPATH | CHKACC_FILEXSTWR, options->status_file, R_OK | W_OK,
+ "--status");
/* ** Config related ** */
errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir,
- R_OK|X_OK, "--client-config-dir");
+ R_OK | X_OK, "--client-config-dir");
errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
- R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
+ R_OK | W_OK | X_OK, "Temporary directory (--tmp-dir)");
if (errs)
{
@@ -4366,12 +4337,8 @@
* the other end of the connection]
*/
char *
-options_string(const struct options *o,
- const struct frame *frame,
- struct tuntap *tt,
- openvpn_net_ctx_t *ctx,
- bool remote,
- struct gc_arena *gc)
+options_string(const struct options *o, const struct frame *frame, struct tuntap *tt,
+ openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
{
struct buffer out = alloc_buf(OPTION_LINE_SIZE);
bool tt_local = false;
@@ -4387,8 +4354,7 @@
* cipher (p2p) or have a fallback cipher configured for older non
* ncp clients. But not sending it will make even 2.4 complain
* about it being missing. So still send it. */
- buf_printf(&out, ",link-mtu %u",
- (unsigned int) calc_options_string_link_mtu(o, frame));
+ buf_printf(&out, ",link-mtu %u", (unsigned int)calc_options_string_link_mtu(o, frame));
if (o->ce.occ_mtu != 0)
{
@@ -4399,7 +4365,7 @@
buf_printf(&out, ",tun-mtu %d", frame->tun_mtu);
}
- buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
+ buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o);
/* send tun_ipv6 only in peer2peer mode - in client/server mode, it
@@ -4416,20 +4382,9 @@
*/
if (!tt)
{
- tt = init_tun(o->dev,
- o->dev_type,
- o->topology,
- o->ifconfig_local,
- o->ifconfig_remote_netmask,
- o->ifconfig_ipv6_local,
- o->ifconfig_ipv6_netbits,
- o->ifconfig_ipv6_remote,
- NULL,
- NULL,
- false,
- NULL,
- ctx,
- NULL);
+ tt = init_tun(o->dev, o->dev_type, o->topology, o->ifconfig_local,
+ o->ifconfig_remote_netmask, o->ifconfig_ipv6_local, o->ifconfig_ipv6_netbits,
+ o->ifconfig_ipv6_remote, NULL, NULL, false, NULL, ctx, NULL);
if (tt)
{
tt_local = true;
@@ -4453,7 +4408,8 @@
#ifdef USE_COMP
if (o->comp.alg != COMP_ALG_UNDEF)
{
- buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */
+ buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression
+ context is active, not necessarily LZO per-se */
}
#endif
@@ -4485,10 +4441,7 @@
{
struct key_type kt;
- ASSERT((o->shared_secret_file != NULL)
- + (TLS_CLIENT == true)
- + (TLS_SERVER == true)
- <= 1);
+ ASSERT((o->shared_secret_file != NULL) + (TLS_CLIENT == true) + (TLS_SERVER == true) <= 1);
/* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
* to work here in the default configuration */
@@ -4597,8 +4550,7 @@
}
static const char *
-options_warning_extract_parm1(const char *option_string,
- struct gc_arena *gc_ret)
+options_warning_extract_parm1(const char *option_string, struct gc_arena *gc_ret)
{
struct gc_arena gc = gc_new();
struct buffer b = string_alloc_buf(option_string, &gc);
@@ -4612,24 +4564,16 @@
}
static void
-options_warning_safe_scan2(const int msglevel,
- const int delim,
- const bool report_inconsistent,
- const char *p1,
- const struct buffer *b2_src,
- const char *b1_name,
+options_warning_safe_scan2(const int msglevel, const int delim, const bool report_inconsistent,
+ const char *p1, const struct buffer *b2_src, const char *b1_name,
const char *b2_name)
{
/* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in
* OCC in a future version (because it's not useful). To reduce questions
* when interoperating, we no longer printing a warning about it.
*/
- if (strprefix(p1, "key-method ")
- || strprefix(p1, "keydir ")
- || strprefix(p1, "proto ")
- || streq(p1, "tls-auth")
- || strprefix(p1, "tun-ipv6")
- || strprefix(p1, "cipher "))
+ if (strprefix(p1, "key-method ") || strprefix(p1, "keydir ") || strprefix(p1, "proto ")
+ || streq(p1, "tls-auth") || strprefix(p1, "tun-ipv6") || strprefix(p1, "cipher "))
{
return;
}
@@ -4656,10 +4600,7 @@
if (report_inconsistent)
{
msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
- safe_print(p1_prefix, &gc),
- b1_name,
- safe_print(p1, &gc),
- b2_name,
+ safe_print(p1_prefix, &gc), b1_name, safe_print(p1, &gc), b2_name,
safe_print(p2, &gc));
}
goto done;
@@ -4668,11 +4609,7 @@
}
msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
- safe_print(p1_prefix, &gc),
- b1_name,
- b2_name,
- b1_name,
- safe_print(p1, &gc));
+ safe_print(p1_prefix, &gc), b1_name, b2_name, b1_name, safe_print(p1, &gc));
done:
gc_free(&gc);
@@ -4680,13 +4617,9 @@
}
static void
-options_warning_safe_scan1(const int msglevel,
- const int delim,
- const bool report_inconsistent,
- const struct buffer *b1_src,
- const struct buffer *b2_src,
- const char *b1_name,
- const char *b2_name)
+options_warning_safe_scan1(const int msglevel, const int delim, const bool report_inconsistent,
+ const struct buffer *b1_src, const struct buffer *b2_src,
+ const char *b1_name, const char *b2_name)
{
struct gc_arena gc = gc_new();
struct buffer b = *b1_src;
@@ -4694,7 +4627,8 @@
while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
{
- options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
+ options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name,
+ b2_name);
}
gc_free(&gc);
@@ -4714,13 +4648,9 @@
buf_printf(&local, "version %s", expected);
buf_printf(&remote, "version %s", actual);
- options_warning_safe_scan1(msglevel, ',', true,
- &local, &remote,
- "local", "remote");
+ options_warning_safe_scan1(msglevel, ',', true, &local, &remote, "local", "remote");
- options_warning_safe_scan1(msglevel, ',', false,
- &remote, &local,
- "remote", "local");
+ options_warning_safe_scan1(msglevel, ',', false, &remote, &local, "remote", "local");
}
gc_free(&gc);
@@ -4759,13 +4689,12 @@
options_string_version(const char *s, struct gc_arena *gc)
{
struct buffer out = alloc_buf_gc(4, gc);
- strncpynt((char *) BPTR(&out), s, 3);
+ strncpynt((char *)BPTR(&out), s, 3);
return BSTR(&out);
}
char *
-options_string_extract_option(const char *options_string, const char *opt_name,
- struct gc_arena *gc)
+options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
{
char *ret = NULL;
const size_t opt_name_len = strlen(opt_name);
@@ -4773,14 +4702,14 @@
const char *p = options_string;
while (p)
{
- if (0 == strncmp(p, opt_name, opt_name_len)
- && strlen(p) > (opt_name_len+1) && p[opt_name_len] == ' ')
+ if (0 == strncmp(p, opt_name, opt_name_len) && strlen(p) > (opt_name_len + 1)
+ && p[opt_name_len] == ' ')
{
/* option found, extract value */
- const char *start = &p[opt_name_len+1];
+ const char *start = &p[opt_name_len + 1];
const char *end = strchr(p, ',');
size_t val_len = end ? end - start : strlen(start);
- ret = gc_malloc(val_len+1, true, gc);
+ ret = gc_malloc(val_len + 1, true, gc);
memcpy(ret, start, val_len);
break;
}
@@ -4912,20 +4841,13 @@
struct options o;
init_options(&o, true);
- fprintf(fp, usage_message,
- title_string,
- o.ce.connect_retry_seconds,
- o.ce.connect_retry_seconds_max,
- o.ce.local_port, o.ce.remote_port,
- TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
- o.verbosity,
- o.authname,
- o.replay_window, o.replay_time,
- o.tls_timeout, o.renegotiate_seconds,
- o.handshake_window, o.transition_window);
+ fprintf(fp, usage_message, title_string, o.ce.connect_retry_seconds,
+ o.ce.connect_retry_seconds_max, o.ce.local_port, o.ce.remote_port, TUN_MTU_DEFAULT,
+ TAP_MTU_EXTRA_DEFAULT, o.verbosity, o.authname, o.replay_window, o.replay_time,
+ o.tls_timeout, o.renegotiate_seconds, o.handshake_window, o.transition_window);
fflush(fp);
-#endif /* ENABLE_SMALL */
+#endif /* ENABLE_SMALL */
openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
}
@@ -4933,7 +4855,7 @@
void
usage_small(void)
{
- msg(M_WARN|M_NOPREFIX, "Use --help for more information.");
+ msg(M_WARN | M_NOPREFIX, "Use --help for more information.");
openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
}
@@ -4966,8 +4888,7 @@
#define LZO_LIB_VER_STR "", ""
#endif
- msg(flags, "library versions: %s%s%s", get_ssl_library_version(),
- LZO_LIB_VER_STR);
+ msg(flags, "library versions: %s%s%s", get_ssl_library_version(), LZO_LIB_VER_STR);
#undef LZO_LIB_VER_STR
}
@@ -4975,20 +4896,20 @@
static void
usage_version(void)
{
- msg(M_INFO|M_NOPREFIX, "%s", title_string);
- show_library_versions( M_INFO|M_NOPREFIX );
+ msg(M_INFO | M_NOPREFIX, "%s", title_string);
+ show_library_versions(M_INFO | M_NOPREFIX);
#ifdef _WIN32
- show_windows_version( M_INFO|M_NOPREFIX );
+ show_windows_version(M_INFO | M_NOPREFIX);
#endif
show_dco_version(M_INFO | M_NOPREFIX);
- msg(M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
- msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>");
+ msg(M_INFO | M_NOPREFIX, "Originally developed by James Yonan");
+ msg(M_INFO | M_NOPREFIX, "Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>");
#ifndef ENABLE_SMALL
#ifdef CONFIGURE_DEFINES
- msg(M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
+ msg(M_INFO | M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
#endif
#ifdef CONFIGURE_SPECIAL_BUILD
- msg(M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
+ msg(M_INFO | M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
#endif
#endif
openvpn_exit(OPENVPN_EXIT_STATUS_GOOD);
@@ -5024,7 +4945,7 @@
}
#endif
-#ifdef _WIN32 /* This function is only used when compiling on Windows */
+#ifdef _WIN32 /* This function is only used when compiling on Windows */
static unsigned int
atou(const char *str)
{
@@ -5041,13 +4962,8 @@
}
int
-parse_line(const char *line,
- char *p[],
- const int n,
- const char *file,
- const int line_num,
- int msglevel,
- struct gc_arena *gc)
+parse_line(const char *line, char *p[], const int n, const char *file, const int line_num,
+ int msglevel, struct gc_arena *gc)
{
const int STATE_INITIAL = 0;
const int STATE_READING_QUOTED_PARM = 1;
@@ -5156,9 +5072,13 @@
if (!(out == '\\' || out == '\"' || space(out)))
{
#ifdef ENABLE_SMALL
- msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
+ msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d",
+ error_prefix, file, line_num);
#else
- msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
+ msg(msglevel,
+ "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE
+ "\\\\static.key\"",
+ error_prefix, file, line_num);
#endif
return 0;
}
@@ -5173,7 +5093,7 @@
{
parm[SIZE(parm) - 1] = 0;
msg(msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
- error_prefix, file, line_num, (int) SIZE(parm), parm);
+ error_prefix, file, line_num, (int)SIZE(parm), parm);
return 0;
}
parm[parm_len++] = out;
@@ -5189,17 +5109,20 @@
if (state == STATE_READING_QUOTED_PARM)
{
- msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
+ msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file,
+ line_num);
return 0;
}
if (state == STATE_READING_SQUOTED_PARM)
{
- msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
+ msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix,
+ file, line_num);
return 0;
}
if (state != STATE_INITIAL)
{
- msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
+ msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state,
+ file, line_num);
return 0;
}
#if 0
@@ -5223,11 +5146,13 @@
}
}
-struct in_src {
-#define IS_TYPE_FP 1
+struct in_src
+{
+#define IS_TYPE_FP 1
#define IS_TYPE_BUF 2
int type;
- union {
+ union
+ {
FILE *fp;
struct buffer *multiline;
} u;
@@ -5243,7 +5168,7 @@
else if (is->type == IS_TYPE_BUF)
{
bool status = buf_parse(is->u.multiline, '\n', line, size);
- if ((int) strlen(line) + 1 < size)
+ if ((int)strlen(line) + 1 < size)
{
strcat(line, "\n");
}
@@ -5257,11 +5182,10 @@
}
static char *
-read_inline_file(struct in_src *is, const char *close_tag,
- int *num_lines, struct gc_arena *gc)
+read_inline_file(struct in_src *is, const char *close_tag, int *num_lines, struct gc_arena *gc)
{
char line[OPTION_LINE_SIZE];
- struct buffer buf = alloc_buf(8*OPTION_LINE_SIZE);
+ struct buffer buf = alloc_buf(8 * OPTION_LINE_SIZE);
char *ret;
bool endtagfound = false;
@@ -5279,7 +5203,7 @@
endtagfound = true;
break;
}
- if (!buf_safe(&buf, strlen(line)+1))
+ if (!buf_safe(&buf, strlen(line) + 1))
{
/* Increase buffer size */
struct buffer buf2 = alloc_buf(buf.capacity * 2);
@@ -5309,7 +5233,7 @@
if (p[0] && !p[1])
{
char *arg = p[0];
- if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
+ if (arg[0] == '<' && arg[strlen(arg) - 1] == '>')
{
struct buffer close_tag;
@@ -5335,8 +5259,7 @@
}
static int
-check_inline_file_via_buf(struct buffer *multiline, char *p[],
- struct gc_arena *gc)
+check_inline_file_via_buf(struct buffer *multiline, char *p[], struct gc_arena *gc)
{
struct in_src is;
is.type = IS_TYPE_BUF;
@@ -5344,60 +5267,31 @@
return check_inline_file(&is, p, gc);
}
-static void
-add_option(struct options *options,
- char *p[],
- bool is_inline,
- const char *file,
- int line,
- const int level,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es);
+static void add_option(struct options *options, char *p[], bool is_inline, const char *file,
+ int line, const int level, const int msglevel,
+ const unsigned int permission_mask, unsigned int *option_types_found,
+ struct env_set *es);
+
+static void remove_option(struct context *c, struct options *options, char *p[], bool is_inline,
+ const char *file, int line, const int msglevel,
+ const unsigned int permission_mask, unsigned int *option_types_found,
+ struct env_set *es);
+
+static void update_option(struct context *c, struct options *options, char *p[], bool is_inline,
+ const char *file, int line, const int level, const int msglevel,
+ const unsigned int permission_mask, unsigned int *option_types_found,
+ struct env_set *es, unsigned int *update_options_found);
static void
-remove_option(struct context *c,
- struct options *options,
- char *p[],
- bool is_inline,
- const char *file,
- int line,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es);
-
-static void
-update_option(struct context *c,
- struct options *options,
- char *p[],
- bool is_inline,
- const char *file,
- int line,
- const int level,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es,
- unsigned int *update_options_found);
-
-static void
-read_config_file(struct options *options,
- const char *file,
- int level,
- const char *top_file,
- const int top_line,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es)
+read_config_file(struct options *options, const char *file, int level, const char *top_file,
+ const int top_line, const int msglevel, const unsigned int permission_mask,
+ unsigned int *option_types_found, struct env_set *es)
{
const int max_recursive_levels = 10;
FILE *fp;
int line_num;
- char line[OPTION_LINE_SIZE+1];
- char *p[MAX_PARMS+1];
+ char line[OPTION_LINE_SIZE + 1];
+ char *p[MAX_PARMS + 1];
++level;
if (level <= max_recursive_levels)
@@ -5420,7 +5314,8 @@
++line_num;
if (strlen(line) == OPTION_LINE_SIZE)
{
- msg(msglevel, "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
+ msg(msglevel,
+ "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
file, line_num, OPTION_LINE_SIZE, line);
}
@@ -5429,13 +5324,13 @@
{
offset = 3;
}
- if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
+ if (parse_line(line + offset, p, SIZE(p) - 1, file, line_num, msglevel,
+ &options->gc))
{
bypass_doubledash(&p[0]);
int lines_inline = check_inline_file_via_fp(fp, p, &options->gc);
- add_option(options, p, lines_inline, file, line_num, level,
- msglevel, permission_mask, option_types_found,
- es);
+ add_option(options, p, lines_inline, file, line_num, level, msglevel,
+ permission_mask, option_types_found, es);
line_num += lines_inline;
}
}
@@ -5446,25 +5341,24 @@
}
else
{
- msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
+ msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line,
+ file);
}
}
else
{
- msg(msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
+ msg(msglevel,
+ "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.",
+ top_file, top_line, file);
}
secure_memzero(line, sizeof(line));
CLEAR(p);
}
static void
-read_config_string(const char *prefix,
- struct options *options,
- const char *config,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es)
+read_config_string(const char *prefix, struct options *options, const char *config,
+ const int msglevel, const unsigned int permission_mask,
+ unsigned int *option_types_found, struct env_set *es)
{
char line[OPTION_LINE_SIZE];
struct buffer multiline;
@@ -5474,15 +5368,15 @@
while (buf_parse(&multiline, '\n', line, sizeof(line)))
{
- char *p[MAX_PARMS+1];
+ char *p[MAX_PARMS + 1];
CLEAR(p);
++line_num;
- if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc))
+ if (parse_line(line, p, SIZE(p) - 1, prefix, line_num, msglevel, &options->gc))
{
bypass_doubledash(&p[0]);
int lines_inline = check_inline_file_via_buf(&multiline, p, &options->gc);
- add_option(options, p, lines_inline, prefix, line_num, 0, msglevel,
- permission_mask, option_types_found, es);
+ add_option(options, p, lines_inline, prefix, line_num, 0, msglevel, permission_mask,
+ option_types_found, es);
line_num += lines_inline;
}
CLEAR(p);
@@ -5491,13 +5385,8 @@
}
void
-parse_argv(struct options *options,
- const int argc,
- char *argv[],
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es)
+parse_argv(struct options *options, const int argc, char *argv[], const int msglevel,
+ const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
{
/* usage message */
if (argc <= 1)
@@ -5508,24 +5397,26 @@
/* config filename specified only? */
if (argc == 2 && strncmp(argv[1], "--", 2))
{
- char *p[MAX_PARMS+1];
+ char *p[MAX_PARMS + 1];
CLEAR(p);
p[0] = "config";
p[1] = argv[1];
- add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
- option_types_found, es);
+ add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask, option_types_found,
+ es);
}
else
{
/* parse command line */
for (int i = 1; i < argc; ++i)
{
- char *p[MAX_PARMS+1];
+ char *p[MAX_PARMS + 1];
CLEAR(p);
p[0] = argv[i];
if (strncmp(p[0], "--", 2))
{
- msg(msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
+ msg(msglevel,
+ "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'",
+ p[0]);
}
else
{
@@ -5548,31 +5439,27 @@
}
}
}
- add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
- option_types_found, es);
+ add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask, option_types_found,
+ es);
i += j - 1;
}
}
}
bool
-apply_push_options(struct context *c,
- struct options *options,
- struct buffer *buf,
- unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es,
- bool is_update)
+apply_push_options(struct context *c, struct options *options, struct buffer *buf,
+ unsigned int permission_mask, unsigned int *option_types_found,
+ struct env_set *es, bool is_update)
{
char line[OPTION_PARM_SIZE];
int line_num = 0;
const char *file = "[PUSH-OPTIONS]";
- const int msglevel = D_PUSH_ERRORS|M_OPTERR;
+ const int msglevel = D_PUSH_ERRORS | M_OPTERR;
unsigned int update_options_found = 0;
while (buf_parse(buf, ',', line, sizeof(line)))
{
- char *p[MAX_PARMS+1];
+ char *p[MAX_PARMS + 1];
CLEAR(p);
++line_num;
unsigned int push_update_option_flags = 0;
@@ -5602,22 +5489,22 @@
return false; /* Cause push/pull error and stop push processing */
}
- if (parse_line(&line[i], p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
+ if (parse_line(&line[i], p, SIZE(p) - 1, file, line_num, msglevel, &options->gc))
{
if (!is_update)
{
- add_option(options, p, false, file, line_num, 0, msglevel,
- permission_mask, option_types_found, es);
+ add_option(options, p, false, file, line_num, 0, msglevel, permission_mask,
+ option_types_found, es);
}
else if (push_update_option_flags & PUSH_OPT_TO_REMOVE)
{
- remove_option(c, options, p, false, file, line_num, msglevel,
- permission_mask, option_types_found, es);
+ remove_option(c, options, p, false, file, line_num, msglevel, permission_mask,
+ option_types_found, es);
}
else
{
- update_option(c, options, p, false, file, line_num, 0, msglevel,
- permission_mask, option_types_found, es, &update_options_found);
+ update_option(c, options, p, false, file, line_num, 0, msglevel, permission_mask,
+ option_types_found, es, &update_options_found);
}
}
}
@@ -5625,54 +5512,37 @@
}
void
-options_server_import(struct options *o,
- const char *filename,
- int msglevel,
- unsigned int permission_mask,
- unsigned int *option_types_found,
+options_server_import(struct options *o, const char *filename, int msglevel,
+ unsigned int permission_mask, unsigned int *option_types_found,
struct env_set *es)
{
msg(D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
- read_config_file(o,
- filename,
- 0,
- filename,
- 0,
- msglevel,
- permission_mask,
- option_types_found,
+ read_config_file(o, filename, 0, filename, 0, msglevel, permission_mask, option_types_found,
es);
}
void
-options_string_import(struct options *options,
- const char *config,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
+options_string_import(struct options *options, const char *config, const int msglevel,
+ const unsigned int permission_mask, unsigned int *option_types_found,
struct env_set *es)
{
- read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
+ read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask,
+ option_types_found, es);
}
-#define VERIFY_PERMISSION(mask) { \
- if (!verify_permission(p[0], file, line, (mask), permission_mask, \
- option_types_found, msglevel, options, is_inline)) \
- { \
- goto err; \
- } \
-}
+#define VERIFY_PERMISSION(mask) \
+ { \
+ if (!verify_permission(p[0], file, line, (mask), permission_mask, option_types_found, \
+ msglevel, options, is_inline)) \
+ { \
+ goto err; \
+ } \
+ }
static bool
-verify_permission(const char *name,
- const char *file,
- int line,
- const unsigned int type,
- const unsigned int allowed,
- unsigned int *found,
- const int msglevel,
- struct options *options,
- bool is_inline)
+verify_permission(const char *name, const char *file, int line, const unsigned int type,
+ const unsigned int allowed, unsigned int *found, const int msglevel,
+ struct options *options, bool is_inline)
{
if (!(type & allowed))
{
@@ -5682,8 +5552,7 @@
if (is_inline && !(type & OPT_P_INLINE))
{
- msg(msglevel, "option '%s' is not expected to be inline (%s:%d)", name,
- file, line);
+ msg(msglevel, "option '%s' is not expected to be inline (%s:%d)", name, file, line);
return false;
}
@@ -5700,12 +5569,12 @@
* connection_list
*/
- if ((type & OPT_P_CONNECTION) && options->connection_list
- && !(allowed & OPT_P_PULL_MODE))
+ if ((type & OPT_P_CONNECTION) && options->connection_list && !(allowed & OPT_P_PULL_MODE))
{
if (file)
{
- msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name, file, line);
+ msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name,
+ file, line);
}
else
{
@@ -5721,13 +5590,10 @@
* many parameters.
*/
-#define NM_QUOTE_HINT (1<<0)
+#define NM_QUOTE_HINT (1 << 0)
static bool
-no_more_than_n_args(const int msglevel,
- char *p[],
- const int max,
- const unsigned int flags)
+no_more_than_n_args(const int msglevel, char *p[], const int max, const unsigned int flags)
{
const int len = string_array_len((const char **)p);
@@ -5738,11 +5604,11 @@
if (len > max)
{
- msg(msglevel, "the --%s directive should have at most %d parameter%s.%s",
- p[0],
- max - 1,
+ msg(msglevel, "the --%s directive should have at most %d parameter%s.%s", p[0], max - 1,
max >= 3 ? "s" : "",
- (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
+ (flags & NM_QUOTE_HINT)
+ ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")."
+ : "");
return false;
}
else
@@ -5758,10 +5624,10 @@
}
#define RESET_OPTION_ROUTES(option_ptr, field) \
- if (option_ptr) \
- { \
- option_ptr->field = NULL; \
- option_ptr->flags = 0; \
+ if (option_ptr) \
+ { \
+ option_ptr->field = NULL; \
+ option_ptr->flags = 0; \
}
/**
@@ -5780,20 +5646,14 @@
* @param line The line number where the function is called.
* @param msglevel The message level.
* @param permission_mask The permission mask used by VERIFY_PERMISSION().
- * @param option_types_found A pointer to the variable where the flags corresponding to the options found are stored.
+ * @param option_types_found A pointer to the variable where the flags corresponding to the options
+ * found are stored.
* @param es The environment set structure.
*/
static void
-remove_option(struct context *c,
- struct options *options,
- char *p[],
- bool is_inline,
- const char *file,
- int line,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es)
+remove_option(struct context *c, struct options *options, char *p[], bool is_inline,
+ const char *file, int line, const int msglevel, const unsigned int permission_mask,
+ unsigned int *option_types_found, struct env_set *es)
{
int msglevel_fc = msglevel_forward_compatible(options, msglevel);
@@ -5815,9 +5675,8 @@
VERIFY_PERMISSION(OPT_P_ROUTE);
if (c->c1.route_list)
{
- delete_routes_v4(c->c1.route_list, c->c1.tuntap,
- ROUTE_OPTION_FLAGS(&c->options),
- es, &c->net_ctx);
+ delete_routes_v4(c->c1.route_list, c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options), es,
+ &c->net_ctx);
RESET_OPTION_ROUTES(options->routes, routes);
}
}
@@ -5826,8 +5685,7 @@
VERIFY_PERMISSION(OPT_P_ROUTE);
if (c->c1.route_ipv6_list)
{
- delete_routes_v6(c->c1.route_ipv6_list, c->c1.tuntap,
- ROUTE_OPTION_FLAGS(&c->options),
+ delete_routes_v6(c->c1.route_ipv6_list, c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
es, &c->net_ctx);
RESET_OPTION_ROUTES(options->routes_ipv6, routes_ipv6);
}
@@ -5874,7 +5732,7 @@
}
else if (streq(p[0], "tun-mtu") && !p[1])
{
- VERIFY_PERMISSION(OPT_P_PUSH_MTU|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_PUSH_MTU | OPT_P_CONNECTION);
options->ce.tun_mtu = TUN_MTU_DEFAULT;
options->ce.tun_mtu_defined = false;
options->ce.occ_mtu = 0;
@@ -5942,7 +5800,9 @@
break;
}
}
- msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s) in %s:%d: -%s (%s)", file, line, p[0], PACKAGE_VERSION);
+ msg(msglevel_unknown,
+ "Unrecognized option or missing or extra parameter(s) in %s:%d: -%s (%s)", file, line,
+ p[0], PACKAGE_VERSION);
}
return;
err:
@@ -5956,7 +5816,8 @@
rol_check_alloc(options);
if (pull_mode)
{
- if (!ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && !is_special_addr(p[1])) /* FQDN -- may be DNS name */
+ if (!ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn)
+ && !is_special_addr(p[1])) /* FQDN -- may be DNS name */
{
msg(msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
return false;
@@ -5966,7 +5827,8 @@
msg(msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
return false;
}
- if (p[3] && !ip_or_dns_addr_safe(p[3], options->allow_pull_fqdn) && !is_special_addr(p[3])) /* FQDN -- may be DNS name */
+ if (p[3] && !ip_or_dns_addr_safe(p[3], options->allow_pull_fqdn)
+ && !is_special_addr(p[3])) /* FQDN -- may be DNS name */
{
msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
return false;
@@ -6002,7 +5864,8 @@
{
if (streq(p[1], "search-domains") && p[2])
{
- dns_domain_list_append(&options->dns_options.search_domains, &p[2], &options->dns_options.gc);
+ dns_domain_list_append(&options->dns_options.search_domains, &p[2],
+ &options->dns_options.gc);
}
else if (streq(p[1], "server") && p[2] && p[3] && p[4])
{
@@ -6013,7 +5876,8 @@
return false;
}
- struct dns_server *server = dns_server_get(&options->dns_options.servers, priority, &options->dns_options.gc);
+ struct dns_server *server =
+ dns_server_get(&options->dns_options.servers, priority, &options->dns_options.gc);
if (streq(p[3], "address") && p[4])
{
@@ -6021,7 +5885,8 @@
{
if (!dns_server_addr_parse(server, p[i]))
{
- msg(msglevel, "--dns server %ld: malformed address or maximum exceeded '%s'", priority, p[i]);
+ msg(msglevel, "--dns server %ld: malformed address or maximum exceeded '%s'",
+ priority, p[i]);
return false;
}
}
@@ -6076,7 +5941,9 @@
}
else
{
- msg(msglevel, "--dns server %ld: unknown option type '%s' or missing or unknown parameter", priority, p[3]);
+ msg(msglevel,
+ "--dns server %ld: unknown option type '%s' or missing or unknown parameter",
+ priority, p[3]);
return false;
}
}
@@ -6092,7 +5959,8 @@
* @brief Processes an option to update. It first checks whether it has already
* received an option of the same type within the same update message.
* If the option has already been received, it calls add_option().
- * Otherwise, it deletes all existing values related to that option before calling add_option().
+ * Otherwise, it deletes all existing values related to that option before calling
+ * add_option().
*
* @param c The context structure.
* @param options A pointer to the options structure.
@@ -6103,24 +5971,18 @@
* @param level The level of the option.
* @param msglevel The message level for logging.
* @param permission_mask The permission mask used by VERIFY_PERMISSION().
- * @param option_types_found A pointer to the variable where the flags corresponding to the options found are stored.
+ * @param option_types_found A pointer to the variable where the flags corresponding to the options
+ * found are stored.
* @param es The environment set structure.
- * @param update_options_found A pointer to the variable where the flags corresponding to the update options found are stored,
- * used to check if an option of the same type has already been processed by update_option() within the same push-update message.
+ * @param update_options_found A pointer to the variable where the flags corresponding to the update
+ * options found are stored, used to check if an option of the same type has already been processed
+ * by update_option() within the same push-update message.
*/
static void
-update_option(struct context *c,
- struct options *options,
- char *p[],
- bool is_inline,
- const char *file,
- int line,
- const int level,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es,
- unsigned int *update_options_found)
+update_option(struct context *c, struct options *options, char *p[], bool is_inline,
+ const char *file, int line, const int level, const int msglevel,
+ const unsigned int permission_mask, unsigned int *option_types_found,
+ struct env_set *es, unsigned int *update_options_found)
{
const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
ASSERT(MAX_PARMS >= 7);
@@ -6136,8 +5998,7 @@
}
if (c->c1.route_list)
{
- delete_routes_v4(c->c1.route_list, c->c1.tuntap,
- ROUTE_OPTION_FLAGS(&c->options),
+ delete_routes_v4(c->c1.route_list, c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
es, &c->net_ctx);
RESET_OPTION_ROUTES(options->routes, routes);
}
@@ -6156,8 +6017,7 @@
if (c->c1.route_ipv6_list)
{
delete_routes_v6(c->c1.route_ipv6_list, c->c1.tuntap,
- ROUTE_OPTION_FLAGS(&c->options),
- es, &c->net_ctx);
+ ROUTE_OPTION_FLAGS(&c->options), es, &c->net_ctx);
RESET_OPTION_ROUTES(options->routes_ipv6, routes_ipv6);
}
*update_options_found |= OPT_P_U_ROUTE6;
@@ -6229,7 +6089,7 @@
*update_options_found |= OPT_P_U_DHCP;
}
}
-#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
+#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
{
if (!(*update_options_found & OPT_P_U_DHCP))
@@ -6240,8 +6100,7 @@
}
}
#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
- add_option(options, p, is_inline, file, line,
- level, msglevel, permission_mask,
+ add_option(options, p, is_inline, file, line, level, msglevel, permission_mask,
option_types_found, es);
return;
err:
@@ -6249,16 +6108,15 @@
}
static void
-set_user_script(struct options *options,
- const char **script,
- const char *new_script,
- const char *type,
- bool in_chroot)
+set_user_script(struct options *options, const char **script, const char *new_script,
+ const char *type, bool in_chroot)
{
if (*script)
{
- msg(M_WARN, "Multiple --%s scripts defined. "
- "The previously configured script is overridden.", type);
+ msg(M_WARN,
+ "Multiple --%s scripts defined. "
+ "The previously configured script is overridden.",
+ type);
}
*script = new_script;
options->user_script_used = true;
@@ -6266,14 +6124,12 @@
#ifndef ENABLE_SMALL
{
char script_name[100];
- snprintf(script_name, sizeof(script_name),
- "--%s script", type);
+ snprintf(script_name, sizeof(script_name), "--%s script", type);
if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
{
msg(M_USAGE, "Please correct this error.");
}
-
}
#endif
}
@@ -6284,9 +6140,9 @@
if (comp_non_stub_enabled(info))
{
msg(M_WARN, "WARNING: Compression for receiving enabled. "
- "Compression has been used in the past to break encryption. "
- "Compression support is deprecated and we recommend to disable "
- "it completely.");
+ "Compression has been used in the past to break encryption. "
+ "Compression support is deprecated and we recommend to disable "
+ "it completely.");
}
}
@@ -6306,16 +6162,9 @@
}
static void
-add_option(struct options *options,
- char *p[],
- bool is_inline,
- const char *file,
- int line,
- const int level,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es)
+add_option(struct options *options, char *p[], bool is_inline, const char *file, int line,
+ const int level, const int msglevel, const unsigned int permission_mask,
+ unsigned int *option_types_found, struct env_set *es)
{
struct gc_arena gc = gc_new();
const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
@@ -6367,7 +6216,8 @@
options->config = p[1];
}
- read_config_file(options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
+ read_config_file(options, p[1], level, file, line, msglevel, permission_mask,
+ option_types_found, es);
}
#if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
else if (streq(p[0], "show-gateway") && !p[2])
@@ -6420,9 +6270,7 @@
* can potentially include security-sensitive strings */
if (p[1] && strncmp(p[1], "msg", 3) == 0)
{
- msg(M_INFO, "%s:%s",
- pull_mode ? "ECHO-PULL" : "ECHO",
- BSTR(&string));
+ msg(M_INFO, "%s:%s", pull_mode ? "ECHO-PULL" : "ECHO", BSTR(&string));
}
#ifdef ENABLE_MANAGEMENT
if (management)
@@ -6537,8 +6385,7 @@
* When no option is present, assume that only PKCS1
* padding is supported
*/
- if (!(options->management_flags
- &(MF_EXTERNAL_KEY_NOPADDING | MF_EXTERNAL_KEY_PKCS1PAD)))
+ if (!(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING | MF_EXTERNAL_KEY_PKCS1PAD)))
{
options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
}
@@ -6615,7 +6462,8 @@
else if (streq(p[0], "windows-driver") && p[1] && !p[2])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
- msg(M_WARN, "DEPRECATED OPTION: windows-driver: In OpenVPN 2.7, the default Windows driver is ovpn-dco. "
+ msg(M_WARN,
+ "DEPRECATED OPTION: windows-driver: In OpenVPN 2.7, the default Windows driver is ovpn-dco. "
"If incompatible options are used, OpenVPN will fall back to tap-windows6. Wintun support has been removed.");
}
#endif
@@ -6650,7 +6498,8 @@
{
if (!pull_mode)
{
- msg(M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
+ msg(M_WARN,
+ "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
}
}
#ifdef ENABLE_IPROUTE
@@ -6663,7 +6512,8 @@
else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
{
VERIFY_PERMISSION(OPT_P_UP);
- if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
+ if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn)
+ && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
{
options->ifconfig_local = p[1];
options->ifconfig_remote_netmask = p[2];
@@ -6679,12 +6529,12 @@
unsigned int netbits;
VERIFY_PERMISSION(OPT_P_UP);
- if (get_ipv6_addr( p[1], NULL, &netbits, msglevel )
- && ipv6_addr_safe( p[2] ) )
+ if (get_ipv6_addr(p[1], NULL, &netbits, msglevel) && ipv6_addr_safe(p[2]))
{
if (netbits < 64 || netbits > 124)
{
- msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
+ msg(msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'",
+ netbits);
goto err;
}
@@ -6712,7 +6562,7 @@
{
struct local_entry *e;
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
e = alloc_local_entry(&options->ce, M_USAGE, &options->gc);
ASSERT(e);
@@ -6742,7 +6592,7 @@
}
else if (streq(p[0], "connection") && p[1] && !p[3])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
if (is_inline)
{
struct options sub;
@@ -6750,11 +6600,12 @@
init_options(&sub, true);
sub.ce = options->ce;
- read_config_string("[CONNECTION-OPTIONS]", &sub, p[1], msglevel,
- OPT_P_CONNECTION, option_types_found, es);
+ read_config_string("[CONNECTION-OPTIONS]", &sub, p[1], msglevel, OPT_P_CONNECTION,
+ option_types_found, es);
if (!sub.ce.remote)
{
- msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
+ msg(msglevel,
+ "Each 'connection' block must contain exactly one 'remote' directive");
uninit_options(&sub);
goto err;
}
@@ -6785,16 +6636,14 @@
}
/* add number of options already ignored */
- for (i = 0; options->ignore_unknown_option
- && options->ignore_unknown_option[i]; i++)
+ for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
{
numignored++;
}
/* Allocate array */
- ALLOC_ARRAY_GC(ignore, const char *, numignored+1, &options->gc);
- for (i = 0; options->ignore_unknown_option
- && options->ignore_unknown_option[i]; i++)
+ ALLOC_ARRAY_GC(ignore, const char *, numignored + 1, &options->gc);
+ for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
{
ignore[i] = options->ignore_unknown_option[i];
}
@@ -6804,9 +6653,9 @@
for (j = 1; p[j]; j++)
{
/* Allow the user to specify ignore-unknown-option --opt too */
- if (p[j][0]=='-' && p[j][1]=='-')
+ if (p[j][0] == '-' && p[j][1] == '-')
{
- options->ignore_unknown_option[i] = (p[j]+2);
+ options->ignore_unknown_option[i] = (p[j] + 2);
}
else
{
@@ -6835,7 +6684,7 @@
re.proto = -1;
re.af = 0;
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
re.remote = p[1];
if (p[2])
{
@@ -6846,9 +6695,7 @@
const sa_family_t af = ascii2af(p[3]);
if (proto < 0)
{
- msg(msglevel,
- "remote: bad protocol associated with host %s: '%s'",
- p[1], p[3]);
+ msg(msglevel, "remote: bad protocol associated with host %s: '%s'", p[1], p[3]);
goto err;
}
re.proto = proto;
@@ -6894,7 +6741,7 @@
}
else if (streq(p[0], "connect-retry") && p[1] && !p[3])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
options->ce.connect_retry_seconds = positive_atoi(p[1], msglevel);
/*
* Limit the base value of retry wait interval to 16 bits to avoid
@@ -6913,15 +6760,15 @@
max_int(positive_atoi(p[2], msglevel), options->ce.connect_retry_seconds);
}
}
- else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout"))
- && p[1] && !p[2])
+ else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout")) && p[1]
+ && !p[2])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
options->ce.connect_timeout = positive_atoi(p[1], msglevel);
}
else if (streq(p[0], "connect-retry-max") && p[1] && !p[2])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
options->connect_retry_max = positive_atoi(p[1], msglevel);
}
else if (streq(p[0], "ipchange") && p[1])
@@ -6931,14 +6778,12 @@
{
goto err;
}
- set_user_script(options,
- &options->ipchange,
- string_substitute(p[1], ',', ' ', &options->gc),
- "ipchange", true);
+ set_user_script(options, &options->ipchange,
+ string_substitute(p[1], ',', ' ', &options->gc), "ipchange", true);
}
else if (streq(p[0], "float") && !p[1])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
options->ce.remote_float = true;
}
#ifdef ENABLE_DEBUG
@@ -7026,7 +6871,9 @@
{
if (!didit)
{
- msg(M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]);
+ msg(M_WARN,
+ "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)",
+ p[1]);
goto err;
}
}
@@ -7088,7 +6935,8 @@
/* Warn when a debug verbosity is supplied when built without debug support */
if (options->verbosity >= 7)
{
- msg(M_WARN, "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
+ msg(M_WARN,
+ "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
options->verbosity);
}
#endif
@@ -7144,13 +6992,13 @@
}
else if ((streq(p[0], "link-mtu") || streq(p[0], "udp-mtu")) && p[1] && !p[2])
{
- VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
options->ce.link_mtu = positive_atoi(p[1], msglevel);
options->ce.link_mtu_defined = true;
}
else if (streq(p[0], "tun-mtu") && p[1] && !p[3])
{
- VERIFY_PERMISSION(OPT_P_PUSH_MTU|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_PUSH_MTU | OPT_P_CONNECTION);
options->ce.tun_mtu = positive_atoi(p[1], msglevel);
options->ce.tun_mtu_defined = true;
if (p[2])
@@ -7164,7 +7012,7 @@
}
else if (streq(p[0], "tun-mtu-max") && p[1] && !p[3])
{
- VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
int max_mtu = positive_atoi(p[1], msglevel);
if (max_mtu < 68 || max_mtu > 65536)
{
@@ -7177,22 +7025,23 @@
}
else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2])
{
- VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
options->ce.tun_mtu_extra = positive_atoi(p[1], msglevel);
options->ce.tun_mtu_extra_defined = true;
}
else if (streq(p[0], "max-packet-size") && p[1] && !p[2])
{
- VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
int maxmtu = positive_atoi(p[1], msglevel);
options->ce.tls_mtu = constrain_int(maxmtu, TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE);
if (maxmtu < TLS_CHANNEL_MTU_MIN || maxmtu > TLS_CHANNEL_BUF_SIZE)
{
- msg(M_WARN, "Note: max-packet-size value outside of allowed "
+ msg(M_WARN,
+ "Note: max-packet-size value outside of allowed "
"control channel packet size (%d to %d), will use %d "
- "instead.", TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE,
- options->ce.tls_mtu);
+ "instead.",
+ TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE, options->ce.tls_mtu);
}
/* also set mssfix maxmtu mtu */
@@ -7203,13 +7052,13 @@
#ifdef ENABLE_FRAGMENT
else if (streq(p[0], "mtu-dynamic"))
{
- VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
msg(msglevel, "--mtu-dynamic has been replaced by --fragment");
goto err;
}
else if (streq(p[0], "fragment") && p[1] && !p[3])
{
- VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
options->ce.fragment = positive_atoi(p[1], msglevel);
if (options->ce.fragment < 68)
@@ -7230,7 +7079,7 @@
#endif /* ifdef ENABLE_FRAGMENT */
else if (streq(p[0], "mtu-disc") && p[1] && !p[2])
{
- VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
options->ce.mtu_discover_type = translate_mtu_discover_type_name(p[1]);
}
else if (streq(p[0], "mtu-test") && !p[1])
@@ -7301,20 +7150,19 @@
shaper = atoi_warn(p[1], msglevel);
if (shaper < SHAPER_MIN || shaper > SHAPER_MAX)
{
- msg(msglevel, "Bad shaper value, must be between %d and %d",
- SHAPER_MIN, SHAPER_MAX);
+ msg(msglevel, "Bad shaper value, must be between %d and %d", SHAPER_MIN, SHAPER_MAX);
goto err;
}
options->shaper = shaper;
}
else if (streq(p[0], "port") && p[1] && !p[2])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
options->ce.local_port = options->ce.remote_port = p[1];
}
else if (streq(p[0], "lport") && p[1] && !p[2])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
/* only trigger bind() if port is not 0 (or --local is used) */
if (!streq(p[1], "0"))
@@ -7325,22 +7173,21 @@
}
else if (streq(p[0], "rport") && p[1] && !p[2])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
options->ce.remote_port = p[1];
}
else if (streq(p[0], "bind") && !p[2])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
options->ce.bind_defined = true;
if (p[1] && streq(p[1], "ipv6only"))
{
options->ce.bind_ipv6_only = true;
}
-
}
else if (streq(p[0], "nobind") && !p[1])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
options->ce.bind_local = false;
}
else if (streq(p[0], "fast-io") && !p[1])
@@ -7358,11 +7205,12 @@
options->inactivity_minimum_bytes = (val < 0) ? 0 : val;
if (options->inactivity_minimum_bytes > INT_MAX)
{
- msg(M_WARN, "WARNING: '--inactive' with a 'bytes' value"
+ msg(M_WARN,
+ "WARNING: '--inactive' with a 'bytes' value"
" >2 Gbyte was silently ignored in older versions. If "
" your VPN exits unexpectedly with 'Inactivity timeout'"
" in %d seconds, revisit this value.",
- options->inactivity_timeout );
+ options->inactivity_timeout);
}
}
}
@@ -7375,14 +7223,12 @@
{
int proto;
sa_family_t af;
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
proto = ascii2proto(p[1]);
af = ascii2af(p[1]);
if (proto < 0)
{
- msg(msglevel,
- "Bad protocol: '%s'. Allowed protocols with --proto option: %s",
- p[1],
+ msg(msglevel, "Bad protocol: '%s'. Allowed protocols with --proto option: %s", p[1],
proto2ascii_all(&gc));
goto err;
}
@@ -7405,7 +7251,7 @@
{
struct http_proxy_options *ho;
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
{
if (!p[2])
@@ -7451,29 +7297,30 @@
else if (streq(p[0], "http-proxy-user-pass") && p[1])
{
struct http_proxy_options *ho;
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
ho->auth_file_up = p[1];
ho->inline_creds = is_inline;
}
else if (streq(p[0], "http-proxy-retry") || streq(p[0], "socks-proxy-retry"))
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
msg(M_WARN, "DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: "
- "In OpenVPN 2.4 proxy connection retries are handled like regular connections. "
- "Use connect-retry-max 1 to get a similar behavior as before.");
+ "In OpenVPN 2.4 proxy connection retries are handled like regular connections. "
+ "Use connect-retry-max 1 to get a similar behavior as before.");
}
else if (streq(p[0], "http-proxy-timeout") && p[1] && !p[2])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
- msg(M_WARN, "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a "
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
+ msg(M_WARN,
+ "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a "
"server is established is managed with a single timeout set by connect-timeout");
}
else if (streq(p[0], "http-proxy-option") && p[1] && !p[4])
{
struct http_proxy_options *ho;
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
if (streq(p[1], "VERSION") && p[2] && !p[3])
@@ -7503,7 +7350,8 @@
}
if (!custom_header)
{
- msg(msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'", MAX_CUSTOM_HTTP_HEADER, p[1]);
+ msg(msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'",
+ MAX_CUSTOM_HTTP_HEADER, p[1]);
}
else
{
@@ -7520,7 +7368,7 @@
}
else if (streq(p[0], "socks-proxy") && p[1] && !p[4])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
if (p[2])
{
@@ -7563,7 +7411,7 @@
}
else if (streq(p[0], "explicit-exit-notify") && !p[2])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION | OPT_P_EXPLICIT_NOTIFY);
if (p[1])
{
options->ce.explicit_exit_notification = positive_atoi(p[1], msglevel);
@@ -7582,7 +7430,7 @@
{
VERIFY_PERMISSION(OPT_P_PERSIST);
msg(M_WARN, "DEPRECATED: --persist-key option ignored. "
- "Keys are now always persisted across restarts. ");
+ "Keys are now always persisted across restarts. ");
}
else if (streq(p[0], "persist-local-ip") && !p[1])
{
@@ -7615,7 +7463,8 @@
{
goto err;
}
- add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4], options->route_default_table_id);
+ add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4],
+ options->route_default_table_id);
}
else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
{
@@ -7624,14 +7473,15 @@
{
goto err;
}
- add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3], options->route_default_table_id);
+ add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3],
+ options->route_default_table_id);
}
else if (streq(p[0], "max-routes") && !p[2])
{
msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored. "
- "The number of routes is unlimited as of OpenVPN 2.4. "
- "This option will be removed in a future version, "
- "please remove it from your configuration.");
+ "The number of routes is unlimited as of OpenVPN 2.4. "
+ "This option will be removed in a future version, "
+ "please remove it from your configuration.");
}
else if (streq(p[0], "route-gateway") && p[1] && !p[2])
{
@@ -7642,7 +7492,8 @@
}
else
{
- if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) || is_special_addr(p[1])) /* FQDN -- may be DNS name */
+ if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn)
+ || is_special_addr(p[1])) /* FQDN -- may be DNS name */
{
options->route_default_gateway = p[1];
}
@@ -7703,10 +7554,7 @@
{
goto err;
}
- set_user_script(options,
- &options->route_predown_script,
- p[1],
- "route-pre-down", true);
+ set_user_script(options, &options->route_predown_script, p[1], "route-pre-down", true);
}
else if (streq(p[0], "route-noexec") && !p[1])
{
@@ -7757,11 +7605,10 @@
if (options->routes->flags & RG_ENABLE)
{
- msg(M_WARN,
- "WARNING: You have specified redirect-gateway and "
- "redirect-private at the same time (or the same option "
- "multiple times). This is not well supported and may lead to "
- "unexpected results");
+ msg(M_WARN, "WARNING: You have specified redirect-gateway and "
+ "redirect-private at the same time (or the same option "
+ "multiple times). This is not well supported and may lead to "
+ "unexpected results");
}
options->routes->flags |= RG_ENABLE;
@@ -7861,8 +7708,7 @@
unsigned int major, minor, patch;
if (!(sscanf(p[1], "%u.%u.%u", &major, &minor, &patch) == 3))
{
- msg(msglevel, "cannot parse version number for --compat-mode: %s",
- p[1]);
+ msg(msglevel, "cannot parse version number for --compat-mode: %s", p[1]);
goto err;
}
@@ -7880,14 +7726,13 @@
}
else if (streq(p[0], "mssfix") && !p[3])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
if (p[1])
{
int mssfix = positive_atoi(p[1], msglevel);
/* can be 0, but otherwise it needs to be high enough so we can
* substract room for headers. */
- if (mssfix != 0
- && (mssfix < TLS_CHANNEL_MTU_MIN || mssfix > UINT16_MAX))
+ if (mssfix != 0 && (mssfix < TLS_CHANNEL_MTU_MIN || mssfix > UINT16_MAX))
{
msg(msglevel, "--mssfix value '%s' is invalid", p[1]);
goto err;
@@ -7963,15 +7808,14 @@
unsigned int netbits = 0;
VERIFY_PERMISSION(OPT_P_GENERAL);
- if (!get_ipv6_addr(p[1], &network, &netbits, lev) )
+ if (!get_ipv6_addr(p[1], &network, &netbits, lev))
{
msg(msglevel, "error parsing --server-ipv6 parameter");
goto err;
}
if (netbits < 64 || netbits > 124)
{
- msg(msglevel,
- "--server-ipv6 settings: network must be between /64 and /124 (not /%d)",
+ msg(msglevel, "--server-ipv6 settings: network must be between /64 and /124 (not /%d)",
netbits);
goto err;
@@ -8076,7 +7920,7 @@
unsigned int netbits = 0;
VERIFY_PERMISSION(OPT_P_GENERAL);
- if (!get_ipv6_addr(p[1], &network, &netbits, lev ) )
+ if (!get_ipv6_addr(p[1], &network, &netbits, lev))
{
msg(msglevel, "error parsing --ifconfig-ipv6-pool parameters");
goto err;
@@ -8165,7 +8009,8 @@
else if (streq(p[0], "client-cert-not-required") && !p[1])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
- msg(M_FATAL, "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead");
+ msg(M_FATAL,
+ "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead");
}
else if (streq(p[0], "verify-client-cert") && !p[2])
{
@@ -8186,7 +8031,8 @@
}
else if (!streq(p[1], "require"))
{
- msg(msglevel, "parameter to --verify-client-cert must be 'none', 'optional' or 'require'");
+ msg(msglevel,
+ "parameter to --verify-client-cert must be 'none', 'optional' or 'require'");
goto err;
}
}
@@ -8205,7 +8051,7 @@
{
VERIFY_PERMISSION(OPT_P_GENERAL);
msg(M_INFO, "DEPRECATION: opt-verify is deprecated and will be removed "
- "in OpenVPN 2.7");
+ "in OpenVPN 2.7");
options->ssl_flags |= SSLF_OPT_VERIFY;
}
else if (streq(p[0], "auth-user-pass-verify") && p[1])
@@ -8227,18 +8073,19 @@
}
else
{
- msg(msglevel, "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
+ msg(msglevel,
+ "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
goto err;
}
}
else
{
- msg(msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
+ msg(msglevel,
+ "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
goto err;
}
- set_user_script(options,
- &options->auth_user_pass_verify_script,
- p[1], "auth-user-pass-verify", true);
+ set_user_script(options, &options->auth_user_pass_verify_script, p[1],
+ "auth-user-pass-verify", true);
}
else if (streq(p[0], "auth-gen-token"))
{
@@ -8262,14 +8109,12 @@
msg(msglevel, "Invalid argument to auth-gen-token: %s (%d)", p[i], i);
}
}
-
}
else if (streq(p[0], "auth-gen-token-secret") && p[1] && !p[2])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
options->auth_token_secret_file = p[1];
options->auth_token_secret_file_inline = is_inline;
-
}
else if (streq(p[0], "client-connect") && p[1])
{
@@ -8278,8 +8123,7 @@
{
goto err;
}
- set_user_script(options, &options->client_connect_script,
- p[1], "client-connect", true);
+ set_user_script(options, &options->client_connect_script, p[1], "client-connect", true);
}
else if (streq(p[0], "client-crresponse") && p[1])
{
@@ -8288,8 +8132,8 @@
{
goto err;
}
- set_user_script(options, &options->client_crresponse_script,
- p[1], "client-crresponse", true);
+ set_user_script(options, &options->client_crresponse_script, p[1], "client-crresponse",
+ true);
}
else if (streq(p[0], "client-disconnect") && p[1])
{
@@ -8298,8 +8142,8 @@
{
goto err;
}
- set_user_script(options, &options->client_disconnect_script,
- p[1], "client-disconnect", true);
+ set_user_script(options, &options->client_disconnect_script, p[1], "client-disconnect",
+ true);
}
else if (streq(p[0], "learn-address") && p[1])
{
@@ -8308,8 +8152,7 @@
{
goto err;
}
- set_user_script(options, &options->learn_address_script,
- p[1], "learn-address", true);
+ set_user_script(options, &options->learn_address_script, p[1], "learn-address", true);
}
else if (streq(p[0], "tmp-dir") && p[1] && !p[2])
{
@@ -8384,8 +8227,8 @@
in_addr_t local, remote_netmask;
VERIFY_PERMISSION(OPT_P_INSTANCE);
- local = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
- remote_netmask = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[2], 0, NULL, NULL);
+ local = getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[1], 0, NULL, NULL);
+ remote_netmask = getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[2], 0, NULL, NULL);
if (local && remote_netmask)
{
options->push_ifconfig_defined = true;
@@ -8393,7 +8236,8 @@
options->push_ifconfig_remote_netmask = remote_netmask;
if (p[3])
{
- options->push_ifconfig_local_alias = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[3], 0, NULL, NULL);
+ options->push_ifconfig_local_alias =
+ getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[3], 0, NULL, NULL);
}
}
else
@@ -8407,7 +8251,7 @@
in_addr_t network, netmask;
VERIFY_PERMISSION(OPT_P_GENERAL);
- network = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
+ network = getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[1], 0, NULL, NULL);
netmask = getaddr(GETADDR_HOST_ORDER, p[2], 0, NULL, NULL);
if (network && netmask)
{
@@ -8428,7 +8272,7 @@
VERIFY_PERMISSION(OPT_P_INSTANCE);
- if (!get_ipv6_addr( p[1], &local, &netbits, msglevel ) )
+ if (!get_ipv6_addr(p[1], &local, &netbits, msglevel))
{
msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses");
goto err;
@@ -8436,19 +8280,19 @@
if (p[2])
{
- if (!get_ipv6_addr( p[2], &remote, NULL, msglevel ) )
+ if (!get_ipv6_addr(p[2], &remote, NULL, msglevel))
{
- msg( msglevel, "cannot parse --ifconfig-ipv6-push addresses");
+ msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses");
goto err;
}
}
else
{
if (!options->ifconfig_ipv6_local
- || !get_ipv6_addr( options->ifconfig_ipv6_local, &remote,
- NULL, msglevel ) )
+ || !get_ipv6_addr(options->ifconfig_ipv6_local, &remote, NULL, msglevel))
{
- msg( msglevel, "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
+ msg(msglevel,
+ "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
goto err;
}
}
@@ -8469,8 +8313,10 @@
VERIFY_PERMISSION(OPT_P_INSTANCE);
if (strlen(p[1]) > USER_PASS_LEN)
{
- msg(msglevel, "override-username exceeds the maximum length of %d "
- "characters", USER_PASS_LEN);
+ msg(msglevel,
+ "override-username exceeds the maximum length of %d "
+ "characters",
+ USER_PASS_LEN);
/* disable the connection since ignoring the request to
* set another username might cause serious problems */
@@ -8506,7 +8352,7 @@
msg(msglevel, "--stale-routes-check aging time and check interval must be >= 1");
goto err;
}
- options->stale_routes_ageing_time = ageing_time;
+ options->stale_routes_ageing_time = ageing_time;
options->stale_routes_check_interval = check_interval;
}
@@ -8527,7 +8373,7 @@
}
else if (streq(p[0], "auth-user-pass") && !p[2])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
if (p[1])
{
options->auth_user_pass_file = p[1];
@@ -8568,15 +8414,15 @@
#ifdef _WIN32
VERIFY_PERMISSION(OPT_P_GENERAL);
HANDLE process = GetCurrentProcess();
- HANDLE handle = (HANDLE) ((intptr_t) atoll(p[1]));
- if (!DuplicateHandle(process, handle, process, &options->msg_channel, 0,
- FALSE, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
+ HANDLE handle = (HANDLE)((intptr_t)atoll(p[1]));
+ if (!DuplicateHandle(process, handle, process, &options->msg_channel, 0, FALSE,
+ DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
{
msg(msglevel, "could not duplicate service pipe handle");
goto err;
}
options->route_method = ROUTE_METHOD_SERVICE;
-#else /* ifdef _WIN32 */
+#else /* ifdef _WIN32 */
msg(msglevel, "--msg-channel is only supported on Windows");
goto err;
#endif
@@ -8588,8 +8434,8 @@
if (streq(p[1], "env"))
{
msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN 2.3. "
- "This entry will now be ignored. "
- "Please remove this entry from your configuration file.");
+ "This entry will now be ignored. "
+ "Please remove this entry from your configuration file.");
}
else
{
@@ -8626,9 +8472,7 @@
if (index < 0)
{
- msg(msglevel,
- "Bad --ip-win32 method: '%s'. Allowed methods: %s",
- p[1],
+ msg(msglevel, "Bad --ip-win32 method: '%s'. Allowed methods: %s", p[1],
ipset2ascii_all(&gc));
goto err;
}
@@ -8648,7 +8492,9 @@
if (!(offset > -256 && offset < 256))
{
- msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", offset);
+ msg(msglevel,
+ "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256",
+ offset);
goto err;
}
@@ -8663,7 +8509,9 @@
lease_time = atoi_warn(p[3], msglevel);
if (lease_time < min_lease)
{
- msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", lease_time, min_lease);
+ msg(msglevel,
+ "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds",
+ lease_time, min_lease);
goto err;
}
to->dhcp_lease_time = lease_time;
@@ -8803,10 +8651,11 @@
#endif
else
{
- msg(msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p[1]);
+ msg(msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter",
+ p[1]);
goto err;
}
-#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
+#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
setenv_foreign_option(options, p[1], p[2], es);
#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
@@ -8821,14 +8670,14 @@
else if (streq(p[0], "show-adapters") && !p[1])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
- show_tap_win_adapters(M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX);
+ show_tap_win_adapters(M_INFO | M_NOPREFIX, M_WARN | M_NOPREFIX);
openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
}
else if (streq(p[0], "show-net") && !p[1])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
- show_routes(M_INFO|M_NOPREFIX);
- show_adapters(M_INFO|M_NOPREFIX);
+ show_routes(M_INFO | M_NOPREFIX);
+ show_adapters(M_INFO | M_NOPREFIX);
openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
}
else if (streq(p[0], "show-net-up") && !p[1])
@@ -8977,19 +8826,20 @@
if (streq(p[1], "no"))
{
- options->comp.flags =
- COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY;
+ options->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY;
if (comp_non_stub_enabled(&options->comp))
{
msg(msglevel, "'--allow-compression no' conflicts with "
- " enabling compression");
+ " enabling compression");
}
}
else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
{
/* Also printed on a push to hint at configuration problems */
- msg(msglevel, "Cannot set allow-compression to '%s' "
- "after set to 'no'", p[1]);
+ msg(msglevel,
+ "Cannot set allow-compression to '%s' "
+ "after set to 'no'",
+ p[1]);
goto err;
}
else if (streq(p[1], "asym"))
@@ -8998,15 +8848,18 @@
}
else if (streq(p[1], "yes"))
{
- msg(M_WARN, "DEPRECATED OPTION: \"--allow-compression yes\" has been removed. "
+ msg(M_WARN,
+ "DEPRECATED OPTION: \"--allow-compression yes\" has been removed. "
"We will use \"asym\" mode instead. See the manual page for more information.");
options->comp.flags |= COMP_F_ALLOW_ASYM;
}
else
{
- msg(msglevel, "bad allow-compression option: %s -- "
- "must be 'yes', 'no', or 'asym'", p[1]);
+ msg(msglevel,
+ "bad allow-compression option: %s -- "
+ "must be 'yes', 'no', or 'asym'",
+ p[1]);
goto err;
}
}
@@ -9030,7 +8883,8 @@
*/
else if (!(streq(p[1], "yes") || streq(p[1], "adaptive")))
{
- msg(msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]);
+ msg(msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'",
+ p[1]);
goto err;
}
}
@@ -9052,7 +8906,7 @@
if (streq(alg, "stub"))
{
options->comp.alg = COMP_ALG_STUB;
- options->comp.flags |= (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY);
+ options->comp.flags |= (COMP_F_SWAP | COMP_F_ADVERTISE_STUBS_ONLY);
}
else if (streq(alg, "stub-v2"))
{
@@ -9105,7 +8959,7 @@
{
int key_direction;
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
key_direction = ascii2keydirection(msglevel, p[1]);
if (key_direction >= 0)
@@ -9127,7 +8981,7 @@
else if (streq(p[0], "secret") && p[1] && !p[3])
{
msg(M_WARN, "DEPRECATED OPTION: The option --secret is deprecated.");
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
options->shared_secret_file = p[1];
options->shared_secret_file_inline = is_inline;
if (!is_inline && p[2])
@@ -9149,7 +9003,6 @@
{
VERIFY_PERMISSION(OPT_P_GENERAL);
options->allow_deprecated_insecure_static_crypto = true;
-
}
else if (streq(p[0], "genkey") && !p[4])
{
@@ -9161,8 +9014,7 @@
}
else
{
- if (streq(p[1], "secret") || streq(p[1], "tls-auth")
- || streq(p[1], "tls-crypt"))
+ if (streq(p[1], "secret") || streq(p[1], "tls-auth") || streq(p[1], "tls-crypt"))
{
options->genkey_type = GENKEY_SECRET;
}
@@ -9186,7 +9038,6 @@
{
msg(msglevel, "unknown --genkey type: %s", p[1]);
}
-
}
if (p[2])
{
@@ -9200,23 +9051,22 @@
}
else if (streq(p[0], "cipher") && p[1] && !p[2])
{
- VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE);
+ VERIFY_PERMISSION(OPT_P_NCP | OPT_P_INSTANCE);
options->ciphername = p[1];
}
else if (streq(p[0], "data-ciphers-fallback") && p[1] && !p[2])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INSTANCE);
options->ciphername = p[1];
options->enable_ncp_fallback = true;
}
- else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers"))
- && p[1] && !p[2])
+ else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers")) && p[1] && !p[2])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INSTANCE);
if (streq(p[0], "ncp-ciphers"))
{
msg(M_INFO, "Note: Treating option '--ncp-ciphers' as "
- " '--data-ciphers' (renamed in OpenVPN 2.5).");
+ " '--data-ciphers' (renamed in OpenVPN 2.5).");
}
options->ncp_ciphers = p[1];
}
@@ -9278,7 +9128,7 @@
VERIFY_PERMISSION(OPT_P_GENERAL);
/* always error out, this breaks the connection */
msg(M_FATAL, "--no-replay was removed in OpenVPN 2.7. "
- "Update your configuration.");
+ "Update your configuration.");
}
else if (streq(p[0], "replay-window") && !p[3])
{
@@ -9291,9 +9141,7 @@
if (!(MIN_SEQ_BACKTRACK <= replay_window && replay_window <= MAX_SEQ_BACKTRACK))
{
msg(msglevel, "replay-window window size parameter (%d) must be between %d and %d",
- replay_window,
- MIN_SEQ_BACKTRACK,
- MAX_SEQ_BACKTRACK);
+ replay_window, MIN_SEQ_BACKTRACK, MAX_SEQ_BACKTRACK);
goto err;
}
options->replay_window = replay_window;
@@ -9305,10 +9153,9 @@
replay_time = atoi_warn(p[2], msglevel);
if (!(MIN_TIME_BACKTRACK <= replay_time && replay_time <= MAX_TIME_BACKTRACK))
{
- msg(msglevel, "replay-window time window parameter (%d) must be between %d and %d",
- replay_time,
- MIN_TIME_BACKTRACK,
- MAX_TIME_BACKTRACK);
+ msg(msglevel,
+ "replay-window time window parameter (%d) must be between %d and %d",
+ replay_time, MIN_TIME_BACKTRACK, MAX_TIME_BACKTRACK);
goto err;
}
options->replay_time = replay_time;
@@ -9377,8 +9224,8 @@
{
VERIFY_PERMISSION(OPT_P_GENERAL);
msg(M_WARN, "Consider setting groups/curves preference with "
- "tls-groups instead of forcing a specific curve with "
- "ecdh-curve.");
+ "tls-groups instead of forcing a specific curve with "
+ "ecdh-curve.");
options->ecdh_curve = p[1];
}
else if (streq(p[0], "tls-server") && !p[1])
@@ -9393,7 +9240,7 @@
}
else if (streq(p[0], "ca") && p[1] && !p[2])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
options->ca_file = p[1];
options->ca_file_inline = is_inline;
}
@@ -9406,33 +9253,33 @@
#endif /* ENABLE_CRYPTO_MBEDTLS */
else if (streq(p[0], "dh") && p[1] && !p[2])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
options->dh_file = p[1];
options->dh_file_inline = is_inline;
}
else if (streq(p[0], "cert") && p[1] && !p[2])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
options->cert_file = p[1];
options->cert_file_inline = is_inline;
}
else if (streq(p[0], "extra-certs") && p[1] && !p[2])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
options->extra_certs_file = p[1];
options->extra_certs_file_inline = is_inline;
}
else if ((streq(p[0], "verify-hash") && p[1] && !p[3])
|| (streq(p[0], "peer-fingerprint") && p[1] && !p[2]))
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
int verify_hash_depth = 0;
if (streq(p[0], "verify-hash"))
{
msg(M_WARN, "DEPRECATED OPTION: The option --verify-hash is deprecated. "
- "You should switch to the either use the level 1 certificate as "
- "--ca option, use --tls-verify or use --peer-fingerprint");
+ "You should switch to the either use the level 1 certificate as "
+ "--ca option, use --tls-verify or use --peer-fingerprint");
/* verify level 1 cert, i.e. the CA that signed the leaf cert */
verify_hash_depth = 1;
}
@@ -9443,8 +9290,10 @@
if (options->verify_hash && options->verify_hash_depth != verify_hash_depth)
{
- msg(msglevel, "ERROR: Setting %s not allowed. --verify-hash and"
- " --peer-fingerprint are mutually exclusive", p[0]);
+ msg(msglevel,
+ "ERROR: Setting %s not allowed. --verify-hash and"
+ " --peer-fingerprint are mutually exclusive",
+ p[0]);
goto err;
}
@@ -9457,15 +9306,16 @@
}
else if (p[2] && !streq(p[2], "SHA256"))
{
- msg(msglevel, "invalid or unsupported hashing algorithm: %s "
- "(only SHA1 and SHA256 are supported)", p[2]);
+ msg(msglevel,
+ "invalid or unsupported hashing algorithm: %s "
+ "(only SHA1 and SHA256 are supported)",
+ p[2]);
goto err;
}
}
struct verify_hash_list *newlist;
- newlist = parse_hash_fingerprint_multiline(p[1], digest_len,
- msglevel, &options->gc);
+ newlist = parse_hash_fingerprint_multiline(p[1], digest_len, msglevel, &options->gc);
/* Append the new list to the end of our current list */
if (!options->verify_hash)
@@ -9494,7 +9344,7 @@
#endif
else if (streq(p[0], "key") && p[1] && !p[2])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
options->priv_key_file = p[1];
options->priv_key_file_inline = is_inline;
}
@@ -9517,8 +9367,7 @@
}
#endif
- options->ssl_flags &=
- ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
+ options->ssl_flags &= ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT);
}
else if (streq(p[0], "tls-version-max") && p[1] && !p[2])
@@ -9531,14 +9380,13 @@
msg(msglevel, "unknown tls-version-max parameter: %s", p[1]);
goto err;
}
- options->ssl_flags &=
- ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT);
+ options->ssl_flags &= ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT);
options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT);
}
#ifndef ENABLE_CRYPTO_MBEDTLS
else if (streq(p[0], "pkcs12") && p[1] && !p[2])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
options->pkcs12_file = p[1];
options->pkcs12_file_inline = is_inline;
}
@@ -9611,10 +9459,9 @@
VERIFY_PERMISSION(OPT_P_GENERAL);
options->tls_groups = p[1];
}
- else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir"))
- || !p[2]))
+ else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir")) || !p[2]))
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
if (p[2] && streq(p[2], "dir"))
{
options->ssl_flags |= SSLF_CRL_VERIFY_DIR;
@@ -9630,8 +9477,7 @@
goto err;
}
set_user_script(options, &options->tls_verify,
- string_substitute(p[1], ',', ' ', &options->gc),
- "tls-verify", true);
+ string_substitute(p[1], ',', ' ', &options->gc), "tls-verify", true);
}
else if (streq(p[0], "tls-export-cert") && p[1] && !p[2])
{
@@ -9642,14 +9488,14 @@
{
VERIFY_PERMISSION(OPT_P_GENERAL);
msg(msglevel, "--compat-names was removed in OpenVPN 2.5. "
- "Update your configuration.");
+ "Update your configuration.");
goto err;
}
else if (streq(p[0], "no-name-remapping") && !p[1])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
msg(msglevel, "--no-name-remapping was removed in OpenVPN 2.5. "
- "Update your configuration.");
+ "Update your configuration.");
goto err;
}
else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3])
@@ -9708,7 +9554,7 @@
size_t j;
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
{
- sscanf(p[j], "%x", &(options->remote_cert_ku[j-1]));
+ sscanf(p[j], "%x", &(options->remote_cert_ku[j - 1]));
}
if (j == 1)
{
@@ -9793,7 +9639,7 @@
{
int key_direction = -1;
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION | OPT_P_INLINE);
if (permission_mask & OPT_P_GENERAL)
{
@@ -9809,7 +9655,6 @@
}
options->key_direction = key_direction;
}
-
}
else if (permission_mask & OPT_P_CONNECTION)
{
@@ -9830,7 +9675,7 @@
}
else if (streq(p[0], "tls-crypt") && p[1] && !p[3])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION | OPT_P_INLINE);
if (permission_mask & OPT_P_GENERAL)
{
options->tls_crypt_file = p[1];
@@ -9844,7 +9689,7 @@
}
else if (streq(p[0], "tls-crypt-v2") && p[1] && !p[3])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION | OPT_P_INLINE);
if (permission_mask & OPT_P_GENERAL)
{
options->tls_crypt_v2_file = p[1];
@@ -9887,19 +9732,19 @@
{
char *s = p[j];
- if (strncmp("ext:", s, 4) == 0 && !x509_username_field_ext_supported(s+4))
+ if (strncmp("ext:", s, 4) == 0 && !x509_username_field_ext_supported(s + 4))
{
msg(msglevel, "Unsupported x509-username-field extension: %s", s);
}
- options->x509_username_field[j-1] = p[j];
+ options->x509_username_field[j - 1] = p[j];
}
}
#endif /* ENABLE_X509ALTUSERNAME */
#ifdef ENABLE_PKCS11
else if (streq(p[0], "show-pkcs11-ids") && !p[3])
{
- char *provider = p[1];
- bool cert_private = (p[2] == NULL ? false : (atoi_warn(p[2], msglevel) != 0 ));
+ char *provider = p[1];
+ bool cert_private = (p[2] == NULL ? false : (atoi_warn(p[2], msglevel) != 0));
#ifdef DEFAULT_PKCS11_MODULE
if (!provider)
@@ -9940,7 +9785,7 @@
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
{
- options->pkcs11_providers[j-1] = p[j];
+ options->pkcs11_providers[j - 1] = p[j];
}
}
else if (streq(p[0], "pkcs11-protected-authentication"))
@@ -9951,7 +9796,8 @@
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
{
- options->pkcs11_protected_authentication[j-1] = atoi_warn(p[j], msglevel) != 0 ? 1 : 0;
+ options->pkcs11_protected_authentication[j - 1] =
+ atoi_warn(p[j], msglevel) != 0 ? 1 : 0;
}
}
else if (streq(p[0], "pkcs11-private-mode") && p[1])
@@ -9962,7 +9808,7 @@
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
{
- sscanf(p[j], "%x", &(options->pkcs11_private_mode[j-1]));
+ sscanf(p[j], "%x", &(options->pkcs11_private_mode[j - 1]));
}
}
else if (streq(p[0], "pkcs11-cert-private"))
@@ -9973,7 +9819,7 @@
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
{
- options->pkcs11_cert_private[j-1] = (bool) (atoi_warn(p[j], msglevel));
+ options->pkcs11_cert_private[j - 1] = (bool)(atoi_warn(p[j], msglevel));
}
}
else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2])
@@ -10019,13 +9865,13 @@
if (strncmp(p[1], "EXPORTER", 8))
{
msg(msglevel, "Keying material exporter label must begin with "
- "\"EXPORTER\"");
+ "\"EXPORTER\"");
goto err;
}
if (streq(p[1], EXPORT_KEY_DATA_LABEL))
{
- msg(msglevel, "Keying material exporter label must not be '"
- EXPORT_KEY_DATA_LABEL "'.");
+ msg(msglevel,
+ "Keying material exporter label must not be '" EXPORT_KEY_DATA_LABEL "'.");
}
if (ekm_length < 16 || ekm_length > 4095)
{
@@ -10069,13 +9915,12 @@
}
else if (streq(p[0], "vlan-pvid") && p[1] && !p[2])
{
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
+ VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INSTANCE);
options->vlan_pvid = positive_atoi(p[1], msglevel);
if (options->vlan_pvid < OPENVPN_8021Q_MIN_VID
|| options->vlan_pvid > OPENVPN_8021Q_MAX_VID)
{
- msg(msglevel,
- "the parameter of --vlan-pvid parameters must be >= %u and <= %u",
+ msg(msglevel, "the parameter of --vlan-pvid parameters must be >= %u and <= %u",
OPENVPN_8021Q_MIN_VID, OPENVPN_8021Q_MAX_VID);
goto err;
}
@@ -10096,11 +9941,14 @@
}
if (file)
{
- msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION);
+ msg(msglevel_unknown,
+ "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file,
+ line, p[0], PACKAGE_VERSION);
}
else
{
- msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s): --%s (%s)", p[0], PACKAGE_VERSION);
+ msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s): --%s (%s)",
+ p[0], PACKAGE_VERSION);
}
}
err:
@@ -121,33 +121,34 @@
const char *socks_proxy_port;
const char *socks_proxy_authfile;
- int tun_mtu; /* MTU of tun device */
- int occ_mtu; /* if non-null, this is the MTU we announce to peers in OCC */
- int tun_mtu_max; /* maximum MTU that can be pushed */
+ int tun_mtu; /* MTU of tun device */
+ int occ_mtu; /* if non-null, this is the MTU we announce to peers in OCC */
+ int tun_mtu_max; /* maximum MTU that can be pushed */
bool tun_mtu_defined; /* true if user overriding parm with command line option */
int tun_mtu_extra;
bool tun_mtu_extra_defined;
- int link_mtu; /* MTU of device over which tunnel packets pass via TCP/UDP */
+ int link_mtu; /* MTU of device over which tunnel packets pass via TCP/UDP */
bool link_mtu_defined; /* true if user overriding parm with command line option */
- int tls_mtu; /* Maximum MTU for the control channel messages */
+ int tls_mtu; /* Maximum MTU for the control channel messages */
/* Advanced MTU negotiation and datagram fragmentation options */
int mtu_discover_type; /* used if OS supports setting Path MTU discovery options on socket */
- int fragment; /* internal fragmentation size */
- bool fragment_encap; /* true if --fragment had the "mtu" parameter to
- * include overhead from IP and TCP/UDP encapsulation */
- int mssfix; /* Upper bound on TCP MSS */
- bool mssfix_default; /* true if --mssfix should use the default parameters */
- bool mssfix_encap; /* true if --mssfix had the "mtu" parameter to include
- * overhead from IP and TCP/UDP encapsulation */
- bool mssfix_fixed; /* use the mssfix value without any encapsulation adjustments */
+ int fragment; /* internal fragmentation size */
+ bool fragment_encap; /* true if --fragment had the "mtu" parameter to
+ * include overhead from IP and TCP/UDP encapsulation */
+ int mssfix; /* Upper bound on TCP MSS */
+ bool mssfix_default; /* true if --mssfix should use the default parameters */
+ bool mssfix_encap; /* true if --mssfix had the "mtu" parameter to include
+ * overhead from IP and TCP/UDP encapsulation */
+ bool mssfix_fixed; /* use the mssfix value without any encapsulation adjustments */
- int explicit_exit_notification; /* Explicitly tell peer when we are exiting via OCC_EXIT or [RESTART] message */
+ int explicit_exit_notification; /* Explicitly tell peer when we are exiting via OCC_EXIT or
+ [RESTART] message */
-#define CE_DISABLED (1<<0)
-#define CE_MAN_QUERY_PROXY (1<<1)
+#define CE_DISABLED (1 << 0)
+#define CE_MAN_QUERY_PROXY (1 << 1)
#define CE_MAN_QUERY_REMOTE_UNDEF 0
#define CE_MAN_QUERY_REMOTE_QUERY 1
#define CE_MAN_QUERY_REMOTE_ACCEPT 2
@@ -230,7 +231,8 @@
char port[RH_PORT_LEN];
};
-enum genkey_type {
+enum genkey_type
+{
GENKEY_SECRET,
GENKEY_TLS_CRYPTV2_CLIENT,
GENKEY_TLS_CRYPTV2_SERVER,
@@ -337,32 +339,32 @@
bool mlock;
- int keepalive_ping; /* a proxy for ping/ping-restart */
+ int keepalive_ping; /* a proxy for ping/ping-restart */
int keepalive_timeout;
- int inactivity_timeout; /* --inactive */
+ int inactivity_timeout; /* --inactive */
int64_t inactivity_minimum_bytes;
- int session_timeout; /* Force-kill session after n seconds */
+ int session_timeout; /* Force-kill session after n seconds */
- int ping_send_timeout; /* Send a TCP/UDP ping to remote every n seconds */
- int ping_rec_timeout; /* Expect a TCP/UDP ping from remote at least once every n seconds */
- bool ping_timer_remote; /* Run ping timer only if we have a remote address */
+ int ping_send_timeout; /* Send a TCP/UDP ping to remote every n seconds */
+ int ping_rec_timeout; /* Expect a TCP/UDP ping from remote at least once every n seconds */
+ bool ping_timer_remote; /* Run ping timer only if we have a remote address */
#define PING_UNDEF 0
#define PING_EXIT 1
#define PING_RESTART 2
int ping_rec_timeout_action; /* What action to take on ping_rec_timeout (exit or restart)? */
- bool persist_tun; /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */
- bool persist_local_ip; /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */
- bool persist_remote_ip; /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */
+ bool persist_tun; /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */
+ bool persist_local_ip; /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */
+ bool persist_remote_ip; /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */
#if PASSTOS_CAPABILITY
bool passtos;
#endif
- int resolve_retry_seconds; /* If hostname resolve fails, retry for n seconds */
+ int resolve_retry_seconds; /* If hostname resolve fails, retry for n seconds */
bool resolve_in_advance;
const char *ip_remote_hint;
@@ -433,7 +435,7 @@
int route_delay_window;
bool route_delay_defined;
struct route_option_list *routes;
- struct route_ipv6_option_list *routes_ipv6; /* IPv6 */
+ struct route_ipv6_option_list *routes_ipv6; /* IPv6 */
bool block_ipv6;
bool route_nopull;
bool route_gateway_via_dhcp;
@@ -468,13 +470,13 @@
bool server_defined;
in_addr_t server_network;
in_addr_t server_netmask;
- bool server_ipv6_defined; /* IPv6 */
- struct in6_addr server_network_ipv6; /* IPv6 */
- unsigned int server_netbits_ipv6; /* IPv6 */
+ bool server_ipv6_defined; /* IPv6 */
+ struct in6_addr server_network_ipv6; /* IPv6 */
+ unsigned int server_netbits_ipv6; /* IPv6 */
-#define SF_NOPOOL (1<<0)
-#define SF_TCP_NODELAY_HELPER (1<<1)
-#define SF_NO_PUSH_ROUTE_GATEWAY (1<<2)
+#define SF_NOPOOL (1 << 0)
+#define SF_TCP_NODELAY_HELPER (1 << 1)
+#define SF_NO_PUSH_ROUTE_GATEWAY (1 << 2)
unsigned int server_flags;
bool server_bridge_proxy_dhcp;
@@ -493,9 +495,9 @@
const char *ifconfig_pool_persist_filename;
int ifconfig_pool_persist_refresh_freq;
- bool ifconfig_ipv6_pool_defined; /* IPv6 */
- struct in6_addr ifconfig_ipv6_pool_base; /* IPv6 */
- int ifconfig_ipv6_pool_netbits; /* IPv6 */
+ bool ifconfig_ipv6_pool_defined; /* IPv6 */
+ struct in6_addr ifconfig_ipv6_pool_base; /* IPv6 */
+ int ifconfig_ipv6_pool_netbits; /* IPv6 */
int real_hash_size;
int virtual_hash_size;
@@ -510,7 +512,7 @@
int n_bcast_buf;
int tcp_queue_limit;
struct iroute *iroutes;
- struct iroute_ipv6 *iroutes_ipv6; /* IPv6 */
+ struct iroute_ipv6 *iroutes_ipv6; /* IPv6 */
bool push_ifconfig_defined;
in_addr_t push_ifconfig_local;
in_addr_t push_ifconfig_remote_netmask;
@@ -518,12 +520,12 @@
bool push_ifconfig_constraint_defined;
in_addr_t push_ifconfig_constraint_network;
in_addr_t push_ifconfig_constraint_netmask;
- bool push_ifconfig_ipv4_blocked; /* IPv4 */
- bool push_ifconfig_ipv6_defined; /* IPv6 */
- struct in6_addr push_ifconfig_ipv6_local; /* IPv6 */
- int push_ifconfig_ipv6_netbits; /* IPv6 */
- struct in6_addr push_ifconfig_ipv6_remote; /* IPv6 */
- bool push_ifconfig_ipv6_blocked; /* IPv6 */
+ bool push_ifconfig_ipv4_blocked; /* IPv4 */
+ bool push_ifconfig_ipv6_defined; /* IPv6 */
+ struct in6_addr push_ifconfig_ipv6_local; /* IPv6 */
+ int push_ifconfig_ipv6_netbits; /* IPv6 */
+ struct in6_addr push_ifconfig_ipv6_remote; /* IPv6 */
+ bool push_ifconfig_ipv6_blocked; /* IPv6 */
bool enable_c2c;
bool duplicate_cn;
@@ -572,8 +574,8 @@
bool allow_deprecated_insecure_static_crypto;
int key_direction;
const char *ciphername;
- bool enable_ncp_fallback; /**< If defined fall back to
- * ciphername if NCP fails */
+ bool enable_ncp_fallback; /**< If defined fall back to
+ * ciphername if NCP fails */
/** The original ncp_ciphers specified by the user in the configuration*/
const char *ncp_ciphers_conf;
const char *ncp_ciphers;
@@ -727,40 +729,40 @@
/*
* Option classes.
*/
-#define OPT_P_GENERAL (1<<0)
-#define OPT_P_UP (1<<1)
-#define OPT_P_ROUTE (1<<2)
-#define OPT_P_DHCPDNS (1<<3) /* includes ip windows options like */
-#define OPT_P_SCRIPT (1<<4)
-#define OPT_P_SETENV (1<<5)
-#define OPT_P_SHAPER (1<<6)
-#define OPT_P_TIMER (1<<7)
-#define OPT_P_PERSIST (1<<8)
-#define OPT_P_PERSIST_IP (1<<9)
-#define OPT_P_COMP (1<<10) /* TODO */
-#define OPT_P_MESSAGES (1<<11)
-#define OPT_P_NCP (1<<12) /**< Negotiable crypto parameters */
-#define OPT_P_TLS_PARMS (1<<13) /* TODO */
-#define OPT_P_MTU (1<<14) /* TODO */
-#define OPT_P_NICE (1<<15)
-#define OPT_P_PUSH (1<<16)
-#define OPT_P_INSTANCE (1<<17) /**< allowed in ccd, client-connect etc*/
-#define OPT_P_CONFIG (1<<18)
-#define OPT_P_EXPLICIT_NOTIFY (1<<19)
-#define OPT_P_ECHO (1<<20)
-#define OPT_P_INHERIT (1<<21)
-#define OPT_P_ROUTE_EXTRAS (1<<22)
-#define OPT_P_PULL_MODE (1<<23)
-#define OPT_P_PLUGIN (1<<24)
-#define OPT_P_SOCKBUF (1<<25)
-#define OPT_P_SOCKFLAGS (1<<26)
-#define OPT_P_CONNECTION (1<<27)
-#define OPT_P_PEER_ID (1<<28)
-#define OPT_P_INLINE (1<<29)
-#define OPT_P_PUSH_MTU (1<<30)
-#define OPT_P_ROUTE_TABLE (1<<31)
+#define OPT_P_GENERAL (1 << 0)
+#define OPT_P_UP (1 << 1)
+#define OPT_P_ROUTE (1 << 2)
+#define OPT_P_DHCPDNS (1 << 3) /* includes ip windows options like */
+#define OPT_P_SCRIPT (1 << 4)
+#define OPT_P_SETENV (1 << 5)
+#define OPT_P_SHAPER (1 << 6)
+#define OPT_P_TIMER (1 << 7)
+#define OPT_P_PERSIST (1 << 8)
+#define OPT_P_PERSIST_IP (1 << 9)
+#define OPT_P_COMP (1 << 10) /* TODO */
+#define OPT_P_MESSAGES (1 << 11)
+#define OPT_P_NCP (1 << 12) /**< Negotiable crypto parameters */
+#define OPT_P_TLS_PARMS (1 << 13) /* TODO */
+#define OPT_P_MTU (1 << 14) /* TODO */
+#define OPT_P_NICE (1 << 15)
+#define OPT_P_PUSH (1 << 16)
+#define OPT_P_INSTANCE (1 << 17) /**< allowed in ccd, client-connect etc*/
+#define OPT_P_CONFIG (1 << 18)
+#define OPT_P_EXPLICIT_NOTIFY (1 << 19)
+#define OPT_P_ECHO (1 << 20)
+#define OPT_P_INHERIT (1 << 21)
+#define OPT_P_ROUTE_EXTRAS (1 << 22)
+#define OPT_P_PULL_MODE (1 << 23)
+#define OPT_P_PLUGIN (1 << 24)
+#define OPT_P_SOCKBUF (1 << 25)
+#define OPT_P_SOCKFLAGS (1 << 26)
+#define OPT_P_CONNECTION (1 << 27)
+#define OPT_P_PEER_ID (1 << 28)
+#define OPT_P_INLINE (1 << 29)
+#define OPT_P_PUSH_MTU (1 << 30)
+#define OPT_P_ROUTE_TABLE (1 << 31)
-#define OPT_P_DEFAULT (~(OPT_P_INSTANCE|OPT_P_PULL_MODE))
+#define OPT_P_DEFAULT (~(OPT_P_INSTANCE | OPT_P_PULL_MODE))
#define PULL_DEFINED(opt) ((opt)->pull)
#define PUSH_DEFINED(opt) ((opt)->push_list)
@@ -796,18 +798,18 @@
/*
* some PUSH_UPDATE options
*/
-#define OPT_P_U_ROUTE (1<<0)
-#define OPT_P_U_ROUTE6 (1<<1)
-#define OPT_P_U_DNS (1<<2)
-#define OPT_P_U_DHCP (1<<3)
-#define OPT_P_U_REDIR_GATEWAY (1<<4)
+#define OPT_P_U_ROUTE (1 << 0)
+#define OPT_P_U_ROUTE6 (1 << 1)
+#define OPT_P_U_DNS (1 << 2)
+#define OPT_P_U_DHCP (1 << 3)
+#define OPT_P_U_REDIR_GATEWAY (1 << 4)
struct pull_filter
{
-#define PUF_TYPE_UNDEF 0 /**< undefined filter type */
-#define PUF_TYPE_ACCEPT 1 /**< filter type to accept a matching option */
-#define PUF_TYPE_IGNORE 2 /**< filter type to ignore a matching option */
-#define PUF_TYPE_REJECT 3 /**< filter type to reject and trigger SIGUSR1 */
+#define PUF_TYPE_UNDEF 0 /**< undefined filter type */
+#define PUF_TYPE_ACCEPT 1 /**< filter type to accept a matching option */
+#define PUF_TYPE_IGNORE 2 /**< filter type to ignore a matching option */
+#define PUF_TYPE_REJECT 3 /**< filter type to reject and trigger SIGUSR1 */
int type;
int size;
char *pattern;
@@ -820,12 +822,8 @@
struct pull_filter *tail;
};
-void parse_argv(struct options *options,
- const int argc,
- char *argv[],
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
+void parse_argv(struct options *options, const int argc, char *argv[], const int msglevel,
+ const unsigned int permission_mask, unsigned int *option_types_found,
struct env_set *es);
void notnull(const char *arg, const char *description);
@@ -853,12 +851,8 @@
const char *options_string_version(const char *s, struct gc_arena *gc);
-char *options_string(const struct options *o,
- const struct frame *frame,
- struct tuntap *tt,
- openvpn_net_ctx_t *ctx,
- bool remote,
- struct gc_arena *gc);
+char *options_string(const struct options *o, const struct frame *frame, struct tuntap *tt,
+ openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc);
bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n);
@@ -878,8 +872,8 @@
* @return gc-allocated value of option with name opt_name if option was found,
* or NULL otherwise.
*/
-char *options_string_extract_option(const char *options_string,
- const char *opt_name, struct gc_arena *gc);
+char *options_string_extract_option(const char *options_string, const char *opt_name,
+ struct gc_arena *gc);
void options_postprocess(struct options *options, struct env_set *es);
@@ -888,34 +882,22 @@
void pre_connect_restore(struct options *o, struct gc_arena *gc);
-bool apply_push_options(struct context *c,
- struct options *options,
- struct buffer *buf,
- unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es,
- bool is_update);
+bool apply_push_options(struct context *c, struct options *options, struct buffer *buf,
+ unsigned int permission_mask, unsigned int *option_types_found,
+ struct env_set *es, bool is_update);
void options_detach(struct options *o);
-void options_server_import(struct options *o,
- const char *filename,
- int msglevel,
- unsigned int permission_mask,
- unsigned int *option_types_found,
+void options_server_import(struct options *o, const char *filename, int msglevel,
+ unsigned int permission_mask, unsigned int *option_types_found,
struct env_set *es);
void pre_pull_default(struct options *o);
void rol_check_alloc(struct options *options);
-int parse_line(const char *line,
- char *p[],
- const int n,
- const char *file,
- const int line_num,
- int msglevel,
- struct gc_arena *gc);
+int parse_line(const char *line, char *p[], const int n, const char *file, const int line_num,
+ int msglevel, struct gc_arena *gc);
/*
* parse/print topology coding
@@ -939,11 +921,8 @@
const char *auth_retry_print(void);
-void options_string_import(struct options *options,
- const char *config,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
+void options_string_import(struct options *options, const char *config, const int msglevel,
+ const unsigned int permission_mask, unsigned int *option_types_found,
struct env_set *es);
bool key_is_external(const struct options *options);
@@ -124,12 +124,11 @@
if (i < 0 || *endptr != '\0' || i > INT_MAX)
{
- msg(msglevel, "Cannot parse argument '%s' as non-negative integer",
- str);
+ msg(msglevel, "Cannot parse argument '%s' as non-negative integer", str);
i = 0;
}
- return (int) i;
+ return (int)i;
}
int
@@ -144,27 +143,17 @@
i = 0;
}
- return (int) i;
+ return (int)i;
}
-static const char *updatable_options[] = {
- "block-ipv6",
- "block-outside-dns",
- "dhcp-option",
- "dns",
- "ifconfig",
- "ifconfig-ipv6",
- "push-continuation",
- "redirect-gateway",
- "redirect-private",
- "route",
- "route-gateway",
- "route-ipv6",
- "route-metric",
- "topology",
- "tun-mtu",
- "keepalive"
-};
+static const char *updatable_options[] = { "block-ipv6", "block-outside-dns",
+ "dhcp-option", "dns",
+ "ifconfig", "ifconfig-ipv6",
+ "push-continuation", "redirect-gateway",
+ "redirect-private", "route",
+ "route-gateway", "route-ipv6",
+ "route-metric", "topology",
+ "tun-mtu", "keepalive" };
bool
check_push_update_option_flags(char *line, int *i, unsigned int *flags)
@@ -196,7 +185,7 @@
}
size_t len = strlen(&line[*i]);
- int count = sizeof(updatable_options)/sizeof(char *);
+ int count = sizeof(updatable_options) / sizeof(char *);
for (int j = 0; j < count; ++j)
{
size_t opt_len = strlen(updatable_options[j]);
@@ -26,28 +26,24 @@
#include "options.h"
-const char *
-parse_auth_failed_temp(struct options *o, const char *reason);
+const char *parse_auth_failed_temp(struct options *o, const char *reason);
/** Checks if the string is a valid integer by checking if it can be
* converted to an integer */
-bool
-valid_integer(const char *str, bool positive);
+bool valid_integer(const char *str, bool positive);
/**
* Converts a str to a positive number if the string represents a postive
* integer number. Otherwise print a warning with msglevel and return 0
*/
-int
-positive_atoi(const char *str, int msglevel);
+int positive_atoi(const char *str, int msglevel);
/**
* Converts a str to an integer if the string can be represented as an
* integer number. Otherwise print a warning with msglevel and return 0
*/
-int
-atoi_warn(const char *str, int msglevel);
+int atoi_warn(const char *str, int msglevel);
/**
* Filter an option line by all pull filters.
@@ -57,9 +53,7 @@
* reject, SIGUSR1 is triggered and the return value is false.
* In that case the caller must end the push processing.
*/
-bool
-apply_pull_filter(const struct options *o,
- char *line);
+bool apply_pull_filter(const struct options *o, char *line);
/**
* @brief Checks the formatting and validity of options inside push-update messages.
@@ -89,7 +83,6 @@
* - The `line` parameter is empty or `NULL`.
* - The `?` flag is absent and the option is not updatable.
*/
-bool
-check_push_update_option_flags(char *line, int *i, unsigned int *flags);
+bool check_push_update_option_flags(char *line, int *i, unsigned int *flags);
#endif /* ifndef OPTIONS_UTIL_H_ */
@@ -83,9 +83,7 @@
tv_string(const struct timeval *tv, struct gc_arena *gc)
{
struct buffer out = alloc_buf_gc(64, gc);
- buf_printf(&out, "[%" PRIi64 "/%ld]",
- (int64_t)tv->tv_sec,
- (long)tv->tv_usec);
+ buf_printf(&out, "[%" PRIi64 "/%ld]", (int64_t)tv->tv_sec, (long)tv->tv_usec);
return BSTR(&out);
}
@@ -97,10 +95,7 @@
const char *
tv_string_abs(const struct timeval *tv, struct gc_arena *gc)
{
- return time_string((time_t) tv->tv_sec,
- (long) tv->tv_usec,
- true,
- gc);
+ return time_string((time_t)tv->tv_sec, (long)tv->tv_usec, true, gc);
}
/* format a time_t as ascii, or use current time if 0 */
@@ -124,9 +119,8 @@
t = tv.tv_sec;
struct tm *tm = localtime(&t);
- buf_printf(&out, "%04d-%02d-%02d %02d:%02d:%02d",
- tm->tm_year+1900, tm->tm_mon+1, tm->tm_mday,
- tm->tm_hour, tm->tm_min, tm->tm_sec);
+ buf_printf(&out, "%04d-%02d-%02d %02d:%02d:%02d", tm->tm_year + 1900, tm->tm_mon + 1,
+ tm->tm_mday, tm->tm_hour, tm->tm_min, tm->tm_sec);
if (show_usec && tv.tv_usec)
{
@@ -196,9 +190,7 @@
t = time(NULL);
gettimeofday(&tv, NULL);
#if 1
- msg(M_INFO, "t=%" PRIi64 " s=%" PRIi64 " us=%ld",
- (int64_t)t,
- (int64_t)tv.tv_sec,
+ msg(M_INFO, "t=%" PRIi64 " s=%" PRIi64 " us=%ld", (int64_t)t, (int64_t)tv.tv_sec,
(long)tv.tv_usec);
#endif
}
@@ -236,7 +236,7 @@
dest->tv_usec = usec;
}
-#define TV_WITHIN_SIGMA_MAX_SEC 600
+#define TV_WITHIN_SIGMA_MAX_SEC 600
#define TV_WITHIN_SIGMA_MAX_USEC (TV_WITHIN_SIGMA_MAX_SEC * 1000000)
/*
@@ -259,7 +259,7 @@
{
if (at > current)
{
- const interval_t delta = (interval_t) (at - current);
+ const interval_t delta = (interval_t)(at - current);
if (delta < *wakeup)
{
*wakeup = delta;
@@ -32,42 +32,46 @@
#include <netinet/in.h>
/* Maximum size of an ioctl request. */
-#define OVPN_MAX_REQUEST_SIZE 4096
+#define OVPN_MAX_REQUEST_SIZE 4096
-enum ovpn_notif_type {
+enum ovpn_notif_type
+{
OVPN_NOTIF_DEL_PEER,
OVPN_NOTIF_ROTATE_KEY,
OVPN_NOTIF_FLOAT,
};
-enum ovpn_del_reason {
- OVPN_DEL_REASON_REQUESTED = 0,
- OVPN_DEL_REASON_TIMEOUT = 1
+enum ovpn_del_reason
+{
+ OVPN_DEL_REASON_REQUESTED = 0,
+ OVPN_DEL_REASON_TIMEOUT = 1
};
-enum ovpn_key_slot {
- OVPN_KEY_SLOT_PRIMARY = 0,
+enum ovpn_key_slot
+{
+ OVPN_KEY_SLOT_PRIMARY = 0,
OVPN_KEY_SLOT_SECONDARY = 1
};
-enum ovpn_key_cipher {
- OVPN_CIPHER_ALG_NONE = 0,
- OVPN_CIPHER_ALG_AES_GCM = 1,
- OVPN_CIPHER_ALG_CHACHA20_POLY1305 = 2
+enum ovpn_key_cipher
+{
+ OVPN_CIPHER_ALG_NONE = 0,
+ OVPN_CIPHER_ALG_AES_GCM = 1,
+ OVPN_CIPHER_ALG_CHACHA20_POLY1305 = 2
};
-#define OVPN_NEW_PEER _IO('D', 1)
-#define OVPN_DEL_PEER _IO('D', 2)
-#define OVPN_GET_STATS _IO('D', 3)
-#define OVPN_NEW_KEY _IO('D', 4)
-#define OVPN_SWAP_KEYS _IO('D', 5)
-#define OVPN_DEL_KEY _IO('D', 6)
-#define OVPN_SET_PEER _IO('D', 7)
-#define OVPN_START_VPN _IO('D', 8)
-#define OVPN_SEND_PKT _IO('D', 9)
-#define OVPN_POLL_PKT _IO('D', 10)
-#define OVPN_GET_PKT _IO('D', 11)
-#define OVPN_SET_IFMODE _IO('D', 12)
-#define OVPN_GET_PEER_STATS _IO('D', 13)
+#define OVPN_NEW_PEER _IO('D', 1)
+#define OVPN_DEL_PEER _IO('D', 2)
+#define OVPN_GET_STATS _IO('D', 3)
+#define OVPN_NEW_KEY _IO('D', 4)
+#define OVPN_SWAP_KEYS _IO('D', 5)
+#define OVPN_DEL_KEY _IO('D', 6)
+#define OVPN_SET_PEER _IO('D', 7)
+#define OVPN_START_VPN _IO('D', 8)
+#define OVPN_SEND_PKT _IO('D', 9)
+#define OVPN_POLL_PKT _IO('D', 10)
+#define OVPN_GET_PKT _IO('D', 11)
+#define OVPN_SET_IFMODE _IO('D', 12)
+#define OVPN_GET_PEER_STATS _IO('D', 13)
#endif /* ifndef _NET_IF_OVPN_H_ */
@@ -53,20 +53,15 @@
#define SEQ_EXPIRED ((time_t)1)
#ifdef ENABLE_DEBUG
-static void packet_id_debug_print(int msglevel,
- const struct packet_id_rec *p,
- const struct packet_id_net *pin,
- const char *message,
+static void packet_id_debug_print(int msglevel, const struct packet_id_rec *p,
+ const struct packet_id_net *pin, const char *message,
packet_id_print_type value);
#endif /* ENABLE_DEBUG */
static inline void
-packet_id_debug(int msglevel,
- const struct packet_id_rec *p,
- const struct packet_id_net *pin,
- const char *message,
- uint64_t value)
+packet_id_debug(int msglevel, const struct packet_id_rec *p, const struct packet_id_net *pin,
+ const char *message, uint64_t value)
{
#ifdef ENABLE_DEBUG
if (unlikely(check_debug_level(msglevel)))
@@ -77,7 +72,8 @@
}
static void
-packet_id_init_recv(struct packet_id_rec *rec, int seq_backtrack, int time_backtrack, const char *name, int unit)
+packet_id_init_recv(struct packet_id_rec *rec, int seq_backtrack, int time_backtrack,
+ const char *name, int unit)
{
rec->name = name;
rec->unit = unit;
@@ -92,10 +88,10 @@
rec->initialized = true;
}
void
-packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
+packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name,
+ int unit)
{
- dmsg(D_PID_DEBUG, "PID packet_id_init seq_backtrack=%d time_backtrack=%d",
- seq_backtrack,
+ dmsg(D_PID_DEBUG, "PID packet_id_init seq_backtrack=%d time_backtrack=%d", seq_backtrack,
time_backtrack);
ASSERT(p);
@@ -118,8 +114,7 @@
/* Reinitalise the source */
CLEAR(*src);
- packet_id_init_recv(src, dest->seq_backtrack, dest->time_backtrack,
- dest->name, dest->unit);
+ packet_id_init_recv(src, dest->seq_backtrack, dest->time_backtrack, dest->name, dest->unit);
}
void
@@ -145,10 +140,8 @@
* If time value increases, start a new sequence list of number
* sequence for the new time point.
*/
- if (!CIRC_LIST_SIZE(p->seq_list)
- || pin->time > p->time
- || (pin->id >= p->seq_backtrack
- && pin->id - p->seq_backtrack > p->id))
+ if (!CIRC_LIST_SIZE(p->seq_list) || pin->time > p->time
+ || (pin->id >= p->seq_backtrack && pin->id - p->seq_backtrack > p->id))
{
p->time = pin->time;
p->id = 0;
@@ -163,15 +156,14 @@
#ifdef PID_SIMULATE_BACKTRACK
|| (get_random() % 64) < 31
#endif
- )
+ )
{
CIRC_LIST_PUSH(p->seq_list, SEQ_UNSEEN);
++p->id;
}
diff = p->id - pin->id;
- if (diff < CIRC_LIST_SIZE(p->seq_list)
- && local_now > SEQ_EXPIRED)
+ if (diff < CIRC_LIST_SIZE(p->seq_list) && local_now > SEQ_EXPIRED)
{
CIRC_LIST_ITEM(p->seq_list, diff) = local_now;
}
@@ -220,8 +212,7 @@
* it is a replay.
*/
bool
-packet_id_test(struct packet_id_rec *p,
- const struct packet_id_net *pin)
+packet_id_test(struct packet_id_rec *p, const struct packet_id_net *pin)
{
uint64_t diff;
@@ -257,10 +248,11 @@
if (diff > p->max_backtrack_stat)
{
p->max_backtrack_stat = diff;
- packet_id_debug(D_PID_DEBUG_LOW, p, pin, "PID_ERR replay-window backtrack occurred", p->max_backtrack_stat);
+ packet_id_debug(D_PID_DEBUG_LOW, p, pin, "PID_ERR replay-window backtrack occurred",
+ p->max_backtrack_stat);
}
- if (diff >= (packet_id_type) CIRC_LIST_SIZE(p->seq_list))
+ if (diff >= (packet_id_type)CIRC_LIST_SIZE(p->seq_list))
{
packet_id_debug(D_PID_DEBUG_LOW, p, pin, "PID_ERR large diff", diff);
return false;
@@ -285,7 +277,7 @@
packet_id_debug(D_PID_DEBUG_LOW, p, pin, "PID_ERR time backtrack", 0);
return false;
}
- else /* time moved forward */
+ else /* time moved forward */
{
return true;
}
@@ -306,7 +298,7 @@
{
return false;
}
- else /* time moved forward */
+ else /* time moved forward */
{
return pin->id == 1;
}
@@ -382,8 +374,7 @@
}
bool
-packet_id_write(struct packet_id_send *p, struct buffer *buf, bool long_form,
- bool prepend)
+packet_id_write(struct packet_id_send *p, struct buffer *buf, bool long_form, bool prepend)
{
if (!packet_id_send_update(p, long_form))
{
@@ -431,8 +422,7 @@
buf_printf(&out, "[ #" packet_id_format, (packet_id_print_type)pin->id);
if (print_timestamp && pin->time)
{
- buf_printf(&out, " / time = (" packet_id_format ") %s",
- (packet_id_print_type)pin->time,
+ buf_printf(&out, " / time = (" packet_id_format ") %s", (packet_id_print_type)pin->time,
time_string(pin->time, 0, false, gc));
}
@@ -472,13 +462,10 @@
if (!packet_id_persist_enabled(p))
{
/* open packet-id persist file for both read and write */
- p->fd = platform_open(filename,
- O_CREAT | O_RDWR | O_BINARY,
- S_IRUSR | S_IWUSR);
+ p->fd = platform_open(filename, O_CREAT | O_RDWR | O_BINARY, S_IRUSR | S_IWUSR);
if (p->fd == -1)
{
- msg(D_PID_PERSIST | M_ERRNO,
- "Cannot open --replay-persist file %s for read/write",
+ msg(D_PID_PERSIST | M_ERRNO, "Cannot open --replay-persist file %s for read/write",
filename);
}
else
@@ -499,14 +486,12 @@
{
p->time = p->time_last_written = image.time;
p->id = p->id_last_written = image.id;
- dmsg(D_PID_PERSIST_DEBUG, "PID Persist Read from %s: %s",
- p->filename, packet_id_persist_print(p, &gc));
+ dmsg(D_PID_PERSIST_DEBUG, "PID Persist Read from %s: %s", p->filename,
+ packet_id_persist_print(p, &gc));
}
else if (n == -1)
{
- msg(D_PID_PERSIST | M_ERRNO,
- "Read error on --replay-persist file %s",
- p->filename);
+ msg(D_PID_PERSIST | M_ERRNO, "Read error on --replay-persist file %s", p->filename);
}
}
}
@@ -517,8 +502,8 @@
void
packet_id_persist_save(struct packet_id_persist *p)
{
- if (packet_id_persist_enabled(p) && p->time && (p->time != p->time_last_written
- || p->id != p->id_last_written))
+ if (packet_id_persist_enabled(p) && p->time
+ && (p->time != p->time_last_written || p->id != p->id_last_written))
{
struct packet_id_persist_file_image image;
ssize_t n;
@@ -535,20 +520,18 @@
{
p->time_last_written = p->time;
p->id_last_written = p->id;
- dmsg(D_PID_PERSIST_DEBUG, "PID Persist Write to %s: %s",
- p->filename, packet_id_persist_print(p, &gc));
+ dmsg(D_PID_PERSIST_DEBUG, "PID Persist Write to %s: %s", p->filename,
+ packet_id_persist_print(p, &gc));
}
else
{
- msg(D_PID_PERSIST | M_ERRNO,
- "Cannot write to --replay-persist file %s",
+ msg(D_PID_PERSIST | M_ERRNO, "Cannot write to --replay-persist file %s",
p->filename);
}
}
else
{
- msg(D_PID_PERSIST | M_ERRNO,
- "Cannot seek to beginning of --replay-persist file %s",
+ msg(D_PID_PERSIST | M_ERRNO, "Cannot seek to beginning of --replay-persist file %s",
p->filename);
}
gc_free(&gc);
@@ -578,8 +561,7 @@
buf_printf(&out, " #" packet_id_format, (packet_id_print_type)p->id);
if (p->time)
{
- buf_printf(&out, " / time = (" packet_id_format ") %s",
- (packet_id_print_type)p->time,
+ buf_printf(&out, " / time = (" packet_id_format ") %s", (packet_id_print_type)p->time,
time_string(p->time, 0, false, gc));
}
}
@@ -591,11 +573,8 @@
#ifdef ENABLE_DEBUG
static void
-packet_id_debug_print(int msglevel,
- const struct packet_id_rec *p,
- const struct packet_id_net *pin,
- const char *message,
- packet_id_print_type value)
+packet_id_debug_print(int msglevel, const struct packet_id_rec *p, const struct packet_id_net *pin,
+ const char *message, packet_id_print_type value)
{
struct gc_arena gc = gc_new();
struct buffer out = alloc_buf_gc(256, &gc);
@@ -648,23 +627,13 @@
buf_printf(&out, " %" PRIi64 ":" packet_id_format, (int64_t)pin->time, pin->id);
}
- buf_printf(&out, " t=%" PRIi64 "[%d]",
- (int64_t)prev_now,
- (int)(prev_now - tv.tv_sec));
+ buf_printf(&out, " t=%" PRIi64 "[%d]", (int64_t)prev_now, (int)(prev_now - tv.tv_sec));
- buf_printf(&out, " r=[%d,%" PRIu64 ",%d,%" PRIu64 ",%d]",
- (int)(p->last_reap - tv.tv_sec),
- p->seq_backtrack,
- p->time_backtrack,
- p->max_backtrack_stat,
- (int)p->initialized);
+ buf_printf(&out, " r=[%d,%" PRIu64 ",%d,%" PRIu64 ",%d]", (int)(p->last_reap - tv.tv_sec),
+ p->seq_backtrack, p->time_backtrack, p->max_backtrack_stat, (int)p->initialized);
if (sl != NULL)
{
- buf_printf(&out, " sl=[%d,%d,%d,%d]",
- sl->x_head,
- sl->x_size,
- sl->x_cap,
- sl->x_sizeof);
+ buf_printf(&out, " sl=[%d,%d,%d,%d]", sl->x_head, sl->x_size, sl->x_cap, sl->x_sizeof);
}
@@ -704,7 +673,7 @@
/* Highest 16 bits of packet id is the epoch.
*
* The lower 48 bits are the per-epoch packet id counter. */
- uint64_t net_id = ((uint64_t) epoch) << 48 | p->id;
+ uint64_t net_id = ((uint64_t)epoch) << 48 | p->id;
/* convert to network order. This ensures that the highest bytes
* also become the first ones on the wire*/
@@ -43,11 +43,11 @@
* These are ephemeral and are never saved to a file.
*/
typedef uint32_t packet_id_type;
-#define PACKET_ID_MAX UINT32_MAX
-#define PACKET_ID_EPOCH_MAX 0x0000ffffffffffffull
+#define PACKET_ID_MAX UINT32_MAX
+#define PACKET_ID_EPOCH_MAX 0x0000ffffffffffffull
/** Mask of the bits that contain the 48-bit of the per-epoch packet
* counter in the packet id*/
-#define PACKET_ID_MASK 0x0000ffffffffffffull
+#define PACKET_ID_MASK 0x0000ffffffffffffull
typedef uint32_t net_time_t;
/*
@@ -81,8 +81,8 @@
* sequence number due to packets arriving
* out of order.
*/
-#define MIN_SEQ_BACKTRACK 0
-#define MAX_SEQ_BACKTRACK 65536
+#define MIN_SEQ_BACKTRACK 0
+#define MAX_SEQ_BACKTRACK 65536
#define DEFAULT_SEQ_BACKTRACK 64
/*
@@ -90,8 +90,8 @@
* seconds due to packets arriving
* out of order.
*/
-#define MIN_TIME_BACKTRACK 0
-#define MAX_TIME_BACKTRACK 600
+#define MIN_TIME_BACKTRACK 0
+#define MAX_TIME_BACKTRACK 600
#define DEFAULT_TIME_BACKTRACK 15
/*
@@ -112,14 +112,14 @@
*/
struct packet_id_rec
{
- time_t last_reap; /* last call of packet_id_reap */
- time_t time; /* highest time stamp received */
- uint64_t id; /* highest sequence number received */
- uint64_t seq_backtrack; /* set from --replay-window */
- int time_backtrack; /* set from --replay-window */
- uint64_t max_backtrack_stat; /* maximum backtrack seen so far */
- bool initialized; /* true if packet_id_init was called */
- struct seq_list *seq_list; /* packet-id "memory" */
+ time_t last_reap; /* last call of packet_id_reap */
+ time_t time; /* highest time stamp received */
+ uint64_t id; /* highest sequence number received */
+ uint64_t seq_backtrack; /* set from --replay-window */
+ int time_backtrack; /* set from --replay-window */
+ uint64_t max_backtrack_stat; /* maximum backtrack seen so far */
+ bool initialized; /* true if packet_id_init was called */
+ struct seq_list *seq_list; /* packet-id "memory" */
const char *name;
int unit;
};
@@ -132,16 +132,16 @@
{
const char *filename;
int fd;
- time_t time; /* time stamp */
- packet_id_type id; /* sequence number */
+ time_t time; /* time stamp */
+ packet_id_type id; /* sequence number */
time_t time_last_written;
packet_id_type id_last_written;
};
struct packet_id_persist_file_image
{
- time_t time; /* time stamp */
- packet_id_type id; /* sequence number */
+ time_t time; /* time stamp */
+ packet_id_type id; /* sequence number */
};
/*
@@ -201,7 +201,8 @@
struct packet_id_rec rec;
};
-void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit);
+void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name,
+ int unit);
void packet_id_free(struct packet_id *p);
@@ -209,16 +210,13 @@
* Move the packet id recv structure from \c src to \c dest. \c src will
* be reinitialised. \c dest will be freed before the move.
*/
-void
-packet_id_move_recv(struct packet_id_rec *dest, struct packet_id_rec *src);
+void packet_id_move_recv(struct packet_id_rec *dest, struct packet_id_rec *src);
/* should we accept an incoming packet id ? */
-bool packet_id_test(struct packet_id_rec *p,
- const struct packet_id_net *pin);
+bool packet_id_test(struct packet_id_rec *p, const struct packet_id_net *pin);
/* change our current state to reflect an accepted packet id */
-void packet_id_add(struct packet_id_rec *p,
- const struct packet_id_net *pin);
+void packet_id_add(struct packet_id_rec *p, const struct packet_id_net *pin);
/* expire TIME_BACKTRACK sequence numbers */
void packet_id_reap(struct packet_id_rec *p);
@@ -262,8 +260,7 @@
*
* @return true if successful, false otherwise.
*/
-bool packet_id_write(struct packet_id_send *p, struct buffer *buf,
- bool long_form, bool prepend);
+bool packet_id_write(struct packet_id_send *p, struct buffer *buf, bool long_form, bool prepend);
/*
* Inline functions.
@@ -309,7 +306,8 @@
p->id = 0;
}
-const char *packet_id_net_print(const struct packet_id_net *pin, bool print_timestamp, struct gc_arena *gc);
+const char *packet_id_net_print(const struct packet_id_net *pin, bool print_timestamp,
+ struct gc_arena *gc);
static inline int
packet_id_size(bool long_form)
@@ -340,8 +338,7 @@
* @param buf buffer to write the packet id/epoch to
* @return false if the packet id space is exhausted and cannot be written
*/
-bool
-packet_id_write_epoch(struct packet_id_send *p, uint16_t epoch, struct buffer *buf);
+bool packet_id_write_epoch(struct packet_id_send *p, uint16_t epoch, struct buffer *buf);
/**
* Reads the packet ID containing both the epoch and the per-epoch counter
@@ -350,7 +347,6 @@
* @param buf buffer to read the packet id from.
* @return 0 for an error/invalid id, epoch otherwise
*/
-uint16_t
-packet_id_read_epoch(struct packet_id_net *p, struct buffer *buf);
+uint16_t packet_id_read_epoch(struct packet_id_net *p, struct buffer *buf);
#endif /* PACKET_ID_H */
@@ -35,34 +35,32 @@
#include "memdbg.h"
-static const char *metric_names[] = {
- "PERF_BIO_READ_PLAINTEXT",
- "PERF_BIO_WRITE_PLAINTEXT",
- "PERF_BIO_READ_CIPHERTEXT",
- "PERF_BIO_WRITE_CIPHERTEXT",
- "PERF_TLS_MULTI_PROCESS",
- "PERF_IO_WAIT",
- "PERF_EVENT_LOOP",
- "PERF_MULTI_CREATE_INSTANCE",
- "PERF_MULTI_CLOSE_INSTANCE",
- "PERF_MULTI_SHOW_STATS",
- "PERF_MULTI_BCAST",
- "PERF_MULTI_MCAST",
- "PERF_SCRIPT",
- "PERF_READ_IN_LINK",
- "PERF_PROC_IN_LINK",
- "PERF_READ_IN_TUN",
- "PERF_PROC_IN_TUN",
- "PERF_PROC_OUT_LINK",
- "PERF_PROC_OUT_TUN",
- "PERF_PROC_OUT_TUN_MTCP"
-};
+static const char *metric_names[] = { "PERF_BIO_READ_PLAINTEXT",
+ "PERF_BIO_WRITE_PLAINTEXT",
+ "PERF_BIO_READ_CIPHERTEXT",
+ "PERF_BIO_WRITE_CIPHERTEXT",
+ "PERF_TLS_MULTI_PROCESS",
+ "PERF_IO_WAIT",
+ "PERF_EVENT_LOOP",
+ "PERF_MULTI_CREATE_INSTANCE",
+ "PERF_MULTI_CLOSE_INSTANCE",
+ "PERF_MULTI_SHOW_STATS",
+ "PERF_MULTI_BCAST",
+ "PERF_MULTI_MCAST",
+ "PERF_SCRIPT",
+ "PERF_READ_IN_LINK",
+ "PERF_PROC_IN_LINK",
+ "PERF_READ_IN_TUN",
+ "PERF_PROC_IN_TUN",
+ "PERF_PROC_OUT_LINK",
+ "PERF_PROC_OUT_TUN",
+ "PERF_PROC_OUT_TUN_MTCP" };
struct perf
{
-#define PS_INITIAL 0
-#define PS_METER_RUNNING 1
-#define PS_METER_INTERRUPTED 2
+#define PS_INITIAL 0
+#define PS_METER_RUNNING 1
+#define PS_METER_INTERRUPTED 2
int state;
struct timeval start;
@@ -138,8 +136,7 @@
{
const int sindex = get_stack_index(0);
const int newlen = get_stack_index(1);
- if (sindex >= 0 && newlen >= 0
- && pindex >= 0 && pindex < PERF_N)
+ if (sindex >= 0 && newlen >= 0 && pindex >= 0 && pindex < PERF_N)
{
int i;
for (i = 0; i < sindex; ++i)
@@ -147,8 +144,7 @@
if (perf_set.stack[i] == pindex)
{
perf_print_state(M_INFO);
- msg(M_FATAL, "PERF: push_perf_index %s failed",
- metric_names [pindex]);
+ msg(M_FATAL, "PERF: push_perf_index %s failed", metric_names[pindex]);
}
}
@@ -180,9 +176,7 @@
{
if (p->state != wanted)
{
- msg(M_FATAL, "PERF: bad state actual=%d wanted=%d",
- p->state,
- wanted);
+ msg(M_FATAL, "PERF: bad state actual=%d wanted=%d", p->state, wanted);
}
}
@@ -191,7 +185,7 @@
{
struct timeval current;
ASSERT(!gettimeofday(¤t, NULL));
- p->sofar += (double) tv_subtract(¤t, &p->start, 600) / 1000000.0;
+ p->sofar += (double)tv_subtract(¤t, &p->start, 600) / 1000000.0;
tv_clear(&p->start);
}
@@ -287,7 +281,8 @@
if (p->count > 0.0)
{
const double mean = p->sum / p->count;
- msg(M_INFO, "%s n=%.0f mean=%.3f max=%.3f", metric_names[i], p->count, mean*1000.0, p->max*1000.0);
+ msg(M_INFO, "%s n=%.0f mean=%.3f max=%.3f", metric_names[i], p->count, mean * 1000.0,
+ p->max * 1000.0);
}
}
}
@@ -303,15 +298,8 @@
{
const int j = perf_set.stack[i];
const struct perf *p = &perf_set.perf[j];
- msg(lev, "[%d] %s state=%d start=%s sofar=%f sum=%f max=%f count=%f",
- i,
- metric_names[j],
- p->state,
- tv_string(&p->start, &gc),
- p->sofar,
- p->sum,
- p->max,
- p->count);
+ msg(lev, "[%d] %s state=%d start=%s sofar=%f sum=%f max=%f count=%f", i, metric_names[j],
+ p->state, tv_string(&p->start, &gc), p->sofar, p->sum, p->max, p->count);
}
gc_free(&gc);
}
@@ -34,27 +34,27 @@
/*
* Metrics
*/
-#define PERF_BIO_READ_PLAINTEXT 0
-#define PERF_BIO_WRITE_PLAINTEXT 1
-#define PERF_BIO_READ_CIPHERTEXT 2
-#define PERF_BIO_WRITE_CIPHERTEXT 3
-#define PERF_TLS_MULTI_PROCESS 4
-#define PERF_IO_WAIT 5
-#define PERF_EVENT_LOOP 6
-#define PERF_MULTI_CREATE_INSTANCE 7
-#define PERF_MULTI_CLOSE_INSTANCE 8
-#define PERF_MULTI_SHOW_STATS 9
-#define PERF_MULTI_BCAST 10
-#define PERF_MULTI_MCAST 11
-#define PERF_SCRIPT 12
-#define PERF_READ_IN_LINK 13
-#define PERF_PROC_IN_LINK 14
-#define PERF_READ_IN_TUN 15
-#define PERF_PROC_IN_TUN 16
-#define PERF_PROC_OUT_LINK 17
-#define PERF_PROC_OUT_TUN 18
-#define PERF_PROC_OUT_TUN_MTCP 19
-#define PERF_N 20
+#define PERF_BIO_READ_PLAINTEXT 0
+#define PERF_BIO_WRITE_PLAINTEXT 1
+#define PERF_BIO_READ_CIPHERTEXT 2
+#define PERF_BIO_WRITE_CIPHERTEXT 3
+#define PERF_TLS_MULTI_PROCESS 4
+#define PERF_IO_WAIT 5
+#define PERF_EVENT_LOOP 6
+#define PERF_MULTI_CREATE_INSTANCE 7
+#define PERF_MULTI_CLOSE_INSTANCE 8
+#define PERF_MULTI_SHOW_STATS 9
+#define PERF_MULTI_BCAST 10
+#define PERF_MULTI_MCAST 11
+#define PERF_SCRIPT 12
+#define PERF_READ_IN_LINK 13
+#define PERF_PROC_IN_LINK 14
+#define PERF_READ_IN_TUN 15
+#define PERF_PROC_IN_TUN 16
+#define PERF_PROC_OUT_LINK 17
+#define PERF_PROC_OUT_TUN 18
+#define PERF_PROC_OUT_TUN_MTCP 19
+#define PERF_N 20
#ifdef ENABLE_PERFORMANCE_METRICS
@@ -63,7 +63,7 @@
/*
* Stack size
*/
-#define STACK_N 64
+#define STACK_N 64
void perf_push(int type);
@@ -38,10 +38,8 @@
*
* PING_STRING_SIZE must be sizeof (ping_string)
*/
-const uint8_t ping_string[] = {
- 0x2a, 0x18, 0x7b, 0xf3, 0x64, 0x1e, 0xb4, 0xcb,
- 0x07, 0xed, 0x2d, 0x0a, 0x98, 0x1f, 0xc7, 0x48
-};
+const uint8_t ping_string[] = { 0x2a, 0x18, 0x7b, 0xf3, 0x64, 0x1e, 0xb4, 0xcb,
+ 0x07, 0xed, 0x2d, 0x0a, 0x98, 0x1f, 0xc7, 0x48 };
void
trigger_ping_timeout_signal(struct context *c)
@@ -50,8 +48,7 @@
switch (c->options.ping_rec_timeout_action)
{
case PING_EXIT:
- msg(M_INFO, "%sInactivity timeout (--ping-exit), exiting",
- format_common_name(c, &gc));
+ msg(M_INFO, "%sInactivity timeout (--ping-exit), exiting", format_common_name(c, &gc));
register_signal(c->sig, SIGTERM, "ping-exit");
break;
@@ -29,7 +29,7 @@
/*
* Initial default --ping-restart before --pull
*/
-#define PRE_PULL_INITIAL_PING_RESTART 120 /* in seconds */
+#define PRE_PULL_INITIAL_PING_RESTART 120 /* in seconds */
extern const uint8_t ping_string[];
@@ -59,11 +59,11 @@
check_ping_restart(struct context *c)
{
if (c->options.ping_rec_timeout
- && event_timeout_trigger(&c->c2.ping_rec_interval,
- &c->c2.timeval,
+ && event_timeout_trigger(&c->c2.ping_rec_interval, &c->c2.timeval,
(!c->options.ping_timer_remote
|| link_socket_actual_defined(&c->c1.link_socket_addrs[0].actual))
- ? ETT_DEFAULT : 15))
+ ? ETT_DEFAULT
+ : 15))
{
trigger_ping_timeout_signal(c);
}
@@ -76,8 +76,7 @@
check_ping_send(struct context *c)
{
if (c->options.ping_send_timeout
- && event_timeout_trigger(&c->c2.ping_send_interval,
- &c->c2.timeval,
+ && event_timeout_trigger(&c->c2.ping_send_interval, &c->c2.timeval,
!TO_LINK_DEF(c) ? ETT_DEFAULT : 1))
{
check_ping_send_dowork(c);
@@ -39,51 +39,41 @@
#include "console.h"
#include "pkcs11_backend.h"
-static
-time_t
+static time_t
__mytime(void)
{
return openvpn_time(NULL);
}
#if !defined(_WIN32)
-static
-int
+static int
__mygettimeofday(struct timeval *tv)
{
return gettimeofday(tv, NULL);
}
#endif
-static
-void
+static void
__mysleep(const unsigned long usec)
{
#if defined(_WIN32)
- Sleep(usec/1000);
+ Sleep(usec / 1000);
#else
usleep(usec);
#endif
}
-static pkcs11h_engine_system_t s_pkcs11h_sys_engine = {
- malloc,
- free,
- __mytime,
- __mysleep,
+static pkcs11h_engine_system_t s_pkcs11h_sys_engine = { malloc, free, __mytime, __mysleep,
#if defined(_WIN32)
- NULL
+ NULL
#else
- __mygettimeofday
+ __mygettimeofday
#endif
};
-static
-unsigned
-_pkcs11_msg_pkcs112openvpn(
- const unsigned flags
- )
+static unsigned
+_pkcs11_msg_pkcs112openvpn(const unsigned flags)
{
unsigned openvpn_flags;
@@ -121,11 +111,8 @@
return openvpn_flags;
}
-static
-unsigned
-_pkcs11_msg_openvpn2pkcs11(
- const unsigned flags
- )
+static unsigned
+_pkcs11_msg_openvpn2pkcs11(const unsigned flags)
{
unsigned pkcs11_flags;
@@ -161,33 +148,23 @@
return pkcs11_flags;
}
-static
-void
-_pkcs11_openvpn_log(
- void *const global_data,
- unsigned flags,
- const char *const szFormat,
- va_list args
- )
+static void
+_pkcs11_openvpn_log(void *const global_data, unsigned flags, const char *const szFormat,
+ va_list args)
{
- char Buffer[10*1024];
+ char Buffer[10 * 1024];
(void)global_data;
vsnprintf(Buffer, sizeof(Buffer), szFormat, args);
- Buffer[sizeof(Buffer)-1] = 0;
+ Buffer[sizeof(Buffer) - 1] = 0;
msg(_pkcs11_msg_pkcs112openvpn(flags), "%s", Buffer);
}
-static
-PKCS11H_BOOL
-_pkcs11_openvpn_token_prompt(
- void *const global_data,
- void *const user_data,
- const pkcs11h_token_id_t token,
- const unsigned retry
- )
+static PKCS11H_BOOL
+_pkcs11_openvpn_token_prompt(void *const global_data, void *const user_data,
+ const pkcs11h_token_id_t token, const unsigned retry)
{
struct user_pass token_resp;
@@ -195,26 +172,16 @@
(void)user_data;
(void)retry;
- ASSERT(token!=NULL);
+ ASSERT(token != NULL);
CLEAR(token_resp);
token_resp.defined = false;
token_resp.nocache = true;
- snprintf(
- token_resp.username,
- sizeof(token_resp.username),
- "Please insert %s token",
- token->label
- );
+ snprintf(token_resp.username, sizeof(token_resp.username), "Please insert %s token",
+ token->label);
- if (
- !get_user_pass(
- &token_resp,
- NULL,
- "token-insertion-request",
- GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK|GET_USER_PASS_NOFATAL
- )
- )
+ if (!get_user_pass(&token_resp, NULL, "token-insertion-request",
+ GET_USER_PASS_MANAGEMENT | GET_USER_PASS_NEED_OK | GET_USER_PASS_NOFATAL))
{
return false;
}
@@ -224,16 +191,10 @@
}
}
-static
-PKCS11H_BOOL
-_pkcs11_openvpn_pin_prompt(
- void *const global_data,
- void *const user_data,
- const pkcs11h_token_id_t token,
- const unsigned retry,
- char *const pin,
- const size_t pin_max
- )
+static PKCS11H_BOOL
+_pkcs11_openvpn_pin_prompt(void *const global_data, void *const user_data,
+ const pkcs11h_token_id_t token, const unsigned retry, char *const pin,
+ const size_t pin_max)
{
struct user_pass token_pass;
char prompt[1024];
@@ -243,21 +204,16 @@
(void)user_data;
(void)retry;
- ASSERT(token!=NULL);
+ ASSERT(token != NULL);
snprintf(prompt, sizeof(prompt), "%s token", token->label);
token_pass.defined = false;
token_pass.nocache = true;
- if (
- !get_user_pass(
- &token_pass,
- NULL,
- prompt,
- GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY|GET_USER_PASS_NOFATAL
- )
- )
+ if (!get_user_pass(&token_pass, NULL, prompt,
+ GET_USER_PASS_MANAGEMENT | GET_USER_PASS_PASSWORD_ONLY
+ | GET_USER_PASS_NOFATAL))
{
return false;
}
@@ -278,21 +234,16 @@
}
bool
-pkcs11_initialize(
- const bool protected_auth,
- const int nPINCachePeriod
- )
+pkcs11_initialize(const bool protected_auth, const int nPINCachePeriod)
{
CK_RV rv = CKR_FUNCTION_FAILED;
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: pkcs11_initialize - entered"
- );
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_initialize - entered");
if ((rv = pkcs11h_engine_setSystem(&s_pkcs11h_sys_engine)) != CKR_OK)
{
- msg(M_FATAL, "PKCS#11: Cannot initialize system engine %ld-'%s'", rv, pkcs11h_getMessage(rv));
+ msg(M_FATAL, "PKCS#11: Cannot initialize system engine %ld-'%s'", rv,
+ pkcs11h_getMessage(rv));
goto cleanup;
}
@@ -330,7 +281,8 @@
if ((rv = pkcs11h_setProtectedAuthentication(protected_auth)) != CKR_OK)
{
- msg(M_FATAL, "PKCS#11: Cannot set protected authentication mode %ld-'%s'", rv, pkcs11h_getMessage(rv));
+ msg(M_FATAL, "PKCS#11: Cannot set protected authentication mode %ld-'%s'", rv,
+ pkcs11h_getMessage(rv));
goto cleanup;
}
@@ -343,12 +295,8 @@
rv = CKR_OK;
cleanup:
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: pkcs11_initialize - return %ld-'%s'",
- rv,
- pkcs11h_getMessage(rv)
- );
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_initialize - return %ld-'%s'", rv,
+ pkcs11h_getMessage(rv));
return rv == CKR_OK;
}
@@ -356,105 +304,85 @@
void
pkcs11_terminate(void)
{
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: pkcs11_terminate - entered"
- );
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_terminate - entered");
pkcs11h_terminate();
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: pkcs11_terminate - return"
- );
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_terminate - return");
}
bool
-pkcs11_addProvider(
- const char *const provider,
- const bool protected_auth,
- const unsigned private_mode,
- const bool cert_private
- )
+pkcs11_addProvider(const char *const provider, const bool protected_auth,
+ const unsigned private_mode, const bool cert_private)
{
CK_RV rv = CKR_OK;
- ASSERT(provider!=NULL);
+ ASSERT(provider != NULL);
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: pkcs11_addProvider - entered - provider='%s', private_mode=%08x",
- provider,
- private_mode
- );
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_addProvider - entered - provider='%s', private_mode=%08x",
+ provider, private_mode);
- msg(
- M_INFO,
- "PKCS#11: Adding PKCS#11 provider '%s'",
- provider
- );
+ msg(M_INFO, "PKCS#11: Adding PKCS#11 provider '%s'", provider);
-#if PKCS11H_VERSION >= ((1<<16) | (28<<8) | (0<<0))
+#if PKCS11H_VERSION >= ((1 << 16) | (28 << 8) | (0 << 0))
if ((rv = pkcs11h_registerProvider(provider)) != CKR_OK)
{
- msg(M_WARN, "PKCS#11: Cannot register provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage(rv));
+ msg(M_WARN, "PKCS#11: Cannot register provider '%s' %ld-'%s'", provider, rv,
+ pkcs11h_getMessage(rv));
}
else
{
PKCS11H_BOOL allow_protected_auth = protected_auth;
PKCS11H_BOOL cert_is_private = cert_private;
- rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_LOCATION, provider, strlen(provider) + 1);
+ rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_LOCATION, provider,
+ strlen(provider) + 1);
if (rv == CKR_OK)
{
- rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_ALLOW_PROTECTED_AUTH, &allow_protected_auth, sizeof(allow_protected_auth));
+ rv = pkcs11h_setProviderProperty(provider,
+ PKCS11H_PROVIDER_PROPERTY_ALLOW_PROTECTED_AUTH,
+ &allow_protected_auth, sizeof(allow_protected_auth));
}
if (rv == CKR_OK)
{
- rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_MASK_PRIVATE_MODE, &private_mode, sizeof(private_mode));
+ rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_MASK_PRIVATE_MODE,
+ &private_mode, sizeof(private_mode));
}
if (rv == CKR_OK)
{
- rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_CERT_IS_PRIVATE, &cert_is_private, sizeof(cert_is_private));
+ rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_CERT_IS_PRIVATE,
+ &cert_is_private, sizeof(cert_is_private));
}
#if defined(WIN32) && defined(PKCS11H_PROVIDER_PROPERTY_LOADER_FLAGS)
if (rv == CKR_OK && platform_absolute_pathname(provider))
{
- unsigned loader_flags = LOAD_LIBRARY_SEARCH_DEFAULT_DIRS | LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR;
- rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_LOADER_FLAGS, &loader_flags, sizeof(loader_flags));
+ unsigned loader_flags =
+ LOAD_LIBRARY_SEARCH_DEFAULT_DIRS | LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR;
+ rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_LOADER_FLAGS,
+ &loader_flags, sizeof(loader_flags));
}
#endif
if (rv != CKR_OK || (rv = pkcs11h_initializeProvider(provider)) != CKR_OK)
{
- msg(M_WARN, "PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage(rv));
+ msg(M_WARN, "PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv,
+ pkcs11h_getMessage(rv));
pkcs11h_removeProvider(provider);
}
}
#else /* if PKCS11H_VERSION >= ((1<<16) | (28<<8) | (0<<0)) */
- if (
- (rv = pkcs11h_addProvider(
- provider,
- provider,
- protected_auth,
- private_mode,
- PKCS11H_SLOTEVENT_METHOD_AUTO,
- 0,
- cert_private
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_addProvider(provider, provider, protected_auth, private_mode,
+ PKCS11H_SLOTEVENT_METHOD_AUTO, 0, cert_private))
+ != CKR_OK)
{
- msg(M_WARN, "PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage(rv));
+ msg(M_WARN, "PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv,
+ pkcs11h_getMessage(rv));
}
#endif /* if PKCS11H_VERSION >= ((1<<16) | (28<<8) | (0<<0)) */
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: pkcs11_addProvider - return rv=%ld-'%s'",
- rv,
- pkcs11h_getMessage(rv)
- );
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_addProvider - return rv=%ld-'%s'", rv,
+ pkcs11h_getMessage(rv));
return rv == CKR_OK;
}
@@ -473,20 +401,11 @@
CK_RV rv = CKR_OK;
int count = 0;
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: pkcs11_management_id_count - entered"
- );
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_management_id_count - entered");
- if (
- (rv = pkcs11h_certificate_enumCertificateIds(
- PKCS11H_ENUM_METHOD_CACHE_EXIST,
- NULL,
- PKCS11H_PROMPT_MASK_ALLOW_ALL,
- NULL,
- &id_list
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_certificate_enumCertificateIds(PKCS11H_ENUM_METHOD_CACHE_EXIST, NULL,
+ PKCS11H_PROMPT_MASK_ALLOW_ALL, NULL, &id_list))
+ != CKR_OK)
{
msg(M_WARN, "PKCS#11: Cannot get certificate list %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
@@ -502,21 +421,13 @@
pkcs11h_certificate_freeCertificateIdList(id_list);
id_list = NULL;
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: pkcs11_management_id_count - return count=%d",
- count
- );
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_management_id_count - return count=%d", count);
return count;
}
bool
-pkcs11_management_id_get(
- const int index,
- char **id,
- char **base64
- )
+pkcs11_management_id_get(const int index, char **id, char **base64)
{
pkcs11h_certificate_id_list_t id_list = NULL;
pkcs11h_certificate_id_list_t entry = NULL;
@@ -533,27 +444,17 @@
int count = 0;
bool success = false;
- ASSERT(id!=NULL);
- ASSERT(base64!=NULL);
+ ASSERT(id != NULL);
+ ASSERT(base64 != NULL);
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: pkcs11_management_id_get - entered index=%d",
- index
- );
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_management_id_get - entered index=%d", index);
*id = NULL;
*base64 = NULL;
- if (
- (rv = pkcs11h_certificate_enumCertificateIds(
- PKCS11H_ENUM_METHOD_CACHE_EXIST,
- NULL,
- PKCS11H_PROMPT_MASK_ALLOW_ALL,
- NULL,
- &id_list
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_certificate_enumCertificateIds(PKCS11H_ENUM_METHOD_CACHE_EXIST, NULL,
+ PKCS11H_PROMPT_MASK_ALLOW_ALL, NULL, &id_list))
+ != CKR_OK)
{
msg(M_WARN, "PKCS#11: Cannot get certificate list %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
@@ -569,23 +470,16 @@
if (entry == NULL)
{
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: pkcs11_management_id_get - no certificate at index=%d",
- index
- );
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_management_id_get - no certificate at index=%d",
+ index);
goto cleanup;
}
- if (
- (rv = pkcs11h_certificate_serializeCertificateId(
- NULL,
- &max,
- entry->certificate_id
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_certificate_serializeCertificateId(NULL, &max, entry->certificate_id))
+ != CKR_OK)
{
- msg(M_WARN, "PKCS#11: Cannot serialize certificate id %ld-'%s'", rv, pkcs11h_getMessage(rv));
+ msg(M_WARN, "PKCS#11: Cannot serialize certificate id %ld-'%s'", rv,
+ pkcs11h_getMessage(rv));
goto cleanup;
}
@@ -595,39 +489,24 @@
goto cleanup;
}
- if (
- (rv = pkcs11h_certificate_serializeCertificateId(
- internal_id,
- &max,
- entry->certificate_id
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_certificate_serializeCertificateId(internal_id, &max, entry->certificate_id))
+ != CKR_OK)
{
- msg(M_WARN, "PKCS#11: Cannot serialize certificate id %ld-'%s'", rv, pkcs11h_getMessage(rv));
+ msg(M_WARN, "PKCS#11: Cannot serialize certificate id %ld-'%s'", rv,
+ pkcs11h_getMessage(rv));
goto cleanup;
}
- if (
- (rv = pkcs11h_certificate_create(
- entry->certificate_id,
- NULL,
- PKCS11H_PROMPT_MASK_ALLOW_ALL,
- PKCS11H_PIN_CACHE_INFINITE,
- &certificate
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_certificate_create(entry->certificate_id, NULL, PKCS11H_PROMPT_MASK_ALLOW_ALL,
+ PKCS11H_PIN_CACHE_INFINITE, &certificate))
+ != CKR_OK)
{
msg(M_WARN, "PKCS#11: Cannot get certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
}
- if (
- (rv = pkcs11h_certificate_getCertificateBlob(
- certificate,
- NULL,
- &certificate_blob_size
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_certificate_getCertificateBlob(certificate, NULL, &certificate_blob_size))
+ != CKR_OK)
{
msg(M_WARN, "PKCS#11: Cannot get certificate blob %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
@@ -639,13 +518,9 @@
goto cleanup;
}
- if (
- (rv = pkcs11h_certificate_getCertificateBlob(
- certificate,
- certificate_blob,
- &certificate_blob_size
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_certificate_getCertificateBlob(certificate, certificate_blob,
+ &certificate_blob_size))
+ != CKR_OK)
{
msg(M_WARN, "PKCS#11: Cannot get certificate blob %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
@@ -677,22 +552,15 @@
free(certificate_blob);
certificate_blob = NULL;
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: pkcs11_management_id_get - return success=%d, id='%s'",
- success ? 1 : 0,
- *id
- );
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_management_id_get - return success=%d, id='%s'",
+ success ? 1 : 0, *id);
return success;
}
int
-tls_ctx_use_pkcs11(
- struct tls_root_ctx *const ssl_ctx,
- bool pkcs11_id_management,
- const char *const pkcs11_id
- )
+tls_ctx_use_pkcs11(struct tls_root_ctx *const ssl_ctx, bool pkcs11_id_management,
+ const char *const pkcs11_id)
{
pkcs11h_certificate_id_t certificate_id = NULL;
pkcs11h_certificate_t certificate = NULL;
@@ -700,16 +568,13 @@
bool ok = false;
- ASSERT(ssl_ctx!=NULL);
- ASSERT(pkcs11_id_management || pkcs11_id!=NULL);
+ ASSERT(ssl_ctx != NULL);
+ ASSERT(pkcs11_id_management || pkcs11_id != NULL);
dmsg(
D_PKCS11_DEBUG,
"PKCS#11: tls_ctx_use_pkcs11 - entered - ssl_ctx=%p, pkcs11_id_management=%d, pkcs11_id='%s'",
- (void *)ssl_ctx,
- pkcs11_id_management ? 1 : 0,
- pkcs11_id
- );
+ (void *)ssl_ctx, pkcs11_id_management ? 1 : 0, pkcs11_id);
if (pkcs11_id_management)
{
@@ -719,30 +584,17 @@
id_resp.defined = false;
id_resp.nocache = true;
- snprintf(
- id_resp.username,
- sizeof(id_resp.username),
- "Please specify PKCS#11 id to use"
- );
+ snprintf(id_resp.username, sizeof(id_resp.username), "Please specify PKCS#11 id to use");
- if (
- !get_user_pass(
- &id_resp,
- NULL,
- "pkcs11-id-request",
- GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_STR|GET_USER_PASS_NOFATAL
- )
- )
+ if (!get_user_pass(&id_resp, NULL, "pkcs11-id-request",
+ GET_USER_PASS_MANAGEMENT | GET_USER_PASS_NEED_STR
+ | GET_USER_PASS_NOFATAL))
{
goto cleanup;
}
- if (
- (rv = pkcs11h_certificate_deserializeCertificateId(
- &certificate_id,
- id_resp.password
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_certificate_deserializeCertificateId(&certificate_id, id_resp.password))
+ != CKR_OK)
{
msg(M_WARN, "PKCS#11: Cannot deserialize id %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
@@ -750,38 +602,23 @@
}
else
{
- if (
- (rv = pkcs11h_certificate_deserializeCertificateId(
- &certificate_id,
- pkcs11_id
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_certificate_deserializeCertificateId(&certificate_id, pkcs11_id))
+ != CKR_OK)
{
msg(M_WARN, "PKCS#11: Cannot deserialize id %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
}
}
- if (
- (rv = pkcs11h_certificate_create(
- certificate_id,
- NULL,
- PKCS11H_PROMPT_MASK_ALLOW_ALL,
- PKCS11H_PIN_CACHE_INFINITE,
- &certificate
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_certificate_create(certificate_id, NULL, PKCS11H_PROMPT_MASK_ALLOW_ALL,
+ PKCS11H_PIN_CACHE_INFINITE, &certificate))
+ != CKR_OK)
{
msg(M_WARN, "PKCS#11: Cannot get certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
}
- if (
- (pkcs11_init_tls_session(
- certificate,
- ssl_ctx
- ))
- )
+ if ((pkcs11_init_tls_session(certificate, ssl_ctx)))
{
/* Handled by SSL context free */
certificate = NULL;
@@ -805,26 +642,15 @@
certificate_id = NULL;
}
- dmsg(
- D_PKCS11_DEBUG,
- "PKCS#11: tls_ctx_use_pkcs11 - return ok=%d, rv=%ld",
- ok ? 1 : 0,
- rv
- );
+ dmsg(D_PKCS11_DEBUG, "PKCS#11: tls_ctx_use_pkcs11 - return ok=%d, rv=%ld", ok ? 1 : 0, rv);
return ok ? 1 : 0;
}
-static
-PKCS11H_BOOL
-_pkcs11_openvpn_show_pkcs11_ids_pin_prompt(
- void *const global_data,
- void *const user_data,
- const pkcs11h_token_id_t token,
- const unsigned retry,
- char *const pin,
- const size_t pin_max
- )
+static PKCS11H_BOOL
+_pkcs11_openvpn_show_pkcs11_ids_pin_prompt(void *const global_data, void *const user_data,
+ const pkcs11h_token_id_t token, const unsigned retry,
+ char *const pin, const size_t pin_max)
{
struct gc_arena gc = gc_new();
struct buffer pass_prompt = alloc_buf_gc(128, &gc);
@@ -833,11 +659,10 @@
(void)user_data;
(void)retry;
- ASSERT(token!=NULL);
+ ASSERT(token != NULL);
buf_printf(&pass_prompt, "Please enter '%s' token PIN or 'cancel': ", token->display);
- if (!query_user_SINGLE(BSTR(&pass_prompt), BLEN(&pass_prompt),
- pin, pin_max, false))
+ if (!query_user_SINGLE(BSTR(&pass_prompt), BLEN(&pass_prompt), pin, pin_max, false))
{
msg(M_FATAL, "Could not retrieve the PIN");
}
@@ -855,10 +680,7 @@
}
void
-show_pkcs11_ids(
- const char *const provider,
- bool cert_private
- )
+show_pkcs11_ids(const char *const provider, bool cert_private)
{
struct gc_arena gc = gc_new();
pkcs11h_certificate_id_list_t user_certificates = NULL;
@@ -881,7 +703,8 @@
if ((rv = pkcs11h_setProtectedAuthentication(TRUE)) != CKR_OK)
{
- msg(M_FATAL, "PKCS#11: Cannot set protected authentication %ld-'%s'", rv, pkcs11h_getMessage(rv));
+ msg(M_FATAL, "PKCS#11: Cannot set protected authentication %ld-'%s'", rv,
+ pkcs11h_getMessage(rv));
goto cleanup;
}
@@ -897,118 +720,77 @@
goto cleanup;
}
- if (
- (rv = pkcs11h_certificate_enumCertificateIds(
- PKCS11H_ENUM_METHOD_CACHE_EXIST,
- NULL,
- PKCS11H_PROMPT_MASK_ALLOW_ALL,
- NULL,
- &user_certificates
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_certificate_enumCertificateIds(PKCS11H_ENUM_METHOD_CACHE_EXIST, NULL,
+ PKCS11H_PROMPT_MASK_ALLOW_ALL, NULL,
+ &user_certificates))
+ != CKR_OK)
{
msg(M_FATAL, "PKCS#11: Cannot enumerate certificates %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
}
- msg(
- M_INFO|M_NOPREFIX|M_NOLF,
- (
- "\n"
- "The following objects are available for use.\n"
- "Each object shown below may be used as parameter to\n"
- "--pkcs11-id option please remember to use single quote mark.\n"
- )
- );
+ msg(M_INFO | M_NOPREFIX | M_NOLF,
+ ("\n"
+ "The following objects are available for use.\n"
+ "Each object shown below may be used as parameter to\n"
+ "--pkcs11-id option please remember to use single quote mark.\n"));
for (current = user_certificates; current != NULL; current = current->next)
{
pkcs11h_certificate_t certificate = NULL;
char *dn = NULL;
- char serial[1024] = {0};
+ char serial[1024] = { 0 };
char *ser = NULL;
size_t ser_len = 0;
- if (
- (rv = pkcs11h_certificate_serializeCertificateId(
- NULL,
- &ser_len,
- current->certificate_id
- )) != CKR_OK
- )
+ if ((rv = pkcs11h_certificate_serializeCertificateId(NULL, &ser_len,
+ current->certificate_id))
+ != CKR_OK)
{
- msg(M_FATAL, "PKCS#11: Cannot serialize certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
+ msg(M_FATAL, "PKCS#11: Cannot serialize certificate %ld-'%s'", rv,
+ pkcs11h_getMessage(rv));
goto cleanup1;
}
- if (
- rv == CKR_OK
- && (ser = (char *)malloc(ser_len)) == NULL
- )
+ if (rv == CKR_OK && (ser = (char *)malloc(ser_len)) == NULL)
{
msg(M_FATAL, "PKCS#11: Cannot allocate memory");
goto cleanup1;
}
- if (
- (rv = pkcs11h_certificate_serializeCertificateId(
- ser,
- &ser_len,
- current->certificate_id
- )) != CKR_OK
- )
+ if ((rv =
+ pkcs11h_certificate_serializeCertificateId(ser, &ser_len, current->certificate_id))
+ != CKR_OK)
{
- msg(M_FATAL, "PKCS#11: Cannot serialize certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
+ msg(M_FATAL, "PKCS#11: Cannot serialize certificate %ld-'%s'", rv,
+ pkcs11h_getMessage(rv));
goto cleanup1;
}
- if (
- (rv = pkcs11h_certificate_create(
- current->certificate_id,
- NULL,
- PKCS11H_PROMPT_MASK_ALLOW_ALL,
- PKCS11H_PIN_CACHE_INFINITE,
- &certificate
- ))
- )
+ if ((rv = pkcs11h_certificate_create(current->certificate_id, NULL,
+ PKCS11H_PROMPT_MASK_ALLOW_ALL,
+ PKCS11H_PIN_CACHE_INFINITE, &certificate)))
{
msg(M_FATAL, "PKCS#11: Cannot create certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup1;
}
- if (
- (dn = pkcs11_certificate_dn(
- certificate,
- &gc
- )) == NULL
- )
+ if ((dn = pkcs11_certificate_dn(certificate, &gc)) == NULL)
{
goto cleanup1;
}
- if (
- (pkcs11_certificate_serial(
- certificate,
- serial,
- sizeof(serial)
- ))
- )
+ if ((pkcs11_certificate_serial(certificate, serial, sizeof(serial))))
{
goto cleanup1;
}
- msg(
- M_INFO|M_NOPREFIX|M_NOLF,
- (
- "\n"
- "Certificate\n"
- " DN: %s\n"
- " Serial: %s\n"
- " Serialized id: %s\n"
- ),
- dn,
- serial,
- ser
- );
+ msg(M_INFO | M_NOPREFIX | M_NOLF,
+ ("\n"
+ "Certificate\n"
+ " DN: %s\n"
+ " Serial: %s\n"
+ " Serialized id: %s\n"),
+ dn, serial, ser);
cleanup1:
@@ -27,49 +27,24 @@
#include "ssl_common.h"
-bool
-pkcs11_initialize(
- const bool fProtectedAuthentication,
- const int nPINCachePeriod
- );
+bool pkcs11_initialize(const bool fProtectedAuthentication, const int nPINCachePeriod);
-void
-pkcs11_terminate(void);
+void pkcs11_terminate(void);
-bool
-pkcs11_addProvider(
- const char *const provider,
- const bool fProtectedAuthentication,
- const unsigned private_mode,
- const bool fCertIsPrivate
- );
+bool pkcs11_addProvider(const char *const provider, const bool fProtectedAuthentication,
+ const unsigned private_mode, const bool fCertIsPrivate);
-int
-pkcs11_logout(void);
+int pkcs11_logout(void);
-int
-pkcs11_management_id_count(void);
+int pkcs11_management_id_count(void);
-bool
-pkcs11_management_id_get(
- const int index,
- char **id,
- char **base64
- );
+bool pkcs11_management_id_get(const int index, char **id, char **base64);
-int
-tls_ctx_use_pkcs11(
- struct tls_root_ctx *const ssl_ctx,
- bool pkcs11_id_management,
- const char *const pkcs11_id
- );
+int tls_ctx_use_pkcs11(struct tls_root_ctx *const ssl_ctx, bool pkcs11_id_management,
+ const char *const pkcs11_id);
-void
-show_pkcs11_ids(
- const char *const provider,
- bool cert_private
- );
+void show_pkcs11_ids(const char *const provider, bool cert_private);
-#endif /* ENABLE_PKCS11 */
+#endif /* ENABLE_PKCS11 */
-#endif /* OPENVPN_PKCS11H_H */
+#endif /* OPENVPN_PKCS11H_H */
@@ -56,8 +56,7 @@
*
* @return 1 on failure, 0 on success
*/
-int pkcs11_certificate_serial(pkcs11h_certificate_t certificate, char *serial,
- size_t serial_len);
+int pkcs11_certificate_serial(pkcs11h_certificate_t certificate, char *serial, size_t serial_len);
/**
* Load PKCS #11 Certificate's information into the given TLS context
@@ -67,8 +66,7 @@
*
* @return 1 on failure, 0 on success
*/
-int pkcs11_init_tls_session(pkcs11h_certificate_t certificate,
- struct tls_root_ctx *const ssl_ctx);
+int pkcs11_init_tls_session(pkcs11h_certificate_t certificate, struct tls_root_ctx *const ssl_ctx);
#endif /* defined(ENABLE_PKCS11) */
#endif /* PKCS11_BACKEND_H_ */
@@ -46,16 +46,14 @@
size_t cert_blob_size = 0;
bool ret = false;
- if (pkcs11h_certificate_getCertificateBlob(pkcs11_cert, NULL,
- &cert_blob_size) != CKR_OK)
+ if (pkcs11h_certificate_getCertificateBlob(pkcs11_cert, NULL, &cert_blob_size) != CKR_OK)
{
msg(M_WARN, "PKCS#11: Cannot retrieve certificate object size");
goto cleanup;
}
check_malloc_return((cert_blob = calloc(1, cert_blob_size)));
- if (pkcs11h_certificate_getCertificateBlob(pkcs11_cert, cert_blob,
- &cert_blob_size) != CKR_OK)
+ if (pkcs11h_certificate_getCertificateBlob(pkcs11_cert, cert_blob, &cert_blob_size) != CKR_OK)
{
msg(M_WARN, "PKCS#11: Cannot retrieve certificate object");
goto cleanup;
@@ -74,16 +72,14 @@
}
static bool
-pkcs11_sign(void *pkcs11_cert, const void *src, size_t src_len,
- void *dst, size_t dst_len)
+pkcs11_sign(void *pkcs11_cert, const void *src, size_t src_len, void *dst, size_t dst_len)
{
- return CKR_OK == pkcs11h_certificate_signAny(pkcs11_cert, CKM_RSA_PKCS,
- src, src_len, dst, &dst_len);
+ return CKR_OK
+ == pkcs11h_certificate_signAny(pkcs11_cert, CKM_RSA_PKCS, src, src_len, dst, &dst_len);
}
int
-pkcs11_init_tls_session(pkcs11h_certificate_t certificate,
- struct tls_root_ctx *const ssl_ctx)
+pkcs11_init_tls_session(pkcs11h_certificate_t certificate, struct tls_root_ctx *const ssl_ctx)
{
ASSERT(NULL != ssl_ctx);
@@ -130,8 +126,7 @@
}
int
-pkcs11_certificate_serial(pkcs11h_certificate_t cert, char *serial,
- size_t serial_len)
+pkcs11_certificate_serial(pkcs11h_certificate_t cert, char *serial, size_t serial_len)
{
int ret = 1;
mbedtls_x509_crt mbed_crt = { 0 };
@@ -43,18 +43,21 @@
#ifdef HAVE_XKEY_PROVIDER
static XKEY_EXTERNAL_SIGN_fn xkey_pkcs11h_sign;
-#if PKCS11H_VERSION > ((1<<16) | (27<<8)) /* version > 1.27 */
+#if PKCS11H_VERSION > ((1 << 16) | (27 << 8)) /* version > 1.27 */
/* Table linking OpenSSL digest NID with CKM and CKG constants in PKCS#11 */
-#define MD_TYPE(n) {NID_sha ## n, CKM_SHA ## n, CKG_MGF1_SHA ## n}
+#define MD_TYPE(n) { NID_sha##n, CKM_SHA##n, CKG_MGF1_SHA##n }
static const struct
{
int nid;
unsigned long ckm_id;
unsigned long mgf_id;
-} mdtypes[] = {MD_TYPE(224), MD_TYPE(256), MD_TYPE(384), MD_TYPE(512),
- {NID_sha1, CKM_SHA_1, CKG_MGF1_SHA1}, /* SHA_1 naming is an oddity */
- {NID_undef, 0, 0}};
+} mdtypes[] = { MD_TYPE(224),
+ MD_TYPE(256),
+ MD_TYPE(384),
+ MD_TYPE(512),
+ { NID_sha1, CKM_SHA_1, CKG_MGF1_SHA1 }, /* SHA_1 naming is an oddity */
+ { NID_undef, 0, 0 } };
/* From sigalg, derive parameters for pss signature and fill in pss_params.
* Its of type CK_RSA_PKCS_PSS_PARAMS struct with three fields to be filled in:
@@ -62,15 +65,13 @@
* where hashAlg is CKM_SHA256 etc., mgf is CKG_MGF1_SHA256 etc.
*/
static int
-set_pss_params(CK_RSA_PKCS_PSS_PARAMS *pss_params, XKEY_SIGALG sigalg,
- pkcs11h_certificate_t cert)
+set_pss_params(CK_RSA_PKCS_PSS_PARAMS *pss_params, XKEY_SIGALG sigalg, pkcs11h_certificate_t cert)
{
int ret = 0;
X509 *x509 = NULL;
EVP_PKEY *pubkey = NULL;
- if ((x509 = pkcs11h_openssl_getX509(cert)) == NULL
- || (pubkey = X509_get0_pubkey(x509)) == NULL)
+ if ((x509 = pkcs11h_openssl_getX509(cert)) == NULL || (pubkey = X509_get0_pubkey(x509)) == NULL)
{
msg(M_WARN, "PKCS#11: Unable get public key");
goto cleanup;
@@ -90,8 +91,10 @@
const EVP_MD *md = EVP_get_digestbyname(sigalg.mdname);
if (!md)
{
- msg(M_WARN, "WARN: set_pss_params: EVP_get_digestbyname returned NULL "
- "for mdname = <%s>", sigalg.mdname);
+ msg(M_WARN,
+ "WARN: set_pss_params: EVP_get_digestbyname returned NULL "
+ "for mdname = <%s>",
+ sigalg.mdname);
goto cleanup;
}
int mdsize = EVP_MD_get_size(md);
@@ -108,14 +111,16 @@
if (saltlen < 0 || pss_params->hashAlg == 0)
{
- msg(M_WARN, "WARN: invalid RSA_PKCS1_PSS parameters: saltlen = <%s> "
- "mdname = <%s>.", sigalg.saltlen, sigalg.mdname);
+ msg(M_WARN,
+ "WARN: invalid RSA_PKCS1_PSS parameters: saltlen = <%s> "
+ "mdname = <%s>.",
+ sigalg.saltlen, sigalg.mdname);
goto cleanup;
}
- pss_params->sLen = (unsigned long) saltlen; /* saltlen >= 0 at this point */
+ pss_params->sLen = (unsigned long)saltlen; /* saltlen >= 0 at this point */
- msg(D_XKEY, "set_pss_params: sLen = %lu, hashAlg = %lu, mgf = %lu",
- pss_params->sLen, pss_params->hashAlg, pss_params->mgf);
+ msg(D_XKEY, "set_pss_params: sLen = %lu, hashAlg = %lu, mgf = %lu", pss_params->sLen,
+ pss_params->hashAlg, pss_params->mgf);
ret = 1;
@@ -138,14 +143,14 @@
* is PSS in which case we return an error.
*/
static CK_RV
-pkcs11h_certificate_signAny_ex(const pkcs11h_certificate_t cert,
- const CK_MECHANISM *mech, const unsigned char *tbs,
- size_t tbslen, unsigned char *sig, size_t *siglen)
+pkcs11h_certificate_signAny_ex(const pkcs11h_certificate_t cert, const CK_MECHANISM *mech,
+ const unsigned char *tbs, size_t tbslen, unsigned char *sig,
+ size_t *siglen)
{
if (mech->mechanism == CKM_RSA_PKCS_PSS)
{
msg(M_NONFATAL, "PKCS#11: Error: PSS padding is not supported by "
- "this version of pkcs11-helper library.");
+ "this version of pkcs11-helper library.");
return CKR_MECHANISM_INVALID;
}
return pkcs11h_certificate_signAny(cert, mech->mechanism, tbs, tbslen, sig, siglen);
@@ -158,12 +163,12 @@
* We support ECDSA, RSA_NO_PADDING, RSA_PKCS1_PADDING, RSA_PKCS_PSS_PADDING
*/
static int
-xkey_pkcs11h_sign(void *handle, unsigned char *sig,
- size_t *siglen, const unsigned char *tbs, size_t tbslen, XKEY_SIGALG sigalg)
+xkey_pkcs11h_sign(void *handle, unsigned char *sig, size_t *siglen, const unsigned char *tbs,
+ size_t tbslen, XKEY_SIGALG sigalg)
{
pkcs11h_certificate_t cert = handle;
- CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0}; /* default value */
- CK_RSA_PKCS_PSS_PARAMS pss_params = {0};
+ CK_MECHANISM mech = { CKM_RSA_PKCS, NULL, 0 }; /* default value */
+ CK_RSA_PKCS_PSS_PARAMS pss_params = { 0 };
unsigned char buf[EVP_MAX_MD_SIZE];
size_t buflen = 0;
@@ -178,7 +183,7 @@
if (xkey_digest(tbs, tbslen, buf, &buflen, sigalg.mdname))
{
tbs = buf;
- tbslen = (size_t) buflen;
+ tbslen = (size_t)buflen;
sigalg.op = "Sign";
}
else
@@ -194,8 +199,7 @@
}
else if (!strcmp(sigalg.keytype, "RSA"))
{
- msg(D_XKEY, "xkey_pkcs11h_sign: signing with RSA key: padmode = %s",
- sigalg.padmode);
+ msg(D_XKEY, "xkey_pkcs11h_sign: signing with RSA key: padmode = %s", sigalg.padmode);
if (!strcmp(sigalg.padmode, "none"))
{
mech.mechanism = CKM_RSA_X_509;
@@ -230,11 +234,10 @@
}
else
{
- ASSERT(0); /* coding error -- we couldnt have created any such key */
+ ASSERT(0); /* coding error -- we couldnt have created any such key */
}
- if (CKR_OK != pkcs11h_certificate_signAny_ex(cert, &mech,
- tbs, tbslen, sig, siglen))
+ if (CKR_OK != pkcs11h_certificate_signAny_ex(cert, &mech, tbs, tbslen, sig, siglen))
{
return 0;
}
@@ -244,7 +247,7 @@
}
/* For EC keys, pkcs11 returns signature as r|s: convert to der encoded */
- int derlen = ecdsa_bin2der(sig, (int) *siglen, siglen_max);
+ int derlen = ecdsa_bin2der(sig, (int)*siglen, siglen_max);
if (derlen <= 0)
{
@@ -274,8 +277,7 @@
* other xkey_load_.. routines
*/
static int
-xkey_load_from_pkcs11h(pkcs11h_certificate_t certificate,
- struct tls_root_ctx *const ctx)
+xkey_load_from_pkcs11h(pkcs11h_certificate_t certificate, struct tls_root_ctx *const ctx)
{
int ret = 0;
@@ -326,10 +328,8 @@
#endif /* HAVE_XKEY_PROVIDER */
int
-pkcs11_init_tls_session(pkcs11h_certificate_t certificate,
- struct tls_root_ctx *const ssl_ctx)
+pkcs11_init_tls_session(pkcs11h_certificate_t certificate, struct tls_root_ctx *const ssl_ctx)
{
-
#ifdef HAVE_XKEY_PROVIDER
return (xkey_load_from_pkcs11h(certificate, ssl_ctx) == 0); /* inverts the return value */
#else
@@ -403,7 +403,7 @@
openssl_session = NULL;
}
return ret;
-#endif /* ifdef HAVE_XKEY_PROVIDER */
+#endif /* ifdef HAVE_XKEY_PROVIDER */
}
char *
@@ -429,8 +429,7 @@
}
int
-pkcs11_certificate_serial(pkcs11h_certificate_t certificate, char *serial,
- size_t serial_len)
+pkcs11_certificate_serial(pkcs11h_certificate_t certificate, char *serial, size_t serial_len)
{
X509 *x509 = NULL;
BIO *bio = NULL;
@@ -450,9 +449,9 @@
}
i2a_ASN1_INTEGER(bio, X509_get_serialNumber(x509));
- n = BIO_read(bio, serial, serial_len-1);
+ n = BIO_read(bio, serial, serial_len - 1);
- if (n<0)
+ if (n < 0)
{
serial[0] = '\x0';
}
@@ -66,8 +66,10 @@
msg(M_ERR, "cd to '%s' failed", top);
}
msg(M_INFO, "chroot to '%s' and cd to '%s' succeeded", path, top);
-#else /* ifdef HAVE_CHROOT */
- msg(M_FATAL, "Sorry but I can't chroot to '%s' because this operating system doesn't appear to support the chroot() system call", path);
+#else /* ifdef HAVE_CHROOT */
+ msg(M_FATAL,
+ "Sorry but I can't chroot to '%s' because this operating system doesn't appear to support the chroot() system call",
+ path);
#endif
}
}
@@ -94,8 +96,10 @@
}
state->username = username;
ret = true;
-#else /* if defined(HAVE_GETPWNAM) && defined(HAVE_SETUID) */
- msg(M_FATAL, "cannot get UID for user %s -- platform lacks getpwname() or setuid() system calls", username);
+#else /* if defined(HAVE_GETPWNAM) && defined(HAVE_SETUID) */
+ msg(M_FATAL,
+ "cannot get UID for user %s -- platform lacks getpwname() or setuid() system calls",
+ username);
#endif
}
return ret;
@@ -138,8 +142,10 @@
}
state->groupname = groupname;
ret = true;
-#else /* if defined(HAVE_GETGRNAM) && defined(HAVE_SETGID) */
- msg(M_FATAL, "cannot get GID for group %s -- platform lacks getgrnam() or setgid() system calls", groupname);
+#else /* if defined(HAVE_GETGRNAM) && defined(HAVE_SETGID) */
+ msg(M_FATAL,
+ "cannot get GID for group %s -- platform lacks getgrnam() or setgid() system calls",
+ groupname);
#endif
}
return ret;
@@ -214,8 +220,7 @@
*/
void
platform_user_group_set(const struct platform_state_user *user_state,
- const struct platform_state_group *group_state,
- struct context *c)
+ const struct platform_state_group *group_state, struct context *c)
{
int keep_caps = need_keep_caps(c);
unsigned int err_flags = (keep_caps > 0) ? M_FATAL : M_NONFATAL;
@@ -258,8 +263,8 @@
{
/* -4 and -6 mean failure of setuid/gid respectively.
* There is no point for us to continue if those failed. */
- msg(M_ERR, "capng_change_id('%s','%s') failed: %d",
- user_state->username, group_state->groupname, res);
+ msg(M_ERR, "capng_change_id('%s','%s') failed: %d", user_state->username,
+ group_state->groupname, res);
}
else if (res == -3)
{
@@ -294,7 +299,7 @@
{
msg(M_ERR, "Clearing KEEPCAPS flag failed");
}
-#endif /* HAVE_LIBCAPNG */
+#endif /* HAVE_LIBCAPNG */
if (keep_caps)
{
@@ -321,7 +326,7 @@
{
msg(M_INFO, "nice %d succeeded", niceval);
}
-#else /* ifdef HAVE_NICE */
+#else /* ifdef HAVE_NICE */
msg(M_WARN, "WARNING: nice %d failed (function not implemented)", niceval);
#endif
}
@@ -332,9 +337,9 @@
platform_getpid(void)
{
#ifdef _WIN32
- return (unsigned int) GetCurrentProcessId();
+ return (unsigned int)GetCurrentProcessId();
#else
- return (unsigned int) getpid();
+ return (unsigned int)getpid();
#endif
}
@@ -354,12 +359,11 @@
else
{
msg(M_INFO, "mlock: MEMLOCK limit: soft=%ld KB, hard=%ld KB",
- ((long int) rl.rlim_cur) / 1024, ((long int) rl.rlim_max) / 1024);
- if (rl.rlim_cur < MIN_LOCKED_MEM_MB*1024*1024)
+ ((long int)rl.rlim_cur) / 1024, ((long int)rl.rlim_max) / 1024);
+ if (rl.rlim_cur < MIN_LOCKED_MEM_MB * 1024 * 1024)
{
- msg(M_INFO, "mlock: RLIMIT_MEMLOCK < %d MB, increase limit",
- MIN_LOCKED_MEM_MB);
- rl.rlim_cur = MIN_LOCKED_MEM_MB*1024*1024;
+ msg(M_INFO, "mlock: RLIMIT_MEMLOCK < %d MB, increase limit", MIN_LOCKED_MEM_MB);
+ rl.rlim_cur = MIN_LOCKED_MEM_MB * 1024 * 1024;
if (rl.rlim_max < rl.rlim_cur)
{
rl.rlim_max = rl.rlim_cur;
@@ -397,10 +401,10 @@
res = _wchdir(wide_string(dir, &gc));
gc_free(&gc);
return res;
-#else /* ifdef _WIN32 */
+#else /* ifdef _WIN32 */
#ifdef HAVE_CHDIR
return chdir(dir);
-#else /* ifdef HAVE_CHDIR */
+#else /* ifdef HAVE_CHDIR */
return -1;
#endif
#endif
@@ -550,9 +554,8 @@
{
++attempts;
- if (!snprintf(fname, sizeof(fname), fname_fmt, max_prefix_len,
- prefix, (unsigned long) get_random(),
- (unsigned long) get_random()))
+ if (!snprintf(fname, sizeof(fname), fname_fmt, max_prefix_len, prefix,
+ (unsigned long)get_random(), (unsigned long)get_random()))
{
msg(M_WARN, "ERROR: temporary filename too long");
return NULL;
@@ -576,8 +579,7 @@
else if (fd == -1 && errno != EEXIST)
{
/* Something else went wrong, no need to retry. */
- msg(M_WARN | M_ERRNO, "Could not create temporary file '%s'",
- retfname);
+ msg(M_WARN | M_ERRNO, "Could not create temporary file '%s'", retfname);
return NULL;
}
}
@@ -590,12 +592,12 @@
* Put a directory and filename together.
*/
const char *
-platform_gen_path(const char *directory, const char *filename,
- struct gc_arena *gc)
+platform_gen_path(const char *directory, const char *filename, struct gc_arena *gc)
{
#ifdef _WIN32
- const int CC_PATH_RESERVED = CC_LESS_THAN|CC_GREATER_THAN|CC_COLON
- |CC_DOUBLE_QUOTE|CC_SLASH|CC_BACKSLASH|CC_PIPE|CC_QUESTION_MARK|CC_ASTERISK;
+ const int CC_PATH_RESERVED = CC_LESS_THAN | CC_GREATER_THAN | CC_COLON | CC_DOUBLE_QUOTE
+ | CC_SLASH | CC_BACKSLASH | CC_PIPE | CC_QUESTION_MARK
+ | CC_ASTERISK;
#else
const int CC_PATH_RESERVED = CC_SLASH;
#endif
@@ -607,13 +609,11 @@
const char *safe_filename = string_mod_const(filename, CC_PRINT, CC_PATH_RESERVED, '_', gc);
- if (safe_filename
- && strcmp(safe_filename, ".")
- && strcmp(safe_filename, "..")
+ if (safe_filename && strcmp(safe_filename, ".") && strcmp(safe_filename, "..")
#ifdef _WIN32
&& win_safe_filename(safe_filename)
#endif
- )
+ )
{
const size_t outsize = strlen(safe_filename) + (directory ? strlen(directory) : 0) + 16;
struct buffer out = alloc_buf_gc(outsize, gc);
@@ -671,14 +671,12 @@
{
if (errno == EACCES)
{
- msg( M_WARN | M_ERRNO, "Could not access file '%s'", filename);
+ msg(M_WARN | M_ERRNO, "Could not access file '%s'", filename);
}
}
}
- dmsg(D_TEST_FILE, "TEST FILE '%s' [%d]",
- filename ? filename : "UNDEF",
- ret);
+ dmsg(D_TEST_FILE, "TEST FILE '%s' [%d]", filename ? filename : "UNDEF", ret);
return ret;
}
@@ -59,7 +59,8 @@
/* Get/Set UID of process */
-struct platform_state_user {
+struct platform_state_user
+{
#if defined(HAVE_GETPWNAM) && defined(HAVE_SETUID)
const char *username;
uid_t uid;
@@ -70,7 +71,8 @@
/* Get/Set GID of process */
-struct platform_state_group {
+struct platform_state_group
+{
#if defined(HAVE_GETGRNAM) && defined(HAVE_SETGID)
const char *groupname;
gid_t gid;
@@ -84,8 +86,7 @@
bool platform_group_get(const char *groupname, struct platform_state_group *state);
void platform_user_group_set(const struct platform_state_user *user_state,
- const struct platform_state_group *group_state,
- struct context *c);
+ const struct platform_state_group *group_state, struct context *c);
/*
@@ -116,7 +117,7 @@
unsigned int platform_getpid(void);
-void platform_mlockall(bool print_msg); /* Disable paging */
+void platform_mlockall(bool print_msg); /* Disable paging */
int platform_chdir(const char *dir);
@@ -152,8 +153,7 @@
struct gc_arena *gc);
/** Put a directory and filename together. */
-const char *platform_gen_path(const char *directory, const char *filename,
- struct gc_arena *gc);
+const char *platform_gen_path(const char *directory, const char *filename, struct gc_arena *gc);
/** Return true if pathname is absolute. */
bool platform_absolute_pathname(const char *pathname);
@@ -44,7 +44,7 @@
#include "win32.h"
#include "memdbg.h"
-#define PLUGIN_SYMBOL_REQUIRED (1<<0)
+#define PLUGIN_SYMBOL_REQUIRED (1 << 0)
/* used only for program aborts */
static struct plugin_common *static_plugin_common = NULL; /* GLOBAL */
@@ -152,7 +152,7 @@
static inline unsigned int
plugin_supported_types(void)
{
- return ((1<<OPENVPN_PLUGIN_N)-1);
+ return ((1 << OPENVPN_PLUGIN_N) - 1);
}
struct plugin_option_list *
@@ -164,8 +164,7 @@
}
bool
-plugin_option_list_add(struct plugin_option_list *list, char **p,
- struct gc_arena *gc)
+plugin_option_list_add(struct plugin_option_list *list, char **p, struct gc_arena *gc)
{
if (list->n < MAX_PLUGINS)
{
@@ -193,7 +192,8 @@
for (i = 0; i < list->n; ++i)
{
const struct plugin_option *o = &list->plugins[i];
- msg(msglevel, " plugin[%d] %s '%s'", i, o->so_pathname, print_argv(o->argv, &gc, PA_BRACKET));
+ msg(msglevel, " plugin[%d] %s '%s'", i, o->so_pathname,
+ print_argv(o->argv, &gc, PA_BRACKET));
}
gc_free(&gc);
@@ -203,24 +203,28 @@
#ifndef _WIN32
static void
-libdl_resolve_symbol(void *handle, void **dest, const char *symbol, const char *plugin_name, const unsigned int flags)
+libdl_resolve_symbol(void *handle, void **dest, const char *symbol, const char *plugin_name,
+ const unsigned int flags)
{
*dest = dlsym(handle, symbol);
if ((flags & PLUGIN_SYMBOL_REQUIRED) && !*dest)
{
- msg(M_FATAL, "PLUGIN: could not find required symbol '%s' in plugin shared object %s: %s", symbol, plugin_name, dlerror());
+ msg(M_FATAL, "PLUGIN: could not find required symbol '%s' in plugin shared object %s: %s",
+ symbol, plugin_name, dlerror());
}
}
#else /* ifndef _WIN32 */
static void
-dll_resolve_symbol(HMODULE module, void **dest, const char *symbol, const char *plugin_name, const unsigned int flags)
+dll_resolve_symbol(HMODULE module, void **dest, const char *symbol, const char *plugin_name,
+ const unsigned int flags)
{
*dest = GetProcAddress(module, symbol);
if ((flags & PLUGIN_SYMBOL_REQUIRED) && !*dest)
{
- msg(M_FATAL, "PLUGIN: could not find required symbol '%s' in plugin DLL %s", symbol, plugin_name);
+ msg(M_FATAL, "PLUGIN: could not find required symbol '%s' in plugin DLL %s", symbol,
+ plugin_name);
}
}
@@ -254,8 +258,7 @@
* was parsed.
*
*/
- if (!platform_absolute_pathname(p->so_pathname)
- && p->so_pathname[0] != '.')
+ if (!platform_absolute_pathname(p->so_pathname) && p->so_pathname[0] != '.')
{
char full[PATH_MAX];
@@ -269,24 +272,29 @@
}
if (!p->handle)
{
- msg(M_ERR, "PLUGIN_INIT: could not load plugin shared object %s: %s", p->so_pathname, dlerror());
+ msg(M_ERR, "PLUGIN_INIT: could not load plugin shared object %s: %s", p->so_pathname,
+ dlerror());
}
-#define PLUGIN_SYM(var, name, flags) libdl_resolve_symbol(p->handle, (void *)&p->var, name, p->so_pathname, flags)
+#define PLUGIN_SYM(var, name, flags) \
+ libdl_resolve_symbol(p->handle, (void *)&p->var, name, p->so_pathname, flags)
-#else /* ifndef _WIN32 */
+#else /* ifndef _WIN32 */
WCHAR *wpath = wide_string(p->so_pathname, &gc);
- WCHAR normalized_plugin_path[MAX_PATH] = {0};
+ WCHAR normalized_plugin_path[MAX_PATH] = { 0 };
/* Normalize the plugin path, converting any relative paths to absolute paths. */
if (!GetFullPathNameW(wpath, MAX_PATH, normalized_plugin_path, NULL))
{
- msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %ls. Failed to normalize plugin path.", wpath);
+ msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %ls. Failed to normalize plugin path.",
+ wpath);
}
if (!plugin_in_trusted_dir(normalized_plugin_path))
{
- msg(M_FATAL, "PLUGIN_INIT: could not load plugin DLL: %ls. The DLL is not in a trusted directory.", normalized_plugin_path);
+ msg(M_FATAL,
+ "PLUGIN_INIT: could not load plugin DLL: %ls. The DLL is not in a trusted directory.",
+ normalized_plugin_path);
}
p->module = LoadLibraryW(normalized_plugin_path);
@@ -295,7 +303,8 @@
msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %ls", normalized_plugin_path);
}
-#define PLUGIN_SYM(var, name, flags) dll_resolve_symbol(p->module, (void *)&p->var, name, p->so_pathname, flags)
+#define PLUGIN_SYM(var, name, flags) \
+ dll_resolve_symbol(p->module, (void *)&p->var, name, p->so_pathname, flags)
#endif /* ifndef _WIN32 */
@@ -314,12 +323,14 @@
if (!p->open1 && !p->open2 && !p->open3)
{
- msg(M_FATAL, "PLUGIN: symbol openvpn_plugin_open_vX is undefined in plugin: %s", p->so_pathname);
+ msg(M_FATAL, "PLUGIN: symbol openvpn_plugin_open_vX is undefined in plugin: %s",
+ p->so_pathname);
}
if (!p->func1 && !p->func2 && !p->func3)
{
- msg(M_FATAL, "PLUGIN: symbol openvpn_plugin_func_vX is undefined in plugin: %s", p->so_pathname);
+ msg(M_FATAL, "PLUGIN: symbol openvpn_plugin_func_vX is undefined in plugin: %s",
+ p->so_pathname);
}
/*
@@ -330,10 +341,9 @@
const int plugin_needs_version = (*p->min_version_required)();
if (plugin_needs_version > OPENVPN_PLUGIN_VERSION)
{
- msg(M_FATAL, "PLUGIN_INIT: plugin needs interface version %d, but this version of OpenVPN only supports version %d: %s",
- plugin_needs_version,
- OPENVPN_PLUGIN_VERSION,
- p->so_pathname);
+ msg(M_FATAL,
+ "PLUGIN_INIT: plugin needs interface version %d, but this version of OpenVPN only supports version %d: %s",
+ plugin_needs_version, OPENVPN_PLUGIN_VERSION, p->so_pathname);
}
}
@@ -348,7 +358,9 @@
if (rel)
{
- msg(M_WARN, "WARNING: plugin '%s' specified by a relative pathname -- using an absolute pathname would be more secure", p->so_pathname);
+ msg(M_WARN,
+ "WARNING: plugin '%s' specified by a relative pathname -- using an absolute pathname would be more secure",
+ p->so_pathname);
}
p->initialized = true;
@@ -427,9 +439,9 @@
static struct openvpn_plugin_callbacks callbacks = {
plugin_log,
plugin_vlog,
- secure_memzero, /* plugin_secure_memzero */
- openvpn_base64_encode, /* plugin_base64_encode */
- openvpn_base64_decode, /* plugin_base64_decode */
+ secure_memzero, /* plugin_secure_memzero */
+ openvpn_base64_encode, /* plugin_base64_encode */
+ openvpn_base64_decode, /* plugin_base64_decode */
};
@@ -444,10 +456,8 @@
#endif
static void
-plugin_open_item(struct plugin *p,
- const struct plugin_option *o,
- struct openvpn_plugin_string_list **retlist,
- const char **envp,
+plugin_open_item(struct plugin *p, const struct plugin_option *o,
+ struct openvpn_plugin_string_list **retlist, const char **envp,
const int init_point)
{
ASSERT(p->initialized);
@@ -471,19 +481,20 @@
if (p->open3)
{
struct openvpn_plugin_args_open_in args = { p->plugin_type_mask,
- (const char **const) o->argv,
- (const char **const) envp,
+ (const char **const)o->argv,
+ (const char **const)envp,
&callbacks,
SSLAPI,
PACKAGE_VERSION,
OPENVPN_VERSION_MAJOR,
OPENVPN_VERSION_MINOR,
- _OPENVPN_PATCH_LEVEL};
+ _OPENVPN_PATCH_LEVEL };
struct openvpn_plugin_args_open_return retargs;
CLEAR(retargs);
retargs.return_list = retlist;
- if ((*p->open3)(OPENVPN_PLUGINv3_STRUCTVER, &args, &retargs) == OPENVPN_PLUGIN_FUNC_SUCCESS)
+ if ((*p->open3)(OPENVPN_PLUGINv3_STRUCTVER, &args, &retargs)
+ == OPENVPN_PLUGIN_FUNC_SUCCESS)
{
p->plugin_type_mask = retargs.type_mask;
p->plugin_handle = retargs.handle;
@@ -506,24 +517,20 @@
ASSERT(0);
}
- msg(D_PLUGIN, "PLUGIN_INIT: POST %s '%s' intercepted=%s %s",
- p->so_pathname,
- print_argv(o->argv, &gc, PA_BRACKET),
- plugin_mask_string(p->plugin_type_mask, &gc),
+ msg(D_PLUGIN, "PLUGIN_INIT: POST %s '%s' intercepted=%s %s", p->so_pathname,
+ print_argv(o->argv, &gc, PA_BRACKET), plugin_mask_string(p->plugin_type_mask, &gc),
(retlist && *retlist) ? "[RETLIST]" : "");
if ((p->plugin_type_mask | plugin_supported_types()) != plugin_supported_types())
{
- msg(M_FATAL, "PLUGIN_INIT: plugin %s expressed interest in unsupported plugin types: [want=0x%08x, have=0x%08x]",
- p->so_pathname,
- p->plugin_type_mask,
- plugin_supported_types());
+ msg(M_FATAL,
+ "PLUGIN_INIT: plugin %s expressed interest in unsupported plugin types: [want=0x%08x, have=0x%08x]",
+ p->so_pathname, p->plugin_type_mask, plugin_supported_types());
}
if (p->plugin_handle == NULL)
{
- msg(M_FATAL, "PLUGIN_INIT: plugin initialization function failed: %s",
- p->so_pathname);
+ msg(M_FATAL, "PLUGIN_INIT: plugin initialization function failed: %s", p->so_pathname);
}
gc_free(&gc);
@@ -531,15 +538,9 @@
}
static int
-plugin_call_item(const struct plugin *p,
- void *per_client_context,
- const int type,
- const struct argv *av,
- struct openvpn_plugin_string_list **retlist,
- const char **envp,
- int certdepth,
- openvpn_x509_cert_t *current_cert
- )
+plugin_call_item(const struct plugin *p, void *per_client_context, const int type,
+ const struct argv *av, struct openvpn_plugin_string_list **retlist,
+ const char **envp, int certdepth, openvpn_x509_cert_t *current_cert)
{
int status = OPENVPN_PLUGIN_FUNC_SUCCESS;
@@ -563,8 +564,8 @@
if (p->func3)
{
struct openvpn_plugin_args_func_in args = { type,
- (const char **const) a.argv,
- (const char **const) envp,
+ (const char **const)a.argv,
+ (const char **const)envp,
p->plugin_handle,
per_client_context,
(current_cert ? certdepth : -1),
@@ -578,7 +579,8 @@
}
else if (p->func2)
{
- status = (*p->func2)(p->plugin_handle, type, (const char **)a.argv, envp, per_client_context, retlist);
+ status = (*p->func2)(p->plugin_handle, type, (const char **)a.argv, envp,
+ per_client_context, retlist);
}
else if (p->func1)
{
@@ -589,17 +591,13 @@
ASSERT(0);
}
- msg(D_PLUGIN, "PLUGIN_CALL: POST %s/%s status=%d",
- p->so_pathname,
- plugin_type_name(type),
+ msg(D_PLUGIN, "PLUGIN_CALL: POST %s/%s status=%d", p->so_pathname, plugin_type_name(type),
status);
if (status == OPENVPN_PLUGIN_FUNC_ERROR)
{
msg(M_WARN, "PLUGIN_CALL: plugin function %s failed with status %d: %s",
- plugin_type_name(type),
- status,
- p->so_pathname);
+ plugin_type_name(type), status, p->so_pathname);
}
argv_free(&a);
@@ -652,8 +650,7 @@
}
static void
-plugin_per_client_init(const struct plugin_common *pc,
- struct plugin_per_client *cli,
+plugin_per_client_init(const struct plugin_common *pc, struct plugin_per_client *cli,
const int init_point)
{
const int n = pc->n;
@@ -662,8 +659,7 @@
for (i = 0; i < n; ++i)
{
const struct plugin *p = &pc->plugins[i];
- if (p->plugin_handle
- && (init_point < 0 || init_point == p->requested_initialization_point)
+ if (p->plugin_handle && (init_point < 0 || init_point == p->requested_initialization_point)
&& p->client_constructor)
{
cli->per_client_context[i] = (*p->client_constructor)(p->plugin_handle);
@@ -711,8 +707,7 @@
for (i = 0; i < list->n; ++i)
{
- plugin_init_item(&pc->plugins[i],
- &list->plugins[i]);
+ plugin_init_item(&pc->plugins[i], &list->plugins[i]);
pc->n = i + 1;
}
@@ -721,11 +716,8 @@
}
static void
-plugin_common_open(struct plugin_common *pc,
- const struct plugin_option_list *list,
- struct plugin_return *pr,
- const struct env_set *es,
- const int init_point)
+plugin_common_open(struct plugin_common *pc, const struct plugin_option_list *list,
+ struct plugin_return *pr, const struct env_set *es, const int init_point)
{
struct gc_arena gc = gc_new();
int i;
@@ -740,10 +732,7 @@
for (i = 0; i < pc->n; ++i)
{
- plugin_open_item(&pc->plugins[i],
- &list->plugins[i],
- pr ? &pr->list[i] : NULL,
- envp,
+ plugin_open_item(&pc->plugins[i], &list->plugins[i], pr ? &pr->list[i] : NULL, envp,
init_point);
}
@@ -782,25 +771,17 @@
}
void
-plugin_list_open(struct plugin_list *pl,
- const struct plugin_option_list *list,
- struct plugin_return *pr,
- const struct env_set *es,
- const int init_point)
+plugin_list_open(struct plugin_list *pl, const struct plugin_option_list *list,
+ struct plugin_return *pr, const struct env_set *es, const int init_point)
{
plugin_common_open(pl->common, list, pr, es, init_point);
plugin_per_client_init(pl->common, &pl->per_client, init_point);
}
int
-plugin_call_ssl(const struct plugin_list *pl,
- const int type,
- const struct argv *av,
- struct plugin_return *pr,
- struct env_set *es,
- int certdepth,
- openvpn_x509_cert_t *current_cert
- )
+plugin_call_ssl(const struct plugin_list *pl, const int type, const struct argv *av,
+ struct plugin_return *pr, struct env_set *es, int certdepth,
+ openvpn_x509_cert_t *current_cert)
{
if (pr)
{
@@ -821,23 +802,16 @@
for (i = 0; i < n; ++i)
{
- const int status = plugin_call_item(&pl->common->plugins[i],
- pl->per_client.per_client_context[i],
- type,
- av,
- pr ? &pr->list[i] : NULL,
- envp,
- certdepth,
- current_cert
- );
+ const int status =
+ plugin_call_item(&pl->common->plugins[i], pl->per_client.per_client_context[i],
+ type, av, pr ? &pr->list[i] : NULL, envp, certdepth, current_cert);
switch (status)
{
case OPENVPN_PLUGIN_FUNC_SUCCESS:
break;
case OPENVPN_PLUGIN_FUNC_DEFERRED:
- if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
- && deferred_auth_done)
+ if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) && deferred_auth_done)
{
/*
* Do not allow deferred auth if a deferred auth has
@@ -854,13 +828,12 @@
* error, we bail out and exit the OpenVPN process.
*/
error = true;
- msg(M_FATAL,
- "Exiting due to multiple authentication plug-ins "
- "performing deferred authentication. Only one "
- "authentication plug-in doing deferred auth is "
- "allowed. Ignoring the result and stopping now, "
- "the current authentication result is not to be "
- "trusted.");
+ msg(M_FATAL, "Exiting due to multiple authentication plug-ins "
+ "performing deferred authentication. Only one "
+ "authentication plug-in doing deferred auth is "
+ "allowed. Ignoring the result and stopping now, "
+ "the current authentication result is not to be "
+ "trusted.");
break;
}
deferred_auth_done = true;
@@ -996,8 +969,7 @@
}
void
-plugin_return_get_column(const struct plugin_return *src,
- struct plugin_return *dest,
+plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest,
const char *colname)
{
int i;
@@ -1035,10 +1007,7 @@
msg(msglevel, "PLUGIN #%d (%s)", i, prefix);
while (l)
{
- msg(msglevel, "[%d] '%s' -> '%s'\n",
- ++count,
- l->name,
- l->value);
+ msg(msglevel, "[%d] '%s' -> '%s'\n", ++count, l->name, l->value);
l = l->next;
}
}
@@ -41,17 +41,20 @@
#define MAX_PLUGINS 16
-struct plugin_option {
+struct plugin_option
+{
const char *so_pathname;
const char **argv;
};
-struct plugin_option_list {
+struct plugin_option_list
+{
int n;
struct plugin_option plugins[MAX_PLUGINS];
};
-struct plugin {
+struct plugin
+{
bool initialized;
const char *so_pathname;
unsigned int plugin_type_mask;
@@ -105,8 +108,7 @@
struct plugin_option_list *plugin_option_list_new(struct gc_arena *gc);
-bool plugin_option_list_add(struct plugin_option_list *list, char **p,
- struct gc_arena *gc);
+bool plugin_option_list_add(struct plugin_option_list *list, char **p, struct gc_arena *gc);
#ifndef ENABLE_SMALL
void plugin_option_list_print(const struct plugin_option_list *list, int msglevel);
@@ -115,29 +117,20 @@
struct plugin_list *plugin_list_init(const struct plugin_option_list *list);
-void plugin_list_open(struct plugin_list *pl,
- const struct plugin_option_list *list,
- struct plugin_return *pr,
- const struct env_set *es,
- const int init_point);
+void plugin_list_open(struct plugin_list *pl, const struct plugin_option_list *list,
+ struct plugin_return *pr, const struct env_set *es, const int init_point);
struct plugin_list *plugin_list_inherit(const struct plugin_list *src);
-int plugin_call_ssl(const struct plugin_list *pl,
- const int type,
- const struct argv *av,
- struct plugin_return *pr,
- struct env_set *es,
- int current_cert_depth,
- openvpn_x509_cert_t *current_cert
- );
+int plugin_call_ssl(const struct plugin_list *pl, const int type, const struct argv *av,
+ struct plugin_return *pr, struct env_set *es, int current_cert_depth,
+ openvpn_x509_cert_t *current_cert);
void plugin_list_close(struct plugin_list *pl);
bool plugin_defined(const struct plugin_list *pl, const int type);
-void plugin_return_get_column(const struct plugin_return *src,
- struct plugin_return *dest,
+void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest,
const char *colname);
void plugin_return_free(struct plugin_return *pr);
@@ -173,8 +166,14 @@
}
#else /* ifdef ENABLE_PLUGIN */
-struct plugin_list { int dummy; };
-struct plugin_return { int dummy; };
+struct plugin_list
+{
+ int dummy;
+};
+struct plugin_return
+{
+ int dummy;
+};
static inline bool
plugin_defined(const struct plugin_list *pl, const int type)
@@ -183,14 +182,9 @@
}
static inline int
-plugin_call_ssl(const struct plugin_list *pl,
- const int type,
- const struct argv *av,
- struct plugin_return *pr,
- struct env_set *es,
- int current_cert_depth,
- openvpn_x509_cert_t *current_cert
- )
+plugin_call_ssl(const struct plugin_list *pl, const int type, const struct argv *av,
+ struct plugin_return *pr, struct env_set *es, int current_cert_depth,
+ openvpn_x509_cert_t *current_cert)
{
return 0;
}
@@ -198,11 +192,8 @@
#endif /* ENABLE_PLUGIN */
static inline int
-plugin_call(const struct plugin_list *pl,
- const int type,
- const struct argv *av,
- struct plugin_return *pr,
- struct env_set *es)
+plugin_call(const struct plugin_list *pl, const int type, const struct argv *av,
+ struct plugin_return *pr, struct env_set *es)
{
return plugin_call_ssl(pl, type, av, pr, es, -1, NULL);
}
@@ -89,14 +89,11 @@
* Keep track of a possible allocation to us
* from an earlier session.
*/
- if (previous_usage < 0
- && common_name
- && ipe->common_name
+ if (previous_usage < 0 && common_name && ipe->common_name
&& !strcmp(common_name, ipe->common_name))
{
previous_usage = i;
}
-
}
}
@@ -125,16 +122,14 @@
if (start > end)
{
msg(msglevel, "--ifconfig-pool start IP [%s] is greater than end IP [%s]",
- print_in_addr_t(start, 0, &gc),
- print_in_addr_t(end, 0, &gc));
+ print_in_addr_t(start, 0, &gc), print_in_addr_t(end, 0, &gc));
ret = false;
}
if (end - start >= IFCONFIG_POOL_MAX)
{
- msg(msglevel, "--ifconfig-pool address range is too large [%s -> %s]. Current maximum is %d addresses, as defined by IFCONFIG_POOL_MAX variable.",
- print_in_addr_t(start, 0, &gc),
- print_in_addr_t(end, 0, &gc),
- IFCONFIG_POOL_MAX);
+ msg(msglevel,
+ "--ifconfig-pool address range is too large [%s -> %s]. Current maximum is %d addresses, as defined by IFCONFIG_POOL_MAX variable.",
+ print_in_addr_t(start, 0, &gc), print_in_addr_t(end, 0, &gc), IFCONFIG_POOL_MAX);
ret = false;
}
gc_free(&gc);
@@ -142,10 +137,9 @@
}
struct ifconfig_pool *
-ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start,
- in_addr_t end, const bool duplicate_cn,
- const bool ipv6_pool, const struct in6_addr ipv6_base,
- const int ipv6_netbits )
+ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start, in_addr_t end,
+ const bool duplicate_cn, const bool ipv6_pool, const struct in6_addr ipv6_base,
+ const int ipv6_netbits)
{
struct gc_arena gc = gc_new();
struct ifconfig_pool *pool = NULL;
@@ -179,8 +173,7 @@
if (pool_ipv4_size < 2)
{
- msg(M_FATAL, "IPv4 pool size is too small (%d), must be at least 2",
- pool_ipv4_size);
+ msg(M_FATAL, "IPv4 pool size is too small (%d), must be at least 2", pool_ipv4_size);
}
msg(D_IFCONFIG_POOL, "IFCONFIG POOL IPv4: base=%s size=%d",
@@ -198,10 +191,8 @@
* 4 bytes, therefore we can just extract that and use it as base in
* integer form
*/
- uint32_t base = (ipv6_base.s6_addr[12] << 24)
- | (ipv6_base.s6_addr[13] << 16)
- | (ipv6_base.s6_addr[14] << 8)
- | ipv6_base.s6_addr[15];
+ uint32_t base = (ipv6_base.s6_addr[12] << 24) | (ipv6_base.s6_addr[13] << 16)
+ | (ipv6_base.s6_addr[14] << 8) | ipv6_base.s6_addr[15];
/* some bits of the last 4 bytes may still be part of the network
* portion of the address, therefore we need to set them to 0
*/
@@ -214,7 +205,7 @@
* the following operation first computes mask=0x3fffff and then
* uses mask to extract the wanted bits from base
*/
- uint32_t mask = (1 << (128 - ipv6_netbits) ) - 1;
+ uint32_t mask = (1 << (128 - ipv6_netbits)) - 1;
base &= mask;
}
@@ -232,24 +223,21 @@
if (base == 0)
{
msg(D_IFCONFIG_POOL, "IFCONFIG POOL IPv6: incrementing pool start "
- "to avoid ::0 assignment");
+ "to avoid ::0 assignment");
base++;
pool->ipv6.base.s6_addr[15]++;
}
- pool_ipv6_size = ipv6_netbits >= 112
- ? (1 << (128 - ipv6_netbits)) - base
- : IFCONFIG_POOL_MAX;
+ pool_ipv6_size =
+ ipv6_netbits >= 112 ? (1 << (128 - ipv6_netbits)) - base : IFCONFIG_POOL_MAX;
if (pool_ipv6_size < 2)
{
- msg(M_FATAL, "IPv6 pool size is too small (%d), must be at least 2",
- pool_ipv6_size);
+ msg(M_FATAL, "IPv6 pool size is too small (%d), must be at least 2", pool_ipv6_size);
}
msg(D_IFCONFIG_POOL, "IFCONFIG POOL IPv6: base=%s size=%d netbits=%d",
- print_in6_addr(pool->ipv6.base, 0, &gc), pool_ipv6_size,
- ipv6_netbits);
+ print_in6_addr(pool->ipv6.base, 0, &gc), pool_ipv6_size, ipv6_netbits);
/* if there is no v4 pool, or the v6 pool is smaller, use
* v6 pool size as "unified pool size"
@@ -264,16 +252,20 @@
{
if (pool_ipv4_size < pool_ipv6_size)
{
- msg(M_INFO, "NOTE: IPv4 pool size is %d, IPv6 pool size is %d. "
+ msg(M_INFO,
+ "NOTE: IPv4 pool size is %d, IPv6 pool size is %d. "
"IPv4 pool size limits the number of clients that can be "
- "served from the pool", pool_ipv4_size, pool_ipv6_size);
+ "served from the pool",
+ pool_ipv4_size, pool_ipv6_size);
}
else if (pool_ipv4_size > pool_ipv6_size)
{
- msg(M_WARN, "WARNING: IPv4 pool size is %d, IPv6 pool size is %d. "
+ msg(M_WARN,
+ "WARNING: IPv4 pool size is %d, IPv6 pool size is %d. "
"IPv6 pool size limits the number of clients that can be "
"served from the pool. This is likely a MISTAKE - please check "
- "your configuration", pool_ipv4_size, pool_ipv6_size);
+ "your configuration",
+ pool_ipv4_size, pool_ipv6_size);
}
}
@@ -302,7 +294,8 @@
}
ifconfig_pool_handle
-ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, struct in6_addr *remote_ipv6, const char *common_name)
+ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote,
+ struct in6_addr *remote_ipv6, const char *common_name)
{
int i;
@@ -402,8 +395,7 @@
}
static ifconfig_pool_handle
-ifconfig_pool_ipv6_base_to_handle(const struct ifconfig_pool *pool,
- const struct in6_addr *in_addr)
+ifconfig_pool_ipv6_base_to_handle(const struct ifconfig_pool *pool, const struct in6_addr *in_addr)
{
ifconfig_pool_handle ret;
uint32_t base, addr;
@@ -422,14 +414,10 @@
}
}
- base = (pool->ipv6.base.s6_addr[12] << 24)
- | (pool->ipv6.base.s6_addr[13] << 16)
- | (pool->ipv6.base.s6_addr[14] << 8)
- | pool->ipv6.base.s6_addr[15];
+ base = (pool->ipv6.base.s6_addr[12] << 24) | (pool->ipv6.base.s6_addr[13] << 16)
+ | (pool->ipv6.base.s6_addr[14] << 8) | pool->ipv6.base.s6_addr[15];
- addr = (in_addr->s6_addr[12] << 24)
- | (in_addr->s6_addr[13] << 16)
- | (in_addr->s6_addr[14] << 8)
+ addr = (in_addr->s6_addr[12] << 24) | (in_addr->s6_addr[13] << 16) | (in_addr->s6_addr[14] << 8)
| in_addr->s6_addr[15];
ret = addr - base;
@@ -478,14 +466,14 @@
/* IPv6 pools are always INDIV (--linear) */
if (pool->ipv6.enabled && hand >= 0 && hand < pool->size)
{
- ret = add_in6_addr( pool->ipv6.base, hand );
+ ret = add_in6_addr(pool->ipv6.base, hand);
}
return ret;
}
static void
-ifconfig_pool_set(struct ifconfig_pool *pool, const char *cn,
- ifconfig_pool_handle h, const bool fixed)
+ifconfig_pool_set(struct ifconfig_pool *pool, const char *cn, ifconfig_pool_handle h,
+ const bool fixed)
{
struct ifconfig_pool_entry *e = &pool->list[h];
ifconfig_pool_entry_free(e, true);
@@ -557,7 +545,8 @@
if (refresh_freq > 0)
{
ret->fixed = false;
- ret->file = status_open(filename, refresh_freq, -1, NULL, STATUS_OUTPUT_READ|STATUS_OUTPUT_WRITE);
+ ret->file =
+ status_open(filename, refresh_freq, -1, NULL, STATUS_OUTPUT_READ | STATUS_OUTPUT_WRITE);
}
else
{
@@ -640,8 +629,7 @@
* - CN,IP4
* - CN,,IP6
*/
- if (!buf_parse(&in, ',', cn_buf, buf_size)
- || !buf_parse(&in, ',', ip_buf, buf_size))
+ if (!buf_parse(&in, ',', cn_buf, buf_size) || !buf_parse(&in, ',', ip_buf, buf_size))
{
continue;
}
@@ -651,22 +639,18 @@
if (strlen(ip_buf) > 0)
{
bool v4_ok = true;
- in_addr_t addr = getaddr(GETADDR_HOST_ORDER, ip_buf, 0, &v4_ok,
- NULL);
+ in_addr_t addr = getaddr(GETADDR_HOST_ORDER, ip_buf, 0, &v4_ok, NULL);
if (!v4_ok)
{
- msg(M_WARN, "pool: invalid IPv4 (%s) for CN=%s", ip_buf,
- cn_buf);
+ msg(M_WARN, "pool: invalid IPv4 (%s) for CN=%s", ip_buf, cn_buf);
}
else
{
h = ifconfig_pool_ip_base_to_handle(pool, addr);
if (h < 0)
{
- msg(M_WARN,
- "pool: IPv4 (%s) out of pool range for CN=%s",
- ip_buf, cn_buf);
+ msg(M_WARN, "pool: IPv4 (%s) out of pool range for CN=%s", ip_buf, cn_buf);
}
}
}
@@ -677,17 +661,14 @@
if (!get_ipv6_addr(ip6_buf, &addr6, NULL, M_WARN))
{
- msg(M_WARN, "pool: invalid IPv6 (%s) for CN=%s", ip6_buf,
- cn_buf);
+ msg(M_WARN, "pool: invalid IPv6 (%s) for CN=%s", ip6_buf, cn_buf);
}
else
{
h6 = ifconfig_pool_ipv6_base_to_handle(pool, &addr6);
if (h6 < 0)
{
- msg(M_WARN,
- "pool: IPv6 (%s) out of pool range for CN=%s",
- ip6_buf, cn_buf);
+ msg(M_WARN, "pool: IPv6 (%s) out of pool range for CN=%s", ip6_buf, cn_buf);
}
/* Rely on IPv6 if no IPv4 was provided or the one provided
@@ -707,8 +688,7 @@
*/
if ((h6 >= 0) && (h != h6))
{
- msg(M_WARN,
- "pool: IPv4 (%s) and IPv6 (%s) have different offsets! Relying on IPv4",
+ msg(M_WARN, "pool: IPv4 (%s) and IPv6 (%s) have different offsets! Relying on IPv4",
ip_buf, ip6_buf);
}
@@ -759,7 +739,7 @@
CLEAR(array);
msg(M_INFO | M_NOPREFIX, "************ 1");
- for (i = 0; i < (int) SIZE(array); ++i)
+ for (i = 0; i < (int)SIZE(array); ++i)
{
char *cn;
ifconfig_pool_handle h;
@@ -777,15 +757,12 @@
break;
}
msg(M_INFO | M_NOPREFIX, "IFCONFIG_POOL TEST pass 1: l=%s r=%s cn=%s",
- print_in_addr_t(local, 0, &gc),
- print_in_addr_t(remote, 0, &gc),
- cn);
+ print_in_addr_t(local, 0, &gc), print_in_addr_t(remote, 0, &gc), cn);
array[i] = h;
-
}
msg(M_INFO | M_NOPREFIX, "************* 2");
- for (i = (int) SIZE(array) / 16; i < (int) SIZE(array) / 8; ++i)
+ for (i = (int)SIZE(array) / 16; i < (int)SIZE(array) / 8; ++i)
{
msg(M_INFO, "Attempt to release %d cn=%s", array[i], p->list[i].common_name);
if (!ifconfig_pool_release(p, array[i]))
@@ -798,13 +775,13 @@
CLEAR(array);
msg(M_INFO | M_NOPREFIX, "**************** 3");
- for (i = 0; i < (int) SIZE(array); ++i)
+ for (i = 0; i < (int)SIZE(array); ++i)
{
char *cn;
ifconfig_pool_handle h;
in_addr_t local, remote;
char buf[256];
- snprintf(buf, sizeof(buf), "common-name-%d", i+24);
+ snprintf(buf, sizeof(buf), "common-name-%d", i + 24);
#ifdef DUP_CN
cn = NULL;
#else
@@ -816,11 +793,8 @@
break;
}
msg(M_INFO | M_NOPREFIX, "IFCONFIG_POOL TEST pass 3: l=%s r=%s cn=%s",
- print_in_addr_t(local, 0, &gc),
- print_in_addr_t(remote, 0, &gc),
- cn);
+ print_in_addr_t(local, 0, &gc), print_in_addr_t(remote, 0, &gc), cn);
array[i] = h;
-
}
ifconfig_pool_free(p);
@@ -29,7 +29,7 @@
#include "status.h"
#define IFCONFIG_POOL_MAX 65536
-#define IFCONFIG_POOL_MIN_NETBITS 16
+#define IFCONFIG_POOL_MIN_NETBITS 16
enum pool_type
{
@@ -48,12 +48,14 @@
struct ifconfig_pool
{
bool duplicate_cn;
- struct {
+ struct
+ {
bool enabled;
enum pool_type type;
in_addr_t base;
} ipv4;
- struct {
+ struct
+ {
bool enabled;
struct in6_addr base;
} ipv6;
@@ -69,18 +71,18 @@
typedef int ifconfig_pool_handle;
-struct ifconfig_pool *ifconfig_pool_init(const bool ipv4_pool,
- enum pool_type type, in_addr_t start,
+struct ifconfig_pool *ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start,
in_addr_t end, const bool duplicate_cn,
- const bool ipv6_pool,
- const struct in6_addr ipv6_base,
+ const bool ipv6_pool, const struct in6_addr ipv6_base,
const int ipv6_netbits);
void ifconfig_pool_free(struct ifconfig_pool *pool);
bool ifconfig_pool_verify_range(const int msglevel, const in_addr_t start, const in_addr_t end);
-ifconfig_pool_handle ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, struct in6_addr *remote_ipv6, const char *common_name);
+ifconfig_pool_handle ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local,
+ in_addr_t *remote, struct in6_addr *remote_ipv6,
+ const char *common_name);
bool ifconfig_pool_release(struct ifconfig_pool *pool, ifconfig_pool_handle hand, const bool hard);
@@ -54,8 +54,7 @@
else if (tunnel_type == DEV_TYPE_TAP)
{
const struct openvpn_ethhdr *eh;
- if (BLEN(buf) < (sizeof(struct openvpn_ethhdr)
- + sizeof(struct openvpn_iphdr)))
+ if (BLEN(buf) < (sizeof(struct openvpn_ethhdr) + sizeof(struct openvpn_iphdr)))
{
return false;
}
@@ -71,8 +70,7 @@
if (proto == htons(OPENVPN_ETH_P_8021Q))
{
const struct openvpn_8021qhdr *evh;
- if (BLEN(buf) < (sizeof(struct openvpn_ethhdr)
- + sizeof(struct openvpn_iphdr)))
+ if (BLEN(buf) < (sizeof(struct openvpn_ethhdr) + sizeof(struct openvpn_iphdr)))
{
return false;
}
@@ -109,12 +107,12 @@
bool
is_ipv4(int tunnel_type, struct buffer *buf)
{
- return is_ipv_X( tunnel_type, buf, 4 );
+ return is_ipv_X(tunnel_type, buf, 4);
}
bool
is_ipv6(int tunnel_type, struct buffer *buf)
{
- return is_ipv_X( tunnel_type, buf, 6 );
+ return is_ipv_X(tunnel_type, buf, 6);
}
@@ -131,9 +129,8 @@
*/
for (int i = 0; i < len_payload; i += 2)
{
- sum += (uint16_t)(((payload[i] << 8) & 0xFF00)
- +((i + 1 < len_payload) ? (payload[i + 1] & 0xFF) : 0));
-
+ sum += (uint16_t)(((payload[i] << 8) & 0xFF00)
+ + ((i + 1 < len_payload) ? (payload[i + 1] & 0xFF) : 0));
}
/*
@@ -143,7 +140,6 @@
for (int i = 0; i < addr_len; i += 2)
{
sum += (uint16_t)((src_addr[i] << 8) & 0xFF00) + (src_addr[i + 1] & 0xFF);
-
}
for (int i = 0; i < addr_len; i += 2)
{
@@ -166,17 +162,14 @@
}
/* Take the one's complement of sum */
- return ((uint16_t) ~sum);
+ return ((uint16_t)~sum);
}
#ifdef PACKET_TRUNCATION_CHECK
void
-ipv4_packet_size_verify(const uint8_t *data,
- const int size,
- const int tunnel_type,
- const char *prefix,
- counter_type *errors)
+ipv4_packet_size_verify(const uint8_t *data, const int size, const int tunnel_type,
+ const char *prefix, counter_type *errors)
{
if (size > 0)
{
@@ -192,13 +185,13 @@
const char *msgstr = "PACKET SIZE INFO";
unsigned int msglevel = D_PACKET_TRUNC_DEBUG;
- if (BLEN(&buf) < (int) sizeof(struct openvpn_iphdr))
+ if (BLEN(&buf) < (int)sizeof(struct openvpn_iphdr))
{
return;
}
verify_align_4(&buf);
- pip = (struct openvpn_iphdr *) BPTR(&buf);
+ pip = (struct openvpn_iphdr *)BPTR(&buf);
hlen = OPENVPN_IPH_GET_LEN(pip->version_len);
totlen = ntohs(pip->tot_len);
@@ -213,13 +206,8 @@
}
}
- msg(msglevel, "%s %s: size=%d totlen=%d hlen=%d errcount=" counter_format,
- msgstr,
- prefix,
- BLEN(&buf),
- totlen,
- hlen,
- errors ? *errors : (counter_type)0);
+ msg(msglevel, "%s %s: size=%d totlen=%d hlen=%d errcount=" counter_format, msgstr,
+ prefix, BLEN(&buf), totlen, hlen, errors ? *errors : (counter_type)0);
}
}
}
@@ -32,15 +32,15 @@
* Tunnel types
*/
#define DEV_TYPE_UNDEF 0
-#define DEV_TYPE_TUN 2 /* point-to-point IP tunnel */
-#define DEV_TYPE_TAP 3 /* ethernet (802.3) tunnel */
+#define DEV_TYPE_TUN 2 /* point-to-point IP tunnel */
+#define DEV_TYPE_TAP 3 /* ethernet (802.3) tunnel */
/* TUN topologies */
-#define TOP_UNDEF 0
-#define TOP_NET30 1
-#define TOP_P2P 2
-#define TOP_SUBNET 3
+#define TOP_UNDEF 0
+#define TOP_NET30 1
+#define TOP_P2P 2
+#define TOP_SUBNET 3
/*
* IP and Ethernet protocol structs. For portability,
@@ -49,46 +49,45 @@
* native structs.
*/
-#define OPENVPN_ETH_ALEN 6 /* ethernet address length */
+#define OPENVPN_ETH_ALEN 6 /* ethernet address length */
struct openvpn_ethhdr
{
uint8_t dest[OPENVPN_ETH_ALEN]; /* destination ethernet addr */
uint8_t source[OPENVPN_ETH_ALEN]; /* source ethernet addr */
-#define OPENVPN_ETH_P_IPV4 0x0800 /* IPv4 protocol */
-#define OPENVPN_ETH_P_IPV6 0x86DD /* IPv6 protocol */
-#define OPENVPN_ETH_P_ARP 0x0806 /* ARP protocol */
-#define OPENVPN_ETH_P_8021Q 0x8100 /* 802.1Q protocol */
+#define OPENVPN_ETH_P_IPV4 0x0800 /* IPv4 protocol */
+#define OPENVPN_ETH_P_IPV6 0x86DD /* IPv6 protocol */
+#define OPENVPN_ETH_P_ARP 0x0806 /* ARP protocol */
+#define OPENVPN_ETH_P_8021Q 0x8100 /* 802.1Q protocol */
uint16_t proto; /* packet type ID field */
};
struct openvpn_8021qhdr
{
- uint8_t dest[OPENVPN_ETH_ALEN]; /* destination ethernet addr */
- uint8_t source[OPENVPN_ETH_ALEN]; /* source ethernet addr */
+ uint8_t dest[OPENVPN_ETH_ALEN]; /* destination ethernet addr */
+ uint8_t source[OPENVPN_ETH_ALEN]; /* source ethernet addr */
- uint16_t tpid; /* 802.1Q Tag Protocol Identifier */
+ uint16_t tpid; /* 802.1Q Tag Protocol Identifier */
#define OPENVPN_8021Q_MASK_PCP htons(0xE000) /* mask PCP out of pcp_cfi_vid */
#define OPENVPN_8021Q_MASK_CFI htons(0x1000) /* mask CFI out of pcp_cfi_vid */
#define OPENVPN_8021Q_MASK_VID htons(0x0FFF) /* mask VID out of pcp_cfi_vid */
- uint16_t pcp_cfi_vid; /* bit fields, see IEEE 802.1Q */
- uint16_t proto; /* contained packet type ID field */
+ uint16_t pcp_cfi_vid; /* bit fields, see IEEE 802.1Q */
+ uint16_t proto; /* contained packet type ID field */
};
/*
* Size difference between a regular Ethernet II header and an Ethernet II
* header with additional IEEE 802.1Q tagging.
*/
-#define SIZE_ETH_TO_8021Q_HDR (sizeof(struct openvpn_8021qhdr) \
- - sizeof(struct openvpn_ethhdr))
+#define SIZE_ETH_TO_8021Q_HDR (sizeof(struct openvpn_8021qhdr) - sizeof(struct openvpn_ethhdr))
/** Version of IN6_ARE_ADDR_EQUAL that is guaranteed to work for
* unaligned access. E.g. Linux uses 32bit compares which are
* not safe if the struct is unaligned. */
-#define OPENVPN_IN6_ARE_ADDR_EQUAL(a, b) \
- (memcmp(a, b, sizeof(struct in6_addr)) == 0)
+#define OPENVPN_IN6_ARE_ADDR_EQUAL(a, b) (memcmp(a, b, sizeof(struct in6_addr)) == 0)
-struct openvpn_iphdr {
+struct openvpn_iphdr
+{
#define OPENVPN_IPH_GET_VER(v) (((v) >> 4) & 0x0F)
#define OPENVPN_IPH_GET_LEN(v) (((v) & 0x0F) << 2)
uint8_t version_len;
@@ -102,9 +101,9 @@
uint8_t ttl;
-#define OPENVPN_IPPROTO_IGMP 2 /* IGMP protocol */
-#define OPENVPN_IPPROTO_TCP 6 /* TCP protocol */
-#define OPENVPN_IPPROTO_UDP 17 /* UDP protocol */
+#define OPENVPN_IPPROTO_IGMP 2 /* IGMP protocol */
+#define OPENVPN_IPPROTO_TCP 6 /* TCP protocol */
+#define OPENVPN_IPPROTO_UDP 17 /* UDP protocol */
#define OPENVPN_IPPROTO_ICMPV6 58 /* ICMPV6 protocol */
uint8_t protocol;
@@ -117,31 +116,33 @@
/*
* IPv6 header
*/
-struct openvpn_ipv6hdr {
+struct openvpn_ipv6hdr
+{
uint8_t version_prio;
uint8_t flow_lbl[3];
uint16_t payload_len;
uint8_t nexthdr;
uint8_t hop_limit;
- struct in6_addr saddr;
- struct in6_addr daddr;
+ struct in6_addr saddr;
+ struct in6_addr daddr;
};
/*
* ICMPv6 header
*/
-struct openvpn_icmp6hdr {
-#define OPENVPN_ICMP6_DESTINATION_UNREACHABLE 1
-#define OPENVPN_ND_ROUTER_SOLICIT 133
-#define OPENVPN_ND_ROUTER_ADVERT 134
-#define OPENVPN_ND_NEIGHBOR_SOLICIT 135
-#define OPENVPN_ND_NEIGHBOR_ADVERT 136
-#define OPENVPN_ND_INVERSE_SOLICIT 141
-#define OPENVPN_ND_INVERSE_ADVERT 142
+struct openvpn_icmp6hdr
+{
+#define OPENVPN_ICMP6_DESTINATION_UNREACHABLE 1
+#define OPENVPN_ND_ROUTER_SOLICIT 133
+#define OPENVPN_ND_ROUTER_ADVERT 134
+#define OPENVPN_ND_NEIGHBOR_SOLICIT 135
+#define OPENVPN_ND_NEIGHBOR_ADVERT 136
+#define OPENVPN_ND_INVERSE_SOLICIT 141
+#define OPENVPN_ND_INVERSE_ADVERT 142
uint8_t icmp6_type;
-#define OPENVPN_ICMP6_DU_NOROUTE 0
-#define OPENVPN_ICMP6_DU_COMMUNICATION_PROHIBTED 1
+#define OPENVPN_ICMP6_DU_NOROUTE 0
+#define OPENVPN_ICMP6_DU_COMMUNICATION_PROHIBTED 1
uint8_t icmp6_code;
uint16_t icmp6_cksum;
uint8_t icmp6_dataun[4];
@@ -150,7 +151,8 @@
/*
* UDP header
*/
-struct openvpn_udphdr {
+struct openvpn_udphdr
+{
uint16_t source;
uint16_t dest;
uint16_t len;
@@ -160,23 +162,24 @@
/*
* TCP header, per RFC 793.
*/
-struct openvpn_tcphdr {
- uint16_t source; /* source port */
- uint16_t dest; /* destination port */
- uint32_t seq; /* sequence number */
- uint32_t ack_seq; /* acknowledgement number */
+struct openvpn_tcphdr
+{
+ uint16_t source; /* source port */
+ uint16_t dest; /* destination port */
+ uint32_t seq; /* sequence number */
+ uint32_t ack_seq; /* acknowledgement number */
#define OPENVPN_TCPH_GET_DOFF(d) (((d) & 0xF0) >> 2)
uint8_t doff_res;
-#define OPENVPN_TCPH_FIN_MASK (1<<0)
-#define OPENVPN_TCPH_SYN_MASK (1<<1)
-#define OPENVPN_TCPH_RST_MASK (1<<2)
-#define OPENVPN_TCPH_PSH_MASK (1<<3)
-#define OPENVPN_TCPH_ACK_MASK (1<<4)
-#define OPENVPN_TCPH_URG_MASK (1<<5)
-#define OPENVPN_TCPH_ECE_MASK (1<<6)
-#define OPENVPN_TCPH_CWR_MASK (1<<7)
+#define OPENVPN_TCPH_FIN_MASK (1 << 0)
+#define OPENVPN_TCPH_SYN_MASK (1 << 1)
+#define OPENVPN_TCPH_RST_MASK (1 << 2)
+#define OPENVPN_TCPH_PSH_MASK (1 << 3)
+#define OPENVPN_TCPH_ACK_MASK (1 << 4)
+#define OPENVPN_TCPH_URG_MASK (1 << 5)
+#define OPENVPN_TCPH_ECE_MASK (1 << 6)
+#define OPENVPN_TCPH_CWR_MASK (1 << 7)
uint8_t flags;
uint16_t window;
@@ -189,9 +192,11 @@
#define OPENVPN_TCPOPT_MAXSEG 2
#define OPENVPN_TCPOLEN_MAXSEG 4
-struct ip_tcp_udp_hdr {
+struct ip_tcp_udp_hdr
+{
struct openvpn_iphdr ip;
- union {
+ union
+ {
struct openvpn_tcphdr tcp;
struct openvpn_udphdr udp;
} u;
@@ -207,30 +212,36 @@
* subtracting out new words), and "cksum"
* is the checksum value to be updated.
*/
-#define ADJUST_CHECKSUM(acc, cksum) { \
- int _acc = acc; \
- _acc += (cksum); \
- if (_acc < 0) { \
- _acc = -_acc; \
+#define ADJUST_CHECKSUM(acc, cksum) \
+ { \
+ int _acc = acc; \
+ _acc += (cksum); \
+ if (_acc < 0) \
+ { \
+ _acc = -_acc; \
_acc = (_acc >> 16) + (_acc & 0xffff); \
- _acc += _acc >> 16; \
- (cksum) = (uint16_t) ~_acc; \
- } else { \
+ _acc += _acc >> 16; \
+ (cksum) = (uint16_t)~_acc; \
+ } \
+ else \
+ { \
_acc = (_acc >> 16) + (_acc & 0xffff); \
- _acc += _acc >> 16; \
- (cksum) = (uint16_t) _acc; \
- } \
-}
+ _acc += _acc >> 16; \
+ (cksum) = (uint16_t)_acc; \
+ } \
+ }
-#define ADD_CHECKSUM_32(acc, u32) { \
- acc += (u32) & 0xffff; \
- acc += (u32) >> 16; \
-}
+#define ADD_CHECKSUM_32(acc, u32) \
+ { \
+ acc += (u32) & 0xffff; \
+ acc += (u32) >> 16; \
+ }
-#define SUB_CHECKSUM_32(acc, u32) { \
- acc -= (u32) & 0xffff; \
- acc -= (u32) >> 16; \
-}
+#define SUB_CHECKSUM_32(acc, u32) \
+ { \
+ acc -= (u32) & 0xffff; \
+ acc -= (u32) >> 16; \
+ }
/*
* This returns an ip protocol version of packet inside tun
@@ -245,7 +256,7 @@
if (tunnel_type == DEV_TYPE_TUN)
{
*ip_hdr_offset = 0;
- if (likely(BLEN(buf) >= (int) sizeof(struct openvpn_iphdr)))
+ if (likely(BLEN(buf) >= (int)sizeof(struct openvpn_iphdr)))
{
ip_ver = OPENVPN_IPH_GET_VER(*BPTR(buf));
}
@@ -256,7 +267,7 @@
/* for tap get ip version from eth header */
if (likely(BLEN(buf) >= *ip_hdr_offset))
{
- const struct openvpn_ethhdr *eh = (const struct openvpn_ethhdr *) BPTR(buf);
+ const struct openvpn_ethhdr *eh = (const struct openvpn_ethhdr *)BPTR(buf);
uint16_t proto = ntohs(eh->proto);
if (proto == OPENVPN_ETH_P_IPV6)
{
@@ -293,17 +304,12 @@
* @param proto next - header or IP protocol of the packet
* @return The calculated checksum in host order
*/
-uint16_t
-ip_checksum(const sa_family_t af, const uint8_t *payload, const int len_payload,
- const uint8_t *src_addr, const uint8_t *dest_addr, const int proto);
+uint16_t ip_checksum(const sa_family_t af, const uint8_t *payload, const int len_payload,
+ const uint8_t *src_addr, const uint8_t *dest_addr, const int proto);
#ifdef PACKET_TRUNCATION_CHECK
-void ipv4_packet_size_verify(const uint8_t *data,
- const int size,
- const int tunnel_type,
- const char
- *prefix,
- counter_type *errors);
+void ipv4_packet_size_verify(const uint8_t *data, const int size, const int tunnel_type,
+ const char *prefix, counter_type *errors);
#endif
@@ -39,11 +39,10 @@
#include "memdbg.h"
#include "forward.h"
-#define UP_TYPE_PROXY "HTTP Proxy"
+#define UP_TYPE_PROXY "HTTP Proxy"
struct http_proxy_options *
-init_http_proxy_options_once(struct http_proxy_options **hpo,
- struct gc_arena *gc)
+init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
{
if (!*hpo)
{
@@ -59,13 +58,8 @@
static struct user_pass static_proxy_user_pass;
static bool
-recv_line(socket_descriptor_t sd,
- char *buf,
- int len,
- const int timeout_sec,
- const bool verbose,
- struct buffer *lookahead,
- volatile int *signal_received)
+recv_line(socket_descriptor_t sd, char *buf, int len, const int timeout_sec, const bool verbose,
+ struct buffer *lookahead, volatile int *signal_received)
{
struct buffer la;
int lastc = 0;
@@ -161,7 +155,8 @@
{
if (verbose)
{
- msg(D_LINK_ERRORS | M_ERRNO, "recv_line: Non-ASCII character (%d) read on recv()", (int)c);
+ msg(D_LINK_ERRORS | M_ERRNO,
+ "recv_line: Non-ASCII character (%d) read on recv()", (int)c);
}
*lookahead = la;
return false;
@@ -190,11 +185,10 @@
}
static bool
-send_line(socket_descriptor_t sd,
- const char *buf)
+send_line(socket_descriptor_t sd, const char *buf)
{
const ssize_t size = send(sd, buf, strlen(buf), MSG_NOSIGNAL);
- if (size != (ssize_t) strlen(buf))
+ if (size != (ssize_t)strlen(buf))
{
msg(D_LINK_ERRORS | M_ERRNO, "send_line: TCP port write failed on send()");
return false;
@@ -203,8 +197,7 @@
}
static bool
-send_line_crlf(socket_descriptor_t sd,
- const char *src)
+send_line_crlf(socket_descriptor_t sd, const char *src)
{
bool ret;
@@ -228,7 +221,7 @@
uint8_t *ret = NULL;
char *b64out = NULL;
ASSERT(openvpn_base64_encode((const void *)str, src_len, &b64out) >= 0);
- ret = (uint8_t *) string_alloc(b64out, gc);
+ ret = (uint8_t *)string_alloc(b64out, gc);
free(b64out);
return ret;
}
@@ -240,8 +233,7 @@
}
static const char *
-username_password_as_base64(const struct http_proxy_info *p,
- struct gc_arena *gc)
+username_password_as_base64(const struct http_proxy_info *p, struct gc_arena *gc)
{
struct buffer out = alloc_buf_gc(strlen(p->up.username) + strlen(p->up.password) + 2, gc);
ASSERT(strlen(p->up.username) > 0);
@@ -285,10 +277,7 @@
{
flags |= GET_USER_PASS_INLINE_CREDS;
}
- get_user_pass(&static_proxy_user_pass,
- auth_file,
- UP_TYPE_PROXY,
- flags);
+ get_user_pass(&static_proxy_user_pass, auth_file, UP_TYPE_PROXY, flags);
static_proxy_user_pass.nocache = p->options.nocache;
protect_user_pass(&static_proxy_user_pass);
}
@@ -325,9 +314,7 @@
* Consumes all headers.
*/
static int
-get_proxy_authenticate(socket_descriptor_t sd,
- int timeout,
- char **data,
+get_proxy_authenticate(socket_descriptor_t sd, int timeout, char **data,
volatile int *signal_received)
{
char buf[256];
@@ -347,22 +334,22 @@
}
if (ret == HTTP_AUTH_NONE && !strncmp(buf, "Proxy-Authenticate: ", 20))
{
- if (!strncmp(buf+20, "Basic ", 6))
+ if (!strncmp(buf + 20, "Basic ", 6))
{
msg(D_PROXY, "PROXY AUTH BASIC: '%s'", buf);
- *data = string_alloc(buf+26, NULL);
+ *data = string_alloc(buf + 26, NULL);
ret = HTTP_AUTH_BASIC;
}
#if PROXY_DIGEST_AUTH
- else if (!strncmp(buf+20, "Digest ", 7))
+ else if (!strncmp(buf + 20, "Digest ", 7))
{
msg(D_PROXY, "PROXY AUTH DIGEST: '%s'", buf);
- *data = string_alloc(buf+27, NULL);
+ *data = string_alloc(buf + 27, NULL);
ret = HTTP_AUTH_DIGEST;
}
#endif
#if NTLM
- else if (!strncmp(buf+20, "NTLM", 4))
+ else if (!strncmp(buf + 20, "NTLM", 4))
{
msg(D_PROXY, "PROXY AUTH NTLM: '%s'", buf);
*data = NULL;
@@ -385,18 +372,16 @@
* Return true on success, or false on parse failure.
*/
static bool
-get_key_value(const char *str, /* source string */
- char *key, /* key stored here */
- char *value, /* value stored here */
- int max_key_len,
- int max_value_len,
- const char **endptr) /* next search position */
+get_key_value(const char *str, /* source string */
+ char *key, /* key stored here */
+ char *value, /* value stored here */
+ int max_key_len, int max_value_len, const char **endptr) /* next search position */
{
int c;
bool starts_with_quote = false;
bool escape = false;
- for (c = max_key_len-1; (*str && (*str != '=') && c--); )
+ for (c = max_key_len - 1; (*str && (*str != '=') && c--);)
{
*key++ = *str++;
}
@@ -415,7 +400,7 @@
starts_with_quote = true;
}
- for (c = max_value_len-1; *str && c--; str++)
+ for (c = max_value_len - 1; *str && c--; str++)
{
switch (*str)
{
@@ -529,7 +514,8 @@
#if NTLM
else if (!strcmp(o->auth_method_string, "ntlm"))
{
- msg(M_WARN, "NTLM v1 authentication has been removed in OpenVPN 2.7. Will try to use NTLM v2 authentication.");
+ msg(M_WARN,
+ "NTLM v1 authentication has been removed in OpenVPN 2.7. Will try to use NTLM v2 authentication.");
p->auth_method = HTTP_AUTH_NTLM2;
}
else if (!strcmp(o->auth_method_string, "ntlm2"))
@@ -539,8 +525,7 @@
#endif
else
{
- msg(M_FATAL, "ERROR: unknown HTTP authentication method: '%s'",
- o->auth_method_string);
+ msg(M_FATAL, "ERROR: unknown HTTP authentication method: '%s'", o->auth_method_string);
}
}
@@ -555,7 +540,8 @@
#if !NTLM
if (p->auth_method == HTTP_AUTH_NTLM2)
{
- msg(M_FATAL, "Sorry, this version of " PACKAGE_NAME " was built without NTLM Proxy support.");
+ msg(M_FATAL,
+ "Sorry, this version of " PACKAGE_NAME " was built without NTLM Proxy support.");
}
#endif
@@ -570,10 +556,9 @@
}
static bool
-add_proxy_headers(struct http_proxy_info *p,
- socket_descriptor_t sd, /* already open to proxy */
- const char *host /* openvpn server remote */
- )
+add_proxy_headers(struct http_proxy_info *p, socket_descriptor_t sd, /* already open to proxy */
+ const char *host /* openvpn server remote */
+)
{
char buf[512];
int i;
@@ -584,12 +569,11 @@
* If content is NULL the whole header is in name
* Also remember if we already sent a Host: header
*/
- for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && p->options.custom_headers[i].name; i++)
+ for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && p->options.custom_headers[i].name; i++)
{
if (p->options.custom_headers[i].content)
{
- snprintf(buf, sizeof(buf), "%s: %s",
- p->options.custom_headers[i].name,
+ snprintf(buf, sizeof(buf), "%s: %s", p->options.custom_headers[i].name,
p->options.custom_headers[i].content);
if (!strcasecmp(p->options.custom_headers[i].name, "Host"))
{
@@ -598,8 +582,7 @@
}
else
{
- snprintf(buf, sizeof(buf), "%s",
- p->options.custom_headers[i].name);
+ snprintf(buf, sizeof(buf), "%s", p->options.custom_headers[i].name);
if (!strncasecmp(p->options.custom_headers[i].name, "Host:", 5))
{
host_header_sent = true;
@@ -626,8 +609,7 @@
/* send User-Agent string if provided */
if (p->options.user_agent)
{
- snprintf(buf, sizeof(buf), "User-Agent: %s",
- p->options.user_agent);
+ snprintf(buf, sizeof(buf), "User-Agent: %s", p->options.user_agent);
msg(D_PROXY, "Send to HTTP proxy: '%s'", buf);
if (!send_line_crlf(sd, buf))
{
@@ -641,11 +623,10 @@
bool
establish_http_proxy_passthru(struct http_proxy_info *p,
- socket_descriptor_t sd, /* already open to proxy */
- const char *host, /* openvpn server remote */
- const char *port, /* openvpn server port */
- struct event_timeout *server_poll_timeout,
- struct buffer *lookahead,
+ socket_descriptor_t sd, /* already open to proxy */
+ const char *host, /* openvpn server remote */
+ const char *port, /* openvpn server port */
+ struct event_timeout *server_poll_timeout, struct buffer *lookahead,
struct signal_info *sig_info)
{
struct gc_arena gc = gc_new();
@@ -657,8 +638,7 @@
volatile int *signal_received = &sig_info->signal_received;
/* get user/pass if not previously given */
- if (p->auth_method == HTTP_AUTH_BASIC
- || p->auth_method == HTTP_AUTH_DIGEST
+ if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_DIGEST
|| p->auth_method == HTTP_AUTH_NTLM2)
{
get_user_pass_http(p, false);
@@ -670,7 +650,8 @@
unprotect_user_pass(&p->up);
}
- /* are we being called again after getting the digest server nonce in the previous transaction? */
+ /* are we being called again after getting the digest server nonce in the previous transaction?
+ */
if (p->auth_method == HTTP_AUTH_DIGEST && p->proxy_authenticate)
{
nparms = 1;
@@ -679,10 +660,7 @@
else
{
/* format HTTP CONNECT message */
- snprintf(buf, sizeof(buf), "CONNECT %s:%s HTTP/%s",
- host,
- port,
- p->options.http_version);
+ snprintf(buf, sizeof(buf), "CONNECT %s:%s HTTP/%s", host, port, p->options.http_version);
msg(D_PROXY, "Send to HTTP proxy: '%s'", buf);
@@ -723,8 +701,7 @@
goto error;
}
- snprintf(buf, sizeof(buf), "Proxy-Authorization: NTLM %s",
- ntlm_phase_1(p, &gc));
+ snprintf(buf, sizeof(buf), "Proxy-Authorization: NTLM %s", ntlm_phase_1(p, &gc));
msg(D_PROXY, "Attempting NTLM Proxy-Authorization phase 1");
dmsg(D_SHOW_KEYS, "Send to HTTP proxy: '%s'", buf);
if (!send_line_crlf(sd, buf))
@@ -748,7 +725,8 @@
}
/* receive reply from proxy */
- if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
+ if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout),
+ true, NULL, signal_received))
{
goto error;
}
@@ -760,7 +738,6 @@
/* parse return string */
nparms = sscanf(buf, "%*s %d", &status);
-
}
/* check for a "407 Proxy Authentication Required" response */
@@ -779,7 +756,9 @@
char buf2[512];
while (true)
{
- if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
+ if (!recv_line(sd, buf, sizeof(buf),
+ get_server_poll_remaining_time(server_poll_timeout), true, NULL,
+ signal_received))
{
goto error;
}
@@ -810,9 +789,7 @@
/* now send the phase 3 reply */
/* format HTTP CONNECT message */
- snprintf(buf, sizeof(buf), "CONNECT %s:%s HTTP/%s",
- host,
- port,
+ snprintf(buf, sizeof(buf), "CONNECT %s:%s HTTP/%s", host, port,
p->options.http_version);
msg(D_PROXY, "Send to HTTP proxy: '%s'", buf);
@@ -841,7 +818,8 @@
const char *np3 = ntlm_phase_3(p, buf2, &gc);
if (!np3)
{
- msg(D_PROXY, "NTLM Proxy-Authorization phase 3 failed: received corrupted data from proxy server");
+ msg(D_PROXY,
+ "NTLM Proxy-Authorization phase 3 failed: received corrupted data from proxy server");
goto error;
}
snprintf(buf, sizeof(buf), "Proxy-Authorization: NTLM %s", np3);
@@ -860,7 +838,9 @@
}
/* receive reply from proxy */
- if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
+ if (!recv_line(sd, buf, sizeof(buf),
+ get_server_poll_remaining_time(server_poll_timeout), true, NULL,
+ signal_received))
{
goto error;
}
@@ -904,7 +884,7 @@
if (!realm || !nonce)
{
msg(D_LINK_ERRORS, "HTTP proxy: digest auth failed, malformed response "
- "from server: realm= or nonce= missing" );
+ "from server: realm= or nonce= missing");
goto error;
}
@@ -914,38 +894,21 @@
/* build the digest response */
- snprintf(uri, sizeof(uri), "%s:%s",
- host,
- port);
+ snprintf(uri, sizeof(uri), "%s:%s", host, port);
if (opaque)
{
- const int len = strlen(opaque)+16;
+ const int len = strlen(opaque) + 16;
opaque_kv = gc_malloc(len, false, &gc);
snprintf(opaque_kv, len, ", opaque=\"%s\"", opaque);
}
- DigestCalcHA1(algor,
- username,
- realm,
- password,
- nonce,
- (char *)cnonce,
- session_key);
- DigestCalcResponse(session_key,
- nonce,
- nonce_count,
- (char *)cnonce,
- qop,
- http_method,
- uri,
- NULL,
- response);
+ DigestCalcHA1(algor, username, realm, password, nonce, (char *)cnonce, session_key);
+ DigestCalcResponse(session_key, nonce, nonce_count, (char *)cnonce, qop,
+ http_method, uri, NULL, response);
/* format HTTP CONNECT message */
- snprintf(buf, sizeof(buf), "%s %s HTTP/%s",
- http_method,
- uri,
+ snprintf(buf, sizeof(buf), "%s %s HTTP/%s", http_method, uri,
p->options.http_version);
msg(D_PROXY, "Send to HTTP proxy: '%s'", buf);
@@ -963,17 +926,10 @@
}
/* send digest response */
- int sret = snprintf(buf, sizeof(buf), "Proxy-Authorization: Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", qop=%s, nc=%s, cnonce=\"%s\", response=\"%s\"%s",
- username,
- realm,
- nonce,
- uri,
- qop,
- nonce_count,
- cnonce,
- response,
- opaque_kv
- );
+ int sret = snprintf(
+ buf, sizeof(buf),
+ "Proxy-Authorization: Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", qop=%s, nc=%s, cnonce=\"%s\", response=\"%s\"%s",
+ username, realm, nonce, uri, qop, nonce_count, cnonce, response, opaque_kv);
if (sret >= sizeof(buf))
{
goto error;
@@ -992,7 +948,9 @@
secure_memzero(buf, sizeof(buf));
/* receive reply from proxy */
- if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
+ if (!recv_line(sd, buf, sizeof(buf),
+ get_server_poll_remaining_time(server_poll_timeout), true, NULL,
+ signal_received))
{
goto error;
}
@@ -1017,10 +975,8 @@
{
/* figure out what kind of authentication the proxy needs */
char *pa = NULL;
- const int method = get_proxy_authenticate(sd,
- get_server_poll_remaining_time(server_poll_timeout),
- &pa,
- signal_received);
+ const int method = get_proxy_authenticate(
+ sd, get_server_poll_remaining_time(server_poll_timeout), &pa, signal_received);
if (method != HTTP_AUTH_NONE)
{
if (pa)
@@ -1029,7 +985,8 @@
}
if (p->options.auth_retry == PAR_NCT && method == HTTP_AUTH_BASIC)
{
- msg(D_PROXY, "HTTP proxy: support for basic auth and other cleartext proxy auth methods is disabled");
+ msg(D_PROXY,
+ "HTTP proxy: support for basic auth and other cleartext proxy auth methods is disabled");
free(pa);
goto error;
}
@@ -1040,7 +997,8 @@
}
else
{
- msg(D_PROXY, "HTTP proxy: do not recognize the authentication method required by proxy");
+ msg(D_PROXY,
+ "HTTP proxy: do not recognize the authentication method required by proxy");
free(pa);
goto error;
}
@@ -1069,7 +1027,8 @@
/* SUCCESS */
/* receive line from proxy and discard */
- if (!recv_line(sd, NULL, 0, get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
+ if (!recv_line(sd, NULL, 0, get_server_poll_remaining_time(server_poll_timeout), true, NULL,
+ signal_received))
{
goto error;
}
@@ -1082,7 +1041,8 @@
{
}
- /* reset queried_creds so that we don't think that the next creds request is due to an auth error */
+ /* reset queried_creds so that we don't think that the next creds request is due to an auth
+ * error */
p->queried_creds = false;
#if 0
@@ -34,19 +34,21 @@
#define HTTP_AUTH_NTLM2 4
#define HTTP_AUTH_N 5 /* number of HTTP_AUTH methods */
-struct http_custom_header {
+struct http_custom_header
+{
const char *name;
const char *content;
};
#define MAX_CUSTOM_HTTP_HEADER 10
-struct http_proxy_options {
+struct http_proxy_options
+{
const char *server;
const char *port;
-#define PAR_NO 0 /* don't support any auth retries */
-#define PAR_ALL 1 /* allow all proxy auth protocols */
-#define PAR_NCT 2 /* disable cleartext proxy auth protocols */
+#define PAR_NO 0 /* don't support any auth retries */
+#define PAR_ALL 1 /* allow all proxy auth protocols */
+#define PAR_NCT 2 /* disable cleartext proxy auth protocols */
int auth_retry;
const char *auth_method_string;
@@ -56,11 +58,13 @@
const char *user_agent;
struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER];
bool inline_creds; /* auth_file_up is inline credentials */
- bool first_time; /* indicates if we need to wipe user creds at the first iteration of the main loop */
+ bool first_time; /* indicates if we need to wipe user creds at the first iteration of the main
+ loop */
bool nocache;
};
-struct http_proxy_info {
+struct http_proxy_info
+{
bool defined;
int auth_method;
struct http_proxy_options options;
@@ -77,12 +81,11 @@
void http_proxy_close(struct http_proxy_info *hp);
bool establish_http_proxy_passthru(struct http_proxy_info *p,
- socket_descriptor_t sd, /* already open to proxy */
- const char *host, /* openvpn server remote */
- const char *port, /* openvpn server port */
+ socket_descriptor_t sd, /* already open to proxy */
+ const char *host, /* openvpn server remote */
+ const char *port, /* openvpn server port */
struct event_timeout *server_poll_timeout,
- struct buffer *lookahead,
- struct signal_info *sig_info);
+ struct buffer *lookahead, struct signal_info *sig_info);
uint8_t *make_base64_string2(const uint8_t *str, int str_len, struct gc_arena *gc);
@@ -46,24 +46,25 @@
#define COMMAND_EXIT 11
/* Response codes for background -> foreground communication */
-#define RESPONSE_INIT_SUCCEEDED 20
-#define RESPONSE_INIT_FAILED 21
+#define RESPONSE_INIT_SUCCEEDED 20
+#define RESPONSE_INIT_FAILED 21
/*
* Return values for proxy_connection_io functions
*/
-#define IOSTAT_EAGAIN_ON_READ 0 /* recv returned EAGAIN */
-#define IOSTAT_EAGAIN_ON_WRITE 1 /* send returned EAGAIN */
-#define IOSTAT_READ_ERROR 2 /* the other end of our read socket (pc) was closed */
-#define IOSTAT_WRITE_ERROR 3 /* the other end of our write socket (pc->counterpart) was closed */
-#define IOSTAT_GOOD 4 /* nothing to report */
+#define IOSTAT_EAGAIN_ON_READ 0 /* recv returned EAGAIN */
+#define IOSTAT_EAGAIN_ON_WRITE 1 /* send returned EAGAIN */
+#define IOSTAT_READ_ERROR 2 /* the other end of our read socket (pc) was closed */
+#define IOSTAT_WRITE_ERROR 3 /* the other end of our write socket (pc->counterpart) was closed */
+#define IOSTAT_GOOD 4 /* nothing to report */
/*
* A foreign (non-OpenVPN) connection we are proxying,
* usually HTTPS
*/
-struct proxy_connection {
+struct proxy_connection
+{
bool defined;
struct proxy_connection *next;
struct proxy_connection *counterpart;
@@ -156,11 +157,11 @@
static int
send_control(const socket_descriptor_t fd, int code)
{
- unsigned char c = (unsigned char) code;
+ unsigned char c = (unsigned char)code;
const ssize_t size = write(fd, &c, sizeof(c));
if (size == sizeof(c))
{
- return (int) size;
+ return (int)size;
}
else
{
@@ -182,9 +183,7 @@
* send commands, data, and file descriptors to the background process.
*/
static void
-port_share_sendmsg(const socket_descriptor_t sd,
- const char command,
- const struct buffer *head,
+port_share_sendmsg(const socket_descriptor_t sd, const char command, const struct buffer *head,
const socket_descriptor_t sd_send)
{
if (socket_defined(sd))
@@ -196,8 +195,7 @@
char cmd;
ssize_t status;
- dmsg(D_PS_PROXY_DEBUG, "PORT SHARE: sendmsg sd=%d len=%d",
- (int)sd_send,
+ dmsg(D_PS_PROXY_DEBUG, "PORT SHARE: sendmsg sd=%d len=%d", (int)sd_send,
head ? BLEN(head) : -1);
CLEAR(mesg);
@@ -218,7 +216,7 @@
mesg.msg_iov = iov;
mesg.msg_controllen = cmsg_size();
- mesg.msg_control = (char *) malloc(mesg.msg_controllen);
+ mesg.msg_control = (char *)malloc(mesg.msg_controllen);
check_malloc_return(mesg.msg_control);
mesg.msg_flags = 0;
@@ -240,9 +238,9 @@
status = sendmsg(sd, &mesg, MSG_NOSIGNAL);
if (status == -1)
{
- msg(M_WARN|M_ERRNO, "PORT SHARE: sendmsg failed -- unable to communicate with background process (%d,%d,%d,%d)",
- sd, sd_send, sd_null[0], sd_null[1]
- );
+ msg(M_WARN | M_ERRNO,
+ "PORT SHARE: sendmsg failed -- unable to communicate with background process (%d,%d,%d,%d)",
+ sd, sd_send, sd_null[0], sd_null[1]);
}
close_socket_if_defined(sd_null[0]);
@@ -345,13 +343,13 @@
slen = sizeof(from.addr);
dlen = sizeof(to.addr);
- if (!getpeername(pc->sd, (struct sockaddr *) &from.addr.sa, &slen)
- && !getsockname(cp->sd, (struct sockaddr *) &to.addr.sa, &dlen))
+ if (!getpeername(pc->sd, (struct sockaddr *)&from.addr.sa, &slen)
+ && !getsockname(cp->sd, (struct sockaddr *)&to.addr.sa, &dlen))
{
const char *f = print_openvpn_sockaddr(&from, &gc);
const char *t = print_openvpn_sockaddr(&to, &gc);
- fnlen = strlen(journal_dir) + strlen(t) + 2;
- jfn = (char *) malloc(fnlen);
+ fnlen = strlen(journal_dir) + strlen(t) + 2;
+ jfn = (char *)malloc(fnlen);
check_malloc_return(jfn);
snprintf(jfn, fnlen, "%s/%s", journal_dir, t);
dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: client origin %s -> %s", jfn, f);
@@ -367,7 +365,7 @@
}
else
{
- msg(M_WARN|M_ERRNO, "PORT SHARE: unable to write journal file in %s", jfn);
+ msg(M_WARN | M_ERRNO, "PORT SHARE: unable to write journal file in %s", jfn);
free(jfn);
}
}
@@ -393,11 +391,13 @@
}
static inline void
-proxy_connection_io_requeue(struct proxy_connection *pc, const int rwflags_new, struct event_set *es)
+proxy_connection_io_requeue(struct proxy_connection *pc, const int rwflags_new,
+ struct event_set *es)
{
if (socket_defined(pc->sd) && pc->rwflags != rwflags_new)
{
- /*dmsg (D_PS_PROXY_DEBUG, "PORT SHARE PROXY: requeue[%d] rwflags=%d", (int)pc->sd, rwflags_new);*/
+ /*dmsg (D_PS_PROXY_DEBUG, "PORT SHARE PROXY: requeue[%d] rwflags=%d", (int)pc->sd,
+ * rwflags_new);*/
event_ctl(es, pc->sd, rwflags_new, (void *)pc);
pc->rwflags = rwflags_new;
}
@@ -411,12 +411,9 @@
* on success and false on failure to connect to server.
*/
static bool
-proxy_entry_new(struct proxy_connection **list,
- struct event_set *es,
- const struct openvpn_sockaddr server_addr,
- const socket_descriptor_t sd_client,
- struct buffer *initial_data,
- const char *journal_dir)
+proxy_entry_new(struct proxy_connection **list, struct event_set *es,
+ const struct openvpn_sockaddr server_addr, const socket_descriptor_t sd_client,
+ struct buffer *initial_data, const char *journal_dir)
{
socket_descriptor_t sd_server;
int status;
@@ -426,7 +423,7 @@
/* connect to port share server */
if ((sd_server = socket(server_addr.addr.sa.sa_family, SOCK_STREAM, IPPROTO_TCP)) < 0)
{
- msg(M_WARN|M_ERRNO, "PORT SHARE PROXY: cannot create socket");
+ msg(M_WARN | M_ERRNO, "PORT SHARE PROXY: cannot create socket");
return false;
}
status = openvpn_connect(sd_server, &server_addr.addr.sa, 5, NULL);
@@ -472,11 +469,12 @@
journal_add(journal_dir, pc, cp);
}
- dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: NEW CONNECTION [c=%d s=%d]", (int)sd_client, (int)sd_server);
+ dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: NEW CONNECTION [c=%d s=%d]", (int)sd_client,
+ (int)sd_server);
/* set initial i/o states */
proxy_connection_io_requeue(pc, EVENT_READ, es);
- proxy_connection_io_requeue(cp, EVENT_READ|EVENT_WRITE, es);
+ proxy_connection_io_requeue(cp, EVENT_READ | EVENT_WRITE, es);
return true;
}
@@ -488,12 +486,9 @@
* exit, true otherwise.
*/
static bool
-control_message_from_parent(const socket_descriptor_t sd_control,
- struct proxy_connection **list,
- struct event_set *es,
- const struct openvpn_sockaddr server_addr,
- const int max_initial_buf,
- const char *journal_dir)
+control_message_from_parent(const socket_descriptor_t sd_control, struct proxy_connection **list,
+ struct event_set *es, const struct openvpn_sockaddr server_addr,
+ const int max_initial_buf, const char *journal_dir)
{
/* this buffer needs to be large enough to handle the largest buffer
* that might be returned by the link_socket_read call in read_incoming_link. */
@@ -516,7 +511,7 @@
mesg.msg_iovlen = 2;
mesg.msg_controllen = cmsg_size();
- mesg.msg_control = (char *) malloc(mesg.msg_controllen);
+ mesg.msg_control = (char *)malloc(mesg.msg_controllen);
check_malloc_return(mesg.msg_control);
mesg.msg_flags = 0;
@@ -530,10 +525,8 @@
status = recvmsg(sd_control, &mesg, MSG_NOSIGNAL);
if (status != -1)
{
- if (h == NULL
- || h->cmsg_len != CMSG_LEN(sizeof(socket_descriptor_t))
- || h->cmsg_level != SOL_SOCKET
- || h->cmsg_type != SCM_RIGHTS)
+ if (h == NULL || h->cmsg_len != CMSG_LEN(sizeof(socket_descriptor_t))
+ || h->cmsg_level != SOL_SOCKET || h->cmsg_type != SCM_RIGHTS)
{
msg(M_WARN, "PORT SHARE PROXY: received unknown message");
}
@@ -546,12 +539,7 @@
if (status >= 2 && command == COMMAND_REDIRECT)
{
buf.len = status - 1;
- if (proxy_entry_new(list,
- es,
- server_addr,
- received_fd,
- &buf,
- journal_dir))
+ if (proxy_entry_new(list, es, server_addr, received_fd, &buf, journal_dir))
{
CLEAR(buf); /* we gave the buffer to proxy_entry_new */
}
@@ -610,7 +598,8 @@
*bytes_sent += status;
if (status != pc->buf.len)
{
- dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: partial write[%d], tried=%d got=%d", (int)sd, pc->buf.len, status);
+ dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: partial write[%d], tried=%d got=%d", (int)sd,
+ pc->buf.len, status);
buf_advance(&pc->buf, status);
return IOSTAT_EAGAIN_ON_WRITE;
}
@@ -698,9 +687,7 @@
* in the proxied connection.
*/
static int
-proxy_connection_io_dispatch(struct proxy_connection *pc,
- const int rwflags,
- struct event_set *es)
+proxy_connection_io_dispatch(struct proxy_connection *pc, const int rwflags, struct event_set *es)
{
const int max_transfer_per_iteration = 10000;
struct proxy_connection *cp = pc->counterpart;
@@ -739,10 +726,8 @@
* This is the main function for the port share proxy background process.
*/
static void
-port_share_proxy(const struct openvpn_sockaddr hostaddr,
- const socket_descriptor_t sd_control,
- const int max_initial_buf,
- const char *journal_dir)
+port_share_proxy(const struct openvpn_sockaddr hostaddr, const socket_descriptor_t sd_control,
+ const int max_initial_buf, const char *journal_dir)
{
if (send_control(sd_control, RESPONSE_INIT_SUCCEEDED) >= 0)
{
@@ -776,7 +761,8 @@
const struct event_set_return *e = &esr[i];
if (e->arg == sd_control_marker)
{
- if (!control_message_from_parent(sd_control, &list, es, hostaddr, max_initial_buf, journal_dir))
+ if (!control_message_from_parent(sd_control, &list, es, hostaddr,
+ max_initial_buf, journal_dir))
{
goto done;
}
@@ -814,9 +800,7 @@
* share proxy.
*/
struct port_share *
-port_share_open(const char *host,
- const char *port,
- const int max_initial_buf,
+port_share_open(const char *host, const char *port, const int max_initial_buf,
const char *journal_dir)
{
pid_t pid;
@@ -834,9 +818,9 @@
* Get host's IP address
*/
- status = openvpn_getaddrinfo(GETADDR_RESOLVE|GETADDR_FATAL,
- host, port, 0, NULL, AF_UNSPEC, &ai);
- ASSERT(status==0);
+ status =
+ openvpn_getaddrinfo(GETADDR_RESOLVE | GETADDR_FATAL, host, port, 0, NULL, AF_UNSPEC, &ai);
+ ASSERT(status == 0);
ASSERT(sizeof(hostaddr.addr) >= ai->ai_addrlen);
memcpy(&hostaddr.addr.sa, ai->ai_addr, ai->ai_addrlen);
freeaddrinfo(ai);
@@ -982,7 +966,7 @@
bool
is_openvpn_protocol(const struct buffer *buf)
{
- const unsigned char *p = (const unsigned char *) BSTR(buf);
+ const unsigned char *p = (const unsigned char *)BSTR(buf);
const int len = BLEN(buf);
if (len >= 3)
{
@@ -1004,7 +988,7 @@
* We don't do the 2 byte check for tls-crypt-v2 because it is very
* unrealistic to have only 2 bytes available.
*/
- return (plen >= 336 && plen < (1024 + 255));
+ return (plen >= 336 && plen < (1024 + 255));
}
else
{
@@ -29,7 +29,8 @@
#include "buffer.h"
#include "ssl.h"
-struct port_share {
+struct port_share
+{
/* Foreground's socket to background process */
socket_descriptor_t foreground_fd;
@@ -39,9 +40,7 @@
extern struct port_share *port_share;
-struct port_share *port_share_open(const char *host,
- const char *port,
- const int max_initial_buf,
+struct port_share *port_share_open(const char *host, const char *port, const int max_initial_buf,
const char *journal_dir);
void port_share_close(struct port_share *ps);
@@ -95,7 +95,7 @@
case AR_INTERACT:
ssl_purge_auth(false);
- /* Intentional [[fallthrough]]; */
+ /* Intentional [[fallthrough]]; */
case AR_NOINTERACT:
/* SOFT-SIGTUSR1 -- Auth failure error */
@@ -114,20 +114,19 @@
/*
* Save the dynamic-challenge text even when management is defined
*/
- if (authfail_extended
- && buf_string_match_head_str(&buf, "CRV1:") && BLEN(&buf))
+ if (authfail_extended && buf_string_match_head_str(&buf, "CRV1:") && BLEN(&buf))
{
ssl_put_auth_challenge(BSTR(&buf));
}
#endif /* ifdef ENABLE_MANAGEMENT */
-
}
/*
* Act on received restart message from server
*/
void
-server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
+server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart,
+ const int adv)
{
if (c->options.pull)
{
@@ -250,7 +249,8 @@
}
else
{
- msg(D_PUSH_ERRORS, "WARNING: Received INFO command is too long, won't notify management client.");
+ msg(D_PUSH_ERRORS,
+ "WARNING: Received INFO command is too long, won't notify management client.");
}
gc_free(&gc);
@@ -292,20 +292,18 @@
* if the server does not push a timeout
*/
static void
-parse_auth_pending_keywords(const struct buffer *buffer,
- unsigned int *server_timeout)
+parse_auth_pending_keywords(const struct buffer *buffer, unsigned int *server_timeout)
{
struct buffer buf = *buffer;
/* does the buffer start with "AUTH_PENDING," ? */
- if (!buf_advance(&buf, strlen("AUTH_PENDING"))
- || !(buf_read_u8(&buf) == ',') || !BLEN(&buf))
+ if (!buf_advance(&buf, strlen("AUTH_PENDING")) || !(buf_read_u8(&buf) == ',') || !BLEN(&buf))
{
#ifdef ENABLE_MANAGEMENT
if (management)
{
- management_set_state(management, OPENVPN_STATE_AUTH_PENDING,
- "", NULL, NULL, NULL, NULL);
+ management_set_state(management, OPENVPN_STATE_AUTH_PENDING, "", NULL, NULL, NULL,
+ NULL);
}
#endif
@@ -320,8 +318,8 @@
* buf_parse is called, as it will insert \0 bytes into the buffer */
if (management)
{
- management_set_state(management, OPENVPN_STATE_AUTH_PENDING,
- BSTR(&buf), NULL, NULL, NULL, NULL);
+ management_set_state(management, OPENVPN_STATE_AUTH_PENDING, BSTR(&buf), NULL, NULL, NULL,
+ NULL);
}
#endif
@@ -344,17 +342,18 @@
/* Cap the increase at the maximum time we are willing stay in the
* pending authentication state */
- unsigned int max_timeout = max_uint(c->options.renegotiate_seconds/2,
- c->options.handshake_window);
+ unsigned int max_timeout =
+ max_uint(c->options.renegotiate_seconds / 2, c->options.handshake_window);
/* try to parse parameter keywords, default to hand-winow timeout if the
* server does not supply a timeout */
unsigned int server_timeout = c->options.handshake_window;
parse_auth_pending_keywords(buffer, &server_timeout);
- msg(D_PUSH, "AUTH_PENDING received, extending handshake timeout from %us "
- "to %us", c->options.handshake_window,
- min_uint(max_timeout, server_timeout));
+ msg(D_PUSH,
+ "AUTH_PENDING received, extending handshake timeout from %us "
+ "to %us",
+ c->options.handshake_window, min_uint(max_timeout, server_timeout));
const struct key_state *ks = get_primary_key(c->c2.tls_multi);
c->c2.push_request_timeout = ks->established + min_uint(max_timeout, server_timeout);
@@ -374,16 +373,16 @@
*
* @return true on success, false on failure.
*/
-static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list,
- int msglevel, const char *fmt, ...)
+static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list, int msglevel,
+ const char *fmt, ...)
#ifdef __GNUC__
#if __USE_MINGW_ANSI_STDIO
-__attribute__ ((format(gnu_printf, 4, 5)))
+ __attribute__((format(gnu_printf, 4, 5)))
#else
-__attribute__ ((format(__printf__, 4, 5)))
+ __attribute__((format(__printf__, 4, 5)))
#endif
#endif
-;
+ ;
/*
* Send auth failed message from server to client.
@@ -403,7 +402,7 @@
static const char auth_failed[] = "AUTH_FAILED";
size_t len;
- len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
+ len = (client_reason ? strlen(client_reason) + 1 : 0) + sizeof(auth_failed);
if (len > PUSH_BUNDLE_SIZE)
{
len = PUSH_BUNDLE_SIZE;
@@ -419,13 +418,12 @@
/* We kill the whole session, send the AUTH_FAILED to any TLS session
* that might be active */
- send_control_channel_string_dowork(&c->c2.tls_multi->session[TM_INITIAL],
- BSTR(&buf), D_PUSH);
- send_control_channel_string_dowork(&c->c2.tls_multi->session[TM_ACTIVE],
- BSTR(&buf), D_PUSH);
+ send_control_channel_string_dowork(&c->c2.tls_multi->session[TM_INITIAL], BSTR(&buf),
+ D_PUSH);
+ send_control_channel_string_dowork(&c->c2.tls_multi->session[TM_ACTIVE], BSTR(&buf),
+ D_PUSH);
reschedule_multi_process(c);
-
}
gc_free(&gc);
@@ -433,8 +431,7 @@
bool
-send_auth_pending_messages(struct tls_multi *tls_multi,
- struct tls_session *session,
+send_auth_pending_messages(struct tls_multi *tls_multi, struct tls_session *session,
const char *extra, unsigned int timeout)
{
struct key_state *ks = &session->key[KS_PRIMARY];
@@ -446,8 +443,8 @@
/* Calculate the maximum timeout and subtract the time we already waited */
- unsigned int max_timeout = max_uint(tls_multi->opt.renegotiate_seconds/2,
- tls_multi->opt.handshake_window);
+ unsigned int max_timeout =
+ max_uint(tls_multi->opt.renegotiate_seconds / 2, tls_multi->opt.handshake_window);
max_timeout = max_timeout - (now - ks->initial);
timeout = min_uint(max_timeout, timeout);
@@ -506,17 +503,19 @@
struct gc_arena gc = gc_new();
unsigned int option_types_found = 0;
- msg(D_PUSH, "PUSH: Received control message: '%s'", sanitize_control_message(BSTR(buffer), &gc));
+ msg(D_PUSH, "PUSH: Received control message: '%s'",
+ sanitize_control_message(BSTR(buffer), &gc));
- int status = process_incoming_push_msg(c, buffer, c->options.pull,
- pull_permission_mask(c),
+ int status = process_incoming_push_msg(c, buffer, c->options.pull, pull_permission_mask(c),
&option_types_found);
if (status == PUSH_MSG_ERROR)
{
- msg(D_PUSH_ERRORS, "WARNING: Received bad push/pull message: %s", sanitize_control_message(BSTR(buffer), &gc));
+ msg(D_PUSH_ERRORS, "WARNING: Received bad push/pull message: %s",
+ sanitize_control_message(BSTR(buffer), &gc));
}
- else if (status == PUSH_MSG_REPLY || status == PUSH_MSG_UPDATE || status == PUSH_MSG_CONTINUATION)
+ else if (status == PUSH_MSG_REPLY || status == PUSH_MSG_UPDATE
+ || status == PUSH_MSG_CONTINUATION)
{
c->options.push_option_types_found |= option_types_found;
@@ -605,17 +604,14 @@
*/
if (tls_multi->auth_token)
{
- push_option_fmt(gc, push_list, M_USAGE, "auth-token %s",
- tls_multi->auth_token);
+ push_option_fmt(gc, push_list, M_USAGE, "auth-token %s", tls_multi->auth_token);
char *base64user = NULL;
int ret = openvpn_base64_encode(tls_multi->locked_username,
- (int)strlen(tls_multi->locked_username),
- &base64user);
+ (int)strlen(tls_multi->locked_username), &base64user);
if (ret < USER_PASS_LEN && ret > 0)
{
- push_option_fmt(gc, push_list, M_USAGE, "auth-token-user %s",
- base64user);
+ push_option_fmt(gc, push_list, M_USAGE, "auth-token-user %s", base64user);
}
free(base64user);
}
@@ -631,8 +627,7 @@
* @return true on success, false on failure.
*/
bool
-prepare_push_reply(struct context *c, struct gc_arena *gc,
- struct push_list *push_list)
+prepare_push_reply(struct context *c, struct gc_arena *gc, struct push_list *push_list)
{
struct tls_multi *tls_multi = c->c2.tls_multi;
struct options *o = &c->options;
@@ -643,14 +638,12 @@
push_option_fmt(gc, push_list, M_USAGE, "ifconfig-ipv6 %s/%d %s",
print_in6_addr(c->c2.push_ifconfig_ipv6_local, 0, gc),
c->c2.push_ifconfig_ipv6_netbits,
- print_in6_addr(c->c2.push_ifconfig_ipv6_remote,
- 0, gc));
+ print_in6_addr(c->c2.push_ifconfig_ipv6_remote, 0, gc));
}
/* ipv4 */
if (c->c2.push_ifconfig_defined && c->c2.push_ifconfig_local
- && c->c2.push_ifconfig_remote_netmask
- && !o->push_ifconfig_ipv4_blocked)
+ && c->c2.push_ifconfig_remote_netmask && !o->push_ifconfig_ipv4_blocked)
{
in_addr_t ifconfig_local = c->c2.push_ifconfig_local;
if (c->c2.push_ifconfig_local_alias)
@@ -659,14 +652,12 @@
}
push_option_fmt(gc, push_list, M_USAGE, "ifconfig %s %s",
print_in_addr_t(ifconfig_local, 0, gc),
- print_in_addr_t(c->c2.push_ifconfig_remote_netmask,
- 0, gc));
+ print_in_addr_t(c->c2.push_ifconfig_remote_netmask, 0, gc));
}
if (tls_multi->use_peer_id)
{
- push_option_fmt(gc, push_list, M_USAGE, "peer-id %d",
- tls_multi->peer_id);
+ push_option_fmt(gc, push_list, M_USAGE, "peer-id %d", tls_multi->peer_id);
}
/*
* If server uses --auth-gen-token and we have an auth token
@@ -728,10 +719,11 @@
push_option_fmt(gc, push_list, M_USAGE, "tun-mtu %d", o->ce.tun_mtu);
if (client_max_mtu < o->ce.tun_mtu)
{
- msg(M_WARN, "Warning: reported maximum MTU from client (%d) is lower "
+ msg(M_WARN,
+ "Warning: reported maximum MTU from client (%d) is lower "
"than MTU used on the server (%d). Add tun-max-mtu %d "
- "to client configuration.", client_max_mtu,
- o->ce.tun_mtu, o->ce.tun_mtu);
+ "to client configuration.",
+ client_max_mtu, o->ce.tun_mtu, o->ce.tun_mtu);
}
}
@@ -739,8 +731,7 @@
}
static bool
-send_push_options(struct context *c, struct buffer *buf,
- struct push_list *push_list, int safe_cap,
+send_push_options(struct context *c, struct buffer *buf, struct push_list *push_list, int safe_cap,
bool *push_sent, bool *multi_push)
{
struct push_entry *e = push_list->head;
@@ -810,15 +801,13 @@
buf_printf(&buf, "%s", push_reply_cmd);
/* send options which are common to all clients */
- if (!send_push_options(c, &buf, &c->options.push_list, safe_cap,
- &push_sent, &multi_push))
+ if (!send_push_options(c, &buf, &c->options.push_list, safe_cap, &push_sent, &multi_push))
{
goto fail;
}
/* send client-specific options */
- if (!send_push_options(c, &buf, per_client_push_list, safe_cap,
- &push_sent, &multi_push))
+ if (!send_push_options(c, &buf, per_client_push_list, safe_cap, &push_sent, &multi_push))
{
goto fail;
}
@@ -828,7 +817,7 @@
buf_printf(&buf, ",push-continuation 1");
}
- if (BLEN(&buf) > sizeof(push_reply_cmd)-1)
+ if (BLEN(&buf) > sizeof(push_reply_cmd) - 1)
{
const bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
if (!status)
@@ -863,8 +852,8 @@
}
static void
-push_option_ex(struct gc_arena *gc, struct push_list *push_list,
- const char *opt, bool enable, int msglevel)
+push_option_ex(struct gc_arena *gc, struct push_list *push_list, const char *opt, bool enable,
+ int msglevel)
{
if (!string_class(opt, CC_ANY, CC_COMMA))
{
@@ -906,8 +895,7 @@
push_reset(o);
while (e)
{
- push_option_ex(&o->gc, &o->push_list,
- string_alloc(e->option, &o->gc), true, M_FATAL);
+ push_option_ex(&o->gc, &o->push_list, string_alloc(e->option, &o->gc), true, M_FATAL);
e = e->next;
}
}
@@ -922,16 +910,16 @@
}
static bool
-push_option_fmt(struct gc_arena *gc, struct push_list *push_list,
- int msglevel, const char *format, ...)
+push_option_fmt(struct gc_arena *gc, struct push_list *push_list, int msglevel, const char *format,
+ ...)
{
va_list arglist;
- char tmp[256] = {0};
+ char tmp[256] = { 0 };
int len;
va_start(arglist, format);
len = vsnprintf(tmp, sizeof(tmp), format, arglist);
va_end(arglist);
- if (len > sizeof(tmp)-1)
+ if (len > sizeof(tmp) - 1)
{
return false;
}
@@ -958,7 +946,7 @@
}
/* ifconfig-ipv6 is special, as not part of the push list */
- if (streq( p, "ifconfig-ipv6" ))
+ if (streq(p, "ifconfig-ipv6"))
{
o->push_ifconfig_ipv6_blocked = true;
return;
@@ -971,8 +959,7 @@
/* cycle through the push list */
while (e)
{
- if (e->enable
- && strncmp( e->option, p, strlen(p) ) == 0)
+ if (e->enable && strncmp(e->option, p, strlen(p)) == 0)
{
msg(D_PUSH_DEBUG, "PUSH_REMOVE removing: '%s'", e->option);
e->enable = false;
@@ -1012,8 +999,7 @@
struct push_list push_list = { 0 };
struct gc_arena gc = gc_new();
- if (prepare_push_reply(c, &gc, &push_list)
- && send_push_reply(c, &push_list))
+ if (prepare_push_reply(c, &gc, &push_list) && send_push_reply(c, &push_list))
{
ret = PUSH_MSG_REQUEST;
c->c2.sent_push_reply_expiry = now + 30;
@@ -1035,9 +1021,9 @@
char line[OPTION_PARM_SIZE];
while (buf_parse(buf, ',', line, sizeof(line)))
{
- /* peer-id and auth-token might change on restart and this should not trigger reopening tun */
- if (strprefix(line, "peer-id ")
- || strprefix(line, "auth-token ")
+ /* peer-id and auth-token might change on restart and this should not trigger reopening tun
+ */
+ if (strprefix(line, "peer-id ") || strprefix(line, "auth-token ")
|| strprefix(line, "auth-token-user "))
{
continue;
@@ -1047,15 +1033,13 @@
{
continue;
}
- md_ctx_update(ctx, (const uint8_t *) line, strlen(line)+1);
+ md_ctx_update(ctx, (const uint8_t *)line, strlen(line) + 1);
}
}
static int
-process_incoming_push_reply(struct context *c,
- unsigned int permission_mask,
- unsigned int *option_types_found,
- struct buffer *buf)
+process_incoming_push_reply(struct context *c, unsigned int permission_mask,
+ unsigned int *option_types_found, struct buffer *buf)
{
int ret = PUSH_MSG_ERROR;
const uint8_t ch = buf_read_u8(buf);
@@ -1068,22 +1052,15 @@
md_ctx_init(c->c2.pulled_options_state, "SHA256");
c->c2.pulled_options_digest_init_done = true;
}
- if (apply_push_options(c,
- &c->options,
- buf,
- permission_mask,
- option_types_found,
- c->c2.es,
+ if (apply_push_options(c, &c->options, buf, permission_mask, option_types_found, c->c2.es,
false))
{
- push_update_digest(c->c2.pulled_options_state, &buf_orig,
- &c->options);
+ push_update_digest(c->c2.pulled_options_state, &buf_orig, &c->options);
switch (c->options.push_continuation)
{
case 0:
case 1:
- md_ctx_final(c->c2.pulled_options_state,
- c->c2.pulled_options_digest.digest);
+ md_ctx_final(c->c2.pulled_options_state, c->c2.pulled_options_digest.digest);
md_ctx_cleanup(c->c2.pulled_options_state);
md_ctx_free(c->c2.pulled_options_state);
c->c2.pulled_options_state = NULL;
@@ -1106,10 +1083,8 @@
}
int
-process_incoming_push_msg(struct context *c,
- const struct buffer *buffer,
- bool honor_received_options,
- unsigned int permission_mask,
+process_incoming_push_msg(struct context *c, const struct buffer *buffer,
+ bool honor_received_options, unsigned int permission_mask,
unsigned int *option_types_found)
{
struct buffer buf = *buffer;
@@ -1119,17 +1094,13 @@
c->c2.push_request_received = true;
return process_incoming_push_request(c);
}
- else if (honor_received_options
- && buf_string_compare_advance(&buf, push_reply_cmd))
+ else if (honor_received_options && buf_string_compare_advance(&buf, push_reply_cmd))
{
- return process_incoming_push_reply(c, permission_mask,
- option_types_found, &buf);
+ return process_incoming_push_reply(c, permission_mask, option_types_found, &buf);
}
- else if (honor_received_options
- && buf_string_compare_advance(&buf, push_update_cmd))
+ else if (honor_received_options && buf_string_compare_advance(&buf, push_update_cmd))
{
- return process_incoming_push_update(c, permission_mask,
- option_types_found, &buf);
+ return process_incoming_push_update(c, permission_mask, option_types_found, &buf);
}
else
{
@@ -1152,13 +1123,14 @@
/* cycle through the push list */
while (e)
{
- char *p[MAX_PARMS+1];
+ char *p[MAX_PARMS + 1];
bool enable = true;
/* parse the push item */
CLEAR(p);
if (e->enable
- && parse_line(e->option, p, SIZE(p)-1, "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc))
+ && parse_line(e->option, p, SIZE(p) - 1, "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG,
+ &gc))
{
/* is the push item a route directive? */
if (p[0] && !strcmp(p[0], "route") && !p[3] && o->iroutes)
@@ -1166,7 +1138,8 @@
/* get route parameters */
bool status1, status2;
const in_addr_t network = getaddr(GETADDR_HOST_ORDER, p[1], 0, &status1, NULL);
- const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, p[2] ? p[2] : "255.255.255.255", 0, &status2, NULL);
+ const in_addr_t netmask = getaddr(
+ GETADDR_HOST_ORDER, p[2] ? p[2] : "255.255.255.255", 0, &status2, NULL);
/* did route parameters parse correctly? */
if (status1 && status2)
@@ -1176,7 +1149,9 @@
/* does route match an iroute? */
for (ir = o->iroutes; ir != NULL; ir = ir->next)
{
- if (network == ir->network && netmask == netbits_to_netmask(ir->netbits >= 0 ? ir->netbits : 32))
+ if (network == ir->network
+ && netmask
+ == netbits_to_netmask(ir->netbits >= 0 ? ir->netbits : 32))
{
enable = false;
break;
@@ -1184,8 +1159,7 @@
}
}
}
- else if (p[0] && !strcmp(p[0], "route-ipv6") && !p[2]
- && o->iroutes_ipv6)
+ else if (p[0] && !strcmp(p[0], "route-ipv6") && !p[2] && o->iroutes_ipv6)
{
/* get route parameters */
struct in6_addr network;
@@ -34,17 +34,18 @@
#define PUSH_MSG_ALREADY_REPLIED 6
#define PUSH_MSG_UPDATE 7
-#define push_reply_cmd "PUSH_REPLY"
+#define push_reply_cmd "PUSH_REPLY"
#define push_update_cmd "PUSH_UPDATE"
/* Push-update options flags */
-#define PUSH_OPT_TO_REMOVE (1<<0)
-#define PUSH_OPT_OPTIONAL (1<<1)
+#define PUSH_OPT_TO_REMOVE (1 << 0)
+#define PUSH_OPT_OPTIONAL (1 << 1)
int process_incoming_push_request(struct context *c);
/**
- * @brief Handles the receiving of a push-update message and applies updates to the specified options.
+ * @brief Handles the receiving of a push-update message and applies updates to the specified
+ * options.
*
* This function processes a push-update message, validating its content and applying updates
* to the options specified in the message. It also handles split messages if the complete
@@ -63,22 +64,19 @@
* - `PUSH_MSG_ERROR`: An error occurred during message processing, or the message is invalid.
*/
-int process_incoming_push_update(struct context *c,
- unsigned int permission_mask,
- unsigned int *option_types_found,
- struct buffer *buf);
+int process_incoming_push_update(struct context *c, unsigned int permission_mask,
+ unsigned int *option_types_found, struct buffer *buf);
-int process_incoming_push_msg(struct context *c,
- const struct buffer *buffer,
- bool honor_received_options,
- unsigned int permission_mask,
+int process_incoming_push_msg(struct context *c, const struct buffer *buffer,
+ bool honor_received_options, unsigned int permission_mask,
unsigned int *option_types_found);
bool send_push_request(struct context *c);
void receive_auth_failed(struct context *c, const struct buffer *buffer);
-void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv);
+void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart,
+ const int adv);
void receive_exit_message(struct context *c);
@@ -92,8 +90,7 @@
void push_option(struct options *o, const char *opt, int msglevel);
-void push_options(struct options *o, char **p, int msglevel,
- struct gc_arena *gc);
+void push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc);
void push_reset(struct options *o);
@@ -108,10 +105,8 @@
* doc/management-notes.txt under client-pending-auth for
* more details on message format
*/
-bool
-send_auth_pending_messages(struct tls_multi *tls_multi,
- struct tls_session *session, const char *extra,
- unsigned int timeout);
+bool send_auth_pending_messages(struct tls_multi *tls_multi, struct tls_session *session,
+ const char *extra, unsigned int timeout);
void send_restart(struct context *c, const char *kill_msg);
@@ -130,7 +125,6 @@
* @param c The context struct
* @param buffer Buffer containing the control message with AUTH_PENDING
*/
-void
-receive_auth_pending(struct context *c, const struct buffer *buffer);
+void receive_auth_pending(struct context *c, const struct buffer *buffer);
#endif /* ifndef PUSH_H */
@@ -5,21 +5,14 @@
#include "push.h"
int
-process_incoming_push_update(struct context *c,
- unsigned int permission_mask,
- unsigned int *option_types_found,
- struct buffer *buf)
+process_incoming_push_update(struct context *c, unsigned int permission_mask,
+ unsigned int *option_types_found, struct buffer *buf)
{
int ret = PUSH_MSG_ERROR;
const uint8_t ch = buf_read_u8(buf);
if (ch == ',')
{
- if (apply_push_options(c,
- &c->options,
- buf,
- permission_mask,
- option_types_found,
- c->c2.es,
+ if (apply_push_options(c, &c->options, buf, permission_mask, option_types_found, c->c2.es,
true))
{
switch (c->options.push_continuation)
@@ -25,13 +25,15 @@
/* parameters to be pushed to peer */
-struct push_entry {
+struct push_entry
+{
struct push_entry *next;
bool enable;
const char *option;
};
-struct push_list {
+struct push_list
+{
struct push_entry *head;
struct push_entry *tail;
};
@@ -46,10 +46,10 @@
int64_t dropped = irl->curr_period_counter - irl->max_per_period;
if (dropped > 0)
{
- msg(D_TLS_DEBUG_LOW, "Dropped %" PRId64 " initial handshake packets"
- " due to --connect-freq-initial %" PRId64 " %d", dropped,
- irl->max_per_period, irl->period_length);
-
+ msg(D_TLS_DEBUG_LOW,
+ "Dropped %" PRId64 " initial handshake packets"
+ " due to --connect-freq-initial %" PRId64 " %d",
+ dropped, irl->max_per_period, irl->period_length);
}
irl->last_period_reset = now;
irl->curr_period_counter = 0;
@@ -62,9 +62,11 @@
if (over_limit && !irl->warning_displayed)
{
- msg(M_WARN, "Note: --connect-freq-initial %" PRId64 " %d rate limit "
+ msg(M_WARN,
+ "Note: --connect-freq-initial %" PRId64 " %d rate limit "
"exceeded, dropping initial handshake packets for the next %d "
- "seconds", irl->max_per_period, irl->period_length,
+ "seconds",
+ irl->max_per_period, irl->period_length,
(int)(irl->last_period_reset + irl->period_length - now));
irl->warning_displayed = true;
}
@@ -26,7 +26,8 @@
/** struct that handles all the rate limiting logic for initial
* responses */
-struct initial_packet_rate_limit {
+struct initial_packet_rate_limit
+{
/** This is a hard limit for packets per seconds. */
int64_t max_per_period;
@@ -50,22 +51,19 @@
* checks if the connection is still allowed to connect under the rate
* limit. This also increases the internal counter at the same time
*/
-bool
-reflect_filter_rate_limit_check(struct initial_packet_rate_limit *irl);
+bool reflect_filter_rate_limit_check(struct initial_packet_rate_limit *irl);
/**
* decreases the counter of initial packets seen, so connections that
* successfully completed the three-way handshake do not count against
* the counter of initial connection attempts
*/
-void
-reflect_filter_rate_limit_decrease(struct initial_packet_rate_limit *irl);
+void reflect_filter_rate_limit_decrease(struct initial_packet_rate_limit *irl);
/**
* allocate and initialize the initial-packet rate limiter structure
*/
-struct initial_packet_rate_limit *
-initial_rate_limit_init(int max_per_period, int period_length);
+struct initial_packet_rate_limit *initial_rate_limit_init(int max_per_period, int period_length);
/**
* free the initial-packet rate limiter structure
@@ -50,8 +50,7 @@
* verify that test - base < extent while allowing for base or test wraparound
*/
static inline bool
-reliable_pid_in_range1(const packet_id_type test,
- const packet_id_type base,
+reliable_pid_in_range1(const packet_id_type test, const packet_id_type base,
const unsigned int extent)
{
return subtract_pid(test, base) < extent;
@@ -61,8 +60,7 @@
* verify that test < base + extent while allowing for base or test wraparound
*/
static inline bool
-reliable_pid_in_range2(const packet_id_type test,
- const packet_id_type base,
+reliable_pid_in_range2(const packet_id_type test, const packet_id_type base,
const unsigned int extent)
{
if (base + extent >= base)
@@ -74,7 +72,7 @@
}
else
{
- if ((test+0x80000000u) < (base+0x80000000u) + extent)
+ if ((test + 0x80000000u) < (base + 0x80000000u) + extent)
{
return true;
}
@@ -87,8 +85,7 @@
* verify that p1 < p2 while allowing for p1 or p2 wraparound
*/
static inline bool
-reliable_pid_min(const packet_id_type p1,
- const packet_id_type p2)
+reliable_pid_min(const packet_id_type p1, const packet_id_type p2)
{
return !reliable_pid_in_range1(p1, p2, 0x80000000u);
}
@@ -144,8 +141,7 @@
bool
-reliable_ack_read(struct reliable_ack *ack,
- struct buffer *buf, const struct session_id *sid)
+reliable_ack_read(struct reliable_ack *ack, struct buffer *buf, const struct session_id *sid)
{
struct session_id session_id_remote;
@@ -154,12 +150,11 @@
return false;
}
- if (ack->len >= 1 && (!session_id_defined(&session_id_remote)
- || !session_id_equal(&session_id_remote, sid)))
+ if (ack->len >= 1
+ && (!session_id_defined(&session_id_remote) || !session_id_equal(&session_id_remote, sid)))
{
struct gc_arena gc = gc_new();
- dmsg(D_REL_LOW,
- "ACK read BAD SESSION-ID FROM REMOTE, local=%s, remote=%s",
+ dmsg(D_REL_LOW, "ACK read BAD SESSION-ID FROM REMOTE, local=%s, remote=%s",
session_id_print(sid, &gc), session_id_print(&session_id_remote, &gc));
gc_free(&gc);
return false;
@@ -210,7 +205,7 @@
{
ASSERT(ack->len >= n);
/* This loop is backward to ensure the same order as in ack */
- for (int i = n-1; i >= 0; i--)
+ for (int i = n - 1; i >= 0; i--)
{
packet_id_type id = ack->packet_id[i];
@@ -250,9 +245,7 @@
/* write a packet ID acknowledgement record to buf, */
/* removing all acknowledged entries from ack */
bool
-reliable_ack_write(struct reliable_ack *ack,
- struct reliable_ack *ack_mru,
- struct buffer *buf,
+reliable_ack_write(struct reliable_ack *ack, struct reliable_ack *ack_mru, struct buffer *buf,
const struct session_id *sid, int max, bool prepend)
{
int i, j, n;
@@ -284,7 +277,8 @@
packet_id_type pid = ack_mru->packet_id[i];
packet_id_type net_pid = htonpid(pid);
ASSERT(buf_write(&sub, &net_pid, sizeof(net_pid)));
- dmsg(D_REL_DEBUG, "ACK write ID " packet_id_format " (ack->len=%d, n=%d)", (packet_id_print_type)pid, ack->len, n);
+ dmsg(D_REL_DEBUG, "ACK write ID " packet_id_format " (ack->len=%d, n=%d)",
+ (packet_id_print_type)pid, ack->len, n);
}
if (total_acks)
{
@@ -293,7 +287,7 @@
}
if (n)
{
- for (i = 0, j = n; j < ack->len; )
+ for (i = 0, j = n; j < ack->len;)
{
ack->packet_id[i++] = ack->packet_id[j++];
}
@@ -494,7 +488,8 @@
return true;
bad:
- dmsg(D_REL_DEBUG, "ACK " packet_id_format " is a replay: %s", (packet_id_print_type)id, reliable_print_ids(rel, &gc));
+ dmsg(D_REL_DEBUG, "ACK " packet_id_format " is a replay: %s", (packet_id_print_type)id,
+ reliable_print_ids(rel, &gc));
gc_free(&gc);
return false;
}
@@ -513,7 +508,8 @@
gc_free(&gc);
}
- dmsg(D_REL_DEBUG, "ACK RWBS rel->size=%d rel->packet_id=%08x id=%08x ret=%d", rel->size, rel->packet_id, id, ret);
+ dmsg(D_REL_DEBUG, "ACK RWBS rel->size=%d rel->packet_id=%08x id=%08x ret=%d", rel->size,
+ rel->packet_id, id, ret);
return ret;
}
@@ -630,9 +626,7 @@
}
}
(void)n_active; /* dmsg might not generate code */
- dmsg(D_REL_DEBUG, "ACK reliable_can_send active=%d current=%d : %s",
- n_active,
- n_current,
+ dmsg(D_REL_DEBUG, "ACK reliable_can_send active=%d current=%d : %s", n_active, n_current,
reliable_print_ids(rel, &gc));
gc_free(&gc);
@@ -653,8 +647,7 @@
/* If N_ACK_RETRANSMIT later packets have received ACKs, we assume
* that the packet was lost and resend it even if the timeout has
* not expired yet. */
- if (e->active
- && (e->n_acks >= N_ACK_RETRANSMIT || local_now >= e->next_try))
+ if (e->active && (e->n_acks >= N_ACK_RETRANSMIT || local_now >= e->next_try))
{
if (!best || reliable_pid_min(e->packet_id, best->packet_id))
{
@@ -720,9 +713,7 @@
}
}
- dmsg(D_REL_DEBUG, "ACK reliable_send_timeout %d %s",
- (int) ret,
- reliable_print_ids(rel, &gc));
+ dmsg(D_REL_DEBUG, "ACK reliable_send_timeout %d %s", (int)ret, reliable_print_ids(rel, &gc));
gc_free(&gc);
return ret;
@@ -733,8 +724,8 @@
*/
void
-reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf,
- packet_id_type pid, int opcode)
+reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf, packet_id_type pid,
+ int opcode)
{
for (int i = 0; i < rel->size; ++i)
{
@@ -753,11 +744,12 @@
e->next_try = 0;
e->timeout = 0;
e->n_acks = 0;
- dmsg(D_REL_DEBUG, "ACK mark active incoming ID " packet_id_format, (packet_id_print_type)e->packet_id);
+ dmsg(D_REL_DEBUG, "ACK mark active incoming ID " packet_id_format,
+ (packet_id_print_type)e->packet_id);
return;
}
}
- ASSERT(0); /* buf not found in rel */
+ ASSERT(0); /* buf not found in rel */
}
/*
@@ -782,11 +774,12 @@
e->opcode = opcode;
e->next_try = 0;
e->timeout = rel->initial_timeout;
- dmsg(D_REL_DEBUG, "ACK mark active outgoing ID " packet_id_format, (packet_id_print_type)e->packet_id);
+ dmsg(D_REL_DEBUG, "ACK mark active outgoing ID " packet_id_format,
+ (packet_id_print_type)e->packet_id);
return;
}
}
- ASSERT(0); /* buf not found in rel */
+ ASSERT(0); /* buf not found in rel */
}
/* delete a buffer previously activated by reliable_mark_active() */
@@ -40,18 +40,21 @@
* @{ */
-#define RELIABLE_ACK_SIZE 8 /**< The maximum number of packet IDs
- * waiting to be acknowledged which can
- * be stored in one \c reliable_ack
- * structure. */
+#define RELIABLE_ACK_SIZE \
+ 8 /**< The maximum number of packet IDs \
+ * waiting to be acknowledged which can \
+ * be stored in one \c reliable_ack \
+ * structure. */
-#define RELIABLE_CAPACITY 12 /**< The maximum number of packets that
- * the reliability layer for one VPN
- * tunnel in one direction can store. */
+#define RELIABLE_CAPACITY \
+ 12 /**< The maximum number of packets that \
+ * the reliability layer for one VPN \
+ * tunnel in one direction can store. */
-#define N_ACK_RETRANSMIT 3 /**< We retry sending a packet early if
- * this many later packets have been
- * ACKed. */
+#define N_ACK_RETRANSMIT \
+ 3 /**< We retry sending a packet early if \
+ * this many later packets have been \
+ * ACKed. */
/**
* The acknowledgment structure in which packet IDs are stored for later
@@ -76,9 +79,9 @@
interval_t timeout;
time_t next_try;
packet_id_type packet_id;
- size_t n_acks; /* Number of acks received for packets with higher PID.
- * Used for fast retransmission when there were at least
- * N_ACK_RETRANSMIT. */
+ size_t n_acks; /* Number of acks received for packets with higher PID.
+ * Used for fast retransmission when there were at least
+ * N_ACK_RETRANSMIT. */
int opcode;
struct buffer buf;
};
@@ -93,7 +96,7 @@
interval_t initial_timeout;
packet_id_type packet_id;
int offset; /**< Offset of the bufs in the reliable_entry array */
- bool hold; /* don't xmit until reliable_schedule_now is called */
+ bool hold; /* don't xmit until reliable_schedule_now is called */
struct reliable_entry array[RELIABLE_CAPACITY];
};
@@ -120,8 +123,7 @@
* @li True, if processing was successful.
* @li False, if an error occurs during processing.
*/
-bool reliable_ack_read(struct reliable_ack *ack,
- struct buffer *buf, const struct session_id *sid);
+bool reliable_ack_read(struct reliable_ack *ack, struct buffer *buf, const struct session_id *sid);
/**
@@ -141,9 +143,8 @@
* @li True, if processing was successful.
* @li False, if an error occurs during processing.
*/
-bool
-reliable_ack_parse(struct buffer *buf, struct reliable_ack *ack,
- struct session_id *session_id_remote);
+bool reliable_ack_parse(struct buffer *buf, struct reliable_ack *ack,
+ struct session_id *session_id_remote);
/**
* Remove acknowledged packets from a reliable structure.
@@ -212,9 +213,7 @@
* @li True, if processing was successful.
* @li False, if an error occurs during processing.
*/
-bool reliable_ack_write(struct reliable_ack *ack,
- struct reliable_ack *ack_mru,
- struct buffer *buf,
+bool reliable_ack_write(struct reliable_ack *ack, struct reliable_ack *ack_mru, struct buffer *buf,
const struct session_id *sid, int max, bool prepend);
/** @} name Functions for processing outgoing acknowledgments */
@@ -337,8 +336,8 @@
* @param pid The packet's packet ID.
* @param opcode The packet's opcode.
*/
-void reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf,
- packet_id_type pid, int opcode);
+void reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf, packet_id_type pid,
+ int opcode);
/**
* Record a packet ID for later acknowledgment.
@@ -374,7 +373,6 @@
struct reliable_entry *reliable_get_entry_sequenced(struct reliable *rel);
-
/**
* Copies the first n acks from \c ack to \c ack_mru
*
@@ -382,8 +380,7 @@
* @param ack_mru The reliable structure to insert the acks into
* @param n The number of ACKS to copy
*/
-void
-copy_acks_to_mru(struct reliable_ack *ack, struct reliable_ack *ack_mru, int n);
+void copy_acks_to_mru(struct reliable_ack *ack, struct reliable_ack *ack_mru, int n);
/**
@@ -426,8 +423,7 @@
* @return the number of buffer that are available for sending without
* breaking ack sequence
* */
-int
-reliable_get_num_output_sequenced_available(struct reliable *rel);
+int reliable_get_num_output_sequenced_available(struct reliable *rel);
/**
* Mark the reliable entry associated with the given buffer as
new file mode 100644
@@ -0,0 +1,124 @@
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
+ * 2019 Lev Stipakov <lev@openvpn.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifdef _WIN32
+#ifndef OPENVPN_RING_BUFFER_H
+#define OPENVPN_RING_BUFFER_H
+
+#include <windows.h>
+#include <winioctl.h>
+
+#include <stdint.h>
+#include <stdbool.h>
+
+/*
+ * Values below are taken from Wireguard Windows client
+ * https://github.com/WireGuard/wireguard-go/blob/master/tun/wintun/ring_windows.go#L14
+ */
+#define WINTUN_RING_CAPACITY 0x800000
+#define WINTUN_RING_TRAILING_BYTES 0x10000
+#define WINTUN_MAX_PACKET_SIZE 0xffff
+#define WINTUN_PACKET_ALIGN 4
+
+#define TUN_IOCTL_REGISTER_RINGS \
+ CTL_CODE(51820U, 0x970U, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
+
+/**
+ * Wintun ring buffer
+ * See https://github.com/WireGuard/wintun#ring-layout
+ */
+struct tun_ring
+{
+ volatile ULONG head;
+ volatile ULONG tail;
+ volatile LONG alertable;
+ UCHAR data[WINTUN_RING_CAPACITY + WINTUN_RING_TRAILING_BYTES];
+};
+
+/**
+ * Struct for ring buffers registration
+ * See https://github.com/WireGuard/wintun#registering-rings
+ */
+struct tun_register_rings
+{
+ struct
+ {
+ ULONG ring_size;
+ struct tun_ring *ring;
+ HANDLE tail_moved;
+ } send, receive;
+};
+
+struct TUN_PACKET_HEADER
+{
+ uint32_t size;
+};
+
+struct TUN_PACKET
+{
+ uint32_t size;
+ UCHAR data[WINTUN_MAX_PACKET_SIZE];
+};
+
+/**
+ * Registers ring buffers used to exchange data between
+ * userspace openvpn process and wintun kernel driver,
+ * see https://github.com/WireGuard/wintun#registering-rings
+ *
+ * @param device handle to opened wintun device
+ * @param send_ring pointer to send ring
+ * @param receive_ring pointer to receive ring
+ * @param send_tail_moved event set by wintun to signal openvpn
+ * that data is available for reading in send ring
+ * @param receive_tail_moved event set by openvpn to signal wintun
+ * that data has been written to receive ring
+ * @return true if registration is successful, false otherwise - use
+ * GetLastError()
+ */
+static inline bool
+register_ring_buffers(HANDLE device, struct tun_ring *send_ring, struct tun_ring *receive_ring,
+ HANDLE send_tail_moved, HANDLE receive_tail_moved)
+{
+ struct tun_register_rings rr;
+ BOOL res;
+ DWORD bytes_returned;
+
+ ZeroMemory(&rr, sizeof(rr));
+
+ rr.send.ring = send_ring;
+ rr.send.ring_size = sizeof(struct tun_ring);
+ rr.send.tail_moved = send_tail_moved;
+
+ rr.receive.ring = receive_ring;
+ rr.receive.ring_size = sizeof(struct tun_ring);
+ rr.receive.tail_moved = receive_tail_moved;
+
+ res = DeviceIoControl(device, TUN_IOCTL_REGISTER_RINGS, &rr, sizeof(rr), NULL, 0,
+ &bytes_returned, NULL);
+
+ return res != FALSE;
+}
+
+#endif /* ifndef OPENVPN_RING_BUFFER_H */
+#endif /* ifdef _WIN32 */
@@ -46,11 +46,11 @@
#include "memdbg.h"
#if defined(TARGET_LINUX) || defined(TARGET_ANDROID)
-#include <linux/rtnetlink.h> /* RTM_GETROUTE etc. */
+#include <linux/rtnetlink.h> /* RTM_GETROUTE etc. */
#endif
#if defined(TARGET_NETBSD)
-#include <net/route.h> /* RT_ROUNDUP(), RT_ADVANCE() */
+#include <net/route.h> /* RT_ROUNDUP(), RT_ADVANCE() */
#endif
#ifdef _WIN32
@@ -67,7 +67,8 @@
static int route_ipv6_ipapi(bool add, const struct route_ipv6 *, const struct tuntap *);
-static int add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapter_index);
+static int add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt,
+ DWORD adapter_index);
static bool del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt);
@@ -89,9 +90,7 @@
int i;
for (i = 0; i < rb->n_bypass; ++i)
{
- msg(D_ROUTE, "ROUTE: bypass_host_route[%d]=%s",
- i,
- print_in_addr_t(rb->bypass[i], 0, &gc));
+ msg(D_ROUTE, "ROUTE: bypass_host_route[%d]=%s", i, print_in_addr_t(rb->bypass[i], 0, &gc));
}
gc_free(&gc);
}
@@ -99,9 +98,9 @@
#endif
/* Route addition return status codes */
-#define RTA_ERROR 0 /* route addition failed */
-#define RTA_SUCCESS 1 /* route addition succeeded */
-#define RTA_EEXIST 2 /* route not added as it already exists */
+#define RTA_ERROR 0 /* route addition failed */
+#define RTA_SUCCESS 1 /* route addition succeeded */
+#define RTA_EEXIST 2 /* route not added as it already exists */
static bool
add_bypass_address(struct route_bypass *rb, const in_addr_t a)
@@ -169,7 +168,8 @@
}
void
-copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a)
+copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src,
+ struct gc_arena *a)
{
*dest = *src;
dest->gc = a;
@@ -177,8 +177,7 @@
void
copy_route_ipv6_option_list(struct route_ipv6_option_list *dest,
- const struct route_ipv6_option_list *src,
- struct gc_arena *a)
+ const struct route_ipv6_option_list *src, struct gc_arena *a)
{
*dest = *src;
dest->gc = a;
@@ -188,11 +187,8 @@
route_string(const struct route_ipv4 *r, struct gc_arena *gc)
{
struct buffer out = alloc_buf_gc(256, gc);
- buf_printf(&out, "ROUTE network %s netmask %s gateway %s",
- print_in_addr_t(r->network, 0, gc),
- print_in_addr_t(r->netmask, 0, gc),
- print_in_addr_t(r->gateway, 0, gc)
- );
+ buf_printf(&out, "ROUTE network %s netmask %s gateway %s", print_in_addr_t(r->network, 0, gc),
+ print_in_addr_t(r->netmask, 0, gc), print_in_addr_t(r->gateway, 0, gc));
if (r->flags & RT_METRIC_DEFINED)
{
buf_printf(&out, " metric %d", r->metric);
@@ -232,10 +228,7 @@
}
static bool
-get_special_addr(const struct route_list *rl,
- const char *string,
- in_addr_t *out,
- bool *status)
+get_special_addr(const struct route_list *rl, const char *string, in_addr_t *out, bool *status)
{
if (status)
{
@@ -270,7 +263,8 @@
}
else
{
- msg(M_INFO, PACKAGE_NAME " ROUTE: net_gateway undefined -- unable to get default gateway from system");
+ msg(M_INFO, PACKAGE_NAME
+ " ROUTE: net_gateway undefined -- unable to get default gateway from system");
if (status)
{
*status = false;
@@ -315,15 +309,13 @@
}
static bool
-init_route(struct route_ipv4 *r,
- struct addrinfo **network_list,
- const struct route_option *ro,
+init_route(struct route_ipv4 *r, struct addrinfo **network_list, const struct route_option *ro,
const struct route_list *rl)
{
const in_addr_t default_netmask = IPV4_NETMASK_HOST;
bool status;
int ret;
- struct in_addr special = {0};
+ struct in_addr special = { 0 };
CLEAR(*r);
r->option = ro;
@@ -337,7 +329,7 @@
/* get_special_addr replaces specialaddr with a special ip addr
* like gw. getaddrinfo is called to convert a a addrinfo struct */
- if (get_special_addr(rl, ro->network, (in_addr_t *) &special.s_addr, &status))
+ if (get_special_addr(rl, ro->network, (in_addr_t *)&special.s_addr, &status))
{
if (!status)
{
@@ -346,13 +338,12 @@
special.s_addr = htonl(special.s_addr);
char buf[INET_ADDRSTRLEN];
inet_ntop(AF_INET, &special, buf, sizeof(buf));
- ret = openvpn_getaddrinfo(0, buf, NULL, 0, NULL,
- AF_INET, network_list);
+ ret = openvpn_getaddrinfo(0, buf, NULL, 0, NULL, AF_INET, network_list);
}
else
{
- ret = openvpn_getaddrinfo(GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL,
- ro->network, NULL, 0, NULL, AF_INET, network_list);
+ ret = openvpn_getaddrinfo(GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL, ro->network, NULL, 0,
+ NULL, AF_INET, network_list);
}
status = (ret == 0);
@@ -366,13 +357,8 @@
if (is_route_parm_defined(ro->netmask))
{
- r->netmask = getaddr(
- GETADDR_HOST_ORDER
- | GETADDR_WARN_ON_SIGNAL,
- ro->netmask,
- 0,
- &status,
- NULL);
+ r->netmask =
+ getaddr(GETADDR_HOST_ORDER | GETADDR_WARN_ON_SIGNAL, ro->netmask, 0, &status, NULL);
if (!status)
{
goto fail;
@@ -389,14 +375,8 @@
{
if (!get_special_addr(rl, ro->gateway, &r->gateway, &status))
{
- r->gateway = getaddr(
- GETADDR_RESOLVE
- | GETADDR_HOST_ORDER
- | GETADDR_WARN_ON_SIGNAL,
- ro->gateway,
- 0,
- &status,
- NULL);
+ r->gateway = getaddr(GETADDR_RESOLVE | GETADDR_HOST_ORDER | GETADDR_WARN_ON_SIGNAL,
+ ro->gateway, 0, &status, NULL);
}
if (!status)
{
@@ -411,7 +391,9 @@
}
else
{
- msg(M_WARN, PACKAGE_NAME " ROUTE: " PACKAGE_NAME " needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options");
+ msg(M_WARN, PACKAGE_NAME
+ " ROUTE: " PACKAGE_NAME
+ " needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options");
goto fail;
}
}
@@ -425,8 +407,7 @@
if (r->metric < 0)
{
msg(M_WARN, PACKAGE_NAME " ROUTE: route metric for network %s (%s) must be >= 0",
- ro->network,
- ro->metric);
+ ro->network, ro->metric);
goto fail;
}
r->flags |= RT_METRIC_DEFINED;
@@ -451,13 +432,12 @@
}
static bool
-init_route_ipv6(struct route_ipv6 *r6,
- const struct route_ipv6_option *r6o,
- const struct route_ipv6_list *rl6 )
+init_route_ipv6(struct route_ipv6 *r6, const struct route_ipv6_option *r6o,
+ const struct route_ipv6_list *rl6)
{
CLEAR(*r6);
- if (!get_ipv6_addr( r6o->prefix, &r6->network, &r6->netbits, M_WARN ))
+ if (!get_ipv6_addr(r6o->prefix, &r6->network, &r6->netbits, M_WARN))
{
goto fail;
}
@@ -465,9 +445,9 @@
/* gateway */
if (is_route_parm_defined(r6o->gateway))
{
- if (inet_pton( AF_INET6, r6o->gateway, &r6->gateway ) != 1)
+ if (inet_pton(AF_INET6, r6o->gateway, &r6->gateway) != 1)
{
- msg( M_WARN, PACKAGE_NAME "ROUTE6: cannot parse gateway spec '%s'", r6o->gateway );
+ msg(M_WARN, PACKAGE_NAME "ROUTE6: cannot parse gateway spec '%s'", r6o->gateway);
}
}
else if (rl6->spec_flags & RTSA_REMOTE_ENDPOINT)
@@ -484,8 +464,7 @@
if (r6->metric < 0)
{
msg(M_WARN, PACKAGE_NAME " ROUTE: route metric for network %s (%s) must be >= 0",
- r6o->prefix,
- r6o->metric);
+ r6o->prefix, r6o->metric);
goto fail;
}
r6->flags |= RT_METRIC_DEFINED;
@@ -510,12 +489,8 @@
}
void
-add_route_to_option_list(struct route_option_list *l,
- const char *network,
- const char *netmask,
- const char *gateway,
- const char *metric,
- int table_id)
+add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask,
+ const char *gateway, const char *metric, int table_id)
{
struct route_option *ro;
ALLOC_OBJ_GC(ro, struct route_option, l->gc);
@@ -526,15 +501,11 @@
ro->table_id = table_id;
ro->next = l->routes;
l->routes = ro;
-
}
void
-add_route_ipv6_to_option_list(struct route_ipv6_option_list *l,
- const char *prefix,
- const char *gateway,
- const char *metric,
- int table_id)
+add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix,
+ const char *gateway, const char *metric, int table_id)
{
struct route_ipv6_option *ro;
ALLOC_OBJ_GC(ro, struct route_ipv6_option, l->gc);
@@ -561,9 +532,7 @@
}
void
-route_list_add_vpn_gateway(struct route_list *rl,
- struct env_set *es,
- const in_addr_t addr)
+route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr)
{
ASSERT(rl);
rl->spec.remote_endpoint = addr;
@@ -572,8 +541,7 @@
}
static void
-add_block_local_item(struct route_list *rl,
- const struct route_gateway_address *gateway,
+add_block_local_item(struct route_list *rl, const struct route_gateway_address *gateway,
in_addr_t target)
{
if (rl->rgi.gateway.netmask < 0xFFFFFFFF)
@@ -585,11 +553,11 @@
ALLOC_OBJ_GC(r2, struct route_ipv4, &rl->gc);
/* split a route into two smaller blocking routes, and direct them to target */
- l2 = ((~gateway->netmask)+1)>>1;
+ l2 = ((~gateway->netmask) + 1) >> 1;
r1->flags = RT_DEFINED;
r1->gateway = target;
r1->network = gateway->addr & gateway->netmask;
- r1->netmask = ~(l2-1);
+ r1->netmask = ~(l2 - 1);
r1->next = rl->routes;
rl->routes = r1;
@@ -627,21 +595,15 @@
bool
block_local_needed(const struct route_list *rl)
{
- const int rgi_needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED);
- return (rl->flags & RG_BLOCK_LOCAL)
- && (rl->rgi.flags & rgi_needed) == rgi_needed
- && (rl->spec.flags & RTSA_REMOTE_ENDPOINT)
- && rl->spec.remote_host_local != TLA_LOCAL;
+ const int rgi_needed = (RGI_ADDR_DEFINED | RGI_NETMASK_DEFINED);
+ return (rl->flags & RG_BLOCK_LOCAL) && (rl->rgi.flags & rgi_needed) == rgi_needed
+ && (rl->spec.flags & RTSA_REMOTE_ENDPOINT) && rl->spec.remote_host_local != TLA_LOCAL;
}
bool
-init_route_list(struct route_list *rl,
- const struct route_option_list *opt,
- const char *remote_endpoint,
- int default_metric,
- in_addr_t remote_host,
- struct env_set *es,
- openvpn_net_ctx_t *ctx)
+init_route_list(struct route_list *rl, const struct route_option_list *opt,
+ const char *remote_endpoint, int default_metric, in_addr_t remote_host,
+ struct env_set *es, openvpn_net_ctx_t *ctx)
{
struct gc_arena gc = gc_new();
bool ret = true;
@@ -683,14 +645,9 @@
if (is_route_parm_defined(remote_endpoint))
{
bool defined = false;
- rl->spec.remote_endpoint = getaddr(
- GETADDR_RESOLVE
- | GETADDR_HOST_ORDER
- | GETADDR_WARN_ON_SIGNAL,
- remote_endpoint,
- 0,
- &defined,
- NULL);
+ rl->spec.remote_endpoint =
+ getaddr(GETADDR_RESOLVE | GETADDR_HOST_ORDER | GETADDR_WARN_ON_SIGNAL, remote_endpoint,
+ 0, &defined, NULL);
if (defined)
{
@@ -758,14 +715,13 @@
* "good enough")
*/
static bool
-route_ipv6_match_host( const struct route_ipv6 *r6,
- const struct in6_addr *host )
+route_ipv6_match_host(const struct route_ipv6 *r6, const struct in6_addr *host)
{
unsigned int bits = r6->netbits;
int i;
unsigned int mask;
- if (bits>128)
+ if (bits > 128)
{
return false;
}
@@ -783,9 +739,9 @@
return true;
}
- mask = 0xff << (8-bits);
+ mask = 0xff << (8 - bits);
- if ( (r6->network.s6_addr[i] & mask) == (host->s6_addr[i] & mask ))
+ if ((r6->network.s6_addr[i] & mask) == (host->s6_addr[i] & mask))
{
return true;
}
@@ -794,12 +750,9 @@
}
bool
-init_route_ipv6_list(struct route_ipv6_list *rl6,
- const struct route_ipv6_option_list *opt6,
- const char *remote_endpoint,
- int default_metric,
- const struct in6_addr *remote_host_ipv6,
- struct env_set *es,
+init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6,
+ const char *remote_endpoint, int default_metric,
+ const struct in6_addr *remote_host_ipv6, struct env_set *es,
openvpn_net_ctx_t *ctx)
{
struct gc_arena gc = gc_new();
@@ -823,7 +776,7 @@
}
msg(D_ROUTE, "GDG6: remote_host_ipv6=%s",
- remote_host_ipv6 ? print_in6_addr(*remote_host_ipv6, 0, &gc) : "n/a" );
+ remote_host_ipv6 ? print_in6_addr(*remote_host_ipv6, 0, &gc) : "n/a");
get_default_gateway_ipv6(&rl6->rgi6, remote_host_ipv6, ctx);
if (rl6->rgi6.flags & RGI_ADDR_DEFINED)
@@ -838,16 +791,16 @@
dmsg(D_ROUTE, "ROUTE6: default_gateway=UNDEF");
}
- if (is_route_parm_defined( remote_endpoint ))
+ if (is_route_parm_defined(remote_endpoint))
{
- if (inet_pton( AF_INET6, remote_endpoint,
- &rl6->remote_endpoint_ipv6) == 1)
+ if (inet_pton(AF_INET6, remote_endpoint, &rl6->remote_endpoint_ipv6) == 1)
{
rl6->spec_flags |= RTSA_REMOTE_ENDPOINT;
}
else
{
- msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve VPN endpoint: %s", remote_endpoint);
+ msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve VPN endpoint: %s",
+ remote_endpoint);
ret = false;
}
}
@@ -877,11 +830,11 @@
* avoiding routing loops, so ignore this part and let
* need_remote_ipv6_route always evaluate to false
*/
- if (remote_host_ipv6
- && route_ipv6_match_host( r6, remote_host_ipv6 ) )
+ if (remote_host_ipv6 && route_ipv6_match_host(r6, remote_host_ipv6))
{
need_remote_ipv6_route = true;
- msg(D_ROUTE, "ROUTE6: %s/%d overlaps IPv6 remote %s, adding host route to VPN endpoint",
+ msg(D_ROUTE,
+ "ROUTE6: %s/%d overlaps IPv6 remote %s, adding host route to VPN endpoint",
print_in6_addr(r6->network, 0, &gc), r6->netbits,
print_in6_addr(*remote_host_ipv6, 0, &gc));
}
@@ -893,15 +846,15 @@
/* add VPN server host route if needed */
if (need_remote_ipv6_route)
{
- if ( (rl6->rgi6.flags & (RGI_ADDR_DEFINED|RGI_IFACE_DEFINED) ) ==
- (RGI_ADDR_DEFINED|RGI_IFACE_DEFINED) )
+ if ((rl6->rgi6.flags & (RGI_ADDR_DEFINED | RGI_IFACE_DEFINED))
+ == (RGI_ADDR_DEFINED | RGI_IFACE_DEFINED))
{
struct route_ipv6 *r6;
ALLOC_OBJ_CLEAR_GC(r6, struct route_ipv6, &rl6->gc);
r6->network = *remote_host_ipv6;
r6->netbits = 128;
- if (!(rl6->rgi6.flags & RGI_ON_LINK) )
+ if (!(rl6->rgi6.flags & RGI_ON_LINK))
{
r6->gateway = rl6->rgi6.gateway.addr_ipv6;
}
@@ -918,7 +871,8 @@
}
else
{
- msg(M_WARN, "ROUTE6: IPv6 route overlaps with IPv6 remote address, but could not determine IPv6 gateway address + interface, expect failure\n" );
+ msg(M_WARN,
+ "ROUTE6: IPv6 route overlaps with IPv6 remote address, but could not determine IPv6 gateway address + interface, expect failure\n");
}
}
@@ -927,13 +881,8 @@
}
static bool
-add_route3(in_addr_t network,
- in_addr_t netmask,
- in_addr_t gateway,
- const struct tuntap *tt,
- unsigned int flags,
- const struct route_gateway_info *rgi,
- const struct env_set *es,
+add_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt,
+ unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es,
openvpn_net_ctx_t *ctx)
{
struct route_ipv4 r;
@@ -946,18 +895,13 @@
}
static void
-del_route3(in_addr_t network,
- in_addr_t netmask,
- in_addr_t gateway,
- const struct tuntap *tt,
- unsigned int flags,
- const struct route_gateway_info *rgi,
- const struct env_set *es,
+del_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt,
+ unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es,
openvpn_net_ctx_t *ctx)
{
struct route_ipv4 r;
CLEAR(r);
- r.flags = RT_DEFINED|RT_ADDED;
+ r.flags = RT_DEFINED | RT_ADDED;
r.network = network;
r.netmask = netmask;
r.gateway = gateway;
@@ -965,56 +909,42 @@
}
static bool
-add_bypass_routes(struct route_bypass *rb,
- in_addr_t gateway,
- const struct tuntap *tt,
- unsigned int flags,
- const struct route_gateway_info *rgi,
- const struct env_set *es,
- openvpn_net_ctx_t *ctx)
+add_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt,
+ unsigned int flags, const struct route_gateway_info *rgi,
+ const struct env_set *es, openvpn_net_ctx_t *ctx)
{
int ret = true;
for (int i = 0; i < rb->n_bypass; ++i)
{
if (rb->bypass[i])
{
- ret = add_route3(rb->bypass[i], IPV4_NETMASK_HOST, gateway, tt,
- flags | ROUTE_REF_GW, rgi, es, ctx) && ret;
+ ret = add_route3(rb->bypass[i], IPV4_NETMASK_HOST, gateway, tt, flags | ROUTE_REF_GW,
+ rgi, es, ctx)
+ && ret;
}
}
return ret;
}
static void
-del_bypass_routes(struct route_bypass *rb,
- in_addr_t gateway,
- const struct tuntap *tt,
- unsigned int flags,
- const struct route_gateway_info *rgi,
- const struct env_set *es,
- openvpn_net_ctx_t *ctx)
+del_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt,
+ unsigned int flags, const struct route_gateway_info *rgi,
+ const struct env_set *es, openvpn_net_ctx_t *ctx)
{
int i;
for (i = 0; i < rb->n_bypass; ++i)
{
if (rb->bypass[i])
{
- del_route3(rb->bypass[i],
- IPV4_NETMASK_HOST,
- gateway,
- tt,
- flags | ROUTE_REF_GW,
- rgi,
- es,
+ del_route3(rb->bypass[i], IPV4_NETMASK_HOST, gateway, tt, flags | ROUTE_REF_GW, rgi, es,
ctx);
}
}
}
static bool
-redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt,
- unsigned int flags, const struct env_set *es,
- openvpn_net_ctx_t *ctx)
+redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags,
+ const struct env_set *es, openvpn_net_ctx_t *ctx)
{
const char err[] = "NOTE: unable to redirect IPv4 default gateway --";
bool ret = true;
@@ -1064,9 +994,8 @@
if ((rl->spec.flags & RTSA_REMOTE_HOST)
&& rl->spec.remote_host != IPV4_INVALID_ADDR)
{
- ret = add_route3(rl->spec.remote_host, IPV4_NETMASK_HOST,
- rl->rgi.gateway.addr, tt, flags | ROUTE_REF_GW,
- &rl->rgi, es, ctx);
+ ret = add_route3(rl->spec.remote_host, IPV4_NETMASK_HOST, rl->rgi.gateway.addr,
+ tt, flags | ROUTE_REF_GW, &rl->rgi, es, ctx);
if (ret)
{
rl->iflags |= RL_DID_LOCAL;
@@ -1080,20 +1009,23 @@
#endif /* ifndef TARGET_ANDROID */
/* route DHCP/DNS server traffic through original default gateway */
- ret = add_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags,
- &rl->rgi, es, ctx) && ret;
+ ret = add_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags, &rl->rgi, es,
+ ctx)
+ && ret;
if (rl->flags & RG_REROUTE_GW)
{
if (rl->flags & RG_DEF1)
{
/* add new default route (1st component) */
- ret = add_route3(0x00000000, 0x80000000, rl->spec.remote_endpoint,
- tt, flags, &rl->rgi, es, ctx) && ret;
+ ret = add_route3(0x00000000, 0x80000000, rl->spec.remote_endpoint, tt, flags,
+ &rl->rgi, es, ctx)
+ && ret;
/* add new default route (2nd component) */
- ret = add_route3(0x80000000, 0x80000000, rl->spec.remote_endpoint,
- tt, flags, &rl->rgi, es, ctx) && ret;
+ ret = add_route3(0x80000000, 0x80000000, rl->spec.remote_endpoint, tt, flags,
+ &rl->rgi, es, ctx)
+ && ret;
}
else
{
@@ -1101,13 +1033,13 @@
if (rl->rgi.flags & RGI_ADDR_DEFINED)
{
/* delete default route */
- del_route3(0, 0, rl->rgi.gateway.addr, tt,
- flags | ROUTE_REF_GW, &rl->rgi, es, ctx);
+ del_route3(0, 0, rl->rgi.gateway.addr, tt, flags | ROUTE_REF_GW, &rl->rgi,
+ es, ctx);
}
/* add new default route */
- ret = add_route3(0, 0, rl->spec.remote_endpoint, tt,
- flags, &rl->rgi, es, ctx) && ret;
+ ret = add_route3(0, 0, rl->spec.remote_endpoint, tt, flags, &rl->rgi, es, ctx)
+ && ret;
}
}
@@ -1119,9 +1051,8 @@
}
static void
-undo_redirect_default_route_to_vpn(struct route_list *rl,
- const struct tuntap *tt, unsigned int flags,
- const struct env_set *es,
+undo_redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt,
+ unsigned int flags, const struct env_set *es,
openvpn_net_ctx_t *ctx)
{
if (rl && rl->iflags & RL_DID_REDIRECT_DEFAULT_GATEWAY)
@@ -1129,61 +1060,35 @@
/* delete remote host route */
if (rl->iflags & RL_DID_LOCAL)
{
- del_route3(rl->spec.remote_host,
- IPV4_NETMASK_HOST,
- rl->rgi.gateway.addr,
- tt,
- flags | ROUTE_REF_GW,
- &rl->rgi,
- es,
- ctx);
+ del_route3(rl->spec.remote_host, IPV4_NETMASK_HOST, rl->rgi.gateway.addr, tt,
+ flags | ROUTE_REF_GW, &rl->rgi, es, ctx);
rl->iflags &= ~RL_DID_LOCAL;
}
/* delete special DHCP/DNS bypass route */
- del_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags,
- &rl->rgi, es, ctx);
+ del_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags, &rl->rgi, es, ctx);
if (rl->flags & RG_REROUTE_GW)
{
if (rl->flags & RG_DEF1)
{
/* delete default route (1st component) */
- del_route3(0x00000000,
- 0x80000000,
- rl->spec.remote_endpoint,
- tt,
- flags,
- &rl->rgi,
- es,
- ctx);
+ del_route3(0x00000000, 0x80000000, rl->spec.remote_endpoint, tt, flags, &rl->rgi,
+ es, ctx);
/* delete default route (2nd component) */
- del_route3(0x80000000,
- 0x80000000,
- rl->spec.remote_endpoint,
- tt,
- flags,
- &rl->rgi,
- es,
- ctx);
+ del_route3(0x80000000, 0x80000000, rl->spec.remote_endpoint, tt, flags, &rl->rgi,
+ es, ctx);
}
else
{
/* delete default route */
- del_route3(0,
- 0,
- rl->spec.remote_endpoint,
- tt,
- flags,
- &rl->rgi,
- es,
- ctx);
+ del_route3(0, 0, rl->spec.remote_endpoint, tt, flags, &rl->rgi, es, ctx);
/* restore original default route if there was any */
if (rl->rgi.flags & RGI_ADDR_DEFINED)
{
- add_route3(0, 0, rl->rgi.gateway.addr, tt,
- flags | ROUTE_REF_GW, &rl->rgi, es, ctx);
+ add_route3(0, 0, rl->rgi.gateway.addr, tt, flags | ROUTE_REF_GW, &rl->rgi, es,
+ ctx);
}
}
}
@@ -1193,32 +1098,28 @@
}
bool
-add_routes(struct route_list *rl, struct route_ipv6_list *rl6,
- const struct tuntap *tt, unsigned int flags,
- const struct env_set *es, openvpn_net_ctx_t *ctx)
+add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt,
+ unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
{
bool ret = redirect_default_route_to_vpn(rl, tt, flags, es, ctx);
- if (rl && !(rl->iflags & RL_ROUTES_ADDED) )
+ if (rl && !(rl->iflags & RL_ROUTES_ADDED))
{
struct route_ipv4 *r;
if (rl->routes && !tt->did_ifconfig_setup)
{
- msg(M_INFO, "WARNING: OpenVPN was configured to add an IPv4 "
+ msg(M_INFO,
+ "WARNING: OpenVPN was configured to add an IPv4 "
"route. However, no IPv4 has been configured for %s, "
"therefore the route installation may fail or may not work "
- "as expected.", tt->actual_name);
+ "as expected.",
+ tt->actual_name);
}
#ifdef ENABLE_MANAGEMENT
if (management && rl->routes)
{
- management_set_state(management,
- OPENVPN_STATE_ADD_ROUTES,
- NULL,
- NULL,
- NULL,
- NULL,
+ management_set_state(management, OPENVPN_STATE_ADD_ROUTES, NULL, NULL, NULL, NULL,
NULL);
}
#endif
@@ -1233,16 +1134,18 @@
}
rl->iflags |= RL_ROUTES_ADDED;
}
- if (rl6 && !(rl6->iflags & RL_ROUTES_ADDED) )
+ if (rl6 && !(rl6->iflags & RL_ROUTES_ADDED))
{
struct route_ipv6 *r;
if (!tt->did_ifconfig_ipv6_setup)
{
- msg(M_INFO, "WARNING: OpenVPN was configured to add an IPv6 "
+ msg(M_INFO,
+ "WARNING: OpenVPN was configured to add an IPv6 "
"route. However, no IPv6 has been configured for %s, "
"therefore the route installation may fail or may not work "
- "as expected.", tt->actual_name);
+ "as expected.",
+ tt->actual_name);
}
for (r = rl6->routes_ipv6; r; r = r->next)
@@ -1260,18 +1163,16 @@
}
void
-delete_routes(struct route_list *rl, struct route_ipv6_list *rl6,
- const struct tuntap *tt, unsigned int flags,
- const struct env_set *es, openvpn_net_ctx_t *ctx)
+delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt,
+ unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
{
delete_routes_v4(rl, tt, flags, es, ctx);
delete_routes_v6(rl6, tt, flags, es, ctx);
}
void
-delete_routes_v4(struct route_list *rl, const struct tuntap *tt,
- unsigned int flags, const struct env_set *es,
- openvpn_net_ctx_t *ctx)
+delete_routes_v4(struct route_list *rl, const struct tuntap *tt, unsigned int flags,
+ const struct env_set *es, openvpn_net_ctx_t *ctx)
{
if (rl && (rl->iflags & RL_ROUTES_ADDED))
{
@@ -1292,9 +1193,8 @@
}
void
-delete_routes_v6(struct route_ipv6_list *rl6, const struct tuntap *tt,
- unsigned int flags, const struct env_set *es,
- openvpn_net_ctx_t *ctx)
+delete_routes_v6(struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags,
+ const struct env_set *es, openvpn_net_ctx_t *ctx)
{
if (rl6 && (rl6->iflags & RL_ROUTES_ADDED))
{
@@ -1330,22 +1230,17 @@
static void
print_route_option(const struct route_option *ro, int level)
{
- msg(level, " route %s/%s/%s/%s",
- show_opt(ro->network),
- show_opt(ro->netmask),
- show_opt(ro->gateway),
- show_opt(ro->metric));
+ msg(level, " route %s/%s/%s/%s", show_opt(ro->network), show_opt(ro->netmask),
+ show_opt(ro->gateway), show_opt(ro->metric));
}
void
-print_route_options(const struct route_option_list *rol,
- int level)
+print_route_options(const struct route_option_list *rol, int level)
{
struct route_option *ro;
if (rol->flags & RG_ENABLE)
{
- msg(level, " [redirect_default_gateway local=%d]",
- (rol->flags & RG_LOCAL) != 0);
+ msg(level, " [redirect_default_gateway local=%d]", (rol->flags & RG_LOCAL) != 0);
}
for (ro = rol->routes; ro; ro = ro->next)
{
@@ -1354,8 +1249,7 @@
}
void
-print_default_gateway(const int msglevel,
- const struct route_gateway_info *rgi,
+print_default_gateway(const int msglevel, const struct route_gateway_info *rgi,
const struct route_ipv6_gateway_info *rgi6)
{
struct gc_arena gc = gc_new();
@@ -1486,23 +1380,22 @@
struct gc_arena gc = gc_new();
if (r6->flags & RT_DEFINED)
{
- struct buffer name1 = alloc_buf_gc( 256, &gc );
- struct buffer val = alloc_buf_gc( 256, &gc );
- struct buffer name2 = alloc_buf_gc( 256, &gc );
+ struct buffer name1 = alloc_buf_gc(256, &gc);
+ struct buffer val = alloc_buf_gc(256, &gc);
+ struct buffer name2 = alloc_buf_gc(256, &gc);
- buf_printf( &name1, "route_ipv6_network_%d", i );
- buf_printf( &val, "%s/%d", print_in6_addr( r6->network, 0, &gc ),
- r6->netbits );
- setenv_str( es, BSTR(&name1), BSTR(&val) );
+ buf_printf(&name1, "route_ipv6_network_%d", i);
+ buf_printf(&val, "%s/%d", print_in6_addr(r6->network, 0, &gc), r6->netbits);
+ setenv_str(es, BSTR(&name1), BSTR(&val));
- buf_printf( &name2, "route_ipv6_gateway_%d", i );
- setenv_str( es, BSTR(&name2), print_in6_addr( r6->gateway, 0, &gc ));
+ buf_printf(&name2, "route_ipv6_gateway_%d", i);
+ setenv_str(es, BSTR(&name2), print_in6_addr(r6->gateway, 0, &gc));
if (r6->flags & RT_METRIC_DEFINED)
{
- struct buffer name3 = alloc_buf_gc( 256, &gc );
- buf_printf( &name3, "route_ipv6_metric_%d", i);
- setenv_int( es, BSTR(&name3), r6->metric);
+ struct buffer name3 = alloc_buf_gc(256, &gc);
+ buf_printf(&name3, "route_ipv6_metric_%d", i);
+ setenv_int(es, BSTR(&name3), r6->metric);
}
}
gc_free(&gc);
@@ -1542,19 +1435,15 @@
#define LR_ERROR 2 /* caller should abort adding route */
static int
-local_route(in_addr_t network,
- in_addr_t netmask,
- in_addr_t gateway,
+local_route(in_addr_t network, in_addr_t netmask, in_addr_t gateway,
const struct route_gateway_info *rgi)
{
/* set LR_MATCH on local host routes */
- const int rgi_needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED|RGI_IFACE_DEFINED);
- if (rgi
- && (rgi->flags & rgi_needed) == rgi_needed
- && gateway == rgi->gateway.addr
+ const int rgi_needed = (RGI_ADDR_DEFINED | RGI_NETMASK_DEFINED | RGI_IFACE_DEFINED);
+ if (rgi && (rgi->flags & rgi_needed) == rgi_needed && gateway == rgi->gateway.addr
&& netmask == 0xFFFFFFFF)
{
- if (((network ^ rgi->gateway.addr) & rgi->gateway.netmask) == 0)
+ if (((network ^ rgi->gateway.addr) & rgi->gateway.netmask) == 0)
{
return LR_MATCH;
}
@@ -1581,17 +1470,16 @@
static inline bool
is_on_link(const int is_local_route, const unsigned int flags, const struct route_gateway_info *rgi)
{
- return rgi && (is_local_route == LR_MATCH || ((flags & ROUTE_REF_GW) && (rgi->flags & RGI_ON_LINK)));
+ return rgi
+ && (is_local_route == LR_MATCH
+ || ((flags & ROUTE_REF_GW) && (rgi->flags & RGI_ON_LINK)));
}
#endif
bool
-add_route(struct route_ipv4 *r,
- const struct tuntap *tt,
- unsigned int flags,
- const struct route_gateway_info *rgi, /* may be NULL */
- const struct env_set *es,
- openvpn_net_ctx_t *ctx)
+add_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags,
+ const struct route_gateway_info *rgi, /* may be NULL */
+ const struct env_set *es, openvpn_net_ctx_t *ctx)
{
int status = 0;
int is_local_route;
@@ -1634,8 +1522,8 @@
status = RTA_SUCCESS;
- int ret = net_route_v4_add(ctx, &r->network, netmask_to_netbits2(r->netmask),
- &r->gateway, iface, r->table_id, metric);
+ int ret = net_route_v4_add(ctx, &r->network, netmask_to_netbits2(r->netmask), &r->gateway,
+ iface, r->table_id, metric);
if (ret == -EEXIST)
{
msg(D_ROUTE, "NOTE: Linux route add command failed because route exists");
@@ -1647,7 +1535,7 @@
status = RTA_ERROR;
}
-#elif defined (TARGET_ANDROID)
+#elif defined(TARGET_ANDROID)
char out[128];
if (rgi)
@@ -1661,15 +1549,11 @@
bool ret = management_android_control(management, "ROUTE", out);
status = ret ? RTA_SUCCESS : RTA_ERROR;
-#elif defined (_WIN32)
+#elif defined(_WIN32)
{
DWORD ai = TUN_ADAPTER_INDEX_INVALID;
- argv_printf(&argv, "%s%s ADD %s MASK %s %s",
- get_win_sys_path(),
- WIN_ROUTE_PATH_SUFFIX,
- network,
- netmask,
- gateway);
+ argv_printf(&argv, "%s%s ADD %s MASK %s %s", get_win_sys_path(), WIN_ROUTE_PATH_SUFFIX,
+ network, netmask, gateway);
if (r->flags & RT_METRIC_DEFINED)
{
argv_printf_cat(&argv, "METRIC %d", r->metric);
@@ -1695,8 +1579,8 @@
else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_EXE)
{
netcmd_semaphore_lock();
- bool ret = openvpn_execve_check(&argv, es, 0,
- "ERROR: Windows route add command failed");
+ bool ret =
+ openvpn_execve_check(&argv, es, 0, "ERROR: Windows route add command failed");
status = ret ? RTA_SUCCESS : RTA_ERROR;
netcmd_semaphore_release();
method = "route.exe";
@@ -1709,8 +1593,8 @@
{
msg(D_ROUTE, "Route addition fallback to route.exe");
netcmd_semaphore_lock();
- bool ret = openvpn_execve_check(&argv, es, 0,
- "ERROR: Windows route add command failed [adaptive]");
+ bool ret = openvpn_execve_check(
+ &argv, es, 0, "ERROR: Windows route add command failed [adaptive]");
status = ret ? RTA_SUCCESS : RTA_ERROR;
netcmd_semaphore_release();
method = "route.exe";
@@ -1727,17 +1611,13 @@
}
}
-#elif defined (TARGET_SOLARIS)
+#elif defined(TARGET_SOLARIS)
/* example: route add 192.0.2.32 -netmask 255.255.255.224 somegateway */
- argv_printf(&argv, "%s add",
- ROUTE_PATH);
+ argv_printf(&argv, "%s add", ROUTE_PATH);
- argv_printf_cat(&argv, "%s -netmask %s %s",
- network,
- netmask,
- gateway);
+ argv_printf_cat(&argv, "%s -netmask %s %s", network, netmask, gateway);
/* Solaris can only distinguish between "metric 0" == "on-link on the
* interface where the IP address given is configured" and "metric > 0"
@@ -1752,14 +1632,12 @@
}
argv_msg(D_ROUTE, &argv);
- bool ret = openvpn_execve_check(&argv, es, 0,
- "ERROR: Solaris route add command failed");
+ bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add command failed");
status = ret ? RTA_SUCCESS : RTA_ERROR;
#elif defined(TARGET_FREEBSD)
- argv_printf(&argv, "%s add",
- ROUTE_PATH);
+ argv_printf(&argv, "%s add", ROUTE_PATH);
#if 0
if (r->flags & RT_METRIC_DEFINED)
@@ -1768,22 +1646,17 @@
}
#endif
- argv_printf_cat(&argv, "-net %s %s %s",
- network,
- gateway,
- netmask);
+ argv_printf_cat(&argv, "-net %s %s %s", network, gateway, netmask);
/* FIXME -- add on-link support for FreeBSD */
argv_msg(D_ROUTE, &argv);
- bool ret = openvpn_execve_check(&argv, es, 0,
- "ERROR: FreeBSD route add command failed");
+ bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: FreeBSD route add command failed");
status = ret ? RTA_SUCCESS : RTA_ERROR;
#elif defined(TARGET_DRAGONFLY)
- argv_printf(&argv, "%s add",
- ROUTE_PATH);
+ argv_printf(&argv, "%s add", ROUTE_PATH);
#if 0
if (r->flags & RT_METRIC_DEFINED)
@@ -1792,22 +1665,17 @@
}
#endif
- argv_printf_cat(&argv, "-net %s %s %s",
- network,
- gateway,
- netmask);
+ argv_printf_cat(&argv, "-net %s %s %s", network, gateway, netmask);
/* FIXME -- add on-link support for Dragonfly */
argv_msg(D_ROUTE, &argv);
- bool ret = openvpn_execve_check(&argv, es, 0,
- "ERROR: DragonFly route add command failed");
+ bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: DragonFly route add command failed");
status = ret ? RTA_SUCCESS : RTA_ERROR;
#elif defined(TARGET_DARWIN)
- argv_printf(&argv, "%s add",
- ROUTE_PATH);
+ argv_printf(&argv, "%s add", ROUTE_PATH);
#if 0
if (r->flags & RT_METRIC_DEFINED)
@@ -1820,28 +1688,21 @@
{
/* Mac OS X route syntax for ON_LINK:
* route add -cloning -net 10.10.0.1 -netmask 255.255.255.255 -interface en0 */
- argv_printf_cat(&argv, "-cloning -net %s -netmask %s -interface %s",
- network,
- netmask,
+ argv_printf_cat(&argv, "-cloning -net %s -netmask %s -interface %s", network, netmask,
rgi->iface);
}
else
{
- argv_printf_cat(&argv, "-net %s %s %s",
- network,
- gateway,
- netmask);
+ argv_printf_cat(&argv, "-net %s %s %s", network, gateway, netmask);
}
argv_msg(D_ROUTE, &argv);
- bool ret = openvpn_execve_check(&argv, es, 0,
- "ERROR: OS X route add command failed");
+ bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: OS X route add command failed");
status = ret ? RTA_SUCCESS : RTA_ERROR;
#elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
- argv_printf(&argv, "%s add",
- ROUTE_PATH);
+ argv_printf(&argv, "%s add", ROUTE_PATH);
#if 0
if (r->flags & RT_METRIC_DEFINED)
@@ -1850,47 +1711,36 @@
}
#endif
- argv_printf_cat(&argv, "-net %s %s -netmask %s",
- network,
- gateway,
- netmask);
+ argv_printf_cat(&argv, "-net %s %s -netmask %s", network, gateway, netmask);
/* FIXME -- add on-link support for OpenBSD/NetBSD */
argv_msg(D_ROUTE, &argv);
- bool ret = openvpn_execve_check(&argv, es, 0,
- "ERROR: OpenBSD/NetBSD route add command failed");
+ bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route add command failed");
status = ret ? RTA_SUCCESS : RTA_ERROR;
#elif defined(TARGET_AIX)
{
int netbits = netmask_to_netbits2(r->netmask);
- argv_printf(&argv, "%s add -net %s/%d %s",
- ROUTE_PATH,
- network, netbits, gateway);
+ argv_printf(&argv, "%s add -net %s/%d %s", ROUTE_PATH, network, netbits, gateway);
argv_msg(D_ROUTE, &argv);
- bool ret = openvpn_execve_check(&argv, es, 0,
- "ERROR: AIX route add command failed");
+ bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
status = ret ? RTA_SUCCESS : RTA_ERROR;
}
#elif defined(TARGET_HAIKU)
/* ex: route add /dev/net/ipro1000/0 0.0.0.0 gw 192.168.1.1 netmask 128.0.0.0 */
- argv_printf(&argv, "%s add %s inet %s gw %s netmask %s",
- ROUTE_PATH,
- rgi->iface,
- network,
- gateway,
- netmask);
+ argv_printf(&argv, "%s add %s inet %s gw %s netmask %s", ROUTE_PATH, rgi->iface, network,
+ gateway, netmask);
argv_msg(D_ROUTE, &argv);
- bool ret = openvpn_execve_check(&argv, es, 0,
- "ERROR: Haiku inet route add command failed");
+ bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet route add command failed");
status = ret ? RTA_SUCCESS : RTA_ERROR;
-#else /* if defined(TARGET_LINUX) */
- msg(M_FATAL, "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
+#else /* if defined(TARGET_LINUX) */
+ msg(M_FATAL,
+ "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
#endif /* if defined(TARGET_LINUX) */
done:
@@ -1912,7 +1762,7 @@
void
-route_ipv6_clear_host_bits( struct route_ipv6 *r6 )
+route_ipv6_clear_host_bits(struct route_ipv6 *r6)
{
/* clear host bit parts of route
* (needed if routes are specified improperly, or if we need to
@@ -1925,24 +1775,25 @@
{
if (bits_to_clear >= 8)
{
- r6->network.s6_addr[byte--] = 0; bits_to_clear -= 8;
+ r6->network.s6_addr[byte--] = 0;
+ bits_to_clear -= 8;
}
else
{
- r6->network.s6_addr[byte--] &= (0xff << bits_to_clear); bits_to_clear = 0;
+ r6->network.s6_addr[byte--] &= (0xff << bits_to_clear);
+ bits_to_clear = 0;
}
}
}
bool
-add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt,
- unsigned int flags, const struct env_set *es,
- openvpn_net_ctx_t *ctx)
+add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flags,
+ const struct env_set *es, openvpn_net_ctx_t *ctx)
{
int status = 0;
bool gateway_needed = false;
- if (!(r6->flags & RT_DEFINED) )
+ if (!(r6->flags & RT_DEFINED))
{
return true; /* no error */
}
@@ -1952,10 +1803,10 @@
#ifndef _WIN32
const char *device = tt->actual_name;
- if (r6->iface != NULL) /* vpn server special route */
+ if (r6->iface != NULL) /* vpn server special route */
{
device = r6->iface;
- if (!IN6_IS_ADDR_UNSPECIFIED(&r6->gateway) )
+ if (!IN6_IS_ADDR_UNSPECIFIED(&r6->gateway))
{
gateway_needed = true;
}
@@ -1963,11 +1814,10 @@
#endif
route_ipv6_clear_host_bits(r6);
- const char *network = print_in6_addr( r6->network, 0, &gc);
- const char *gateway = print_in6_addr( r6->gateway, 0, &gc);
+ const char *network = print_in6_addr(r6->network, 0, &gc);
+ const char *gateway = print_in6_addr(r6->gateway, 0, &gc);
-#if defined(TARGET_DARWIN) \
- || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
+#if defined(TARGET_DARWIN) || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
|| defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
/* the BSD platforms cannot specify gateway and interface independently,
@@ -1975,22 +1825,21 @@
* we build a combined "$gateway%$interface" gateway string
*/
if (r6->iface != NULL && gateway_needed
- && IN6_IS_ADDR_LINKLOCAL(&r6->gateway) ) /* fe80::...%intf */
+ && IN6_IS_ADDR_LINKLOCAL(&r6->gateway)) /* fe80::...%intf */
{
- int len = strlen(gateway) + 1 + strlen(r6->iface)+1;
- char *tmp = gc_malloc( len, true, &gc );
- snprintf( tmp, len, "%s%%%s", gateway, r6->iface );
+ int len = strlen(gateway) + 1 + strlen(r6->iface) + 1;
+ char *tmp = gc_malloc(len, true, &gc);
+ snprintf(tmp, len, "%s%%%s", gateway, r6->iface);
gateway = tmp;
}
#endif
#ifndef _WIN32
- msg(D_ROUTE, "add_route_ipv6(%s/%d -> %s metric %d) dev %s",
- network, r6->netbits, gateway, r6->metric, device );
+ msg(D_ROUTE, "add_route_ipv6(%s/%d -> %s metric %d) dev %s", network, r6->netbits, gateway,
+ r6->metric, device);
#else
- msg(D_ROUTE, "add_route_ipv6(%s/%d -> %s metric %d) IF %lu",
- network, r6->netbits, gateway, r6->metric,
- r6->adapter_index ? r6->adapter_index : tt->adapter_index);
+ msg(D_ROUTE, "add_route_ipv6(%s/%d -> %s metric %d) IF %lu", network, r6->netbits, gateway,
+ r6->metric, r6->adapter_index ? r6->adapter_index : tt->adapter_index);
#endif
/*
@@ -2004,18 +1853,19 @@
* interfaces. OTOH, on "tap" interface, we must always set the
* gateway unless the route is to be an on-link network
*/
- if (tt->type == DEV_TYPE_TAP
- && !( (r6->flags & RT_METRIC_DEFINED) && r6->metric == 0 ) )
+ if (tt->type == DEV_TYPE_TAP && !((r6->flags & RT_METRIC_DEFINED) && r6->metric == 0))
{
gateway_needed = true;
}
if (gateway_needed && IN6_IS_ADDR_UNSPECIFIED(&r6->gateway))
{
- msg(M_WARN, "ROUTE6 WARNING: " PACKAGE_NAME " needs a gateway "
+ msg(M_WARN,
+ "ROUTE6 WARNING: " PACKAGE_NAME " needs a gateway "
"parameter for a --route-ipv6 option and no default was set via "
"--ifconfig-ipv6 or --route-ipv6-gateway option. Not installing "
- "IPv6 route to %s/%d.", network, r6->netbits);
+ "IPv6 route to %s/%d.",
+ network, r6->netbits);
status = 0;
goto done;
}
@@ -2028,8 +1878,7 @@
}
status = RTA_SUCCESS;
- int ret = net_route_v6_add(ctx, &r6->network, r6->netbits,
- gateway_needed ? &r6->gateway : NULL,
+ int ret = net_route_v6_add(ctx, &r6->network, r6->netbits, gateway_needed ? &r6->gateway : NULL,
device, r6->table_id, metric);
if (ret == -EEXIST)
{
@@ -2042,14 +1891,14 @@
status = RTA_ERROR;
}
-#elif defined (TARGET_ANDROID)
+#elif defined(TARGET_ANDROID)
char out[64];
snprintf(out, sizeof(out), "%s/%d %s", network, r6->netbits, device);
status = management_android_control(management, "ROUTE6", out);
-#elif defined (_WIN32)
+#elif defined(_WIN32)
if (tt->options.msg_channel)
{
@@ -2059,7 +1908,7 @@
{
status = route_ipv6_ipapi(true, r6, tt);
}
-#elif defined (TARGET_SOLARIS)
+#elif defined(TARGET_SOLARIS)
/* example: route add -inet6 2001:db8::/32 somegateway 0 */
@@ -2072,11 +1921,7 @@
* use the GW addresses - it seems to still work for fe80:: addresses,
* however this is done internally. NUD maybe?)
*/
- argv_printf(&argv, "%s add -inet6 %s/%d %s",
- ROUTE_PATH,
- network,
- r6->netbits,
- gateway );
+ argv_printf(&argv, "%s add -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
/* on tun (not tap), not "elsewhere"? -> metric 0 */
if (tt->type == DEV_TYPE_TUN && !r6->iface)
@@ -2085,16 +1930,12 @@
}
argv_msg(D_ROUTE, &argv);
- bool ret = openvpn_execve_check(&argv, es, 0,
- "ERROR: Solaris route add -inet6 command failed");
+ bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add -inet6 command failed");
status = ret ? RTA_SUCCESS : RTA_ERROR;
#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
- argv_printf(&argv, "%s add -inet6 %s/%d",
- ROUTE_PATH,
- network,
- r6->netbits);
+ argv_printf(&argv, "%s add -inet6 %s/%d", ROUTE_PATH, network, r6->netbits);
if (gateway_needed)
{
@@ -2106,15 +1947,12 @@
}
argv_msg(D_ROUTE, &argv);
- bool ret = openvpn_execve_check(&argv, es, 0,
- "ERROR: *BSD route add -inet6 command failed");
+ bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: *BSD route add -inet6 command failed");
status = ret ? RTA_SUCCESS : RTA_ERROR;
#elif defined(TARGET_DARWIN)
- argv_printf(&argv, "%s add -inet6 %s -prefixlen %d",
- ROUTE_PATH,
- network, r6->netbits );
+ argv_printf(&argv, "%s add -inet6 %s -prefixlen %d", ROUTE_PATH, network, r6->netbits);
if (gateway_needed)
{
@@ -2126,58 +1964,45 @@
}
argv_msg(D_ROUTE, &argv);
- bool ret = openvpn_execve_check(&argv, es, 0,
- "ERROR: MacOS X route add -inet6 command failed");
+ bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: MacOS X route add -inet6 command failed");
status = ret ? RTA_SUCCESS : RTA_ERROR;
#elif defined(TARGET_OPENBSD)
- argv_printf(&argv, "%s add -inet6 %s -prefixlen %d %s",
- ROUTE_PATH,
- network, r6->netbits, gateway );
+ argv_printf(&argv, "%s add -inet6 %s -prefixlen %d %s", ROUTE_PATH, network, r6->netbits,
+ gateway);
argv_msg(D_ROUTE, &argv);
- bool ret = openvpn_execve_check(&argv, es, 0,
- "ERROR: OpenBSD route add -inet6 command failed");
+ bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD route add -inet6 command failed");
status = ret ? RTA_SUCCESS : RTA_ERROR;
#elif defined(TARGET_NETBSD)
- argv_printf(&argv, "%s add -inet6 %s/%d %s",
- ROUTE_PATH,
- network, r6->netbits, gateway );
+ argv_printf(&argv, "%s add -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
argv_msg(D_ROUTE, &argv);
- bool ret = openvpn_execve_check(&argv, es, 0,
- "ERROR: NetBSD route add -inet6 command failed");
+ bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: NetBSD route add -inet6 command failed");
status = ret ? RTA_SUCCESS : RTA_ERROR;
#elif defined(TARGET_AIX)
- argv_printf(&argv, "%s add -inet6 %s/%d %s",
- ROUTE_PATH,
- network, r6->netbits, gateway);
+ argv_printf(&argv, "%s add -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
argv_msg(D_ROUTE, &argv);
- bool ret = openvpn_execve_check(&argv, es, 0,
- "ERROR: AIX route add command failed");
+ bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
status = ret ? RTA_SUCCESS : RTA_ERROR;
#elif defined(TARGET_HAIKU)
/* ex: route add /dev/net/ipro1000/0 inet6 :: gw beef::cafe prefixlen 64 */
- argv_printf(&argv, "%s add %s inet6 %s gw %s prefixlen %d",
- ROUTE_PATH,
- r6->iface,
- network,
- gateway,
- r6->netbits);
+ argv_printf(&argv, "%s add %s inet6 %s gw %s prefixlen %d", ROUTE_PATH, r6->iface, network,
+ gateway, r6->netbits);
argv_msg(D_ROUTE, &argv);
- bool ret = openvpn_execve_check(&argv, es, 0,
- "ERROR: Haiku inet6 route add command failed");
+ bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet6 route add command failed");
status = ret ? RTA_SUCCESS : RTA_ERROR;
#else /* if defined(TARGET_LINUX) */
- msg(M_FATAL, "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-up script");
+ msg(M_FATAL,
+ "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-up script");
#endif /* if defined(TARGET_LINUX) */
done:
@@ -2198,12 +2023,8 @@
}
static void
-delete_route(struct route_ipv4 *r,
- const struct tuntap *tt,
- unsigned int flags,
- const struct route_gateway_info *rgi,
- const struct env_set *es,
- openvpn_net_ctx_t *ctx)
+delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags,
+ const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
{
#if !defined(TARGET_LINUX)
const char *network;
@@ -2213,12 +2034,12 @@
#if !defined(TARGET_ANDROID)
const char *gateway;
#endif
-#else /* if !defined(TARGET_LINUX) */
+#else /* if !defined(TARGET_LINUX) */
int metric;
#endif
int is_local_route;
- if ((r->flags & (RT_DEFINED|RT_ADDED)) != (RT_DEFINED|RT_ADDED))
+ if ((r->flags & (RT_DEFINED | RT_ADDED)) != (RT_DEFINED | RT_ADDED))
{
return;
}
@@ -2249,19 +2070,16 @@
metric = r->metric;
}
- if (net_route_v4_del(ctx, &r->network, netmask_to_netbits2(r->netmask),
- &r->gateway, NULL, r->table_id, metric) < 0)
+ if (net_route_v4_del(ctx, &r->network, netmask_to_netbits2(r->netmask), &r->gateway, NULL,
+ r->table_id, metric)
+ < 0)
{
msg(M_WARN, "ERROR: Linux route delete command failed");
}
-#elif defined (_WIN32)
+#elif defined(_WIN32)
- argv_printf(&argv, "%s%s DELETE %s MASK %s %s",
- get_win_sys_path(),
- WIN_ROUTE_PATH_SUFFIX,
- network,
- netmask,
- gateway);
+ argv_printf(&argv, "%s%s DELETE %s MASK %s %s", get_win_sys_path(), WIN_ROUTE_PATH_SUFFIX,
+ network, netmask, gateway);
argv_msg(D_ROUTE, &argv);
@@ -2289,7 +2107,8 @@
{
msg(D_ROUTE, "Route deletion fallback to route.exe");
netcmd_semaphore_lock();
- openvpn_execve_check(&argv, es, 0, "ERROR: Windows route delete command failed [adaptive]");
+ openvpn_execve_check(&argv, es, 0,
+ "ERROR: Windows route delete command failed [adaptive]");
netcmd_semaphore_release();
}
}
@@ -2298,35 +2117,23 @@
ASSERT(0);
}
-#elif defined (TARGET_SOLARIS)
+#elif defined(TARGET_SOLARIS)
- argv_printf(&argv, "%s delete %s -netmask %s %s",
- ROUTE_PATH,
- network,
- netmask,
- gateway);
+ argv_printf(&argv, "%s delete %s -netmask %s %s", ROUTE_PATH, network, netmask, gateway);
argv_msg(D_ROUTE, &argv);
openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete command failed");
#elif defined(TARGET_FREEBSD)
- argv_printf(&argv, "%s delete -net %s %s %s",
- ROUTE_PATH,
- network,
- gateway,
- netmask);
+ argv_printf(&argv, "%s delete -net %s %s %s", ROUTE_PATH, network, gateway, netmask);
argv_msg(D_ROUTE, &argv);
openvpn_execve_check(&argv, es, 0, "ERROR: FreeBSD route delete command failed");
#elif defined(TARGET_DRAGONFLY)
- argv_printf(&argv, "%s delete -net %s %s %s",
- ROUTE_PATH,
- network,
- gateway,
- netmask);
+ argv_printf(&argv, "%s delete -net %s %s %s", ROUTE_PATH, network, gateway, netmask);
argv_msg(D_ROUTE, &argv);
openvpn_execve_check(&argv, es, 0, "ERROR: DragonFly route delete command failed");
@@ -2335,19 +2142,12 @@
if (is_on_link(is_local_route, flags, rgi))
{
- argv_printf(&argv, "%s delete -cloning -net %s -netmask %s -interface %s",
- ROUTE_PATH,
- network,
- netmask,
- rgi->iface);
+ argv_printf(&argv, "%s delete -cloning -net %s -netmask %s -interface %s", ROUTE_PATH,
+ network, netmask, rgi->iface);
}
else
{
- argv_printf(&argv, "%s delete -net %s %s %s",
- ROUTE_PATH,
- network,
- gateway,
- netmask);
+ argv_printf(&argv, "%s delete -net %s %s %s", ROUTE_PATH, network, gateway, netmask);
}
argv_msg(D_ROUTE, &argv);
@@ -2355,26 +2155,20 @@
#elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
- argv_printf(&argv, "%s delete -net %s %s -netmask %s",
- ROUTE_PATH,
- network,
- gateway,
- netmask);
+ argv_printf(&argv, "%s delete -net %s %s -netmask %s", ROUTE_PATH, network, gateway, netmask);
argv_msg(D_ROUTE, &argv);
openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route delete command failed");
#elif defined(TARGET_ANDROID)
msg(D_ROUTE_DEBUG, "Deleting routes on Android is not possible/not "
- "needed. The VpnService API allows routes to be set "
- "on connect only and will clean up automatically.");
+ "needed. The VpnService API allows routes to be set "
+ "on connect only and will clean up automatically.");
#elif defined(TARGET_AIX)
{
int netbits = netmask_to_netbits2(r->netmask);
- argv_printf(&argv, "%s delete -net %s/%d %s",
- ROUTE_PATH,
- network, netbits, gateway);
+ argv_printf(&argv, "%s delete -net %s/%d %s", ROUTE_PATH, network, netbits, gateway);
argv_msg(D_ROUTE, &argv);
openvpn_execve_check(&argv, es, 0, "ERROR: AIX route delete command failed");
}
@@ -2382,17 +2176,14 @@
#elif defined(TARGET_HAIKU)
/* ex: route delete /dev/net/ipro1000/0 inet 192.168.0.0 gw 192.168.1.1 netmask 255.255.0.0 */
- argv_printf(&argv, "%s delete %s inet %s gw %s netmask %s",
- ROUTE_PATH,
- rgi->iface,
- network,
- gateway,
- netmask);
+ argv_printf(&argv, "%s delete %s inet %s gw %s netmask %s", ROUTE_PATH, rgi->iface, network,
+ gateway, netmask);
argv_msg(D_ROUTE, &argv);
openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet route delete command failed");
#else /* if defined(TARGET_LINUX) */
- msg(M_FATAL, "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
+ msg(M_FATAL,
+ "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
#endif /* if defined(TARGET_LINUX) */
done:
@@ -2404,13 +2195,12 @@
}
void
-delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt,
- const struct env_set *es,
+delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, const struct env_set *es,
openvpn_net_ctx_t *ctx)
{
const char *network;
- if ((r6->flags & (RT_DEFINED|RT_ADDED)) != (RT_DEFINED|RT_ADDED))
+ if ((r6->flags & (RT_DEFINED | RT_ADDED)) != (RT_DEFINED | RT_ADDED))
{
return;
}
@@ -2422,7 +2212,7 @@
#if !defined(TARGET_SOLARIS)
bool gateway_needed = false;
const char *device = tt->actual_name;
- if (r6->iface != NULL) /* vpn server special route */
+ if (r6->iface != NULL) /* vpn server special route */
{
device = r6->iface;
gateway_needed = true;
@@ -2431,8 +2221,7 @@
/* if we used a gateway on "add route", we also need to specify it on
* delete, otherwise some OSes will refuse to delete the route
*/
- if (tt->type == DEV_TYPE_TAP
- && !( (r6->flags & RT_METRIC_DEFINED) && r6->metric == 0 ) )
+ if (tt->type == DEV_TYPE_TAP && !((r6->flags & RT_METRIC_DEFINED) && r6->metric == 0))
{
gateway_needed = true;
}
@@ -2442,13 +2231,12 @@
struct gc_arena gc = gc_new();
struct argv argv = argv_new();
- network = print_in6_addr( r6->network, 0, &gc);
+ network = print_in6_addr(r6->network, 0, &gc);
#if !defined(TARGET_LINUX) && !defined(_WIN32)
- gateway = print_in6_addr( r6->gateway, 0, &gc);
+ gateway = print_in6_addr(r6->gateway, 0, &gc);
#endif
-#if defined(TARGET_DARWIN) \
- || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
+#if defined(TARGET_DARWIN) || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
|| defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
/* the BSD platforms cannot specify gateway and interface independently,
@@ -2456,16 +2244,16 @@
* we build a combined "$gateway%$interface" gateway string
*/
if (r6->iface != NULL && gateway_needed
- && IN6_IS_ADDR_LINKLOCAL(&r6->gateway) ) /* fe80::...%intf */
+ && IN6_IS_ADDR_LINKLOCAL(&r6->gateway)) /* fe80::...%intf */
{
- int len = strlen(gateway) + 1 + strlen(r6->iface)+1;
- char *tmp = gc_malloc( len, true, &gc );
- snprintf( tmp, len, "%s%%%s", gateway, r6->iface );
+ int len = strlen(gateway) + 1 + strlen(r6->iface) + 1;
+ char *tmp = gc_malloc(len, true, &gc);
+ snprintf(tmp, len, "%s%%%s", gateway, r6->iface);
gateway = tmp;
}
#endif
- msg(D_ROUTE, "delete_route_ipv6(%s/%d)", network, r6->netbits );
+ msg(D_ROUTE, "delete_route_ipv6(%s/%d)", network, r6->netbits);
#if defined(TARGET_LINUX)
int metric = -1;
@@ -2474,14 +2262,14 @@
metric = r6->metric;
}
- if (net_route_v6_del(ctx, &r6->network, r6->netbits,
- gateway_needed ? &r6->gateway : NULL, device, r6->table_id,
- metric) < 0)
+ if (net_route_v6_del(ctx, &r6->network, r6->netbits, gateway_needed ? &r6->gateway : NULL,
+ device, r6->table_id, metric)
+ < 0)
{
msg(M_WARN, "ERROR: Linux route v6 delete command failed");
}
-#elif defined (_WIN32)
+#elif defined(_WIN32)
if (tt->options.msg_channel)
{
@@ -2491,25 +2279,18 @@
{
route_ipv6_ipapi(false, r6, tt);
}
-#elif defined (TARGET_SOLARIS)
+#elif defined(TARGET_SOLARIS)
/* example: route delete -inet6 2001:db8::/32 somegateway */
- argv_printf(&argv, "%s delete -inet6 %s/%d %s",
- ROUTE_PATH,
- network,
- r6->netbits,
- gateway );
+ argv_printf(&argv, "%s delete -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
argv_msg(D_ROUTE, &argv);
openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete -inet6 command failed");
#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
- argv_printf(&argv, "%s delete -inet6 %s/%d",
- ROUTE_PATH,
- network,
- r6->netbits );
+ argv_printf(&argv, "%s delete -inet6 %s/%d", ROUTE_PATH, network, r6->netbits);
if (gateway_needed)
{
@@ -2525,9 +2306,7 @@
#elif defined(TARGET_DARWIN)
- argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d",
- ROUTE_PATH,
- network, r6->netbits );
+ argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d", ROUTE_PATH, network, r6->netbits);
if (gateway_needed)
{
@@ -2543,48 +2322,40 @@
#elif defined(TARGET_OPENBSD)
- argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d %s",
- ROUTE_PATH,
- network, r6->netbits, gateway );
+ argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d %s", ROUTE_PATH, network, r6->netbits,
+ gateway);
argv_msg(D_ROUTE, &argv);
openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD route delete -inet6 command failed");
#elif defined(TARGET_NETBSD)
- argv_printf(&argv, "%s delete -inet6 %s/%d %s",
- ROUTE_PATH,
- network, r6->netbits, gateway );
+ argv_printf(&argv, "%s delete -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
argv_msg(D_ROUTE, &argv);
openvpn_execve_check(&argv, es, 0, "ERROR: NetBSD route delete -inet6 command failed");
#elif defined(TARGET_AIX)
- argv_printf(&argv, "%s delete -inet6 %s/%d %s",
- ROUTE_PATH,
- network, r6->netbits, gateway);
+ argv_printf(&argv, "%s delete -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
argv_msg(D_ROUTE, &argv);
openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
#elif defined(TARGET_ANDROID)
msg(D_ROUTE_DEBUG, "Deleting routes on Android is not possible/not "
- "needed. The VpnService API allows routes to be set "
- "on connect only and will clean up automatically.");
+ "needed. The VpnService API allows routes to be set "
+ "on connect only and will clean up automatically.");
#elif defined(TARGET_HAIKU)
/* ex: route delete /dev/net/ipro1000/0 inet6 :: gw beef::cafe prefixlen 64 */
- argv_printf(&argv, "%s delete %s inet6 %s gw %s prefixlen %d",
- ROUTE_PATH,
- r6->iface,
- network,
- gateway,
- r6->netbits);
+ argv_printf(&argv, "%s delete %s inet6 %s gw %s prefixlen %d", ROUTE_PATH, r6->iface, network,
+ gateway, r6->netbits);
argv_msg(D_ROUTE, &argv);
openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet6 route delete command failed");
#else /* if defined(TARGET_LINUX) */
- msg(M_FATAL, "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-down script");
+ msg(M_FATAL,
+ "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-down script");
#endif /* if defined(TARGET_LINUX) */
argv_free(&argv);
@@ -2610,13 +2381,12 @@
status = GetIpForwardTable(NULL, &size, TRUE);
if (status == ERROR_INSUFFICIENT_BUFFER)
{
- rt = (PMIB_IPFORWARDTABLE) gc_malloc(size, false, gc);
+ rt = (PMIB_IPFORWARDTABLE)gc_malloc(size, false, gc);
status = GetIpForwardTable(rt, &size, TRUE);
if (status != NO_ERROR)
{
msg(D_ROUTE, "NOTE: GetIpForwardTable returned error: %s (code=%u)",
- strerror_win32(status, gc),
- (unsigned int)status);
+ strerror_win32(status, gc), (unsigned int)status);
rt = NULL;
}
}
@@ -2624,9 +2394,7 @@
}
static int
-test_route(const IP_ADAPTER_INFO *adapters,
- const in_addr_t gateway,
- DWORD *index)
+test_route(const IP_ADAPTER_INFO *adapters, const in_addr_t gateway, DWORD *index)
{
int count = 0;
DWORD i = adapter_index_of_ip(adapters, gateway, &count, NULL);
@@ -2638,11 +2406,7 @@
}
static void
-test_route_helper(bool *ret,
- int *count,
- int *good,
- int *ambig,
- const IP_ADAPTER_INFO *adapters,
+test_route_helper(bool *ret, int *count, int *good, int *ambig, const IP_ADAPTER_INFO *adapters,
const in_addr_t gateway)
{
int c;
@@ -2702,13 +2466,8 @@
}
}
- msg(D_ROUTE, "TEST ROUTES: %d/%d succeeded len=%d ret=%d a=%d u/d=%s",
- good,
- count,
- len,
- (int)ret,
- ambig,
- adapter_up ? "up" : "down");
+ msg(D_ROUTE, "TEST ROUTES: %d/%d succeeded len=%d ret=%d a=%d u/d=%s", good, count, len,
+ (int)ret, ambig, adapter_up ? "up" : "down");
gc_free(&gc);
return ret;
@@ -2732,12 +2491,9 @@
const DWORD index = row->dwForwardIfIndex;
const DWORD metric = row->dwForwardMetric1;
- dmsg(D_ROUTE_DEBUG, "GDGR: route[%lu] %s/%s i=%d m=%d",
- i,
- print_in_addr_t((in_addr_t) net, 0, &gc),
- print_in_addr_t((in_addr_t) mask, 0, &gc),
- (int)index,
- (int)metric);
+ dmsg(D_ROUTE_DEBUG, "GDGR: route[%lu] %s/%s i=%d m=%d", i,
+ print_in_addr_t((in_addr_t)net, 0, &gc), print_in_addr_t((in_addr_t)mask, 0, &gc),
+ (int)index, (int)metric);
if (!net && !mask && metric < lowest_metric)
{
@@ -2778,8 +2534,7 @@
if (status != NO_ERROR)
{
msg(D_ROUTE, "NOTE: GetBestInterfaceEx returned error: %s (code=%u)",
- strerror_win32(status, gc),
- (unsigned int)status);
+ strerror_win32(status, gc), (unsigned int)status);
goto done;
}
@@ -2790,13 +2545,11 @@
CLEAR(luid);
SOCKADDR_INET best_src;
CLEAR(best_src);
- status = GetBestRoute2(&luid, best_if_index, NULL,
- dest, 0, best_route, &best_src);
+ status = GetBestRoute2(&luid, best_if_index, NULL, dest, 0, best_route, &best_src);
if (status != NO_ERROR)
{
msg(D_ROUTE, "NOTE: GetIpForwardEntry2 returned error: %s (code=%u)",
- strerror_win32(status, gc),
- (unsigned int)status);
+ strerror_win32(status, gc), (unsigned int)status);
goto done;
}
@@ -2887,13 +2640,10 @@
else if (count > 1)
{
msg(M_WARN, "Warning: route gateway is ambiguous: %s (%d matches)",
- print_in_addr_t(r->gateway, 0, &gc),
- count);
+ print_in_addr_t(r->gateway, 0, &gc), count);
}
- dmsg(D_ROUTE_DEBUG, "DEBUG: route find if: on_tun=%d count=%d index=%d",
- on_tun,
- count,
+ dmsg(D_ROUTE_DEBUG, "DEBUG: route find if: on_tun=%d count=%d index=%d", on_tun, count,
(int)ret);
gc_free(&gc);
@@ -2906,8 +2656,8 @@
* https://msdn.microsoft.com/en-us/library/windows/desktop/aa814411(v=vs.85).aspx
*/
void
-get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
- const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
+get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
+ openvpn_net_ctx_t *ctx)
{
struct gc_arena gc = gc_new();
CLEAR(*rgi6);
@@ -2929,23 +2679,19 @@
goto done;
}
- msg( D_ROUTE, "GDG6: II=%lu DP=%s/%d NH=%s",
- BestRoute.InterfaceIndex,
- print_in6_addr( BestRoute.DestinationPrefix.Prefix.Ipv6.sin6_addr, 0, &gc),
- BestRoute.DestinationPrefix.PrefixLength,
- print_in6_addr( BestRoute.NextHop.Ipv6.sin6_addr, 0, &gc) );
- msg( D_ROUTE, "GDG6: Metric=%d, Loopback=%d, AA=%d, I=%d",
- (int) BestRoute.Metric,
- (int) BestRoute.Loopback,
- (int) BestRoute.AutoconfigureAddress,
- (int) BestRoute.Immortal );
+ msg(D_ROUTE, "GDG6: II=%lu DP=%s/%d NH=%s", BestRoute.InterfaceIndex,
+ print_in6_addr(BestRoute.DestinationPrefix.Prefix.Ipv6.sin6_addr, 0, &gc),
+ BestRoute.DestinationPrefix.PrefixLength,
+ print_in6_addr(BestRoute.NextHop.Ipv6.sin6_addr, 0, &gc));
+ msg(D_ROUTE, "GDG6: Metric=%d, Loopback=%d, AA=%d, I=%d", (int)BestRoute.Metric,
+ (int)BestRoute.Loopback, (int)BestRoute.AutoconfigureAddress, (int)BestRoute.Immortal);
rgi6->gateway.addr_ipv6 = BestRoute.NextHop.Ipv6.sin6_addr;
- rgi6->adapter_index = BestRoute.InterfaceIndex;
+ rgi6->adapter_index = BestRoute.InterfaceIndex;
rgi6->flags |= RGI_ADDR_DEFINED | RGI_IFACE_DEFINED;
/* on-link is signalled by receiving an empty (::) NextHop */
- if (IN6_IS_ADDR_UNSPECIFIED(&BestRoute.NextHop.Ipv6.sin6_addr) )
+ if (IN6_IS_ADDR_UNSPECIFIED(&BestRoute.NextHop.Ipv6.sin6_addr))
{
rgi6->flags |= RGI_ON_LINK;
}
@@ -2961,7 +2707,9 @@
struct gc_arena gc = gc_new();
int ret = RTA_ERROR;
DWORD status;
- const DWORD if_index = (adapter_index == TUN_ADAPTER_INDEX_INVALID) ? windows_route_find_if_index(r, tt) : adapter_index;
+ const DWORD if_index = (adapter_index == TUN_ADAPTER_INDEX_INVALID)
+ ? windows_route_find_if_index(r, tt)
+ : adapter_index;
if (if_index != TUN_ADAPTER_INDEX_INVALID)
{
@@ -2972,7 +2720,7 @@
fr.dwForwardPolicy = 0;
fr.dwForwardNextHop = htonl(r->gateway);
fr.dwForwardIfIndex = if_index;
- fr.dwForwardType = 4; /* the next hop is not the final dest */
+ fr.dwForwardType = 4; /* the next hop is not the final dest */
fr.dwForwardProto = 3; /* PROTO_IP_NETMGMT */
fr.dwForwardAge = 0;
fr.dwForwardNextHopAS = 0;
@@ -2985,8 +2733,7 @@
if ((r->network & r->netmask) != r->network)
{
msg(M_WARN, "Warning: address %s is not a network address in relation to netmask %s",
- print_in_addr_t(r->network, 0, &gc),
- print_in_addr_t(r->netmask, 0, &gc));
+ print_in_addr_t(r->network, 0, &gc), print_in_addr_t(r->netmask, 0, &gc));
}
status = CreateIpForwardEntry(&fr);
@@ -3002,20 +2749,22 @@
else
{
/* failed, try increasing the metric to work around Vista issue */
- const unsigned int forward_metric_limit = 2048; /* iteratively retry higher metrics up to this limit */
+ const unsigned int forward_metric_limit =
+ 2048; /* iteratively retry higher metrics up to this limit */
for (; fr.dwForwardMetric1 <= forward_metric_limit; ++fr.dwForwardMetric1)
{
- /* try a different forward type=3 ("the next hop is the final dest") in addition to 4.
+ /* try a different forward type=3 ("the next hop is the final dest") in addition
+ * to 4.
* --redirect-gateway over RRAS seems to need this. */
for (fr.dwForwardType = 4; fr.dwForwardType >= 3; --fr.dwForwardType)
{
status = CreateIpForwardEntry(&fr);
if (status == NO_ERROR)
{
- msg(D_ROUTE, "ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=%u and dwForwardType=%u",
- (unsigned int)fr.dwForwardMetric1,
- (unsigned int)fr.dwForwardType);
+ msg(D_ROUTE,
+ "ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=%u and dwForwardType=%u",
+ (unsigned int)fr.dwForwardMetric1, (unsigned int)fr.dwForwardType);
ret = RTA_SUCCESS;
goto doublebreak;
}
@@ -3035,9 +2784,10 @@
}
else
{
- msg(M_WARN, "ERROR: route addition failed using CreateIpForwardEntry: "
- "%s [status=%u if_index=%u]", strerror_win32(status, &gc),
- (unsigned int)status, (unsigned int)if_index);
+ msg(M_WARN,
+ "ERROR: route addition failed using CreateIpForwardEntry: "
+ "%s [status=%u if_index=%u]",
+ strerror_win32(status, &gc), (unsigned int)status, (unsigned int)if_index);
}
}
}
@@ -3125,18 +2875,13 @@
return RTA_ERROR;
}
- route_message_t msg = {
- .header = {
- (add ? msg_add_route : msg_del_route),
- sizeof(route_message_t),
- 0
- },
- .family = AF_INET,
- .prefix.ipv4.s_addr = htonl(r->network),
- .gateway.ipv4.s_addr = htonl(r->gateway),
- .iface = { .index = if_index, .name = "" },
- .metric = (r->flags & RT_METRIC_DEFINED ? r->metric : -1)
- };
+ route_message_t msg = { .header = { (add ? msg_add_route : msg_del_route),
+ sizeof(route_message_t), 0 },
+ .family = AF_INET,
+ .prefix.ipv4.s_addr = htonl(r->network),
+ .gateway.ipv4.s_addr = htonl(r->gateway),
+ .iface = { .index = if_index, .name = "" },
+ .metric = (r->flags & RT_METRIC_DEFINED ? r->metric : -1) };
netmask_to_netbits(r->network, r->netmask, &msg.prefix_len);
if (msg.prefix_len == -1)
@@ -3166,7 +2911,7 @@
fwd_row->Metric = ((r->flags & RT_METRIC_DEFINED) ? r->metric : -1);
fwd_row->DestinationPrefix.Prefix.si_family = AF_INET6;
fwd_row->DestinationPrefix.Prefix.Ipv6.sin6_addr = r->network;
- fwd_row->DestinationPrefix.PrefixLength = (UINT8) r->netbits;
+ fwd_row->DestinationPrefix.PrefixLength = (UINT8)r->netbits;
fwd_row->NextHop.si_family = AF_INET6;
fwd_row->NextHop.Ipv6.sin6_addr = r->gateway;
fwd_row->InterfaceIndex = r->adapter_index ? r->adapter_index : tt->adapter_index;
@@ -3231,21 +2976,16 @@
do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct tuntap *tt)
{
int status;
- route_message_t msg = {
- .header = {
- (add ? msg_add_route : msg_del_route),
- sizeof(route_message_t),
- 0
- },
- .family = AF_INET6,
- .prefix.ipv6 = r->network,
- .prefix_len = r->netbits,
- .gateway.ipv6 = r->gateway,
- .iface = { .index = tt->adapter_index, .name = "" },
- .metric = ( (r->flags & RT_METRIC_DEFINED) ? r->metric : -1)
- };
+ route_message_t msg = { .header = { (add ? msg_add_route : msg_del_route),
+ sizeof(route_message_t), 0 },
+ .family = AF_INET6,
+ .prefix.ipv6 = r->network,
+ .prefix_len = r->netbits,
+ .gateway.ipv6 = r->gateway,
+ .iface = { .index = tt->adapter_index, .name = "" },
+ .metric = ((r->flags & RT_METRIC_DEFINED) ? r->metric : -1) };
- if (r->adapter_index) /* vpn server special route */
+ if (r->adapter_index) /* vpn server special route */
{
msg.iface.index = r->adapter_index;
}
@@ -3254,8 +2994,7 @@
* The tapdrvr knows about it and will answer neighbor discovery packets.
* (only do this for routes actually using the tun/tap device)
*/
- if (tt->type == DEV_TYPE_TUN
- && msg.iface.index == tt->adapter_index)
+ if (tt->type == DEV_TYPE_TUN && msg.iface.index == tt->adapter_index)
{
inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6);
}
@@ -3269,8 +3008,7 @@
status = do_route_service(add, &msg, sizeof(msg), tt->options.msg_channel);
if (status != RTA_ERROR)
{
- msg(D_ROUTE, "IPv6 route %s via service %s",
- add ? "addition" : "deletion",
+ msg(D_ROUTE, "IPv6 route %s via service %s", add ? "addition" : "deletion",
(status == RTA_SUCCESS) ? "succeeded" : "failed because route exists");
}
return status;
@@ -3309,17 +3047,10 @@
buf_printf(&out, "%s %s %s p=%d i=%d t=%d pr=%d a=%d h=%d m=%d/%d/%d/%d/%d",
print_in_addr_t(r->dwForwardDest, IA_NET_ORDER, gc),
print_in_addr_t(r->dwForwardMask, IA_NET_ORDER, gc),
- print_in_addr_t(r->dwForwardNextHop, IA_NET_ORDER, gc),
- (int)r->dwForwardPolicy,
- (int)r->dwForwardIfIndex,
- (int)r->dwForwardType,
- (int)r->dwForwardProto,
- (int)r->dwForwardAge,
- (int)r->dwForwardNextHopAS,
- (int)r->dwForwardMetric1,
- (int)r->dwForwardMetric2,
- (int)r->dwForwardMetric3,
- (int)r->dwForwardMetric4,
+ print_in_addr_t(r->dwForwardNextHop, IA_NET_ORDER, gc), (int)r->dwForwardPolicy,
+ (int)r->dwForwardIfIndex, (int)r->dwForwardType, (int)r->dwForwardProto,
+ (int)r->dwForwardAge, (int)r->dwForwardNextHopAS, (int)r->dwForwardMetric1,
+ (int)r->dwForwardMetric2, (int)r->dwForwardMetric3, (int)r->dwForwardMetric4,
(int)r->dwForwardMetric5);
return BSTR(&out);
}
@@ -3368,12 +3099,11 @@
* normally on Linux.
* It always fails and "ioctl(SIOCGIFCONF) failed" confuses users
*/
-
}
void
-get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
- const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
+get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
+ openvpn_net_ctx_t *ctx)
{
/* Same for ipv6 */
@@ -3437,7 +3167,7 @@
if (ifr->ifr_addr.sa_family == AF_INET)
{
/* get interface addr */
- addr = ntohl(((struct sockaddr_in *) &ifr->ifr_addr)->sin_addr.s_addr);
+ addr = ntohl(((struct sockaddr_in *)&ifr->ifr_addr)->sin_addr.s_addr);
/* get interface name */
strncpynt(ifreq.ifr_name, ifr->ifr_name, sizeof(ifreq.ifr_name));
@@ -3455,7 +3185,7 @@
if (rgi->flags & RGI_ON_LINK)
{
/* check that interface name of current interface
- * matches interface name of best default route */
+ * matches interface name of best default route */
if (strcmp(ifreq.ifr_name, best_name))
{
continue;
@@ -3479,7 +3209,7 @@
{
continue;
}
- netmask = ntohl(((struct sockaddr_in *) &ifreq.ifr_addr)->sin_addr.s_addr);
+ netmask = ntohl(((struct sockaddr_in *)&ifreq.ifr_addr)->sin_addr.s_addr);
/* check that interface matches default route */
if (((rgi->gateway.addr ^ addr) & netmask) != 0)
@@ -3524,22 +3254,22 @@
* netlink(3), netlink(7), rtnetlink(7)
* http://www.virtualbox.org/svn/vbox/trunk/src/VBox/NetworkServices/NAT/rtmon_linux.c
*/
-struct rtreq {
+struct rtreq
+{
struct nlmsghdr nh;
struct rtmsg rtm;
char attrbuf[512];
};
void
-get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
- const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
+get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
+ openvpn_net_ctx_t *ctx)
{
int flags;
CLEAR(*rgi6);
- if (net_route_v6_best_gw(ctx, dest, &rgi6->gateway.addr_ipv6,
- rgi6->iface) == 0)
+ if (net_route_v6_best_gw(ctx, dest, &rgi6->gateway.addr_ipv6, rgi6->iface) == 0)
{
if (!IN6_IS_ADDR_UNSPECIFIED(&rgi6->gateway.addr_ipv6))
{
@@ -3564,9 +3294,8 @@
}
}
-#elif defined(TARGET_DARWIN) || defined(TARGET_SOLARIS) \
- || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
- || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
+#elif defined(TARGET_DARWIN) || defined(TARGET_SOLARIS) || defined(TARGET_FREEBSD) \
+ || defined(TARGET_DRAGONFLY) || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
#include <sys/types.h>
#include <sys/socket.h>
@@ -3577,7 +3306,8 @@
#include <ifaddrs.h>
#endif
-struct rtmsg {
+struct rtmsg
+{
struct rt_msghdr m_rtm;
char m_space[512];
};
@@ -3599,26 +3329,30 @@
*/
#if defined(TARGET_DARWIN)
-#define ROUNDUP(a) \
- ((a) > 0 ? (1 + (((a) - 1) | (sizeof(uint32_t) - 1))) : sizeof(uint32_t))
+#define ROUNDUP(a) ((a) > 0 ? (1 + (((a) - 1) | (sizeof(uint32_t) - 1))) : sizeof(uint32_t))
#elif defined(TARGET_NETBSD)
#define ROUNDUP(a) RT_ROUNDUP(a)
#else
-#define ROUNDUP(a) \
- ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
+#define ROUNDUP(a) ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
#endif
#if defined(TARGET_SOLARIS)
-#define NEXTADDR(w, u) \
- if (rtm_addrs & (w)) { \
- l = sizeof(u); memmove(cp, &(u), l); cp += ROUNDUP(l); \
+#define NEXTADDR(w, u) \
+ if (rtm_addrs & (w)) \
+ { \
+ l = sizeof(u); \
+ memmove(cp, &(u), l); \
+ cp += ROUNDUP(l); \
}
#define ADVANCE(x, n) (x += ROUNDUP(sizeof(struct sockaddr_in)))
-#else /* if defined(TARGET_SOLARIS) */
-#define NEXTADDR(w, u) \
- if (rtm_addrs & (w)) { \
- l = ((struct sockaddr *)&(u))->sa_len; memmove(cp, &(u), l); cp += ROUNDUP(l); \
+#else /* if defined(TARGET_SOLARIS) */
+#define NEXTADDR(w, u) \
+ if (rtm_addrs & (w)) \
+ { \
+ l = ((struct sockaddr *)&(u))->sa_len; \
+ memmove(cp, &(u), l); \
+ cp += ROUNDUP(l); \
}
#define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))
@@ -3637,7 +3371,7 @@
struct sockaddr so_dst, so_mask;
char *cp = m_rtmsg.m_space;
struct sockaddr *gate = NULL, *ifp = NULL, *sa;
- struct rt_msghdr *rtm_aux;
+ struct rt_msghdr *rtm_aux;
#define rtm m_rtmsg.m_rtm
@@ -3647,7 +3381,7 @@
pid = getpid();
seq = 0;
#ifdef TARGET_OPENBSD
- rtm_addrs = RTA_DST | RTA_NETMASK; /* Kernel refuses RTA_IFP */
+ rtm_addrs = RTA_DST | RTA_NETMASK; /* Kernel refuses RTA_IFP */
#else
rtm_addrs = RTA_DST | RTA_NETMASK | RTA_IFP;
#endif
@@ -3688,7 +3422,7 @@
}
if (write(sockfd, (char *)&m_rtmsg, l) < 0)
{
- msg(M_WARN|M_ERRNO, "GDG: problem writing to routing socket");
+ msg(M_WARN | M_ERRNO, "GDG: problem writing to routing socket");
goto done;
}
do
@@ -3738,7 +3472,7 @@
if (ifp)
{
/* get interface name */
- const struct sockaddr_dl *adl = (struct sockaddr_dl *) ifp;
+ const struct sockaddr_dl *adl = (struct sockaddr_dl *)ifp;
if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi->iface))
{
memcpy(rgi->iface, adl->sdl_data, adl->sdl_nlen);
@@ -3806,15 +3540,14 @@
if (getifaddrs(&ifap) != 0)
{
- msg(M_WARN|M_ERRNO, "GDG: getifaddrs() failed");
+ msg(M_WARN | M_ERRNO, "GDG: getifaddrs() failed");
goto done;
}
for (ifa = ifap; ifa; ifa = ifa->ifa_next)
{
- if (ifa->ifa_addr != NULL
- && ifa->ifa_addr->sa_family == AF_LINK
- && !strncmp(ifa->ifa_name, rgi->iface, IFNAMSIZ) )
+ if (ifa->ifa_addr != NULL && ifa->ifa_addr->sa_family == AF_LINK
+ && !strncmp(ifa->ifa_name, rgi->iface, IFNAMSIZ))
{
struct sockaddr_dl *sdl = (struct sockaddr_dl *)ifa->ifa_addr;
memcpy(rgi->hwaddr, LLADDR(sdl), 6);
@@ -3847,10 +3580,9 @@
#endif
void
-get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
- const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
+get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
+ openvpn_net_ctx_t *ctx)
{
-
struct rtmsg m_rtmsg;
int sockfd = -1;
int seq, l, pid, rtm_addrs;
@@ -3866,7 +3598,7 @@
pid = getpid();
seq = 0;
#ifdef TARGET_OPENBSD
- rtm_addrs = RTA_DST | RTA_NETMASK; /* Kernel refuses RTA_IFP */
+ rtm_addrs = RTA_DST | RTA_NETMASK; /* Kernel refuses RTA_IFP */
#else
rtm_addrs = RTA_DST | RTA_NETMASK | RTA_IFP;
#endif
@@ -3887,8 +3619,8 @@
so_dst.sin6_family = AF_INET6;
so_mask.sin6_family = AF_INET6;
- if (dest != NULL /* specific host? */
- && !IN6_IS_ADDR_UNSPECIFIED(dest) )
+ if (dest != NULL /* specific host? */
+ && !IN6_IS_ADDR_UNSPECIFIED(dest))
{
so_dst.sin6_addr = *dest;
/* :: needs /0 "netmask", host route wants "no netmask */
@@ -3916,15 +3648,14 @@
}
if (write(sockfd, (char *)&m_rtmsg, l) < 0)
{
- msg(M_WARN|M_ERRNO, "GDG6: problem writing to routing socket");
+ msg(M_WARN | M_ERRNO, "GDG6: problem writing to routing socket");
goto done;
}
do
{
l = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg));
- }
- while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));
+ } while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));
close(sockfd);
sockfd = -1;
@@ -3967,14 +3698,12 @@
* (KAME encodes the 16 bit scope_id in s6_addr[2] + [3],
* but for a correct link-local address these must be :0000: )
*/
- if (gate->sa_len == sizeof(struct sockaddr_in6)
- && IN6_IS_ADDR_LINKLOCAL(&gw) )
+ if (gate->sa_len == sizeof(struct sockaddr_in6) && IN6_IS_ADDR_LINKLOCAL(&gw))
{
gw.s6_addr[2] = gw.s6_addr[3] = 0;
}
- if (gate->sa_len != sizeof(struct sockaddr_in6)
- || IN6_IS_ADDR_UNSPECIFIED(&gw) )
+ if (gate->sa_len != sizeof(struct sockaddr_in6) || IN6_IS_ADDR_UNSPECIFIED(&gw))
{
rgi6->flags |= RGI_ON_LINK;
}
@@ -3988,7 +3717,7 @@
if (ifp)
{
/* get interface name */
- const struct sockaddr_dl *adl = (struct sockaddr_dl *) ifp;
+ const struct sockaddr_dl *adl = (struct sockaddr_dl *)ifp;
if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi6->iface))
{
memcpy(rgi6->iface, adl->sdl_data, adl->sdl_nlen);
@@ -4072,15 +3801,15 @@
address_size += route.gateway->sa_len;
}
- interface = (struct ifreq *)((addr_t)interface + IF_NAMESIZE
- + sizeof(struct route_entry) + address_size);
+ interface = (struct ifreq *)((addr_t)interface + IF_NAMESIZE + sizeof(struct route_entry)
+ + address_size);
}
free(buffer);
}
void
-get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
- const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
+get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
+ openvpn_net_ctx_t *ctx)
{
/* TODO: Same for ipv6 with AF_INET6 */
CLEAR(*rgi6);
@@ -4118,8 +3847,8 @@
CLEAR(*rgi);
}
void
-get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
- const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
+get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
+ openvpn_net_ctx_t *ctx)
{
msg(D_ROUTE, "no support for get_default_gateway_ipv6() on this system");
CLEAR(*rgi6);
@@ -4199,7 +3928,8 @@
while (iplist)
{
bool succeed = false;
- const in_addr_t ip = getaddr(GETADDR_HOST_ORDER, iplist->IpAddress.String, 0, &succeed, NULL);
+ const in_addr_t ip =
+ getaddr(GETADDR_HOST_ORDER, iplist->IpAddress.String, 0, &succeed, NULL);
if (succeed)
{
add_host_route_if_nonlocal(rb, ip);
@@ -4247,7 +3977,7 @@
#else /* if defined(_WIN32) */
static void
-get_bypass_addresses(struct route_bypass *rb, const unsigned int flags) /* PLATFORM-SPECIFIC */
+get_bypass_addresses(struct route_bypass *rb, const unsigned int flags) /* PLATFORM-SPECIFIC */
{
}
@@ -4268,7 +3998,8 @@
test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi)
{
struct gc_arena gc = gc_new();
- const in_addr_t nonlocal_netmask = 0x80000000L; /* routes with netmask <= to this are considered non-local */
+ const in_addr_t nonlocal_netmask =
+ 0x80000000L; /* routes with netmask <= to this are considered non-local */
int ret = TLA_NONLOCAL;
/* get full routing table */
@@ -4295,7 +4026,7 @@
#else /* if defined(_WIN32) */
int
-test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi) /* PLATFORM-SPECIFIC */
+test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi) /* PLATFORM-SPECIFIC */
{
if (rgi)
{
@@ -36,18 +36,18 @@
/*
* Windows route methods
*/
-#define ROUTE_METHOD_ADAPTIVE 0 /* try IP helper first then route.exe */
-#define ROUTE_METHOD_IPAPI 1 /* use IP helper API */
-#define ROUTE_METHOD_EXE 2 /* use route.exe */
-#define ROUTE_METHOD_SERVICE 3 /* use the privileged Windows service */
-#define ROUTE_METHOD_MASK 3
+#define ROUTE_METHOD_ADAPTIVE 0 /* try IP helper first then route.exe */
+#define ROUTE_METHOD_IPAPI 1 /* use IP helper API */
+#define ROUTE_METHOD_EXE 2 /* use route.exe */
+#define ROUTE_METHOD_SERVICE 3 /* use the privileged Windows service */
+#define ROUTE_METHOD_MASK 3
#endif
/*
* Route add/delete flags (must stay clear of ROUTE_METHOD bits)
*/
-#define ROUTE_DELETE_FIRST (1<<2)
-#define ROUTE_REF_GW (1<<3)
+#define ROUTE_DELETE_FIRST (1 << 2)
+#define ROUTE_REF_GW (1 << 3)
struct route_bypass
{
@@ -59,9 +59,9 @@
struct route_special_addr
{
/* bits indicating which members below are defined */
-#define RTSA_REMOTE_ENDPOINT (1<<0)
-#define RTSA_REMOTE_HOST (1<<1)
-#define RTSA_DEFAULT_METRIC (1<<2)
+#define RTSA_REMOTE_ENDPOINT (1 << 0)
+#define RTSA_REMOTE_HOST (1 << 1)
+#define RTSA_DEFAULT_METRIC (1 << 2)
unsigned int flags;
in_addr_t remote_endpoint;
@@ -72,7 +72,8 @@
int default_metric;
};
-struct route_option {
+struct route_option
+{
struct route_option *next;
const char *network;
const char *netmask;
@@ -82,39 +83,43 @@
};
/* redirect-gateway flags */
-#define RG_ENABLE (1<<0)
-#define RG_LOCAL (1<<1)
-#define RG_DEF1 (1<<2)
-#define RG_BYPASS_DHCP (1<<3)
-#define RG_BYPASS_DNS (1<<4)
-#define RG_REROUTE_GW (1<<5)
-#define RG_AUTO_LOCAL (1<<6)
-#define RG_BLOCK_LOCAL (1<<7)
+#define RG_ENABLE (1 << 0)
+#define RG_LOCAL (1 << 1)
+#define RG_DEF1 (1 << 2)
+#define RG_BYPASS_DHCP (1 << 3)
+#define RG_BYPASS_DNS (1 << 4)
+#define RG_REROUTE_GW (1 << 5)
+#define RG_AUTO_LOCAL (1 << 6)
+#define RG_BLOCK_LOCAL (1 << 7)
-struct route_option_list {
+struct route_option_list
+{
unsigned int flags; /* RG_x flags */
struct route_option *routes;
struct gc_arena *gc;
};
-struct route_ipv6_option {
+struct route_ipv6_option
+{
struct route_ipv6_option *next;
- const char *prefix; /* e.g. "2001:db8:1::/64" */
- const char *gateway; /* e.g. "2001:db8:0::2" */
- const char *metric; /* e.g. "5" */
+ const char *prefix; /* e.g. "2001:db8:1::/64" */
+ const char *gateway; /* e.g. "2001:db8:0::2" */
+ const char *metric; /* e.g. "5" */
int table_id;
};
-struct route_ipv6_option_list {
- unsigned int flags; /* RG_x flags, see route_option-list */
+struct route_ipv6_option_list
+{
+ unsigned int flags; /* RG_x flags, see route_option-list */
struct route_ipv6_option *routes_ipv6;
struct gc_arena *gc;
};
-struct route_ipv4 {
-#define RT_DEFINED (1<<0)
-#define RT_ADDED (1<<1)
-#define RT_METRIC_DEFINED (1<<2)
+struct route_ipv4
+{
+#define RT_DEFINED (1 << 0)
+#define RT_ADDED (1 << 1)
+#define RT_METRIC_DEFINED (1 << 2)
struct route_ipv4 *next;
unsigned int flags;
const struct route_option *option;
@@ -125,9 +130,10 @@
int metric;
};
-struct route_ipv6 {
+struct route_ipv6
+{
struct route_ipv6 *next;
- unsigned int flags; /* RT_ flags, see route_ipv4 */
+ unsigned int flags; /* RT_ flags, see route_ipv4 */
struct in6_addr network;
unsigned int netbits;
struct in6_addr gateway;
@@ -135,25 +141,27 @@
int table_id;
/* gateway interface */
#ifdef _WIN32
- DWORD adapter_index; /* interface or ~0 if undefined */
+ DWORD adapter_index; /* interface or ~0 if undefined */
#else
- char *iface; /* interface name (null terminated) */
+ char *iface; /* interface name (null terminated) */
#endif
};
-struct route_gateway_address {
+struct route_gateway_address
+{
in_addr_t addr;
in_addr_t netmask;
};
-struct route_gateway_info {
-#define RGI_ADDR_DEFINED (1<<0) /* set if gateway.addr defined */
-#define RGI_NETMASK_DEFINED (1<<1) /* set if gateway.netmask defined */
-#define RGI_HWADDR_DEFINED (1<<2) /* set if hwaddr is defined */
-#define RGI_IFACE_DEFINED (1<<3) /* set if iface is defined */
-#define RGI_OVERFLOW (1<<4) /* set if more interface addresses than will fit in addrs */
-#define RGI_ON_LINK (1<<5)
+struct route_gateway_info
+{
+#define RGI_ADDR_DEFINED (1 << 0) /* set if gateway.addr defined */
+#define RGI_NETMASK_DEFINED (1 << 1) /* set if gateway.netmask defined */
+#define RGI_HWADDR_DEFINED (1 << 2) /* set if hwaddr is defined */
+#define RGI_IFACE_DEFINED (1 << 3) /* set if iface is defined */
+#define RGI_OVERFLOW (1 << 4) /* set if more interface addresses than will fit in addrs */
+#define RGI_ON_LINK (1 << 5)
unsigned int flags;
/* gateway interface */
@@ -173,17 +181,19 @@
/* address/netmask pairs bound to interface */
#define RGI_N_ADDRESSES 8
- int n_addrs; /* len of addrs, may be 0 */
+ int n_addrs; /* len of addrs, may be 0 */
struct route_gateway_address addrs[RGI_N_ADDRESSES]; /* local addresses attached to iface */
};
-struct route_ipv6_gateway_address {
+struct route_ipv6_gateway_address
+{
struct in6_addr addr_ipv6;
int netbits_ipv6;
};
-struct route_ipv6_gateway_info {
-/* RGI_ flags used as in route_gateway_info */
+struct route_ipv6_gateway_info
+{
+ /* RGI_ flags used as in route_gateway_info */
unsigned int flags;
/* gateway interface */
@@ -210,45 +220,50 @@
/* address/netmask pairs bound to interface */
#define RGI_N_ADDRESSES 8
- int n_addrs; /* len of addrs, may be 0 */
- struct route_ipv6_gateway_address addrs[RGI_N_ADDRESSES]; /* local addresses attached to iface */
+ int n_addrs; /* len of addrs, may be 0 */
+ struct route_ipv6_gateway_address
+ addrs[RGI_N_ADDRESSES]; /* local addresses attached to iface */
};
-struct route_list {
-#define RL_DID_REDIRECT_DEFAULT_GATEWAY (1<<0)
-#define RL_DID_LOCAL (1<<1)
-#define RL_ROUTES_ADDED (1<<2)
+struct route_list
+{
+#define RL_DID_REDIRECT_DEFAULT_GATEWAY (1 << 0)
+#define RL_DID_LOCAL (1 << 1)
+#define RL_ROUTES_ADDED (1 << 2)
unsigned int iflags;
struct route_special_addr spec;
struct route_gateway_info rgi;
- unsigned int flags; /* RG_x flags */
+ unsigned int flags; /* RG_x flags */
struct route_ipv4 *routes;
struct gc_arena gc;
};
-struct route_ipv6_list {
- unsigned int iflags; /* RL_ flags, see route_list */
+struct route_ipv6_list
+{
+ unsigned int iflags; /* RL_ flags, see route_list */
- unsigned int spec_flags; /* RTSA_ flags, route_special_addr */
+ unsigned int spec_flags; /* RTSA_ flags, route_special_addr */
struct in6_addr remote_endpoint_ipv6; /* inside tun */
- struct in6_addr remote_host_ipv6; /* --remote address */
+ struct in6_addr remote_host_ipv6; /* --remote address */
int default_metric;
struct route_ipv6_gateway_info rgi6;
- unsigned int flags; /* RG_x flags, see route_option_list */
+ unsigned int flags; /* RG_x flags, see route_option_list */
struct route_ipv6 *routes_ipv6;
struct gc_arena gc;
};
/* internal OpenVPN route */
-struct iroute {
+struct iroute
+{
in_addr_t network;
int netbits;
struct iroute *next;
};
-struct iroute_ipv6 {
+struct iroute_ipv6
+{
struct in6_addr network;
unsigned int netbits;
struct iroute_ipv6 *next;
@@ -270,79 +285,58 @@
struct route_ipv6_option_list *new_route_ipv6_option_list(struct gc_arena *a);
-struct route_option_list *clone_route_option_list(const struct route_option_list *src, struct gc_arena *a);
+struct route_option_list *clone_route_option_list(const struct route_option_list *src,
+ struct gc_arena *a);
-struct route_ipv6_option_list *clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a);
+struct route_ipv6_option_list *clone_route_ipv6_option_list(
+ const struct route_ipv6_option_list *src, struct gc_arena *a);
-void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a);
+void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src,
+ struct gc_arena *a);
void copy_route_ipv6_option_list(struct route_ipv6_option_list *dest,
- const struct route_ipv6_option_list *src,
- struct gc_arena *a);
+ const struct route_ipv6_option_list *src, struct gc_arena *a);
-void route_ipv6_clear_host_bits( struct route_ipv6 *r6 );
+void route_ipv6_clear_host_bits(struct route_ipv6 *r6);
-bool add_route_ipv6(struct route_ipv6 *r, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx);
+bool add_route_ipv6(struct route_ipv6 *r, const struct tuntap *tt, unsigned int flags,
+ const struct env_set *es, openvpn_net_ctx_t *ctx);
-void delete_route_ipv6(const struct route_ipv6 *r, const struct tuntap *tt, const struct env_set *es, openvpn_net_ctx_t *ctx);
+void delete_route_ipv6(const struct route_ipv6 *r, const struct tuntap *tt,
+ const struct env_set *es, openvpn_net_ctx_t *ctx);
bool add_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags,
const struct route_gateway_info *rgi, const struct env_set *es,
openvpn_net_ctx_t *ctx);
-void add_route_to_option_list(struct route_option_list *l,
- const char *network,
- const char *netmask,
- const char *gateway,
- const char *metric,
- int table_id);
+void add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask,
+ const char *gateway, const char *metric, int table_id);
-void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l,
- const char *prefix,
- const char *gateway,
- const char *metric,
- int table_id);
+void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix,
+ const char *gateway, const char *metric, int table_id);
-bool init_route_list(struct route_list *rl,
- const struct route_option_list *opt,
- const char *remote_endpoint,
- int default_metric,
- in_addr_t remote_host,
- struct env_set *es,
- openvpn_net_ctx_t *ctx);
+bool init_route_list(struct route_list *rl, const struct route_option_list *opt,
+ const char *remote_endpoint, int default_metric, in_addr_t remote_host,
+ struct env_set *es, openvpn_net_ctx_t *ctx);
-bool init_route_ipv6_list(struct route_ipv6_list *rl6,
- const struct route_ipv6_option_list *opt6,
- const char *remote_endpoint,
- int default_metric,
- const struct in6_addr *remote_host,
- struct env_set *es,
+bool init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6,
+ const char *remote_endpoint, int default_metric,
+ const struct in6_addr *remote_host, struct env_set *es,
openvpn_net_ctx_t *ctx);
-void route_list_add_vpn_gateway(struct route_list *rl,
- struct env_set *es,
- const in_addr_t addr);
+void route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr);
-bool add_routes(struct route_list *rl, struct route_ipv6_list *rl6,
- const struct tuntap *tt, unsigned int flags,
- const struct env_set *es, openvpn_net_ctx_t *ctx);
+bool add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt,
+ unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx);
-void delete_routes(struct route_list *rl,
- struct route_ipv6_list *rl6,
- const struct tuntap *tt,
- unsigned int flags,
- const struct env_set *es,
- openvpn_net_ctx_t *ctx);
+void delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt,
+ unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx);
-void
-delete_routes_v4(struct route_list *rl, const struct tuntap *tt,
- unsigned int flags, const struct env_set *es,
- openvpn_net_ctx_t *ctx);
+void delete_routes_v4(struct route_list *rl, const struct tuntap *tt, unsigned int flags,
+ const struct env_set *es, openvpn_net_ctx_t *ctx);
-void
-delete_routes_v6(struct route_ipv6_list *rl6, const struct tuntap *tt,
- unsigned int flags, const struct env_set *es,
- openvpn_net_ctx_t *ctx);
+void delete_routes_v6(struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags,
+ const struct env_set *es, openvpn_net_ctx_t *ctx);
void setenv_routes(struct env_set *es, const struct route_list *rl);
@@ -357,16 +351,12 @@
* @param dest Destination IP address in host byte order.
* @param ctx Pointer to a platform-specific network context struct.
*/
-void get_default_gateway(struct route_gateway_info *rgi,
- in_addr_t dest,
- openvpn_net_ctx_t *ctx);
+void get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx);
-void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi,
- const struct in6_addr *dest,
+void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi, const struct in6_addr *dest,
openvpn_net_ctx_t *ctx);
-void print_default_gateway(const int msglevel,
- const struct route_gateway_info *rgi,
+void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi,
const struct route_ipv6_gateway_info *rgi6);
/*
@@ -381,8 +371,7 @@
int test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi);
#ifndef ENABLE_SMALL
-void print_route_options(const struct route_option_list *rol,
- int level);
+void print_route_options(const struct route_option_list *rol, int level);
#endif
@@ -394,7 +383,7 @@
bool test_routes(const struct route_list *rl, const struct tuntap *tt);
-#else /* ifdef _WIN32 */
+#else /* ifdef _WIN32 */
static inline bool
test_routes(const struct route_list *rl, const struct tuntap *tt)
{
@@ -413,7 +402,7 @@
in_addr_t mask = 0;
if (netbits > 0 && netbits <= addrlen)
{
- mask = IPV4_NETMASK_HOST << (addrlen-netbits);
+ mask = IPV4_NETMASK_HOST << (addrlen - netbits);
}
return mask;
}
@@ -67,7 +67,7 @@
#ifdef _WIN32
case OPENVPN_EXECVE_ERROR:
buf_printf(&out, "external program did not execute -- ");
- /* fall through */
+ /* fall through */
default:
buf_printf(&out, "returned error code %d", stat);
@@ -126,20 +126,16 @@
if (exitcode == OPENVPN_EXECVE_FAILURE)
{
- msg(msglevel, "%scould not execute external program (exit code 127)",
- msg_prefix);
+ msg(msglevel, "%scould not execute external program (exit code 127)", msg_prefix);
}
else
{
- msg(msglevel, "%sexternal program exited with error status: %d",
- msg_prefix, exitcode);
+ msg(msglevel, "%sexternal program exited with error status: %d", msg_prefix, exitcode);
}
-
}
else if (WIFSIGNALED(status))
{
- msg(msglevel, "%sexternal program received signal %d",
- msg_prefix, WTERMSIG(status));
+ msg(msglevel, "%sexternal program received signal %d", msg_prefix, WTERMSIG(status));
}
return false;
@@ -234,7 +230,8 @@
* Wrapper around openvpn_execve
*/
int
-openvpn_execve_check(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *error_message)
+openvpn_execve_check(const struct argv *a, const struct env_set *es, const unsigned int flags,
+ const char *error_message)
{
struct gc_arena gc = gc_new();
const int stat = openvpn_execve(a, es, flags);
@@ -260,8 +257,7 @@
}
if (error_message)
{
- msg(((flags & S_FATAL) ? M_FATAL : M_WARN), "%s: %s",
- error_message,
+ msg(((flags & S_FATAL) ? M_FATAL : M_WARN), "%s: %s", error_message,
system_error_message(stat, &gc));
}
done:
@@ -276,7 +272,7 @@
* associated with formatting and parsing a command line.
*/
int
-openvpn_popen(const struct argv *a, const struct env_set *es)
+openvpn_popen(const struct argv *a, const struct env_set *es)
{
struct gc_arena gc = gc_new();
int ret = -1;
@@ -298,20 +294,20 @@
pid = fork();
if (pid == (pid_t)0) /* child side */
{
- close(pipe_stdout[0]); /* Close read end */
+ close(pipe_stdout[0]); /* Close read end */
dup2(pipe_stdout[1], 1);
execve(cmd, argv, envp);
exit(OPENVPN_EXECVE_FAILURE);
}
- else if (pid > (pid_t)0) /* parent side */
+ else if (pid > (pid_t)0) /* parent side */
{
int status = 0;
- close(pipe_stdout[1]); /* Close write end */
+ close(pipe_stdout[1]); /* Close write end */
waitpid(pid, &status, 0);
ret = pipe_stdout[0];
}
- else /* fork failed */
+ else /* fork failed */
{
close(pipe_stdout[0]);
close(pipe_stdout[1]);
@@ -27,36 +27,38 @@
#include "env_set.h"
/* Script security */
-#define SSEC_NONE 0 /* strictly no calling of external programs */
-#define SSEC_BUILT_IN 1 /* only call built-in programs such as ifconfig, route, netsh, etc.*/
-#define SSEC_SCRIPTS 2 /* allow calling of built-in programs and user-defined scripts */
-#define SSEC_PW_ENV 3 /* allow calling of built-in programs and user-defined scripts that may receive a password as an environmental variable */
+#define SSEC_NONE 0 /* strictly no calling of external programs */
+#define SSEC_BUILT_IN 1 /* only call built-in programs such as ifconfig, route, netsh, etc.*/
+#define SSEC_SCRIPTS 2 /* allow calling of built-in programs and user-defined scripts */
+#define SSEC_PW_ENV \
+ 3 /* allow calling of built-in programs and user-defined scripts that may receive a password \
+ as an environmental variable */
-#define OPENVPN_EXECVE_ERROR -1 /* generic error while forking to run an external program */
-#define OPENVPN_EXECVE_NOT_ALLOWED -2 /* external program not run due to script security */
-#define OPENVPN_EXECVE_FAILURE 127 /* exit code passed back from child when execve fails */
+#define OPENVPN_EXECVE_ERROR -1 /* generic error while forking to run an external program */
+#define OPENVPN_EXECVE_NOT_ALLOWED -2 /* external program not run due to script security */
+#define OPENVPN_EXECVE_FAILURE 127 /* exit code passed back from child when execve fails */
int script_security(void);
void script_security_set(int level);
/* openvpn_execve flags */
-#define S_SCRIPT (1<<0)
-#define S_FATAL (1<<1)
+#define S_SCRIPT (1 << 0)
+#define S_FATAL (1 << 1)
/** Instead of returning 1/0 for success/fail,
* return exit code when between 0 and 255 and -1 otherwise */
-#define S_EXITCODE (1<<2)
+#define S_EXITCODE (1 << 2)
/** instead of waiting for child process to exit and report the status,
* return the pid of the child process */
-#define S_NOWAITPID (1<<3)
+#define S_NOWAITPID (1 << 3)
/* wrapper around the execve() call */
-int openvpn_popen(const struct argv *a, const struct env_set *es);
+int openvpn_popen(const struct argv *a, const struct env_set *es);
bool openvpn_execve_allowed(const unsigned int flags);
-int openvpn_execve_check(const struct argv *a, const struct env_set *es,
- const unsigned int flags, const char *error_message);
+int openvpn_execve_check(const struct argv *a, const struct env_set *es, const unsigned int flags,
+ const char *error_message);
#ifndef WIN32
@@ -72,9 +74,7 @@
* @return true if the process is still running, false if
* an error condition occurred
*/
-bool
-openvpn_waitpid_check(pid_t pid, const char *msg_prefix,
- int msglevel);
+bool openvpn_waitpid_check(pid_t pid, const char *msg_prefix, int msglevel);
#endif
@@ -83,13 +83,12 @@
* 0 and 255, -1 otherwise
*/
static inline int
-openvpn_run_script(const struct argv *a, const struct env_set *es,
- const unsigned int flags, const char *hook)
+openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags,
+ const char *hook)
{
char msg[256];
- snprintf(msg, sizeof(msg),
- "WARNING: Failed running command (%s)", hook);
+ snprintf(msg, sizeof(msg), "WARNING: Failed running command (%s)", hook);
return openvpn_execve_check(a, es, flags | S_SCRIPT, msg);
}
@@ -54,15 +54,12 @@
struct gc_arena gc = gc_new();
if (e)
{
- dmsg(D_SCHEDULER, "SCHEDULE: %s wakeup=[%s] pri=%u",
- caller,
- tv_string_abs(&e->tv, &gc),
+ dmsg(D_SCHEDULER, "SCHEDULE: %s wakeup=[%s] pri=%u", caller, tv_string_abs(&e->tv, &gc),
e->pri);
}
else
{
- dmsg(D_SCHEDULER, "SCHEDULE: %s NULL",
- caller);
+ dmsg(D_SCHEDULER, "SCHEDULE: %s NULL", caller);
}
gc_free(&gc);
}
@@ -84,8 +81,7 @@
* that keys do not collide.
*/
static inline int
-schedule_entry_compare(const struct schedule_entry *e1,
- const struct schedule_entry *e2)
+schedule_entry_compare(const struct schedule_entry *e1, const struct schedule_entry *e2)
{
if (e1->tv.tv_sec < e2->tv.tv_sec)
{
@@ -360,12 +356,11 @@
if (s->root)
{
- schedule_insert(s, e); /* trivial insert into tree */
+ schedule_insert(s, e); /* trivial insert into tree */
}
else
{
s->root = e; /* tree was empty, we are the first element */
-
}
/* This is the magic of the randomized treap algorithm which
* keeps the tree balanced. Move the node up the tree until
@@ -446,12 +441,8 @@
* internally consistent.
*/
int
-schedule_debug_entry(const struct schedule_entry *e,
- int depth,
- int *count,
- struct timeval *least,
- const struct timeval *min,
- const struct timeval *max)
+schedule_debug_entry(const struct schedule_entry *e, int depth, int *count, struct timeval *least,
+ const struct timeval *min, const struct timeval *max)
{
struct gc_arena gc = gc_new();
int maxdepth = depth;
@@ -493,13 +484,13 @@
*least = e->tv;
}
- d = schedule_debug_entry(e->lt, depth+1, count, least, min, &e->tv);
+ d = schedule_debug_entry(e->lt, depth + 1, count, least, min, &e->tv);
if (d > maxdepth)
{
maxdepth = d;
}
- d = schedule_debug_entry(e->gt, depth+1, count, least, &e->tv, max);
+ d = schedule_debug_entry(e->gt, depth + 1, count, least, &e->tv, max);
if (d > maxdepth)
{
maxdepth = d;
@@ -576,14 +567,8 @@
if (e)
{
- printf("Verification Phase count=%d maxlev=%d sru=%d ins=%d coll=%d ls=%d l=%s",
- count,
- maxlev,
- zz.sru,
- zz.ins,
- zz.coll,
- zz.lsteps,
- tv_string(&e->tv, &gc));
+ printf("Verification Phase count=%d maxlev=%d sru=%d ins=%d coll=%d ls=%d l=%s", count,
+ maxlev, zz.sru, zz.ins, zz.coll, zz.lsteps, tv_string(&e->tv, &gc));
if (!tv_eq(&least, &e->tv))
{
@@ -604,11 +589,11 @@
for (i = 0; i < size; ++i)
{
const int src = get_random() % size;
- struct schedule_entry *tmp = array [i];
+ struct schedule_entry *tmp = array[i];
if (i != src)
{
- array [i] = array [src];
- array [src] = tmp;
+ array[i] = array[src];
+ array[src] = tmp;
}
}
}
@@ -625,14 +610,10 @@
if (e)
{
printf("%s [%u] e=" ptr_format ", p=" ptr_format " lt=" ptr_format " gt=" ptr_format "\n",
- tv_string(&e->tv, &gc),
- e->pri,
- (ptr_type)e,
- (ptr_type)e->parent,
- (ptr_type)e->lt,
+ tv_string(&e->tv, &gc), e->pri, (ptr_type)e, (ptr_type)e->parent, (ptr_type)e->lt,
(ptr_type)e->gt);
- schedule_print_work(e->lt, indent+1);
- schedule_print_work(e->gt, indent+1);
+ schedule_print_work(e->lt, indent + 1);
+ schedule_print_work(e->gt, indent + 1);
}
else
{
@@ -42,8 +42,8 @@
struct schedule_entry
{
- struct timeval tv; /* wakeup time */
- unsigned int pri; /* random treap priority */
+ struct timeval tv; /* wakeup time */
+ unsigned int pri; /* random treap priority */
struct schedule_entry *parent; /* treap (btree) links */
struct schedule_entry *lt;
struct schedule_entry *gt;
@@ -52,7 +52,7 @@
struct schedule
{
struct schedule_entry *earliest_wakeup; /* cached earliest wakeup */
- struct schedule_entry *root; /* the root of the treap (btree) */
+ struct schedule_entry *root; /* the root of the treap (btree) */
};
/* Public functions */
@@ -94,9 +94,7 @@
* an opaque object.
*/
static inline void
-schedule_add_entry(struct schedule *s,
- struct schedule_entry *e,
- const struct timeval *tv,
+schedule_add_entry(struct schedule *s, struct schedule_entry *e, const struct timeval *tv,
unsigned int sigma)
{
if (!IN_TREE(e) || !sigma || !tv_within_sigma(tv, &e->tv, sigma))
@@ -114,8 +112,7 @@
* is randomized every time an entry is re-added).
*/
static inline struct schedule_entry *
-schedule_get_earliest_wakeup(struct schedule *s,
- struct timeval *wakeup)
+schedule_get_earliest_wakeup(struct schedule *s, struct timeval *wakeup)
{
struct schedule_entry *ret;
@@ -44,8 +44,7 @@
#define SID_SIZE (sizeof(x_session_id_zero.id))
static inline bool
-session_id_equal(const struct session_id *sid1,
- const struct session_id *sid2)
+session_id_equal(const struct session_id *sid1, const struct session_id *sid2)
{
return !memcmp(sid1->id, sid2->id, SID_SIZE);
}
@@ -86,6 +86,5 @@
void
shaper_msg(struct shaper *s)
{
- msg(M_INFO, "Output Traffic Shaping initialized at %d bytes per second",
- s->bytes_per_second);
+ msg(M_INFO, "Output Traffic Shaping initialized at %d bytes per second", s->bytes_per_second);
}
@@ -36,10 +36,10 @@
* the output direction.
*/
-#define SHAPER_MIN 100 /* bytes per second */
+#define SHAPER_MIN 100 /* bytes per second */
#define SHAPER_MAX 100000000
-#define SHAPER_MAX_TIMEOUT 10 /* seconds */
+#define SHAPER_MAX_TIMEOUT 10 /* seconds */
#define SHAPER_USE_FP
@@ -125,11 +125,12 @@
/* compute delay in microseconds */
tv.tv_sec = 0;
#ifdef SHAPER_USE_FP
- tv.tv_usec = min_int((int)((double)max_int(nbytes, 100) * s->factor), (SHAPER_MAX_TIMEOUT*1000000));
+ tv.tv_usec =
+ min_int((int)((double)max_int(nbytes, 100) * s->factor), (SHAPER_MAX_TIMEOUT * 1000000));
#else
tv.tv_usec = s->bytes_per_second
- ? min_int(max_int(nbytes, 100) * s->factor, (SHAPER_MAX_TIMEOUT*1000000))
- : 0;
+ ? min_int(max_int(nbytes, 100) * s->factor, (SHAPER_MAX_TIMEOUT * 1000000))
+ : 0;
#endif
if (tv.tv_usec)
@@ -138,11 +139,9 @@
tv_add(&s->wakeup, &tv);
#ifdef SHAPER_DEBUG
- dmsg(D_SHAPER_DEBUG, "SHAPER shaper_wrote_bytes bytes=%d delay=%ld sec=%" PRIi64 " usec=%ld",
- nbytes,
- (long)tv.tv_usec,
- (int64_t)s->wakeup.tv_sec,
- (long)s->wakeup.tv_usec);
+ dmsg(D_SHAPER_DEBUG,
+ "SHAPER shaper_wrote_bytes bytes=%d delay=%ld sec=%" PRIi64 " usec=%ld", nbytes,
+ (long)tv.tv_usec, (int64_t)s->wakeup.tv_sec, (long)s->wakeup.tv_usec);
#endif
}
}
@@ -43,20 +43,19 @@
struct signal_info siginfo_static; /* GLOBAL */
-struct signame {
+struct signame
+{
int value;
int priority;
const char *upper;
const char *lower;
};
-static const struct signame signames[] = {
- { SIGINT, 5, "SIGINT", "sigint"},
- { SIGTERM, 4, "SIGTERM", "sigterm" },
- { SIGHUP, 3, "SIGHUP", "sighup" },
- { SIGUSR1, 2, "SIGUSR1", "sigusr1" },
- { SIGUSR2, 1, "SIGUSR2", "sigusr2" }
-};
+static const struct signame signames[] = { { SIGINT, 5, "SIGINT", "sigint" },
+ { SIGTERM, 4, "SIGTERM", "sigterm" },
+ { SIGHUP, 3, "SIGHUP", "sighup" },
+ { SIGUSR1, 2, "SIGUSR1", "sigusr1" },
+ { SIGUSR2, 1, "SIGUSR2", "sigusr2" } };
/* mask for hard signals from management or windows */
static unsigned long long ignored_hard_signals_mask;
@@ -209,8 +208,7 @@
if (try_throw_signal(&siginfo_static, signum, SIG_SOURCE_SOFT))
{
siginfo_static.signal_text = signal_text;
- msg(D_SIGNAL_DEBUG, "Throw signal (soft): %s (%s)", signal_name(signum, true),
- signal_text);
+ msg(D_SIGNAL_DEBUG, "Throw signal (soft): %s (%s)", signal_name(signum, true), signal_text);
}
else
{
@@ -241,8 +239,7 @@
{
si->source = SIG_SOURCE_CONNECTION_FAILED;
}
- msg(D_SIGNAL_DEBUG, "register signal: %s (%s)", signal_name(signum, true),
- signal_text);
+ msg(D_SIGNAL_DEBUG, "register signal: %s (%s)", signal_name(signum, true), signal_text);
}
else
{
@@ -330,7 +327,8 @@
break;
default:
- msg(msglevel, "Unknown signal %d [%s,%s] received by %s", si->signal_received, hs, type, t);
+ msg(msglevel, "Unknown signal %d [%s,%s] received by %s", si->signal_received, hs,
+ type, t);
break;
}
}
@@ -365,13 +363,10 @@
if (state >= 0)
{
- management_set_state(management,
- state,
- si->signal_text ? si->signal_text : signal_name(si->signal_received, true),
- NULL,
- NULL,
- NULL,
- NULL);
+ management_set_state(management, state,
+ si->signal_text ? si->signal_text
+ : signal_name(si->signal_received, true),
+ NULL, NULL, NULL, NULL);
}
}
#endif /* ifdef ENABLE_MANAGEMENT */
@@ -401,7 +396,7 @@
struct sigaction sa;
CLEAR(sa);
- sigfillset(&block_mask); /* all signals */
+ sigfillset(&block_mask); /* all signals */
sa.sa_handler = signal_handler;
sa.sa_mask = block_mask; /* signals blocked inside the handler */
sa.sa_flags = SA_RESTART; /* match with the behaviour of signal() on Linux and BSD */
@@ -430,9 +425,9 @@
struct sigaction sa;
CLEAR(sa);
- sigfillset(&block_mask); /* all signals */
+ sigfillset(&block_mask); /* all signals */
sa.sa_handler = signal_handler;
- sa.sa_mask = block_mask; /* signals blocked inside the handler */
+ sa.sa_mask = block_mask; /* signals blocked inside the handler */
sa.sa_flags = SA_RESTART; /* match with the behaviour of signal() on Linux and BSD */
signal_mode = SM_POST_INIT;
@@ -498,8 +493,10 @@
status_printf(so, "Updated,%s", time_string(0, 0, false, &gc));
status_printf(so, "TUN/TAP read bytes," counter_format, c->c2.tun_read_bytes);
status_printf(so, "TUN/TAP write bytes," counter_format, c->c2.tun_write_bytes);
- status_printf(so, "TCP/UDP read bytes," counter_format, c->c2.link_read_bytes + c->c2.dco_read_bytes);
- status_printf(so, "TCP/UDP write bytes," counter_format, c->c2.link_write_bytes + c->c2.dco_write_bytes);
+ status_printf(so, "TCP/UDP read bytes," counter_format,
+ c->c2.link_read_bytes + c->c2.dco_read_bytes);
+ status_printf(so, "TCP/UDP write bytes," counter_format,
+ c->c2.link_write_bytes + c->c2.dco_write_bytes);
status_printf(so, "Auth read bytes," counter_format, c->c2.link_read_bytes_auth);
#ifdef USE_COMP
if (c->c2.comp_context)
@@ -565,12 +562,13 @@
void
process_explicit_exit_notification_timer_wakeup(struct context *c)
{
- if (event_timeout_trigger(&c->c2.explicit_exit_notification_interval,
- &c->c2.timeval,
+ if (event_timeout_trigger(&c->c2.explicit_exit_notification_interval, &c->c2.timeval,
ETT_DEFAULT))
{
- ASSERT(c->c2.explicit_exit_notification_time_wait && c->options.ce.explicit_exit_notification);
- if (now >= c->c2.explicit_exit_notification_time_wait + c->options.ce.explicit_exit_notification)
+ ASSERT(c->c2.explicit_exit_notification_time_wait
+ && c->options.ce.explicit_exit_notification);
+ if (now >= c->c2.explicit_exit_notification_time_wait
+ + c->options.ce.explicit_exit_notification)
{
event_timeout_clear(&c->c2.explicit_exit_notification_interval);
register_signal(c->sig, SIGTERM, "exit-with-notification");
@@ -608,8 +606,7 @@
process_sigterm(struct context *c)
{
bool ret = true;
- if (c->options.ce.explicit_exit_notification
- && !c->c2.explicit_exit_notification_time_wait)
+ if (c->options.ce.explicit_exit_notification && !c->c2.explicit_exit_notification_time_wait)
{
process_explicit_exit_notification_init(c);
ret = false;
@@ -26,8 +26,8 @@
#include "status.h"
#include "win32.h"
-#define SIG_SOURCE_SOFT 0
-#define SIG_SOURCE_HARD 1
+#define SIG_SOURCE_SOFT 0
+#define SIG_SOURCE_HARD 1
/* CONNECTION_FAILED is also a "soft" status,
* It is thrown if a connection attempt fails
*/
@@ -60,8 +60,7 @@
* Convert sockflags/getaddr_flags into getaddr_flags
*/
static unsigned int
-sf2gaf(const unsigned int getaddr_flags,
- const unsigned int sockflags)
+sf2gaf(const unsigned int getaddr_flags, const unsigned int sockflags)
{
if (sockflags & SF_HOST_RANDOMIZE)
{
@@ -77,9 +76,8 @@
* Functions related to the translation of DNS names to IP addresses.
*/
static int
-get_addr_generic(sa_family_t af, unsigned int flags, const char *hostname,
- void *network, unsigned int *netbits,
- int resolve_retry_seconds, struct signal_info *sig_info,
+get_addr_generic(sa_family_t af, unsigned int flags, const char *hostname, void *network,
+ unsigned int *netbits, int resolve_retry_seconds, struct signal_info *sig_info,
int msglevel)
{
char *endp, *sep, *var_host = NULL;
@@ -108,9 +106,7 @@
break;
default:
- msg(M_WARN,
- "Unsupported AF family passed to getaddrinfo for %s (%d)",
- hostname, af);
+ msg(M_WARN, "Unsupported AF family passed to getaddrinfo for %s (%d)", hostname, af);
goto out;
}
@@ -122,8 +118,7 @@
var_host = strdup(hostname);
if (!var_host)
{
- msg(M_NONFATAL | M_ERRNO,
- "Can't allocate hostname buffer for getaddrinfo");
+ msg(M_NONFATAL | M_ERRNO, "Can't allocate hostname buffer for getaddrinfo");
goto out;
}
@@ -134,15 +129,14 @@
bits = strtoul(sep + 1, &endp, 10);
if ((*endp != '\0') || (bits > max_bits))
{
- msg(msglevel, "IP prefix '%s': invalid '/bits' spec (%s)", hostname,
- sep + 1);
+ msg(msglevel, "IP prefix '%s': invalid '/bits' spec (%s)", hostname, sep + 1);
goto out;
}
*sep = '\0';
}
- ret = openvpn_getaddrinfo(flags & ~GETADDR_HOST_ORDER, var_host, NULL,
- resolve_retry_seconds, sig_info, af, &ai);
+ ret = openvpn_getaddrinfo(flags & ~GETADDR_HOST_ORDER, var_host, NULL, resolve_retry_seconds,
+ sig_info, af, &ai);
if ((ret == 0) && network)
{
struct in6_addr *ip6;
@@ -167,8 +161,7 @@
default:
/* can't get here because 'af' was previously checked */
- msg(M_WARN,
- "Unsupported AF family for %s (%d)", var_host, af);
+ msg(M_WARN, "Unsupported AF family for %s (%d)", var_host, af);
goto out;
}
}
@@ -191,19 +184,15 @@
}
in_addr_t
-getaddr(unsigned int flags,
- const char *hostname,
- int resolve_retry_seconds,
- bool *succeeded,
+getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded,
struct signal_info *sig_info)
{
in_addr_t addr;
int status;
- status = get_addr_generic(AF_INET, flags, hostname, &addr, NULL,
- resolve_retry_seconds, sig_info,
- M_WARN);
- if (status==0)
+ status = get_addr_generic(AF_INET, flags, hostname, &addr, NULL, resolve_retry_seconds,
+ sig_info, M_WARN);
+ if (status == 0)
{
if (succeeded)
{
@@ -222,16 +211,15 @@
}
bool
-get_ipv6_addr(const char *hostname, struct in6_addr *network,
- unsigned int *netbits, int msglevel)
+get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, int msglevel)
{
- if (get_addr_generic(AF_INET6, GETADDR_RESOLVE, hostname, network, netbits,
- 0, NULL, msglevel) < 0)
+ if (get_addr_generic(AF_INET6, GETADDR_RESOLVE, hostname, network, netbits, 0, NULL, msglevel)
+ < 0)
{
return false;
}
- return true; /* parsing OK, values set */
+ return true; /* parsing OK, values set */
}
static inline bool
@@ -256,12 +244,8 @@
* otherwise. (like getaddrinfo)
*/
static int
-get_cached_dns_entry(struct cached_dns_entry *dns_cache,
- const char *hostname,
- const char *servname,
- int ai_family,
- int resolve_flags,
- struct addrinfo **ai)
+get_cached_dns_entry(struct cached_dns_entry *dns_cache, const char *hostname, const char *servname,
+ int ai_family, int resolve_flags, struct addrinfo **ai)
{
struct cached_dns_entry *ph;
int flags;
@@ -271,10 +255,8 @@
for (ph = dns_cache; ph; ph = ph->next)
{
- if (streqnull(ph->hostname, hostname)
- && streqnull(ph->servname, servname)
- && ph->ai_family == ai_family
- && ph->flags == flags)
+ if (streqnull(ph->hostname, hostname) && streqnull(ph->servname, servname)
+ && ph->ai_family == ai_family && ph->flags == flags)
{
*ai = ph->ai;
return 0;
@@ -285,28 +267,19 @@
static int
-do_preresolve_host(struct context *c,
- const char *hostname,
- const char *servname,
- const int af,
+do_preresolve_host(struct context *c, const char *hostname, const char *servname, const int af,
const int flags)
{
struct addrinfo *ai;
int status;
- if (get_cached_dns_entry(c->c1.dns_cache,
- hostname,
- servname,
- af,
- flags,
- &ai) == 0)
+ if (get_cached_dns_entry(c->c1.dns_cache, hostname, servname, af, flags, &ai) == 0)
{
/* entry already cached, return success */
return 0;
}
- status = openvpn_getaddrinfo(flags, hostname, servname,
- c->options.resolve_retry_seconds, NULL,
+ status = openvpn_getaddrinfo(flags, hostname, servname, c->options.resolve_retry_seconds, NULL,
af, &ai);
if (status == 0)
{
@@ -333,7 +306,6 @@
}
gc_addspecial(ai, &gc_freeaddrinfo_callback, &c->gc);
-
}
return status;
}
@@ -342,10 +314,8 @@
do_preresolve(struct context *c)
{
struct connection_list *l = c->options.connection_list;
- const unsigned int preresolve_flags = GETADDR_RESOLVE
- |GETADDR_UPDATE_MANAGEMENT_STATE
- |GETADDR_MENTION_RESOLVE_RETRY
- |GETADDR_FATAL;
+ const unsigned int preresolve_flags = GETADDR_RESOLVE | GETADDR_UPDATE_MANAGEMENT_STATE
+ | GETADDR_MENTION_RESOLVE_RETRY | GETADDR_FATAL;
for (int i = 0; i < l->len; ++i)
@@ -378,8 +348,7 @@
/* HTTP remote hostname does not need to be resolved */
if (!ce->http_proxy_options)
{
- status = do_preresolve_host(c, remote, ce->remote_port,
- ce->af, flags);
+ status = do_preresolve_host(c, remote, ce->remote_port, ce->af, flags);
if (status != 0)
{
goto err;
@@ -389,11 +358,8 @@
/* Preresolve proxy */
if (ce->http_proxy_options)
{
- status = do_preresolve_host(c,
- ce->http_proxy_options->server,
- ce->http_proxy_options->port,
- ce->af,
- preresolve_flags);
+ status = do_preresolve_host(c, ce->http_proxy_options->server,
+ ce->http_proxy_options->port, ce->af, preresolve_flags);
if (status != 0)
{
@@ -403,11 +369,8 @@
if (ce->socks_proxy_server)
{
- status = do_preresolve_host(c,
- ce->socks_proxy_server,
- ce->socks_proxy_port,
- ce->af,
- flags);
+ status =
+ do_preresolve_host(c, ce->socks_proxy_server, ce->socks_proxy_port, ce->af, flags);
if (status != 0)
{
goto err;
@@ -433,10 +396,8 @@
{
goto err;
}
-
}
}
-
}
return;
@@ -453,9 +414,11 @@
{
switch (af)
{
- case AF_INET: return "[AF_INET]";
+ case AF_INET:
+ return "[AF_INET]";
- case AF_INET6: return "[AF_INET6]";
+ case AF_INET6:
+ return "[AF_INET6]";
}
return "";
}
@@ -465,17 +428,13 @@
* If resolve error, try again for resolve_retry_seconds seconds.
*/
int
-openvpn_getaddrinfo(unsigned int flags,
- const char *hostname,
- const char *servname,
- int resolve_retry_seconds,
- struct signal_info *sig_info,
- int ai_family,
+openvpn_getaddrinfo(unsigned int flags, const char *hostname, const char *servname,
+ int resolve_retry_seconds, struct signal_info *sig_info, int ai_family,
struct addrinfo **res)
{
struct addrinfo hints;
int status;
- struct signal_info sigrec = {0};
+ struct signal_info sigrec = { 0 };
int msglevel = (flags & GETADDR_FATAL) ? M_FATAL : D_RESOLVE_ERRORS;
struct gc_arena gc = gc_new();
const char *print_hostname;
@@ -500,8 +459,7 @@
msglevel |= M_MSG_VIRT_OUT;
}
- if ((flags & (GETADDR_FATAL_ON_SIGNAL|GETADDR_WARN_ON_SIGNAL))
- && !sig_info)
+ if ((flags & (GETADDR_FATAL_ON_SIGNAL | GETADDR_WARN_ON_SIGNAL)) && !sig_info)
{
sig_info = &sigrec;
}
@@ -533,12 +491,12 @@
status = getaddrinfo(hostname, servname, &hints, res);
- if (status != 0) /* parse as numeric address failed? */
+ if (status != 0) /* parse as numeric address failed? */
{
const int fail_wait_interval = 5; /* seconds */
/* Add +4 to cause integer division rounding up (1 + 4) = 5, (0+4)/5=0 */
- int resolve_retries = (flags & GETADDR_TRY_ONCE) ? 1 :
- ((resolve_retry_seconds + 4)/ fail_wait_interval);
+ int resolve_retries =
+ (flags & GETADDR_TRY_ONCE) ? 1 : ((resolve_retry_seconds + 4) / fail_wait_interval);
const char *fmt;
int level = 0;
@@ -561,8 +519,7 @@
}
fmt = "RESOLVE: Cannot resolve host address: %s:%s%s (%s)";
- if ((flags & GETADDR_MENTION_RESOLVE_RETRY)
- && !resolve_retry_seconds)
+ if ((flags & GETADDR_MENTION_RESOLVE_RETRY) && !resolve_retry_seconds)
{
fmt = "RESOLVE: Cannot resolve host address: %s:%s%s (%s)"
"(I would have retried this name query if you had "
@@ -571,8 +528,8 @@
if (!(flags & GETADDR_RESOLVE) || status == EAI_FAIL)
{
- msg(msglevel, "RESOLVE: Cannot parse IP address: %s:%s (%s)",
- print_hostname, print_servname, gai_strerror(status));
+ msg(msglevel, "RESOLVE: Cannot parse IP address: %s:%s (%s)", print_hostname,
+ print_servname, gai_strerror(status));
goto done;
}
@@ -581,12 +538,7 @@
{
if (management)
{
- management_set_state(management,
- OPENVPN_STATE_RESOLVE,
- NULL,
- NULL,
- NULL,
- NULL,
+ management_set_state(management, OPENVPN_STATE_RESOLVE, NULL, NULL, NULL, NULL,
NULL);
}
}
@@ -603,9 +555,8 @@
#endif
/* try hostname lookup */
hints.ai_flags &= ~AI_NUMERICHOST;
- dmsg(D_SOCKET_DEBUG,
- "GETADDRINFO flags=0x%04x ai_family=%d ai_socktype=%d",
- flags, hints.ai_family, hints.ai_socktype);
+ dmsg(D_SOCKET_DEBUG, "GETADDRINFO flags=0x%04x ai_family=%d ai_socktype=%d", flags,
+ hints.ai_family, hints.ai_socktype);
status = getaddrinfo(hostname, servname, &hints, res);
if (sig_info)
@@ -616,9 +567,8 @@
/* why are we overwriting SIGUSR1 ? */
if (signal_reset(sig_info, SIGUSR1) == SIGUSR1) /* ignore SIGUSR1 */
{
- msg(level,
- "RESOLVE: Ignored SIGUSR1 signal received during "
- "DNS resolution attempt");
+ msg(level, "RESOLVE: Ignored SIGUSR1 signal received during "
+ "DNS resolution attempt");
}
else
{
@@ -650,11 +600,7 @@
level = D_RESOLVE_ERRORS;
}
- msg(level,
- fmt,
- print_hostname,
- print_servname,
- getaddrinfo_addr_family_name(ai_family),
+ msg(level, fmt, print_hostname, print_servname, getaddrinfo_addr_family_name(ai_family),
gai_strerror(status));
if (--resolve_retries <= 0)
@@ -679,9 +625,8 @@
/* IP address parse succeeded */
if (flags & GETADDR_RANDOMIZE)
{
- msg(M_WARN,
- "WARNING: ignoring --remote-random-hostname because the "
- "hostname is an IP address");
+ msg(M_WARN, "WARNING: ignoring --remote-random-hostname because the "
+ "hostname is an IP address");
}
}
@@ -718,11 +663,11 @@
{
if (a < 256 && b < 256 && c < 256 && d < 256)
{
- addr->s_addr = htonl(a<<24 | b<<16 | c<<8 | d);
+ addr->s_addr = htonl(a << 24 | b << 16 | c << 8 | d);
return OIA_IP; /* good dotted quad */
}
}
- if (string_class(dotted_quad, CC_DIGIT|CC_DOT, 0))
+ if (string_class(dotted_quad, CC_DIGIT | CC_DOT, 0))
{
return OIA_ERROR; /* probably a badly formatted dotted quad */
}
@@ -800,7 +745,7 @@
/* verify that string will convert to IPv6 address */
{
struct in6_addr a6;
- return inet_pton( AF_INET6, ipv6_text_addr, &a6 ) == 1;
+ return inet_pton(AF_INET6, ipv6_text_addr, &a6) == 1;
}
}
@@ -810,7 +755,7 @@
if (addr)
{
const size_t len = strlen(addr);
- return len > 0 && len <= 255 && string_class(addr, CC_ALNUM|CC_DASH|CC_DOT, 0);
+ return len > 0 && len <= 255 && string_class(addr, CC_ALNUM | CC_DASH | CC_DOT, 0);
}
else
{
@@ -859,7 +804,7 @@
while ((c = *p++))
{
- if ( (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F') )
+ if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F'))
{
++nnum;
if (nnum > 2)
@@ -890,8 +835,7 @@
socklen_t len;
len = sizeof(val);
- if (getsockopt(sd, SOL_SOCKET, SO_SNDBUF, (void *) &val, &len) == 0
- && len == sizeof(val))
+ if (getsockopt(sd, SOL_SOCKET, SO_SNDBUF, (void *)&val, &len) == 0 && len == sizeof(val))
{
return val;
}
@@ -903,7 +847,7 @@
socket_set_sndbuf(socket_descriptor_t sd, int size)
{
#if defined(SOL_SOCKET) && defined(SO_SNDBUF)
- if (setsockopt(sd, SOL_SOCKET, SO_SNDBUF, (void *) &size, sizeof(size)) != 0)
+ if (setsockopt(sd, SOL_SOCKET, SO_SNDBUF, (void *)&size, sizeof(size)) != 0)
{
msg(M_WARN, "NOTE: setsockopt SO_SNDBUF=%d failed", size);
}
@@ -918,8 +862,7 @@
socklen_t len;
len = sizeof(val);
- if (getsockopt(sd, SOL_SOCKET, SO_RCVBUF, (void *) &val, &len) == 0
- && len == sizeof(val))
+ if (getsockopt(sd, SOL_SOCKET, SO_RCVBUF, (void *)&val, &len) == 0 && len == sizeof(val))
{
return val;
}
@@ -931,7 +874,7 @@
socket_set_rcvbuf(socket_descriptor_t sd, int size)
{
#if defined(SOL_SOCKET) && defined(SO_RCVBUF)
- if (setsockopt(sd, SOL_SOCKET, SO_RCVBUF, (void *) &size, sizeof(size)) != 0)
+ if (setsockopt(sd, SOL_SOCKET, SO_RCVBUF, (void *)&size, sizeof(size)) != 0)
{
msg(M_WARN, "NOTE: setsockopt SO_RCVBUF=%d failed", size);
return false;
@@ -941,31 +884,25 @@
}
void
-socket_set_buffers(socket_descriptor_t fd, const struct socket_buffer_size *sbs,
- bool reduce_size)
+socket_set_buffers(socket_descriptor_t fd, const struct socket_buffer_size *sbs, bool reduce_size)
{
if (sbs)
{
const int sndbuf_old = socket_get_sndbuf(fd);
const int rcvbuf_old = socket_get_rcvbuf(fd);
- if (sbs->sndbuf
- && (reduce_size || sndbuf_old < sbs->sndbuf))
+ if (sbs->sndbuf && (reduce_size || sndbuf_old < sbs->sndbuf))
{
socket_set_sndbuf(fd, sbs->sndbuf);
}
- if (sbs->rcvbuf
- && (reduce_size || rcvbuf_old < sbs->rcvbuf))
+ if (sbs->rcvbuf && (reduce_size || rcvbuf_old < sbs->rcvbuf))
{
socket_set_rcvbuf(fd, sbs->rcvbuf);
}
- msg(D_OSBUF, "Socket Buffers: R=[%d->%d] S=[%d->%d]",
- rcvbuf_old,
- socket_get_rcvbuf(fd),
- sndbuf_old,
- socket_get_sndbuf(fd));
+ msg(D_OSBUF, "Socket Buffers: R=[%d->%d] S=[%d->%d]", rcvbuf_old, socket_get_rcvbuf(fd),
+ sndbuf_old, socket_get_sndbuf(fd));
}
}
@@ -977,7 +914,7 @@
socket_set_tcp_nodelay(socket_descriptor_t sd, int state)
{
#if defined(_WIN32) || (defined(IPPROTO_TCP) && defined(TCP_NODELAY))
- if (setsockopt(sd, IPPROTO_TCP, TCP_NODELAY, (void *) &state, sizeof(state)) != 0)
+ if (setsockopt(sd, IPPROTO_TCP, TCP_NODELAY, (void *)&state, sizeof(state)) != 0)
{
msg(M_WARN, "NOTE: setsockopt TCP_NODELAY=%d failed", state);
return false;
@@ -987,7 +924,7 @@
dmsg(D_OSBUF, "Socket flags: TCP_NODELAY=%d succeeded", state);
return true;
}
-#else /* if defined(_WIN32) || (defined(IPPROTO_TCP) && defined(TCP_NODELAY)) */
+#else /* if defined(_WIN32) || (defined(IPPROTO_TCP) && defined(TCP_NODELAY)) */
msg(M_WARN, "NOTE: setsockopt TCP_NODELAY=%d failed (No kernel support)", state);
return false;
#endif
@@ -997,7 +934,7 @@
socket_set_mark(socket_descriptor_t sd, int mark)
{
#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
- if (mark && setsockopt(sd, SOL_SOCKET, SO_MARK, (void *) &mark, sizeof(mark)) != 0)
+ if (mark && setsockopt(sd, SOL_SOCKET, SO_MARK, (void *)&mark, sizeof(mark)) != 0)
{
msg(M_WARN, "NOTE: setsockopt SO_MARK=%d failed", mark);
}
@@ -1065,8 +1002,7 @@
/* set SO_REUSEADDR on socket */
{
int on = 1;
- if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR,
- (void *) &on, sizeof(on)) < 0)
+ if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)) < 0)
{
msg(M_ERR, "TCP: Cannot setsockopt SO_REUSEADDR on TCP socket");
}
@@ -1099,31 +1035,29 @@
if (addrinfo->ai_family == AF_INET)
{
#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
- if (setsockopt(sd, SOL_IP, IP_PKTINFO,
- (void *)&pad, sizeof(pad)) < 0)
+ if (setsockopt(sd, SOL_IP, IP_PKTINFO, (void *)&pad, sizeof(pad)) < 0)
{
msg(M_ERR, "UDP: failed setsockopt for IP_PKTINFO");
}
#elif defined(IP_RECVDSTADDR)
- if (setsockopt(sd, IPPROTO_IP, IP_RECVDSTADDR,
- (void *)&pad, sizeof(pad)) < 0)
+ if (setsockopt(sd, IPPROTO_IP, IP_RECVDSTADDR, (void *)&pad, sizeof(pad)) < 0)
{
msg(M_ERR, "UDP: failed setsockopt for IP_RECVDSTADDR");
}
-#else /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */
+#else /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */
#error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h)
#endif
}
else if (addrinfo->ai_family == AF_INET6)
{
#ifndef IPV6_RECVPKTINFO /* Some older Darwin platforms require this */
- if (setsockopt(sd, IPPROTO_IPV6, IPV6_PKTINFO,
- (void *)&pad, sizeof(pad)) < 0)
+ if (setsockopt(sd, IPPROTO_IPV6, IPV6_PKTINFO, (void *)&pad, sizeof(pad)) < 0)
#else
- if (setsockopt(sd, IPPROTO_IPV6, IPV6_RECVPKTINFO,
- (void *)&pad, sizeof(pad)) < 0)
+ if (setsockopt(sd, IPPROTO_IPV6, IPV6_RECVPKTINFO, (void *)&pad, sizeof(pad)) < 0)
#endif
- { msg(M_ERR, "UDP: failed setsockopt for IPV6_RECVPKTINFO");}
+ {
+ msg(M_ERR, "UDP: failed setsockopt for IPV6_RECVPKTINFO");
+ }
}
}
#endif /* if ENABLE_IP_PKTINFO */
@@ -1143,14 +1077,12 @@
{
if (sock->socks_proxy && sock->info.proto == PROTO_UDP)
{
- socket_bind(sock->ctrl_sd, sock->info.lsa->bind_local,
- ai_family, "SOCKS", false);
+ socket_bind(sock->ctrl_sd, sock->info.lsa->bind_local, ai_family, "SOCKS", false);
}
else
{
- socket_bind(sock->sd, sock->info.lsa->bind_local,
- ai_family,
- "TCP/UDP", sock->info.bind_ipv6_only);
+ socket_bind(sock->sd, sock->info.lsa->bind_local, ai_family, "TCP/UDP",
+ sock->info.bind_ipv6_only);
}
}
}
@@ -1198,11 +1130,12 @@
if (sock->bind_dev)
{
msg(M_INFO, "Using bind-dev %s", sock->bind_dev);
- if (setsockopt(sock->sd, SOL_SOCKET, SO_BINDTODEVICE, sock->bind_dev, strlen(sock->bind_dev) + 1) != 0)
+ if (setsockopt(sock->sd, SOL_SOCKET, SO_BINDTODEVICE, sock->bind_dev,
+ strlen(sock->bind_dev) + 1)
+ != 0)
{
- msg(M_WARN|M_ERRNO, "WARN: setsockopt SO_BINDTODEVICE=%s failed", sock->bind_dev);
+ msg(M_WARN | M_ERRNO, "WARN: setsockopt SO_BINDTODEVICE=%s failed", sock->bind_dev);
}
-
}
#endif
@@ -1237,9 +1170,7 @@
* Functions used for establishing a TCP stream connection.
*/
static void
-socket_do_listen(socket_descriptor_t sd,
- const struct addrinfo *local,
- bool do_listen,
+socket_do_listen(socket_descriptor_t sd, const struct addrinfo *local, bool do_listen,
bool do_set_nonblock)
{
struct gc_arena gc = gc_new();
@@ -1264,9 +1195,7 @@
}
socket_descriptor_t
-socket_do_accept(socket_descriptor_t sd,
- struct link_socket_actual *act,
- const bool nowait)
+socket_do_accept(socket_descriptor_t sd, struct link_socket_actual *act, const bool nowait)
{
/* af_addr_size WILL return 0 in this case if AFs other than AF_INET
* are compiled because act is empty here.
@@ -1314,7 +1243,8 @@
/* only valid if we have remote_len_af!=0 */
else if (remote_len_af && remote_len != remote_len_af)
{
- msg(D_LINK_ERRORS, "TCP: Received strange incoming connection with unknown address length=%d", remote_len);
+ msg(D_LINK_ERRORS,
+ "TCP: Received strange incoming connection with unknown address length=%d", remote_len);
openvpn_close_socket(new_sd);
new_sd = SOCKET_UNDEFINED;
}
@@ -1331,19 +1261,14 @@
tcp_connection_established(const struct link_socket_actual *act)
{
struct gc_arena gc = gc_new();
- msg(M_INFO, "TCP connection established with %s",
- print_link_socket_actual(act, &gc));
+ msg(M_INFO, "TCP connection established with %s", print_link_socket_actual(act, &gc));
gc_free(&gc);
}
static socket_descriptor_t
-socket_listen_accept(socket_descriptor_t sd,
- struct link_socket_actual *act,
- const char *remote_dynamic,
- const struct addrinfo *local,
- bool do_listen,
- bool nowait,
- volatile int *signal_received)
+socket_listen_accept(socket_descriptor_t sd, struct link_socket_actual *act,
+ const char *remote_dynamic, const struct addrinfo *local, bool do_listen,
+ bool nowait, volatile int *signal_received)
{
struct gc_arena gc = gc_new();
/* struct openvpn_sockaddr *remote = &act->dest; */
@@ -1397,8 +1322,7 @@
if (ai && !addrlist_match(&remote_verify, ai))
{
- msg(M_WARN,
- "TCP NOTE: Rejected connection attempt from %s due to --remote setting",
+ msg(M_WARN, "TCP NOTE: Rejected connection attempt from %s due to --remote setting",
print_link_socket_actual(act, &gc));
if (openvpn_close_socket(new_sd))
{
@@ -1430,10 +1354,7 @@
}
void
-socket_bind(socket_descriptor_t sd,
- struct addrinfo *local,
- int ai_family,
- const char *prefix,
+socket_bind(socket_descriptor_t sd, struct addrinfo *local, int ai_family, const char *prefix,
bool ipv6only)
{
struct gc_arena gc = gc_new();
@@ -1460,33 +1381,30 @@
}
if (!cur)
{
- msg(M_FATAL, "%s: Socket bind failed: Addr to bind has no %s record",
- prefix, addr_family_name(ai_family));
+ msg(M_FATAL, "%s: Socket bind failed: Addr to bind has no %s record", prefix,
+ addr_family_name(ai_family));
}
if (ai_family == AF_INET6)
{
- int v6only = ipv6only ? 1 : 0; /* setsockopt must have an "int" */
+ int v6only = ipv6only ? 1 : 0; /* setsockopt must have an "int" */
msg(M_INFO, "setsockopt(IPV6_V6ONLY=%d)", v6only);
- if (setsockopt(sd, IPPROTO_IPV6, IPV6_V6ONLY, (void *) &v6only, sizeof(v6only)))
+ if (setsockopt(sd, IPPROTO_IPV6, IPV6_V6ONLY, (void *)&v6only, sizeof(v6only)))
{
- msg(M_NONFATAL|M_ERRNO, "Setting IPV6_V6ONLY=%d failed", v6only);
+ msg(M_NONFATAL | M_ERRNO, "Setting IPV6_V6ONLY=%d failed", v6only);
}
}
if (bind(sd, cur->ai_addr, cur->ai_addrlen))
{
- msg(M_FATAL | M_ERRNO, "%s: Socket bind failed on local address %s",
- prefix,
+ msg(M_FATAL | M_ERRNO, "%s: Socket bind failed on local address %s", prefix,
print_sockaddr_ex(local->ai_addr, ":", PS_SHOW_PORT, &gc));
}
gc_free(&gc);
}
int
-openvpn_connect(socket_descriptor_t sd,
- const struct sockaddr *remote,
- int connect_timeout,
+openvpn_connect(socket_descriptor_t sd, const struct sockaddr *remote, int connect_timeout,
volatile int *signal_received)
{
int status = 0;
@@ -1506,7 +1424,7 @@
#else
status == EINPROGRESS
#endif
- )
+ )
{
while (true)
{
@@ -1561,7 +1479,7 @@
socklen_t len;
len = sizeof(val);
- if (getsockopt(sd, SOL_SOCKET, SO_ERROR, (void *) &val, &len) == 0
+ if (getsockopt(sd, SOL_SOCKET, SO_ERROR, (void *)&val, &len) == 0
&& len == sizeof(val))
{
status = val;
@@ -1586,43 +1504,31 @@
if (ai->ai_family == AF_INET)
{
- actual->dest.addr.in4 =
- *((struct sockaddr_in *) ai->ai_addr);
+ actual->dest.addr.in4 = *((struct sockaddr_in *)ai->ai_addr);
}
else if (ai->ai_family == AF_INET6)
{
- actual->dest.addr.in6 =
- *((struct sockaddr_in6 *) ai->ai_addr);
+ actual->dest.addr.in6 = *((struct sockaddr_in6 *)ai->ai_addr);
}
else
{
ASSERT(0);
}
-
}
static void
-socket_connect(socket_descriptor_t *sd,
- const struct sockaddr *dest,
- const int connect_timeout,
+socket_connect(socket_descriptor_t *sd, const struct sockaddr *dest, const int connect_timeout,
struct signal_info *sig_info)
{
struct gc_arena gc = gc_new();
int status;
- msg(M_INFO, "Attempting to establish TCP connection with %s",
- print_sockaddr(dest, &gc));
+ msg(M_INFO, "Attempting to establish TCP connection with %s", print_sockaddr(dest, &gc));
#ifdef ENABLE_MANAGEMENT
if (management)
{
- management_set_state(management,
- OPENVPN_STATE_TCP_CONNECT,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL);
+ management_set_state(management, OPENVPN_STATE_TCP_CONNECT, NULL, NULL, NULL, NULL, NULL);
}
#endif
@@ -1637,9 +1543,8 @@
if (status)
{
-
- msg(D_LINK_ERRORS, "TCP: connect to %s failed: %s",
- print_sockaddr(dest, &gc), strerror(status));
+ msg(D_LINK_ERRORS, "TCP: connect to %s failed: %s", print_sockaddr(dest, &gc),
+ strerror(status));
openvpn_close_socket(*sd);
*sd = SOCKET_UNDEFINED;
@@ -1647,8 +1552,7 @@
}
else
{
- msg(M_INFO, "TCP connection established with %s",
- print_sockaddr(dest, &gc));
+ msg(M_INFO, "TCP connection established with %s", print_sockaddr(dest, &gc));
}
done:
@@ -1661,15 +1565,12 @@
* such as TCP.
*/
-static void
-stream_buf_init(struct stream_buf *sb, struct buffer *buf,
- const unsigned int sockflags, const int proto);
+static void stream_buf_init(struct stream_buf *sb, struct buffer *buf, const unsigned int sockflags,
+ const int proto);
-static void
-stream_buf_close(struct stream_buf *sb);
+static void stream_buf_close(struct stream_buf *sb);
-static bool
-stream_buf_added(struct stream_buf *sb, int length_added);
+static bool stream_buf_added(struct stream_buf *sb, int length_added);
/* For stream protocols, allocate a buffer to build up packet.
* Called after frame has been finalized. */
@@ -1687,16 +1588,12 @@
if (link_socket_connection_oriented(sock))
{
#ifdef _WIN32
- stream_buf_init(&sock->stream_buf,
- &sock->reads.buf_init,
- sock->sockflags,
+ stream_buf_init(&sock->stream_buf, &sock->reads.buf_init, sock->sockflags,
sock->info.proto);
#else
alloc_buf_sock_tun(&sock->stream_buf_data, frame);
- stream_buf_init(&sock->stream_buf,
- &sock->stream_buf_data,
- sock->sockflags,
+ stream_buf_init(&sock->stream_buf, &sock->stream_buf_data, sock->sockflags,
sock->info.proto);
#endif
}
@@ -1710,8 +1607,7 @@
/* resolve local address if undefined */
if (!sock->info.lsa->bind_local)
{
- int flags = GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL
- |GETADDR_FATAL | GETADDR_PASSIVE;
+ int flags = GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL | GETADDR_FATAL | GETADDR_PASSIVE;
int status;
if (proto_is_dgram(sock->info.proto))
@@ -1720,24 +1616,19 @@
}
/* will return AF_{INET|INET6}from local_host */
- status = get_cached_dns_entry(sock->dns_cache,
- sock->local_host,
- sock->local_port,
- af,
- flags,
- &sock->info.lsa->bind_local);
+ status = get_cached_dns_entry(sock->dns_cache, sock->local_host, sock->local_port, af,
+ flags, &sock->info.lsa->bind_local);
if (status)
{
- status = openvpn_getaddrinfo(flags, sock->local_host, sock->local_port, 0,
- NULL, af, &sock->info.lsa->bind_local);
+ status = openvpn_getaddrinfo(flags, sock->local_host, sock->local_port, 0, NULL, af,
+ &sock->info.lsa->bind_local);
}
- if (status !=0)
+ if (status != 0)
{
- msg(M_FATAL, "getaddrinfo() failed for local \"%s:%s\": %s",
- sock->local_host, sock->local_port,
- gai_strerror(status));
+ msg(M_FATAL, "getaddrinfo() failed for local \"%s:%s\": %s", sock->local_host,
+ sock->local_port, gai_strerror(status));
}
/* the address family returned by openvpn_getaddrinfo() should be
@@ -1759,9 +1650,7 @@
}
static void
-resolve_remote(struct link_socket *sock,
- int phase,
- const char **remote_dynamic,
+resolve_remote(struct link_socket *sock, int phase, const char **remote_dynamic,
struct signal_info *sig_info)
{
volatile int *signal_received = sig_info ? &sig_info->signal_received : NULL;
@@ -1772,7 +1661,8 @@
{
if (sock->remote_host)
{
- unsigned int flags = sf2gaf(GETADDR_RESOLVE|GETADDR_UPDATE_MANAGEMENT_STATE, sock->sockflags);
+ unsigned int flags =
+ sf2gaf(GETADDR_RESOLVE | GETADDR_UPDATE_MANAGEMENT_STATE, sock->sockflags);
int retry = 0;
int status = -1;
struct addrinfo *ai;
@@ -1819,15 +1709,12 @@
}
- status = get_cached_dns_entry(sock->dns_cache,
- sock->remote_host,
- sock->remote_port,
- sock->info.af,
- flags, &ai);
+ status = get_cached_dns_entry(sock->dns_cache, sock->remote_host, sock->remote_port,
+ sock->info.af, flags, &ai);
if (status)
{
- status = openvpn_getaddrinfo(flags, sock->remote_host, sock->remote_port,
- retry, sig_info, sock->info.af, &ai);
+ status = openvpn_getaddrinfo(flags, sock->remote_host, sock->remote_port, retry,
+ sig_info, sock->info.af, &ai);
}
if (status == 0)
@@ -1835,19 +1722,14 @@
sock->info.lsa->remote_list = ai;
sock->info.lsa->current_remote = ai;
- dmsg(D_SOCKET_DEBUG,
- "RESOLVE_REMOTE flags=0x%04x phase=%d rrs=%d sig=%d status=%d",
- flags,
- phase,
- retry,
- signal_received ? *signal_received : -1,
- status);
+ dmsg(D_SOCKET_DEBUG, "RESOLVE_REMOTE flags=0x%04x phase=%d rrs=%d sig=%d status=%d",
+ flags, phase, retry, signal_received ? *signal_received : -1, status);
}
if (signal_received && *signal_received)
{
goto done;
}
- if (status!=0)
+ if (status != 0)
{
if (signal_received)
{
@@ -1874,8 +1756,7 @@
CLEAR(sock->info.lsa->actual);
if (sock->info.lsa->current_remote)
{
- set_actual_address(&sock->info.lsa->actual,
- sock->info.lsa->current_remote);
+ set_actual_address(&sock->info.lsa->actual, sock->info.lsa->current_remote);
}
}
@@ -1884,7 +1765,6 @@
}
-
struct link_socket *
link_socket_new(void)
{
@@ -2077,8 +1957,7 @@
}
ASSERT(cur);
msg(msglevel, "%s link local (bound): %s",
- proto2ascii(sock->info.proto, sock->info.af, true),
- print_sockaddr(cur->ai_addr, &gc));
+ proto2ascii(sock->info.proto, sock->info.af, true), print_sockaddr(cur->ai_addr, &gc));
}
else
{
@@ -2087,12 +1966,8 @@
}
/* print active remote address */
- msg(msglevel, "%s link remote: %s",
- proto2ascii(sock->info.proto, sock->info.af, true),
- print_link_socket_actual_ex(&sock->info.lsa->actual,
- ":",
- PS_SHOW_PORT_IF_DEFINED,
- &gc));
+ msg(msglevel, "%s link remote: %s", proto2ascii(sock->info.proto, sock->info.af, true),
+ print_link_socket_actual_ex(&sock->info.lsa->actual, ":", PS_SHOW_PORT_IF_DEFINED, &gc));
gc_free(&gc);
}
@@ -2105,26 +1980,17 @@
switch (sock->mode)
{
case LS_MODE_DEFAULT:
- sock->sd = socket_listen_accept(sock->sd,
- &sock->info.lsa->actual,
- remote_dynamic,
- sock->info.lsa->bind_local,
- true,
- false,
- signal_received);
+ sock->sd =
+ socket_listen_accept(sock->sd, &sock->info.lsa->actual, remote_dynamic,
+ sock->info.lsa->bind_local, true, false, signal_received);
break;
case LS_MODE_TCP_LISTEN:
- socket_do_listen(sock->sd,
- sock->info.lsa->bind_local,
- true,
- false);
+ socket_do_listen(sock->sd, sock->info.lsa->bind_local, true, false);
break;
case LS_MODE_TCP_ACCEPT_FROM:
- sock->sd = socket_do_accept(sock->sd,
- &sock->info.lsa->actual,
- false);
+ sock->sd = socket_do_accept(sock->sd, &sock->info.lsa->actual, false);
if (!socket_defined(sock->sd))
{
register_signal(sig_info, SIGTERM, "socket-undefined");
@@ -2145,10 +2011,8 @@
bool proxy_retry = false;
do
{
- socket_connect(&sock->sd,
- sock->info.lsa->current_remote->ai_addr,
- get_server_poll_remaining_time(sock->server_poll_timeout),
- sig_info);
+ socket_connect(&sock->sd, sock->info.lsa->current_remote->ai_addr,
+ get_server_poll_remaining_time(sock->server_poll_timeout), sig_info);
if (sig_info->signal_received)
{
@@ -2157,21 +2021,14 @@
if (sock->http_proxy)
{
- proxy_retry = establish_http_proxy_passthru(sock->http_proxy,
- sock->sd,
- sock->proxy_dest_host,
- sock->proxy_dest_port,
- sock->server_poll_timeout,
- &sock->stream_buf.residual,
- sig_info);
+ proxy_retry = establish_http_proxy_passthru(
+ sock->http_proxy, sock->sd, sock->proxy_dest_host, sock->proxy_dest_port,
+ sock->server_poll_timeout, &sock->stream_buf.residual, sig_info);
}
else if (sock->socks_proxy)
{
- establish_socks_proxy_passthru(sock->socks_proxy,
- sock->sd,
- sock->proxy_dest_host,
- sock->proxy_dest_port,
- sock->server_poll_timeout,
+ establish_socks_proxy_passthru(sock->socks_proxy, sock->sd, sock->proxy_dest_host,
+ sock->proxy_dest_port, sock->server_poll_timeout,
sig_info);
}
if (proxy_retry)
@@ -2181,27 +2038,21 @@
}
} while (proxy_retry);
-
}
static void
phase2_socks_client(struct link_socket *sock, struct signal_info *sig_info)
{
- socket_connect(&sock->ctrl_sd,
- sock->info.lsa->current_remote->ai_addr,
- get_server_poll_remaining_time(sock->server_poll_timeout),
- sig_info);
+ socket_connect(&sock->ctrl_sd, sock->info.lsa->current_remote->ai_addr,
+ get_server_poll_remaining_time(sock->server_poll_timeout), sig_info);
if (sig_info->signal_received)
{
return;
}
- establish_socks_proxy_udpassoc(sock->socks_proxy,
- sock->ctrl_sd,
- &sock->socks_relay.dest,
- sock->server_poll_timeout,
- sig_info);
+ establish_socks_proxy_udpassoc(sock->socks_proxy, sock->ctrl_sd, &sock->socks_relay.dest,
+ sock->server_poll_timeout, sig_info);
if (sig_info->signal_received)
{
@@ -2224,8 +2075,7 @@
#if defined(_WIN32)
static void
-create_socket_dco_win(struct context *c, struct link_socket *sock,
- struct signal_info *sig_info)
+create_socket_dco_win(struct context *c, struct link_socket *sock, struct signal_info *sig_info)
{
/* in P2P mode we must have remote resolved at this point */
struct addrinfo *remoteaddr = sock->info.lsa->current_remote;
@@ -2273,14 +2123,13 @@
/* finalize socket initialization */
void
-link_socket_init_phase2(struct context *c,
- struct link_socket *sock)
+link_socket_init_phase2(struct context *c, struct link_socket *sock)
{
const struct frame *frame = &c->c2.frame;
struct signal_info *sig_info = c->sig;
const char *remote_dynamic = NULL;
- struct signal_info sig_save = {0};
+ struct signal_info sig_save = { 0 };
ASSERT(sock);
ASSERT(sig_info);
@@ -2305,7 +2154,7 @@
}
/* Second chance to resolv/create socket */
- resolve_remote(sock, 2, &remote_dynamic, sig_info);
+ resolve_remote(sock, 2, &remote_dynamic, sig_info);
/* If a valid remote has been found, create the socket with its addrinfo */
#if defined(_WIN32)
@@ -2326,7 +2175,7 @@
/* If we have no --remote and have still not figured out the
* protocol family to use we will use the first of the bind */
- if (sock->bind_local && !sock->remote_host && sock->info.lsa->bind_local)
+ if (sock->bind_local && !sock->remote_host && sock->info.lsa->bind_local)
{
/* Warn if this is because neither v4 or v6 was specified
* and we should not connect a remote */
@@ -2360,7 +2209,6 @@
else if (sock->info.proto == PROTO_TCP_CLIENT)
{
phase2_tcp_client(sock, sig_info);
-
}
else if (sock->info.proto == PROTO_UDP && sock->socks_proxy)
{
@@ -2454,7 +2302,8 @@
}
static void
-ipchange_fmt(const bool include_cmd, struct argv *argv, const struct link_socket_info *info, struct gc_arena *gc)
+ipchange_fmt(const bool include_cmd, struct argv *argv, const struct link_socket_info *info,
+ struct gc_arena *gc)
{
const char *host = print_sockaddr_ex(&info->lsa->actual.dest.addr.sa, " ", PS_SHOW_PORT, gc);
if (include_cmd)
@@ -2466,13 +2315,11 @@
{
argv_printf(argv, "%s", host);
}
-
}
void
link_socket_connection_initiated(struct link_socket_info *info,
- const struct link_socket_actual *act,
- const char *common_name,
+ const struct link_socket_actual *act, const char *common_name,
struct env_set *es)
{
struct gc_arena gc = gc_new();
@@ -2488,7 +2335,8 @@
{
buf_printf(&out, "[%s] ", common_name);
}
- buf_printf(&out, "Peer Connection Initiated with %s", print_link_socket_actual(&info->lsa->actual, &gc));
+ buf_printf(&out, "Peer Connection Initiated with %s",
+ print_link_socket_actual(&info->lsa->actual, &gc));
msg(M_INFO, "%s", BSTR(&out));
}
@@ -2500,7 +2348,8 @@
{
struct argv argv = argv_new();
ipchange_fmt(false, &argv, info, &gc);
- if (plugin_call(info->plugins, OPENVPN_PLUGIN_IPCHANGE, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
+ if (plugin_call(info->plugins, OPENVPN_PLUGIN_IPCHANGE, &argv, NULL, es)
+ != OPENVPN_PLUGIN_FUNC_SUCCESS)
{
msg(M_WARN, "WARNING: ipchange plugin call failed");
}
@@ -2521,8 +2370,7 @@
}
void
-link_socket_bad_incoming_addr(struct buffer *buf,
- const struct link_socket_info *info,
+link_socket_bad_incoming_addr(struct buffer *buf, const struct link_socket_info *info,
const struct link_socket_actual *from_addr)
{
struct gc_arena gc = gc_new();
@@ -2534,8 +2382,7 @@
case AF_INET6:
msg(D_LINK_ERRORS,
"TCP/UDP: Incoming packet rejected from %s[%d], expected peer address: %s (allow this incoming source address/port by removing --remote or adding --float)",
- print_link_socket_actual(from_addr, &gc),
- (int)from_addr->dest.addr.sa.sa_family,
+ print_link_socket_actual(from_addr, &gc), (int)from_addr->dest.addr.sa.sa_family,
print_sockaddr_ex(info->lsa->remote_list->ai_addr, ":", PS_SHOW_PORT, &gc));
/* print additional remote addresses */
for (ai = info->lsa->remote_list->ai_next; ai; ai = ai->ai_next)
@@ -2560,16 +2407,16 @@
{
const struct link_socket_addr *lsa = info->lsa;
-/*
- * This logic supports "redirect-gateway" semantic, which
- * makes sense only for PF_INET routes over PF_INET endpoints
- *
- * Maybe in the future consider PF_INET6 endpoints also ...
- * by now just ignore it
- *
- * For --remote entries with multiple addresses this
- * only return the actual endpoint we have successfully connected to
- */
+ /*
+ * This logic supports "redirect-gateway" semantic, which
+ * makes sense only for PF_INET routes over PF_INET endpoints
+ *
+ * Maybe in the future consider PF_INET6 endpoints also ...
+ * by now just ignore it
+ *
+ * For --remote entries with multiple addresses this
+ * only return the actual endpoint we have successfully connected to
+ */
if (lsa->actual.dest.addr.sa.sa_family != AF_INET)
{
return IPV4_INVALID_ADDR;
@@ -2581,8 +2428,7 @@
}
else if (lsa->current_remote)
{
- return ntohl(((struct sockaddr_in *)lsa->current_remote->ai_addr)
- ->sin_addr.s_addr);
+ return ntohl(((struct sockaddr_in *)lsa->current_remote->ai_addr)->sin_addr.s_addr);
}
else
{
@@ -2595,12 +2441,12 @@
{
const struct link_socket_addr *lsa = info->lsa;
-/* This logic supports "redirect-gateway" semantic,
- * for PF_INET6 routes over PF_INET6 endpoints
- *
- * For --remote entries with multiple addresses this
- * only return the actual endpoint we have successfully connected to
- */
+ /* This logic supports "redirect-gateway" semantic,
+ * for PF_INET6 routes over PF_INET6 endpoints
+ *
+ * For --remote entries with multiple addresses this
+ * only return the actual endpoint we have successfully connected to
+ */
if (lsa->actual.dest.addr.sa.sa_family != AF_INET6)
{
return NULL;
@@ -2631,20 +2477,16 @@
{
if (rwflags & EVENT_READ)
{
- buf_printf(&out, "S%s",
- (s->rwflags_debug & EVENT_READ) ? "R" : "r");
+ buf_printf(&out, "S%s", (s->rwflags_debug & EVENT_READ) ? "R" : "r");
#ifdef _WIN32
- buf_printf(&out, "%s",
- overlapped_io_state_ascii(&s->reads));
+ buf_printf(&out, "%s", overlapped_io_state_ascii(&s->reads));
#endif
}
if (rwflags & EVENT_WRITE)
{
- buf_printf(&out, "S%s",
- (s->rwflags_debug & EVENT_WRITE) ? "W" : "w");
+ buf_printf(&out, "S%s", (s->rwflags_debug & EVENT_WRITE) ? "W" : "w");
#ifdef _WIN32
- buf_printf(&out, "%s",
- overlapped_io_state_ascii(&s->writes));
+ buf_printf(&out, "%s", overlapped_io_state_ascii(&s->writes));
#endif
}
}
@@ -2671,9 +2513,7 @@
}
static void
-stream_buf_init(struct stream_buf *sb,
- struct buffer *buf,
- const unsigned int sockflags,
+stream_buf_init(struct stream_buf *sb, struct buffer *buf, const unsigned int sockflags,
const int proto)
{
sb->buf_init = *buf;
@@ -2682,9 +2522,8 @@
sb->residual = alloc_buf(sb->maxlen);
sb->error = false;
#if PORT_SHARE
- sb->port_share_state = ((sockflags & SF_PORT_SHARE) && (proto == PROTO_TCP_SERVER))
- ? PS_ENABLED
- : PS_DISABLED;
+ sb->port_share_state =
+ ((sockflags & SF_PORT_SHARE) && (proto == PROTO_TCP_SERVER)) ? PS_ENABLED : PS_DISABLED;
#endif
stream_buf_reset(sb);
@@ -2699,9 +2538,7 @@
sb->next.offset = sb->buf.offset + sb->buf.len;
sb->next.len = (sb->len >= 0 ? sb->len : sb->maxlen) - sb->buf.len;
dmsg(D_STREAM_DEBUG, "STREAM: SET NEXT, buf=[%d,%d] next=[%d,%d] len=%d maxlen=%d",
- sb->buf.offset, sb->buf.len,
- sb->next.offset, sb->next.len,
- sb->len, sb->maxlen);
+ sb->buf.offset, sb->buf.len, sb->next.offset, sb->next.len, sb->len, sb->maxlen);
ASSERT(sb->next.len > 0);
ASSERT(buf_safe(&sb->buf, sb->next.len));
}
@@ -2709,8 +2546,7 @@
static inline void
stream_buf_get_final(struct stream_buf *sb, struct buffer *buf)
{
- dmsg(D_STREAM_DEBUG, "STREAM: GET FINAL len=%d",
- buf_defined(&sb->buf) ? sb->buf.len : -1);
+ dmsg(D_STREAM_DEBUG, "STREAM: GET FINAL len=%d", buf_defined(&sb->buf) ? sb->buf.len : -1);
ASSERT(buf_defined(&sb->buf));
*buf = sb->buf;
}
@@ -2718,8 +2554,7 @@
static inline void
stream_buf_get_next(struct stream_buf *sb, struct buffer *buf)
{
- dmsg(D_STREAM_DEBUG, "STREAM: GET NEXT len=%d",
- buf_defined(&sb->next) ? sb->next.len : -1);
+ dmsg(D_STREAM_DEBUG, "STREAM: GET NEXT len=%d", buf_defined(&sb->next) ? sb->next.len : -1);
ASSERT(buf_defined(&sb->next));
*buf = sb->next;
}
@@ -2733,8 +2568,7 @@
ASSERT(buf_init(&sock->stream_buf.residual, 0));
sock->stream_buf.residual_fully_formed = stream_buf_added(&sock->stream_buf, 0);
dmsg(D_STREAM_DEBUG, "STREAM: RESIDUAL FULLY FORMED [%s], len=%d",
- sock->stream_buf.residual_fully_formed ? "YES" : "NO",
- sock->stream_buf.residual.len);
+ sock->stream_buf.residual_fully_formed ? "YES" : "NO", sock->stream_buf.residual.len);
}
if (!sock->stream_buf.residual_fully_formed)
@@ -2745,8 +2579,7 @@
}
static bool
-stream_buf_added(struct stream_buf *sb,
- int length_added)
+stream_buf_added(struct stream_buf *sb, int length_added)
{
dmsg(D_STREAM_DEBUG, "STREAM: ADD length_added=%d", length_added);
if (length_added > 0)
@@ -2756,7 +2589,7 @@
/* if length unknown, see if we can get the length prefix from
* the head of the buffer */
- if (sb->len < 0 && sb->buf.len >= (int) sizeof(packet_size_type))
+ if (sb->len < 0 && sb->buf.len >= (int)sizeof(packet_size_type))
{
packet_size_type net_size;
@@ -2782,7 +2615,9 @@
if (sb->len < 1 || sb->len > sb->maxlen)
{
- msg(M_WARN, "WARNING: Bad encapsulated packet length from peer (%d), which must be > 0 and <= %d -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]", sb->len, sb->maxlen);
+ msg(M_WARN,
+ "WARNING: Bad encapsulated packet length from peer (%d), which must be > 0 and <= %d -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]",
+ sb->len, sb->maxlen);
stream_buf_reset(sb);
sb->error = true;
return false;
@@ -2799,8 +2634,7 @@
ASSERT(buf_copy_excess(&sb->residual, &sb->buf, sb->len));
}
dmsg(D_STREAM_DEBUG, "STREAM: ADD returned TRUE, buf_len=%d, residual_len=%d",
- BLEN(&sb->buf),
- BLEN(&sb->residual));
+ BLEN(&sb->buf), BLEN(&sb->residual));
return true;
}
else
@@ -2831,7 +2665,7 @@
init_net_event_win32(&s->listen_handle, FD_ACCEPT, s->sd, 0);
}
return &s->listen_handle;
-#else /* ifdef _WIN32 */
+#else /* ifdef _WIN32 */
return s->sd;
#endif
}
@@ -2841,9 +2675,7 @@
*/
const char *
-print_sockaddr_ex(const struct sockaddr *sa,
- const char *separator,
- const unsigned int flags,
+print_sockaddr_ex(const struct sockaddr *sa, const char *separator, const unsigned int flags,
struct gc_arena *gc)
{
struct buffer out = alloc_buf_gc(128, gc);
@@ -2861,7 +2693,7 @@
buf_puts(&out, "[AF_INET]");
}
salen = sizeof(struct sockaddr_in);
- addr_is_defined = ((struct sockaddr_in *) sa)->sin_addr.s_addr != 0;
+ addr_is_defined = ((struct sockaddr_in *)sa)->sin_addr.s_addr != 0;
break;
case AF_INET6:
@@ -2870,7 +2702,7 @@
buf_puts(&out, "[AF_INET6]");
}
salen = sizeof(struct sockaddr_in6);
- addr_is_defined = !IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *) sa)->sin6_addr);
+ addr_is_defined = !IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)sa)->sin6_addr);
break;
case AF_UNSPEC:
@@ -2887,10 +2719,10 @@
ASSERT(0);
}
- status = getnameinfo(sa, salen, hostaddr, sizeof(hostaddr),
- servname, sizeof(servname), NI_NUMERICHOST | NI_NUMERICSERV);
+ status = getnameinfo(sa, salen, hostaddr, sizeof(hostaddr), servname, sizeof(servname),
+ NI_NUMERICHOST | NI_NUMERICSERV);
- if (status!=0)
+ if (status != 0)
{
buf_printf(&out, "[nameinfo() err: %s]", gai_strerror(status));
return BSTR(&out);
@@ -2924,7 +2756,7 @@
const char *
print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
{
- return print_link_socket_actual_ex(act, ":", PS_SHOW_PORT|PS_SHOW_PKTINFO, gc);
+ return print_link_socket_actual_ex(act, ":", PS_SHOW_PORT | PS_SHOW_PKTINFO, gc);
}
#ifndef IF_NAMESIZE
@@ -2932,10 +2764,8 @@
#endif
const char *
-print_link_socket_actual_ex(const struct link_socket_actual *act,
- const char *separator,
- const unsigned int flags,
- struct gc_arena *gc)
+print_link_socket_actual_ex(const struct link_socket_actual *act, const char *separator,
+ const unsigned int flags, struct gc_arena *gc)
{
if (act)
{
@@ -2959,12 +2789,11 @@
#elif defined(IP_RECVDSTADDR)
sa.addr.in4.sin_addr = act->pi.in4;
ifname[0] = 0;
-#else /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */
+#else /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */
#error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h)
#endif
buf_printf(&out, " (via %s%%%s)",
- print_sockaddr_ex(&sa.addr.sa, separator, 0, gc),
- ifname);
+ print_sockaddr_ex(&sa.addr.sa, separator, 0, gc), ifname);
}
break;
@@ -2976,8 +2805,9 @@
sin6.sin6_family = AF_INET6;
sin6.sin6_addr = act->pi.in6.ipi6_addr;
if_indextoname(act->pi.in6.ipi6_ifindex, ifname);
- if (getnameinfo((struct sockaddr *)&sin6, sizeof(struct sockaddr_in6),
- buf, sizeof(buf), NULL, 0, NI_NUMERICHOST) == 0)
+ if (getnameinfo((struct sockaddr *)&sin6, sizeof(struct sockaddr_in6), buf,
+ sizeof(buf), NULL, 0, NI_NUMERICHOST)
+ == 0)
{
buf_printf(&out, " (via %s%%%s)", buf, ifname);
}
@@ -3027,8 +2857,7 @@
{
char *out = gc_malloc(INET6_ADDRSTRLEN, true, gc);
- if (memcmp(&a6, &in6addr_any, sizeof(a6)) != 0
- || !(flags & IA_EMPTY_IF_UNDEF))
+ if (memcmp(&a6, &in6addr_any, sizeof(a6)) != 0 || !(flags & IA_EMPTY_IF_UNDEF))
{
inet_ntop(AF_INET6, &a6, out, INET6_ADDRSTRLEN);
}
@@ -3050,30 +2879,31 @@
* (add in steps of 8 bits, taking overflow into next round)
*/
struct in6_addr
-add_in6_addr( struct in6_addr base, uint32_t add )
+add_in6_addr(struct in6_addr base, uint32_t add)
{
int i;
- for (i = 15; i>=0 && add > 0; i--)
+ for (i = 15; i >= 0 && add > 0; i--)
{
register int carry;
register uint32_t h;
- h = (unsigned char) base.s6_addr[i];
- base.s6_addr[i] = (h+add) & UINT8_MAX;
+ h = (unsigned char)base.s6_addr[i];
+ base.s6_addr[i] = (h + add) & UINT8_MAX;
/* using explicit carry for the 8-bit additions will catch
* 8-bit and(!) 32-bit overruns nicely
*/
- carry = ((h & 0xff) + (add & 0xff)) >> 8;
- add = (add>>8) + carry;
+ carry = ((h & 0xff) + (add & 0xff)) >> 8;
+ add = (add >> 8) + carry;
}
return base;
}
/* set environmental variables for ip/port in *addr */
void
-setenv_sockaddr(struct env_set *es, const char *name_prefix, const struct openvpn_sockaddr *addr, const unsigned int flags)
+setenv_sockaddr(struct env_set *es, const char *name_prefix, const struct openvpn_sockaddr *addr,
+ const unsigned int flags)
{
char name_buf[256];
@@ -3101,11 +2931,10 @@
break;
case AF_INET6:
- if (IN6_IS_ADDR_V4MAPPED( &addr->addr.in6.sin6_addr ))
+ if (IN6_IS_ADDR_V4MAPPED(&addr->addr.in6.sin6_addr))
{
struct in_addr ia;
- memcpy(&ia.s_addr, &addr->addr.in6.sin6_addr.s6_addr[12],
- sizeof(ia.s_addr));
+ memcpy(&ia.s_addr, &addr->addr.in6.sin6_addr.s6_addr[12], sizeof(ia.s_addr));
snprintf(name_buf, sizeof(name_buf), "%s_ip", name_prefix);
inet_ntop(AF_INET, &ia, buf, sizeof(buf));
}
@@ -3126,7 +2955,8 @@
}
void
-setenv_in_addr_t(struct env_set *es, const char *name_prefix, in_addr_t addr, const unsigned int flags)
+setenv_in_addr_t(struct env_set *es, const char *name_prefix, in_addr_t addr,
+ const unsigned int flags)
{
if (addr || !(flags & SA_SET_IF_NONZERO))
{
@@ -3139,9 +2969,7 @@
}
void
-setenv_in6_addr(struct env_set *es,
- const char *name_prefix,
- const struct in6_addr *addr,
+setenv_in6_addr(struct env_set *es, const char *name_prefix, const struct in6_addr *addr,
const unsigned int flags)
{
if (!IN6_IS_ADDR_UNSPECIFIED(addr) || !(flags & SA_SET_IF_NONZERO))
@@ -3155,10 +2983,8 @@
}
void
-setenv_link_socket_actual(struct env_set *es,
- const char *name_prefix,
- const struct link_socket_actual *act,
- const unsigned int flags)
+setenv_link_socket_actual(struct env_set *es, const char *name_prefix,
+ const struct link_socket_actual *act, const unsigned int flags)
{
setenv_sockaddr(es, name_prefix, &act->dest, flags);
}
@@ -3167,7 +2993,8 @@
* Convert protocol names between index and ascii form.
*/
-struct proto_names {
+struct proto_names
+{
const char *short_form;
const char *display_form;
sa_family_t proto_af;
@@ -3176,22 +3003,22 @@
/* Indexed by PROTO_x */
static const struct proto_names proto_names[] = {
- {"proto-uninitialized", "proto-NONE", AF_UNSPEC, PROTO_NONE},
+ { "proto-uninitialized", "proto-NONE", AF_UNSPEC, PROTO_NONE },
/* try IPv4 and IPv6 (client), bind dual-stack (server) */
- {"udp", "UDP", AF_UNSPEC, PROTO_UDP},
- {"tcp-server", "TCP_SERVER", AF_UNSPEC, PROTO_TCP_SERVER},
- {"tcp-client", "TCP_CLIENT", AF_UNSPEC, PROTO_TCP_CLIENT},
- {"tcp", "TCP", AF_UNSPEC, PROTO_TCP},
+ { "udp", "UDP", AF_UNSPEC, PROTO_UDP },
+ { "tcp-server", "TCP_SERVER", AF_UNSPEC, PROTO_TCP_SERVER },
+ { "tcp-client", "TCP_CLIENT", AF_UNSPEC, PROTO_TCP_CLIENT },
+ { "tcp", "TCP", AF_UNSPEC, PROTO_TCP },
/* force IPv4 */
- {"udp4", "UDPv4", AF_INET, PROTO_UDP},
- {"tcp4-server", "TCPv4_SERVER", AF_INET, PROTO_TCP_SERVER},
- {"tcp4-client", "TCPv4_CLIENT", AF_INET, PROTO_TCP_CLIENT},
- {"tcp4", "TCPv4", AF_INET, PROTO_TCP},
+ { "udp4", "UDPv4", AF_INET, PROTO_UDP },
+ { "tcp4-server", "TCPv4_SERVER", AF_INET, PROTO_TCP_SERVER },
+ { "tcp4-client", "TCPv4_CLIENT", AF_INET, PROTO_TCP_CLIENT },
+ { "tcp4", "TCPv4", AF_INET, PROTO_TCP },
/* force IPv6 */
- {"udp6", "UDPv6", AF_INET6, PROTO_UDP},
- {"tcp6-server", "TCPv6_SERVER", AF_INET6, PROTO_TCP_SERVER},
- {"tcp6-client", "TCPv6_CLIENT", AF_INET6, PROTO_TCP_CLIENT},
- {"tcp6", "TCPv6", AF_INET6, PROTO_TCP},
+ { "udp6", "UDPv6", AF_INET6, PROTO_UDP },
+ { "tcp6-server", "TCPv6_SERVER", AF_INET6, PROTO_TCP_SERVER },
+ { "tcp6-client", "TCPv6_CLIENT", AF_INET6, PROTO_TCP_CLIENT },
+ { "tcp6", "TCPv6", AF_INET6, PROTO_TCP },
};
int
@@ -3262,9 +3089,11 @@
{
switch (af)
{
- case AF_INET: return "AF_INET";
+ case AF_INET:
+ return "AF_INET";
- case AF_INET6: return "AF_INET6";
+ case AF_INET6:
+ return "AF_INET6";
}
return "AF_UNSPEC";
}
@@ -3290,13 +3119,11 @@
return "UDPv4";
}
- if ( (remote && proto == PROTO_TCP_CLIENT)
- || (!remote && proto == PROTO_TCP_SERVER))
+ if ((remote && proto == PROTO_TCP_CLIENT) || (!remote && proto == PROTO_TCP_SERVER))
{
return "TCPv4_SERVER";
}
- if ( (remote && proto == PROTO_TCP_SERVER)
- || (!remote && proto == PROTO_TCP_CLIENT))
+ if ((remote && proto == PROTO_TCP_SERVER) || (!remote && proto == PROTO_TCP_CLIENT))
{
return "TCPv4_CLIENT";
}
@@ -3312,9 +3139,9 @@
void
bad_address_length(int actual, int expected)
{
- msg(M_FATAL, "ERROR: received strange incoming packet with an address length of %d -- we only accept address lengths of %d.",
- actual,
- expected);
+ msg(M_FATAL,
+ "ERROR: received strange incoming packet with an address length of %d -- we only accept address lengths of %d.",
+ actual, expected);
}
/*
@@ -3322,8 +3149,7 @@
*/
int
-link_socket_read_tcp(struct link_socket *sock,
- struct buffer *buf)
+link_socket_read_tcp(struct link_socket *sock, struct buffer *buf)
{
int len = 0;
@@ -3336,9 +3162,9 @@
*/
if (sock->sd == SOCKET_UNDEFINED)
{
- msg(M_INFO, "BUG: link_socket_read_tcp(): sock->sd==-1, reset client instance" );
- sock->stream_reset = true; /* reset client instance */
- return buf->len = 0; /* nothing to read */
+ msg(M_INFO, "BUG: link_socket_read_tcp(): sock->sd==-1, reset client instance");
+ sock->stream_reset = true; /* reset client instance */
+ return buf->len = 0; /* nothing to read */
}
#ifdef _WIN32
@@ -3381,24 +3207,23 @@
* both IPv4 and IPv6 destination addresses, plus padding (see RFC 2292)
*/
#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
-#define PKTINFO_BUF_SIZE max_int( CMSG_SPACE(sizeof(struct in6_pktinfo)), \
- CMSG_SPACE(sizeof(struct in_pktinfo)) )
+#define PKTINFO_BUF_SIZE \
+ max_int(CMSG_SPACE(sizeof(struct in6_pktinfo)), CMSG_SPACE(sizeof(struct in_pktinfo)))
#else
-#define PKTINFO_BUF_SIZE max_int( CMSG_SPACE(sizeof(struct in6_pktinfo)), \
- CMSG_SPACE(sizeof(struct in_addr)) )
+#define PKTINFO_BUF_SIZE \
+ max_int(CMSG_SPACE(sizeof(struct in6_pktinfo)), CMSG_SPACE(sizeof(struct in_addr)))
#endif
static socklen_t
-link_socket_read_udp_posix_recvmsg(struct link_socket *sock,
- struct buffer *buf,
+link_socket_read_udp_posix_recvmsg(struct link_socket *sock, struct buffer *buf,
struct link_socket_actual *from)
{
struct iovec iov;
uint8_t pktinfo_buf[PKTINFO_BUF_SIZE];
- struct msghdr mesg = {0};
+ struct msghdr mesg = { 0 };
socklen_t fromlen = sizeof(from->dest.addr);
- ASSERT(sock->sd >= 0); /* can't happen */
+ ASSERT(sock->sd >= 0); /* can't happen */
iov.iov_base = BPTR(buf);
iov.iov_len = buf_forward_capacity_total(buf);
@@ -3414,43 +3239,40 @@
struct cmsghdr *cmsg;
fromlen = mesg.msg_namelen;
cmsg = CMSG_FIRSTHDR(&mesg);
- if (cmsg != NULL
- && CMSG_NXTHDR(&mesg, cmsg) == NULL
+ if (cmsg != NULL && CMSG_NXTHDR(&mesg, cmsg) == NULL
#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
- && cmsg->cmsg_level == SOL_IP
- && cmsg->cmsg_type == IP_PKTINFO
- && cmsg->cmsg_len >= CMSG_LEN(sizeof(struct in_pktinfo)) )
+ && cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_PKTINFO
+ && cmsg->cmsg_len >= CMSG_LEN(sizeof(struct in_pktinfo)))
#elif defined(IP_RECVDSTADDR)
- && cmsg->cmsg_level == IPPROTO_IP
- && cmsg->cmsg_type == IP_RECVDSTADDR
- && cmsg->cmsg_len >= CMSG_LEN(sizeof(struct in_addr)) )
-#else /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */
+ && cmsg->cmsg_level == IPPROTO_IP && cmsg->cmsg_type == IP_RECVDSTADDR
+ && cmsg->cmsg_len >= CMSG_LEN(sizeof(struct in_addr)))
+#else /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */
#error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h)
#endif
{
#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
- struct in_pktinfo *pkti = (struct in_pktinfo *) CMSG_DATA(cmsg);
+ struct in_pktinfo *pkti = (struct in_pktinfo *)CMSG_DATA(cmsg);
from->pi.in4.ipi_ifindex = pkti->ipi_ifindex;
from->pi.in4.ipi_spec_dst = pkti->ipi_spec_dst;
#elif defined(IP_RECVDSTADDR)
- from->pi.in4 = *(struct in_addr *) CMSG_DATA(cmsg);
-#else /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */
+ from->pi.in4 = *(struct in_addr *)CMSG_DATA(cmsg);
+#else /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */
#error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h)
#endif
}
- else if (cmsg != NULL
- && CMSG_NXTHDR(&mesg, cmsg) == NULL
- && cmsg->cmsg_level == IPPROTO_IPV6
- && cmsg->cmsg_type == IPV6_PKTINFO
- && cmsg->cmsg_len >= CMSG_LEN(sizeof(struct in6_pktinfo)) )
+ else if (cmsg != NULL && CMSG_NXTHDR(&mesg, cmsg) == NULL
+ && cmsg->cmsg_level == IPPROTO_IPV6 && cmsg->cmsg_type == IPV6_PKTINFO
+ && cmsg->cmsg_len >= CMSG_LEN(sizeof(struct in6_pktinfo)))
{
- struct in6_pktinfo *pkti6 = (struct in6_pktinfo *) CMSG_DATA(cmsg);
+ struct in6_pktinfo *pkti6 = (struct in6_pktinfo *)CMSG_DATA(cmsg);
from->pi.in6.ipi6_ifindex = pkti6->ipi6_ifindex;
from->pi.in6.ipi6_addr = pkti6->ipi6_addr;
}
else if (cmsg != NULL)
{
- msg(M_WARN, "CMSG received that cannot be parsed (cmsg_level=%d, cmsg_type=%d, cmsg=len=%d)", (int)cmsg->cmsg_level, (int)cmsg->cmsg_type, (int)cmsg->cmsg_len );
+ msg(M_WARN,
+ "CMSG received that cannot be parsed (cmsg_level=%d, cmsg_type=%d, cmsg=len=%d)",
+ (int)cmsg->cmsg_level, (int)cmsg->cmsg_type, (int)cmsg->cmsg_len);
}
}
@@ -3459,15 +3281,14 @@
#endif /* if ENABLE_IP_PKTINFO */
int
-link_socket_read_udp_posix(struct link_socket *sock,
- struct buffer *buf,
+link_socket_read_udp_posix(struct link_socket *sock, struct buffer *buf,
struct link_socket_actual *from)
{
socklen_t fromlen = sizeof(from->dest.addr);
socklen_t expectedlen = af_addr_size(sock->info.af);
addr_zero_host(&from->dest);
- ASSERT(sock->sd >= 0); /* can't happen */
+ ASSERT(sock->sd >= 0); /* can't happen */
#if ENABLE_IP_PKTINFO
/* Both PROTO_UDPv4 and PROTO_UDPv6 */
@@ -3478,8 +3299,8 @@
else
#endif
{
- buf->len = recvfrom(sock->sd, BPTR(buf), buf_forward_capacity(buf), 0,
- &from->dest.addr.sa, &fromlen);
+ buf->len = recvfrom(sock->sd, BPTR(buf), buf_forward_capacity(buf), 0, &from->dest.addr.sa,
+ &fromlen);
}
/* FIXME: won't do anything when sock->info.af == AF_UNSPEC */
if (buf->len >= 0 && expectedlen && fromlen != expectedlen)
@@ -3496,9 +3317,7 @@
*/
ssize_t
-link_socket_write_tcp(struct link_socket *sock,
- struct buffer *buf,
- struct link_socket_actual *to)
+link_socket_write_tcp(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to)
{
packet_size_type len = BLEN(buf);
dmsg(D_STREAM_DEBUG, "STREAM: WRITE %d offset=%d", (int)len, buf->offset);
@@ -3515,8 +3334,7 @@
#if ENABLE_IP_PKTINFO
ssize_t
-link_socket_write_udp_posix_sendmsg(struct link_socket *sock,
- struct buffer *buf,
+link_socket_write_udp_posix_sendmsg(struct link_socket *sock, struct buffer *buf,
struct link_socket_actual *to)
{
struct iovec iov;
@@ -3544,19 +3362,19 @@
cmsg->cmsg_type = IP_PKTINFO;
{
struct in_pktinfo *pkti;
- pkti = (struct in_pktinfo *) CMSG_DATA(cmsg);
+ pkti = (struct in_pktinfo *)CMSG_DATA(cmsg);
pkti->ipi_ifindex = to->pi.in4.ipi_ifindex;
pkti->ipi_spec_dst = to->pi.in4.ipi_spec_dst;
pkti->ipi_addr.s_addr = 0;
}
#elif defined(IP_RECVDSTADDR)
- ASSERT( CMSG_SPACE(sizeof(struct in_addr)) <= sizeof(pktinfo_buf) );
+ ASSERT(CMSG_SPACE(sizeof(struct in_addr)) <= sizeof(pktinfo_buf));
mesg.msg_controllen = CMSG_SPACE(sizeof(struct in_addr));
cmsg = CMSG_FIRSTHDR(&mesg);
cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
cmsg->cmsg_level = IPPROTO_IP;
cmsg->cmsg_type = IP_RECVDSTADDR;
- *(struct in_addr *) CMSG_DATA(cmsg) = to->pi.in4;
+ *(struct in_addr *)CMSG_DATA(cmsg) = to->pi.in4;
#else /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */
#error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h)
#endif /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */
@@ -3569,7 +3387,7 @@
mesg.msg_name = &to->dest.addr.sa;
mesg.msg_namelen = sizeof(struct sockaddr_in6);
- ASSERT( CMSG_SPACE(sizeof(struct in6_pktinfo)) <= sizeof(pktinfo_buf) );
+ ASSERT(CMSG_SPACE(sizeof(struct in6_pktinfo)) <= sizeof(pktinfo_buf));
mesg.msg_control = pktinfo_buf;
mesg.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo));
mesg.msg_flags = 0;
@@ -3578,13 +3396,14 @@
cmsg->cmsg_level = IPPROTO_IPV6;
cmsg->cmsg_type = IPV6_PKTINFO;
- pkti6 = (struct in6_pktinfo *) CMSG_DATA(cmsg);
+ pkti6 = (struct in6_pktinfo *)CMSG_DATA(cmsg);
pkti6->ipi6_ifindex = to->pi.in6.ipi6_ifindex;
pkti6->ipi6_addr = to->pi.in6.ipi6_addr;
break;
}
- default: ASSERT(0);
+ default:
+ ASSERT(0);
}
return sendmsg(sock->sd, &mesg, 0);
}
@@ -3643,8 +3462,8 @@
if (socket_is_dco_win(sock))
{
- status = ReadFile((HANDLE)sock->sd, wsabuf[0].buf, wsabuf[0].len,
- &sock->reads.size, &sock->reads.overlapped);
+ status = ReadFile((HANDLE)sock->sd, wsabuf[0].buf, wsabuf[0].len, &sock->reads.size,
+ &sock->reads.overlapped);
/* Readfile status is inverted from WSARecv */
status = !status;
}
@@ -3652,28 +3471,15 @@
{
sock->reads.addr_defined = true;
sock->reads.addrlen = sizeof(sock->reads.addr6);
- status = WSARecvFrom(
- sock->sd,
- wsabuf,
- 1,
- &sock->reads.size,
- &sock->reads.flags,
- (struct sockaddr *) &sock->reads.addr,
- &sock->reads.addrlen,
- &sock->reads.overlapped,
- NULL);
+ status = WSARecvFrom(sock->sd, wsabuf, 1, &sock->reads.size, &sock->reads.flags,
+ (struct sockaddr *)&sock->reads.addr, &sock->reads.addrlen,
+ &sock->reads.overlapped, NULL);
}
else if (proto_is_tcp(sock->info.proto))
{
sock->reads.addr_defined = false;
- status = WSARecv(
- sock->sd,
- wsabuf,
- 1,
- &sock->reads.size,
- &sock->reads.flags,
- &sock->reads.overlapped,
- NULL);
+ status = WSARecv(sock->sd, wsabuf, 1, &sock->reads.size, &sock->reads.flags,
+ &sock->reads.overlapped, NULL);
}
else
{
@@ -3696,8 +3502,7 @@
sock->reads.status = 0;
dmsg(D_WIN32_IO, "WIN32 I/O: Socket Receive immediate return [%d,%d]",
- (int) wsabuf[0].len,
- (int) sock->reads.size);
+ (int)wsabuf[0].len, (int)sock->reads.size);
}
else
{
@@ -3706,8 +3511,7 @@
{
sock->reads.iostate = IOSTATE_QUEUED;
sock->reads.status = status;
- dmsg(D_WIN32_IO, "WIN32 I/O: Socket Receive queued [%d]",
- (int) wsabuf[0].len);
+ dmsg(D_WIN32_IO, "WIN32 I/O: Socket Receive queued [%d]", (int)wsabuf[0].len);
}
else /* error occurred */
{
@@ -3715,8 +3519,7 @@
ASSERT(SetEvent(sock->reads.overlapped.hEvent));
sock->reads.iostate = IOSTATE_IMMEDIATE_RETURN;
sock->reads.status = status;
- dmsg(D_WIN32_IO, "WIN32 I/O: Socket Receive error [%d]: %s",
- (int) wsabuf[0].len,
+ dmsg(D_WIN32_IO, "WIN32 I/O: Socket Receive error [%d]: %s", (int)wsabuf[0].len,
strerror_win32(status, &gc));
gc_free(&gc);
}
@@ -3748,12 +3551,11 @@
if (socket_is_dco_win(sock))
{
- status = WriteFile((HANDLE)sock->sd, wsabuf[0].buf, wsabuf[0].len,
- &sock->writes.size, &sock->writes.overlapped);
+ status = WriteFile((HANDLE)sock->sd, wsabuf[0].buf, wsabuf[0].len, &sock->writes.size,
+ &sock->writes.overlapped);
/* WriteFile status is inverted from WSASendTo */
status = !status;
-
}
else if (proto_is_udp(sock->info.proto))
{
@@ -3770,30 +3572,17 @@
sock->writes.addrlen = sizeof(sock->writes.addr);
}
- status = WSASendTo(
- sock->sd,
- wsabuf,
- 1,
- &sock->writes.size,
- sock->writes.flags,
- (struct sockaddr *) &sock->writes.addr,
- sock->writes.addrlen,
- &sock->writes.overlapped,
- NULL);
+ status = WSASendTo(sock->sd, wsabuf, 1, &sock->writes.size, sock->writes.flags,
+ (struct sockaddr *)&sock->writes.addr, sock->writes.addrlen,
+ &sock->writes.overlapped, NULL);
}
else if (proto_is_tcp(sock->info.proto))
{
/* destination address for TCP writes was established on connection initiation */
sock->writes.addr_defined = false;
- status = WSASend(
- sock->sd,
- wsabuf,
- 1,
- &sock->writes.size,
- sock->writes.flags,
- &sock->writes.overlapped,
- NULL);
+ status = WSASend(sock->sd, wsabuf, 1, &sock->writes.size, sock->writes.flags,
+ &sock->writes.overlapped, NULL);
}
else
{
@@ -3810,9 +3599,8 @@
sock->writes.status = 0;
- dmsg(D_WIN32_IO, "WIN32 I/O: Socket Send immediate return [%d,%d]",
- (int) wsabuf[0].len,
- (int) sock->writes.size);
+ dmsg(D_WIN32_IO, "WIN32 I/O: Socket Send immediate return [%d,%d]", (int)wsabuf[0].len,
+ (int)sock->writes.size);
}
else
{
@@ -3822,8 +3610,7 @@
{
sock->writes.iostate = IOSTATE_QUEUED;
sock->writes.status = status;
- dmsg(D_WIN32_IO, "WIN32 I/O: Socket Send queued [%d]",
- (int) wsabuf[0].len);
+ dmsg(D_WIN32_IO, "WIN32 I/O: Socket Send queued [%d]", (int)wsabuf[0].len);
}
else /* error occurred */
{
@@ -3832,8 +3619,7 @@
sock->writes.iostate = IOSTATE_IMMEDIATE_RETURN;
sock->writes.status = status;
- dmsg(D_WIN32_IO, "WIN32 I/O: Socket Send error [%d]: %s",
- (int) wsabuf[0].len,
+ dmsg(D_WIN32_IO, "WIN32 I/O: Socket Send error [%d]: %s", (int)wsabuf[0].len,
strerror_win32(status, &gc));
gc_free(&gc);
@@ -3905,7 +3691,9 @@
sa_len = sizeof(struct sockaddr_in);
if (buf_len(buf) < sa_len)
{
- msg(M_FATAL, "ERROR: received incoming packet with too short length of %d -- must be at least %d.", buf_len(buf), sa_len);
+ msg(M_FATAL,
+ "ERROR: received incoming packet with too short length of %d -- must be at least %d.",
+ buf_len(buf), sa_len);
}
memcpy(dst, sa, sa_len);
buf_advance(buf, sa_len);
@@ -3915,14 +3703,17 @@
sa_len = sizeof(struct sockaddr_in6);
if (buf_len(buf) < sa_len)
{
- msg(M_FATAL, "ERROR: received incoming packet with too short length of %d -- must be at least %d.", buf_len(buf), sa_len);
+ msg(M_FATAL,
+ "ERROR: received incoming packet with too short length of %d -- must be at least %d.",
+ buf_len(buf), sa_len);
}
memcpy(dst, sa, sa_len);
buf_advance(buf, sa_len);
break;
default:
- msg(M_FATAL, "ERROR: received incoming packet with invalid address family %d.", sa->sa_family);
+ msg(M_FATAL, "ERROR: received incoming packet with invalid address family %d.",
+ sa->sa_family);
}
return sa_len;
@@ -3930,9 +3721,7 @@
/* Returns the number of bytes successfully read */
int
-sockethandle_finalize(sockethandle_t sh,
- struct overlapped_io *io,
- struct buffer *buf,
+sockethandle_finalize(sockethandle_t sh, struct overlapped_io *io, struct buffer *buf,
struct link_socket_actual *from)
{
int ret = -1;
@@ -4025,10 +3814,7 @@
*/
unsigned int
-socket_set(struct link_socket *s,
- struct event_set *es,
- unsigned int rwflags,
- void *arg,
+socket_set(struct link_socket *s, struct event_set *es, unsigned int rwflags, void *arg,
unsigned int *persistent)
{
if (s)
@@ -4108,20 +3894,15 @@
}
void
-socket_bind_unix(socket_descriptor_t sd,
- struct sockaddr_un *local,
- const char *prefix)
+socket_bind_unix(socket_descriptor_t sd, struct sockaddr_un *local, const char *prefix)
{
struct gc_arena gc = gc_new();
const mode_t orig_umask = umask(0);
- if (bind(sd, (struct sockaddr *) local, sizeof(struct sockaddr_un)))
+ if (bind(sd, (struct sockaddr *)local, sizeof(struct sockaddr_un)))
{
- msg(M_FATAL | M_ERRNO,
- "%s: Socket bind[%d] failed on unix domain socket %s",
- prefix,
- (int)sd,
- sockaddr_unix_name(local, "NULL"));
+ msg(M_FATAL | M_ERRNO, "%s: Socket bind[%d] failed on unix domain socket %s", prefix,
+ (int)sd, sockaddr_unix_name(local, "NULL"));
}
umask(orig_umask);
@@ -4129,14 +3910,13 @@
}
socket_descriptor_t
-socket_accept_unix(socket_descriptor_t sd,
- struct sockaddr_un *remote)
+socket_accept_unix(socket_descriptor_t sd, struct sockaddr_un *remote)
{
socklen_t remote_len = sizeof(struct sockaddr_un);
socket_descriptor_t ret;
CLEAR(*remote);
- ret = accept(sd, (struct sockaddr *) remote, &remote_len);
+ ret = accept(sd, (struct sockaddr *)remote, &remote_len);
if (ret >= 0)
{
/* set socket file descriptor to not pass across execs, so that
@@ -4147,10 +3927,9 @@
}
int
-socket_connect_unix(socket_descriptor_t sd,
- struct sockaddr_un *remote)
+socket_connect_unix(socket_descriptor_t sd, struct sockaddr_un *remote)
{
- int status = connect(sd, (struct sockaddr *) remote, sizeof(struct sockaddr_un));
+ int status = connect(sd, (struct sockaddr *)remote, sizeof(struct sockaddr_un));
if (status)
{
status = openvpn_errno();
@@ -64,7 +64,8 @@
struct openvpn_sockaddr
{
/*int dummy;*/ /* add offset to force a bug if sa not explicitly dereferenced */
- union {
+ union
+ {
struct sockaddr sa;
struct sockaddr_in in4;
struct sockaddr_in6 in6;
@@ -72,7 +73,8 @@
};
/* struct to hold preresolved host names */
-struct cached_dns_entry {
+struct cached_dns_entry
+{
const char *hostname;
const char *servname;
int ai_family;
@@ -88,7 +90,8 @@
struct openvpn_sockaddr dest;
#if ENABLE_IP_PKTINFO
- union {
+ union
+ {
#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
struct in_pktinfo in4;
#elif defined(IP_RECVDSTADDR)
@@ -103,9 +106,9 @@
struct link_socket_addr
{
struct addrinfo *bind_local;
- struct addrinfo *remote_list; /* complete remote list */
- struct addrinfo *current_remote; /* remote used in the
- * current connection attempt */
+ struct addrinfo *remote_list; /* complete remote list */
+ struct addrinfo *current_remote; /* remote used in the
+ * current connection attempt */
struct link_socket_actual actual; /* reply to this address */
};
@@ -116,10 +119,10 @@
const char *ipchange_command;
const struct plugin_list *plugins;
bool remote_float;
- int proto; /* Protocol (PROTO_x defined below) */
- sa_family_t af; /* Address family like AF_INET, AF_INET6 or AF_UNSPEC*/
+ int proto; /* Protocol (PROTO_x defined below) */
+ sa_family_t af; /* Address family like AF_INET, AF_INET6 or AF_UNSPEC*/
bool bind_ipv6_only;
- int mtu_changed; /* Set to true when mtu value is changed */
+ int mtu_changed; /* Set to true when mtu value is changed */
};
/*
@@ -135,7 +138,7 @@
struct buffer buf;
struct buffer next;
- int len; /* -1 if not yet known */
+ int len; /* -1 if not yet known */
bool error; /* if true, fatal TCP error has occurred,
* requiring that connection be restarted */
@@ -163,10 +166,8 @@
* @param sbs new sizes.
* @param reduce_size apply the new size even if smaller than current one
*/
-void
-socket_set_buffers(socket_descriptor_t fd,
- const struct socket_buffer_size *sbs,
- bool reduce_size);
+void socket_set_buffers(socket_descriptor_t fd, const struct socket_buffer_size *sbs,
+ bool reduce_size);
/*
* This is the main socket structure used by OpenVPN. The SOCKET_
@@ -177,10 +178,10 @@
{
struct link_socket_info info;
- struct event_arg ev_arg; /**< this struct will store a pointer to either mi or
- * link_socket, depending on the event type, to keep
- * it accessible it's placed within the same struct
- * it points to. */
+ struct event_arg ev_arg; /**< this struct will store a pointer to either mi or
+ * link_socket, depending on the event type, to keep
+ * it accessible it's placed within the same struct
+ * it points to. */
socket_descriptor_t sd;
socket_descriptor_t ctrl_sd; /* only used for UDP over Socks */
@@ -205,9 +206,9 @@
struct cached_dns_entry *dns_cache;
bool bind_local;
-#define LS_MODE_DEFAULT 0
-#define LS_MODE_TCP_LISTEN 1
-#define LS_MODE_TCP_ACCEPT_FROM 2
+#define LS_MODE_DEFAULT 0
+#define LS_MODE_TCP_LISTEN 1
+#define LS_MODE_TCP_ACCEPT_FROM 2
int mode;
int resolve_retry_seconds;
@@ -215,15 +216,15 @@
struct socket_buffer_size socket_buffer_sizes;
- int mtu; /* OS discovered MTU, or 0 if unknown */
+ int mtu; /* OS discovered MTU, or 0 if unknown */
-#define SF_USE_IP_PKTINFO (1<<0)
-#define SF_TCP_NODELAY (1<<1)
-#define SF_PORT_SHARE (1<<2)
-#define SF_HOST_RANDOMIZE (1<<3)
-#define SF_GETADDRINFO_DGRAM (1<<4)
-#define SF_DCO_WIN (1<<5)
-#define SF_PREPEND_SA (1<<6)
+#define SF_USE_IP_PKTINFO (1 << 0)
+#define SF_TCP_NODELAY (1 << 1)
+#define SF_PORT_SHARE (1 << 2)
+#define SF_HOST_RANDOMIZE (1 << 3)
+#define SF_GETADDRINFO_DGRAM (1 << 4)
+#define SF_DCO_WIN (1 << 5)
+#define SF_PREPEND_SA (1 << 6)
unsigned int sockflags;
int mark;
const char *bind_dev;
@@ -277,12 +278,13 @@
int socket_recv_queue(struct link_socket *sock, int maxsize);
-int socket_send_queue(struct link_socket *sock,
- struct buffer *buf,
+int socket_send_queue(struct link_socket *sock, struct buffer *buf,
const struct link_socket_actual *to);
-typedef struct {
- union {
+typedef struct
+{
+ union
+ {
SOCKET s;
HANDLE h;
};
@@ -290,17 +292,15 @@
bool prepend_sa; /* are incoming packets prepended with sockaddr? */
} sockethandle_t;
-int sockethandle_finalize(sockethandle_t sh,
- struct overlapped_io *io,
- struct buffer *buf,
+int sockethandle_finalize(sockethandle_t sh, struct overlapped_io *io, struct buffer *buf,
struct link_socket_actual *from);
static inline BOOL
SocketHandleGetOverlappedResult(sockethandle_t sh, struct overlapped_io *io)
{
- return sh.is_handle ?
- GetOverlappedResult(sh.h, &io->overlapped, &io->size, FALSE) :
- WSAGetOverlappedResult(sh.s, &io->overlapped, &io->size, FALSE, &io->flags);
+ return sh.is_handle
+ ? GetOverlappedResult(sh.h, &io->overlapped, &io->size, FALSE)
+ : WSAGetOverlappedResult(sh.s, &io->overlapped, &io->size, FALSE, &io->flags);
}
static inline int
@@ -321,7 +321,7 @@
sh.is_handle ? SetLastError(ERROR_INVALID_FUNCTION) : WSASetLastError(WSAEINVAL);
}
-#else /* ifdef _WIN32 */
+#else /* ifdef _WIN32 */
#define openvpn_close_socket(s) close(s)
@@ -329,29 +329,19 @@
struct link_socket *link_socket_new(void);
-void socket_bind(socket_descriptor_t sd,
- struct addrinfo *local,
- int af_family,
- const char *prefix,
+void socket_bind(socket_descriptor_t sd, struct addrinfo *local, int af_family, const char *prefix,
bool ipv6only);
-int openvpn_connect(socket_descriptor_t sd,
- const struct sockaddr *remote,
- int connect_timeout,
+int openvpn_connect(socket_descriptor_t sd, const struct sockaddr *remote, int connect_timeout,
volatile int *signal_received);
-
/*
* Initialize link_socket object.
*/
-void
-link_socket_init_phase1(struct context *c,
- int sock_index,
- int mode);
+void link_socket_init_phase1(struct context *c, int sock_index, int mode);
-void link_socket_init_phase2(struct context *c,
- struct link_socket *sock);
+void link_socket_init_phase2(struct context *c, struct link_socket *sock);
void do_preresolve(struct context *c);
@@ -359,75 +349,57 @@
void sd_close(socket_descriptor_t *sd);
-#define PS_SHOW_PORT_IF_DEFINED (1<<0)
-#define PS_SHOW_PORT (1<<1)
-#define PS_SHOW_PKTINFO (1<<2)
-#define PS_DONT_SHOW_ADDR (1<<3)
-#define PS_DONT_SHOW_FAMILY (1<<4)
+#define PS_SHOW_PORT_IF_DEFINED (1 << 0)
+#define PS_SHOW_PORT (1 << 1)
+#define PS_SHOW_PKTINFO (1 << 2)
+#define PS_DONT_SHOW_ADDR (1 << 3)
+#define PS_DONT_SHOW_FAMILY (1 << 4)
-const char *print_sockaddr_ex(const struct sockaddr *addr,
- const char *separator,
- const unsigned int flags,
- struct gc_arena *gc);
+const char *print_sockaddr_ex(const struct sockaddr *addr, const char *separator,
+ const unsigned int flags, struct gc_arena *gc);
-static inline
-const char *
-print_openvpn_sockaddr(const struct openvpn_sockaddr *addr,
- struct gc_arena *gc)
+static inline const char *
+print_openvpn_sockaddr(const struct openvpn_sockaddr *addr, struct gc_arena *gc)
{
return print_sockaddr_ex(&addr->addr.sa, ":", PS_SHOW_PORT, gc);
}
-static inline
-const char *
-print_sockaddr(const struct sockaddr *addr,
- struct gc_arena *gc)
+static inline const char *
+print_sockaddr(const struct sockaddr *addr, struct gc_arena *gc)
{
return print_sockaddr_ex(addr, ":", PS_SHOW_PORT, gc);
}
+const char *print_link_socket_actual_ex(const struct link_socket_actual *act, const char *separator,
+ const unsigned int flags, struct gc_arena *gc);
-const char *print_link_socket_actual_ex(const struct link_socket_actual *act,
- const char *separator,
- const unsigned int flags,
- struct gc_arena *gc);
-
-const char *print_link_socket_actual(const struct link_socket_actual *act,
- struct gc_arena *gc);
+const char *print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc);
-#define IA_EMPTY_IF_UNDEF (1<<0)
-#define IA_NET_ORDER (1<<1)
+#define IA_EMPTY_IF_UNDEF (1 << 0)
+#define IA_NET_ORDER (1 << 1)
const char *print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc);
const char *print_in6_addr(struct in6_addr addr6, unsigned int flags, struct gc_arena *gc);
const char *print_in_port_t(in_port_t port, struct gc_arena *gc);
-struct in6_addr add_in6_addr( struct in6_addr base, uint32_t add );
+struct in6_addr add_in6_addr(struct in6_addr base, uint32_t add);
-#define SA_IP_PORT (1<<0)
-#define SA_SET_IF_NONZERO (1<<1)
-void setenv_sockaddr(struct env_set *es,
- const char *name_prefix,
- const struct openvpn_sockaddr *addr,
- const unsigned int flags);
+#define SA_IP_PORT (1 << 0)
+#define SA_SET_IF_NONZERO (1 << 1)
+void setenv_sockaddr(struct env_set *es, const char *name_prefix,
+ const struct openvpn_sockaddr *addr, const unsigned int flags);
-void setenv_in_addr_t(struct env_set *es,
- const char *name_prefix,
- in_addr_t addr,
+void setenv_in_addr_t(struct env_set *es, const char *name_prefix, in_addr_t addr,
const unsigned int flags);
-void setenv_in6_addr(struct env_set *es,
- const char *name_prefix,
- const struct in6_addr *addr,
+void setenv_in6_addr(struct env_set *es, const char *name_prefix, const struct in6_addr *addr,
const unsigned int flags);
-void setenv_link_socket_actual(struct env_set *es,
- const char *name_prefix,
- const struct link_socket_actual *act,
- const unsigned int flags);
+void setenv_link_socket_actual(struct env_set *es, const char *name_prefix,
+ const struct link_socket_actual *act, const unsigned int flags);
void bad_address_length(int actual, int expected);
@@ -437,20 +409,16 @@
#define IPV4_INVALID_ADDR 0xffffffff
in_addr_t link_socket_current_remote(const struct link_socket_info *info);
-const struct in6_addr *link_socket_current_remote_ipv6
- (const struct link_socket_info *info);
+const struct in6_addr *link_socket_current_remote_ipv6(const struct link_socket_info *info);
void link_socket_connection_initiated(struct link_socket_info *info,
const struct link_socket_actual *addr,
- const char *common_name,
- struct env_set *es);
+ const char *common_name, struct env_set *es);
-void link_socket_bad_incoming_addr(struct buffer *buf,
- const struct link_socket_info *info,
+void link_socket_bad_incoming_addr(struct buffer *buf, const struct link_socket_info *info,
const struct link_socket_actual *from_addr);
-void set_actual_address(struct link_socket_actual *actual,
- struct addrinfo *ai);
+void set_actual_address(struct link_socket_actual *actual, struct addrinfo *ai);
void link_socket_bad_outgoing_addr(void);
@@ -465,9 +433,9 @@
*/
/* return values of openvpn_inet_aton */
-#define OIA_HOSTNAME 0
-#define OIA_IP 1
-#define OIA_ERROR -1
+#define OIA_HOSTNAME 0
+#define OIA_IP 1
+#define OIA_ERROR -1
int openvpn_inet_aton(const char *dotted_quad, struct in_addr *addr);
/* integrity validation on pulled options */
@@ -481,23 +449,18 @@
socket_descriptor_t create_socket_tcp(struct addrinfo *);
-socket_descriptor_t socket_do_accept(socket_descriptor_t sd,
- struct link_socket_actual *act,
+socket_descriptor_t socket_do_accept(socket_descriptor_t sd, struct link_socket_actual *act,
const bool nowait);
#if UNIX_SOCK_SUPPORT
socket_descriptor_t create_socket_unix(void);
-void socket_bind_unix(socket_descriptor_t sd,
- struct sockaddr_un *local,
- const char *prefix);
+void socket_bind_unix(socket_descriptor_t sd, struct sockaddr_un *local, const char *prefix);
-socket_descriptor_t socket_accept_unix(socket_descriptor_t sd,
- struct sockaddr_un *remote);
+socket_descriptor_t socket_accept_unix(socket_descriptor_t sd, struct sockaddr_un *remote);
-int socket_connect_unix(socket_descriptor_t sd,
- struct sockaddr_un *remote);
+int socket_connect_unix(socket_descriptor_t sd, struct sockaddr_un *remote);
void sockaddr_unix_init(struct sockaddr_un *local, const char *path);
@@ -513,20 +476,20 @@
* DNS resolution
*/
-#define GETADDR_RESOLVE (1<<0)
-#define GETADDR_FATAL (1<<1)
-#define GETADDR_HOST_ORDER (1<<2)
-#define GETADDR_MENTION_RESOLVE_RETRY (1<<3)
-#define GETADDR_FATAL_ON_SIGNAL (1<<4)
-#define GETADDR_WARN_ON_SIGNAL (1<<5)
-#define GETADDR_MSG_VIRT_OUT (1<<6)
-#define GETADDR_TRY_ONCE (1<<7)
-#define GETADDR_UPDATE_MANAGEMENT_STATE (1<<8)
-#define GETADDR_RANDOMIZE (1<<9)
-#define GETADDR_PASSIVE (1<<10)
-#define GETADDR_DATAGRAM (1<<11)
+#define GETADDR_RESOLVE (1 << 0)
+#define GETADDR_FATAL (1 << 1)
+#define GETADDR_HOST_ORDER (1 << 2)
+#define GETADDR_MENTION_RESOLVE_RETRY (1 << 3)
+#define GETADDR_FATAL_ON_SIGNAL (1 << 4)
+#define GETADDR_WARN_ON_SIGNAL (1 << 5)
+#define GETADDR_MSG_VIRT_OUT (1 << 6)
+#define GETADDR_TRY_ONCE (1 << 7)
+#define GETADDR_UPDATE_MANAGEMENT_STATE (1 << 8)
+#define GETADDR_RANDOMIZE (1 << 9)
+#define GETADDR_PASSIVE (1 << 10)
+#define GETADDR_DATAGRAM (1 << 11)
-#define GETADDR_CACHE_MASK (GETADDR_DATAGRAM|GETADDR_PASSIVE)
+#define GETADDR_CACHE_MASK (GETADDR_DATAGRAM | GETADDR_PASSIVE)
/**
* Translate an IPv4 addr or hostname from string form to in_addr_t
@@ -534,24 +497,17 @@
* In case of resolve error, it will try again for
* resolve_retry_seconds seconds.
*/
-in_addr_t getaddr(unsigned int flags,
- const char *hostname,
- int resolve_retry_seconds,
- bool *succeeded,
- struct signal_info *sig_info);
+in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds,
+ bool *succeeded, struct signal_info *sig_info);
/**
* Translate an IPv6 addr or hostname from string form to in6_addr
*/
-bool get_ipv6_addr(const char *hostname, struct in6_addr *network,
- unsigned int *netbits, int msglevel);
+bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits,
+ int msglevel);
-int openvpn_getaddrinfo(unsigned int flags,
- const char *hostname,
- const char *servname,
- int resolve_retry_seconds,
- struct signal_info *sig_info,
- int ai_family,
+int openvpn_getaddrinfo(unsigned int flags, const char *hostname, const char *servname,
+ int resolve_retry_seconds, struct signal_info *sig_info, int ai_family,
struct addrinfo **res);
/*
@@ -562,8 +518,9 @@
* Use enum's instead of #define to allow for easier
* optional proto support
*/
-enum proto_num {
- PROTO_NONE, /* catch for uninitialized */
+enum proto_num
+{
+ PROTO_NONE, /* catch for uninitialized */
PROTO_UDP,
PROTO_TCP,
PROTO_TCP_SERVER,
@@ -665,11 +622,14 @@
}
switch (addr->addr.sa.sa_family)
{
- case AF_INET: return addr->addr.in4.sin_addr.s_addr != 0;
+ case AF_INET:
+ return addr->addr.in4.sin_addr.s_addr != 0;
- case AF_INET6: return !IN6_IS_ADDR_UNSPECIFIED(&addr->addr.in6.sin6_addr);
+ case AF_INET6:
+ return !IN6_IS_ADDR_UNSPECIFIED(&addr->addr.in6.sin6_addr);
- default: return 0;
+ default:
+ return 0;
}
}
@@ -705,17 +665,21 @@
switch (lsa->dest.addr.sa.sa_family)
{
#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
- case AF_INET: return lsa->pi.in4.ipi_spec_dst.s_addr != 0;
+ case AF_INET:
+ return lsa->pi.in4.ipi_spec_dst.s_addr != 0;
#elif defined(IP_RECVDSTADDR)
- case AF_INET: return lsa->pi.in4.s_addr != 0;
+ case AF_INET:
+ return lsa->pi.in4.s_addr != 0;
#endif
- case AF_INET6: return !IN6_IS_ADDR_UNSPECIFIED(&lsa->pi.in6.ipi6_addr);
+ case AF_INET6:
+ return !IN6_IS_ADDR_UNSPECIFIED(&lsa->pi.in6.ipi6_addr);
- default: return 0;
+ default:
+ return 0;
}
-#else /* if ENABLE_IP_PKTINFO */
+#else /* if ENABLE_IP_PKTINFO */
ASSERT(0);
#endif
return false;
@@ -751,14 +715,16 @@
switch (a1->addr.sa.sa_family)
{
case AF_INET:
- if (a1->addr.in4.sin_addr.s_addr == ((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr)
+ if (a1->addr.in4.sin_addr.s_addr
+ == ((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr)
{
return true;
}
break;
case AF_INET6:
- if (IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr, &((struct sockaddr_in6 *) curele->ai_addr)->sin6_addr))
+ if (IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr,
+ &((struct sockaddr_in6 *)curele->ai_addr)->sin6_addr))
{
return true;
}
@@ -781,7 +747,8 @@
{
case AF_INET:
if (curele->ai_family == AF_INET
- && a1->addr.in4.sin_addr.s_addr == ((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr
+ && a1->addr.in4.sin_addr.s_addr
+ == ((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr
&& a1->addr.in4.sin_port == ((struct sockaddr_in *)curele->ai_addr)->sin_port)
{
return true;
@@ -790,8 +757,10 @@
case AF_INET6:
if (curele->ai_family == AF_INET6
- && IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr, &((struct sockaddr_in6 *) curele->ai_addr)->sin6_addr)
- && a1->addr.in6.sin6_port == ((struct sockaddr_in6 *) curele->ai_addr)->sin6_port)
+ && IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr,
+ &((struct sockaddr_in6 *)curele->ai_addr)->sin6_addr)
+ && a1->addr.in6.sin6_port
+ == ((struct sockaddr_in6 *)curele->ai_addr)->sin6_port)
{
return true;
}
@@ -805,7 +774,6 @@
}
-
static inline bool
addr_port_match(const struct openvpn_sockaddr *a1, const struct openvpn_sockaddr *a2)
{
@@ -824,24 +792,19 @@
}
static inline bool
-addr_match_proto(const struct openvpn_sockaddr *a1,
- const struct openvpn_sockaddr *a2,
+addr_match_proto(const struct openvpn_sockaddr *a1, const struct openvpn_sockaddr *a2,
const int proto)
{
- return link_socket_proto_connection_oriented(proto)
- ? addr_match(a1, a2)
- : addr_port_match(a1, a2);
+ return link_socket_proto_connection_oriented(proto) ? addr_match(a1, a2)
+ : addr_port_match(a1, a2);
}
static inline bool
-addrlist_match_proto(const struct openvpn_sockaddr *a1,
- struct addrinfo *addr_list,
- const int proto)
+addrlist_match_proto(const struct openvpn_sockaddr *a1, struct addrinfo *addr_list, const int proto)
{
- return link_socket_proto_connection_oriented(proto)
- ? addrlist_match(a1, addr_list)
- : addrlist_port_match(a1, addr_list);
+ return link_socket_proto_connection_oriented(proto) ? addrlist_match(a1, addr_list)
+ : addrlist_port_match(a1, addr_list);
}
static inline void
@@ -864,9 +827,11 @@
{
switch (af)
{
- case AF_INET: return sizeof(struct sockaddr_in);
+ case AF_INET:
+ return sizeof(struct sockaddr_in);
- case AF_INET6: return sizeof(struct sockaddr_in6);
+ case AF_INET6:
+ return sizeof(struct sockaddr_in6);
default:
#if 0
@@ -889,8 +854,7 @@
static inline bool
socket_foreign_protocol_detected(const struct link_socket *sock)
{
- return link_socket_connection_oriented(sock)
- && sock->stream_buf.port_share_state == PS_FOREIGN;
+ return link_socket_connection_oriented(sock) && sock->stream_buf.port_share_state == PS_FOREIGN;
}
static inline const struct buffer *
@@ -931,8 +895,7 @@
}
static inline bool
-link_socket_verify_incoming_addr(struct buffer *buf,
- const struct link_socket_info *info,
+link_socket_verify_incoming_addr(struct buffer *buf, const struct link_socket_info *info,
const struct link_socket_actual *from_addr)
{
if (buf->len > 0)
@@ -959,8 +922,7 @@
}
static inline void
-link_socket_get_outgoing_addr(struct buffer *buf,
- const struct link_socket_info *info,
+link_socket_get_outgoing_addr(struct buffer *buf, const struct link_socket_info *info,
struct link_socket_actual **act)
{
if (buf->len > 0)
@@ -980,23 +942,18 @@
}
static inline void
-link_socket_set_outgoing_addr(struct link_socket_info *info,
- const struct link_socket_actual *act,
- const char *common_name,
- struct env_set *es)
+link_socket_set_outgoing_addr(struct link_socket_info *info, const struct link_socket_actual *act,
+ const char *common_name, struct env_set *es)
{
struct link_socket_addr *lsa = info->lsa;
if (
/* new or changed address? */
(!info->connection_established
- || !addr_match_proto(&act->dest, &lsa->actual.dest, info->proto)
- )
+ || !addr_match_proto(&act->dest, &lsa->actual.dest, info->proto))
&&
/* address undef or address == remote or --float */
(info->remote_float
- || (!lsa->remote_list || addrlist_match_proto(&act->dest, lsa->remote_list, info->proto))
- )
- )
+ || (!lsa->remote_list || addrlist_match_proto(&act->dest, lsa->remote_list, info->proto))))
{
link_socket_connection_initiated(info, act, common_name, es);
}
@@ -1032,14 +989,12 @@
* Socket Read Routines
*/
-int link_socket_read_tcp(struct link_socket *sock,
- struct buffer *buf);
+int link_socket_read_tcp(struct link_socket *sock, struct buffer *buf);
#ifdef _WIN32
static inline int
-link_socket_read_udp_win32(struct link_socket *sock,
- struct buffer *buf,
+link_socket_read_udp_win32(struct link_socket *sock, struct buffer *buf,
struct link_socket_actual *from)
{
sockethandle_t sh = { .s = sock->sd };
@@ -1054,17 +1009,14 @@
#else /* ifdef _WIN32 */
-int link_socket_read_udp_posix(struct link_socket *sock,
- struct buffer *buf,
+int link_socket_read_udp_posix(struct link_socket *sock, struct buffer *buf,
struct link_socket_actual *from);
#endif /* ifdef _WIN32 */
/* read a TCP or UDP packet from link */
static inline int
-link_socket_read(struct link_socket *sock,
- struct buffer *buf,
- struct link_socket_actual *from)
+link_socket_read(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *from)
{
if (proto_is_udp(sock->info.proto) || socket_is_dco_win(sock))
/* unified UDPv4 and UDPv6, for DCO-WIN the kernel
@@ -1096,16 +1048,13 @@
* Socket Write routines
*/
-ssize_t link_socket_write_tcp(struct link_socket *sock,
- struct buffer *buf,
+ssize_t link_socket_write_tcp(struct link_socket *sock, struct buffer *buf,
struct link_socket_actual *to);
#ifdef _WIN32
static inline int
-link_socket_write_win32(struct link_socket *sock,
- struct buffer *buf,
- struct link_socket_actual *to)
+link_socket_write_win32(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to)
{
int err = 0;
int status = 0;
@@ -1144,16 +1093,14 @@
}
}
-#else /* ifdef _WIN32 */
+#else /* ifdef _WIN32 */
-ssize_t link_socket_write_udp_posix_sendmsg(struct link_socket *sock,
- struct buffer *buf,
+ssize_t link_socket_write_udp_posix_sendmsg(struct link_socket *sock, struct buffer *buf,
struct link_socket_actual *to);
static inline ssize_t
-link_socket_write_udp_posix(struct link_socket *sock,
- struct buffer *buf,
+link_socket_write_udp_posix(struct link_socket *sock, struct buffer *buf,
struct link_socket_actual *to)
{
#if ENABLE_IP_PKTINFO
@@ -1164,14 +1111,12 @@
}
else
#endif
- return sendto(sock->sd, BPTR(buf), BLEN(buf), 0,
- (struct sockaddr *) &to->dest.addr.sa,
- (socklen_t) af_addr_size(to->dest.addr.sa.sa_family));
+ return sendto(sock->sd, BPTR(buf), BLEN(buf), 0, (struct sockaddr *)&to->dest.addr.sa,
+ (socklen_t)af_addr_size(to->dest.addr.sa.sa_family));
}
static inline ssize_t
-link_socket_write_tcp_posix(struct link_socket *sock,
- struct buffer *buf)
+link_socket_write_tcp_posix(struct link_socket *sock, struct buffer *buf)
{
return send(sock->sd, BPTR(buf), BLEN(buf), MSG_NOSIGNAL);
}
@@ -1179,9 +1124,7 @@
#endif /* ifdef _WIN32 */
static inline ssize_t
-link_socket_write_udp(struct link_socket *sock,
- struct buffer *buf,
- struct link_socket_actual *to)
+link_socket_write_udp(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to)
{
#ifdef _WIN32
return link_socket_write_win32(sock, buf, to);
@@ -1192,9 +1135,7 @@
/* write a TCP or UDP packet to link */
static inline ssize_t
-link_socket_write(struct link_socket *sock,
- struct buffer *buf,
- struct link_socket_actual *to)
+link_socket_write(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to)
{
if (proto_is_udp(sock->info.proto) || socket_is_dco_win(sock))
{
@@ -1222,7 +1163,7 @@
{
if (sock && ipbuf)
{
- struct openvpn_iphdr *iph = (struct openvpn_iphdr *) BPTR(ipbuf);
+ struct openvpn_iphdr *iph = (struct openvpn_iphdr *)BPTR(ipbuf);
sock->ptos = iph->tos;
sock->ptos_defined = true;
}
@@ -1266,17 +1207,11 @@
event_t socket_listen_event_handle(struct link_socket *sock);
-unsigned int
-socket_set(struct link_socket *sock,
- struct event_set *es,
- unsigned int rwflags,
- void *arg,
- unsigned int *persistent);
+unsigned int socket_set(struct link_socket *sock, struct event_set *es, unsigned int rwflags,
+ void *arg, unsigned int *persistent);
static inline void
-socket_set_listen_persistent(struct link_socket *sock,
- struct event_set *es,
- void *arg)
+socket_set_listen_persistent(struct link_socket *sock, struct event_set *es, void *arg)
{
if (sock && !sock->listen_persistent_queued)
{
@@ -45,12 +45,10 @@
#include "memdbg.h"
-#define UP_TYPE_SOCKS "SOCKS Proxy"
+#define UP_TYPE_SOCKS "SOCKS Proxy"
struct socks_proxy_info *
-socks_proxy_new(const char *server,
- const char *port,
- const char *authfile)
+socks_proxy_new(const char *server, const char *port, const char *authfile)
{
struct socks_proxy_info *p;
@@ -83,8 +81,7 @@
}
static bool
-socks_username_password_auth(struct socks_proxy_info *p,
- socket_descriptor_t sd,
+socks_username_password_auth(struct socks_proxy_info *p, socket_descriptor_t sd,
struct event_timeout *server_poll_timeout,
volatile int *signal_received)
{
@@ -102,24 +99,23 @@
goto cleanup;
}
- if ( (strlen(creds.username) > 255) || (strlen(creds.password) > 255) )
+ if ((strlen(creds.username) > 255) || (strlen(creds.password) > 255))
{
- msg(M_NONFATAL,
- "SOCKS username and/or password exceeds 255 characters. "
- "Authentication not possible.");
+ msg(M_NONFATAL, "SOCKS username and/or password exceeds 255 characters. "
+ "Authentication not possible.");
goto cleanup;
}
- int sret = snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s",
- (int) strlen(creds.username), creds.username,
- (int) strlen(creds.password), creds.password);
+ int sret = snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s", (int)strlen(creds.username),
+ creds.username, (int)strlen(creds.password), creds.password);
ASSERT(sret <= sizeof(to_send));
size = send(sd, to_send, strlen(to_send), MSG_NOSIGNAL);
if (size != strlen(to_send))
{
- msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port write failed on send()");
+ msg(D_LINK_ERRORS | M_ERRNO,
+ "socks_username_password_auth: TCP port write failed on send()");
goto cleanup;
}
@@ -147,14 +143,16 @@
/* timeout? */
if (status == 0)
{
- msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read timeout expired");
+ msg(D_LINK_ERRORS | M_ERRNO,
+ "socks_username_password_auth: TCP port read timeout expired");
goto cleanup;
}
/* error */
if (status < 0)
{
- msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read failed on select()");
+ msg(D_LINK_ERRORS | M_ERRNO,
+ "socks_username_password_auth: TCP port read failed on select()");
goto cleanup;
}
@@ -164,7 +162,8 @@
/* error? */
if (size != 1)
{
- msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read failed on recv()");
+ msg(D_LINK_ERRORS | M_ERRNO,
+ "socks_username_password_auth: TCP port read failed on recv()");
goto cleanup;
}
@@ -187,10 +186,8 @@
}
static bool
-socks_handshake(struct socks_proxy_info *p,
- socket_descriptor_t sd,
- struct event_timeout *server_poll_timeout,
- volatile int *signal_received)
+socks_handshake(struct socks_proxy_info *p, socket_descriptor_t sd,
+ struct event_timeout *server_poll_timeout, volatile int *signal_received)
{
char buf[2];
int len = 0;
@@ -201,7 +198,6 @@
if (p->authfile[0])
{
method_sel[2] = 0x02; /* METHODS = [2 (plain login)] */
-
}
size = send(sd, method_sel, sizeof(method_sel), MSG_NOSIGNAL);
if (size != sizeof(method_sel))
@@ -282,7 +278,8 @@
case 2: /* login/password */
if (!p->authfile[0])
{
- msg(D_LINK_ERRORS, "socks_handshake: server asked for username/login auth but we were "
+ msg(D_LINK_ERRORS,
+ "socks_handshake: server asked for username/login auth but we were "
"not provided any credentials");
return false;
}
@@ -303,15 +300,13 @@
}
static bool
-recv_socks_reply(socket_descriptor_t sd,
- struct openvpn_sockaddr *addr,
- struct event_timeout *server_poll_timeout,
- volatile int *signal_received)
+recv_socks_reply(socket_descriptor_t sd, struct openvpn_sockaddr *addr,
+ struct event_timeout *server_poll_timeout, volatile int *signal_received)
{
char atyp = '\0';
int alen = 0;
int len = 0;
- char buf[270]; /* 4 + alen(max 256) + 2 */
+ char buf[270]; /* 4 + alen(max 256) + 2 */
if (addr != NULL)
{
@@ -379,18 +374,18 @@
{
switch (atyp)
{
- case '\x01': /* IP V4 */
+ case '\x01': /* IP V4 */
alen = 4;
break;
- case '\x03': /* DOMAINNAME */
+ case '\x03': /* DOMAINNAME */
/* RFC 1928, section 5: 1 byte length, <n> bytes name,
* so the total "address length" is (length+1)
*/
- alen = (unsigned char) c + 1;
+ alen = (unsigned char)c + 1;
break;
- case '\x04': /* IP V6 */
+ case '\x04': /* IP V6 */
alen = 16;
break;
@@ -421,8 +416,7 @@
memcpy(&addr->addr.in4.sin_addr, buf + 4, sizeof(addr->addr.in4.sin_addr));
memcpy(&addr->addr.in4.sin_port, buf + 8, sizeof(addr->addr.in4.sin_port));
struct gc_arena gc = gc_new();
- msg(M_INFO, "SOCKS proxy wants us to send UDP to %s",
- print_openvpn_sockaddr(addr, &gc));
+ msg(M_INFO, "SOCKS proxy wants us to send UDP to %s", print_openvpn_sockaddr(addr, &gc));
gc_free(&gc);
}
@@ -435,12 +429,12 @@
{
int port = 0;
port = atoi(servname);
- if (port >0 && port < 65536)
+ if (port > 0 && port < 65536)
{
return port;
}
- struct servent *service;
+ struct servent *service;
service = getservbyname(servname, NULL);
if (service)
{
@@ -452,9 +446,9 @@
void
establish_socks_proxy_passthru(struct socks_proxy_info *p,
- socket_descriptor_t sd, /* already open to proxy */
- const char *host, /* openvpn server remote */
- const char *servname, /* openvpn server port */
+ socket_descriptor_t sd, /* already open to proxy */
+ const char *host, /* openvpn server remote */
+ const char *servname, /* openvpn server port */
struct event_timeout *server_poll_timeout,
struct signal_info *sig_info)
{
@@ -467,32 +461,34 @@
}
/* format Socks CONNECT message */
- buf[0] = '\x05'; /* VER = 5 */
- buf[1] = '\x01'; /* CMD = 1 (CONNECT) */
- buf[2] = '\x00'; /* RSV */
- buf[3] = '\x03'; /* ATYP = 3 (DOMAINNAME) */
+ buf[0] = '\x05'; /* VER = 5 */
+ buf[1] = '\x01'; /* CMD = 1 (CONNECT) */
+ buf[2] = '\x00'; /* RSV */
+ buf[3] = '\x03'; /* ATYP = 3 (DOMAINNAME) */
len = strlen(host);
len = (5 + len + 2 > sizeof(buf)) ? (sizeof(buf) - 5 - 2) : len;
- buf[4] = (char) len;
+ buf[4] = (char)len;
memcpy(buf + 5, host, len);
int port = port_from_servname(servname);
- if (port ==0)
+ if (port == 0)
{
- msg(D_LINK_ERRORS, "establish_socks_proxy_passthrough: Cannot convert %s to port number", servname);
+ msg(D_LINK_ERRORS, "establish_socks_proxy_passthrough: Cannot convert %s to port number",
+ servname);
goto error;
}
- buf[5 + len] = (char) (port >> 8);
- buf[5 + len + 1] = (char) (port & 0xff);
+ buf[5 + len] = (char)(port >> 8);
+ buf[5 + len + 1] = (char)(port & 0xff);
{
const ssize_t size = send(sd, buf, 5 + len + 2, MSG_NOSIGNAL);
if ((int)size != 5 + (int)len + 2)
{
- msg(D_LINK_ERRORS | M_ERRNO, "establish_socks_proxy_passthru: TCP port write failed on send()");
+ msg(D_LINK_ERRORS | M_ERRNO,
+ "establish_socks_proxy_passthru: TCP port write failed on send()");
goto error;
}
}
@@ -514,7 +510,7 @@
void
establish_socks_proxy_udpassoc(struct socks_proxy_info *p,
- socket_descriptor_t ctrl_sd, /* already open to proxy */
+ socket_descriptor_t ctrl_sd, /* already open to proxy */
struct openvpn_sockaddr *relay_addr,
struct event_timeout *server_poll_timeout,
struct signal_info *sig_info)
@@ -528,12 +524,12 @@
/* send Socks UDP ASSOCIATE message */
/* VER = 5, CMD = 3 (UDP ASSOCIATE), RSV = 0, ATYP = 1 (IP V4),
* BND.ADDR = 0, BND.PORT = 0 */
- const ssize_t size = send(ctrl_sd,
- "\x05\x03\x00\x01\x00\x00\x00\x00\x00\x00",
- 10, MSG_NOSIGNAL);
+ const ssize_t size =
+ send(ctrl_sd, "\x05\x03\x00\x01\x00\x00\x00\x00\x00\x00", 10, MSG_NOSIGNAL);
if (size != 10)
{
- msg(D_LINK_ERRORS | M_ERRNO, "establish_socks_proxy_passthru: TCP port write failed on send()");
+ msg(D_LINK_ERRORS | M_ERRNO,
+ "establish_socks_proxy_passthru: TCP port write failed on send()");
goto error;
}
}
@@ -560,8 +556,7 @@
* Run after UDP read.
*/
void
-socks_process_incoming_udp(struct buffer *buf,
- struct link_socket_actual *from)
+socks_process_incoming_udp(struct buffer *buf, struct link_socket_actual *from)
{
int atyp;
@@ -577,7 +572,7 @@
}
atyp = buf_read_u8(buf);
- if (atyp != 1) /* ATYP == 1 (IP V4) */
+ if (atyp != 1) /* ATYP == 1 (IP V4) */
{
goto error;
}
@@ -599,8 +594,7 @@
* Returns the size of the header.
*/
int
-socks_process_outgoing_udp(struct buffer *buf,
- const struct link_socket_actual *to)
+socks_process_outgoing_udp(struct buffer *buf, const struct link_socket_actual *to)
{
/*
* Get a 10 byte subset buffer prepended to buf --
@@ -612,8 +606,8 @@
/* crash if not enough headroom in buf */
ASSERT(buf_defined(&head));
- buf_write_u16(&head, 0); /* RSV = 0 */
- buf_write_u8(&head, 0); /* FRAG = 0 */
+ buf_write_u16(&head, 0); /* RSV = 0 */
+ buf_write_u8(&head, 0); /* FRAG = 0 */
buf_write_u8(&head, '\x01'); /* ATYP = 1 (IP V4) */
buf_write(&head, &to->dest.addr.in4.sin_addr, sizeof(to->dest.addr.in4.sin_addr));
buf_write(&head, &to->dest.addr.in4.sin_port, sizeof(to->dest.addr.in4.sin_port));
@@ -33,7 +33,8 @@
struct openvpn_sockaddr;
struct link_socket_actual;
-struct socks_proxy_info {
+struct socks_proxy_info
+{
bool defined;
char server[128];
@@ -41,29 +42,26 @@
char authfile[256];
};
-struct socks_proxy_info *socks_proxy_new(const char *server,
- const char *port,
+struct socks_proxy_info *socks_proxy_new(const char *server, const char *port,
const char *authfile);
void socks_proxy_close(struct socks_proxy_info *sp);
void establish_socks_proxy_passthru(struct socks_proxy_info *p,
- socket_descriptor_t sd, /* already open to proxy */
- const char *host, /* openvpn server remote */
- const char *servname, /* openvpn server port */
+ socket_descriptor_t sd, /* already open to proxy */
+ const char *host, /* openvpn server remote */
+ const char *servname, /* openvpn server port */
struct event_timeout *server_poll_timeout,
struct signal_info *sig_info);
void establish_socks_proxy_udpassoc(struct socks_proxy_info *p,
- socket_descriptor_t ctrl_sd, /* already open to proxy */
+ socket_descriptor_t ctrl_sd, /* already open to proxy */
struct openvpn_sockaddr *relay_addr,
struct event_timeout *server_poll_timeout,
struct signal_info *sig_info);
-void socks_process_incoming_udp(struct buffer *buf,
- struct link_socket_actual *from);
+void socks_process_incoming_udp(struct buffer *buf, struct link_socket_actual *from);
-int socks_process_outgoing_udp(struct buffer *buf,
- const struct link_socket_actual *to);
+int socks_process_outgoing_udp(struct buffer *buf, const struct link_socket_actual *to);
#endif /* ifndef SOCKS_H */
@@ -74,20 +74,20 @@
static int tls_packets_generated; /* GLOBAL */
static int tls_packets_sent; /* GLOBAL */
-#define INCR_SENT ++tls_packets_sent
-#define INCR_GENERATED ++tls_packets_generated
-#define INCR_SUCCESS ++tls_handshake_success
-#define INCR_ERROR ++tls_handshake_error
+#define INCR_SENT ++tls_packets_sent
+#define INCR_GENERATED ++tls_packets_generated
+#define INCR_SUCCESS ++tls_handshake_success
+#define INCR_ERROR ++tls_handshake_error
void
show_tls_performance_stats(void)
{
msg(D_TLS_DEBUG_LOW, "TLS Handshakes, success=%f%% (good=%d, bad=%d), retransmits=%f%%",
- (double) tls_handshake_success / (tls_handshake_success + tls_handshake_error) * 100.0,
+ (double)tls_handshake_success / (tls_handshake_success + tls_handshake_error) * 100.0,
tls_handshake_success, tls_handshake_error,
- (double) (tls_packets_sent - tls_packets_generated) / tls_packets_generated * 100.0);
+ (double)(tls_packets_sent - tls_packets_generated) / tls_packets_generated * 100.0);
}
-#else /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
+#else /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
#define INCR_SENT
#define INCR_GENERATED
@@ -111,7 +111,7 @@
if (*reneg_bytes == -1) /* Not user-specified */
{
msg(M_WARN, "WARNING: cipher with small block size in use, "
- "reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.");
+ "reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.");
*reneg_bytes = 64 * 1024 * 1024;
}
}
@@ -129,9 +129,10 @@
/* set limit to 7/8 of the limit so the renegotiation can succeed before
* we go over the limit */
- limit = limit/8 * 7;
+ limit = limit / 8 * 7;
- msg(D_SHOW_KEYS, "Note: AEAD cipher %s will trigger a renegotiation"
+ msg(D_SHOW_KEYS,
+ "Note: AEAD cipher %s will trigger a renegotiation"
" at a sum of %" PRIi64 " blocks and packets.",
ciphername, limit);
return limit;
@@ -152,8 +153,7 @@
overhead += 10;
/* tls-auth and tls-crypt */
- overhead += max_int(tls_crypt_buf_overhead(),
- packet_id_size(true) + OPENVPN_MAX_HMAC_SIZE);
+ overhead += max_int(tls_crypt_buf_overhead(), packet_id_size(true) + OPENVPN_MAX_HMAC_SIZE);
/* TCP length field and opcode */
overhead += 3;
@@ -217,8 +217,7 @@
/* Add the typical UDP overhead for an IPv6 UDP packet. TCP+IPv6 has a
* larger overhead but the risk of a TCP connection getting dropped because
* we try to send a too large packet is basically zero */
- overhead += datagram_overhead(session->untrusted_addr.dest.addr.sa.sa_family,
- PROTO_UDP);
+ overhead += datagram_overhead(session->untrusted_addr.dest.addr.sa.sa_family, PROTO_UDP);
return overhead;
}
@@ -252,7 +251,8 @@
unprotect_user_pass(&passbuf);
if (!strlen(passbuf.password))
{
- get_user_pass(&passbuf, auth_file, UP_TYPE_PRIVATE_KEY, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY);
+ get_user_pass(&passbuf, auth_file, UP_TYPE_PRIVATE_KEY,
+ GET_USER_PASS_MANAGEMENT | GET_USER_PASS_PASSWORD_ONLY);
}
}
@@ -291,8 +291,7 @@
}
void
-auth_user_pass_setup(const char *auth_file, bool is_inline,
- const struct static_challenge_info *sci)
+auth_user_pass_setup(const char *auth_file, bool is_inline, const struct static_challenge_info *sci)
{
unsigned int flags = GET_USER_PASS_MANAGEMENT;
@@ -308,11 +307,7 @@
if (auth_challenge) /* dynamic challenge/response */
{
flags |= GET_USER_PASS_DYNAMIC_CHALLENGE;
- get_user_pass_cr(&auth_user_pass,
- auth_file,
- UP_TYPE_AUTH,
- flags,
- auth_challenge);
+ get_user_pass_cr(&auth_user_pass, auth_file, UP_TYPE_AUTH, flags, auth_challenge);
}
else if (sci) /* static challenge response */
{
@@ -325,11 +320,7 @@
{
flags |= GET_USER_PASS_STATIC_CHALLENGE_CONCAT;
}
- get_user_pass_cr(&auth_user_pass,
- auth_file,
- UP_TYPE_AUTH,
- flags,
- sci->challenge_text);
+ get_user_pass_cr(&auth_user_pass, auth_file, UP_TYPE_AUTH, flags, sci->challenge_text);
}
else
#endif /* ifdef ENABLE_MANAGEMENT */
@@ -468,11 +459,10 @@
* @param crl_file_inline True if crl_file is an inline CRL.
*/
static void
-tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
- bool crl_file_inline)
+tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_file_inline)
{
/* if something goes wrong with stat(), we'll store 0 as mtime */
- platform_stat_t crl_stat = {0};
+ platform_stat_t crl_stat = { 0 };
/*
* an inline CRL can't change at runtime, therefore there is no need to
@@ -536,11 +526,10 @@
if (options->dh_file)
{
- tls_ctx_load_dh_params(new_ctx, options->dh_file,
- options->dh_file_inline);
+ tls_ctx_load_dh_params(new_ctx, options->dh_file, options->dh_file_inline);
}
}
- else /* if client */
+ else /* if client */
{
tls_ctx_client_new(new_ctx);
}
@@ -567,8 +556,9 @@
if (options->pkcs12_file)
{
- if (0 != tls_ctx_load_pkcs12(new_ctx, options->pkcs12_file,
- options->pkcs12_file_inline, !options->ca_file))
+ if (0
+ != tls_ctx_load_pkcs12(new_ctx, options->pkcs12_file, options->pkcs12_file_inline,
+ !options->ca_file))
{
goto err;
}
@@ -593,8 +583,7 @@
#ifdef ENABLE_MANAGEMENT
else if (options->management_flags & MF_EXTERNAL_CERT)
{
- char *cert = management_query_cert(management,
- options->management_certificate);
+ char *cert = management_query_cert(management, options->management_certificate);
tls_ctx_load_cert_file(new_ctx, cert, true);
free(cert);
}
@@ -606,8 +595,9 @@
if (options->priv_key_file)
{
- if (0 != tls_ctx_load_priv_file(new_ctx, options->priv_key_file,
- options->priv_key_file_inline))
+ if (0
+ != tls_ctx_load_priv_file(new_ctx, options->priv_key_file,
+ options->priv_key_file_inline))
{
goto err;
}
@@ -625,15 +615,16 @@
if (options->ca_file || options->ca_path)
{
- tls_ctx_load_ca(new_ctx, options->ca_file, options->ca_file_inline,
- options->ca_path, options->tls_server);
+ tls_ctx_load_ca(new_ctx, options->ca_file, options->ca_file_inline, options->ca_path,
+ options->tls_server);
}
/* Load extra certificates that are part of our own certificate
* chain but shouldn't be included in the verify chain */
if (options->extra_certs_file)
{
- tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file, options->extra_certs_file_inline);
+ tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file,
+ options->extra_certs_file_inline);
}
/* Check certificate notBefore and notAfter */
@@ -777,9 +768,8 @@
for (int i = 0; i < KEY_SCAN_SIZE; ++i)
{
struct key_state *ks = get_key_scan(multi, i);
- buf_printf(&out, " [key#%d state=%s auth=%s id=%d sid=%s]", i,
- state_name(ks->state), ks_auth_name(ks->authenticated),
- ks->key_id,
+ buf_printf(&out, " [key#%d state=%s auth=%s id=%d sid=%s]", i, state_name(ks->state),
+ ks_auth_name(ks->authenticated), ks->key_id,
session_id_print(&ks->session_id_remote, gc));
}
@@ -832,8 +822,7 @@
* Build TLS object that reads/writes ciphertext
* to/from memory BIOs.
*/
- key_state_ssl_init(&ks->ks_ssl, &session->opt->ssl_ctx, session->opt->server,
- session);
+ key_state_ssl_init(&ks->ks_ssl, &session->opt->ssl_ctx, session->opt->server, session);
/* Set control-channel initiation mode */
ks->initial_opcode = session->initial_opcode;
@@ -869,14 +858,12 @@
session->opt->frame.buf.headroom, TLS_RELIABLE_N_SEND_BUFFERS,
ks->key_id ? false : session->opt->xmit_hold);
reliable_init(ks->rec_reliable, BUF_SIZE(&session->opt->frame),
- session->opt->frame.buf.headroom, TLS_RELIABLE_N_REC_BUFFERS,
- false);
+ session->opt->frame.buf.headroom, TLS_RELIABLE_N_REC_BUFFERS, false);
reliable_set_timeout(ks->send_reliable, session->opt->packet_timeout);
/* init packet ID tracker */
- packet_id_init(&ks->crypto_options.packet_id,
- session->opt->replay_window, session->opt->replay_time, "SSL",
- ks->key_id);
+ packet_id_init(&ks->crypto_options.packet_id, session->opt->replay_window,
+ session->opt->replay_time, "SSL", ks->key_id);
ks->crypto_options.pid_persist = NULL;
@@ -888,11 +875,10 @@
* Attempt CRL reload before TLS negotiation. Won't be performed if
* the file was not modified since the last reload
*/
- if (session->opt->crl_file
- && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR))
+ if (session->opt->crl_file && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR))
{
- tls_ctx_reload_crl(&session->opt->ssl_ctx,
- session->opt->crl_file, session->opt->crl_file_inline);
+ tls_ctx_reload_crl(&session->opt->ssl_ctx, session->opt->crl_file,
+ session->opt->crl_file_inline);
}
}
@@ -963,7 +949,7 @@
#ifdef ENABLE_MANAGEMENT
|| management_enable_def_auth(management)
#endif
- );
+ );
}
@@ -1012,8 +998,8 @@
}
else
{
- session->initial_opcode = session->opt->tls_crypt_v2 ?
- P_CONTROL_HARD_RESET_CLIENT_V3 : P_CONTROL_HARD_RESET_CLIENT_V2;
+ session->initial_opcode = session->opt->tls_crypt_v2 ? P_CONTROL_HARD_RESET_CLIENT_V3
+ : P_CONTROL_HARD_RESET_CLIENT_V2;
}
/* Initialize control channel authentication parameters */
@@ -1021,10 +1007,8 @@
session->tls_wrap.work = alloc_buf(BUF_SIZE(&session->opt->frame));
/* initialize packet ID replay window for --tls-auth */
- packet_id_init(&session->tls_wrap.opt.packet_id,
- session->opt->replay_window,
- session->opt->replay_time,
- "TLS_WRAP", session->key_id);
+ packet_id_init(&session->tls_wrap.opt.packet_id, session->opt->replay_window,
+ session->opt->replay_time, "TLS_WRAP", session->key_id);
/* If we are using tls-crypt-v2 we manipulate the packet id to be (ab)used
* to indicate early protocol negotiation */
@@ -1035,8 +1019,7 @@
}
/* load most recent packet-id to replay protect on --tls-auth */
- packet_id_persist_load_obj(session->tls_wrap.opt.pid_persist,
- &session->tls_wrap.opt.packet_id);
+ packet_id_persist_load_obj(session->tls_wrap.opt.pid_persist, &session->tls_wrap.opt.packet_id);
key_state_init(session, &session->key[KS_PRIMARY]);
@@ -1094,9 +1077,7 @@
move_session(struct tls_multi *multi, int dest, int src, bool reinit_src)
{
msg(D_TLS_DEBUG_LOW, "TLS: move_session: dest=%s src=%s reinit_src=%d",
- session_index_name(dest),
- session_index_name(src),
- reinit_src);
+ session_index_name(dest), session_index_name(src), reinit_src);
ASSERT(src != dest);
ASSERT(src >= 0 && src < TM_SIZE);
ASSERT(dest >= 0 && dest < TM_SIZE);
@@ -1200,8 +1181,7 @@
*/
struct tls_auth_standalone *
-tls_auth_standalone_init(struct tls_options *tls_options,
- struct gc_arena *gc)
+tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
{
struct tls_auth_standalone *tas;
@@ -1242,9 +1222,7 @@
* sets.
*/
void
-tls_multi_init_set_options(struct tls_multi *multi,
- const char *local,
- const char *remote)
+tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
{
/* initialize options string */
multi->opt.local_options = local;
@@ -1290,8 +1268,7 @@
*/
static void
-key_source_print(const struct key_source *k,
- const char *prefix)
+key_source_print(const struct key_source *k, const char *prefix)
{
struct gc_arena gc = gc_new();
@@ -1299,17 +1276,11 @@
VALGRIND_MAKE_READABLE((void *)k->random1, sizeof(k->random1));
VALGRIND_MAKE_READABLE((void *)k->random2, sizeof(k->random2));
- dmsg(D_SHOW_KEY_SOURCE,
- "%s pre_master: %s",
- prefix,
+ dmsg(D_SHOW_KEY_SOURCE, "%s pre_master: %s", prefix,
format_hex(k->pre_master, sizeof(k->pre_master), 0, &gc));
- dmsg(D_SHOW_KEY_SOURCE,
- "%s random1: %s",
- prefix,
+ dmsg(D_SHOW_KEY_SOURCE, "%s random1: %s", prefix,
format_hex(k->random1, sizeof(k->random1), 0, &gc));
- dmsg(D_SHOW_KEY_SOURCE,
- "%s random2: %s",
- prefix,
+ dmsg(D_SHOW_KEY_SOURCE, "%s random2: %s", prefix,
format_hex(k->random2, sizeof(k->random2), 0, &gc));
gc_free(&gc);
@@ -1323,24 +1294,15 @@
}
static bool
-openvpn_PRF(const uint8_t *secret,
- int secret_len,
- const char *label,
- const uint8_t *client_seed,
- int client_seed_len,
- const uint8_t *server_seed,
- int server_seed_len,
- const struct session_id *client_sid,
- const struct session_id *server_sid,
- uint8_t *output,
- int output_len)
+openvpn_PRF(const uint8_t *secret, int secret_len, const char *label, const uint8_t *client_seed,
+ int client_seed_len, const uint8_t *server_seed, int server_seed_len,
+ const struct session_id *client_sid, const struct session_id *server_sid,
+ uint8_t *output, int output_len)
{
/* concatenate seed components */
- struct buffer seed = alloc_buf(strlen(label)
- + client_seed_len
- + server_seed_len
- + SID_SIZE * 2);
+ struct buffer seed =
+ alloc_buf(strlen(label) + client_seed_len + server_seed_len + SID_SIZE * 2);
ASSERT(buf_write(&seed, label, strlen(label)));
ASSERT(buf_write(&seed, client_seed, client_seed_len));
@@ -1356,8 +1318,7 @@
}
/* compute PRF */
- bool ret = ssl_tls1_PRF(BPTR(&seed), BLEN(&seed), secret, secret_len,
- output, output_len);
+ bool ret = ssl_tls1_PRF(BPTR(&seed), BLEN(&seed), secret, secret_len, output, output_len);
buf_clear(&seed);
free_buf(&seed);
@@ -1367,11 +1328,8 @@
}
static void
-init_epoch_keys(struct key_state *ks,
- struct tls_multi *multi,
- const struct key_type *key_type,
- bool server,
- struct key2 *key2)
+init_epoch_keys(struct key_state *ks, struct tls_multi *multi, const struct key_type *key_type,
+ bool server, struct key2 *key2)
{
/* For now we hardcode this to be 16 for the software based data channel
* DCO based implementations/HW implementation might adjust this number
@@ -1402,19 +1360,15 @@
* b) They let userspace do the key derivation and pass all the individual
* keys to the DCO layer.
* */
- epoch_init_key_ctx(co, key_type, &e1_send, &e1_recv, future_key_count);
+ epoch_init_key_ctx(co, key_type, &e1_send, &e1_recv, future_key_count);
secure_memzero(&e1_send, sizeof(e1_send));
secure_memzero(&e1_recv, sizeof(e1_recv));
}
static void
-init_key_contexts(struct key_state *ks,
- struct tls_multi *multi,
- const struct key_type *key_type,
- bool server,
- struct key2 *key2,
- bool dco_enabled)
+init_key_contexts(struct key_state *ks, struct tls_multi *multi, const struct key_type *key_type,
+ bool server, struct key2 *key2, bool dco_enabled)
{
struct key_ctx_bi *key = &ks->crypto_options.key_ctx_bi;
@@ -1428,12 +1382,10 @@
msg(M_FATAL, "FATAL: DCO does not support --auth");
}
- int ret = init_key_dco_bi(multi, ks, key2, key_direction,
- key_type->cipher, server);
+ int ret = init_key_dco_bi(multi, ks, key2, key_direction, key_type->cipher, server);
if (ret < 0)
{
- msg(M_FATAL, "Impossible to install key material in DCO: %s",
- strerror(-ret));
+ msg(M_FATAL, "Impossible to install key material in DCO: %s", strerror(-ret));
}
/* encrypt/decrypt context are unused with DCO */
@@ -1445,7 +1397,8 @@
{
if (!cipher_kt_mode_aead(key_type->cipher))
{
- msg(M_FATAL, "AEAD cipher (currently %s) "
+ msg(M_FATAL,
+ "AEAD cipher (currently %s) "
"required for epoch data format.",
cipher_kt_name(key_type->cipher));
}
@@ -1461,8 +1414,8 @@
generate_key_expansion_tls_export(struct tls_session *session, struct key2 *key2)
{
if (!key_state_export_keying_material(session, EXPORT_KEY_DATA_LABEL,
- strlen(EXPORT_KEY_DATA_LABEL),
- key2->keys, sizeof(key2->keys)))
+ strlen(EXPORT_KEY_DATA_LABEL), key2->keys,
+ sizeof(key2->keys)))
{
return false;
}
@@ -1479,42 +1432,28 @@
const struct key_state *ks = &session->key[KS_PRIMARY];
const struct key_source2 *key_src = ks->key_src;
- const struct session_id *client_sid = session->opt->server ?
- &ks->session_id_remote : &session->session_id;
- const struct session_id *server_sid = !session->opt->server ?
- &ks->session_id_remote : &session->session_id;
+ const struct session_id *client_sid =
+ session->opt->server ? &ks->session_id_remote : &session->session_id;
+ const struct session_id *server_sid =
+ !session->opt->server ? &ks->session_id_remote : &session->session_id;
/* debugging print of source key material */
key_source2_print(key_src);
/* compute master secret */
- if (!openvpn_PRF(key_src->client.pre_master,
- sizeof(key_src->client.pre_master),
- KEY_EXPANSION_ID " master secret",
- key_src->client.random1,
- sizeof(key_src->client.random1),
- key_src->server.random1,
- sizeof(key_src->server.random1),
- NULL,
- NULL,
- master,
- sizeof(master)))
+ if (!openvpn_PRF(key_src->client.pre_master, sizeof(key_src->client.pre_master),
+ KEY_EXPANSION_ID " master secret", key_src->client.random1,
+ sizeof(key_src->client.random1), key_src->server.random1,
+ sizeof(key_src->server.random1), NULL, NULL, master, sizeof(master)))
{
return false;
}
/* compute key expansion */
- if (!openvpn_PRF(master,
- sizeof(master),
- KEY_EXPANSION_ID " key expansion",
- key_src->client.random2,
- sizeof(key_src->client.random2),
- key_src->server.random2,
- sizeof(key_src->server.random2),
- client_sid,
- server_sid,
- (uint8_t *)key2->keys,
- sizeof(key2->keys)))
+ if (!openvpn_PRF(master, sizeof(master), KEY_EXPANSION_ID " key expansion",
+ key_src->client.random2, sizeof(key_src->client.random2),
+ key_src->server.random2, sizeof(key_src->server.random2), client_sid,
+ server_sid, (uint8_t *)key2->keys, sizeof(key2->keys)))
{
return false;
}
@@ -1530,8 +1469,7 @@
* master key.
*/
static bool
-generate_key_expansion(struct tls_multi *multi, struct key_state *ks,
- struct tls_session *session)
+generate_key_expansion(struct tls_multi *multi, struct key_state *ks, struct tls_session *session)
{
struct key_ctx_bi *key = &ks->crypto_options.key_ctx_bi;
bool ret = false;
@@ -1558,17 +1496,16 @@
if (!generate_key_expansion_openvpn_prf(session, &key2))
{
msg(D_TLS_ERRORS, "TLS Error: PRF calculation failed. Your system "
- "might not support the old TLS 1.0 PRF calculation anymore or "
- "the policy does not allow it (e.g. running in FIPS mode). "
- "The peer did not announce support for the modern TLS Export "
- "feature that replaces the TLS 1.0 PRF (requires OpenVPN "
- "2.6.x or higher)");
+ "might not support the old TLS 1.0 PRF calculation anymore or "
+ "the policy does not allow it (e.g. running in FIPS mode). "
+ "The peer did not announce support for the modern TLS Export "
+ "feature that replaces the TLS 1.0 PRF (requires OpenVPN "
+ "2.6.x or higher)");
goto exit;
}
}
- key2_print(&key2, &session->opt->key_type,
- "Master Encrypt", "Master Decrypt");
+ key2_print(&key2, &session->opt->key_type, "Master Encrypt", "Master Decrypt");
/* check for weak keys */
for (int i = 0; i < 2; ++i)
@@ -1580,8 +1517,7 @@
}
}
- init_key_contexts(ks, multi, &session->opt->key_type, server, &key2,
- session->opt->dco_enabled);
+ init_key_contexts(ks, multi, &session->opt->key_type, server, &key2, session->opt->dco_enabled);
ret = true;
exit:
@@ -1597,11 +1533,10 @@
* can thus be called only once per session.
*/
bool
-tls_session_generate_data_channel_keys(struct tls_multi *multi,
- struct tls_session *session)
+tls_session_generate_data_channel_keys(struct tls_multi *multi, struct tls_session *session)
{
bool ret = false;
- struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
+ struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
if (ks->authenticated <= KS_AUTH_FALSE)
{
@@ -1616,8 +1551,7 @@
msg(D_TLS_ERRORS, "TLS Error: generate_key_expansion failed");
goto cleanup;
}
- tls_limit_reneg_bytes(session->opt->key_type.cipher,
- &session->opt->renegotiate_bytes);
+ tls_limit_reneg_bytes(session->opt->key_type.cipher, &session->opt->renegotiate_bytes);
session->opt->aead_usage_limit = tls_get_limit_aead(session->opt->key_type.cipher);
@@ -1631,23 +1565,18 @@
}
bool
-tls_session_update_crypto_params_do_work(struct tls_multi *multi,
- struct tls_session *session,
- struct options *options,
- struct frame *frame,
- struct frame *frame_fragment,
- struct link_socket_info *lsi,
+tls_session_update_crypto_params_do_work(struct tls_multi *multi, struct tls_session *session,
+ struct options *options, struct frame *frame,
+ struct frame *frame_fragment, struct link_socket_info *lsi,
dco_context_t *dco)
{
if (session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized)
{
/* keys already generated, nothing to do */
return true;
-
}
- init_key_type(&session->opt->key_type, options->ciphername,
- options->authname, true, true);
+ init_key_type(&session->opt->key_type, options->ciphername, options->authname, true, true);
bool packet_id_long_form = cipher_kt_mode_ofb_cfb(session->opt->key_type.cipher);
session->opt->crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
@@ -1691,10 +1620,8 @@
* mssfix are set to update in-kernel config */
if (options->ping_send_timeout || frame->mss_fix)
{
- int ret = dco_set_peer(dco, multi->dco_peer_id,
- options->ping_send_timeout,
- options->ping_rec_timeout,
- frame->mss_fix);
+ int ret = dco_set_peer(dco, multi->dco_peer_id, options->ping_send_timeout,
+ options->ping_rec_timeout, frame->mss_fix);
if (ret < 0)
{
msg(D_DCO, "Cannot set DCO peer parameters for peer (id=%u): %s",
@@ -1707,11 +1634,9 @@
}
bool
-tls_session_update_crypto_params(struct tls_multi *multi,
- struct tls_session *session,
+tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session,
struct options *options, struct frame *frame,
- struct frame *frame_fragment,
- struct link_socket_info *lsi,
+ struct frame *frame_fragment, struct link_socket_info *lsi,
dco_context_t *dco)
{
if (!check_session_cipher(session, options))
@@ -1722,19 +1647,18 @@
/* Import crypto settings that might be set by pull/push */
session->opt->crypto_flags |= options->imported_protocol_flags;
- return tls_session_update_crypto_params_do_work(multi, session, options,
- frame, frame_fragment, lsi, dco);
+ return tls_session_update_crypto_params_do_work(multi, session, options, frame, frame_fragment,
+ lsi, dco);
}
static bool
-random_bytes_to_buf(struct buffer *buf,
- uint8_t *out,
- int outlen)
+random_bytes_to_buf(struct buffer *buf, uint8_t *out, int outlen)
{
if (!rand_bytes(out, outlen))
{
- msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation [SSL]");
+ msg(M_FATAL,
+ "ERROR: Random number generator cannot obtain entropy for key generation [SSL]");
}
if (!buf_write(buf, out, outlen))
{
@@ -1744,9 +1668,7 @@
}
static bool
-key_source2_randomize_write(struct key_source2 *k2,
- struct buffer *buf,
- bool server)
+key_source2_randomize_write(struct key_source2 *k2, struct buffer *buf, bool server)
{
struct key_source *k = &k2->client;
if (server)
@@ -1777,9 +1699,7 @@
}
static int
-key_source2_read(struct key_source2 *k2,
- struct buffer *buf,
- bool server)
+key_source2_read(struct key_source2 *k2, struct buffer *buf, bool server)
{
struct key_source *k = &k2->client;
@@ -1829,10 +1749,10 @@
static void
key_state_soft_reset(struct tls_session *session)
{
- struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
+ struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
- ks->must_die = now + session->opt->transition_window; /* remaining lifetime of old key */
+ ks->must_die = now + session->opt->transition_window; /* remaining lifetime of old key */
key_state_free(ks_lame, false);
*ks_lame = *ks;
@@ -1905,7 +1825,7 @@
{
return -len;
}
- str[len-1] = '\0';
+ str[len - 1] = '\0';
return len;
}
@@ -1919,14 +1839,14 @@
{
return NULL;
}
- str = (char *) malloc(len);
+ str = (char *)malloc(len);
check_malloc_return(str);
if (!buf_read(buf, str, len))
{
free(str);
return NULL;
}
- str[len-1] = '\0';
+ str[len - 1] = '\0';
return str;
}
@@ -2019,7 +1939,6 @@
if (tls_item_in_cipher_list("AES-128-GCM", session->opt->config_ncp_ciphers)
&& tls_item_in_cipher_list("AES-256-GCM", session->opt->config_ncp_ciphers))
{
-
buf_printf(&out, "IV_NCP=2\n");
}
}
@@ -2058,7 +1977,7 @@
{
buf_printf(&out, "IV_HWADDR=%s\n", format_hex_ex(rgi.hwaddr, 6, 0, 1, ":", &gc));
}
- buf_printf(&out, "IV_SSL=%s\n", get_ssl_library_version() );
+ buf_printf(&out, "IV_SSL=%s\n", get_ssl_library_version());
#if defined(_WIN32)
buf_printf(&out, "IV_PLAT_VER=%s\n", win32_version_string(&gc));
#else
@@ -2080,8 +1999,7 @@
|| strncmp(e->string, "IV_PLAT_VER=", sizeof("IV_PLAT_VER=") - 1) == 0)
&& session->opt->push_peer_info_detail > 2)
|| (strncmp(e->string, "IV_GUI_VER=", sizeof("IV_GUI_VER=") - 1) == 0)
- || (strncmp(e->string, "IV_SSO=", sizeof("IV_SSO=") - 1) == 0)
- )
+ || (strncmp(e->string, "IV_SSO=", sizeof("IV_SSO=") - 1) == 0))
&& buf_safe(&out, strlen(e->string) + 1))
{
buf_printf(&out, "%s\n", e->string);
@@ -2128,7 +2046,7 @@
static bool
key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
{
- struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
+ struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
ASSERT(buf_init(buf, 0));
@@ -2163,7 +2081,7 @@
}
else
#endif
- if (!write_string(buf, session->opt->local_options, TLS_OPTIONS_LEN))
+ if (!write_string(buf, session->opt->local_options, TLS_OPTIONS_LEN))
{
goto error;
}
@@ -2174,8 +2092,7 @@
{
#ifdef ENABLE_MANAGEMENT
auth_user_pass_setup(session->opt->auth_user_pass_file,
- session->opt->auth_user_pass_file_inline,
- session->opt->sci);
+ session->opt->auth_user_pass_file_inline, session->opt->sci);
#else
auth_user_pass_setup(session->opt->auth_user_pass_file,
session->opt->auth_user_pass_file_inline, NULL);
@@ -2228,8 +2145,7 @@
goto error;
}
- if (session->opt->server && session->opt->mode != MODE_SERVER
- && ks->key_id == 0)
+ if (session->opt->server && session->opt->mode != MODE_SERVER && ks->key_id == 0)
{
/* tls-server option set and not P2MP server, so we
* are a P2P client running in tls-server mode */
@@ -2253,18 +2169,16 @@
struct gc_arena gc = gc_new();
unsigned char *ekm = gc_malloc(session->opt->ekm_size, true, &gc);
- if (key_state_export_keying_material(session,
- session->opt->ekm_label,
- session->opt->ekm_label_size,
- ekm, session->opt->ekm_size))
+ if (key_state_export_keying_material(session, session->opt->ekm_label,
+ session->opt->ekm_label_size, ekm,
+ session->opt->ekm_size))
{
unsigned int len = (size * 2) + 2;
const char *key = format_hex_ex(ekm, size, len, 0, NULL, &gc);
setenv_str(session->opt->es, "exported_keying_material", key);
- dmsg(D_TLS_DEBUG_MED, "%s: exported keying material: %s",
- __func__, key);
+ dmsg(D_TLS_DEBUG_MED, "%s: exported keying material: %s", __func__, key);
secure_memzero(ekm, size);
}
else
@@ -2283,7 +2197,7 @@
static bool
key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
{
- struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
+ struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
struct gc_arena gc = gc_new();
char *options;
@@ -2295,8 +2209,7 @@
/* discard leading uint32 */
if (!buf_advance(buf, 4))
{
- msg(D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).",
- buf->len);
+ msg(D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).", buf->len);
goto error;
}
@@ -2304,8 +2217,7 @@
int key_method_flags = buf_read_u8(buf);
if ((key_method_flags & KEY_METHOD_MASK) != 2)
{
- msg(D_TLS_ERRORS,
- "TLS ERROR: Unknown key_method/flags=%d received from remote host",
+ msg(D_TLS_ERRORS, "TLS ERROR: Unknown key_method/flags=%d received from remote host",
key_method_flags);
goto error;
}
@@ -2313,7 +2225,8 @@
/* get key source material (not actual keys yet) */
if (!key_source2_read(ks->key_src, buf, session->opt->server))
{
- msg(D_TLS_ERRORS, "TLS Error: Error reading remote data channel key source entropy from plaintext buffer");
+ msg(D_TLS_ERRORS,
+ "TLS Error: Error reading remote data channel key source entropy from plaintext buffer");
goto error;
}
@@ -2343,13 +2256,11 @@
}
free(multi->remote_ciphername);
- multi->remote_ciphername =
- options_string_extract_option(options, "cipher", NULL);
+ multi->remote_ciphername = options_string_extract_option(options, "cipher", NULL);
multi->remote_usescomp = strstr(options, ",comp-lzo,");
/* In OCC we send '[null-cipher]' instead 'none' */
- if (multi->remote_ciphername
- && strcmp(multi->remote_ciphername, "[null-cipher]") == 0)
+ if (multi->remote_ciphername && strcmp(multi->remote_ciphername, "[null-cipher]") == 0)
{
free(multi->remote_ciphername);
multi->remote_ciphername = string_alloc("none", NULL);
@@ -2357,10 +2268,10 @@
if (username_len < 0 || password_len < 0)
{
- msg(D_TLS_ERRORS, "TLS Error: Username (%d) or password (%d) too long",
- abs(username_len), abs(password_len));
+ msg(D_TLS_ERRORS, "TLS Error: Username (%d) or password (%d) too long", abs(username_len),
+ abs(password_len));
auth_set_client_reason(multi, "Username or password is too long. "
- "Maximum length is 128 bytes");
+ "Maximum length is 128 bytes");
/* treat the same as failed username/password and do not error
* out (goto error) to sent an AUTH_FAILED back to the client */
@@ -2386,8 +2297,7 @@
/* Session verification should have occurred during TLS negotiation*/
if (!session->verified)
{
- msg(D_TLS_ERRORS,
- "TLS Error: Certificate verification failed (key-method 2)");
+ msg(D_TLS_ERRORS, "TLS Error: Certificate verification failed (key-method 2)");
goto error;
}
ks->authenticated = KS_AUTH_TRUE;
@@ -2410,7 +2320,7 @@
if (multi->opt.comp_options.flags & COMP_F_MIGRATE && multi->remote_usescomp)
{
msg(D_PUSH, "Note: 'compress migrate' detected remote peer "
- "with compression enabled.");
+ "with compression enabled.");
remote_options = options_string_compat_lzo(remote_options, &gc);
}
#endif
@@ -2419,7 +2329,8 @@
if (session->opt->ssl_flags & SSLF_OPT_VERIFY)
{
- msg(D_TLS_ERRORS, "Option inconsistency warnings triggering disconnect due to --opt-verify");
+ msg(D_TLS_ERRORS,
+ "Option inconsistency warnings triggering disconnect due to --opt-verify");
ks->authenticated = KS_AUTH_FALSE;
}
}
@@ -2435,7 +2346,9 @@
{
export_user_keying_material(session);
- if (plugin_call(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL, NULL, NULL, session->opt->es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
+ if (plugin_call(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL, NULL, NULL,
+ session->opt->es)
+ != OPENVPN_PLUGIN_FUNC_SUCCESS)
{
ks->authenticated = KS_AUTH_FALSE;
}
@@ -2485,8 +2398,8 @@
* @return if the state change was succesful
*/
static bool
-session_move_pre_start(const struct tls_session *session,
- struct key_state *ks, bool skip_initial_send)
+session_move_pre_start(const struct tls_session *session, struct key_state *ks,
+ bool skip_initial_send)
{
struct buffer *buf = reliable_get_buf_output_sequenced(ks->send_reliable);
if (!buf)
@@ -2519,17 +2432,10 @@
#ifdef ENABLE_MANAGEMENT
if (management && ks->initial_opcode != P_CONTROL_SOFT_RESET_V1)
{
- management_set_state(management,
- OPENVPN_STATE_WAIT,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL);
+ management_set_state(management, OPENVPN_STATE_WAIT, NULL, NULL, NULL, NULL, NULL);
}
#endif
return true;
-
}
/**
@@ -2538,8 +2444,7 @@
*/
static void
session_move_active(struct tls_multi *multi, struct tls_session *session,
- struct link_socket_info *to_link_socket_info,
- struct key_state *ks)
+ struct link_socket_info *to_link_socket_info, struct key_state *ks)
{
dmsg(D_TLS_DEBUG_MED, "STATE S_ACTIVE");
@@ -2554,8 +2459,8 @@
INCR_SUCCESS;
/* Set outgoing address for data channel packets */
- link_socket_set_outgoing_addr(to_link_socket_info, &ks->remote_addr,
- session->common_name, session->opt->es);
+ link_socket_set_outgoing_addr(to_link_socket_info, &ks->remote_addr, session->common_name,
+ session->opt->es);
/* Check if we need to advance the tls_multi state machine */
if (multi->multi_state == CAS_NOT_CONNECTED)
@@ -2581,8 +2486,7 @@
}
bool
-session_skip_to_pre_start(struct tls_session *session,
- struct tls_pre_decrypt_state *state,
+session_skip_to_pre_start(struct tls_session *session, struct tls_pre_decrypt_state *state,
struct link_socket_actual *from)
{
struct key_state *ks = &session->key[KS_PRIMARY];
@@ -2656,8 +2560,7 @@
* Returns false if an error is encountered that should abort the session.
*/
static bool
-read_incoming_tls_ciphertext(struct buffer *buf, struct key_state *ks,
- bool *continue_tls_process)
+read_incoming_tls_ciphertext(struct buffer *buf, struct key_state *ks, bool *continue_tls_process)
{
int status = 0;
if (buf->len)
@@ -2665,8 +2568,7 @@
status = key_state_write_ciphertext(&ks->ks_ssl, buf);
if (status == -1)
{
- msg(D_TLS_ERRORS,
- "TLS Error: Incoming Ciphertext -> TLS object write error");
+ msg(D_TLS_ERRORS, "TLS Error: Incoming Ciphertext -> TLS object write error");
return false;
}
}
@@ -2686,14 +2588,13 @@
static bool
control_packet_needs_wkc(const struct key_state *ks)
{
- return (ks->crypto_options.flags & CO_RESEND_WKC)
- && (ks->send_reliable->packet_id == 1);
+ return (ks->crypto_options.flags & CO_RESEND_WKC) && (ks->send_reliable->packet_id == 1);
}
static bool
-read_incoming_tls_plaintext(struct key_state *ks, struct buffer *buf,
- interval_t *wakeup, bool *continue_tls_process)
+read_incoming_tls_plaintext(struct key_state *ks, struct buffer *buf, interval_t *wakeup,
+ bool *continue_tls_process)
{
ASSERT(buf_init(buf, 0));
@@ -2748,7 +2649,8 @@
* if we have a large wrapped client key. */
if (maxlen < 16)
{
- msg(D_TLS_ERRORS, "Warning: --max-packet-size (%d) setting too low. "
+ msg(D_TLS_ERRORS,
+ "Warning: --max-packet-size (%d) setting too low. "
"Sending minimum sized packet.",
session->opt->frame.tun_mtu);
maxlen = 16;
@@ -2765,8 +2667,7 @@
if (status == -1)
{
- msg(D_TLS_ERRORS,
- "TLS Error: Ciphertext -> reliable TCP/UDP transport read error");
+ msg(D_TLS_ERRORS, "TLS Error: Ciphertext -> reliable TCP/UDP transport read error");
gc_free(&gc);
return false;
}
@@ -2822,12 +2723,9 @@
}
static bool
-tls_process_state(struct tls_multi *multi,
- struct tls_session *session,
- struct buffer *to_link,
+tls_process_state(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link,
struct link_socket_actual **to_link_addr,
- struct link_socket_info *to_link_socket_info,
- interval_t *wakeup)
+ struct link_socket_info *to_link_socket_info, interval_t *wakeup)
{
/* This variable indicates if we should call this method
* again to process more incoming/outgoing TLS state/data
@@ -2836,7 +2734,7 @@
* should only be done after the outer loop (sending packets etc.)
* has run once more */
bool continue_tls_process = false;
- struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
+ struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
/* Initial handshake */
if (ks->state == S_INITIAL)
@@ -2886,8 +2784,7 @@
struct buffer b = *buf;
INCR_SENT;
- write_control_auth(session, ks, &b, to_link_addr, opcode,
- CONTROL_SEND_ACK_MAX, true);
+ write_control_auth(session, ks, &b, to_link_addr, opcode, CONTROL_SEND_ACK_MAX, true);
*to_link = b;
dmsg(D_TLS_DEBUG, "Reliable -> TCP/UDP");
@@ -2943,8 +2840,9 @@
/* Send Key */
buf = &ks->plaintext_write_buf;
- if (!buf->len && ((ks->state == S_START && !session->opt->server)
- || (ks->state == S_GOT_KEY && session->opt->server)))
+ if (!buf->len
+ && ((ks->state == S_START && !session->opt->server)
+ || (ks->state == S_GOT_KEY && session->opt->server)))
{
if (!key_method_2_write(buf, multi, session))
{
@@ -2979,8 +2877,7 @@
int status = key_state_write_plaintext(&ks->ks_ssl, buf);
if (status == -1)
{
- msg(D_TLS_ERRORS,
- "TLS ERROR: Outgoing Plaintext -> TLS object write error");
+ msg(D_TLS_ERRORS, "TLS ERROR: Outgoing Plaintext -> TLS object write error");
goto error;
}
if (status == 1)
@@ -3027,15 +2924,13 @@
}
/* Byte limit */
- if (session->opt->renegotiate_bytes > 0
- && ks->n_bytes >= session->opt->renegotiate_bytes)
+ if (session->opt->renegotiate_bytes > 0 && ks->n_bytes >= session->opt->renegotiate_bytes)
{
return true;
}
/* Packet limit */
- if (session->opt->renegotiate_packets
- && ks->n_packets >= session->opt->renegotiate_packets)
+ if (session->opt->renegotiate_packets && ks->n_packets >= session->opt->renegotiate_packets)
{
return true;
}
@@ -3102,14 +2997,11 @@
* want to send to our peer.
*/
static bool
-tls_process(struct tls_multi *multi,
- struct tls_session *session,
- struct buffer *to_link,
- struct link_socket_actual **to_link_addr,
- struct link_socket_info *to_link_socket_info,
+tls_process(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link,
+ struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info,
interval_t *wakeup)
{
- struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
+ struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
/* Make sure we were initialized and that we're not in an error state */
@@ -3118,21 +3010,18 @@
ASSERT(session_id_defined(&session->session_id));
/* Should we trigger a soft reset? -- new key, keeps old key for a while */
- if (ks->state >= S_GENERATED_KEYS
- && should_trigger_renegotiation(session, ks))
+ if (ks->state >= S_GENERATED_KEYS && should_trigger_renegotiation(session, ks))
{
- msg(D_TLS_DEBUG_LOW, "TLS: soft reset sec=%d/%d bytes=" counter_format
- "/%" PRIi64 " pkts=" counter_format "/%" PRIi64
- " aead_limit_send=%" PRIu64 "/%" PRIu64
- " aead_limit_recv=%" PRIu64 "/%" PRIu64,
- (int) (now - ks->established), session->opt->renegotiate_seconds,
- ks->n_bytes, session->opt->renegotiate_bytes,
- ks->n_packets, session->opt->renegotiate_packets,
+ msg(D_TLS_DEBUG_LOW,
+ "TLS: soft reset sec=%d/%d bytes=" counter_format "/%" PRIi64 " pkts=" counter_format
+ "/%" PRIi64 " aead_limit_send=%" PRIu64 "/%" PRIu64 " aead_limit_recv=%" PRIu64
+ "/%" PRIu64,
+ (int)(now - ks->established), session->opt->renegotiate_seconds, ks->n_bytes,
+ session->opt->renegotiate_bytes, ks->n_packets, session->opt->renegotiate_packets,
ks->crypto_options.key_ctx_bi.encrypt.plaintext_blocks + ks->n_packets,
session->opt->aead_usage_limit,
ks->crypto_options.key_ctx_bi.decrypt.plaintext_blocks + ks->n_packets,
- session->opt->aead_usage_limit
- );
+ session->opt->aead_usage_limit);
key_state_soft_reset(session);
}
@@ -3149,19 +3038,15 @@
update_time();
dmsg(D_TLS_DEBUG, "TLS: tls_process: chg=%d ks=%s lame=%s to_link->len=%d wakeup=%d",
- continue_tls_process,
- state_name(ks->state),
- state_name(ks_lame->state),
- to_link->len,
+ continue_tls_process, state_name(ks->state), state_name(ks_lame->state), to_link->len,
*wakeup);
- continue_tls_process = tls_process_state(multi, session, to_link, to_link_addr,
- to_link_socket_info, wakeup);
+ continue_tls_process =
+ tls_process_state(multi, session, to_link, to_link_addr, to_link_socket_info, wakeup);
if (ks->state == S_ERROR)
{
return false;
}
-
}
update_time();
@@ -3192,8 +3077,7 @@
{
struct buffer buf = ks->ack_write_buf;
ASSERT(buf_init(&buf, multi->opt.frame.buf.headroom));
- write_control_auth(session, ks, &buf, to_link_addr, P_ACK_V1,
- RELIABLE_ACK_SIZE, false);
+ write_control_auth(session, ks, &buf, to_link_addr, P_ACK_V1, RELIABLE_ACK_SIZE, false);
*to_link = buf;
dmsg(D_TLS_DEBUG, "Dedicated ACK -> TCP/UDP");
}
@@ -3202,8 +3086,7 @@
/* When should we wake up again? */
if (ks->state >= S_INITIAL || ks->state == S_ERROR_PRE)
{
- compute_earliest_wakeup(wakeup,
- reliable_send_timeout(ks->send_reliable));
+ compute_earliest_wakeup(wakeup, reliable_send_timeout(ks->send_reliable));
if (ks->must_negotiate)
{
@@ -3213,8 +3096,7 @@
if (ks->established && session->opt->renegotiate_seconds)
{
- compute_earliest_wakeup(wakeup,
- ks->established + session->opt->renegotiate_seconds - now);
+ compute_earliest_wakeup(wakeup, ks->established + session->opt->renegotiate_seconds - now);
}
dmsg(D_TLS_DEBUG, "TLS: tls_process: timeout set to %d", *wakeup);
@@ -3260,7 +3142,7 @@
if (session->tls_wrap.work.data == dataptr)
{
msg(M_INFO, "Warning buffer of freed TLS session is "
- "still in use (tls_wrap.work.data)");
+ "still in use (tls_wrap.work.data)");
goto used;
}
@@ -3278,7 +3160,8 @@
*/
if (!ks->send_reliable)
{
- msg(M_FATAL, "ERROR: session->key[%d]->send_reliable is NULL "
+ msg(M_FATAL,
+ "ERROR: session->key[%d]->send_reliable is NULL "
"while key state is %s. Exiting.",
i, state_name(ks->state));
}
@@ -3287,7 +3170,8 @@
{
if (ks->send_reliable->array[j].buf.data == dataptr)
{
- msg(M_INFO, "Warning buffer of freed TLS session is still in"
+ msg(M_INFO,
+ "Warning buffer of freed TLS session is still in"
" use (session->key[%d].send_reliable->array[%d])",
i, j);
@@ -3310,11 +3194,9 @@
*/
int
-tls_multi_process(struct tls_multi *multi,
- struct buffer *to_link,
+tls_multi_process(struct tls_multi *multi, struct buffer *to_link,
struct link_socket_actual **to_link_addr,
- struct link_socket_info *to_link_socket_info,
- interval_t *wakeup)
+ struct link_socket_info *to_link_socket_info, interval_t *wakeup)
{
struct gc_arena gc = gc_new();
int active = TLSMP_INACTIVE;
@@ -3338,29 +3220,26 @@
/* set initial remote address. This triggers connecting with that
* session. So we only do that if the TM_ACTIVE session is not
* established */
- if (i == TM_INITIAL && ks->state == S_INITIAL
- && get_primary_key(multi)->state <= S_INITIAL
+ if (i == TM_INITIAL && ks->state == S_INITIAL && get_primary_key(multi)->state <= S_INITIAL
&& link_socket_actual_defined(&to_link_socket_info->lsa->actual))
{
ks->remote_addr = to_link_socket_info->lsa->actual;
}
dmsg(D_TLS_DEBUG,
- "TLS: tls_multi_process: i=%d state=%s, mysid=%s, stored-sid=%s, stored-ip=%s",
- i,
- state_name(ks->state),
- session_id_print(&session->session_id, &gc),
+ "TLS: tls_multi_process: i=%d state=%s, mysid=%s, stored-sid=%s, stored-ip=%s", i,
+ state_name(ks->state), session_id_print(&session->session_id, &gc),
session_id_print(&ks->session_id_remote, &gc),
print_link_socket_actual(&ks->remote_addr, &gc));
- if ((ks->state >= S_INITIAL || ks->state == S_ERROR_PRE) && link_socket_actual_defined(&ks->remote_addr))
+ if ((ks->state >= S_INITIAL || ks->state == S_ERROR_PRE)
+ && link_socket_actual_defined(&ks->remote_addr))
{
struct link_socket_actual *tla = NULL;
update_time();
- if (tls_process(multi, session, to_link, &tla,
- to_link_socket_info, wakeup))
+ if (tls_process(multi, session, to_link, &tla, to_link_socket_info, wakeup))
{
active = TLSMP_ACTIVE;
}
@@ -3386,14 +3265,12 @@
{
++multi->n_soft_errors;
- if (i == TM_ACTIVE
- || (i == TM_INITIAL && get_primary_key(multi)->state < S_ACTIVE))
+ if (i == TM_ACTIVE || (i == TM_INITIAL && get_primary_key(multi)->state < S_ACTIVE))
{
error = true;
}
- if (i == TM_ACTIVE
- && ks_lame->state >= S_GENERATED_KEYS
+ if (i == TM_ACTIVE && ks_lame->state >= S_GENERATED_KEYS
&& !multi->opt.single_session)
{
move_session(multi, TM_LAME_DUCK, TM_ACTIVE, true);
@@ -3425,8 +3302,8 @@
if (ks->state == S_ACTIVE && ks->authenticated == KS_AUTH_TRUE)
{
/* Session is now fully authenticated.
- * tls_session_generate_data_channel_keys will move ks->state
- * from S_ACTIVE to S_GENERATED_KEYS */
+ * tls_session_generate_data_channel_keys will move ks->state
+ * from S_ACTIVE to S_GENERATED_KEYS */
if (!tls_session_generate_data_channel_keys(multi, session))
{
msg(D_TLS_ERRORS, "TLS Error: generate_key_expansion failed");
@@ -3471,7 +3348,8 @@
{
move_session(multi, TM_ACTIVE, TM_INITIAL, true);
tas = tls_authentication_status(multi);
- msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: initial untrusted "
+ msg(D_TLS_DEBUG_LOW,
+ "TLS: tls_multi_process: initial untrusted "
"session promoted to %strusted",
tas == TLS_AUTHENTICATION_SUCCEEDED ? "" : "semi-");
@@ -3528,8 +3406,8 @@
* try to generate a sensible error message and print it
*/
static void
-print_key_id_not_found_reason(struct tls_multi *multi,
- const struct link_socket_actual *from, int key_id)
+print_key_id_not_found_reason(struct tls_multi *multi, const struct link_socket_actual *from,
+ int key_id)
{
struct gc_arena gc = gc_new();
const char *source = print_link_socket_actual(from, &gc);
@@ -3547,17 +3425,14 @@
* session but has not generated keys. */
if (ks->state >= S_INITIAL && ks->state < S_GENERATED_KEYS)
{
- msg(D_MULTI_DROPPED,
- "Key %s [%d] not initialized (yet), dropping packet.",
- source, key_id);
+ msg(D_MULTI_DROPPED, "Key %s [%d] not initialized (yet), dropping packet.", source,
+ key_id);
gc_free(&gc);
return;
}
if (ks->state >= S_ACTIVE && ks->authenticated != KS_AUTH_TRUE)
{
- msg(D_MULTI_DROPPED,
- "Key %s [%d] not authorized%s, dropping packet.",
- source, key_id,
+ msg(D_MULTI_DROPPED, "Key %s [%d] not authorized%s, dropping packet.", source, key_id,
(ks->authenticated == KS_AUTH_DEFERRED) ? " (deferred)" : "");
gc_free(&gc);
return;
@@ -3567,8 +3442,7 @@
msg(D_TLS_ERRORS,
"TLS Error: local/remote TLS keys are out of sync: %s "
"(received key id: %d, known key ids: %s)",
- source, key_id,
- print_key_id(multi, &gc));
+ source, key_id, print_key_id(multi, &gc));
gc_free(&gc);
}
@@ -3580,11 +3454,8 @@
* AEAD ciphers to the start of the authenticated data.
*/
static inline void
-handle_data_channel_packet(struct tls_multi *multi,
- const struct link_socket_actual *from,
- struct buffer *buf,
- struct crypto_options **opt,
- bool floated,
+handle_data_channel_packet(struct tls_multi *multi, const struct link_socket_actual *from,
+ struct buffer *buf, struct crypto_options **opt, bool floated,
const uint8_t **ad_start)
{
struct gc_arena gc = gc_new();
@@ -3630,7 +3501,8 @@
{
if (buf->len < 4)
{
- msg(D_TLS_ERRORS, "Protocol error: received P_DATA_V2 from %s but length is < 4",
+ msg(D_TLS_ERRORS,
+ "Protocol error: received P_DATA_V2 from %s but length is < 4",
print_link_socket_actual(from, &gc));
++multi->n_soft_errors;
goto done;
@@ -3640,9 +3512,8 @@
++ks->n_packets;
ks->n_bytes += buf->len;
- dmsg(D_TLS_KEYSELECT,
- "TLS: tls_pre_decrypt, key_id=%d, IP=%s",
- key_id, print_link_socket_actual(from, &gc));
+ dmsg(D_TLS_KEYSELECT, "TLS: tls_pre_decrypt, key_id=%d, IP=%s", key_id,
+ print_link_socket_actual(from, &gc));
gc_free(&gc);
return;
}
@@ -3683,14 +3554,9 @@
*/
bool
-tls_pre_decrypt(struct tls_multi *multi,
- const struct link_socket_actual *from,
- struct buffer *buf,
- struct crypto_options **opt,
- bool floated,
- const uint8_t **ad_start)
+tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf,
+ struct crypto_options **opt, bool floated, const uint8_t **ad_start)
{
-
if (buf->len <= 0)
{
buf->len = 0;
@@ -3717,18 +3583,16 @@
/* control channel packet */
bool do_burst = false;
bool new_link = false;
- struct session_id sid; /* remote session ID */
+ struct session_id sid; /* remote session ID */
/* verify legal opcode */
if (op < P_FIRST_OPCODE || op > P_LAST_OPCODE)
{
- if (op == P_CONTROL_HARD_RESET_CLIENT_V1
- || op == P_CONTROL_HARD_RESET_SERVER_V1)
+ if (op == P_CONTROL_HARD_RESET_CLIENT_V1 || op == P_CONTROL_HARD_RESET_SERVER_V1)
{
msg(D_TLS_ERRORS, "Peer tried unsupported key-method 1");
}
- msg(D_TLS_ERRORS,
- "TLS Error: unknown opcode received from %s op=%d",
+ msg(D_TLS_ERRORS, "TLS Error: unknown opcode received from %s op=%d",
print_link_socket_actual(from, &gc), op);
goto error;
}
@@ -3737,8 +3601,8 @@
if (is_hard_reset_method2(op))
{
/* verify client -> server or server -> client connection */
- if (((op == P_CONTROL_HARD_RESET_CLIENT_V2
- || op == P_CONTROL_HARD_RESET_CLIENT_V3) && !multi->opt.server)
+ if (((op == P_CONTROL_HARD_RESET_CLIENT_V2 || op == P_CONTROL_HARD_RESET_CLIENT_V3)
+ && !multi->opt.server)
|| ((op == P_CONTROL_HARD_RESET_SERVER_V2) && multi->opt.server))
{
msg(D_TLS_ERRORS,
@@ -3751,8 +3615,8 @@
/*
* Authenticate Packet
*/
- dmsg(D_TLS_DEBUG, "TLS: control channel, op=%s, IP=%s",
- packet_opcode_name(op), print_link_socket_actual(from, &gc));
+ dmsg(D_TLS_DEBUG, "TLS: control channel, op=%s, IP=%s", packet_opcode_name(op),
+ print_link_socket_actual(from, &gc));
/* get remote session-id */
{
@@ -3760,8 +3624,7 @@
buf_advance(&tmp, 1);
if (!session_id_read(&sid, &tmp) || !session_id_defined(&sid))
{
- msg(D_TLS_ERRORS,
- "TLS Error: session-id not found in packet from %s",
+ msg(D_TLS_ERRORS, "TLS Error: session-id not found in packet from %s",
print_link_socket_actual(from, &gc));
goto error;
}
@@ -3774,29 +3637,25 @@
struct tls_session *session = &multi->session[i];
struct key_state *ks = &session->key[KS_PRIMARY];
- dmsg(D_TLS_DEBUG,
- "TLS: initial packet test, i=%d state=%s, mysid=%s, rec-sid=%s, rec-ip=%s, stored-sid=%s, stored-ip=%s",
- i,
- state_name(ks->state),
- session_id_print(&session->session_id, &gc),
- session_id_print(&sid, &gc),
- print_link_socket_actual(from, &gc),
- session_id_print(&ks->session_id_remote, &gc),
- print_link_socket_actual(&ks->remote_addr, &gc));
+ dmsg(
+ D_TLS_DEBUG,
+ "TLS: initial packet test, i=%d state=%s, mysid=%s, rec-sid=%s, rec-ip=%s, stored-sid=%s, stored-ip=%s",
+ i, state_name(ks->state), session_id_print(&session->session_id, &gc),
+ session_id_print(&sid, &gc), print_link_socket_actual(from, &gc),
+ session_id_print(&ks->session_id_remote, &gc),
+ print_link_socket_actual(&ks->remote_addr, &gc));
if (session_id_equal(&ks->session_id_remote, &sid))
/* found a match */
{
if (i == TM_LAME_DUCK)
{
- msg(D_TLS_ERRORS,
- "TLS ERROR: received control packet with stale session-id=%s",
+ msg(D_TLS_ERRORS, "TLS ERROR: received control packet with stale session-id=%s",
session_id_print(&sid, &gc));
goto error;
}
- dmsg(D_TLS_DEBUG,
- "TLS: found match, session[%d], sid=%s",
- i, session_id_print(&sid, &gc));
+ dmsg(D_TLS_DEBUG, "TLS: found match, session[%d], sid=%s", i,
+ session_id_print(&sid, &gc));
break;
}
}
@@ -3827,8 +3686,8 @@
goto error;
}
- if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id), from,
- session->opt, true))
+ if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id), from, session->opt,
+ true))
{
goto error;
}
@@ -3836,13 +3695,7 @@
#ifdef ENABLE_MANAGEMENT
if (management)
{
- management_set_state(management,
- OPENVPN_STATE_AUTH,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL);
+ management_set_state(management, OPENVPN_STATE_AUTH, NULL, NULL, NULL, NULL, NULL);
}
#endif
@@ -3852,10 +3705,8 @@
*
* Without --tls-auth, we leave authentication entirely up to TLS.
*/
- msg(D_TLS_DEBUG_LOW,
- "TLS: Initial packet from %s, sid=%s",
- print_link_socket_actual(from, &gc),
- session_id_print(&sid, &gc));
+ msg(D_TLS_DEBUG_LOW, "TLS: Initial packet from %s, sid=%s",
+ print_link_socket_actual(from, &gc), session_id_print(&sid, &gc));
do_burst = true;
new_link = true;
@@ -3872,11 +3723,8 @@
*/
if (i != TM_ACTIVE && i != TM_INITIAL)
{
- msg(D_TLS_ERRORS,
- "TLS Error: Unroutable control packet received from %s (si=%d op=%s)",
- print_link_socket_actual(from, &gc),
- i,
- packet_opcode_name(op));
+ msg(D_TLS_ERRORS, "TLS Error: Unroutable control packet received from %s (si=%d op=%s)",
+ print_link_socket_actual(from, &gc), i, packet_opcode_name(op));
goto error;
}
@@ -3897,17 +3745,16 @@
*/
if (op == P_CONTROL_SOFT_RESET_V1 && ks->state >= S_GENERATED_KEYS)
{
- if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id),
- from, session->opt, false))
+ if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id), from,
+ session->opt, false))
{
goto error;
}
key_state_soft_reset(session);
- dmsg(D_TLS_DEBUG,
- "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s",
- i, session_id_print(&sid, &gc));
+ dmsg(D_TLS_DEBUG, "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s", i,
+ session_id_print(&sid, &gc));
}
else
{
@@ -3928,8 +3775,8 @@
do_burst = true;
}
- if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id),
- from, session->opt, initial_packet))
+ if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id), from,
+ session->opt, initial_packet))
{
/* if an initial packet in read_control_auth, we rather
* error out than anything else */
@@ -3940,9 +3787,8 @@
goto error;
}
- dmsg(D_TLS_DEBUG,
- "TLS: received control channel packet s#=%d sid=%s",
- i, session_id_print(&sid, &gc));
+ dmsg(D_TLS_DEBUG, "TLS: received control channel packet s#=%d sid=%s", i,
+ session_id_print(&sid, &gc));
}
}
@@ -3994,9 +3840,8 @@
/* Check key_id */
if (ks->key_id != key_id)
{
- msg(D_TLS_ERRORS,
- "TLS ERROR: local/remote key IDs out of sync (%d/%d) ID: %s",
- ks->key_id, key_id, print_key_id(multi, &gc));
+ msg(D_TLS_ERRORS, "TLS ERROR: local/remote key IDs out of sync (%d/%d) ID: %s", ks->key_id,
+ key_id, print_key_id(multi, &gc));
goto error;
}
@@ -4010,8 +3855,7 @@
if (!reliable_ack_read(&send_ack, buf, &session->session_id))
{
- msg(D_TLS_ERRORS,
- "TLS Error: reading acknowledgement record from packet");
+ msg(D_TLS_ERRORS, "TLS Error: reading acknowledgement record from packet");
goto error;
}
reliable_send_purge(ks->send_reliable, &send_ack);
@@ -4034,14 +3878,14 @@
ASSERT(in);
if (!buf_copy(in, buf))
{
- msg(D_MULTI_DROPPED,
- "Incoming control channel packet too big, dropping.");
+ msg(D_MULTI_DROPPED, "Incoming control channel packet too big, dropping.");
goto error;
}
reliable_mark_active_incoming(ks->rec_reliable, in, id, op);
}
- /* Process outgoing acknowledgment for packet just received, even if it's a replay */
+ /* Process outgoing acknowledgment for packet just received, even if it's a replay
+ */
reliable_ack_acknowledge_packet_id(ks->rec_ack, id);
}
}
@@ -4090,8 +3934,7 @@
/* Choose the key with which to encrypt a data packet */
void
-tls_pre_encrypt(struct tls_multi *multi,
- struct buffer *buf, struct crypto_options **opt)
+tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
{
multi->save_ks = NULL;
if (buf->len <= 0)
@@ -4146,8 +3989,7 @@
ASSERT(ks);
- peer = htonl(((P_DATA_V2 << P_OPCODE_SHIFT) | ks->key_id) << 24
- | (multi->peer_id & 0xFFFFFF));
+ peer = htonl(((P_DATA_V2 << P_OPCODE_SHIFT) | ks->key_id) << 24 | (multi->peer_id & 0xFFFFFF));
ASSERT(buf_write_prepend(buf, &peer, 4));
}
@@ -4172,9 +4014,7 @@
*/
bool
-tls_send_payload(struct key_state *ks,
- const uint8_t *data,
- int size)
+tls_send_payload(struct key_state *ks, const uint8_t *data, int size)
{
bool ret = false;
@@ -4206,8 +4046,7 @@
}
bool
-tls_rec_payload(struct tls_multi *multi,
- struct buffer *buf)
+tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
{
bool ret = false;
@@ -4260,8 +4099,7 @@
}
void
-show_available_tls_ciphers(const char *cipher_list,
- const char *cipher_list_tls13,
+show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13,
const char *tls_cert_profile)
{
printf("Available TLS Ciphers, listed in order of preference:\n");
@@ -4278,8 +4116,7 @@
printf("\n"
"Be aware that that whether a cipher suite in this list can actually work\n"
"depends on the specific setup of both peers. See the man page entries of\n"
- "--tls-cipher and --show-tls for more details.\n\n"
- );
+ "--tls-cipher and --show-tls for more details.\n\n");
}
/*
@@ -4385,7 +4222,8 @@
}
if (flags & PD_VERBOSE)
{
- buf_printf(&out, " tls_crypt_hmac=%s", format_hex(tls_crypt_hmac, TLS_CRYPT_TAG_SIZE, 0, gc));
+ buf_printf(&out, " tls_crypt_hmac=%s",
+ format_hex(tls_crypt_hmac, TLS_CRYPT_TAG_SIZE, 0, gc));
}
/*
* Remainder is encrypted and optional wKc
@@ -57,9 +57,10 @@
/*
* Various timeouts
*/
-#define TLS_MULTI_REFRESH 15 /* call tls_multi_process once every n seconds */
-#define TLS_MULTI_HORIZON 2 /* call tls_multi_process frequently for n seconds after
- * every packet sent/received action */
+#define TLS_MULTI_REFRESH 15 /* call tls_multi_process once every n seconds */
+#define TLS_MULTI_HORIZON \
+ 2 /* call tls_multi_process frequently for n seconds after \
+ * every packet sent/received action */
/*
* Buffer sizes (also see mtu.h).
@@ -77,49 +78,49 @@
* as reserved for this reason */
/** Support P_DATA_V2 */
-#define IV_PROTO_DATA_V2 (1<<1)
+#define IV_PROTO_DATA_V2 (1 << 1)
/** Assume client will send a push request and server does not need
* to wait for a push-request to send a push-reply */
-#define IV_PROTO_REQUEST_PUSH (1<<2)
+#define IV_PROTO_REQUEST_PUSH (1 << 2)
/** Supports key derivation via TLS key material exporter [RFC5705] */
-#define IV_PROTO_TLS_KEY_EXPORT (1<<3)
+#define IV_PROTO_TLS_KEY_EXPORT (1 << 3)
/** Supports signaling keywords with AUTH_PENDING, e.g. timeout=xy */
-#define IV_PROTO_AUTH_PENDING_KW (1<<4)
+#define IV_PROTO_AUTH_PENDING_KW (1 << 4)
/** Support doing NCP in P2P mode. This mode works by both peers looking at
* each other's IV_ variables and deterministically deciding both on the same
* result. */
-#define IV_PROTO_NCP_P2P (1<<5)
+#define IV_PROTO_NCP_P2P (1 << 5)
/** Supports the --dns option introduced in version 2.6. Not sent anymore. */
-#define IV_PROTO_DNS_OPTION (1<<6)
+#define IV_PROTO_DNS_OPTION (1 << 6)
/** Support for explicit exit notify via control channel
* This also includes support for the protocol-flags pushed option */
-#define IV_PROTO_CC_EXIT_NOTIFY (1<<7)
+#define IV_PROTO_CC_EXIT_NOTIFY (1 << 7)
/** Support for AUTH_FAIL,TEMP messages */
-#define IV_PROTO_AUTH_FAIL_TEMP (1<<8)
+#define IV_PROTO_AUTH_FAIL_TEMP (1 << 8)
/** Support to dynamic tls-crypt (renegotiation with TLS-EKM derived tls-crypt key) */
-#define IV_PROTO_DYN_TLS_CRYPT (1<<9)
+#define IV_PROTO_DYN_TLS_CRYPT (1 << 9)
/** Support the extended packet id and epoch format for data channel packets */
-#define IV_PROTO_DATA_EPOCH (1<<10)
+#define IV_PROTO_DATA_EPOCH (1 << 10)
/** Supports the --dns option after all the incompatible changes */
-#define IV_PROTO_DNS_OPTION_V2 (1<<11)
+#define IV_PROTO_DNS_OPTION_V2 (1 << 11)
/** Supports push-update */
-#define IV_PROTO_PUSH_UPDATE (1<<12)
+#define IV_PROTO_PUSH_UPDATE (1 << 12)
/* Default field in X509 to be username */
#define X509_USERNAME_FIELD_DEFAULT "CN"
-#define KEY_METHOD_2 2
+#define KEY_METHOD_2 2
/* key method taken from lower 4 bits */
#define KEY_METHOD_MASK 0x0F
@@ -206,9 +207,7 @@
* Used to verify compatibility of local and remote option
* sets.
*/
-void tls_multi_init_set_options(struct tls_multi *multi,
- const char *local,
- const char *remote);
+void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote);
/**
* Cleanup a \c tls_multi structure and free associated memory
@@ -228,9 +227,9 @@
/** @} addtogroup control_processor */
-#define TLSMP_INACTIVE 0
-#define TLSMP_ACTIVE 1
-#define TLSMP_KILL 2
+#define TLSMP_INACTIVE 0
+#define TLSMP_ACTIVE 1
+#define TLSMP_KILL 2
#define TLSMP_RECONNECT 3
/*
@@ -239,11 +238,9 @@
* Basically decides if we should call tls_process for
* the active or untrusted sessions.
*/
-int tls_multi_process(struct tls_multi *multi,
- struct buffer *to_link,
+int tls_multi_process(struct tls_multi *multi, struct buffer *to_link,
struct link_socket_actual **to_link_addr,
- struct link_socket_info *to_link_socket_info,
- interval_t *wakeup);
+ struct link_socket_info *to_link_socket_info, interval_t *wakeup);
/**************************************************************************/
@@ -299,11 +296,8 @@
* @li False if the packet is a data channel packet, or if an error
* occurred during processing of a control channel packet.
*/
-bool tls_pre_decrypt(struct tls_multi *multi,
- const struct link_socket_actual *from,
- struct buffer *buf,
- struct crypto_options **opt,
- bool floated,
+bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from,
+ struct buffer *buf, struct crypto_options **opt, bool floated,
const uint8_t **ad_start);
@@ -325,8 +319,7 @@
* @param buf - The buffer containing the outgoing packet.
* @param opt - Returns a crypto options structure with the security parameters.
*/
-void tls_pre_encrypt(struct tls_multi *multi,
- struct buffer *buf, struct crypto_options **opt);
+void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt);
/**
* Selects the primary encryption that should be used to encrypt data of an
@@ -351,8 +344,7 @@
*
* @ingroup data_crypto
*/
-void
-tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf);
+void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf);
/**
* Prepend an OpenVPN data channel P_DATA_V2 header to the packet. The
@@ -370,8 +362,7 @@
*
* @ingroup data_crypto
*/
-void
-tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf);
+void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf);
/**
* Perform some accounting for the key state used.
@@ -435,15 +426,12 @@
/*
* Send a payload over the TLS control channel
*/
-bool tls_send_payload(struct key_state *ks,
- const uint8_t *data,
- int size);
+bool tls_send_payload(struct key_state *ks, const uint8_t *data, int size);
/*
* Receive a payload through the TLS control channel
*/
-bool tls_rec_payload(struct tls_multi *multi,
- struct buffer *buf);
+bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf);
/**
* Updates remote address in TLS sessions.
@@ -451,8 +439,7 @@
* @param multi - Tunnel to update
* @param addr - new address
*/
-void tls_update_remote_addr(struct tls_multi *multi,
- const struct link_socket_actual *addr);
+void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr);
/**
* Update TLS session crypto parameters (cipher and auth) and derive data
@@ -472,12 +459,9 @@
*
* @return true if updating succeeded or keys are already generated, false otherwise.
*/
-bool tls_session_update_crypto_params(struct tls_multi *multi,
- struct tls_session *session,
- struct options *options,
- struct frame *frame,
- struct frame *frame_fragment,
- struct link_socket_info *lsi,
+bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session,
+ struct options *options, struct frame *frame,
+ struct frame *frame_fragment, struct link_socket_info *lsi,
dco_context_t *dco);
/*
@@ -536,14 +520,12 @@
* protocol_dump() flags
*/
#define PD_TLS_AUTH_HMAC_SIZE_MASK 0xFF
-#define PD_SHOW_DATA (1<<8)
-#define PD_TLS (1<<9)
-#define PD_VERBOSE (1<<10)
-#define PD_TLS_CRYPT (1<<11)
+#define PD_SHOW_DATA (1 << 8)
+#define PD_TLS (1 << 9)
+#define PD_VERBOSE (1 << 10)
+#define PD_TLS_CRYPT (1 << 11)
-const char *protocol_dump(struct buffer *buffer,
- unsigned int flags,
- struct gc_arena *gc);
+const char *protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc);
/*
* debugging code
@@ -569,10 +551,8 @@
* @param cipher_list_tls13 list of allowed TLS 1.3+ cipher, or NULL
* @param tls_cert_profile TLS certificate crypto profile name.
*/
-void
-show_available_tls_ciphers(const char *cipher_list,
- const char *cipher_list_tls13,
- const char *tls_cert_profile);
+void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13,
+ const char *tls_cert_profile);
/**
@@ -581,25 +561,19 @@
* This erases the source material used to generate the data channel keys, and
* can thus be called only once per session.
*/
-bool
-tls_session_generate_data_channel_keys(struct tls_multi *multi,
- struct tls_session *session);
+bool tls_session_generate_data_channel_keys(struct tls_multi *multi, struct tls_session *session);
-void
-tls_session_soft_reset(struct tls_multi *multi);
+void tls_session_soft_reset(struct tls_multi *multi);
/**
* Load ovpn.xkey provider used for external key signing
*/
-void
-load_xkey_provider(void);
+void load_xkey_provider(void);
/* Special method to skip the three way handshake RESET stages. This is
* used by the HMAC code when seeing a packet that matches the previous
* HMAC based stateless server state */
-bool
-session_skip_to_pre_start(struct tls_session *session,
- struct tls_pre_decrypt_state *state,
- struct link_socket_actual *from);
+bool session_skip_to_pre_start(struct tls_session *session, struct tls_pre_decrypt_state *state,
+ struct link_socket_actual *from);
#endif /* ifndef OPENVPN_SSL_H */
@@ -101,11 +101,11 @@
* if a parse error should be flagged.
*/
#define TLS_VER_BAD -1
-#define TLS_VER_UNSPEC 0 /* default */
-#define TLS_VER_1_0 1
-#define TLS_VER_1_1 2
-#define TLS_VER_1_2 3
-#define TLS_VER_1_3 4
+#define TLS_VER_UNSPEC 0 /* default */
+#define TLS_VER_1_0 1
+#define TLS_VER_1_1 2
+#define TLS_VER_1_2 3
+#define TLS_VER_1_3 4
int tls_version_parse(const char *vstr, const char *extra);
/**
@@ -218,8 +218,7 @@
* of inline files.
* @param dh_file_inline True if dh_file is an inline file.
*/
-void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
- bool dh_file_inline);
+void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline);
/**
* Load Elliptic Curve Parameters, and load them into the library-specific
@@ -228,8 +227,7 @@
* @param ctx TLS context to use
* @param curve_name The name of the elliptic curve to load.
*/
-void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
- );
+void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name);
/**
* Load PKCS #12 file for key, cert and (optionally) CA certs, and add to
@@ -246,8 +244,8 @@
* @return 1 if an error occurred, 0 if parsing was
* successful.
*/
-int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
- bool pkcs12_file_inline, bool load_ca_file);
+int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline,
+ bool load_ca_file);
/**
* Use Windows cryptoapi for key and cert, and add to library-specific TLS
@@ -271,8 +269,7 @@
* of inline files.
* @param cert_file_inline True if cert_file is an inline file.
*/
-void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file,
- bool cert_file_inline);
+void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline);
/**
* Load private key file into the given TLS context.
@@ -318,8 +315,8 @@
* connection and should use the CA for verifying
* client certificates
*/
-void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file,
- bool ca_file_inline, const char *ca_path, bool tls_server);
+void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inline,
+ const char *ca_path, bool tls_server);
/**
* Load extra certificate authority certificates from the given file or path.
@@ -334,8 +331,7 @@
* @param extra_certs_file_inline True if extra_certs_file is an inline
* file.
*/
-void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx,
- const char *extra_certs_file,
+void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file,
bool extra_certs_file_inline);
#ifdef ENABLE_CRYPTO_MBEDTLS
@@ -364,15 +360,14 @@
* @param is_server Initialise a server?
* @param session The session associated with the given key_state
*/
-void key_state_ssl_init(struct key_state_ssl *ks_ssl,
- const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session);
+void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx,
+ bool is_server, struct tls_session *session);
/**
* Sets a TLS session to be shutdown state, so the TLS library will generate
* a shutdown alert.
*/
-void
-key_state_ssl_shutdown(struct key_state_ssl *ks_ssl);
+void key_state_ssl_shutdown(struct key_state_ssl *ks_ssl);
/**
* Free the SSL channel part of the given key state.
@@ -389,12 +384,12 @@
* an array containing the inline CRL.
* @param crl_inline True if crl_file is an inline CRL.
*/
-void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx,
- const char *crl_file, bool crl_inline);
+void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
+ bool crl_inline);
-#define EXPORT_KEY_DATA_LABEL "EXPORTER-OpenVPN-datakeys"
-#define EXPORT_P2P_PEERID_LABEL "EXPORTER-OpenVPN-p2p-peerid"
-#define EXPORT_DYNAMIC_TLS_CRYPT_LABEL "EXPORTER-OpenVPN-dynamic-tls-crypt"
+#define EXPORT_KEY_DATA_LABEL "EXPORTER-OpenVPN-datakeys"
+#define EXPORT_P2P_PEERID_LABEL "EXPORTER-OpenVPN-p2p-peerid"
+#define EXPORT_DYNAMIC_TLS_CRYPT_LABEL "EXPORTER-OpenVPN-dynamic-tls-crypt"
/**
* Keying Material Exporters [RFC 5705] allows additional keying material to be
* derived from existing TLS channel. This exported keying material can then be
@@ -407,10 +402,8 @@
* @param ekm_size The size of ekm, in bytes
* @returns true if exporting succeeded, false otherwise
*/
-bool
-key_state_export_keying_material(struct tls_session *session,
- const char *label, size_t label_size,
- void *ekm, size_t ekm_size);
+bool key_state_export_keying_material(struct tls_session *session, const char *label,
+ size_t label_size, void *ekm, size_t ekm_size);
/**************************************************************************/
/** @addtogroup control_tls
@@ -453,8 +446,7 @@
* again later to retry.
* - \c -1: An error occurred.
*/
-int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl,
- const uint8_t *data, int len);
+int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len);
/**
* Extract ciphertext data from the TLS module.
@@ -499,8 +491,7 @@
* again later to retry.
* - \c -1: An error occurred.
*/
-int key_state_write_ciphertext(struct key_state_ssl *ks_ssl,
- struct buffer *buf);
+int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf);
/**
* Extract plaintext data from the TLS module.
@@ -548,10 +539,8 @@
* @param tls13 Select if <=TLS1.2 or TLS1.3+ ciphers
* should be shown
*/
-void
-show_available_tls_ciphers_list(const char *cipher_list,
- const char *tls_cert_profile,
- bool tls13);
+void show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile,
+ bool tls13);
/**
* Show the available elliptic curves in the crypto library
@@ -117,15 +117,16 @@
* \ref key_generation "data channel key generation".
* @ingroup control_processor
*/
-struct key_source {
- uint8_t pre_master[48]; /**< Random used for master secret
- * generation, provided only by client
- * OpenVPN peer. */
- uint8_t random1[32]; /**< Seed used for master secret
- * generation, provided by both client
- * and server. */
- uint8_t random2[32]; /**< Seed used for key expansion, provided
- * by both client and server. */
+struct key_source
+{
+ uint8_t pre_master[48]; /**< Random used for master secret
+ * generation, provided only by client
+ * OpenVPN peer. */
+ uint8_t random1[32]; /**< Seed used for master secret
+ * generation, provided by both client
+ * and server. */
+ uint8_t random2[32]; /**< Seed used for key expansion, provided
+ * by both client and server. */
};
@@ -134,9 +135,10 @@
* 2 \ref key_generation "data channel key generation".
* @ingroup control_processor
*/
-struct key_source2 {
- struct key_source client; /**< Random provided by client. */
- struct key_source server; /**< Random provided by server. */
+struct key_source2
+{
+ struct key_source client; /**< Random provided by client. */
+ struct key_source server; /**< Random provided by server. */
};
@@ -147,15 +149,16 @@
* being set to KS_AUTH_TRUE or KS_AUTH_FALSE
* Only KS_AUTH_TRUE is fully authenticated
*/
-enum ks_auth_state {
- KS_AUTH_FALSE, /**< Key state is not authenticated */
- KS_AUTH_DEFERRED, /**< Key state authentication is being deferred,
- * by async auth */
- KS_AUTH_TRUE /**< Key state is authenticated. TLS and user/pass
- * succeeded. This includes AUTH_PENDING/OOB
- * authentication as those hold the
- * connection artificially in KS_AUTH_DEFERRED
- */
+enum ks_auth_state
+{
+ KS_AUTH_FALSE, /**< Key state is not authenticated */
+ KS_AUTH_DEFERRED, /**< Key state authentication is being deferred,
+ * by async auth */
+ KS_AUTH_TRUE /**< Key state is authenticated. TLS and user/pass
+ * succeeded. This includes AUTH_PENDING/OOB
+ * authentication as those hold the
+ * connection artificially in KS_AUTH_DEFERRED
+ */
};
struct auth_deferred_status
@@ -168,14 +171,16 @@
/* key_state_test_auth_control_file return values, these specify the
* current status of a deferred authentication */
-enum auth_deferred_result {
- ACF_PENDING, /**< deferred auth still pending */
- ACF_SUCCEEDED, /**< deferred auth has suceeded */
- ACF_DISABLED, /**< deferred auth is not used */
- ACF_FAILED /**< deferred auth has failed */
+enum auth_deferred_result
+{
+ ACF_PENDING, /**< deferred auth still pending */
+ ACF_SUCCEEDED, /**< deferred auth has suceeded */
+ ACF_DISABLED, /**< deferred auth is not used */
+ ACF_FAILED /**< deferred auth has failed */
};
-enum dco_key_status {
+enum dco_key_status
+{
DCO_NOT_INSTALLED,
DCO_INSTALLED_PRIMARY,
DCO_INSTALLED_SECONDARY
@@ -219,34 +224,34 @@
struct key_state_ssl ks_ssl; /* contains SSL object and BIOs for the control channel */
- time_t initial; /* when we created this session */
- time_t established; /* when our state went S_ACTIVE */
- time_t must_negotiate; /* key negotiation times out if not finished before this time */
- time_t must_die; /* this object is destroyed at this time */
- time_t peer_last_packet; /* Last time we received a packet in this control session */
+ time_t initial; /* when we created this session */
+ time_t established; /* when our state went S_ACTIVE */
+ time_t must_negotiate; /* key negotiation times out if not finished before this time */
+ time_t must_die; /* this object is destroyed at this time */
+ time_t peer_last_packet; /* Last time we received a packet in this control session */
- int initial_opcode; /* our initial P_ opcode */
- struct session_id session_id_remote; /* peer's random session ID */
+ int initial_opcode; /* our initial P_ opcode */
+ struct session_id session_id_remote; /* peer's random session ID */
struct link_socket_actual remote_addr; /* peer's IP addr */
- struct crypto_options crypto_options;/* data channel crypto options */
+ struct crypto_options crypto_options; /* data channel crypto options */
- struct key_source2 *key_src; /* source entropy for key expansion */
+ struct key_source2 *key_src; /* source entropy for key expansion */
struct buffer plaintext_read_buf;
struct buffer plaintext_write_buf;
struct buffer ack_write_buf;
struct reliable *send_reliable; /* holds a copy of outgoing packets until ACK received */
- struct reliable *rec_reliable; /* order incoming ciphertext packets before we pass to TLS */
- struct reliable_ack *rec_ack; /* buffers all packet IDs we want to ACK back to sender */
- struct reliable_ack *lru_acks; /* keeps the most recently acked packages*/
+ struct reliable *rec_reliable; /* order incoming ciphertext packets before we pass to TLS */
+ struct reliable_ack *rec_ack; /* buffers all packet IDs we want to ACK back to sender */
+ struct reliable_ack *lru_acks; /* keeps the most recently acked packages*/
/** Holds outgoing message for the control channel until ks->state reaches
* S_ACTIVE */
struct buffer_list *paybuf;
- counter_type n_bytes; /* how many bytes sent/recvd since last key exchange */
- counter_type n_packets; /* how many packets sent/recvd since last key exchange */
+ counter_type n_bytes; /* how many bytes sent/recvd since last key exchange */
+ counter_type n_packets; /* how many packets sent/recvd since last key exchange */
/*
* If bad username/password, TLS connection will come up but 'authenticated' will be false.
@@ -269,19 +274,20 @@
/** Control channel wrapping (--tls-auth/--tls-crypt) context */
struct tls_wrap_ctx
{
- enum {
- TLS_WRAP_NONE = 0, /**< No control channel wrapping */
- TLS_WRAP_AUTH, /**< Control channel authentication */
- TLS_WRAP_CRYPT, /**< Control channel encryption and authentication */
- } mode; /**< Control channel wrapping mode */
- struct crypto_options opt; /**< Crypto state */
- struct buffer work; /**< Work buffer (only for --tls-crypt) */
- struct key_ctx tls_crypt_v2_server_key; /**< Decrypts client keys */
- const struct buffer *tls_crypt_v2_wkc; /**< Wrapped client key,
- * sent to server */
- struct buffer tls_crypt_v2_metadata; /**< Received from client */
- bool cleanup_key_ctx; /**< opt.key_ctx_bi is owned by
- * this context */
+ enum
+ {
+ TLS_WRAP_NONE = 0, /**< No control channel wrapping */
+ TLS_WRAP_AUTH, /**< Control channel authentication */
+ TLS_WRAP_CRYPT, /**< Control channel encryption and authentication */
+ } mode; /**< Control channel wrapping mode */
+ struct crypto_options opt; /**< Crypto state */
+ struct buffer work; /**< Work buffer (only for --tls-crypt) */
+ struct key_ctx tls_crypt_v2_server_key; /**< Decrypts client keys */
+ const struct buffer *tls_crypt_v2_wkc; /**< Wrapped client key,
+ * sent to server */
+ struct buffer tls_crypt_v2_metadata; /**< Received from client */
+ bool cleanup_key_ctx; /**< opt.key_ctx_bi is owned by
+ * this context */
/** original key data to be xored in to the key for dynamic tls-crypt.
*
* We keep the original key data to ensure that the newly generated key
@@ -363,8 +369,8 @@
/* struct crypto_option flags */
unsigned int crypto_flags;
- int replay_window; /* --replay-window parm */
- int replay_time; /* --replay-window parm */
+ int replay_window; /* --replay-window parm */
+ int replay_time; /* --replay-window parm */
const char *config_ciphername;
const char *config_ncp_ciphers;
@@ -392,9 +398,9 @@
const char *auth_user_pass_file;
bool auth_user_pass_file_inline;
- bool auth_token_generate; /**< Generate auth-tokens on successful
- * user/pass auth,seet via
- * options->auth_token_generate. */
+ bool auth_token_generate; /**< Generate auth-tokens on successful
+ * user/pass auth,seet via
+ * options->auth_token_generate. */
bool auth_token_call_auth; /**< always call normal authentication */
unsigned int auth_token_lifetime;
unsigned int auth_token_renewal;
@@ -415,17 +421,17 @@
#endif
/* configuration file SSL-related boolean and low-permutation options */
-#define SSLF_CLIENT_CERT_NOT_REQUIRED (1<<0)
-#define SSLF_CLIENT_CERT_OPTIONAL (1<<1)
-#define SSLF_USERNAME_AS_COMMON_NAME (1<<2)
-#define SSLF_AUTH_USER_PASS_OPTIONAL (1<<3)
-#define SSLF_OPT_VERIFY (1<<4)
-#define SSLF_CRL_VERIFY_DIR (1<<5)
+#define SSLF_CLIENT_CERT_NOT_REQUIRED (1 << 0)
+#define SSLF_CLIENT_CERT_OPTIONAL (1 << 1)
+#define SSLF_USERNAME_AS_COMMON_NAME (1 << 2)
+#define SSLF_AUTH_USER_PASS_OPTIONAL (1 << 3)
+#define SSLF_OPT_VERIFY (1 << 4)
+#define SSLF_CRL_VERIFY_DIR (1 << 5)
#define SSLF_TLS_VERSION_MIN_SHIFT 6
-#define SSLF_TLS_VERSION_MIN_MASK 0xF /* (uses bit positions 6 to 9) */
+#define SSLF_TLS_VERSION_MIN_MASK 0xF /* (uses bit positions 6 to 9) */
#define SSLF_TLS_VERSION_MAX_SHIFT 10
-#define SSLF_TLS_VERSION_MAX_MASK 0xF /* (uses bit positions 10 to 13) */
-#define SSLF_TLS_DEBUG_ENABLED (1<<14)
+#define SSLF_TLS_VERSION_MAX_MASK 0xF /* (uses bit positions 10 to 13) */
+#define SSLF_TLS_DEBUG_ENABLED (1 << 14)
unsigned int ssl_flags;
#ifdef ENABLE_MANAGEMENT
@@ -456,10 +462,11 @@
* This is the index of \c tls_session.key
*
* @{ */
-#define KS_PRIMARY 0 /**< Primary %key state index. */
-#define KS_LAME_DUCK 1 /**< %Key state index that will retire
- * soon. */
-#define KS_SIZE 2 /**< Size of the \c tls_session.key array. */
+#define KS_PRIMARY 0 /**< Primary %key state index. */
+#define KS_LAME_DUCK \
+ 1 /**< %Key state index that will retire \
+ * soon. */
+#define KS_SIZE 2 /**< Size of the \c tls_session.key array. */
/** @} name Index of key_state objects within a tls_session structure */
/** @} addtogroup control_processor */
@@ -494,7 +501,7 @@
* tls_wrap_reneg.mode is TLS_WRAP_CRYPT, otherwise ignore it */
struct tls_wrap_ctx tls_wrap_reneg;
- int initial_opcode; /* our initial P_ opcode */
+ int initial_opcode; /* our initial P_ opcode */
struct session_id session_id; /* our random session ID */
/**
@@ -510,7 +517,7 @@
struct cert_hash_set *cert_hash_set;
- bool verified; /* true if peer certificate was verified against CA */
+ bool verified; /* true if peer certificate was verified against CA */
/* not-yet-authenticated incoming client */
struct link_socket_actual untrusted_addr;
@@ -535,12 +542,14 @@
* is being negotiated.
*
* @{ */
-#define TM_ACTIVE 0 /**< Active \c tls_session. */
-#define TM_INITIAL 1 /**< As yet un-trusted \c tls_session
- * being negotiated. */
-#define TM_LAME_DUCK 2 /**< Old \c tls_session. */
-#define TM_SIZE 3 /**< Size of the \c tls_multi.session
- * array. */
+#define TM_ACTIVE 0 /**< Active \c tls_session. */
+#define TM_INITIAL \
+ 1 /**< As yet un-trusted \c tls_session \
+ * being negotiated. */
+#define TM_LAME_DUCK 2 /**< Old \c tls_session. */
+#define TM_SIZE \
+ 3 /**< Size of the \c tls_multi.session \
+ * array. */
/** @} name Index of tls_session objects within a tls_multi structure */
/** @} addtogroup control_processor */
@@ -612,7 +621,7 @@
* used by tls_pre_encrypt to communicate the encrypt key
* to tls_post_encrypt()
*/
- struct key_state *save_ks; /* temporary pointer used between pre/post routines */
+ struct key_state *save_ks; /* temporary pointer used between pre/post routines */
/*
* Used to return outgoing address from
@@ -620,8 +629,8 @@
*/
struct link_socket_actual to_link_addr;
- int n_sessions; /**< Number of sessions negotiated thus
- * far. */
+ int n_sessions; /**< Number of sessions negotiated thus
+ * far. */
enum multi_status multi_state;
/*
@@ -692,8 +701,8 @@
uint32_t peer_id;
bool use_peer_id;
- char *remote_ciphername; /**< cipher specified in peer's config file */
- bool remote_usescomp; /**< remote announced comp-lzo in OCC string */
+ char *remote_ciphername; /**< cipher specified in peer's config file */
+ bool remote_usescomp; /**< remote announced comp-lzo in OCC string */
/*
* Our session objects.
@@ -52,35 +52,28 @@
#include <mbedtls/version.h>
#if MBEDTLS_VERSION_NUMBER >= 0x02040000
- #include <mbedtls/net_sockets.h>
+#include <mbedtls/net_sockets.h>
#else
- #include <mbedtls/net.h>
+#include <mbedtls/net.h>
#endif
#include <mbedtls/oid.h>
#include <mbedtls/pem.h>
-static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_legacy =
-{
+static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_legacy = {
/* Hashes from SHA-1 and above */
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 )
- |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 )
- |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 )
- |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 )
- |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 )
- |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA1) | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_RIPEMD160)
+ | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA224) | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256)
+ | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
0xFFFFFFF, /* Any PK alg */
0xFFFFFFF, /* Any curve */
1024, /* RSA-1024 and larger */
};
-static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_preferred =
-{
+static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_preferred = {
/* SHA-2 and above */
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 )
- |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 )
- |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 )
- |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA224) | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256)
+ | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
0xFFFFFFF, /* Any PK alg */
0xFFFFFFF, /* Any curve */
2048, /* RSA-2048 and larger */
@@ -184,9 +177,8 @@
* Mbed TLS stores this callback in the mbedtls_ssl_config struct and it
* is used in the mbedtls_ssl_contexts set up from that config. */
int
-mbedtls_ssl_export_keys_cb(void *p_expkey, const unsigned char *ms,
- const unsigned char *kb, size_t maclen,
- size_t keylen, size_t ivlen,
+mbedtls_ssl_export_keys_cb(void *p_expkey, const unsigned char *ms, const unsigned char *kb,
+ size_t maclen, size_t keylen, size_t ivlen,
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type)
@@ -195,8 +187,8 @@
struct key_state_ssl *ks_ssl = &session->key[KS_PRIMARY].ks_ssl;
struct tls_key_cache *cache = &ks_ssl->tls_key_cache;
- static_assert(sizeof(ks_ssl->ctx->session->master)
- == sizeof(cache->master_secret), "master size mismatch");
+ static_assert(sizeof(ks_ssl->ctx->session->master) == sizeof(cache->master_secret),
+ "master size mismatch");
memcpy(cache->client_server_random, client_random, 32);
memcpy(cache->client_server_random + 32, server_random, 32);
@@ -218,10 +210,8 @@
* mbedtls_ssl_config. It is placed in the mbedtls_ssl_context after it
* has been set up. */
void
-mbedtls_ssl_export_keys_cb(void *p_expkey,
- mbedtls_ssl_key_export_type type,
- const unsigned char *secret,
- size_t secret_len,
+mbedtls_ssl_export_keys_cb(void *p_expkey, mbedtls_ssl_key_export_type type,
+ const unsigned char *secret, size_t secret_len,
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type)
@@ -241,8 +231,7 @@
* a different value, something is wrong with mbed TLS. */
if (secret_len != sizeof(cache->master_secret))
{
- msg(M_FATAL,
- "ERROR: Incorrect TLS 1.2 master secret length: Got %zu, expected %zu",
+ msg(M_FATAL, "ERROR: Incorrect TLS 1.2 master secret length: Got %zu, expected %zu",
secret_len, sizeof(cache->master_secret));
}
@@ -257,8 +246,7 @@
bool
-key_state_export_keying_material(struct tls_session *session,
- const char *label, size_t label_size,
+key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size,
void *ekm, size_t ekm_size)
{
ASSERT(strlen(label) == label_size);
@@ -267,7 +255,8 @@
/* Our version of mbed TLS has a built-in TLS-Exporter. */
mbedtls_ssl_context *ctx = session->key[KS_PRIMARY].ks_ssl.ctx;
- if (mbed_ok(mbedtls_ssl_export_keying_material(ctx, ekm, ekm_size, label, label_size, NULL, 0, 0)))
+ if (mbed_ok(
+ mbedtls_ssl_export_keying_material(ctx, ekm, ekm_size, label, label_size, NULL, 0, 0)))
{
return true;
}
@@ -287,10 +276,8 @@
}
int ret = mbedtls_ssl_tls_prf(cache->tls_prf_type, cache->master_secret,
- sizeof(cache->master_secret),
- label, cache->client_server_random,
- sizeof(cache->client_server_random),
- ekm, ekm_size);
+ sizeof(cache->master_secret), label, cache->client_server_random,
+ sizeof(cache->client_server_random), ekm, ekm_size);
if (mbed_ok(ret))
{
@@ -301,7 +288,7 @@
secure_memzero(ekm, session->opt->ekm_size);
return false;
}
-#endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
+#endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
}
bool
@@ -324,7 +311,8 @@
if (0 != strcmp(cipher_name, pair->iana_name))
{
/* Deprecated name found, notify user */
- msg(M_WARN, "Deprecated cipher suite name '%s', please use IANA name '%s'", pair->openssl_name, pair->iana_name);
+ msg(M_WARN, "Deprecated cipher suite name '%s', please use IANA name '%s'",
+ pair->openssl_name, pair->iana_name);
}
return pair->iana_name;
@@ -339,8 +327,10 @@
return;
}
- msg(M_WARN, "mbed TLS does not support setting tls-ciphersuites. "
- "Ignoring TLS 1.3 cipher list: %s", ciphers);
+ msg(M_WARN,
+ "mbed TLS does not support setting tls-ciphersuites. "
+ "Ignoring TLS 1.3 cipher list: %s",
+ ciphers);
}
void
@@ -359,7 +349,7 @@
int cipher_count = get_num_elements(ciphers, ':');
/* Allocate an array for them */
- ALLOC_ARRAY_CLEAR(ctx->allowed_ciphers, int, cipher_count+1)
+ ALLOC_ARRAY_CLEAR(ctx->allowed_ciphers, int, cipher_count + 1)
/* Parse allowed ciphers, getting IDs */
int i = 0;
@@ -368,8 +358,7 @@
token = strtok(tmp_ciphers, ":");
while (token)
{
- ctx->allowed_ciphers[i] = mbedtls_ssl_get_ciphersuite_id(
- tls_translate_cipher_name(token));
+ ctx->allowed_ciphers[i] = mbedtls_ssl_get_ciphersuite_id(tls_translate_cipher_name(token));
if (0 != ctx->allowed_ciphers[i])
{
i++;
@@ -382,8 +371,7 @@
void
tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
{
- if (!profile || 0 == strcmp(profile, "legacy")
- || 0 == strcmp(profile, "insecure"))
+ if (!profile || 0 == strcmp(profile, "legacy") || 0 == strcmp(profile, "insecure"))
{
ctx->cert_profile = openvpn_x509_crt_profile_legacy;
}
@@ -418,8 +406,7 @@
const char *token;
while ((token = strsep(&tmp_groups, ":")))
{
- const mbedtls_ecp_curve_info *ci =
- mbedtls_ecp_curve_info_from_name(token);
+ const mbedtls_ecp_curve_info *ci = mbedtls_ecp_curve_info_from_name(token);
if (!ci)
{
msg(M_WARN, "Warning unknown curve/group specified: %s", token);
@@ -461,13 +448,11 @@
}
void
-tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
- bool dh_inline)
+tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_inline)
{
if (dh_inline)
{
- if (!mbed_ok(mbedtls_dhm_parse_dhm(ctx->dhm_ctx,
- (const unsigned char *) dh_file,
+ if (!mbed_ok(mbedtls_dhm_parse_dhm(ctx->dhm_ctx, (const unsigned char *)dh_file,
strlen(dh_file) + 1)))
{
msg(M_FATAL, "Cannot read inline DH parameters");
@@ -482,24 +467,23 @@
}
msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with " counter_format " bit key",
- (counter_type) mbedtls_dhm_get_bitlen(ctx->dhm_ctx));
+ (counter_type)mbedtls_dhm_get_bitlen(ctx->dhm_ctx));
}
void
-tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
- )
+tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
{
if (NULL != curve_name)
{
msg(M_WARN, "WARNING: mbed TLS builds do not support specifying an "
- "ECDH curve with --ecdh-curve, using default curves. Use "
- "--tls-groups to specify curves.");
+ "ECDH curve with --ecdh-curve, using default curves. Use "
+ "--tls-groups to specify curves.");
}
}
int
-tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
- bool pkcs12_file_inline, bool load_ca_file)
+tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline,
+ bool load_ca_file)
{
msg(M_FATAL, "PKCS #12 files not yet supported for mbed TLS.");
return 0;
@@ -514,8 +498,7 @@
#endif /* _WIN32 */
void
-tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file,
- bool cert_inline)
+tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_inline)
{
ASSERT(NULL != ctx);
@@ -526,8 +509,7 @@
if (cert_inline)
{
- if (!mbed_ok(mbedtls_x509_crt_parse(ctx->crt_chain,
- (const unsigned char *)cert_file,
+ if (!mbed_ok(mbedtls_x509_crt_parse(ctx->crt_chain, (const unsigned char *)cert_file,
strlen(cert_file) + 1)))
{
msg(M_FATAL, "Cannot load inline certificate file");
@@ -543,8 +525,7 @@
}
int
-tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file,
- bool priv_key_inline)
+tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, bool priv_key_inline)
{
int status;
ASSERT(NULL != ctx);
@@ -556,40 +537,29 @@
if (priv_key_inline)
{
- status = mbedtls_compat_pk_parse_key(ctx->priv_key,
- (const unsigned char *) priv_key_file,
+ status = mbedtls_compat_pk_parse_key(ctx->priv_key, (const unsigned char *)priv_key_file,
strlen(priv_key_file) + 1, NULL, 0,
- mbedtls_ctr_drbg_random,
- rand_ctx_get());
+ mbedtls_ctr_drbg_random, rand_ctx_get());
if (MBEDTLS_ERR_PK_PASSWORD_REQUIRED == status)
{
- char passbuf[512] = {0};
+ char passbuf[512] = { 0 };
pem_password_callback(passbuf, 512, 0, NULL);
- status = mbedtls_compat_pk_parse_key(ctx->priv_key,
- (const unsigned char *) priv_key_file,
- strlen(priv_key_file) + 1,
- (unsigned char *) passbuf,
- strlen(passbuf),
- mbedtls_ctr_drbg_random,
- rand_ctx_get());
+ status = mbedtls_compat_pk_parse_key(
+ ctx->priv_key, (const unsigned char *)priv_key_file, strlen(priv_key_file) + 1,
+ (unsigned char *)passbuf, strlen(passbuf), mbedtls_ctr_drbg_random, rand_ctx_get());
}
}
else
{
- status = mbedtls_compat_pk_parse_keyfile(ctx->priv_key,
- priv_key_file,
- NULL,
- mbedtls_ctr_drbg_random,
- rand_ctx_get());
+ status = mbedtls_compat_pk_parse_keyfile(ctx->priv_key, priv_key_file, NULL,
+ mbedtls_ctr_drbg_random, rand_ctx_get());
if (MBEDTLS_ERR_PK_PASSWORD_REQUIRED == status)
{
- char passbuf[512] = {0};
+ char passbuf[512] = { 0 };
pem_password_callback(passbuf, 512, 0, NULL);
- status = mbedtls_compat_pk_parse_keyfile(ctx->priv_key,
- priv_key_file, passbuf,
- mbedtls_ctr_drbg_random,
- rand_ctx_get());
+ status = mbedtls_compat_pk_parse_keyfile(ctx->priv_key, priv_key_file, passbuf,
+ mbedtls_ctr_drbg_random, rand_ctx_get());
}
}
if (!mbed_ok(status))
@@ -605,10 +575,8 @@
return 1;
}
- if (!mbed_ok(mbedtls_compat_pk_check_pair(&ctx->crt_chain->pk,
- ctx->priv_key,
- mbedtls_ctr_drbg_random,
- rand_ctx_get())))
+ if (!mbed_ok(mbedtls_compat_pk_check_pair(&ctx->crt_chain->pk, ctx->priv_key,
+ mbedtls_ctr_drbg_random, rand_ctx_get())))
{
msg(M_WARN, "Private key does not match the certificate");
return 1;
@@ -636,13 +604,12 @@
* @return 0 on success, non-zero mbed TLS error code on failure.
*/
static inline int
-external_pkcs1_sign( void *ctx_voidptr,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+external_pkcs1_sign(void *ctx_voidptr, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
#if MBEDTLS_VERSION_NUMBER < 0x03020100
- int mode,
+ int mode,
#endif
- mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash,
- unsigned char *sig )
+ mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash,
+ unsigned char *sig)
{
struct external_context *const ctx = ctx_voidptr;
int rv;
@@ -670,23 +637,22 @@
*/
if (md_alg != MBEDTLS_MD_NONE)
{
- const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
+ const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);
if (md_info == NULL)
{
- return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+ return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
}
- if (!mbed_ok(mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size )))
+ if (!mbed_ok(mbedtls_oid_get_oid_by_md(md_alg, &oid, &oid_size)))
{
- return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+ return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
}
- hashlen = mbedtls_md_get_size( md_info );
+ hashlen = mbedtls_md_get_size(md_info);
asn_len = 10 + oid_size;
}
- if ((SIZE_MAX - hashlen) < asn_len
- || ctx->signature_length < (asn_len + hashlen))
+ if ((SIZE_MAX - hashlen) < asn_len || ctx->signature_length < (asn_len + hashlen))
{
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
@@ -705,12 +671,12 @@
* Digest ::= OCTET STRING
*/
*p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
- *p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
+ *p++ = (unsigned char)(0x08 + oid_size + hashlen);
*p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
- *p++ = (unsigned char) ( 0x04 + oid_size );
+ *p++ = (unsigned char)(0x04 + oid_size);
*p++ = MBEDTLS_ASN1_OID;
*p++ = oid_size & 0xFF;
- memcpy( p, oid, oid_size );
+ memcpy(p, oid, oid_size);
p += oid_size;
*p++ = MBEDTLS_ASN1_NULL;
*p++ = 0x00;
@@ -725,8 +691,7 @@
memcpy(p, hash, hashlen);
/* Call external signature function */
- if (!ctx->sign(ctx->sign_ctx, to_sign, asn_len + hashlen, sig,
- ctx->signature_length))
+ if (!ctx->sign(ctx->sign_ctx, to_sign, asn_len + hashlen, sig, ctx->signature_length))
{
rv = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
goto done;
@@ -748,8 +713,8 @@
}
int
-tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx,
- external_sign_func sign_func, void *sign_ctx)
+tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx, external_sign_func sign_func,
+ void *sign_ctx)
{
ASSERT(NULL != ctx);
@@ -762,7 +727,7 @@
if (mbedtls_pk_get_type(&ctx->crt_chain->pk) != MBEDTLS_PK_RSA)
{
msg(M_WARN, "ERROR: external key with mbed TLS requires a "
- "certificate with an RSA key.");
+ "certificate with an RSA key.");
return 1;
}
@@ -771,8 +736,8 @@
ctx->external_key.sign_ctx = sign_ctx;
ALLOC_OBJ_CLEAR(ctx->priv_key, mbedtls_pk_context);
- if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ctx->priv_key, &ctx->external_key,
- NULL, external_pkcs1_sign, external_key_len)))
+ if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ctx->priv_key, &ctx->external_key, NULL,
+ external_pkcs1_sign, external_key_len)))
{
return 1;
}
@@ -783,8 +748,7 @@
#ifdef ENABLE_MANAGEMENT
/** Query the management interface for a signature, see external_sign_func. */
static bool
-management_sign_func(void *sign_ctx, const void *src, size_t src_len,
- void *dst, size_t dst_len)
+management_sign_func(void *sign_ctx, const void *src, size_t src_len, void *dst, size_t dst_len)
{
bool ret = false;
char *src_b64 = NULL;
@@ -799,8 +763,7 @@
* We only support RSA external keys and PKCS1 signatures at the moment
* in mbed TLS, so the signature parameter is hardcoded to this encoding
*/
- if (!(dst_b64 = management_query_pk_sig(management, src_b64,
- "RSA_PKCS1_PADDING")))
+ if (!(dst_b64 = management_query_pk_sig(management, src_b64, "RSA_PKCS1_PADDING")))
{
goto cleanup;
}
@@ -827,8 +790,8 @@
#endif /* ifdef ENABLE_MANAGEMENT */
void
-tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file,
- bool ca_inline, const char *ca_path, bool tls_server)
+tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_inline, const char *ca_path,
+ bool tls_server)
{
if (ca_path)
{
@@ -837,8 +800,7 @@
if (ca_file && ca_inline)
{
- if (!mbed_ok(mbedtls_x509_crt_parse(ctx->ca_chain,
- (const unsigned char *) ca_file,
+ if (!mbed_ok(mbedtls_x509_crt_parse(ctx->ca_chain, (const unsigned char *)ca_file,
strlen(ca_file) + 1)))
{
msg(M_FATAL, "Cannot load inline CA certificates");
@@ -867,8 +829,7 @@
if (extra_certs_inline)
{
- if (!mbed_ok(mbedtls_x509_crt_parse(ctx->crt_chain,
- (const unsigned char *) extra_certs_file,
+ if (!mbed_ok(mbedtls_x509_crt_parse(ctx->crt_chain, (const unsigned char *)extra_certs_file,
strlen(extra_certs_file) + 1)))
{
msg(M_FATAL, "Cannot load inline extra-certs file");
@@ -916,7 +877,7 @@
}
static int
-endless_buf_read( endless_buffer *in, unsigned char *out, size_t out_len )
+endless_buf_read(endless_buffer *in, unsigned char *out, size_t out_len)
{
size_t read_len = 0;
@@ -931,8 +892,7 @@
if (block_len <= out_len - read_len)
{
buffer_entry *cur_entry = in->first_block;
- memcpy(out + read_len, cur_entry->data + in->data_start,
- block_len);
+ memcpy(out + read_len, cur_entry->data + in->data_start, block_len);
read_len += block_len;
@@ -948,8 +908,7 @@
}
else
{
- memcpy(out + read_len, in->first_block->data + in->data_start,
- out_len - read_len);
+ memcpy(out + read_len, in->first_block->data + in->data_start, out_len - read_len);
in->data_start += out_len - read_len;
read_len = out_len;
}
@@ -959,7 +918,7 @@
}
static int
-endless_buf_write( endless_buffer *out, const unsigned char *in, size_t len )
+endless_buf_write(endless_buffer *out, const unsigned char *in, size_t len)
{
buffer_entry *new_block = malloc(sizeof(buffer_entry));
if (NULL == new_block)
@@ -995,22 +954,21 @@
}
static int
-ssl_bio_read( void *ctx, unsigned char *out, size_t out_len)
+ssl_bio_read(void *ctx, unsigned char *out, size_t out_len)
{
- bio_ctx *my_ctx = (bio_ctx *) ctx;
+ bio_ctx *my_ctx = (bio_ctx *)ctx;
return endless_buf_read(&my_ctx->in, out, out_len);
}
static int
-ssl_bio_write( void *ctx, const unsigned char *in, size_t in_len)
+ssl_bio_write(void *ctx, const unsigned char *in, size_t in_len)
{
- bio_ctx *my_ctx = (bio_ctx *) ctx;
+ bio_ctx *my_ctx = (bio_ctx *)ctx;
return endless_buf_write(&my_ctx->out, in, in_len);
}
static void
-my_debug( void *ctx, int level, const char *file, int line,
- const char *str )
+my_debug(void *ctx, int level, const char *file, int line, const char *str)
{
int my_loglevel = (level < 3) ? D_TLS_DEBUG_MED : D_TLS_DEBUG;
msg(my_loglevel, "mbed TLS msg (%s:%d): %s", file, line, str);
@@ -1022,8 +980,8 @@
void
tls_ctx_personalise_random(struct tls_root_ctx *ctx)
{
- static char old_sha256_hash[32] = {0};
- unsigned char sha256_hash[32] = {0};
+ static char old_sha256_hash[32] = { 0 };
+ unsigned char sha256_hash[32] = { 0 };
mbedtls_ctr_drbg_context *cd_ctx = rand_ctx_get();
if (NULL != ctx->crt_chain)
@@ -1055,7 +1013,7 @@
#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
return TLS_VER_1_2;
#else
- #error mbedtls is compiled without support for TLS 1.2 or 1.3
+#error mbedtls is compiled without support for TLS 1.2 or 1.3
#endif
}
@@ -1088,8 +1046,7 @@
}
void
-backend_tls_ctx_reload_crl(struct tls_root_ctx *ctx, const char *crl_file,
- bool crl_inline)
+backend_tls_ctx_reload_crl(struct tls_root_ctx *ctx, const char *crl_file, bool crl_inline)
{
ASSERT(crl_file);
@@ -1101,8 +1058,7 @@
if (crl_inline)
{
- if (!mbed_ok(mbedtls_x509_crl_parse(ctx->crl,
- (const unsigned char *)crl_file,
+ if (!mbed_ok(mbedtls_x509_crl_parse(ctx->crl, (const unsigned char *)crl_file,
strlen(crl_file) + 1)))
{
msg(M_WARN, "CRL: cannot parse inline CRL");
@@ -1124,8 +1080,7 @@
}
void
-key_state_ssl_init(struct key_state_ssl *ks_ssl,
- const struct tls_root_ctx *ssl_ctx, bool is_server,
+key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server,
struct tls_session *session)
{
ASSERT(NULL != ssl_ctx);
@@ -1135,8 +1090,8 @@
/* Initialise SSL config */
ALLOC_OBJ_CLEAR(ks_ssl->ssl_config, mbedtls_ssl_config);
mbedtls_ssl_config_init(ks_ssl->ssl_config);
- mbedtls_ssl_config_defaults(ks_ssl->ssl_config, ssl_ctx->endpoint,
- MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
+ mbedtls_ssl_config_defaults(ks_ssl->ssl_config, ssl_ctx->endpoint, MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_PRESET_DEFAULT);
#ifdef MBEDTLS_DEBUG_C
/* We only want to have mbed TLS generate debug level logging when we would
* also display it.
@@ -1152,8 +1107,7 @@
}
#endif
mbedtls_ssl_conf_dbg(ks_ssl->ssl_config, my_debug, NULL);
- mbedtls_ssl_conf_rng(ks_ssl->ssl_config, mbedtls_ctr_drbg_random,
- rand_ctx_get());
+ mbedtls_ssl_conf_rng(ks_ssl->ssl_config, mbedtls_ctr_drbg_random, rand_ctx_get());
mbedtls_ssl_conf_cert_profile(ks_ssl->ssl_config, &ssl_ctx->cert_profile);
@@ -1168,8 +1122,8 @@
}
/* Disable TLS renegotiations if the mbedtls library supports that feature.
- * OpenVPN's renegotiation creates new SSL sessions and does not depend on
- * this feature and TLS renegotiations have been problematic in the past. */
+ * OpenVPN's renegotiation creates new SSL sessions and does not depend on
+ * this feature and TLS renegotiations have been problematic in the past. */
#if defined(MBEDTLS_SSL_RENEGOTIATION)
mbedtls_ssl_conf_renegotiation(ks_ssl->ssl_config, MBEDTLS_SSL_RENEGOTIATION_DISABLED);
#endif /* MBEDTLS_SSL_RENEGOTIATION */
@@ -1186,12 +1140,10 @@
/* Initialise authentication information */
if (is_server)
{
- mbed_ok(mbedtls_ssl_conf_dh_param_ctx(ks_ssl->ssl_config,
- ssl_ctx->dhm_ctx));
+ mbed_ok(mbedtls_ssl_conf_dh_param_ctx(ks_ssl->ssl_config, ssl_ctx->dhm_ctx));
}
- mbed_ok(mbedtls_ssl_conf_own_cert(ks_ssl->ssl_config, ssl_ctx->crt_chain,
- ssl_ctx->priv_key));
+ mbed_ok(mbedtls_ssl_conf_own_cert(ks_ssl->ssl_config, ssl_ctx->crt_chain, ssl_ctx->priv_key));
/* Initialise SSL verification */
if (session->opt->ssl_flags & SSLF_CLIENT_CERT_OPTIONAL)
@@ -1210,8 +1162,7 @@
/* Initialize minimum TLS version */
{
const int configured_tls_version_min =
- (session->opt->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
- &SSLF_TLS_VERSION_MIN_MASK;
+ (session->opt->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK;
/* default to TLS 1.2 */
mbedtls_ssl_protocol_version version = MBEDTLS_SSL_VERSION_TLS1_2;
@@ -1227,8 +1178,7 @@
/* Initialize maximum TLS version */
{
const int configured_tls_version_max =
- (session->opt->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
- &SSLF_TLS_VERSION_MAX_MASK;
+ (session->opt->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;
mbedtls_ssl_protocol_version version = MBEDTLS_SSL_VERSION_UNKNOWN;
@@ -1245,10 +1195,10 @@
mbedtls_ssl_conf_max_tls_version(ks_ssl->ssl_config, version);
}
-#if defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
+#if defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) \
+ && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
/* Initialize keying material exporter, old style. */
- mbedtls_ssl_conf_export_keys_ext_cb(ks_ssl->ssl_config,
- mbedtls_ssl_export_keys_cb, session);
+ mbedtls_ssl_conf_export_keys_ext_cb(ks_ssl->ssl_config, mbedtls_ssl_export_keys_cb, session);
#endif
/* Initialise SSL context */
@@ -1267,8 +1217,7 @@
/* Initialise BIOs */
ALLOC_OBJ_CLEAR(ks_ssl->bio_ctx, bio_ctx);
- mbedtls_ssl_set_bio(ks_ssl->ctx, ks_ssl->bio_ctx, ssl_bio_write,
- ssl_bio_read, NULL);
+ mbedtls_ssl_set_bio(ks_ssl->ctx, ks_ssl->bio_ctx, ssl_bio_write, ssl_bio_read, NULL);
}
@@ -1317,7 +1266,7 @@
if (1 == retval)
{
- memset(BPTR(buf), 0, BLEN(buf)); /* erase data just written */
+ memset(BPTR(buf), 0, BLEN(buf)); /* erase data just written */
buf->len = 0;
}
@@ -1350,16 +1299,14 @@
{
return 0;
}
- mbed_log_err(D_TLS_ERRORS, retval,
- "TLS ERROR: write tls_write_plaintext_const error");
+ mbed_log_err(D_TLS_ERRORS, retval, "TLS ERROR: write tls_write_plaintext_const error");
return -1;
}
if (retval != len)
{
- msg(D_TLS_ERRORS,
- "TLS ERROR: write tls_write_plaintext_const incomplete %d/%d",
- retval, len);
+ msg(D_TLS_ERRORS, "TLS ERROR: write tls_write_plaintext_const incomplete %d/%d", retval,
+ len);
perf_pop();
return -1;
}
@@ -1446,15 +1393,14 @@
{
return 0;
}
- mbed_log_err(D_TLS_ERRORS, retval,
- "TLS ERROR: write tls_write_ciphertext error");
+ mbed_log_err(D_TLS_ERRORS, retval, "TLS ERROR: write tls_write_ciphertext error");
return -1;
}
if (retval != buf->len)
{
- msg(D_TLS_ERRORS, "TLS ERROR: write tls_write_ciphertext incomplete %d/%d",
- retval, buf->len);
+ msg(D_TLS_ERRORS, "TLS ERROR: write tls_write_ciphertext incomplete %d/%d", retval,
+ buf->len);
perf_pop();
return -1;
}
@@ -1462,7 +1408,7 @@
/* successful write */
dmsg(D_HANDSHAKE_VERBOSE, "write tls_write_ciphertext %d bytes", retval);
- memset(BPTR(buf), 0, BLEN(buf)); /* erase data just written */
+ memset(BPTR(buf), 0, BLEN(buf)); /* erase data just written */
buf->len = 0;
perf_pop();
@@ -1534,25 +1480,20 @@
char s2[256];
s1[0] = s2[0] = 0;
- snprintf(s1, sizeof(s1), "%s %s, cipher %s",
- prefix,
- mbedtls_ssl_get_version(ks_ssl->ctx),
+ snprintf(s1, sizeof(s1), "%s %s, cipher %s", prefix, mbedtls_ssl_get_version(ks_ssl->ctx),
mbedtls_ssl_get_ciphersuite(ks_ssl->ctx));
cert = mbedtls_ssl_get_peer_cert(ks_ssl->ctx);
if (cert != NULL)
{
- snprintf(s2, sizeof(s2), ", %u bit key",
- (unsigned int) mbedtls_pk_get_bitlen(&cert->pk));
+ snprintf(s2, sizeof(s2), ", %u bit key", (unsigned int)mbedtls_pk_get_bitlen(&cert->pk));
}
msg(D_HANDSHAKE, "%s%s", s1, s2);
}
void
-show_available_tls_ciphers_list(const char *cipher_list,
- const char *tls_cert_profile,
- bool tls13)
+show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13)
{
if (tls13)
{
@@ -1603,8 +1544,8 @@
{
static char mbedtls_version[30];
unsigned int pv = mbedtls_version_get_number();
- snprintf(mbedtls_version, sizeof(mbedtls_version), "mbed TLS %d.%d.%d",
- (pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
+ snprintf(mbedtls_version, sizeof(mbedtls_version), "mbed TLS %d.%d.%d", (pv >> 24) & 0xff,
+ (pv >> 16) & 0xff, (pv >> 8) & 0xff);
return mbedtls_version;
}
@@ -43,19 +43,22 @@
typedef struct _buffer_entry buffer_entry;
-struct _buffer_entry {
+struct _buffer_entry
+{
size_t length;
uint8_t *data;
buffer_entry *next_block;
};
-typedef struct {
+typedef struct
+{
size_t data_start;
buffer_entry *first_block;
buffer_entry *last_block;
} endless_buffer;
-typedef struct {
+typedef struct
+{
endless_buffer in;
endless_buffer out;
} bio_ctx;
@@ -73,12 +76,12 @@
*
* @return true if signing succeeded, false otherwise.
*/
-typedef bool (*external_sign_func)(
- void *sign_ctx, const void *src, size_t src_size,
- void *dst, size_t dst_size);
+typedef bool (*external_sign_func)(void *sign_ctx, const void *src, size_t src_size, void *dst,
+ size_t dst_size);
/** Context used by external_pkcs1_sign() */
-struct external_context {
+struct external_context
+{
size_t signature_length;
external_sign_func sign;
void *sign_ctx;
@@ -91,13 +94,16 @@
*
* The constants 64 and 48 are inherent to TLS 1.2. For TLS 1.3, it is not
* possible to obtain the exporter master secret from mbed TLS. */
-struct tls_key_cache {
+struct tls_key_cache
+{
unsigned char client_server_random[64];
mbedtls_tls_prf_types tls_prf_type;
unsigned char master_secret[48];
};
-#else /* !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
-struct tls_key_cache { };
+#else /* !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
+struct tls_key_cache
+{
+};
#endif
/**
@@ -106,30 +112,32 @@
*
* Either \c priv_key_pkcs11 or \c priv_key must be filled in.
*/
-struct tls_root_ctx {
- bool initialised; /**< True if the context has been initialised */
+struct tls_root_ctx
+{
+ bool initialised; /**< True if the context has been initialised */
- int endpoint; /**< Whether or not this is a server or a client */
+ int endpoint; /**< Whether or not this is a server or a client */
- mbedtls_dhm_context *dhm_ctx; /**< Diffie-Helmann-Merkle context */
- mbedtls_x509_crt *crt_chain; /**< Local Certificate chain */
- mbedtls_x509_crt *ca_chain; /**< CA chain for remote verification */
- mbedtls_pk_context *priv_key; /**< Local private key */
- mbedtls_x509_crl *crl; /**< Certificate Revocation List */
- time_t crl_last_mtime; /**< CRL last modification time */
- off_t crl_last_size; /**< size of last loaded CRL */
+ mbedtls_dhm_context *dhm_ctx; /**< Diffie-Helmann-Merkle context */
+ mbedtls_x509_crt *crt_chain; /**< Local Certificate chain */
+ mbedtls_x509_crt *ca_chain; /**< CA chain for remote verification */
+ mbedtls_pk_context *priv_key; /**< Local private key */
+ mbedtls_x509_crl *crl; /**< Certificate Revocation List */
+ time_t crl_last_mtime; /**< CRL last modification time */
+ off_t crl_last_size; /**< size of last loaded CRL */
#ifdef ENABLE_PKCS11
- pkcs11h_certificate_t pkcs11_cert; /**< PKCS11 certificate */
+ pkcs11h_certificate_t pkcs11_cert; /**< PKCS11 certificate */
#endif
- struct external_context external_key; /**< External key context */
- int *allowed_ciphers; /**< List of allowed ciphers for this connection */
- mbedtls_compat_group_id *groups; /**< List of allowed groups for this connection */
+ struct external_context external_key; /**< External key context */
+ int *allowed_ciphers; /**< List of allowed ciphers for this connection */
+ mbedtls_compat_group_id *groups; /**< List of allowed groups for this connection */
mbedtls_x509_crt_profile cert_profile; /**< Allowed certificate types */
};
-struct key_state_ssl {
- mbedtls_ssl_config *ssl_config; /**< mbedTLS global ssl config */
- mbedtls_ssl_context *ctx; /**< mbedTLS connection context */
+struct key_state_ssl
+{
+ mbedtls_ssl_config *ssl_config; /**< mbedTLS global ssl config */
+ mbedtls_ssl_context *ctx; /**< mbedTLS connection context */
bio_ctx *bio_ctx;
struct tls_key_cache tls_key_cache;
@@ -145,8 +153,7 @@
*
* @return 0 if successful, 1 if an error occurred.
*/
-int tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx,
- external_sign_func sign_func,
+int tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx, external_sign_func sign_func,
void *sign_ctx);
static inline void
@@ -82,8 +82,7 @@
{
return false;
}
- else if (tls_peer_info_ncp_ver(peer_info) >= 2
- || strstr(peer_info, "IV_CIPHERS="))
+ else if (tls_peer_info_ncp_ver(peer_info) >= 2 || strstr(peer_info, "IV_CIPHERS="))
{
return true;
}
@@ -98,7 +97,7 @@
{
bool error_found = false;
- struct buffer new_list = alloc_buf(MAX_NCP_CIPHERS_LENGTH);
+ struct buffer new_list = alloc_buf(MAX_NCP_CIPHERS_LENGTH);
char *const tmp_ciphers = string_alloc(list, NULL);
const char *token = strtok(tmp_ciphers, ":");
@@ -126,22 +125,23 @@
if (nonecipher)
{
msg(M_WARN, "WARNING: cipher 'none' specified for --data-ciphers. "
- "This allows negotiation of NO encryption and "
- "tunnelled data WILL then be transmitted in clear text "
- "over the network! "
- "PLEASE DO RECONSIDER THIS SETTING!");
+ "This allows negotiation of NO encryption and "
+ "tunnelled data WILL then be transmitted in clear text "
+ "over the network! "
+ "PLEASE DO RECONSIDER THIS SETTING!");
}
if (!nonecipher && !cipher_valid(token))
{
msg(M_WARN, "Unsupported %scipher in --data-ciphers: %s", optstr, token);
error_found = error_found || !optional;
}
- else if (!nonecipher && !cipher_kt_mode_aead(token)
- && !cipher_kt_mode_cbc(token)
+ else if (!nonecipher && !cipher_kt_mode_aead(token) && !cipher_kt_mode_cbc(token)
&& !cipher_kt_mode_ofb_cfb(token))
{
- msg(M_WARN, "Unsupported %scipher algorithm '%s'. It does not use "
- "CFB, OFB, CBC, or a supported AEAD mode", optstr, token);
+ msg(M_WARN,
+ "Unsupported %scipher algorithm '%s'. It does not use "
+ "CFB, OFB, CBC, or a supported AEAD mode",
+ optstr, token);
error_found = error_found || !optional;
}
else
@@ -154,7 +154,7 @@
ovpn_cipher_name = "none";
}
- if (buf_len(&new_list)> 0)
+ if (buf_len(&new_list) > 0)
{
/* The next if condition ensure there is always space for
* a :
@@ -163,11 +163,10 @@
}
/* Ensure buffer has capacity for cipher name + : + \0 */
- if (!(buf_forward_capacity(&new_list) >
- strlen(ovpn_cipher_name) + 2))
+ if (!(buf_forward_capacity(&new_list) > strlen(ovpn_cipher_name) + 2))
{
msg(M_WARN, "Length of --data-ciphers is over the "
- "limit of 127 chars");
+ "limit of 127 chars");
error_found = true;
}
else
@@ -179,7 +178,6 @@
}
-
char *ret = NULL;
if (!error_found && buf_len(&new_list) > 0)
{
@@ -200,8 +198,7 @@
size_t newlen = strlen(o->ncp_ciphers) + 1 + strlen(ciphername) + 1;
char *ncp_ciphers = gc_malloc(newlen, false, &o->gc);
- ASSERT(snprintf(ncp_ciphers, newlen, "%s:%s", o->ncp_ciphers,
- ciphername));
+ ASSERT(snprintf(ncp_ciphers, newlen, "%s:%s", o->ncp_ciphers, ciphername));
o->ncp_ciphers = ncp_ciphers;
}
@@ -233,7 +230,7 @@
{
return iv_ciphers;
}
- else if (tls_peer_info_ncp_ver(peer_info)>=2)
+ else if (tls_peer_info_ncp_ver(peer_info) >= 2)
{
/* If the peer announces IV_NCP=2 then it supports the AES GCM
* ciphers */
@@ -246,8 +243,8 @@
}
char *
-ncp_get_best_cipher(const char *server_list, const char *peer_info,
- const char *remote_cipher, struct gc_arena *gc)
+ncp_get_best_cipher(const char *server_list, const char *peer_info, const char *remote_cipher,
+ struct gc_arena *gc)
{
/*
* The gc of the parameter is tied to the VPN session, create a
@@ -262,8 +259,7 @@
/* non-NCP clients without OCC? "assume nothing" */
/* For client doing the newer version of NCP (that send IV_CIPHERS)
* we cannot assume that they will accept remote_cipher */
- if (remote_cipher == NULL
- || (peer_info && strstr(peer_info, "IV_CIPHERS=")))
+ if (remote_cipher == NULL || (peer_info && strstr(peer_info, "IV_CIPHERS=")))
{
remote_cipher = "";
}
@@ -273,8 +269,7 @@
const char *token;
while ((token = strsep(&tmp_ciphers, ":")))
{
- if (tls_item_in_cipher_list(token, peer_ncp_list)
- || streq(token, remote_cipher))
+ if (tls_item_in_cipher_list(token, peer_ncp_list) || streq(token, remote_cipher))
{
break;
}
@@ -302,8 +297,7 @@
static bool
tls_poor_mans_ncp(struct options *o, const char *remote_ciphername)
{
- if (remote_ciphername
- && tls_item_in_cipher_list(remote_ciphername, o->ncp_ciphers))
+ if (remote_ciphername && tls_item_in_cipher_list(remote_ciphername, o->ncp_ciphers))
{
o->ciphername = string_alloc(remote_ciphername, &o->gc);
msg(D_TLS_DEBUG_LOW, "Using peer cipher '%s'", o->ciphername);
@@ -338,29 +332,27 @@
/* We failed negotiation, give appropriate error message */
if (c->c2.tls_multi->remote_ciphername)
{
- msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to negotiate "
+ msg(D_TLS_ERRORS,
+ "OPTIONS ERROR: failed to negotiate "
"cipher with server. Add the server's "
"cipher ('%s') to --data-ciphers (currently '%s'), e.g."
"--data-ciphers %s:%s if you want to connect to this server.",
- c->c2.tls_multi->remote_ciphername,
- c->options.ncp_ciphers_conf, c->options.ncp_ciphers_conf,
- c->c2.tls_multi->remote_ciphername);
+ c->c2.tls_multi->remote_ciphername, c->options.ncp_ciphers_conf,
+ c->options.ncp_ciphers_conf, c->c2.tls_multi->remote_ciphername);
return false;
-
}
else
{
msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to negotiate "
- "cipher with server. Configure "
- "--data-ciphers-fallback if you want to connect "
- "to this server.");
+ "cipher with server. Configure "
+ "--data-ciphers-fallback if you want to connect "
+ "to this server.");
return false;
}
}
const char *
-get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info,
- struct gc_arena *gc)
+get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info, struct gc_arena *gc)
{
/* we use a local gc arena to keep the temporary strings needed by strsep */
struct gc_arena gc_local = gc_new();
@@ -410,8 +402,7 @@
}
static void
-p2p_ncp_set_options(struct tls_multi *multi, struct tls_session *session,
- const char *common_cipher)
+p2p_ncp_set_options(struct tls_multi *multi, struct tls_session *session, const char *common_cipher)
{
/* will return 0 if peer_info is null */
const unsigned int iv_proto_peer = extract_iv_proto(multi->peer_info);
@@ -433,8 +424,8 @@
session->opt->crypto_flags |= CO_USE_CC_EXIT_NOTIFY;
}
- if (session->opt->data_epoch_supported && (iv_proto_peer & IV_PROTO_DATA_EPOCH)
- && common_cipher && cipher_kt_mode_aead(common_cipher))
+ if (session->opt->data_epoch_supported && (iv_proto_peer & IV_PROTO_DATA_EPOCH) && common_cipher
+ && cipher_kt_mode_aead(common_cipher))
{
session->opt->crypto_flags |= CO_EPOCH_DATA_KEY_FORMAT;
}
@@ -457,20 +448,18 @@
uint8_t peerid[3];
if (!key_state_export_keying_material(session, EXPORT_P2P_PEERID_LABEL,
- strlen(EXPORT_P2P_PEERID_LABEL),
- &peerid, 3))
+ strlen(EXPORT_P2P_PEERID_LABEL), &peerid, 3))
{
/* Non DCO setup might still work but also this should never
* happen or very likely the TLS encryption key exporter will
* also fail */
msg(M_NONFATAL, "TLS key export for P2P peer id failed. "
- "Continuing anyway, expect problems");
+ "Continuing anyway, expect problems");
}
else
{
multi->peer_id = (peerid[0] << 16) + (peerid[1] << 8) + peerid[2];
}
-
}
}
if (iv_proto_peer & IV_PROTO_DYN_TLS_CRYPT)
@@ -511,12 +500,11 @@
common_cipher = BSTR(&out);
}
- msg(D_TLS_DEBUG_LOW, "P2P mode NCP negotiation result: "
+ msg(D_TLS_DEBUG_LOW,
+ "P2P mode NCP negotiation result: "
"TLS_export=%d, DATA_v2=%d, peer-id %d, epoch=%d, cipher=%s",
- (bool)(session->opt->crypto_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT),
- multi->use_peer_id,
- multi->peer_id,
- (bool)(session->opt->crypto_flags & CO_EPOCH_DATA_KEY_FORMAT),
+ (bool)(session->opt->crypto_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT), multi->use_peer_id,
+ multi->peer_id, (bool)(session->opt->crypto_flags & CO_EPOCH_DATA_KEY_FORMAT),
common_cipher);
gc_free(&gc);
@@ -526,16 +514,15 @@
bool
check_session_cipher(struct tls_session *session, struct options *options)
{
- bool cipher_allowed_as_fallback = options->enable_ncp_fallback
- && streq(options->ciphername, session->opt->config_ciphername);
+ bool cipher_allowed_as_fallback =
+ options->enable_ncp_fallback && streq(options->ciphername, session->opt->config_ciphername);
if (!session->opt->server && !cipher_allowed_as_fallback
&& !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers))
{
struct gc_arena gc = gc_new();
msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s%s",
- options->ciphername, options->ncp_ciphers_conf,
- ncp_expanded_ciphers(options, &gc));
+ options->ciphername, options->ncp_ciphers_conf, ncp_expanded_ciphers(options, &gc));
/* undo cipher push, abort connection setup */
options->ciphername = session->opt->config_ciphername;
gc_free(&gc);
@@ -576,7 +563,7 @@
const char *after_default = def + strlen(search);
buf_write(&ncp_ciphers_buf, after_default, strlen(after_default));
- o->ncp_ciphers = (char *) ncp_ciphers;
+ o->ncp_ciphers = (char *)ncp_ciphers;
}
/**
@@ -587,8 +574,8 @@
void
options_postprocess_setdefault_ncpciphers(struct options *o)
{
- bool default_in_cipher_list = o->ncp_ciphers
- && tls_item_in_cipher_list("DEFAULT", o->ncp_ciphers);
+ bool default_in_cipher_list =
+ o->ncp_ciphers && tls_item_in_cipher_list("DEFAULT", o->ncp_ciphers);
/* preserve the values that the user put into the configuration */
o->ncp_ciphers_conf = o->ncp_ciphers;
@@ -38,8 +38,7 @@
* Returns whether the client supports NCP either by
* announcing IV_NCP>=2 or the IV_CIPHERS list
*/
-bool
-tls_peer_supports_ncp(const char *peer_info);
+bool tls_peer_supports_ncp(const char *peer_info);
/* forward declaration to break include dependency loop */
struct context;
@@ -50,8 +49,7 @@
*
* @return Wether the client NCP process suceeded or failed
*/
-bool
-check_pull_client_ncp(struct context *c, int found);
+bool check_pull_client_ncp(struct context *c, int found);
/**
* Iterates through the ciphers in server_list and return the first
@@ -73,9 +71,8 @@
* @returns NULL if no common cipher is available, otherwise the best common
* cipher
*/
-char *
-ncp_get_best_cipher(const char *server_list, const char *peer_info,
- const char *remote_cipher, struct gc_arena *gc);
+char *ncp_get_best_cipher(const char *server_list, const char *peer_info, const char *remote_cipher,
+ struct gc_arena *gc);
/**
@@ -86,8 +83,7 @@
* or allocated via gc. If no information is available an empty string
* ("") is returned.
*/
-const char *
-tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc);
+const char *tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc);
/**
* Check whether the ciphers in the supplied list are supported.
@@ -102,8 +98,7 @@
* is short than MAX_NCP_CIPHERS_LENGTH. NULL
* otherwise.
*/
-char *
-mutate_ncp_cipher_list(const char *list, struct gc_arena *gc);
+char *mutate_ncp_cipher_list(const char *list, struct gc_arena *gc);
/**
* Appends the cipher specified by the ciphernamer parameter to to
@@ -147,17 +142,15 @@
* @param gc gc arena that will be used to allocate the returned cipher
* @return common cipher if one exist.
*/
-const char *
-get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info,
- struct gc_arena *gc);
+const char *get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info,
+ struct gc_arena *gc);
/**
* Checks if the cipher is allowed, otherwise returns false and reset the
* cipher to the config cipher.
*/
-bool
-check_session_cipher(struct tls_session *session, struct options *options);
+bool check_session_cipher(struct tls_session *session, struct options *options);
/**
* Checks for availability of Chacha20-Poly1305 and sets
@@ -167,8 +160,7 @@
* If DEFAULT is in the ncp_cipher string, it will be replaced
* by the default cipher string as defined above.
*/
-void
-options_postprocess_setdefault_ncpciphers(struct options *o);
+void options_postprocess_setdefault_ncpciphers(struct options *o);
/** returns the o->ncp_ciphers in brackets, e.g.
* (AES-256-GCM:CHACHA20-POLY1305) if o->ncp_ciphers_conf
@@ -176,6 +168,5 @@
*
* The returned string will be allocated in the passed \c gc
*/
-const char *
-ncp_expanded_ciphers(struct options *o, struct gc_arena *gc);
+const char *ncp_expanded_ciphers(struct options *o, struct gc_arena *gc);
#endif /* ifndef OPENVPN_SSL_NCP_H */
@@ -113,7 +113,7 @@
if (ERR_peek_error() != 0)
{
crypto_msg(M_WARN, "Warning: TLS server context initialisation "
- "has warnings.");
+ "has warnings.");
}
}
@@ -131,7 +131,7 @@
if (ERR_peek_error() != 0)
{
crypto_msg(M_WARN, "Warning: TLS client context initialisation "
- "has warnings.");
+ "has warnings.");
}
}
@@ -152,15 +152,13 @@
}
bool
-key_state_export_keying_material(struct tls_session *session,
- const char *label, size_t label_size,
+key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size,
void *ekm, size_t ekm_size)
{
SSL *ssl = session->key[KS_PRIMARY].ks_ssl.ssl;
- if (SSL_export_keying_material(ssl, ekm, ekm_size, label,
- label_size, NULL, 0, 0) == 1)
+ if (SSL_export_keying_material(ssl, ekm, ekm_size, label, label_size, NULL, 0, 0) == 1)
{
return true;
}
@@ -184,16 +182,15 @@
if (where & SSL_CB_LOOP)
{
dmsg(D_HANDSHAKE_VERBOSE, "SSL state (%s): %s",
- where & SSL_ST_CONNECT ? "connect" :
- where &SSL_ST_ACCEPT ? "accept" :
- "undefined", SSL_state_string_long(s));
+ where & SSL_ST_CONNECT ? "connect"
+ : where & SSL_ST_ACCEPT ? "accept"
+ : "undefined",
+ SSL_state_string_long(s));
}
else if (where & SSL_CB_ALERT)
{
- dmsg(D_TLS_DEBUG_LOW, "%s %s SSL alert: %s",
- where & SSL_CB_READ ? "Received" : "Sent",
- SSL_alert_type_string_long(ret),
- SSL_alert_desc_string_long(ret));
+ dmsg(D_TLS_DEBUG_LOW, "%s %s SSL alert: %s", where & SSL_CB_READ ? "Received" : "Sent",
+ SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
}
}
@@ -232,7 +229,7 @@
return TLS_VER_1_2;
#elif defined(TLS1_1_VERSION) || defined(SSL_OP_NO_TLSv1_1)
return TLS_VER_1_1;
-#else /* if defined(TLS1_3_VERSION) */
+#else /* if defined(TLS1_3_VERSION) */
return TLS_VER_1_0;
#endif
}
@@ -278,10 +275,10 @@
static bool
tls_ctx_set_tls_versions(struct tls_root_ctx *ctx, unsigned int ssl_flags)
{
- int tls_ver_min = openssl_tls_version(
- (ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK);
- int tls_ver_max = openssl_tls_version(
- (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK);
+ int tls_ver_min =
+ openssl_tls_version((ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK);
+ int tls_ver_max =
+ openssl_tls_version((ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK);
if (!tls_ver_min)
{
@@ -372,7 +369,8 @@
for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher)
{
end_of_cipher += strcspn(&ciphers[begin_of_cipher], ":");
- cipher_pair = tls_get_cipher_name_pair(&ciphers[begin_of_cipher], end_of_cipher - begin_of_cipher);
+ cipher_pair =
+ tls_get_cipher_name_pair(&ciphers[begin_of_cipher], end_of_cipher - begin_of_cipher);
if (NULL == cipher_pair)
{
@@ -393,11 +391,13 @@
current_cipher_len = strlen(current_cipher);
if (end_of_cipher - begin_of_cipher == current_cipher_len
- && 0 != memcmp(&ciphers[begin_of_cipher], cipher_pair->iana_name,
- end_of_cipher - begin_of_cipher))
+ && 0
+ != memcmp(&ciphers[begin_of_cipher], cipher_pair->iana_name,
+ end_of_cipher - begin_of_cipher))
{
/* Non-IANA name used, show warning */
- msg(M_WARN, "Deprecated TLS cipher name '%s', please use IANA name '%s'", cipher_pair->openssl_name, cipher_pair->iana_name);
+ msg(M_WARN, "Deprecated TLS cipher name '%s', please use IANA name '%s'",
+ cipher_pair->openssl_name, cipher_pair->iana_name);
}
}
@@ -405,8 +405,7 @@
if ((SIZE_MAX - openssl_ciphers_len) < current_cipher_len
|| (len - 1) < (openssl_ciphers_len + current_cipher_len))
{
- msg(M_FATAL,
- "Failed to set restricted TLS cipher list, too long (>%d).",
+ msg(M_FATAL, "Failed to set restricted TLS cipher list, too long (>%d).",
(int)(len - 1));
}
@@ -421,7 +420,7 @@
if (openssl_ciphers_len > 0)
{
- openssl_ciphers[openssl_ciphers_len-1] = '\0';
+ openssl_ciphers[openssl_ciphers_len - 1] = '\0';
}
}
@@ -431,17 +430,18 @@
if (ciphers == NULL)
{
/* Use sane default TLS cipher list */
- if (!SSL_CTX_set_cipher_list(ctx->ctx,
- /* Use openssl's default list as a basis */
- "DEFAULT"
- /* Disable export ciphers and openssl's 'low' and 'medium' ciphers */
- ":!EXP:!LOW:!MEDIUM"
- /* Disable static (EC)DH keys (no forward secrecy) */
- ":!kDH:!kECDH"
- /* Disable DSA private keys */
- ":!DSS"
- /* Disable unsupported TLS modes */
- ":!PSK:!SRP:!kRSA"))
+ if (!SSL_CTX_set_cipher_list(
+ ctx->ctx,
+ /* Use openssl's default list as a basis */
+ "DEFAULT"
+ /* Disable export ciphers and openssl's 'low' and 'medium' ciphers */
+ ":!EXP:!LOW:!MEDIUM"
+ /* Disable static (EC)DH keys (no forward secrecy) */
+ ":!kDH:!kECDH"
+ /* Disable DSA private keys */
+ ":!DSS"
+ /* Disable unsupported TLS modes */
+ ":!PSK:!SRP:!kRSA"))
{
crypto_msg(M_FATAL, "Failed to set default TLS cipher list.");
}
@@ -461,8 +461,7 @@
}
static void
-convert_tls13_list_to_openssl(char *openssl_ciphers, size_t len,
- const char *ciphers)
+convert_tls13_list_to_openssl(char *openssl_ciphers, size_t len, const char *ciphers)
{
/*
* OpenSSL (and official IANA) cipher names have _ in them. We
@@ -471,9 +470,8 @@
*/
if (strlen(ciphers) >= (len - 1))
{
- msg(M_FATAL,
- "Failed to set restricted TLS 1.3 cipher list, too long (>%d).",
- (int) (len - 1));
+ msg(M_FATAL, "Failed to set restricted TLS 1.3 cipher list, too long (>%d).",
+ (int)(len - 1));
}
strncpy(openssl_ciphers, ciphers, len);
@@ -498,20 +496,19 @@
}
#if !defined(TLS1_3_VERSION)
- crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. "
+ crypto_msg(M_WARN,
+ "Not compiled with OpenSSL 1.1.1 or higher. "
"Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.",
ciphers);
#else
ASSERT(NULL != ctx);
char openssl_ciphers[4096];
- convert_tls13_list_to_openssl(openssl_ciphers, sizeof(openssl_ciphers),
- ciphers);
+ convert_tls13_list_to_openssl(openssl_ciphers, sizeof(openssl_ciphers), ciphers);
if (!SSL_CTX_set_ciphersuites(ctx->ctx, openssl_ciphers))
{
- crypto_msg(M_FATAL, "Failed to set restricted TLS 1.3 cipher list: %s",
- openssl_ciphers);
+ crypto_msg(M_FATAL, "Failed to set restricted TLS 1.3 cipher list: %s", openssl_ciphers);
}
#endif
}
@@ -520,7 +517,7 @@
tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
{
#if OPENSSL_VERSION_NUMBER > 0x10100000L \
- && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3060000fL)
+ && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3060000fL)
/* OpenSSL does not have certificate profiles, but a complex set of
* callbacks that we could try to implement to achieve something similar.
* For now, use OpenSSL's security levels to achieve similar (but not equal)
@@ -549,8 +546,10 @@
#else /* if OPENSSL_VERSION_NUMBER > 0x10100000L */
if (profile)
{
- msg(M_WARN, "WARNING: OpenSSL 1.1.0 and LibreSSL do not support "
- "--tls-cert-profile, ignoring user-set profile: '%s'", profile);
+ msg(M_WARN,
+ "WARNING: OpenSSL 1.1.0 and LibreSSL do not support "
+ "--tls-cert-profile, ignoring user-set profile: '%s'",
+ profile);
}
#endif /* if OPENSSL_VERSION_NUMBER > 0x10100000L */
}
@@ -602,15 +601,13 @@
if (!SSL_CTX_set1_groups(ctx->ctx, glist, glistlen))
{
- crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s",
- groups);
+ crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s", groups);
}
gc_free(&gc);
#else /* if OPENSSL_VERSION_NUMBER < 0x30000000L */
if (!SSL_CTX_set1_groups_list(ctx->ctx, groups))
{
- crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s",
- groups);
+ crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s", groups);
}
#endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L */
}
@@ -652,8 +649,7 @@
}
void
-tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
- bool dh_file_inline)
+tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline)
{
BIO *bio;
@@ -689,8 +685,7 @@
crypto_msg(M_FATAL, "SSL_CTX_set0_tmp_dh_pkey");
}
- msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key",
- 8 * EVP_PKEY_get_size(dh));
+ msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key", 8 * EVP_PKEY_get_size(dh));
#else /* if OPENSSL_VERSION_NUMBER >= 0x30000000L */
DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
BIO_free(bio);
@@ -705,8 +700,7 @@
crypto_msg(M_FATAL, "SSL_CTX_set_tmp_dh");
}
- msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key",
- 8 * DH_size(dh));
+ msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key", 8 * DH_size(dh));
DH_free(dh);
#endif /* if OPENSSL_VERSION_NUMBER >= 0x30000000L */
@@ -719,8 +713,8 @@
if (curve_name != NULL)
{
msg(M_WARN, "WARNING: OpenSSL 3.0+ builds do not support specifying an "
- "ECDH curve with --ecdh-curve, using default curves. Use "
- "--tls-groups to specify groups.");
+ "ECDH curve with --ecdh-curve, using default curves. Use "
+ "--tls-groups to specify groups.");
}
#elif !defined(OPENSSL_NO_EC)
int nid = NID_undef;
@@ -753,10 +747,9 @@
{
/* Creating key failed, fall back on sane default */
ecdh = EC_KEY_new_by_curve_name(NID_secp384r1);
- const char *source = (NULL == curve_name) ?
- "extract curve from certificate" : "use supplied curve";
- msg(D_TLS_DEBUG_LOW,
- "Failed to %s (%s), using secp384r1 instead.", source, sname);
+ const char *source =
+ (NULL == curve_name) ? "extract curve from certificate" : "use supplied curve";
+ msg(D_TLS_DEBUG_LOW, "Failed to %s (%s), using secp384r1 instead.", source, sname);
sname = OBJ_nid2sn(NID_secp384r1);
}
@@ -770,7 +763,7 @@
EC_KEY_free(ecdh);
#else /* ifndef OPENSSL_NO_EC */
msg(D_LOW, "Your OpenSSL library was built without elliptic curve support."
- " Skipping ECDH parameter loading.");
+ " Skipping ECDH parameter loading.");
#endif /* OPENSSL_NO_EC */
}
@@ -794,7 +787,8 @@
{
struct user_pass up;
CLEAR(up);
- get_user_pass(&up, NULL, "PKCS#11 token", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY);
+ get_user_pass(&up, NULL, "PKCS#11 token",
+ GET_USER_PASS_MANAGEMENT | GET_USER_PASS_PASSWORD_ONLY);
UI_set_result(ui, uis, up.password);
purge_user_pass(&up, true);
}
@@ -845,12 +839,11 @@
{
return NULL;
}
- pkey = PEM_read_bio_PrivateKey(in, NULL,
- SSL_CTX_get_default_passwd_cb(ssl_ctx),
+ pkey = PEM_read_bio_PrivateKey(in, NULL, SSL_CTX_get_default_passwd_cb(ssl_ctx),
SSL_CTX_get_default_passwd_cb_userdata(ssl_ctx));
BIO_free(in);
-#else /* defined(HAVE_OPENSSL_STORE_API) */
+#else /* defined(HAVE_OPENSSL_STORE_API) */
OSSL_STORE_CTX *store_ctx = NULL;
OSSL_STORE_INFO *info = NULL;
@@ -863,8 +856,7 @@
}
UI_method_set_reader(ui_method, ui_reader);
- store_ctx = OSSL_STORE_open_ex(uri, tls_libctx, NULL, ui_method, ssl_ctx,
- NULL, NULL, NULL);
+ store_ctx = OSSL_STORE_open_ex(uri, tls_libctx, NULL, ui_method, ssl_ctx, NULL, NULL, NULL);
if (!store_ctx)
{
goto end;
@@ -904,8 +896,8 @@
}
int
-tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
- bool pkcs12_file_inline, bool load_ca_file)
+tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline,
+ bool load_ca_file)
{
FILE *fp;
EVP_PKEY *pkey;
@@ -920,8 +912,7 @@
if (pkcs12_file_inline)
{
BIO *b64 = BIO_new(BIO_f_base64());
- BIO *bio = BIO_new_mem_buf((void *) pkcs12_file,
- (int) strlen(pkcs12_file));
+ BIO *bio = BIO_new_mem_buf((void *)pkcs12_file, (int)strlen(pkcs12_file));
ASSERT(b64 && bio);
BIO_push(b64, bio);
p12 = d2i_PKCS12_bio(b64, NULL);
@@ -956,7 +947,7 @@
if (!PKCS12_parse(p12, password, &pkey, &cert, &ca))
{
crypto_msg(M_WARN, "Decoding PKCS12 failed. Probably wrong password "
- "or unsupported/legacy encryption");
+ "or unsupported/legacy encryption");
#ifdef ENABLE_MANAGEMENT
if (management && (ERR_GET_REASON(ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE))
{
@@ -1002,11 +993,13 @@
X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx->ctx);
if (!X509_STORE_add_cert(cert_store, sk_X509_value(ca, i)))
{
- crypto_msg(M_FATAL, "Cannot add certificate to certificate chain (X509_STORE_add_cert)");
+ crypto_msg(M_FATAL,
+ "Cannot add certificate to certificate chain (X509_STORE_add_cert)");
}
if (!SSL_CTX_add_client_CA(ctx->ctx, sk_X509_value(ca, i)))
{
- crypto_msg(M_FATAL, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
+ crypto_msg(M_FATAL,
+ "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
}
}
}
@@ -1024,7 +1017,9 @@
{
if (!SSL_CTX_add_extra_chain_cert(ctx->ctx, sk_X509_value(ca, i)))
{
- crypto_msg(M_FATAL, "Cannot add extra certificate to chain (SSL_CTX_add_extra_chain_cert)");
+ crypto_msg(
+ M_FATAL,
+ "Cannot add extra certificate to chain (SSL_CTX_add_extra_chain_cert)");
}
}
}
@@ -1041,7 +1036,8 @@
/* Load Certificate and Private Key */
if (!SSL_CTX_use_CryptoAPI_certificate(ctx->ctx, cryptoapi_cert))
{
- crypto_msg(M_FATAL, "Cannot load certificate \"%s\" from Microsoft Certificate Store", cryptoapi_cert);
+ crypto_msg(M_FATAL, "Cannot load certificate \"%s\" from Microsoft Certificate Store",
+ cryptoapi_cert);
}
}
#endif /* ENABLE_CRYPTOAPI */
@@ -1059,8 +1055,7 @@
* is found in the buffer. If loading more certificates is
* optional, break without raising an error
*/
- if (optional
- && ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE)
+ if (optional && ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE)
{
/* remove that error from error stack */
(void)ERR_get_error();
@@ -1109,8 +1104,8 @@
}
UI_method_set_reader(ui_method, ui_reader);
- store_ctx = OSSL_STORE_open_ex(uri, tls_libctx, NULL, ui_method, tls_ctx->ctx,
- NULL, NULL, NULL);
+ store_ctx =
+ OSSL_STORE_open_ex(uri, tls_libctx, NULL, ui_method, tls_ctx->ctx, NULL, NULL, NULL);
if (!store_ctx)
{
goto end;
@@ -1187,14 +1182,13 @@
UI_destroy_method(ui_method);
OSSL_STORE_INFO_free(info);
OSSL_STORE_close(store_ctx);
-#else /* defined(HAVE_OPENSSL_STORE_API */
+#else /* defined(HAVE_OPENSSL_STORE_API */
ASSERT(0);
#endif /* defined(HAVE_OPENSSL_STORE_API */
}
static void
-tls_ctx_load_cert_pem_file(struct tls_root_ctx *ctx, const char *cert_file,
- bool cert_file_inline)
+tls_ctx_load_cert_pem_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline)
{
BIO *in = NULL;
X509 *x = NULL;
@@ -1204,11 +1198,11 @@
if (cert_file_inline)
{
- in = BIO_new_mem_buf((char *) cert_file, -1);
+ in = BIO_new_mem_buf((char *)cert_file, -1);
}
else
{
- in = BIO_new_file((char *) cert_file, "r");
+ in = BIO_new_file((char *)cert_file, "r");
}
if (in == NULL)
@@ -1217,8 +1211,7 @@
goto end;
}
- x = PEM_read_bio_X509(in, NULL,
- SSL_CTX_get_default_passwd_cb(ctx->ctx),
+ x = PEM_read_bio_X509(in, NULL, SSL_CTX_get_default_passwd_cb(ctx->ctx),
SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx));
if (x == NULL)
{
@@ -1255,8 +1248,7 @@
}
void
-tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file,
- bool cert_file_inline)
+tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline)
{
if (cert_uri_supported() && !cert_file_inline)
{
@@ -1283,13 +1275,12 @@
if (priv_key_file_inline)
{
- in = BIO_new_mem_buf((char *) priv_key_file, -1);
+ in = BIO_new_mem_buf((char *)priv_key_file, -1);
if (in == NULL)
{
goto end;
}
- pkey = PEM_read_bio_PrivateKey(in, NULL,
- SSL_CTX_get_default_passwd_cb(ctx->ctx),
+ pkey = PEM_read_bio_PrivateKey(in, NULL, SSL_CTX_get_default_passwd_cb(ctx->ctx),
SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx));
}
else
@@ -1324,8 +1315,7 @@
}
void
-backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
- bool crl_inline)
+backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_inline)
{
BIO *in = NULL;
@@ -1354,7 +1344,7 @@
if (crl_inline)
{
- in = BIO_new_mem_buf((char *) crl_file, -1);
+ in = BIO_new_mem_buf((char *)crl_file, -1);
}
else
{
@@ -1363,8 +1353,7 @@
if (in == NULL)
{
- msg(M_WARN, "CRL: cannot read: %s",
- print_key_filename(crl_file, crl_inline));
+ msg(M_WARN, "CRL: cannot read: %s", print_key_filename(crl_file, crl_inline));
goto end;
}
@@ -1477,9 +1466,8 @@
* @return signature length or -1 on error.
*/
static int
-get_sig_from_man(const unsigned char *dgst, unsigned int dgstlen,
- unsigned char *sig, unsigned int siglen,
- const char *algorithm)
+get_sig_from_man(const unsigned char *dgst, unsigned int dgstlen, unsigned char *sig,
+ unsigned int siglen, const char *algorithm)
{
char *in_b64 = NULL;
char *out_b64 = NULL;
@@ -1490,7 +1478,6 @@
if (management && bencret > 0)
{
out_b64 = management_query_pk_sig(management, in_b64, algorithm);
-
}
if (out_b64)
{
@@ -1504,8 +1491,7 @@
/* sign arbitrary data */
static int
-rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa,
- int padding)
+rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
{
unsigned int len = RSA_size(rsa);
int ret = -1;
@@ -1533,8 +1519,7 @@
ASSERT(NULL != pub_rsa);
/* allocate custom RSA method object */
- rsa_meth = RSA_meth_new("OpenVPN external private key RSA Method",
- RSA_METHOD_FLAG_NO_CHECK);
+ rsa_meth = RSA_meth_new("OpenVPN external private key RSA Method", RSA_METHOD_FLAG_NO_CHECK);
check_malloc_return(rsa_meth);
RSA_meth_set_pub_enc(rsa_meth, rsa_pub_enc);
RSA_meth_set_pub_dec(rsa_meth, rsa_pub_dec);
@@ -1594,7 +1579,7 @@
{
/* release the method structure */
const EC_KEY_METHOD *ec_meth = EC_KEY_get_method(ec);
- EC_KEY_METHOD_free((EC_KEY_METHOD *) ec_meth);
+ EC_KEY_METHOD_free((EC_KEY_METHOD *)ec_meth);
}
/* EC_KEY_METHOD callback: sign().
@@ -1633,8 +1618,8 @@
* struct or NULL on error.
*/
static ECDSA_SIG *
-ecdsa_sign_sig(const unsigned char *dgst, int dgstlen, const BIGNUM *in_kinv,
- const BIGNUM *in_r, EC_KEY *ec)
+ecdsa_sign_sig(const unsigned char *dgst, int dgstlen, const BIGNUM *in_kinv, const BIGNUM *in_r,
+ EC_KEY *ec)
{
ECDSA_SIG *ecsig = NULL;
unsigned int len = ECDSA_size(ec);
@@ -1732,8 +1717,7 @@
#ifdef HAVE_XKEY_PROVIDER
EVP_PKEY *privkey = xkey_load_management_key(tls_libctx, pkey);
- if (!privkey
- || !SSL_CTX_use_PrivateKey(ctx->ctx, privkey))
+ if (!privkey || !SSL_CTX_use_PrivateKey(ctx->ctx, privkey))
{
EVP_PKEY_free(privkey);
goto cleanup;
@@ -1742,7 +1726,7 @@
#else /* ifdef HAVE_XKEY_PROVIDER */
#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA)
-#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
if (EVP_PKEY_is_a(pkey, "RSA"))
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
{
@@ -1754,7 +1738,7 @@
#if !defined(OPENSSL_NO_EC)
#if OPENSSL_VERSION_NUMBER < 0x30000000L
else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)
-#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
else if (EVP_PKEY_is_a(pkey, "EC"))
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
{
@@ -1796,8 +1780,8 @@
}
void
-tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file,
- bool ca_file_inline, const char *ca_path, bool tls_server)
+tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inline,
+ const char *ca_path, bool tls_server)
{
STACK_OF(X509_INFO) *info_stack = NULL;
STACK_OF(X509_NAME) *cert_names = NULL;
@@ -1892,8 +1876,7 @@
{
crypto_msg(M_WARN,
"Cannot load CA certificate file %s (entry %d did not validate)",
- print_key_filename(ca_file, ca_file_inline),
- added);
+ print_key_filename(ca_file, ca_file_inline), added);
}
prev = cnum;
}
@@ -1909,8 +1892,7 @@
if (!added)
{
- crypto_msg(M_FATAL,
- "Cannot load CA certificate file %s (no entries were read)",
+ crypto_msg(M_FATAL, "Cannot load CA certificate file %s (no entries were read)",
print_key_filename(ca_file, ca_file_inline));
}
@@ -1918,10 +1900,10 @@
{
if (cnum != added)
{
- crypto_msg(M_FATAL, "Cannot load CA certificate file %s (only %d "
+ crypto_msg(M_FATAL,
+ "Cannot load CA certificate file %s (only %d "
"of %d entries were valid X509 names)",
- print_key_filename(ca_file, ca_file_inline), cnum,
- added);
+ print_key_filename(ca_file, ca_file_inline), cnum, added);
}
}
@@ -1961,9 +1943,7 @@
if (in == NULL)
{
crypto_msg(M_FATAL, "Cannot load extra-certs file: %s",
- print_key_filename(extra_certs_file,
- extra_certs_file_inline));
-
+ print_key_filename(extra_certs_file, extra_certs_file_inline));
}
else
{
@@ -1988,10 +1968,10 @@
#warning BIO_DEBUG defined
-static FILE *biofp; /* GLOBAL */
-static bool biofp_toggle; /* GLOBAL */
-static time_t biofp_last_open; /* GLOBAL */
-static const int biofp_reopen_interval = 600; /* GLOBAL */
+static FILE *biofp; /* GLOBAL */
+static bool biofp_toggle; /* GLOBAL */
+static time_t biofp_last_open; /* GLOBAL */
+static const int biofp_reopen_interval = 600; /* GLOBAL */
static void
close_biofp(void)
@@ -2031,8 +2011,8 @@
if (len > 0)
{
open_biofp();
- fprintf(biofp, "BIO_%s %s time=%" PRIi64 " bio=" ptr_format " len=%d data=%s\n",
- mode, desc, (int64_t)time(NULL), (ptr_type)bio, len, format_hex(buf, len, 0, &gc));
+ fprintf(biofp, "BIO_%s %s time=%" PRIi64 " bio=" ptr_format " len=%d data=%s\n", mode, desc,
+ (int64_t)time(NULL), (ptr_type)bio, len, format_hex(buf, len, 0, &gc));
fflush(biofp);
}
gc_free(&gc);
@@ -2042,8 +2022,8 @@
bio_debug_oc(const char *mode, BIO *bio)
{
open_biofp();
- fprintf(biofp, "BIO %s time=%" PRIi64 " bio=" ptr_format "\n",
- mode, (int64_t)time(NULL), (ptr_type)bio);
+ fprintf(biofp, "BIO %s time=%" PRIi64 " bio=" ptr_format "\n", mode, (int64_t)time(NULL),
+ (ptr_type)bio);
fflush(biofp);
}
@@ -2082,13 +2062,12 @@
}
else if (i != size)
{
- crypto_msg(D_TLS_ERRORS, "TLS ERROR: BIO write %s incomplete %d/%d",
- desc, i, size);
+ crypto_msg(D_TLS_ERRORS, "TLS ERROR: BIO write %s incomplete %d/%d", desc, i, size);
ret = -1;
ERR_clear_error();
}
else
- { /* successful write */
+ { /* successful write */
dmsg(D_HANDSHAKE_VERBOSE, "BIO write %s %d bytes", desc, i);
ret = 1;
}
@@ -2104,9 +2083,9 @@
static void
bio_write_post(const int status, struct buffer *buf)
{
- if (status == 1) /* success status return from bio_write? */
+ if (status == 1) /* success status return from bio_write? */
{
- memset(BPTR(buf), 0, BLEN(buf)); /* erase data just written */
+ memset(BPTR(buf), 0, BLEN(buf)); /* erase data just written */
buf->len = 0;
}
}
@@ -2132,7 +2111,7 @@
*/
int i = BIO_read(bio, BPTR(buf), len);
- VALGRIND_MAKE_READABLE((void *) &i, sizeof(i));
+ VALGRIND_MAKE_READABLE((void *)&i, sizeof(i));
#ifdef BIO_DEBUG
bio_debug_data("read", bio, BPTR(buf), i, desc);
@@ -2154,17 +2133,18 @@
buf->len = 0;
}
else
- { /* successful read */
+ { /* successful read */
dmsg(D_HANDSHAKE_VERBOSE, "BIO read %s %d bytes", desc, i);
buf->len = i;
ret = 1;
- VALGRIND_MAKE_READABLE((void *) BPTR(buf), BLEN(buf));
+ VALGRIND_MAKE_READABLE((void *)BPTR(buf), BLEN(buf));
}
return ret;
}
void
-key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session)
+key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server,
+ struct tls_session *session)
{
ASSERT(NULL != ssl_ctx);
ASSERT(ks_ssl);
@@ -2232,8 +2212,7 @@
ASSERT(NULL != ks_ssl);
- ret = bio_write(ks_ssl->ssl_bio, BPTR(buf), BLEN(buf),
- "tls_write_plaintext");
+ ret = bio_write(ks_ssl->ssl_bio, BPTR(buf), BLEN(buf), "tls_write_plaintext");
bio_write_post(ret, buf);
perf_pop();
@@ -2337,7 +2316,7 @@
type = OBJ_nid2sn(typeid);
/* OpenSSL reports rsaEncryption, dsaEncryption and
- * id-ecPublicKey, map these values to nicer ones */
+ * id-ecPublicKey, map these values to nicer ones */
if (typeid == EVP_PKEY_RSA)
{
type = "RSA";
@@ -2355,7 +2334,7 @@
{
type = "unknown type";
}
-#else /* OpenSSL >= 3 */
+#else /* OpenSSL >= 3 */
type = EVP_PKEY_get0_type_name(pkey);
if (type == NULL)
{
@@ -2364,8 +2343,7 @@
#endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L */
}
- snprintf(buf, buflen, "%d bits %s%s",
- EVP_PKEY_bits(pkey), type, curve);
+ snprintf(buf, buflen, "%d bits %s%s", EVP_PKEY_bits(pkey), type, curve);
}
/**
@@ -2385,12 +2363,10 @@
int signature_nid = X509_get_signature_nid(cert);
if (signature_nid != 0)
{
- snprintf(sig, sizeof(sig), ", signature: %s",
- OBJ_nid2sn(signature_nid));
+ snprintf(sig, sizeof(sig), ", signature: %s", OBJ_nid2sn(signature_nid));
}
- snprintf(buf, buflen, ", peer certificate: %s%s",
- pkeybuf, sig);
+ snprintf(buf, buflen, ", peer certificate: %s%s", pkeybuf, sig);
EVP_PKEY_free(pkey);
}
@@ -2408,8 +2384,7 @@
char pkeybuf[128] = { 0 };
print_pkey_details(pkey, pkeybuf, sizeof(pkeybuf));
- snprintf(buf, buflen, ", peer temporary key: %s",
- pkeybuf);
+ snprintf(buf, buflen, ", peer temporary key: %s", pkeybuf);
EVP_PKEY_free(pkey);
}
@@ -2471,8 +2446,7 @@
|| (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3090000fL)
/* LibreSSL 3.7.x and 3.8.x implement this function but do not export it
* and fail linking with an unresolved symbol */
- if (SSL_get_peer_signature_type_nid(ssl, &peer_sig_type_nid)
- && peer_sig_type_nid != NID_undef)
+ if (SSL_get_peer_signature_type_nid(ssl, &peer_sig_type_nid) && peer_sig_type_nid != NID_undef)
{
peer_sig_type = get_sigtype(peer_sig_type_nid);
}
@@ -2483,8 +2457,7 @@
return;
}
- snprintf(buf, buflen, ", peer signing digest/type: %s %s",
- peer_sig, peer_sig_type);
+ snprintf(buf, buflen, ", peer signing digest/type: %s %s", peer_sig, peer_sig_type);
}
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
@@ -2522,11 +2495,8 @@
s1[0] = s2[0] = s3[0] = s4[0] = s5[0] = 0;
ciph = SSL_get_current_cipher(ks_ssl->ssl);
- snprintf(s1, sizeof(s1), "%s %s, cipher %s %s",
- prefix,
- SSL_get_version(ks_ssl->ssl),
- SSL_CIPHER_get_version(ciph),
- SSL_CIPHER_get_name(ciph));
+ snprintf(s1, sizeof(s1), "%s %s, cipher %s %s", prefix, SSL_get_version(ks_ssl->ssl),
+ SSL_CIPHER_get_version(ciph), SSL_CIPHER_get_name(ciph));
X509 *cert = SSL_get_peer_certificate(ks_ssl->ssl);
if (cert)
@@ -2544,9 +2514,7 @@
}
void
-show_available_tls_ciphers_list(const char *cipher_list,
- const char *tls_cert_profile,
- bool tls13)
+show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13)
{
struct tls_root_ctx tls_ctx;
@@ -2559,8 +2527,7 @@
#if defined(TLS1_3_VERSION)
if (tls13)
{
- SSL_CTX_set_min_proto_version(tls_ctx.ctx,
- openssl_tls_version(TLS_VER_1_3));
+ SSL_CTX_set_min_proto_version(tls_ctx.ctx, openssl_tls_version(TLS_VER_1_3));
tls_ctx_restrict_ciphers_tls13(&tls_ctx, cipher_list);
}
else
@@ -2599,8 +2566,7 @@
else if (NULL == pair)
{
/* No translation found, print warning */
- printf("%s (No IANA name known to OpenVPN, use OpenSSL name.)\n",
- cipher_name);
+ printf("%s (No IANA name known to OpenVPN, use OpenSSL name.)\n", cipher_name);
}
else
{
@@ -2638,7 +2604,7 @@
for (n = 0; n < crv_len; n++)
{
const char *sname;
- sname = OBJ_nid2sn(curves[n].nid);
+ sname = OBJ_nid2sn(curves[n].nid);
if (sname == NULL)
{
sname = "";
@@ -2654,7 +2620,7 @@
free(curves);
#else /* ifndef OPENSSL_NO_EC */
msg(M_WARN, "Your OpenSSL library was built without elliptic curve support. "
- "No curves available.");
+ "No curves available.");
#endif /* ifndef OPENSSL_NO_EC */
}
@@ -2678,7 +2644,7 @@
static int
provider_unload(OSSL_PROVIDER *prov, void *unused)
{
- (void) unused;
+ (void)unused;
OSSL_PROVIDER_unload(prov);
return 1;
}
@@ -2716,7 +2682,7 @@
if (!OSSL_PROVIDER_load(tls_libctx, "ovpn.xkey"))
{
msg(M_NONFATAL, "ERROR: failed loading external key provider: "
- "Signing with external keys will not work.");
+ "Signing with external keys will not work.");
}
}
@@ -36,17 +36,19 @@
* Structure that wraps the TLS context. Contents differ depending on the
* SSL library used.
*/
-struct tls_root_ctx {
+struct tls_root_ctx
+{
SSL_CTX *ctx;
time_t crl_last_mtime;
off_t crl_last_size;
};
-struct key_state_ssl {
- SSL *ssl; /* SSL object -- new obj created for each new key */
- BIO *ssl_bio; /* read/write plaintext from here */
- BIO *ct_in; /* write ciphertext to here */
- BIO *ct_out; /* read ciphertext from here */
+struct key_state_ssl
+{
+ SSL *ssl; /* SSL object -- new obj created for each new key */
+ BIO *ssl_bio; /* read/write plaintext from here */
+ BIO *ct_in; /* write ciphertext to here */
+ BIO *ct_out; /* read ciphertext from here */
};
/**
@@ -61,8 +61,7 @@
{
ASSERT(co);
- const struct key_ctx *ctx = (incoming ? &co->key_ctx_bi.decrypt :
- &co->key_ctx_bi.encrypt);
+ const struct key_ctx *ctx = (incoming ? &co->key_ctx_bi.decrypt : &co->key_ctx_bi.encrypt);
ASSERT(ctx->hmac);
{
@@ -120,8 +119,7 @@
tls_wrap_control(struct tls_wrap_ctx *ctx, uint8_t header, struct buffer *buf,
struct session_id *session_id)
{
- if (ctx->mode == TLS_WRAP_AUTH
- || ctx->mode == TLS_WRAP_NONE)
+ if (ctx->mode == TLS_WRAP_AUTH || ctx->mode == TLS_WRAP_NONE)
{
ASSERT(session_id_write_prepend(session_id, buf));
ASSERT(buf_write_prepend(buf, &header, sizeof(header)));
@@ -148,8 +146,7 @@
if ((header >> P_OPCODE_SHIFT) == P_CONTROL_HARD_RESET_CLIENT_V3
|| (header >> P_OPCODE_SHIFT) == P_CONTROL_WKC_V1)
{
- if (!buf_copy(&ctx->work,
- ctx->tls_crypt_v2_wkc))
+ if (!buf_copy(&ctx->work, ctx->tls_crypt_v2_wkc))
{
msg(D_TLS_ERRORS, "Could not append tls-crypt-v2 client key");
buf->len = 0;
@@ -164,12 +161,8 @@
}
void
-write_control_auth(struct tls_session *session,
- struct key_state *ks,
- struct buffer *buf,
- struct link_socket_actual **to_link_addr,
- int opcode,
- int max_ack,
+write_control_auth(struct tls_session *session, struct key_state *ks, struct buffer *buf,
+ struct link_socket_actual **to_link_addr, int opcode, int max_ack,
bool prepend_ack)
{
uint8_t header = ks->key_id | (opcode << P_OPCODE_SHIFT);
@@ -184,34 +177,30 @@
}
ASSERT(link_socket_actual_defined(&ks->remote_addr));
- ASSERT(reliable_ack_write
- (ks->rec_ack, ks->lru_acks, buf, &ks->session_id_remote,
- max_ack, prepend_ack));
+ ASSERT(reliable_ack_write(ks->rec_ack, ks->lru_acks, buf, &ks->session_id_remote, max_ack,
+ prepend_ack));
msg(D_TLS_DEBUG, "%s(): %s", __func__, packet_opcode_name(opcode));
- tls_wrap_control(tls_session_get_tls_wrap(session, ks->key_id), header, buf, &session->session_id);
+ tls_wrap_control(tls_session_get_tls_wrap(session, ks->key_id), header, buf,
+ &session->session_id);
*to_link_addr = &ks->remote_addr;
}
bool
-read_control_auth(struct buffer *buf,
- struct tls_wrap_ctx *ctx,
- const struct link_socket_actual *from,
- const struct tls_options *opt,
+read_control_auth(struct buffer *buf, struct tls_wrap_ctx *ctx,
+ const struct link_socket_actual *from, const struct tls_options *opt,
bool initial_packet)
{
struct gc_arena gc = gc_new();
bool ret = false;
const uint8_t opcode = *(BPTR(buf)) >> P_OPCODE_SHIFT;
- if ((opcode == P_CONTROL_HARD_RESET_CLIENT_V3
- || opcode == P_CONTROL_WKC_V1)
+ if ((opcode == P_CONTROL_HARD_RESET_CLIENT_V3 || opcode == P_CONTROL_WKC_V1)
&& !tls_crypt_v2_extract_client_key(buf, ctx, opt, initial_packet))
{
- msg(D_TLS_ERRORS,
- "TLS Error: can not extract tls-crypt-v2 client key from %s",
+ msg(D_TLS_ERRORS, "TLS Error: can not extract tls-crypt-v2 client key from %s",
print_link_socket_actual(from, &gc));
goto cleanup;
}
@@ -223,8 +212,7 @@
/* move the hmac record to the front of the packet */
if (!swap_hmac(buf, &ctx->opt, true))
{
- msg(D_TLS_ERRORS,
- "TLS Error: cannot locate HMAC in incoming packet from %s",
+ msg(D_TLS_ERRORS, "TLS Error: cannot locate HMAC in incoming packet from %s",
print_link_socket_actual(from, &gc));
gc_free(&gc);
return false;
@@ -235,12 +223,10 @@
openvpn_decrypt(buf, null, &ctx->opt, NULL, BPTR(buf));
if (!buf->len)
{
- msg(D_TLS_ERRORS,
- "TLS Error: incoming packet authentication failed from %s",
+ msg(D_TLS_ERRORS, "TLS Error: incoming packet authentication failed from %s",
print_link_socket_actual(from, &gc));
goto cleanup;
}
-
}
else if (ctx->mode == TLS_WRAP_CRYPT)
{
@@ -304,17 +290,14 @@
* on the UDP port listener in --mode server mode.
*/
enum first_packet_verdict
-tls_pre_decrypt_lite(const struct tls_auth_standalone *tas,
- struct tls_pre_decrypt_state *state,
- const struct link_socket_actual *from,
- const struct buffer *buf)
+tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, struct tls_pre_decrypt_state *state,
+ const struct link_socket_actual *from, const struct buffer *buf)
{
struct gc_arena gc = gc_new();
/* A packet needs to have at least an opcode and session id */
if (buf->len < (1 + SID_SIZE))
{
- dmsg(D_TLS_STATE_ERRORS,
- "TLS State Error: Too short packet (length %d) received from %s",
+ dmsg(D_TLS_STATE_ERRORS, "TLS State Error: Too short packet (length %d) received from %s",
buf->len, print_link_socket_actual(from, &gc));
goto error;
}
@@ -328,27 +311,21 @@
* scrutinize carefully */
/* Allow only the reset packet or the first packet of the actual handshake. */
- if (op != P_CONTROL_HARD_RESET_CLIENT_V2
- && op != P_CONTROL_HARD_RESET_CLIENT_V3
- && op != P_CONTROL_V1
- && op != P_CONTROL_WKC_V1
- && op != P_ACK_V1)
+ if (op != P_CONTROL_HARD_RESET_CLIENT_V2 && op != P_CONTROL_HARD_RESET_CLIENT_V3
+ && op != P_CONTROL_V1 && op != P_CONTROL_WKC_V1 && op != P_ACK_V1)
{
/*
* This can occur due to bogus data or DoS packets.
*/
- dmsg(D_TLS_STATE_ERRORS,
- "TLS State Error: No TLS state for client %s, opcode=%d",
- print_link_socket_actual(from, &gc),
- op);
+ dmsg(D_TLS_STATE_ERRORS, "TLS State Error: No TLS state for client %s, opcode=%d",
+ print_link_socket_actual(from, &gc), op);
goto error;
}
if (key_id != 0)
{
dmsg(D_TLS_STATE_ERRORS,
- "TLS State Error: Unknown key ID (%d) received from %s -- 0 was expected",
- key_id,
+ "TLS State Error: Unknown key ID (%d) received from %s -- 0 was expected", key_id,
print_link_socket_actual(from, &gc));
goto error;
}
@@ -360,8 +337,7 @@
if (!session_id_read(&state->peer_session_id, &tmp)
|| !session_id_defined(&state->peer_session_id))
{
- msg(D_TLS_ERRORS,
- "TLS Error: session-id not found in packet from %s",
+ msg(D_TLS_ERRORS, "TLS Error: session-id not found in packet from %s",
print_link_socket_actual(from, &gc));
goto error;
}
@@ -372,8 +348,7 @@
/* HMAC test and unwrapping the encrypted part of the control message
* into newbuf or just setting newbuf to point to the start of control
* message */
- bool status = read_control_auth(&state->newbuf, &state->tls_wrap_tmp,
- from, NULL, true);
+ bool status = read_control_auth(&state->newbuf, &state->tls_wrap_tmp, from, NULL, true);
if (!status)
{
@@ -425,11 +400,8 @@
struct buffer
-tls_reset_standalone(struct tls_wrap_ctx *ctx,
- struct tls_auth_standalone *tas,
- struct session_id *own_sid,
- struct session_id *remote_sid,
- uint8_t header,
+tls_reset_standalone(struct tls_wrap_ctx *ctx, struct tls_auth_standalone *tas,
+ struct session_id *own_sid, struct session_id *remote_sid, uint8_t header,
bool request_resend_wkc)
{
/* Copy buffer here to point at the same data but allow tls_wrap_control
@@ -484,12 +456,11 @@
}
struct session_id
-calculate_session_id_hmac(struct session_id client_sid,
- const struct openvpn_sockaddr *from,
- hmac_ctx_t *hmac,
- int handwindow, int offset)
+calculate_session_id_hmac(struct session_id client_sid, const struct openvpn_sockaddr *from,
+ hmac_ctx_t *hmac, int handwindow, int offset)
{
- union {
+ union
+ {
uint8_t hmac_result[SHA256_DIGEST_LENGTH];
struct session_id sid;
} result;
@@ -497,23 +468,22 @@
/* Get the valid time quantisation for our hmac,
* we divide time by handwindow/2 and allow the previous
* and future session time if specified by offset */
- uint32_t session_id_time = ntohl(now/((handwindow+1)/2) + offset);
+ uint32_t session_id_time = ntohl(now / ((handwindow + 1) / 2) + offset);
hmac_ctx_reset(hmac);
/* We do not care about endian here since it does not need to be
* portable */
- hmac_ctx_update(hmac, (const uint8_t *) &session_id_time,
- sizeof(session_id_time));
+ hmac_ctx_update(hmac, (const uint8_t *)&session_id_time, sizeof(session_id_time));
/* add client IP and port */
switch (from->addr.sa.sa_family)
{
case AF_INET:
- hmac_ctx_update(hmac, (const uint8_t *) &from->addr.in4, sizeof(struct sockaddr_in));
+ hmac_ctx_update(hmac, (const uint8_t *)&from->addr.in4, sizeof(struct sockaddr_in));
break;
case AF_INET6:
- hmac_ctx_update(hmac, (const uint8_t *) &from->addr.in6, sizeof(struct sockaddr_in6));
+ hmac_ctx_update(hmac, (const uint8_t *)&from->addr.in6, sizeof(struct sockaddr_in6));
break;
}
@@ -526,10 +496,8 @@
}
bool
-check_session_id_hmac(struct tls_pre_decrypt_state *state,
- const struct openvpn_sockaddr *from,
- hmac_ctx_t *hmac,
- int handwindow)
+check_session_id_hmac(struct tls_pre_decrypt_state *state, const struct openvpn_sockaddr *from,
+ hmac_ctx_t *hmac, int handwindow)
{
if (!from)
{
@@ -574,7 +542,7 @@
}
/* include the NUL byte and ensure NUL termination */
- cmdlen += 1;
+ cmdlen += 1;
/* Construct a buffer that only holds the current command and
* its closing NUL byte */
@@ -35,40 +35,40 @@
#include "ssl_common.h"
/* packet opcode (high 5 bits) and key-id (low 3 bits) are combined in one byte */
-#define P_KEY_ID_MASK 0x07
-#define P_OPCODE_SHIFT 3
+#define P_KEY_ID_MASK 0x07
+#define P_OPCODE_SHIFT 3
/* packet opcodes -- the V1 is intended to allow protocol changes in the future */
-#define P_CONTROL_HARD_RESET_CLIENT_V1 1 /* initial key from client, forget previous state */
-#define P_CONTROL_HARD_RESET_SERVER_V1 2 /* initial key from server, forget previous state */
-#define P_CONTROL_SOFT_RESET_V1 3 /* new key, graceful transition from old to new key */
-#define P_CONTROL_V1 4 /* control channel packet (usually TLS ciphertext) */
-#define P_ACK_V1 5 /* acknowledgement for packets received */
-#define P_DATA_V1 6 /* data channel packet */
-#define P_DATA_V2 9 /* data channel packet with peer-id */
+#define P_CONTROL_HARD_RESET_CLIENT_V1 1 /* initial key from client, forget previous state */
+#define P_CONTROL_HARD_RESET_SERVER_V1 2 /* initial key from server, forget previous state */
+#define P_CONTROL_SOFT_RESET_V1 3 /* new key, graceful transition from old to new key */
+#define P_CONTROL_V1 4 /* control channel packet (usually TLS ciphertext) */
+#define P_ACK_V1 5 /* acknowledgement for packets received */
+#define P_DATA_V1 6 /* data channel packet */
+#define P_DATA_V2 9 /* data channel packet with peer-id */
/* indicates key_method >= 2 */
-#define P_CONTROL_HARD_RESET_CLIENT_V2 7 /* initial key from client, forget previous state */
-#define P_CONTROL_HARD_RESET_SERVER_V2 8 /* initial key from server, forget previous state */
+#define P_CONTROL_HARD_RESET_CLIENT_V2 7 /* initial key from client, forget previous state */
+#define P_CONTROL_HARD_RESET_SERVER_V2 8 /* initial key from server, forget previous state */
/* indicates key_method >= 2 and client-specific tls-crypt key */
-#define P_CONTROL_HARD_RESET_CLIENT_V3 10 /* initial key from client, forget previous state */
+#define P_CONTROL_HARD_RESET_CLIENT_V3 10 /* initial key from client, forget previous state */
/* Variant of P_CONTROL_V1 but with appended wrapped key
* like P_CONTROL_HARD_RESET_CLIENT_V3 */
-#define P_CONTROL_WKC_V1 11
+#define P_CONTROL_WKC_V1 11
/* define the range of legal opcodes
* Since we do no longer support key-method 1 we consider
* the v1 op codes invalid */
-#define P_FIRST_OPCODE 3
-#define P_LAST_OPCODE 11
+#define P_FIRST_OPCODE 3
+#define P_LAST_OPCODE 11
/*
* Define number of buffers for send and receive in the reliability layer.
*/
-#define TLS_RELIABLE_N_SEND_BUFFERS 6 /* also window size for reliability layer */
-#define TLS_RELIABLE_N_REC_BUFFERS 12
+#define TLS_RELIABLE_N_SEND_BUFFERS 6 /* also window size for reliability layer */
+#define TLS_RELIABLE_N_REC_BUFFERS 12
/*
* Used in --mode server mode to check tls-auth signature on initial
@@ -81,7 +81,8 @@
struct frame frame;
};
-enum first_packet_verdict {
+enum first_packet_verdict
+{
/** This packet is a valid reset packet from the peer (all but tls-crypt-v2) */
VERDICT_VALID_RESET_V2,
/** This is a valid v3 reset (tls-crypt-v2) */
@@ -101,7 +102,8 @@
* struct that stores the temporary data for the tls lite decrypt
* functions
*/
-struct tls_pre_decrypt_state {
+struct tls_pre_decrypt_state
+{
struct tls_wrap_ctx tls_wrap_tmp;
struct buffer newbuf;
struct session_id peer_session_id;
@@ -144,11 +146,10 @@
* @li False if the packet is not valid, did not pass the HMAC firewall
* test, or some other error occurred.
*/
-enum first_packet_verdict
-tls_pre_decrypt_lite(const struct tls_auth_standalone *tas,
- struct tls_pre_decrypt_state *state,
- const struct link_socket_actual *from,
- const struct buffer *buf);
+enum first_packet_verdict tls_pre_decrypt_lite(const struct tls_auth_standalone *tas,
+ struct tls_pre_decrypt_state *state,
+ const struct link_socket_actual *from,
+ const struct buffer *buf);
/* Creates an SHA256 HMAC context with a random key that is used for the
* session id.
@@ -170,11 +171,9 @@
* @param offset offset to 'now' to use
* @return the expected server session id
*/
-struct session_id
-calculate_session_id_hmac(struct session_id client_sid,
- const struct openvpn_sockaddr *from,
- hmac_ctx_t *hmac,
- int handwindow, int offset);
+struct session_id calculate_session_id_hmac(struct session_id client_sid,
+ const struct openvpn_sockaddr *from, hmac_ctx_t *hmac,
+ int handwindow, int offset);
/**
* Checks if a control packet has a correct HMAC server session id
@@ -185,24 +184,15 @@
* @param handwindow the quantisation of the current time
* @return the expected server session id
*/
-bool
-check_session_id_hmac(struct tls_pre_decrypt_state *state,
- const struct openvpn_sockaddr *from,
- hmac_ctx_t *hmac,
- int handwindow);
+bool check_session_id_hmac(struct tls_pre_decrypt_state *state, const struct openvpn_sockaddr *from,
+ hmac_ctx_t *hmac, int handwindow);
/*
* Write a control channel authentication record.
*/
-void
-write_control_auth(struct tls_session *session,
- struct key_state *ks,
- struct buffer *buf,
- struct link_socket_actual **to_link_addr,
- int opcode,
- int max_ack,
- bool prepend_ack);
-
+void write_control_auth(struct tls_session *session, struct key_state *ks, struct buffer *buf,
+ struct link_socket_actual **to_link_addr, int opcode, int max_ack,
+ bool prepend_ack);
/**
@@ -214,12 +204,9 @@
* @param initial_packet whether this is the initial packet for the connection
* @return if the packet was successfully processed
*/
-bool
-read_control_auth(struct buffer *buf,
- struct tls_wrap_ctx *ctx,
- const struct link_socket_actual *from,
- const struct tls_options *opt,
- bool initial_packet);
+bool read_control_auth(struct buffer *buf, struct tls_wrap_ctx *ctx,
+ const struct link_socket_actual *from, const struct tls_options *opt,
+ bool initial_packet);
/**
@@ -227,13 +214,9 @@
* from the tls pre decrypt state.
*
*/
-struct buffer
-tls_reset_standalone(struct tls_wrap_ctx *ctx,
- struct tls_auth_standalone *tas,
- struct session_id *own_sid,
- struct session_id *remote_sid,
- uint8_t header,
- bool request_resend_wkc);
+struct buffer tls_reset_standalone(struct tls_wrap_ctx *ctx, struct tls_auth_standalone *tas,
+ struct session_id *own_sid, struct session_id *remote_sid,
+ uint8_t header, bool request_resend_wkc);
/**
@@ -246,8 +229,7 @@
* with length 0 if there is no message or the message has
* invalid characters.
*/
-struct buffer
-extract_command_buffer(struct buffer *buf, struct gc_arena *gc);
+struct buffer extract_command_buffer(struct buffer *buf, struct gc_arena *gc);
static inline const char *
packet_opcode_name(int op)
@@ -323,14 +305,14 @@
* but the network time part of the packet id takes care of that. And
* this is also a rather theoretical scenario as it still needs more than
* 2^31 control channel packets to happen */
-#define EARLY_NEG_MASK 0xff000000
-#define EARLY_NEG_START 0x0f000000
+#define EARLY_NEG_MASK 0xff000000
+#define EARLY_NEG_START 0x0f000000
/* Early negotiation that part of the server response in the RESET_V2 packet.
* Since clients that announce early negotiation support will treat the payload
* of reset packets special and parse it as TLV messages.
* as TLV (type, length, value) */
-#define TLV_TYPE_EARLY_NEG_FLAGS 0x0001
-#define EARLY_NEG_FLAG_RESEND_WKC 0x0001
+#define TLV_TYPE_EARLY_NEG_FLAGS 0x0001
+#define EARLY_NEG_FLAG_RESEND_WKC 0x0001
#endif /* ifndef SSL_PKT_H */
@@ -28,8 +28,7 @@
#include "ssl_util.h"
char *
-extract_var_peer_info(const char *peer_info, const char *var,
- struct gc_arena *gc)
+extract_var_peer_info(const char *peer_info, const char *var, struct gc_arena *gc)
{
if (!peer_info)
{
@@ -77,8 +76,10 @@
options_string_compat_lzo(const char *options, struct gc_arena *gc)
{
/* Example string without and with comp-lzo, i.e. input/output of this function */
- /* w/o comp: 'V4,dev-type tun,link-mtu 1457,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server' */
- /* comp-lzo: 'V4,dev-type tun,link-mtu 1458,tun-mtu 1400,proto UDPv4,comp-lzo,auth SHA1,keysize 128,key-method 2,tls-server' */
+ /* w/o comp: 'V4,dev-type tun,link-mtu 1457,tun-mtu 1400,proto UDPv4,auth SHA1,keysize
+ * 128,key-method 2,tls-server' */
+ /* comp-lzo: 'V4,dev-type tun,link-mtu 1458,tun-mtu 1400,proto UDPv4,comp-lzo,auth SHA1,keysize
+ * 128,key-method 2,tls-server' */
/* Note: since this function is used only in a very limited scope it makes
* assumptions how the string looks. Since we locally generated the string
@@ -118,146 +119,156 @@
* SSL/TLS Cipher suite name translation table
*/
static const tls_cipher_name_pair tls_cipher_name_translation_table[] = {
- {"ADH-SEED-SHA", "TLS-DH-anon-WITH-SEED-CBC-SHA"},
- {"AES128-GCM-SHA256", "TLS-RSA-WITH-AES-128-GCM-SHA256"},
- {"AES128-SHA256", "TLS-RSA-WITH-AES-128-CBC-SHA256"},
- {"AES128-SHA", "TLS-RSA-WITH-AES-128-CBC-SHA"},
- {"AES256-GCM-SHA384", "TLS-RSA-WITH-AES-256-GCM-SHA384"},
- {"AES256-SHA256", "TLS-RSA-WITH-AES-256-CBC-SHA256"},
- {"AES256-SHA", "TLS-RSA-WITH-AES-256-CBC-SHA"},
- {"CAMELLIA128-SHA256", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
- {"CAMELLIA128-SHA", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"},
- {"CAMELLIA256-SHA256", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
- {"CAMELLIA256-SHA", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA"},
- {"DES-CBC3-SHA", "TLS-RSA-WITH-3DES-EDE-CBC-SHA"},
- {"DES-CBC-SHA", "TLS-RSA-WITH-DES-CBC-SHA"},
- {"DH-DSS-SEED-SHA", "TLS-DH-DSS-WITH-SEED-CBC-SHA"},
- {"DHE-DSS-AES128-GCM-SHA256", "TLS-DHE-DSS-WITH-AES-128-GCM-SHA256"},
- {"DHE-DSS-AES128-SHA256", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA256"},
- {"DHE-DSS-AES128-SHA", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA"},
- {"DHE-DSS-AES256-GCM-SHA384", "TLS-DHE-DSS-WITH-AES-256-GCM-SHA384"},
- {"DHE-DSS-AES256-SHA256", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA256"},
- {"DHE-DSS-AES256-SHA", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA"},
- {"DHE-DSS-CAMELLIA128-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256"},
- {"DHE-DSS-CAMELLIA128-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA"},
- {"DHE-DSS-CAMELLIA256-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256"},
- {"DHE-DSS-CAMELLIA256-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA"},
- {"DHE-DSS-SEED-SHA", "TLS-DHE-DSS-WITH-SEED-CBC-SHA"},
- {"DHE-RSA-AES128-GCM-SHA256", "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"},
- {"DHE-RSA-AES128-SHA256", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256"},
- {"DHE-RSA-AES128-SHA", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"},
- {"DHE-RSA-AES256-GCM-SHA384", "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"},
- {"DHE-RSA-AES256-SHA256", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"},
- {"DHE-RSA-AES256-SHA", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"},
- {"DHE-RSA-CAMELLIA128-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
- {"DHE-RSA-CAMELLIA128-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
- {"DHE-RSA-CAMELLIA256-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
- {"DHE-RSA-CAMELLIA256-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
- {"DHE-RSA-CHACHA20-POLY1305", "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
- {"DHE-RSA-SEED-SHA", "TLS-DHE-RSA-WITH-SEED-CBC-SHA"},
- {"DH-RSA-SEED-SHA", "TLS-DH-RSA-WITH-SEED-CBC-SHA"},
- {"ECDH-ECDSA-AES128-GCM-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256"},
- {"ECDH-ECDSA-AES128-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256"},
- {"ECDH-ECDSA-AES128-SHA", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA"},
- {"ECDH-ECDSA-AES256-GCM-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384"},
- {"ECDH-ECDSA-AES256-SHA256", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA256"},
- {"ECDH-ECDSA-AES256-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384"},
- {"ECDH-ECDSA-AES256-SHA", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA"},
- {"ECDH-ECDSA-CAMELLIA128-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"},
- {"ECDH-ECDSA-CAMELLIA128-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA"},
- {"ECDH-ECDSA-CAMELLIA256-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"},
- {"ECDH-ECDSA-CAMELLIA256-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
- {"ECDH-ECDSA-DES-CBC3-SHA", "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA"},
- {"ECDH-ECDSA-DES-CBC-SHA", "TLS-ECDH-ECDSA-WITH-DES-CBC-SHA"},
- {"ECDH-ECDSA-RC4-SHA", "TLS-ECDH-ECDSA-WITH-RC4-128-SHA"},
- {"ECDHE-ECDSA-AES128-GCM-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"},
- {"ECDHE-ECDSA-AES128-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256"},
- {"ECDHE-ECDSA-AES128-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA384"},
- {"ECDHE-ECDSA-AES128-SHA", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA"},
- {"ECDHE-ECDSA-AES256-GCM-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"},
- {"ECDHE-ECDSA-AES256-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA256"},
- {"ECDHE-ECDSA-AES256-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384"},
- {"ECDHE-ECDSA-AES256-SHA", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA"},
- {"ECDHE-ECDSA-CAMELLIA128-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"},
- {"ECDHE-ECDSA-CAMELLIA128-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA"},
- {"ECDHE-ECDSA-CAMELLIA256-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"},
- {"ECDHE-ECDSA-CAMELLIA256-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
- {"ECDHE-ECDSA-CHACHA20-POLY1305", "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"},
- {"ECDHE-ECDSA-DES-CBC3-SHA", "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA"},
- {"ECDHE-ECDSA-DES-CBC-SHA", "TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA"},
- {"ECDHE-ECDSA-RC4-SHA", "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA"},
- {"ECDHE-RSA-AES128-GCM-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"},
- {"ECDHE-RSA-AES128-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256"},
- {"ECDHE-RSA-AES128-SHA384", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA384"},
- {"ECDHE-RSA-AES128-SHA", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA"},
- {"ECDHE-RSA-AES256-GCM-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"},
- {"ECDHE-RSA-AES256-SHA256", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256"},
- {"ECDHE-RSA-AES256-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"},
- {"ECDHE-RSA-AES256-SHA", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA"},
- {"ECDHE-RSA-CAMELLIA128-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
- {"ECDHE-RSA-CAMELLIA128-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
- {"ECDHE-RSA-CAMELLIA256-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
- {"ECDHE-RSA-CAMELLIA256-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
- {"ECDHE-RSA-CHACHA20-POLY1305", "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
- {"ECDHE-RSA-DES-CBC3-SHA", "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA"},
- {"ECDHE-RSA-DES-CBC-SHA", "TLS-ECDHE-RSA-WITH-DES-CBC-SHA"},
- {"ECDHE-RSA-RC4-SHA", "TLS-ECDHE-RSA-WITH-RC4-128-SHA"},
- {"ECDH-RSA-AES128-GCM-SHA256", "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256"},
- {"ECDH-RSA-AES128-SHA256", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256"},
- {"ECDH-RSA-AES128-SHA384", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA384"},
- {"ECDH-RSA-AES128-SHA", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA"},
- {"ECDH-RSA-AES256-GCM-SHA384", "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384"},
- {"ECDH-RSA-AES256-SHA256", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA256"},
- {"ECDH-RSA-AES256-SHA384", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384"},
- {"ECDH-RSA-AES256-SHA", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA"},
- {"ECDH-RSA-CAMELLIA128-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
- {"ECDH-RSA-CAMELLIA128-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA"},
- {"ECDH-RSA-CAMELLIA256-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
- {"ECDH-RSA-CAMELLIA256-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA"},
- {"ECDH-RSA-DES-CBC3-SHA", "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA"},
- {"ECDH-RSA-DES-CBC-SHA", "TLS-ECDH-RSA-WITH-DES-CBC-SHA"},
- {"ECDH-RSA-RC4-SHA", "TLS-ECDH-RSA-WITH-RC4-128-SHA"},
- {"EDH-DSS-DES-CBC3-SHA", "TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA"},
- {"EDH-DSS-DES-CBC-SHA", "TLS-DHE-DSS-WITH-DES-CBC-SHA"},
- {"EDH-RSA-DES-CBC3-SHA", "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"},
- {"EDH-RSA-DES-CBC-SHA", "TLS-DHE-RSA-WITH-DES-CBC-SHA"},
- {"EXP-DES-CBC-SHA", "TLS-RSA-EXPORT-WITH-DES40-CBC-SHA"},
- {"EXP-EDH-DSS-DES-CBC-SHA", "TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA"},
- {"EXP-EDH-RSA-DES-CBC-SHA", "TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA"},
- {"EXP-RC2-CBC-MD5", "TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5"},
- {"EXP-RC4-MD5", "TLS-RSA-EXPORT-WITH-RC4-40-MD5"},
- {"NULL-MD5", "TLS-RSA-WITH-NULL-MD5"},
- {"NULL-SHA256", "TLS-RSA-WITH-NULL-SHA256"},
- {"NULL-SHA", "TLS-RSA-WITH-NULL-SHA"},
- {"PSK-3DES-EDE-CBC-SHA", "TLS-PSK-WITH-3DES-EDE-CBC-SHA"},
- {"PSK-AES128-CBC-SHA", "TLS-PSK-WITH-AES-128-CBC-SHA"},
- {"PSK-AES256-CBC-SHA", "TLS-PSK-WITH-AES-256-CBC-SHA"},
- {"PSK-RC4-SHA", "TLS-PSK-WITH-RC4-128-SHA"},
- {"RC4-MD5", "TLS-RSA-WITH-RC4-128-MD5"},
- {"RC4-SHA", "TLS-RSA-WITH-RC4-128-SHA"},
- {"SEED-SHA", "TLS-RSA-WITH-SEED-CBC-SHA"},
- {"SRP-DSS-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA"},
- {"SRP-DSS-AES-128-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA"},
- {"SRP-DSS-AES-256-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA"},
- {"SRP-RSA-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA"},
- {"SRP-RSA-AES-128-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA"},
- {"SRP-RSA-AES-256-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA"},
+ { "ADH-SEED-SHA", "TLS-DH-anon-WITH-SEED-CBC-SHA" },
+ { "AES128-GCM-SHA256", "TLS-RSA-WITH-AES-128-GCM-SHA256" },
+ { "AES128-SHA256", "TLS-RSA-WITH-AES-128-CBC-SHA256" },
+ { "AES128-SHA", "TLS-RSA-WITH-AES-128-CBC-SHA" },
+ { "AES256-GCM-SHA384", "TLS-RSA-WITH-AES-256-GCM-SHA384" },
+ { "AES256-SHA256", "TLS-RSA-WITH-AES-256-CBC-SHA256" },
+ { "AES256-SHA", "TLS-RSA-WITH-AES-256-CBC-SHA" },
+ { "CAMELLIA128-SHA256", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256" },
+ { "CAMELLIA128-SHA", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA" },
+ { "CAMELLIA256-SHA256", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256" },
+ { "CAMELLIA256-SHA", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA" },
+ { "DES-CBC3-SHA", "TLS-RSA-WITH-3DES-EDE-CBC-SHA" },
+ { "DES-CBC-SHA", "TLS-RSA-WITH-DES-CBC-SHA" },
+ { "DH-DSS-SEED-SHA", "TLS-DH-DSS-WITH-SEED-CBC-SHA" },
+ { "DHE-DSS-AES128-GCM-SHA256", "TLS-DHE-DSS-WITH-AES-128-GCM-SHA256" },
+ { "DHE-DSS-AES128-SHA256", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA256" },
+ { "DHE-DSS-AES128-SHA", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA" },
+ { "DHE-DSS-AES256-GCM-SHA384", "TLS-DHE-DSS-WITH-AES-256-GCM-SHA384" },
+ { "DHE-DSS-AES256-SHA256", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA256" },
+ { "DHE-DSS-AES256-SHA", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA" },
+ { "DHE-DSS-CAMELLIA128-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256" },
+ { "DHE-DSS-CAMELLIA128-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA" },
+ { "DHE-DSS-CAMELLIA256-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256" },
+ { "DHE-DSS-CAMELLIA256-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA" },
+ { "DHE-DSS-SEED-SHA", "TLS-DHE-DSS-WITH-SEED-CBC-SHA" },
+ { "DHE-RSA-AES128-GCM-SHA256", "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" },
+ { "DHE-RSA-AES128-SHA256", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256" },
+ { "DHE-RSA-AES128-SHA", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA" },
+ { "DHE-RSA-AES256-GCM-SHA384", "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" },
+ { "DHE-RSA-AES256-SHA256", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256" },
+ { "DHE-RSA-AES256-SHA", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA" },
+ { "DHE-RSA-CAMELLIA128-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256" },
+ { "DHE-RSA-CAMELLIA128-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA" },
+ { "DHE-RSA-CAMELLIA256-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256" },
+ { "DHE-RSA-CAMELLIA256-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA" },
+ { "DHE-RSA-CHACHA20-POLY1305", "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256" },
+ { "DHE-RSA-SEED-SHA", "TLS-DHE-RSA-WITH-SEED-CBC-SHA" },
+ { "DH-RSA-SEED-SHA", "TLS-DH-RSA-WITH-SEED-CBC-SHA" },
+ { "ECDH-ECDSA-AES128-GCM-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256" },
+ { "ECDH-ECDSA-AES128-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256" },
+ { "ECDH-ECDSA-AES128-SHA", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA" },
+ { "ECDH-ECDSA-AES256-GCM-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384" },
+ { "ECDH-ECDSA-AES256-SHA256", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA256" },
+ { "ECDH-ECDSA-AES256-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384" },
+ { "ECDH-ECDSA-AES256-SHA", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA" },
+ { "ECDH-ECDSA-CAMELLIA128-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256" },
+ { "ECDH-ECDSA-CAMELLIA128-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA" },
+ { "ECDH-ECDSA-CAMELLIA256-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA256" },
+ { "ECDH-ECDSA-CAMELLIA256-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA" },
+ { "ECDH-ECDSA-DES-CBC3-SHA", "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA" },
+ { "ECDH-ECDSA-DES-CBC-SHA", "TLS-ECDH-ECDSA-WITH-DES-CBC-SHA" },
+ { "ECDH-ECDSA-RC4-SHA", "TLS-ECDH-ECDSA-WITH-RC4-128-SHA" },
+ { "ECDHE-ECDSA-AES128-GCM-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" },
+ { "ECDHE-ECDSA-AES128-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" },
+ { "ECDHE-ECDSA-AES128-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA384" },
+ { "ECDHE-ECDSA-AES128-SHA", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA" },
+ { "ECDHE-ECDSA-AES256-GCM-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" },
+ { "ECDHE-ECDSA-AES256-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA256" },
+ { "ECDHE-ECDSA-AES256-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384" },
+ { "ECDHE-ECDSA-AES256-SHA", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA" },
+ { "ECDHE-ECDSA-CAMELLIA128-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256" },
+ { "ECDHE-ECDSA-CAMELLIA128-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA" },
+ { "ECDHE-ECDSA-CAMELLIA256-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256" },
+ { "ECDHE-ECDSA-CAMELLIA256-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA" },
+ { "ECDHE-ECDSA-CHACHA20-POLY1305", "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" },
+ { "ECDHE-ECDSA-DES-CBC3-SHA", "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA" },
+ { "ECDHE-ECDSA-DES-CBC-SHA", "TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA" },
+ { "ECDHE-ECDSA-RC4-SHA", "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA" },
+ { "ECDHE-RSA-AES128-GCM-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256" },
+ { "ECDHE-RSA-AES128-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" },
+ { "ECDHE-RSA-AES128-SHA384", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA384" },
+ { "ECDHE-RSA-AES128-SHA", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA" },
+ { "ECDHE-RSA-AES256-GCM-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384" },
+ { "ECDHE-RSA-AES256-SHA256", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256" },
+ { "ECDHE-RSA-AES256-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" },
+ { "ECDHE-RSA-AES256-SHA", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" },
+ { "ECDHE-RSA-CAMELLIA128-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256" },
+ { "ECDHE-RSA-CAMELLIA128-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA" },
+ { "ECDHE-RSA-CAMELLIA256-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256" },
+ { "ECDHE-RSA-CAMELLIA256-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA" },
+ { "ECDHE-RSA-CHACHA20-POLY1305", "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" },
+ { "ECDHE-RSA-DES-CBC3-SHA", "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA" },
+ { "ECDHE-RSA-DES-CBC-SHA", "TLS-ECDHE-RSA-WITH-DES-CBC-SHA" },
+ { "ECDHE-RSA-RC4-SHA", "TLS-ECDHE-RSA-WITH-RC4-128-SHA" },
+ { "ECDH-RSA-AES128-GCM-SHA256", "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256" },
+ { "ECDH-RSA-AES128-SHA256", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256" },
+ { "ECDH-RSA-AES128-SHA384", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA384" },
+ { "ECDH-RSA-AES128-SHA", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA" },
+ { "ECDH-RSA-AES256-GCM-SHA384", "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384" },
+ { "ECDH-RSA-AES256-SHA256", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA256" },
+ { "ECDH-RSA-AES256-SHA384", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384" },
+ { "ECDH-RSA-AES256-SHA", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA" },
+ { "ECDH-RSA-CAMELLIA128-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256" },
+ { "ECDH-RSA-CAMELLIA128-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA" },
+ { "ECDH-RSA-CAMELLIA256-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA256" },
+ { "ECDH-RSA-CAMELLIA256-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA" },
+ { "ECDH-RSA-DES-CBC3-SHA", "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA" },
+ { "ECDH-RSA-DES-CBC-SHA", "TLS-ECDH-RSA-WITH-DES-CBC-SHA" },
+ { "ECDH-RSA-RC4-SHA", "TLS-ECDH-RSA-WITH-RC4-128-SHA" },
+ { "EDH-DSS-DES-CBC3-SHA", "TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA" },
+ { "EDH-DSS-DES-CBC-SHA", "TLS-DHE-DSS-WITH-DES-CBC-SHA" },
+ { "EDH-RSA-DES-CBC3-SHA", "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA" },
+ { "EDH-RSA-DES-CBC-SHA", "TLS-DHE-RSA-WITH-DES-CBC-SHA" },
+ { "EXP-DES-CBC-SHA", "TLS-RSA-EXPORT-WITH-DES40-CBC-SHA" },
+ { "EXP-EDH-DSS-DES-CBC-SHA", "TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA" },
+ { "EXP-EDH-RSA-DES-CBC-SHA", "TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA" },
+ { "EXP-RC2-CBC-MD5", "TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5" },
+ { "EXP-RC4-MD5", "TLS-RSA-EXPORT-WITH-RC4-40-MD5" },
+ { "NULL-MD5", "TLS-RSA-WITH-NULL-MD5" },
+ { "NULL-SHA256", "TLS-RSA-WITH-NULL-SHA256" },
+ { "NULL-SHA", "TLS-RSA-WITH-NULL-SHA" },
+ { "PSK-3DES-EDE-CBC-SHA", "TLS-PSK-WITH-3DES-EDE-CBC-SHA" },
+ { "PSK-AES128-CBC-SHA", "TLS-PSK-WITH-AES-128-CBC-SHA" },
+ { "PSK-AES256-CBC-SHA", "TLS-PSK-WITH-AES-256-CBC-SHA" },
+ { "PSK-RC4-SHA", "TLS-PSK-WITH-RC4-128-SHA" },
+ { "RC4-MD5", "TLS-RSA-WITH-RC4-128-MD5" },
+ { "RC4-SHA", "TLS-RSA-WITH-RC4-128-SHA" },
+ { "SEED-SHA", "TLS-RSA-WITH-SEED-CBC-SHA" },
+ { "SRP-DSS-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA" },
+ { "SRP-DSS-AES-128-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA" },
+ { "SRP-DSS-AES-256-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA" },
+ { "SRP-RSA-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA" },
+ { "SRP-RSA-AES-128-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA" },
+ { "SRP-RSA-AES-256-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA" },
#ifdef ENABLE_CRYPTO_OPENSSL
/* OpenSSL-specific group names */
- {"DEFAULT", "DEFAULT"},
- {"ALL", "ALL"},
- {"HIGH", "HIGH"}, {"!HIGH", "!HIGH"},
- {"MEDIUM", "MEDIUM"}, {"!MEDIUM", "!MEDIUM"},
- {"LOW", "LOW"}, {"!LOW", "!LOW"},
- {"ECDH", "ECDH"}, {"!ECDH", "!ECDH"},
- {"ECDSA", "ECDSA"}, {"!ECDSA", "!ECDSA"},
- {"EDH", "EDH"}, {"!EDH", "!EDH"},
- {"EXP", "EXP"}, {"!EXP", "!EXP"},
- {"RSA", "RSA"}, {"!RSA", "!RSA"},
- {"kRSA", "kRSA"}, {"!kRSA", "!kRSA"},
- {"SRP", "SRP"}, {"!SRP", "!SRP"},
+ { "DEFAULT", "DEFAULT" },
+ { "ALL", "ALL" },
+ { "HIGH", "HIGH" },
+ { "!HIGH", "!HIGH" },
+ { "MEDIUM", "MEDIUM" },
+ { "!MEDIUM", "!MEDIUM" },
+ { "LOW", "LOW" },
+ { "!LOW", "!LOW" },
+ { "ECDH", "ECDH" },
+ { "!ECDH", "!ECDH" },
+ { "ECDSA", "ECDSA" },
+ { "!ECDSA", "!ECDSA" },
+ { "EDH", "EDH" },
+ { "!EDH", "!EDH" },
+ { "EXP", "EXP" },
+ { "!EXP", "!EXP" },
+ { "RSA", "RSA" },
+ { "!RSA", "!RSA" },
+ { "kRSA", "kRSA" },
+ { "!kRSA", "!kRSA" },
+ { "SRP", "SRP" },
+ { "!SRP", "!SRP" },
#endif
- {NULL, NULL}
+ { NULL, NULL }
};
const tls_cipher_name_pair *
@@ -43,8 +43,7 @@
* @return The content of the variable as NULL terminated string or NULL if the
* variable cannot be found.
*/
-char *extract_var_peer_info(const char *peer_info, const char *var,
- struct gc_arena *gc);
+char *extract_var_peer_info(const char *peer_info, const char *var, struct gc_arena *gc);
/**
* Extracts the IV_PROTO variable and returns its value or 0
@@ -74,7 +73,11 @@
* @param cipher_name Can be either OpenSSL or IANA cipher name
* @return tls_cipher_name_pair* if found, NULL otherwise
*/
-typedef struct { const char *openssl_name; const char *iana_name; } tls_cipher_name_pair;
+typedef struct
+{
+ const char *openssl_name;
+ const char *iana_name;
+} tls_cipher_name_pair;
const tls_cipher_name_pair *tls_get_cipher_name_pair(const char *cipher_name, size_t len);
/**
@@ -88,7 +91,6 @@
* @param delimiter the delimiter to count, typically ':'
* @return occrrences of delimiter + 1
*/
-int
-get_num_elements(const char *string, char delimiter);
+int get_num_elements(const char *string, char delimiter);
#endif /* ifndef SSL_UTIL_H_ */
@@ -149,11 +149,12 @@
/* If the username has been overridden, we accept both the original
* username and the changed username */
if (strcmp(username, multi->locked_username) != 0
- && (!multi->locked_original_username || strcmp(username, multi->locked_original_username) != 0))
+ && (!multi->locked_original_username
+ || strcmp(username, multi->locked_original_username) != 0))
{
- msg(D_TLS_ERRORS, "TLS Auth Error: username attempted to change from '%s' to '%s' -- tunnel disabled",
- multi->locked_username,
- username);
+ msg(D_TLS_ERRORS,
+ "TLS Auth Error: username attempted to change from '%s' to '%s' -- tunnel disabled",
+ multi->locked_username, username);
/* disable the tunnel */
tls_deauthenticate(multi);
@@ -239,8 +240,8 @@
{
continue;
}
- else if (ch1 && ch2 && !memcmp(ch1->sha256_hash, ch2->sha256_hash,
- sizeof(ch1->sha256_hash)))
+ else if (ch1 && ch2
+ && !memcmp(ch1->sha256_hash, ch2->sha256_hash, sizeof(ch1->sha256_hash)))
{
continue;
}
@@ -275,8 +276,7 @@
if (ch)
{
ALLOC_OBJ(dest->ch[i], struct cert_hash);
- memcpy(dest->ch[i]->sha256_hash, ch->sha256_hash,
- sizeof(dest->ch[i]->sha256_hash));
+ memcpy(dest->ch[i]->sha256_hash, ch->sha256_hash, sizeof(dest->ch[i]->sha256_hash));
}
}
}
@@ -320,22 +320,21 @@
* @param subject the peer's extracted common name
*/
static result_t
-verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert,
- const char *subject, const char *common_name)
+verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert, const char *subject,
+ const char *common_name)
{
/* verify certificate nsCertType */
if (opt->ns_cert_type != NS_CERT_CHECK_NONE)
{
if (SUCCESS == x509_verify_ns_cert_type(peer_cert, opt->ns_cert_type))
{
- msg(D_HANDSHAKE, "VERIFY OK: nsCertType=%s",
- print_nsCertType(opt->ns_cert_type));
+ msg(D_HANDSHAKE, "VERIFY OK: nsCertType=%s", print_nsCertType(opt->ns_cert_type));
}
else
{
- msg(D_HANDSHAKE, "VERIFY nsCertType ERROR: %s, require nsCertType=%s",
- subject, print_nsCertType(opt->ns_cert_type));
- return FAILURE; /* Reject connection */
+ msg(D_HANDSHAKE, "VERIFY nsCertType ERROR: %s, require nsCertType=%s", subject,
+ print_nsCertType(opt->ns_cert_type));
+ return FAILURE; /* Reject connection */
}
}
@@ -349,7 +348,7 @@
else
{
msg(D_HANDSHAKE, "VERIFY KU ERROR");
- return FAILURE; /* Reject connection */
+ return FAILURE; /* Reject connection */
}
}
@@ -363,28 +362,27 @@
else
{
msg(D_HANDSHAKE, "VERIFY EKU ERROR");
- return FAILURE; /* Reject connection */
+ return FAILURE; /* Reject connection */
}
}
/* verify X509 name or username against --verify-x509-[user]name */
if (opt->verify_x509_type != VERIFY_X509_NONE)
{
- if ( (opt->verify_x509_type == VERIFY_X509_SUBJECT_DN
- && strcmp(opt->verify_x509_name, subject) == 0)
- || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN
- && strcmp(opt->verify_x509_name, common_name) == 0)
- || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN_PREFIX
- && strncmp(opt->verify_x509_name, common_name,
- strlen(opt->verify_x509_name)) == 0) )
+ if ((opt->verify_x509_type == VERIFY_X509_SUBJECT_DN
+ && strcmp(opt->verify_x509_name, subject) == 0)
+ || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN
+ && strcmp(opt->verify_x509_name, common_name) == 0)
+ || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN_PREFIX
+ && strncmp(opt->verify_x509_name, common_name, strlen(opt->verify_x509_name)) == 0))
{
msg(D_HANDSHAKE, "VERIFY X509NAME OK: %s", subject);
}
else
{
- msg(D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s",
- subject, opt->verify_x509_name);
- return FAILURE; /* Reject connection */
+ msg(D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s", subject,
+ opt->verify_x509_name);
+ return FAILURE; /* Reject connection */
}
}
@@ -397,8 +395,7 @@
*/
static void
verify_cert_set_env(struct env_set *es, openvpn_x509_cert_t *peer_cert, int cert_depth,
- const char *subject,
- const struct x509_track *x509_track)
+ const char *subject, const struct x509_track *x509_track)
{
char envname[64];
char *serial = NULL;
@@ -424,13 +421,10 @@
struct buffer sha256 = x509_get_sha256_fingerprint(peer_cert, &gc);
snprintf(envname, sizeof(envname), "tls_digest_%d", cert_depth);
- setenv_str(es, envname,
- format_hex_ex(BPTR(&sha1), BLEN(&sha1), 0, 1, ":", &gc));
+ setenv_str(es, envname, format_hex_ex(BPTR(&sha1), BLEN(&sha1), 0, 1, ":", &gc));
- snprintf(envname, sizeof(envname), "tls_digest_sha256_%d",
- cert_depth);
- setenv_str(es, envname,
- format_hex_ex(BPTR(&sha256), BLEN(&sha256), 0, 1, ":", &gc));
+ snprintf(envname, sizeof(envname), "tls_digest_sha256_%d", cert_depth);
+ setenv_str(es, envname, format_hex_ex(BPTR(&sha256), BLEN(&sha256), 0, 1, ":", &gc));
}
/* export serial number as environmental variable */
@@ -474,8 +468,8 @@
* call --tls-verify plug-in(s)
*/
static result_t
-verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es,
- int cert_depth, openvpn_x509_cert_t *cert, char *subject)
+verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es, int cert_depth,
+ openvpn_x509_cert_t *cert, char *subject)
{
if (plugin_defined(plugins, OPENVPN_PLUGIN_TLS_VERIFY))
{
@@ -484,20 +478,19 @@
argv_printf(&argv, "%d %s", cert_depth, subject);
- ret = plugin_call_ssl(plugins, OPENVPN_PLUGIN_TLS_VERIFY, &argv, NULL, es, cert_depth, cert);
+ ret =
+ plugin_call_ssl(plugins, OPENVPN_PLUGIN_TLS_VERIFY, &argv, NULL, es, cert_depth, cert);
argv_free(&argv);
if (ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
{
- msg(D_HANDSHAKE, "VERIFY PLUGIN OK: depth=%d, %s",
- cert_depth, subject);
+ msg(D_HANDSHAKE, "VERIFY PLUGIN OK: depth=%d, %s", cert_depth, subject);
}
else
{
- msg(D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s",
- cert_depth, subject);
- return FAILURE; /* Reject connection */
+ msg(D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s", cert_depth, subject);
+ return FAILURE; /* Reject connection */
}
}
return SUCCESS;
@@ -507,8 +500,8 @@
* run --tls-verify script
*/
static result_t
-verify_cert_call_command(const char *verify_command, struct env_set *es,
- int cert_depth, char *subject)
+verify_cert_call_command(const char *verify_command, struct env_set *es, int cert_depth,
+ char *subject)
{
int ret;
struct gc_arena gc = gc_new();
@@ -527,22 +520,20 @@
if (ret)
{
- msg(D_HANDSHAKE, "VERIFY SCRIPT OK: depth=%d, %s",
- cert_depth, subject);
+ msg(D_HANDSHAKE, "VERIFY SCRIPT OK: depth=%d, %s", cert_depth, subject);
return SUCCESS;
}
- msg(D_HANDSHAKE, "VERIFY SCRIPT ERROR: depth=%d, %s",
- cert_depth, subject);
- return FAILURE; /* Reject connection */
+ msg(D_HANDSHAKE, "VERIFY SCRIPT ERROR: depth=%d, %s", cert_depth, subject);
+ return FAILURE; /* Reject connection */
}
/*
* check peer cert against CRL directory
*/
static result_t
-verify_check_crl_dir(const char *crl_dir, openvpn_x509_cert_t *cert,
- const char *subject, int cert_depth)
+verify_check_crl_dir(const char *crl_dir, openvpn_x509_cert_t *cert, const char *subject,
+ int cert_depth)
{
result_t ret = FAILURE;
char fn[256];
@@ -552,8 +543,8 @@
char *serial = backend_x509_get_serial(cert, &gc);
if (!serial)
{
- msg(D_HANDSHAKE, "VERIFY CRL: depth=%d, %s, serial number is not available",
- cert_depth, subject);
+ msg(D_HANDSHAKE, "VERIFY CRL: depth=%d, %s, serial number is not available", cert_depth,
+ subject);
goto cleanup;
}
@@ -565,8 +556,8 @@
fd = platform_open(fn, O_RDONLY, 0);
if (fd >= 0)
{
- msg(D_HANDSHAKE, "VERIFY CRL: depth=%d, %s, serial=%s is revoked",
- cert_depth, subject, serial);
+ msg(D_HANDSHAKE, "VERIFY CRL: depth=%d, %s, serial=%s is revoked", cert_depth, subject,
+ serial);
goto cleanup;
}
@@ -600,8 +591,10 @@
char *subject = x509_get_subject(cert, &gc);
if (!subject)
{
- msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, could not extract X509 "
- "subject string from certificate", cert_depth);
+ msg(D_TLS_ERRORS,
+ "VERIFY ERROR: depth=%d, could not extract X509 "
+ "subject string from certificate",
+ cert_depth);
goto cleanup;
}
@@ -613,19 +606,19 @@
struct buffer buf = alloc_buf_gc(256, &gc);
for (int i = 0; opt->x509_username_field[i] != NULL; i++)
{
- char username[TLS_USERNAME_LEN+1] = {0}; /* null-terminated */
+ char username[TLS_USERNAME_LEN + 1] = { 0 }; /* null-terminated */
- if (SUCCESS != backend_x509_get_username(username, sizeof(username),
- opt->x509_username_field[i], cert))
+ if (SUCCESS
+ != backend_x509_get_username(username, sizeof(username), opt->x509_username_field[i],
+ cert))
{
if (!cert_depth)
{
- msg(D_TLS_ERRORS, "VERIFY ERROR: could not extract %s from X509 "
+ msg(D_TLS_ERRORS,
+ "VERIFY ERROR: could not extract %s from X509 "
"subject string ('%s') -- note that the field length is "
"limited to %d characters",
- opt->x509_username_field[i],
- subject,
- TLS_USERNAME_LEN);
+ opt->x509_username_field[i], subject, TLS_USERNAME_LEN);
goto cleanup;
}
break;
@@ -634,11 +627,11 @@
{
if (!cert_depth)
{
- msg(D_TLS_ERRORS, "VERIFY ERROR: could not append %s from X509 "
+ msg(D_TLS_ERRORS,
+ "VERIFY ERROR: could not append %s from X509 "
"certificate -- note that the username length is "
"limited to %d characters",
- opt->x509_username_field[i],
- buf.capacity - 1);
+ opt->x509_username_field[i], buf.capacity - 1);
goto cleanup;
}
break;
@@ -648,8 +641,10 @@
char *common_name = BSTR(&buf);
if (!common_name)
{
- msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, could not extract X509 "
- "username string from certificate", cert_depth);
+ msg(D_TLS_ERRORS,
+ "VERIFY ERROR: depth=%d, could not extract X509 "
+ "username string from certificate",
+ cert_depth);
goto cleanup;
}
@@ -659,13 +654,15 @@
/* warn if cert chain is too deep */
if (cert_depth >= MAX_CERT_DEPTH)
{
- msg(D_TLS_ERRORS, "TLS Error: Convoluted certificate chain detected with depth [%d] greater than %d", cert_depth, MAX_CERT_DEPTH);
- goto cleanup; /* Reject connection */
+ msg(D_TLS_ERRORS,
+ "TLS Error: Convoluted certificate chain detected with depth [%d] greater than %d",
+ cert_depth, MAX_CERT_DEPTH);
+ goto cleanup; /* Reject connection */
}
if (cert_depth == opt->verify_hash_depth && opt->verify_hash)
{
- struct buffer cert_fp = {0};
+ struct buffer cert_fp = { 0 };
switch (opt->verify_hash_algo)
{
@@ -683,8 +680,10 @@
* value in an enumerated type. So if this unlikely scenario
* happens, consider this a failure
*/
- msg(M_WARN, "Unexpected invalid algorithm used with "
- "--verify-hash (%i)", opt->verify_hash_algo);
+ msg(M_WARN,
+ "Unexpected invalid algorithm used with "
+ "--verify-hash (%i)",
+ opt->verify_hash_algo);
ret = FAILURE;
goto cleanup;
}
@@ -693,8 +692,7 @@
while (current_hash)
{
- if (memcmp_constant_time(BPTR(&cert_fp), current_hash->hash,
- BLEN(&cert_fp)) == 0)
+ if (memcmp_constant_time(BPTR(&cert_fp), current_hash->hash, BLEN(&cert_fp)) == 0)
{
break;
}
@@ -703,11 +701,12 @@
if (!current_hash)
{
- const char *hex_fp = format_hex_ex(BPTR(&cert_fp), BLEN(&cert_fp),
- 0, 1, ":", &gc);
- msg(D_TLS_ERRORS, "TLS Error: --tls-verify/--peer-fingerprint "
+ const char *hex_fp = format_hex_ex(BPTR(&cert_fp), BLEN(&cert_fp), 0, 1, ":", &gc);
+ msg(D_TLS_ERRORS,
+ "TLS Error: --tls-verify/--peer-fingerprint "
"certificate hash verification failed. (got certificate "
- "fingerprint: %s)", hex_fp);
+ "fingerprint: %s)",
+ hex_fp);
goto cleanup;
}
}
@@ -722,14 +721,14 @@
if (opt->export_peer_cert_dir)
{
- pem_export_fname = platform_create_temp_file(opt->export_peer_cert_dir,
- "pef", &gc);
+ pem_export_fname = platform_create_temp_file(opt->export_peer_cert_dir, "pef", &gc);
- if (!pem_export_fname
- || !verify_cert_cert_export_env(opt->es, cert, pem_export_fname))
+ if (!pem_export_fname || !verify_cert_cert_export_env(opt->es, cert, pem_export_fname))
{
- msg(D_TLS_ERRORS, "TLS Error: Failed to export certificate for "
- "--tls-export-cert in %s", opt->export_peer_cert_dir);
+ msg(D_TLS_ERRORS,
+ "TLS Error: Failed to export certificate for "
+ "--tls-export-cert in %s",
+ opt->export_peer_cert_dir);
goto cleanup;
}
}
@@ -752,8 +751,8 @@
}
/* run --tls-verify script */
- if (opt->verify_command && SUCCESS != verify_cert_call_command(opt->verify_command,
- opt->es, cert_depth, subject))
+ if (opt->verify_command
+ && SUCCESS != verify_cert_call_command(opt->verify_command, opt->es, cert_depth, subject))
{
goto cleanup;
}
@@ -786,7 +785,7 @@
verify_cert_cert_delete_env(opt->es, pem_export_fname);
if (ret != SUCCESS)
{
- tls_clear_error(); /* always? */
+ tls_clear_error(); /* always? */
session->verified = false; /* double sure? */
}
@@ -796,9 +795,9 @@
}
/* ***************************************************************************
-* Functions for the management of deferred authentication when using
-* user/password authentication.
-*************************************************************************** */
+ * Functions for the management of deferred authentication when using
+ * user/password authentication.
+ *************************************************************************** */
void
auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
@@ -884,15 +883,13 @@
* @returns false The file had an invlaid format or another error occured
*/
static bool
-key_state_check_auth_pending_file(struct auth_deferred_status *ads,
- struct tls_multi *multi,
+key_state_check_auth_pending_file(struct auth_deferred_status *ads, struct tls_multi *multi,
struct tls_session *session)
{
bool ret = true;
if (ads->auth_pending_file)
{
- struct buffer_list *lines = buffer_list_file(ads->auth_pending_file,
- 1024);
+ struct buffer_list *lines = buffer_list_file(ads->auth_pending_file, 1024);
if (lines && lines->head)
{
/* Must have at least three lines. further lines are ignored for
@@ -900,7 +897,7 @@
if (!lines->head || !lines->head->next || !lines->head->next->next)
{
msg(M_WARN, "auth pending control file is not at least "
- "three lines long.");
+ "three lines long.");
buffer_list_free(lines);
return false;
}
@@ -927,10 +924,13 @@
char buf[128];
snprintf(buf, sizeof(buf),
"Authentication failed, required pending auth "
- "method '%s' not supported", pending_method);
+ "method '%s' not supported",
+ pending_method);
auth_set_client_reason(multi, buf);
- msg(M_INFO, "Client does not supported auth pending method "
- "'%s'", pending_method);
+ msg(M_INFO,
+ "Client does not supported auth pending method "
+ "'%s'",
+ pending_method);
ret = false;
}
else
@@ -975,8 +975,7 @@
* @return true if file creation was successful
*/
static bool
-key_state_gen_auth_control_files(struct auth_deferred_status *ads,
- const struct tls_options *opt)
+key_state_gen_auth_control_files(struct auth_deferred_status *ads, const struct tls_options *opt)
{
struct gc_arena gc = gc_new();
@@ -1017,7 +1016,6 @@
{
ret = BSTR(&reason);
}
-
}
return ret;
}
@@ -1088,8 +1086,7 @@
#endif
ASSERT(auth_plugin < 4 && auth_script < 4 && auth_man < 4);
- if (auth_plugin == ACF_FAILED || auth_script == ACF_FAILED
- || auth_man == ACF_FAILED)
+ if (auth_plugin == ACF_FAILED || auth_script == ACF_FAILED || auth_man == ACF_FAILED)
{
ks->authenticated = KS_AUTH_FALSE;
return;
@@ -1122,7 +1119,7 @@
* with no caching (0) here as well to have the same super quick initial
* reaction.
*/
-static time_t cache_intervals[] = {0, 0, 0, 0, 0, 1, 1, 2, 2, 4, 8};
+static time_t cache_intervals[] = { 0, 0, 0, 0, 0, 1, 1, 2, 2, 4, 8 };
/**
* uses cache_intervals times to determine if we should update the
@@ -1189,8 +1186,10 @@
{
struct gc_arena gc = gc_new();
const struct key_state *ks = get_primary_key(multi);
- const char *plugin_message = key_state_check_auth_failed_message_file(&ks->plugin_auth, &gc);
- const char *script_message = key_state_check_auth_failed_message_file(&ks->script_auth, &gc);
+ const char *plugin_message =
+ key_state_check_auth_failed_message_file(&ks->plugin_auth, &gc);
+ const char *script_message =
+ key_state_check_auth_failed_message_file(&ks->script_auth, &gc);
if (plugin_message)
{
@@ -1234,7 +1233,8 @@
* to indicate auth failure/success.
*/
bool
-tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
+tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth,
+ const char *client_reason)
{
bool ret = false;
if (multi)
@@ -1270,8 +1270,7 @@
* Check if the script/plugin left a message in the auth failed message
* file and relay it to the user */
static void
-check_for_client_reason(struct tls_multi *multi,
- struct auth_deferred_status *status)
+check_for_client_reason(struct tls_multi *multi, struct auth_deferred_status *status)
{
struct gc_arena gc = gc_new();
const char *msg = key_state_check_auth_failed_message_file(status, &gc);
@@ -1292,7 +1291,7 @@
struct argv argv = argv_new();
const char *tmp_file = "";
int retval = OPENVPN_PLUGIN_FUNC_ERROR;
- struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
+ struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
/* Set environmental variables prior to calling script */
setenv_str(session->opt->es, "script_type", "user-pass-verify");
@@ -1304,8 +1303,7 @@
{
struct status_output *so;
- tmp_file = platform_create_temp_file(session->opt->tmp_dir, "up",
- &gc);
+ tmp_file = platform_create_temp_file(session->opt->tmp_dir, "up", &gc);
if (tmp_file)
{
so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
@@ -1330,15 +1328,17 @@
/* pre-create files for deferred auth control */
if (!key_state_gen_auth_control_files(&ks->script_auth, session->opt))
{
- msg(D_TLS_ERRORS, "TLS Auth Error (%s): "
- "could not create deferred auth control file", __func__);
+ msg(D_TLS_ERRORS,
+ "TLS Auth Error (%s): "
+ "could not create deferred auth control file",
+ __func__);
retval = OPENVPN_PLUGIN_FUNC_ERROR;
goto error;
}
/* call command */
- int script_ret = openvpn_run_script(&argv, session->opt->es, S_EXITCODE,
- "--auth-user-pass-verify");
+ int script_ret =
+ openvpn_run_script(&argv, session->opt->es, S_EXITCODE, "--auth-user-pass-verify");
switch (script_ret)
{
case 0:
@@ -1358,13 +1358,11 @@
{
/* Check if we the plugin has written the pending auth control
* file and send the pending auth to the client */
- if (!key_state_check_auth_pending_file(&ks->script_auth,
- multi, session))
+ if (!key_state_check_auth_pending_file(&ks->script_auth, multi, session))
{
retval = OPENVPN_PLUGIN_FUNC_ERROR;
key_state_rm_auth_control_files(&ks->script_auth);
}
-
}
else
{
@@ -1395,8 +1393,8 @@
struct tls_session *session = &multi->session[TM_ACTIVE];
setenv_str(session->opt->es, "crresponse", cr_response);
- plugin_call(session->opt->plugins, OPENVPN_PLUGIN_CLIENT_CRRESPONSE, NULL,
- NULL, session->opt->es);
+ plugin_call(session->opt->plugins, OPENVPN_PLUGIN_CLIENT_CRRESPONSE, NULL, NULL,
+ session->opt->es);
setenv_del(session->opt->es, "crresponse");
}
@@ -1405,7 +1403,6 @@
void
verify_crresponse_script(struct tls_multi *multi, const char *cr_response)
{
-
struct tls_session *session = &multi->session[TM_ACTIVE];
if (!session->opt->client_crresponse_script)
@@ -1425,8 +1422,7 @@
if (tmp_file)
{
- struct status_output *so = status_open(tmp_file, 0, -1, NULL,
- STATUS_OUTPUT_WRITE);
+ struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
status_printf(so, "%s", cr_response);
if (!status_close(so))
{
@@ -1463,7 +1459,7 @@
const struct user_pass *up)
{
int retval = OPENVPN_PLUGIN_FUNC_ERROR;
- struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
+ struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
/* set password in private env space */
setenv_str(session->opt->es, "password", up->password);
@@ -1471,13 +1467,16 @@
/* generate filename for deferred auth control file */
if (!key_state_gen_auth_control_files(&ks->plugin_auth, session->opt))
{
- msg(D_TLS_ERRORS, "TLS Auth Error (%s): "
- "could not create deferred auth control file", __func__);
+ msg(D_TLS_ERRORS,
+ "TLS Auth Error (%s): "
+ "could not create deferred auth control file",
+ __func__);
return retval;
}
/* call command */
- retval = plugin_call(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, NULL, NULL, session->opt->es);
+ retval = plugin_call(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, NULL, NULL,
+ session->opt->es);
if (retval == OPENVPN_PLUGIN_FUNC_DEFERRED)
{
@@ -1516,18 +1515,18 @@
#define KMDA_DEF 3
static int
-verify_user_pass_management(struct tls_session *session,
- const struct user_pass *up)
+verify_user_pass_management(struct tls_session *session, const struct user_pass *up)
{
int retval = KMDA_ERROR;
- struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
+ struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
/* set username/password in private env space */
setenv_str(session->opt->es, "password", up->password);
if (management)
{
- management_notify_client_needing_auth(management, ks->mda_key_id, session->opt->mda_context, session->opt->es);
+ management_notify_client_needing_auth(management, ks->mda_key_id, session->opt->mda_context,
+ session->opt->es);
}
setenv_del(session->opt->es, "password");
@@ -1539,8 +1538,7 @@
#endif /* ifdef ENABLE_MANAGEMENT */
static bool
-set_verify_user_pass_env(struct user_pass *up, struct tls_multi *multi,
- struct tls_session *session)
+set_verify_user_pass_env(struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
{
/* Is username defined? */
if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || strlen(up->username))
@@ -1576,7 +1574,8 @@
msg(D_TLS_ERRORS,
"TLS Auth Error: --username-as-common name specified and "
"username is longer than the maximum permitted Common Name "
- "length of %d characters", TLS_USERNAME_LEN);
+ "length of %d characters",
+ TLS_USERNAME_LEN);
return false;
}
else
@@ -1592,10 +1591,9 @@
* result of the username/password verification
*/
void
-verify_user_pass(struct user_pass *up, struct tls_multi *multi,
- struct tls_session *session)
+verify_user_pass(struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
{
- struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
+ struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
ASSERT(up && !up->protected);
@@ -1623,9 +1621,10 @@
if (multi->locked_original_username
&& strncmp(up->username, multi->locked_original_username, sizeof(up->username)) == 0)
{
- msg(D_MULTI_LOW, "TLS: Replacing client provided username '%s' with "
- "username from override-user '%s'", up->username,
- multi->locked_username);
+ msg(D_MULTI_LOW,
+ "TLS: Replacing client provided username '%s' with "
+ "username from override-user '%s'",
+ up->username, multi->locked_username);
strncpy(up->username, multi->locked_username, sizeof(up->username));
}
@@ -1661,7 +1660,8 @@
* We do not want the EXPIRED or EMPTY USER flags here so check
* for equality with AUTH_TOKEN_HMAC_OK
*/
- msg(M_WARN, "TLS: Username/auth-token authentication "
+ msg(M_WARN,
+ "TLS: Username/auth-token authentication "
"succeeded for username '%s'",
up->username);
skip_auth = true;
@@ -1670,8 +1670,10 @@
{
wipe_auth_token(multi);
ks->authenticated = KS_AUTH_FALSE;
- msg(M_WARN, "TLS: Username/auth-token authentication "
- "failed for username '%s'", up->username);
+ msg(M_WARN,
+ "TLS: Username/auth-token authentication "
+ "failed for username '%s'",
+ up->username);
return;
}
}
@@ -1716,14 +1718,14 @@
bool plugin_ok = plugin_status == OPENVPN_PLUGIN_FUNC_SUCCESS
|| plugin_status == OPENVPN_PLUGIN_FUNC_DEFERRED;
- bool script_ok = script_status == OPENVPN_PLUGIN_FUNC_SUCCESS
- || script_status == OPENVPN_PLUGIN_FUNC_DEFERRED;
+ bool script_ok = script_status == OPENVPN_PLUGIN_FUNC_SUCCESS
+ || script_status == OPENVPN_PLUGIN_FUNC_DEFERRED;
if (script_ok && plugin_ok && tls_lock_username(multi, up->username)
#ifdef ENABLE_MANAGEMENT
&& man_def_auth != KMDA_ERROR
#endif
- )
+ )
{
ks->authenticated = KS_AUTH_TRUE;
if (plugin_status == OPENVPN_PLUGIN_FUNC_DEFERRED
@@ -1757,8 +1759,7 @@
* to store the auth-token in multi->auth_token, so
* the initial timestamp and session id can be extracted from it
*/
- if (!multi->auth_token
- && (ks->auth_token_state_flags & AUTH_TOKEN_HMAC_OK)
+ if (!multi->auth_token && (ks->auth_token_state_flags & AUTH_TOKEN_HMAC_OK)
&& !(ks->auth_token_state_flags & AUTH_TOKEN_EXPIRED))
{
multi->auth_token = strdup(up->password);
@@ -1772,8 +1773,7 @@
}
msg(D_HANDSHAKE, "TLS: Username/Password authentication %s for username '%s' %s",
- (ks->authenticated == KS_AUTH_DEFERRED) ? "deferred" : "succeeded",
- up->username,
+ (ks->authenticated == KS_AUTH_DEFERRED) ? "deferred" : "succeeded", up->username,
(session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN SET]" : "");
}
else
@@ -1786,7 +1786,7 @@
void
verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
{
- struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
+ struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
/* While it shouldn't really happen, don't allow the common name to be NULL */
if (!session->common_name)
@@ -1800,9 +1800,9 @@
const char *cn = session->common_name;
if (cn && strcmp(cn, multi->locked_cn))
{
- msg(D_TLS_ERRORS, "TLS Auth Error: TLS object CN attempted to change from '%s' to '%s' -- tunnel disabled",
- multi->locked_cn,
- cn);
+ msg(D_TLS_ERRORS,
+ "TLS Auth Error: TLS object CN attempted to change from '%s' to '%s' -- tunnel disabled",
+ multi->locked_cn, cn);
/* change the common name back to its original value and disable the tunnel */
set_common_name(session, multi->locked_cn);
@@ -1816,7 +1816,8 @@
const struct cert_hash_set *chs = session->cert_hash_set;
if (chs && !cert_hash_compare(chs, multi->locked_cert_hash_set))
{
- msg(D_TLS_ERRORS, "TLS Auth Error: TLS object CN=%s client-provided SSL certs unexpectedly changed during mid-session reauth",
+ msg(D_TLS_ERRORS,
+ "TLS Auth Error: TLS object CN=%s client-provided SSL certs unexpectedly changed during mid-session reauth",
session->common_name);
/* disable the tunnel */
@@ -1830,15 +1831,14 @@
struct gc_arena gc = gc_new();
const char *cn = session->common_name;
- const char *path = platform_gen_path(session->opt->client_config_dir_exclusive,
- cn, &gc);
+ const char *path = platform_gen_path(session->opt->client_config_dir_exclusive, cn, &gc);
if (!cn || !strcmp(cn, CCD_DEFAULT) || !platform_test_file(path))
{
ks->authenticated = KS_AUTH_FALSE;
wipe_auth_token(multi);
- msg(D_TLS_ERRORS, "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'",
- session->common_name,
- path ? path : "UNDEF");
+ msg(D_TLS_ERRORS,
+ "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'",
+ session->common_name, path ? path : "UNDEF");
}
gc_free(&gc);
@@ -1852,8 +1852,7 @@
while (item)
{
struct env_item *next = item->next;
- if (item->string
- && 0 == strncmp("X509_", item->string, strlen("X509_")))
+ if (item->string && 0 == strncmp("X509_", item->string, strlen("X509_")))
{
env_set_del(es, item->string);
}
@@ -54,25 +54,27 @@
#define TLS_USERNAME_LEN 64
/** Structure containing the hash for a single certificate */
-struct cert_hash {
- unsigned char sha256_hash[256/8];
+struct cert_hash
+{
+ unsigned char sha256_hash[256 / 8];
};
/** Structure containing the hashes for a full certificate chain */
-struct cert_hash_set {
+struct cert_hash_set
+{
struct cert_hash *ch[MAX_CERT_DEPTH]; /**< Array of certificate hashes */
};
-#define VERIFY_X509_NONE 0
-#define VERIFY_X509_SUBJECT_DN 1
-#define VERIFY_X509_SUBJECT_RDN 2
-#define VERIFY_X509_SUBJECT_RDN_PREFIX 3
+#define VERIFY_X509_NONE 0
+#define VERIFY_X509_SUBJECT_DN 1
+#define VERIFY_X509_SUBJECT_RDN 2
+#define VERIFY_X509_SUBJECT_RDN_PREFIX 3
enum tls_auth_status
{
- TLS_AUTHENTICATION_SUCCEEDED=0,
- TLS_AUTHENTICATION_FAILED=1,
- TLS_AUTHENTICATION_DEFERRED=2
+ TLS_AUTHENTICATION_SUCCEEDED = 0,
+ TLS_AUTHENTICATION_FAILED = 1,
+ TLS_AUTHENTICATION_DEFERRED = 2
};
/**
@@ -91,8 +93,7 @@
*
* @return Current authentication status of the tls_multi
*/
-enum tls_auth_status
-tls_authentication_status(struct tls_multi *multi);
+enum tls_auth_status tls_authentication_status(struct tls_multi *multi);
/** Check whether the \a ks \c key_state has finished the key exchange part
* of the OpenVPN hand shake. This is that the key_method_2read/write
@@ -155,8 +156,7 @@
* @param session The session to set the common name for
* @param common_name The name to set the common name to
*/
-void
-set_common_name(struct tls_session *session, const char *common_name);
+void set_common_name(struct tls_session *session, const char *common_name);
/**
* Returns the username field for the given tunnel
@@ -187,8 +187,7 @@
* @param session The current TLS session
*
*/
-void verify_user_pass(struct user_pass *up, struct tls_multi *multi,
- struct tls_session *session);
+void verify_user_pass(struct user_pass *up, struct tls_multi *multi, struct tls_session *session);
/**
@@ -203,8 +202,7 @@
* @return true if name is under limit or username-as-common-name
* is not active
*/
-bool ssl_verify_username_length(struct tls_session *session,
- const char *username);
+bool ssl_verify_username_length(struct tls_session *session, const char *username);
/**
* Runs the --client-crresponse script if one is defined.
@@ -214,8 +212,7 @@
* the files for the deferred auth like the management commands.
*
*/
-void
-verify_crresponse_script(struct tls_multi *multi, const char *cr_response);
+void verify_crresponse_script(struct tls_multi *multi, const char *cr_response);
/**
* Call the plugin OPENVPN_PLUGIN_CLIENT_CRRESPONSE.
@@ -224,8 +221,7 @@
* that it does not directly participate in the authentication but rather
* should set the files for the deferred auth like the management commands.
*/
-void
-verify_crresponse_plugin(struct tls_multi *multi, const char *cr_response);
+void verify_crresponse_plugin(struct tls_multi *multi, const char *cr_response);
/**
* Perform final authentication checks, including locking of the cn, the allowed
@@ -242,7 +238,7 @@
{
const struct x509_track *next;
const char *name;
-#define XT_FULL_CHAIN (1<<0)
+#define XT_FULL_CHAIN (1 << 0)
unsigned int flags;
int nid;
};
@@ -251,11 +247,11 @@
* Certificate checking for verify_nsCertType
*/
/** Do not perform Netscape certificate type verification */
-#define NS_CERT_CHECK_NONE (0)
+#define NS_CERT_CHECK_NONE (0)
/** Do not perform Netscape certificate type verification */
-#define NS_CERT_CHECK_SERVER (1<<0)
+#define NS_CERT_CHECK_SERVER (1 << 0)
/** Do not perform Netscape certificate type verification */
-#define NS_CERT_CHECK_CLIENT (1<<1)
+#define NS_CERT_CHECK_CLIENT (1 << 1)
/** Require keyUsage to be present in cert (0xFFFF is an invalid KU value) */
#define OPENVPN_KU_REQUIRED (0xFFFF)
@@ -264,7 +260,8 @@
* TODO: document
*/
#ifdef ENABLE_MANAGEMENT
-bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason);
+bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth,
+ const char *client_reason);
#endif
@@ -32,7 +32,11 @@
/**
* Result of verification function
*/
-typedef enum { SUCCESS = 0, FAILURE = 1 } result_t;
+typedef enum
+{
+ SUCCESS = 0,
+ FAILURE = 1
+} result_t;
/*
* Backend support functions.
@@ -94,8 +98,7 @@
*
* @return a string containing the certificate fingerprint
*/
-struct buffer x509_get_sha1_fingerprint(openvpn_x509_cert_t *cert,
- struct gc_arena *gc);
+struct buffer x509_get_sha1_fingerprint(openvpn_x509_cert_t *cert, struct gc_arena *gc);
/**
* Retrieve the certificate's SHA256 fingerprint.
@@ -105,8 +108,7 @@
*
* @return a string containing the certificate fingerprint
*/
-struct buffer x509_get_sha256_fingerprint(openvpn_x509_cert_t *cert,
- struct gc_arena *gc);
+struct buffer x509_get_sha256_fingerprint(openvpn_x509_cert_t *cert, struct gc_arena *gc);
/*
* Retrieve the certificate's username from the specified field.
@@ -121,8 +123,8 @@
*
* @return \c FAILURE, \c or SUCCESS
*/
-result_t backend_x509_get_username(char *common_name, int cn_len,
- char *x509_username_field, openvpn_x509_cert_t *peer_cert);
+result_t backend_x509_get_username(char *common_name, int cn_len, char *x509_username_field,
+ openvpn_x509_cert_t *peer_cert);
#ifdef ENABLE_X509ALTUSERNAME
/**
@@ -157,8 +159,7 @@
* @return String representation of the certificate's serial number
* in hex notation, or NULL on error.
*/
-char *backend_x509_get_serial_hex(openvpn_x509_cert_t *cert,
- struct gc_arena *gc);
+char *backend_x509_get_serial_hex(openvpn_x509_cert_t *cert, struct gc_arena *gc);
/*
* Write the certificate to the file in PEM format.
@@ -168,8 +169,7 @@
*
* @return \c FAILURE, \c or SUCCESS
*/
-result_t backend_x509_write_pem(openvpn_x509_cert_t *cert,
- const char *filename);
+result_t backend_x509_write_pem(openvpn_x509_cert_t *cert, const char *filename);
/*
* Save X509 fields to environment, using the naming convention:
@@ -193,8 +193,8 @@
* @param gc Garbage collection arena for temp data
*
*/
-void x509_track_add(const struct x509_track **ll_head, const char *name,
- int msglevel, struct gc_arena *gc);
+void x509_track_add(const struct x509_track **ll_head, const char *name, int msglevel,
+ struct gc_arena *gc);
/*
* Save X509 fields to environment, using the naming convention:
@@ -216,8 +216,8 @@
* @param cert_depth Depth of the certificate
* @param cert Certificate to set the environment for
*/
-void x509_setenv_track(const struct x509_track *xt, struct env_set *es,
- const int depth, openvpn_x509_cert_t *x509);
+void x509_setenv_track(const struct x509_track *xt, struct env_set *es, const int depth,
+ openvpn_x509_cert_t *x509);
/*
* Check X.509 Netscape certificate type field, if available.
@@ -46,10 +46,9 @@
#define MAX_SUBJECT_LENGTH 256
int
-verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth,
- uint32_t *flags)
+verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth, uint32_t *flags)
{
- struct tls_session *session = (struct tls_session *) session_obj;
+ struct tls_session *session = (struct tls_session *)session_obj;
struct gc_arena gc = gc_new();
ASSERT(cert);
@@ -71,8 +70,7 @@
* Clearing these flags relies on verify_cert will later rejecting a
* certificate that has no matching fingerprint.
*/
- uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED
- | MBEDTLS_X509_BADCERT_EXPIRED
+ uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED | MBEDTLS_X509_BADCERT_EXPIRED
| MBEDTLS_X509_BADCERT_FUTURE;
*flags = *flags & ~flags_ignore;
}
@@ -85,9 +83,10 @@
char *subject = x509_get_subject(cert, &gc);
char *serial = backend_x509_get_serial(cert, &gc);
- ret = mbedtls_x509_crt_verify_info(errstr, sizeof(errstr)-1, "", *flags);
- if (ret <= 0 && !snprintf(errstr, sizeof(errstr),
- "Could not retrieve error string, flags=%" PRIx32, *flags))
+ ret = mbedtls_x509_crt_verify_info(errstr, sizeof(errstr) - 1, "", *flags);
+ if (ret <= 0
+ && !snprintf(errstr, sizeof(errstr), "Could not retrieve error string, flags=%" PRIx32,
+ *flags))
{
errstr[0] = '\0';
}
@@ -98,13 +97,15 @@
if (subject)
{
- msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, subject=%s, serial=%s: %s",
- cert_depth, subject, serial ? serial : "<not available>", errstr);
+ msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, subject=%s, serial=%s: %s", cert_depth,
+ subject, serial ? serial : "<not available>", errstr);
}
else
{
- msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, (could not extract X509 "
- "subject string from certificate): %s", cert_depth, errstr);
+ msg(D_TLS_ERRORS,
+ "VERIFY ERROR: depth=%d, (could not extract X509 "
+ "subject string from certificate): %s",
+ cert_depth, errstr);
}
/* Leave flags set to non-zero to indicate that the cert is not ok */
@@ -127,20 +128,18 @@
#endif
result_t
-backend_x509_get_username(char *cn, int cn_len,
- char *x509_username_field, mbedtls_x509_crt *cert)
+backend_x509_get_username(char *cn, int cn_len, char *x509_username_field, mbedtls_x509_crt *cert)
{
mbedtls_x509_name *name;
- ASSERT( cn != NULL );
+ ASSERT(cn != NULL);
name = &cert->subject;
/* Find common name */
while (name != NULL)
{
- if (0 == memcmp(name->oid.p, MBEDTLS_OID_AT_CN,
- MBEDTLS_OID_SIZE(MBEDTLS_OID_AT_CN)))
+ if (0 == memcmp(name->oid.p, MBEDTLS_OID_AT_CN, MBEDTLS_OID_SIZE(MBEDTLS_OID_AT_CN)))
{
break;
}
@@ -157,13 +156,13 @@
/* Found, extract CN */
if (cn_len > name->val.len)
{
- memcpy( cn, name->val.p, name->val.len );
+ memcpy(cn, name->val.p, name->val.len);
cn[name->val.len] = '\0';
}
else
{
- memcpy( cn, name->val.p, cn_len);
- cn[cn_len-1] = '\0';
+ memcpy(cn, name->val.p, cn_len);
+ cn[cn_len - 1] = '\0';
}
return SUCCESS;
@@ -178,8 +177,7 @@
/* Transform asn1 integer serial into mbed TLS MPI */
mbedtls_mpi_init(&serial_mpi);
- if (!mbed_ok(mbedtls_mpi_read_binary(&serial_mpi, cert->serial.p,
- cert->serial.len)))
+ if (!mbed_ok(mbedtls_mpi_read_binary(&serial_mpi, cert->serial.p, cert->serial.len)))
{
msg(M_WARN, "Failed to retrieve serial from certificate.");
goto end;
@@ -210,7 +208,7 @@
buf = gc_malloc(len, true, gc);
- if (mbedtls_x509_serial_gets(buf, len-1, &cert->serial) < 0)
+ if (mbedtls_x509_serial_gets(buf, len - 1, &cert->serial) < 0)
{
buf = NULL;
}
@@ -234,7 +232,7 @@
struct buffer der = {};
buf_set_read(&der, cert->raw.p, cert->raw.len);
- if (!crypto_pem_encode("CERTIFICATE", &pem, &der, &gc))
+ if (!crypto_pem_encode("CERTIFICATE", &pem, &der, &gc))
{
goto err;
}
@@ -247,15 +245,13 @@
gc_free(&gc);
return SUCCESS;
err:
- msg(D_TLS_DEBUG_LOW, "Error writing X509 certificate to file %s",
- filename);
+ msg(D_TLS_DEBUG_LOW, "Error writing X509 certificate to file %s", filename);
gc_free(&gc);
return FAILURE;
}
static struct buffer
-x509_get_fingerprint(const mbedtls_md_info_t *md_info, mbedtls_x509_crt *cert,
- struct gc_arena *gc)
+x509_get_fingerprint(const mbedtls_md_info_t *md_info, mbedtls_x509_crt *cert, struct gc_arena *gc)
{
const size_t md_size = mbedtls_md_get_size(md_info);
struct buffer fingerprint = alloc_buf_gc(md_size, gc);
@@ -267,26 +263,24 @@
struct buffer
x509_get_sha1_fingerprint(mbedtls_x509_crt *cert, struct gc_arena *gc)
{
- return x509_get_fingerprint(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1),
- cert, gc);
+ return x509_get_fingerprint(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1), cert, gc);
}
struct buffer
x509_get_sha256_fingerprint(mbedtls_x509_crt *cert, struct gc_arena *gc)
{
- return x509_get_fingerprint(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
- cert, gc);
+ return x509_get_fingerprint(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), cert, gc);
}
char *
x509_get_subject(mbedtls_x509_crt *cert, struct gc_arena *gc)
{
- char tmp_subject[MAX_SUBJECT_LENGTH] = {0};
+ char tmp_subject[MAX_SUBJECT_LENGTH] = { 0 };
char *subject = NULL;
int ret = 0;
- ret = mbedtls_x509_dn_gets( tmp_subject, MAX_SUBJECT_LENGTH-1, &cert->subject );
+ ret = mbedtls_x509_dn_gets(tmp_subject, MAX_SUBJECT_LENGTH - 1, &cert->subject);
if (ret > 0)
{
/* Allocate the required space for the subject */
@@ -305,7 +299,7 @@
string_mod(value, CC_ANY, CC_CRLF, '?');
msg(D_X509_ATTR, "X509 ATTRIBUTE name='%s' value='%s' depth=%d", name, value, depth);
name_expand_size = 64 + strlen(name);
- name_expand = (char *) malloc(name_expand_size);
+ name_expand = (char *)malloc(name_expand_size);
check_malloc_return(name_expand);
snprintf(name_expand, name_expand_size, "X509_%d_%s", depth, name);
setenv_str(es, name_expand, value);
@@ -318,8 +312,7 @@
size_t i;
char *val;
- if (!(orig->tag == MBEDTLS_ASN1_UTF8_STRING
- || orig->tag == MBEDTLS_ASN1_PRINTABLE_STRING
+ if (!(orig->tag == MBEDTLS_ASN1_UTF8_STRING || orig->tag == MBEDTLS_ASN1_PRINTABLE_STRING
|| orig->tag == MBEDTLS_ASN1_IA5_STRING))
{
/* Only support C-string compatible types */
@@ -333,15 +326,15 @@
return string_alloc("ERROR: embedded null value", gc);
}
}
- val = gc_malloc(orig->len+1, false, gc);
+ val = gc_malloc(orig->len + 1, false, gc);
memcpy(val, orig->p, orig->len);
val[orig->len] = '\0';
return val;
}
static void
-do_setenv_name(struct env_set *es, const struct x509_track *xt,
- const mbedtls_x509_crt *cert, int depth, struct gc_arena *gc)
+do_setenv_name(struct env_set *es, const struct x509_track *xt, const mbedtls_x509_crt *cert,
+ int depth, struct gc_arena *gc)
{
const mbedtls_x509_name *xn;
for (xn = &cert->subject; xn != NULL; xn = xn->next)
@@ -357,7 +350,8 @@
}
void
-x509_track_add(const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc)
+x509_track_add(const struct x509_track **ll_head, const char *name, int msglevel,
+ struct gc_arena *gc)
{
struct x509_track *xt;
ALLOC_OBJ_CLEAR_GC(xt, struct x509_track, gc);
@@ -372,8 +366,8 @@
}
void
-x509_setenv_track(const struct x509_track *xt, struct env_set *es,
- const int depth, mbedtls_x509_crt *cert)
+x509_setenv_track(const struct x509_track *xt, struct env_set *es, const int depth,
+ mbedtls_x509_crt *cert)
{
struct gc_arena gc = gc_new();
while (xt)
@@ -395,8 +389,8 @@
cert_hash = x509_get_sha256_fingerprint(cert, &gc);
}
- fingerprint = format_hex_ex(BPTR(&cert_hash),
- BLEN(&cert_hash), 0, 1 | FHE_CAPS, ":", &gc);
+ fingerprint =
+ format_hex_ex(BPTR(&cert_hash), BLEN(&cert_hash), 0, 1 | FHE_CAPS, ":", &gc);
do_setenv_x509(es, xt->name, fingerprint, depth);
}
else
@@ -426,29 +420,27 @@
while (name != NULL)
{
- char name_expand[64+8];
+ char name_expand[64 + 8];
const char *shortname;
- if (0 == mbedtls_oid_get_attr_short_name(&name->oid, &shortname) )
+ if (0 == mbedtls_oid_get_attr_short_name(&name->oid, &shortname))
{
- snprintf(name_expand, sizeof(name_expand), "X509_%d_%s",
- cert_depth, shortname);
+ snprintf(name_expand, sizeof(name_expand), "X509_%d_%s", cert_depth, shortname);
}
else
{
- snprintf(name_expand, sizeof(name_expand), "X509_%d_\?\?",
- cert_depth);
+ snprintf(name_expand, sizeof(name_expand), "X509_%d_\?\?", cert_depth);
}
for (i = 0; i < name->val.len; i++)
{
- if (i >= (int) sizeof( s ) - 1)
+ if (i >= (int)sizeof(s) - 1)
{
break;
}
c = name->val.p[i];
- if (c < 32 || c == 127 || ( c > 128 && c < 160 ) )
+ if (c < 32 || c == 127 || (c > 128 && c < 160))
{
s[i] = '?';
}
@@ -482,15 +474,13 @@
}
result_t
-x509_verify_cert_ku(mbedtls_x509_crt *cert, const unsigned *const expected_ku,
- int expected_len)
+x509_verify_cert_ku(mbedtls_x509_crt *cert, const unsigned *const expected_ku, int expected_len)
{
msg(D_HANDSHAKE, "Validating certificate key usage");
if (!mbedtls_x509_crt_has_ext_type(cert, MBEDTLS_X509_EXT_KEY_USAGE))
{
- msg(D_TLS_ERRORS,
- "ERROR: Certificate does not have key usage extension");
+ msg(D_TLS_ERRORS, "ERROR: Certificate does not have key usage extension");
return FAILURE;
}
@@ -501,10 +491,9 @@
}
result_t fFound = FAILURE;
- for (size_t i = 0; SUCCESS != fFound && i<expected_len; i++)
+ for (size_t i = 0; SUCCESS != fFound && i < expected_len; i++)
{
- if (expected_ku[i] != 0
- && 0 == mbedtls_x509_crt_check_key_usage(cert, expected_ku[i]))
+ if (expected_ku[i] != 0 && 0 == mbedtls_x509_crt_check_key_usage(cert, expected_ku[i]))
{
fFound = SUCCESS;
}
@@ -542,10 +531,10 @@
char oid_num_str[1024];
const char *oid_str;
- if (0 == mbedtls_oid_get_extended_key_usage( oid, &oid_str ))
+ if (0 == mbedtls_oid_get_extended_key_usage(oid, &oid_str))
{
- msg(D_HANDSHAKE, "++ Certificate has EKU (str) %s, expects %s",
- oid_str, expected_oid);
+ msg(D_HANDSHAKE, "++ Certificate has EKU (str) %s, expects %s", oid_str,
+ expected_oid);
if (!strcmp(expected_oid, oid_str))
{
fFound = SUCCESS;
@@ -553,11 +542,10 @@
}
}
- if (0 < mbedtls_oid_get_numeric_string( oid_num_str,
- sizeof(oid_num_str), oid))
+ if (0 < mbedtls_oid_get_numeric_string(oid_num_str, sizeof(oid_num_str), oid))
{
- msg(D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s",
- oid_num_str, expected_oid);
+ msg(D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s", oid_num_str,
+ expected_oid);
if (!strcmp(expected_oid, oid_num_str))
{
fFound = SUCCESS;
@@ -69,8 +69,7 @@
*
* @return The return value is 0 unless a fatal error occurred.
*/
-int verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth,
- uint32_t *flags);
+int verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth, uint32_t *flags);
/** @} name Function for authenticating a new connection from a remote OpenVPN peer */
@@ -57,7 +57,7 @@
/* get the tls_session pointer */
ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
ASSERT(ssl);
- session = (struct tls_session *) SSL_get_ex_data(ssl, mydata_index);
+ session = (struct tls_session *)SSL_get_ex_data(ssl, mydata_index);
ASSERT(session);
X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);
@@ -81,8 +81,7 @@
{
msg(D_TLS_DEBUG_LOW, "VERIFY WARNING: depth=%d, %s: %s",
X509_STORE_CTX_get_error_depth(ctx),
- X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)),
- subject);
+ X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), subject);
ret = 1;
goto cleanup;
}
@@ -90,8 +89,8 @@
/* Remote site specified a certificate, but it's not correct */
msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s, serial=%s",
X509_STORE_CTX_get_error_depth(ctx),
- X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)),
- subject, serial ? serial : "<not available>");
+ X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), subject,
+ serial ? serial : "<not available>");
ERR_clear_error();
@@ -120,8 +119,7 @@
return nid == NID_subject_alt_name || nid == NID_issuer_alt_name;
}
-static
-bool
+static bool
extract_x509_extension(X509 *cert, char *fieldname, char *out, int size)
{
bool retval = false;
@@ -129,8 +127,7 @@
if (!x509_username_field_ext_supported(fieldname))
{
- msg(D_TLS_ERRORS,
- "ERROR: --x509-username-field 'ext:%s' not supported", fieldname);
+ msg(D_TLS_ERRORS, "ERROR: --x509-username-field 'ext:%s' not supported", fieldname);
return false;
}
@@ -148,10 +145,10 @@
numalts = sk_GENERAL_NAME_num(extensions);
/* loop through all alternatives */
- for (i = 0; i<numalts; i++)
+ for (i = 0; i < numalts; i++)
{
/* get a handle to alternative name number i */
- const GENERAL_NAME *name = sk_GENERAL_NAME_value(extensions, i );
+ const GENERAL_NAME *name = sk_GENERAL_NAME_value(extensions, i);
switch (name->type)
{
@@ -174,8 +171,8 @@
break;
default:
- msg(D_TLS_DEBUG, "%s: ignoring general name field type %i",
- __func__, name->type);
+ msg(D_TLS_DEBUG, "%s: ignoring general name field type %i", __func__,
+ name->type);
break;
}
}
@@ -198,8 +195,7 @@
* to contain result is grounds for error).
*/
static result_t
-extract_x509_field_ssl(X509_NAME *x509, const char *field_name, char *out,
- int size)
+extract_x509_field_ssl(X509_NAME *x509, const char *field_name, char *out, int size)
{
int lastpos = -1;
int tmp = -1;
@@ -256,13 +252,12 @@
}
result_t
-backend_x509_get_username(char *common_name, int cn_len,
- char *x509_username_field, X509 *peer_cert)
+backend_x509_get_username(char *common_name, int cn_len, char *x509_username_field, X509 *peer_cert)
{
#ifdef ENABLE_X509ALTUSERNAME
if (strncmp("ext:", x509_username_field, 4) == 0)
{
- if (!extract_x509_extension(peer_cert, x509_username_field+4, common_name, cn_len))
+ if (!extract_x509_extension(peer_cert, x509_username_field + 4, common_name, cn_len))
{
return FAILURE;
}
@@ -271,10 +266,9 @@
{
ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert);
struct gc_arena gc = gc_new();
- char *serial = format_hex_ex(asn1_i->data, asn1_i->length,
- 0, 1 | FHE_CAPS, NULL, &gc);
+ char *serial = format_hex_ex(asn1_i->data, asn1_i->length, 0, 1 | FHE_CAPS, NULL, &gc);
- if (!serial || cn_len <= strlen(serial)+2)
+ if (!serial || cn_len <= strlen(serial) + 2)
{
gc_free(&gc);
return FAILURE;
@@ -284,11 +278,12 @@
}
else
#endif /* ifdef ENABLE_X509ALTUSERNAME */
- if (FAILURE == extract_x509_field_ssl(X509_get_subject_name(peer_cert),
- x509_username_field, common_name, cn_len))
- {
- return FAILURE;
- }
+ if (FAILURE
+ == extract_x509_field_ssl(X509_get_subject_name(peer_cert), x509_username_field,
+ common_name, cn_len))
+ {
+ return FAILURE;
+ }
return SUCCESS;
}
@@ -338,8 +333,7 @@
return SUCCESS;
err:
BIO_free(out);
- crypto_msg(D_TLS_DEBUG_LOW, "Error writing X509 certificate to file %s",
- filename);
+ crypto_msg(D_TLS_DEBUG_LOW, "Error writing X509 certificate to file %s", filename);
return FAILURE;
}
@@ -376,9 +370,9 @@
goto err;
}
- X509_NAME_print_ex(subject_bio, X509_get_subject_name(cert),
- 0, XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_FN_SN
- |ASN1_STRFLGS_UTF8_CONVERT | ASN1_STRFLGS_ESC_CTRL);
+ X509_NAME_print_ex(subject_bio, X509_get_subject_name(cert), 0,
+ XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_FN_SN | ASN1_STRFLGS_UTF8_CONVERT
+ | ASN1_STRFLGS_ESC_CTRL);
if (BIO_eof(subject_bio))
{
@@ -420,7 +414,8 @@
*/
void
-x509_track_add(const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc)
+x509_track_add(const struct x509_track **ll_head, const char *name, int msglevel,
+ struct gc_arena *gc)
{
struct x509_track *xt;
ALLOC_OBJ_CLEAR_GC(xt, struct x509_track, gc);
@@ -452,7 +447,7 @@
string_mod(value, CC_ANY, CC_CRLF, '?');
msg(D_X509_ATTR, "X509 ATTRIBUTE name='%s' value='%s' depth=%d", name, value, depth);
name_expand_size = 64 + strlen(name);
- name_expand = (char *) malloc(name_expand_size);
+ name_expand = (char *)malloc(name_expand_size);
check_malloc_return(name_expand);
snprintf(name_expand, name_expand_size, "X509_%d_%s", depth, name);
setenv_str(es, name_expand, value);
@@ -487,8 +482,7 @@
fp_buf = x509_get_sha256_fingerprint(x509, &gc);
}
- fp_str = format_hex_ex(BPTR(&fp_buf), BLEN(&fp_buf), 0,
- 1 | FHE_CAPS, ":", &gc);
+ fp_str = format_hex_ex(BPTR(&fp_buf), BLEN(&fp_buf), 0, 1 | FHE_CAPS, ":", &gc);
do_setenv_x509(es, xt->name, fp_str, depth);
}
break;
@@ -595,10 +589,9 @@
continue;
}
name_expand_size = 64 + strlen(objbuf);
- name_expand = (char *) malloc(name_expand_size);
+ name_expand = (char *)malloc(name_expand_size);
check_malloc_return(name_expand);
- snprintf(name_expand, name_expand_size, "X509_%d_%s", cert_depth,
- objbuf);
+ snprintf(name_expand, name_expand_size, "X509_%d_%s", cert_depth, objbuf);
string_mod(name_expand, CC_PRINT, CC_CRLF, '_');
string_mod((char *)buf, CC_PRINT, CC_CRLF, '_');
setenv_str_incr(es, name_expand, (char *)buf);
@@ -620,8 +613,8 @@
* Unfortunately, X509_check_purpose() does some weird thing that
* prevent it to take a const argument
*/
- result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_CLIENT, 0) ?
- SUCCESS : FAILURE;
+ result_t result =
+ X509_check_purpose(peer_cert, X509_PURPOSE_SSL_CLIENT, 0) ? SUCCESS : FAILURE;
/*
* old versions of OpenSSL allow us to make the less strict check we used to
@@ -636,7 +629,7 @@
if (result == SUCCESS)
{
msg(M_WARN, "X509: Certificate is a client certificate yet it's purpose "
- "cannot be verified (check may fail in the future)");
+ "cannot be verified (check may fail in the future)");
}
ASN1_BIT_STRING_free(ns);
}
@@ -648,8 +641,8 @@
* Unfortunately, X509_check_purpose() does some weird thing that
* prevent it to take a const argument
*/
- result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_SERVER, 0) ?
- SUCCESS : FAILURE;
+ result_t result =
+ X509_check_purpose(peer_cert, X509_PURPOSE_SSL_SERVER, 0) ? SUCCESS : FAILURE;
/*
* old versions of OpenSSL allow us to make the less strict check we used to
@@ -664,7 +657,7 @@
if (result == SUCCESS)
{
msg(M_WARN, "X509: Certificate is a server certificate yet it's purpose "
- "cannot be verified (check may fail in the future)");
+ "cannot be verified (check may fail in the future)");
}
ASN1_BIT_STRING_free(ns);
}
@@ -675,8 +668,7 @@
}
result_t
-x509_verify_cert_ku(X509 *x509, const unsigned *const expected_ku,
- int expected_len)
+x509_verify_cert_ku(X509 *x509, const unsigned *const expected_ku, int expected_len)
{
ASN1_BIT_STRING *ku = X509_get_ext_d2i(x509, NID_key_usage, NULL, NULL);
@@ -722,8 +714,7 @@
if (fFound != SUCCESS)
{
- msg(D_TLS_ERRORS,
- "ERROR: Certificate has key usage %04x, expected one of:", nku);
+ msg(D_TLS_ERRORS, "ERROR: Certificate has key usage %04x, expected one of:", nku);
for (size_t i = 0; i < expected_len && expected_ku[i]; i++)
{
msg(D_TLS_ERRORS, " * %04x", expected_ku[i]);
@@ -741,8 +732,7 @@
EXTENDED_KEY_USAGE *eku = NULL;
result_t fFound = FAILURE;
- if ((eku = (EXTENDED_KEY_USAGE *) X509_get_ext_d2i(x509, NID_ext_key_usage,
- NULL, NULL)) == NULL)
+ if ((eku = (EXTENDED_KEY_USAGE *)X509_get_ext_d2i(x509, NID_ext_key_usage, NULL, NULL)) == NULL)
{
msg(D_HANDSHAKE, "Certificate does not have extended key usage extension");
}
@@ -758,8 +748,8 @@
if (SUCCESS != fFound && OBJ_obj2txt(szOid, sizeof(szOid), oid, 0) != -1)
{
- msg(D_HANDSHAKE, "++ Certificate has EKU (str) %s, expects %s",
- szOid, expected_oid);
+ msg(D_HANDSHAKE, "++ Certificate has EKU (str) %s, expects %s", szOid,
+ expected_oid);
if (!strcmp(expected_oid, szOid))
{
fFound = SUCCESS;
@@ -767,8 +757,8 @@
}
if (SUCCESS != fFound && OBJ_obj2txt(szOid, sizeof(szOid), oid, 1) != -1)
{
- msg(D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s",
- szOid, expected_oid);
+ msg(D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s", szOid,
+ expected_oid);
if (!strcmp(expected_oid, szOid))
{
fFound = SUCCESS;
@@ -48,7 +48,7 @@
case STATUS_OUTPUT_READ:
return "READ";
- case STATUS_OUTPUT_READ|STATUS_OUTPUT_WRITE:
+ case STATUS_OUTPUT_READ | STATUS_OUTPUT_WRITE:
return "READ/WRITE";
default:
@@ -57,11 +57,8 @@
}
struct status_output *
-status_open(const char *filename,
- const int refresh_freq,
- const int msglevel,
- const struct virtual_output *vout,
- const unsigned int flags)
+status_open(const char *filename, const int refresh_freq, const int msglevel,
+ const struct virtual_output *vout, const unsigned int flags)
{
struct status_output *so = NULL;
if (filename || msglevel >= 0 || vout)
@@ -78,21 +75,16 @@
switch (so->flags)
{
case STATUS_OUTPUT_WRITE:
- so->fd = platform_open(filename,
- O_CREAT | O_TRUNC | O_WRONLY,
- S_IRUSR | S_IWUSR);
+ so->fd =
+ platform_open(filename, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR);
break;
case STATUS_OUTPUT_READ:
- so->fd = platform_open(filename,
- O_RDONLY,
- S_IRUSR | S_IWUSR);
+ so->fd = platform_open(filename, O_RDONLY, S_IRUSR | S_IWUSR);
break;
- case STATUS_OUTPUT_READ|STATUS_OUTPUT_WRITE:
- so->fd = platform_open(filename,
- O_CREAT | O_RDWR,
- S_IRUSR | S_IWUSR);
+ case STATUS_OUTPUT_READ | STATUS_OUTPUT_WRITE:
+ so->fd = platform_open(filename, O_CREAT | O_RDWR, S_IRUSR | S_IWUSR);
break;
default:
@@ -167,10 +159,10 @@
}
#elif defined(HAVE_CHSIZE)
{
- const long off = (long) lseek(so->fd, (off_t)0, SEEK_CUR);
+ const long off = (long)lseek(so->fd, (off_t)0, SEEK_CUR);
chsize(so->fd, off);
}
-#else /* if defined(HAVE_FTRUNCATE) */
+#else /* if defined(HAVE_FTRUNCATE) */
#warning both ftruncate and chsize functions appear to be missing from this OS
#endif
@@ -222,7 +214,7 @@
{
if (so && (so->flags & STATUS_OUTPUT_WRITE))
{
- char buf[STATUS_PRINTF_MAXLEN+2]; /* leave extra bytes for CR, LF */
+ char buf[STATUS_PRINTF_MAXLEN + 2]; /* leave extra bytes for CR, LF */
va_list arglist;
int stat;
@@ -28,10 +28,11 @@
/*
* virtual function interface for status output
*/
-struct virtual_output {
+struct virtual_output
+{
void *arg;
unsigned int flags_default;
- void (*func) (void *arg, const unsigned int flags, const char *str);
+ void (*func)(void *arg, const unsigned int flags, const char *str);
};
static inline void
@@ -46,8 +47,8 @@
struct status_output
{
-#define STATUS_OUTPUT_READ (1<<0)
-#define STATUS_OUTPUT_WRITE (1<<1)
+#define STATUS_OUTPUT_READ (1 << 0)
+#define STATUS_OUTPUT_WRITE (1 << 1)
unsigned int flags;
char *filename;
@@ -62,11 +63,8 @@
bool errors;
};
-struct status_output *status_open(const char *filename,
- const int refresh_freq,
- const int msglevel,
- const struct virtual_output *vout,
- const unsigned int flags);
+struct status_output *status_open(const char *filename, const int refresh_freq, const int msglevel,
+ const struct virtual_output *vout, const unsigned int flags);
bool status_trigger(struct status_output *so);
@@ -79,12 +77,12 @@
void status_printf(struct status_output *so, const char *format, ...)
#ifdef __GNUC__
#if __USE_MINGW_ANSI_STDIO
-__attribute__ ((format(gnu_printf, 2, 3)))
+ __attribute__((format(gnu_printf, 2, 3)))
#else
-__attribute__ ((format(__printf__, 2, 3)))
+ __attribute__((format(__printf__, 2, 3)))
#endif
#endif
-;
+ ;
bool status_read(struct status_output *so, struct buffer *buf);
@@ -28,20 +28,20 @@
/* branch prediction hints */
#if defined(__GNUC__)
-#define likely(x) __builtin_expect((x), 1)
-#define unlikely(x) __builtin_expect((x), 0)
+#define likely(x) __builtin_expect((x), 1)
+#define unlikely(x) __builtin_expect((x), 0)
#else
-#define likely(x) (x)
-#define unlikely(x) (x)
+#define likely(x) (x)
+#define unlikely(x) (x)
#endif
#ifdef _WIN32
#include <windows.h>
#include <winsock2.h>
#include <tlhelp32.h>
-#define sleep(x) Sleep((x)*1000)
-#define random rand
-#define srandom srand
+#define sleep(x) Sleep((x) * 1000)
+#define random rand
+#define srandom srand
#endif
#ifdef _MSC_VER /* Visual Studio */
@@ -51,7 +51,7 @@
#if defined(__APPLE__)
#if __ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__ >= 1070
-#define __APPLE_USE_RFC_3542 1
+#define __APPLE_USE_RFC_3542 1
#endif
#endif
@@ -166,10 +166,10 @@
#endif
#if defined(TARGET_HAIKU)
-#include <SupportDefs.h> /* uint32, etc */
-#include <net/if.h> /* ifconf etc */
-#include <sys/sockio.h> /* SIOCGRTTABLE, etc */
-#endif /* TARGET_HAIKU */
+#include <SupportDefs.h> /* uint32, etc */
+#include <net/if.h> /* ifconf etc */
+#include <sys/sockio.h> /* SIOCGRTTABLE, etc */
+#endif /* TARGET_HAIKU */
#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
@@ -183,7 +183,7 @@
#include <net/if_tap.h>
#endif
-#if defined(TARGET_LINUX) || defined (TARGET_ANDROID)
+#if defined(TARGET_LINUX) || defined(TARGET_ANDROID)
#ifdef HAVE_LINUX_IF_TUN_H
#include <linux/if_tun.h>
@@ -373,7 +373,9 @@
* Does this platform support linux-style IP_PKTINFO
* or bsd-style IP_RECVDSTADDR ?
*/
-#if ((defined(HAVE_IN_PKTINFO) && defined(IP_PKTINFO)) || defined(IP_RECVDSTADDR)) && defined(HAVE_MSGHDR) && defined(HAVE_CMSGHDR) && defined(CMSG_FIRSTHDR) && defined(CMSG_NXTHDR) && defined(HAVE_RECVMSG) && defined(HAVE_SENDMSG)
+#if ((defined(HAVE_IN_PKTINFO) && defined(IP_PKTINFO)) || defined(IP_RECVDSTADDR)) \
+ && defined(HAVE_MSGHDR) && defined(HAVE_CMSGHDR) && defined(CMSG_FIRSTHDR) \
+ && defined(CMSG_NXTHDR) && defined(HAVE_RECVMSG) && defined(HAVE_SENDMSG)
#define ENABLE_IP_PKTINFO 1
#else
#define ENABLE_IP_PKTINFO 0
@@ -422,10 +424,10 @@
* Directory separation char
*/
#ifdef _WIN32
-#define PATH_SEPARATOR '\\'
+#define PATH_SEPARATOR '\\'
#define PATH_SEPARATOR_STR "\\"
#else
-#define PATH_SEPARATOR '/'
+#define PATH_SEPARATOR '/'
#define PATH_SEPARATOR_STR "/"
#endif
@@ -434,11 +436,11 @@
*/
#ifdef _WIN32
#define SOCKET_UNDEFINED (INVALID_SOCKET)
-#define SOCKET_PRINTF "%" PRIxPTR
+#define SOCKET_PRINTF "%" PRIxPTR
typedef SOCKET socket_descriptor_t;
#else
#define SOCKET_UNDEFINED (-1)
-#define SOCKET_PRINTF "%d"
+#define SOCKET_PRINTF "%d"
typedef int socket_descriptor_t;
#endif
@@ -459,7 +461,9 @@
/*
* HTTPS port sharing capability
*/
-#if defined(ENABLE_PORT_SHARE) && defined(SCM_RIGHTS) && defined(HAVE_MSGHDR) && defined(HAVE_CMSGHDR) && defined(CMSG_FIRSTHDR) && defined(CMSG_NXTHDR) && defined(HAVE_RECVMSG) && defined(HAVE_SENDMSG)
+#if defined(ENABLE_PORT_SHARE) && defined(SCM_RIGHTS) && defined(HAVE_MSGHDR) \
+ && defined(HAVE_CMSGHDR) && defined(CMSG_FIRSTHDR) && defined(CMSG_NXTHDR) \
+ && defined(HAVE_RECVMSG) && defined(HAVE_SENDMSG)
#define PORT_SHARE 1
#else
#define PORT_SHARE 0
@@ -493,8 +497,7 @@
/*
* Do we have CryptoAPI capability?
*/
-#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL) \
- && !defined(ENABLE_CRYPTO_WOLFSSL)
+#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_WOLFSSL)
#define ENABLE_CRYPTOAPI
#endif
@@ -521,8 +524,7 @@
/*
* Compression support
*/
-#if defined(ENABLE_LZO) || defined(ENABLE_LZ4) \
- || defined(ENABLE_COMP_STUB)
+#if defined(ENABLE_LZO) || defined(ENABLE_LZ4) || defined(ENABLE_COMP_STUB)
#define USE_COMP
#endif
@@ -40,9 +40,9 @@
const char *tls_crypt_v2_srv_pem_name = "OpenVPN tls-crypt-v2 server key";
/** Metadata contains user-specified data */
-static const uint8_t TLS_CRYPT_METADATA_TYPE_USER = 0x00;
+static const uint8_t TLS_CRYPT_METADATA_TYPE_USER = 0x00;
/** Metadata contains a 64-bit unix timestamp in network byte order */
-static const uint8_t TLS_CRYPT_METADATA_TYPE_TIMESTAMP = 0x01;
+static const uint8_t TLS_CRYPT_METADATA_TYPE_TIMESTAMP = 0x01;
static struct key_type
tls_crypt_kt(void)
@@ -57,11 +57,10 @@
}
void
-tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata,
- const char *key_file, bool key_inline, bool tls_server)
+tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata, const char *key_file,
+ bool key_inline, bool tls_server)
{
- const int key_direction = tls_server ?
- KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
+ const int key_direction = tls_server ? KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
struct key_type kt = tls_crypt_kt();
if (!kt.cipher || !kt.digest)
{
@@ -89,7 +88,6 @@
{
key->keys[k].hmac[j] = key->keys[k].hmac[j] ^ other->keys[k].hmac[j];
}
-
}
}
@@ -98,8 +96,8 @@
{
struct key2 rengokeys;
if (!key_state_export_keying_material(session, EXPORT_DYNAMIC_TLS_CRYPT_LABEL,
- strlen(EXPORT_DYNAMIC_TLS_CRYPT_LABEL),
- rengokeys.keys, sizeof(rengokeys.keys)))
+ strlen(EXPORT_DYNAMIC_TLS_CRYPT_LABEL), rengokeys.keys,
+ sizeof(rengokeys.keys)))
{
return false;
}
@@ -111,27 +109,23 @@
session->tls_wrap_reneg.work = alloc_buf(BUF_SIZE(&session->opt->frame));
session->tls_wrap_reneg.opt.pid_persist = NULL;
- packet_id_init(&session->tls_wrap_reneg.opt.packet_id,
- session->opt->replay_window,
- session->opt->replay_time,
- "TLS_WRAP_RENEG", session->key_id);
+ packet_id_init(&session->tls_wrap_reneg.opt.packet_id, session->opt->replay_window,
+ session->opt->replay_time, "TLS_WRAP_RENEG", session->key_id);
- if (session->tls_wrap.mode == TLS_WRAP_CRYPT
- || session->tls_wrap.mode == TLS_WRAP_AUTH)
+ if (session->tls_wrap.mode == TLS_WRAP_CRYPT || session->tls_wrap.mode == TLS_WRAP_AUTH)
{
xor_key2(&rengokeys, &session->tls_wrap.original_wrap_keydata);
}
- const int key_direction = session->opt->server ?
- KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
+ const int key_direction = session->opt->server ? KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
struct key_direction_state kds;
key_direction_state_init(&kds, key_direction);
struct key_type kt = tls_crypt_kt();
- init_key_ctx_bi(&session->tls_wrap_reneg.opt.key_ctx_bi, &rengokeys, key_direction,
- &kt, "dynamic tls-crypt");
+ init_key_ctx_bi(&session->tls_wrap_reneg.opt.key_ctx_bi, &rengokeys, key_direction, &kt,
+ "dynamic tls-crypt");
secure_memzero(&rengokeys, sizeof(rengokeys));
return true;
@@ -139,8 +133,7 @@
bool
-tls_crypt_wrap(const struct buffer *src, struct buffer *dst,
- struct crypto_options *opt)
+tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
{
const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt;
struct gc_arena gc;
@@ -149,12 +142,11 @@
ASSERT(ctx->cipher);
ASSERT(ctx->hmac);
ASSERT(packet_id_initialized(&opt->packet_id));
- ASSERT(hmac_ctx_size(ctx->hmac) == 256/8);
+ ASSERT(hmac_ctx_size(ctx->hmac) == 256 / 8);
gc_init(&gc);
- dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP FROM: %s",
- format_hex(BPTR(src), BLEN(src), 80, &gc));
+ dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP FROM: %s", format_hex(BPTR(src), BLEN(src), 80, &gc));
/* Get packet ID */
if (!packet_id_write(&opt->packet_id.send, dst, true, false))
@@ -163,15 +155,15 @@
goto err;
}
- dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP AD: %s",
- format_hex(BPTR(dst), BLEN(dst), 0, &gc));
+ dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP AD: %s", format_hex(BPTR(dst), BLEN(dst), 0, &gc));
/* Buffer overflow check */
if (!buf_safe(dst, BLEN(src) + TLS_CRYPT_BLOCK_SIZE + TLS_CRYPT_TAG_SIZE))
{
- msg(D_CRYPT_ERRORS, "TLS-CRYPT WRAP: buffer size error, "
- "sc=%d so=%d sl=%d dc=%d do=%d dl=%d", src->capacity, src->offset,
- src->len, dst->capacity, dst->offset, dst->len);
+ msg(D_CRYPT_ERRORS,
+ "TLS-CRYPT WRAP: buffer size error, "
+ "sc=%d so=%d sl=%d dc=%d do=%d dl=%d",
+ src->capacity, src->offset, src->len, dst->capacity, dst->offset, dst->len);
goto err;
}
@@ -195,15 +187,13 @@
/* Encrypt src */
{
int outlen = 0;
- ASSERT(cipher_ctx_update(ctx->cipher, BEND(dst), &outlen,
- BPTR(src), BLEN(src)));
+ ASSERT(cipher_ctx_update(ctx->cipher, BEND(dst), &outlen, BPTR(src), BLEN(src)));
ASSERT(buf_inc_len(dst, outlen));
ASSERT(cipher_ctx_final(ctx->cipher, BPTR(dst), &outlen));
ASSERT(buf_inc_len(dst, outlen));
}
- dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP TO: %s",
- format_hex(BPTR(dst), BLEN(dst), 80, &gc));
+ dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP TO: %s", format_hex(BPTR(dst), BLEN(dst), 80, &gc));
gc_free(&gc);
return true;
@@ -216,8 +206,7 @@
}
bool
-tls_crypt_unwrap(const struct buffer *src, struct buffer *dst,
- struct crypto_options *opt)
+tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
{
static const char error_prefix[] = "tls-crypt unwrap error";
const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt;
@@ -228,11 +217,9 @@
ASSERT(opt);
ASSERT(src->len > 0);
ASSERT(ctx->cipher);
- ASSERT(packet_id_initialized(&opt->packet_id)
- || (opt->flags & CO_IGNORE_PACKET_ID));
+ ASSERT(packet_id_initialized(&opt->packet_id) || (opt->flags & CO_IGNORE_PACKET_ID));
- dmsg(D_PACKET_CONTENT, "TLS-CRYPT UNWRAP FROM: %s",
- format_hex(BPTR(src), BLEN(src), 80, &gc));
+ dmsg(D_PACKET_CONTENT, "TLS-CRYPT UNWRAP FROM: %s", format_hex(BPTR(src), BLEN(src), 80, &gc));
if (buf_len(src) < TLS_CRYPT_OFF_CT)
{
@@ -253,8 +240,8 @@
{
CRYPT_ERROR("cipher reset failed");
}
- if (!cipher_ctx_update(ctx->cipher, BPTR(dst), &outlen,
- BPTR(src) + TLS_CRYPT_OFF_CT, BLEN(src) - TLS_CRYPT_OFF_CT))
+ if (!cipher_ctx_update(ctx->cipher, BPTR(dst), &outlen, BPTR(src) + TLS_CRYPT_OFF_CT,
+ BLEN(src) - TLS_CRYPT_OFF_CT))
{
CRYPT_ERROR("cipher update failed");
}
@@ -283,10 +270,8 @@
if (memcmp_constant_time(tag, tag_check, sizeof(tag_check)))
{
- dmsg(D_CRYPTO_DEBUG, "tag : %s",
- format_hex(tag, sizeof(tag_check), 0, &gc));
- dmsg(D_CRYPTO_DEBUG, "tag_check: %s",
- format_hex(tag_check, sizeof(tag_check), 0, &gc));
+ dmsg(D_CRYPTO_DEBUG, "tag : %s", format_hex(tag, sizeof(tag_check), 0, &gc));
+ dmsg(D_CRYPTO_DEBUG, "tag_check: %s", format_hex(tag_check, sizeof(tag_check), 0, &gc));
CRYPT_ERROR("packet authentication failed");
}
}
@@ -315,30 +300,24 @@
}
static inline void
-tls_crypt_v2_load_client_key(struct key_ctx_bi *key, const struct key2 *key2,
- bool tls_server)
+tls_crypt_v2_load_client_key(struct key_ctx_bi *key, const struct key2 *key2, bool tls_server)
{
- const int key_direction = tls_server ?
- KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
+ const int key_direction = tls_server ? KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
struct key_type kt = tls_crypt_kt();
if (!kt.cipher || !kt.digest)
{
msg(M_FATAL, "ERROR: --tls-crypt-v2 not supported");
}
- init_key_ctx_bi(key, key2, key_direction, &kt,
- "Control Channel Encryption");
+ init_key_ctx_bi(key, key2, key_direction, &kt, "Control Channel Encryption");
}
void
tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct key2 *original_key,
- struct buffer *wkc_buf, const char *key_file,
- bool key_inline)
+ struct buffer *wkc_buf, const char *key_file, bool key_inline)
{
- struct buffer client_key = alloc_buf(TLS_CRYPT_V2_CLIENT_KEY_LEN
- + TLS_CRYPT_V2_MAX_WKC_LEN);
+ struct buffer client_key = alloc_buf(TLS_CRYPT_V2_CLIENT_KEY_LEN + TLS_CRYPT_V2_MAX_WKC_LEN);
- if (!read_pem_key_file(&client_key, tls_crypt_v2_cli_pem_name,
- key_file, key_inline))
+ if (!read_pem_key_file(&client_key, tls_crypt_v2_cli_pem_name, key_file, key_inline))
{
msg(M_FATAL, "ERROR: invalid tls-crypt-v2 client key format");
}
@@ -356,15 +335,14 @@
}
void
-tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt,
- const char *key_file, bool key_inline)
+tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file,
+ bool key_inline)
{
struct key srv_key;
struct buffer srv_key_buf;
buf_set_write(&srv_key_buf, (void *)&srv_key, sizeof(srv_key));
- if (!read_pem_key_file(&srv_key_buf, tls_crypt_v2_srv_pem_name,
- key_file, key_inline))
+ if (!read_pem_key_file(&srv_key_buf, tls_crypt_v2_srv_pem_name, key_file, key_inline))
{
msg(M_FATAL, "ERROR: invalid tls-crypt-v2 server key format");
}
@@ -383,14 +361,13 @@
}
static bool
-tls_crypt_v2_wrap_client_key(struct buffer *wkc,
- const struct key2 *src_key,
- const struct buffer *src_metadata,
- struct key_ctx *server_key, struct gc_arena *gc)
+tls_crypt_v2_wrap_client_key(struct buffer *wkc, const struct key2 *src_key,
+ const struct buffer *src_metadata, struct key_ctx *server_key,
+ struct gc_arena *gc)
{
cipher_ctx_t *cipher_ctx = server_key->cipher;
- struct buffer work = alloc_buf_gc(TLS_CRYPT_V2_MAX_WKC_LEN
- + cipher_ctx_block_size(cipher_ctx), gc);
+ struct buffer work =
+ alloc_buf_gc(TLS_CRYPT_V2_MAX_WKC_LEN + cipher_ctx_block_size(cipher_ctx), gc);
/* Calculate auth tag and synthetic IV */
uint8_t *tag = buf_write_alloc(&work, TLS_CRYPT_TAG_SIZE);
@@ -399,8 +376,8 @@
msg(M_WARN, "ERROR: could not write tag");
return false;
}
- uint16_t net_len = htons(sizeof(src_key->keys) + BLEN(src_metadata)
- + TLS_CRYPT_V2_TAG_SIZE + sizeof(uint16_t));
+ uint16_t net_len = htons(sizeof(src_key->keys) + BLEN(src_metadata) + TLS_CRYPT_V2_TAG_SIZE
+ + sizeof(uint16_t));
hmac_ctx_t *hmac_ctx = server_key->hmac;
hmac_ctx_reset(hmac_ctx);
hmac_ctx_update(hmac_ctx, (void *)&net_len, sizeof(net_len));
@@ -408,16 +385,13 @@
hmac_ctx_update(hmac_ctx, BPTR(src_metadata), BLEN(src_metadata));
hmac_ctx_final(hmac_ctx, tag);
- dmsg(D_CRYPTO_DEBUG, "TLS-CRYPT WRAP TAG: %s",
- format_hex(tag, TLS_CRYPT_TAG_SIZE, 0, gc));
+ dmsg(D_CRYPTO_DEBUG, "TLS-CRYPT WRAP TAG: %s", format_hex(tag, TLS_CRYPT_TAG_SIZE, 0, gc));
/* Use the 128 most significant bits of the tag as IV */
ASSERT(cipher_ctx_reset(cipher_ctx, tag));
/* Overflow check (OpenSSL requires an extra block in the dst buffer) */
- if (buf_forward_capacity(&work) < (sizeof(src_key->keys)
- + BLEN(src_metadata)
- + sizeof(net_len)
+ if (buf_forward_capacity(&work) < (sizeof(src_key->keys) + BLEN(src_metadata) + sizeof(net_len)
+ cipher_ctx_block_size(cipher_ctx)))
{
msg(M_WARN, "ERROR: could not crypt: insufficient space in dst");
@@ -426,11 +400,11 @@
/* Encrypt */
int outlen = 0;
- ASSERT(cipher_ctx_update(cipher_ctx, BEND(&work), &outlen,
- (void *)src_key->keys, sizeof(src_key->keys)));
+ ASSERT(cipher_ctx_update(cipher_ctx, BEND(&work), &outlen, (void *)src_key->keys,
+ sizeof(src_key->keys)));
ASSERT(buf_inc_len(&work, outlen));
- ASSERT(cipher_ctx_update(cipher_ctx, BEND(&work), &outlen,
- BPTR(src_metadata), BLEN(src_metadata)));
+ ASSERT(cipher_ctx_update(cipher_ctx, BEND(&work), &outlen, BPTR(src_metadata),
+ BLEN(src_metadata)));
ASSERT(buf_inc_len(&work, outlen));
ASSERT(cipher_ctx_final(cipher_ctx, BEND(&work), &outlen));
ASSERT(buf_inc_len(&work, outlen));
@@ -441,8 +415,7 @@
static bool
tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata,
- struct buffer wrapped_client_key,
- struct key_ctx *server_key)
+ struct buffer wrapped_client_key, struct key_ctx *server_key)
{
const char *error_prefix = __func__;
bool ret = false;
@@ -454,9 +427,8 @@
struct buffer plaintext = { 0 };
dmsg(D_TLS_DEBUG_MED, "%s: unwrapping client key (len=%d): %s", __func__,
- BLEN(&wrapped_client_key), format_hex(BPTR(&wrapped_client_key),
- BLEN(&wrapped_client_key),
- 0, &gc));
+ BLEN(&wrapped_client_key),
+ format_hex(BPTR(&wrapped_client_key), BLEN(&wrapped_client_key), 0, &gc));
if (TLS_CRYPT_V2_MAX_WKC_LEN < BLEN(&wrapped_client_key))
{
@@ -471,13 +443,12 @@
{
CRYPT_ERROR("failed to read length");
}
- memcpy(&net_len, BEND(&wrapped_client_key) - sizeof(net_len),
- sizeof(net_len));
+ memcpy(&net_len, BEND(&wrapped_client_key) - sizeof(net_len), sizeof(net_len));
if (ntohs(net_len) != BLEN(&wrapped_client_key))
{
- dmsg(D_TLS_DEBUG_LOW, "%s: net_len=%u, BLEN=%i", __func__,
- ntohs(net_len), BLEN(&wrapped_client_key));
+ dmsg(D_TLS_DEBUG_LOW, "%s: net_len=%u, BLEN=%i", __func__, ntohs(net_len),
+ BLEN(&wrapped_client_key));
CRYPT_ERROR("invalid length");
}
@@ -494,8 +465,7 @@
}
buf_set_write(&plaintext, plaintext_buf_data, sizeof(plaintext_buf_data));
int outlen = 0;
- if (!cipher_ctx_update(server_key->cipher, BPTR(&plaintext), &outlen,
- BPTR(&wrapped_client_key),
+ if (!cipher_ctx_update(server_key->cipher, BPTR(&plaintext), &outlen, BPTR(&wrapped_client_key),
BLEN(&wrapped_client_key)))
{
CRYPT_ERROR("could not decrypt client key");
@@ -512,19 +482,16 @@
uint8_t tag_check[TLS_CRYPT_TAG_SIZE] = { 0 };
hmac_ctx_reset(server_key->hmac);
hmac_ctx_update(server_key->hmac, (void *)&net_len, sizeof(net_len));
- hmac_ctx_update(server_key->hmac, BPTR(&plaintext),
- BLEN(&plaintext));
+ hmac_ctx_update(server_key->hmac, BPTR(&plaintext), BLEN(&plaintext));
hmac_ctx_final(server_key->hmac, tag_check);
if (memcmp_constant_time(tag, tag_check, sizeof(tag_check)))
{
- dmsg(D_CRYPTO_DEBUG, "tag : %s",
- format_hex(tag, sizeof(tag_check), 0, &gc));
- dmsg(D_CRYPTO_DEBUG, "tag_check: %s",
- format_hex(tag_check, sizeof(tag_check), 0, &gc));
+ dmsg(D_CRYPTO_DEBUG, "tag : %s", format_hex(tag, sizeof(tag_check), 0, &gc));
+ dmsg(D_CRYPTO_DEBUG, "tag_check: %s", format_hex(tag_check, sizeof(tag_check), 0, &gc));
CRYPT_ERROR("client key authentication error");
msg(D_TLS_DEBUG_LOW, "This might be a client-key that was generated for "
- "a different tls-crypt-v2 server key)");
+ "a different tls-crypt-v2 server key)");
}
if (buf_len(&plaintext) < sizeof(client_key->keys))
@@ -552,8 +519,7 @@
}
static bool
-tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx,
- const struct tls_options *opt)
+tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx, const struct tls_options *opt)
{
bool ret = false;
struct gc_arena gc = gc_new();
@@ -566,8 +532,7 @@
goto cleanup;
}
- tmp_file = platform_create_temp_file(opt->tmp_dir, "tls_crypt_v2_metadata_",
- &gc);
+ tmp_file = platform_create_temp_file(opt->tmp_dir, "tls_crypt_v2_metadata_", &gc);
if (!tmp_file || !buffer_write_file(tmp_file, &metadata))
{
msg(M_WARN, "ERROR: could not write metadata to file");
@@ -575,8 +540,7 @@
}
char metadata_type_str[4] = { 0 }; /* Max value: 255 */
- snprintf(metadata_type_str, sizeof(metadata_type_str),
- "%i", (uint8_t) metadata_type);
+ snprintf(metadata_type_str, sizeof(metadata_type_str), "%i", (uint8_t)metadata_type);
struct env_set *es = env_set_create(NULL);
setenv_str(es, "script_type", "tls-crypt-v2-verify");
setenv_str(es, "metadata_type", metadata_type_str);
@@ -611,15 +575,12 @@
}
bool
-tls_crypt_v2_extract_client_key(struct buffer *buf,
- struct tls_wrap_ctx *ctx,
- const struct tls_options *opt,
- bool initial_packet)
+tls_crypt_v2_extract_client_key(struct buffer *buf, struct tls_wrap_ctx *ctx,
+ const struct tls_options *opt, bool initial_packet)
{
if (!ctx->tls_crypt_v2_server_key.cipher)
{
- msg(D_TLS_ERRORS,
- "Client wants tls-crypt-v2, but no server key present.");
+ msg(D_TLS_ERRORS, "Client wants tls-crypt-v2, but no server key present.");
return false;
}
@@ -633,8 +594,7 @@
msg(D_TLS_ERRORS, "Can not read tls-crypt-v2 client key length");
return false;
}
- memcpy(&net_len, BEND(&wrapped_client_key) - sizeof(net_len),
- sizeof(net_len));
+ memcpy(&net_len, BEND(&wrapped_client_key) - sizeof(net_len), sizeof(net_len));
uint16_t wkc_len = ntohs(net_len);
if (!buf_advance(&wrapped_client_key, BLEN(&wrapped_client_key) - wkc_len))
@@ -657,7 +617,7 @@
* basically transforming the CONTROL_WKC_V1 into a normal CONTROL_V1
* packet*/
msg(D_TLS_ERRORS, "control channel security already setup ignoring "
- "wrapped key part of packet.");
+ "wrapped key part of packet.");
/* Remove client key from buffer so tls-crypt code can unwrap message */
ASSERT(buf_inc_len(buf, -(BLEN(&wrapped_client_key))));
@@ -665,10 +625,8 @@
}
ctx->tls_crypt_v2_metadata = alloc_buf(TLS_CRYPT_V2_MAX_METADATA_LEN);
- if (!tls_crypt_v2_unwrap_client_key(&ctx->original_wrap_keydata,
- &ctx->tls_crypt_v2_metadata,
- wrapped_client_key,
- &ctx->tls_crypt_v2_server_key))
+ if (!tls_crypt_v2_unwrap_client_key(&ctx->original_wrap_keydata, &ctx->tls_crypt_v2_metadata,
+ wrapped_client_key, &ctx->tls_crypt_v2_server_key))
{
msg(D_TLS_ERRORS, "Can not unwrap tls-crypt-v2 client key");
secure_memzero(&ctx->original_wrap_keydata, sizeof(ctx->original_wrap_keydata));
@@ -680,8 +638,7 @@
ctx->cleanup_key_ctx = true;
ctx->opt.flags |= CO_PACKET_ID_LONG_FORM;
memset(&ctx->opt.key_ctx_bi, 0, sizeof(ctx->opt.key_ctx_bi));
- tls_crypt_v2_load_client_key(&ctx->opt.key_ctx_bi,
- &ctx->original_wrap_keydata, true);
+ tls_crypt_v2_load_client_key(&ctx->opt.key_ctx_bi, &ctx->original_wrap_keydata, true);
/* Remove client key from buffer so tls-crypt code can unwrap message */
ASSERT(buf_inc_len(buf, -(BLEN(&wrapped_client_key))));
@@ -701,16 +658,13 @@
}
void
-tls_crypt_v2_write_client_key_file(const char *filename,
- const char *b64_metadata,
- const char *server_key_file,
- bool server_key_inline)
+tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata,
+ const char *server_key_file, bool server_key_inline)
{
struct gc_arena gc = gc_new();
struct key_ctx server_key = { 0 };
struct buffer client_key_pem = { 0 };
- struct buffer dst = alloc_buf_gc(TLS_CRYPT_V2_CLIENT_KEY_LEN
- + TLS_CRYPT_V2_MAX_WKC_LEN, &gc);
+ struct buffer dst = alloc_buf_gc(TLS_CRYPT_V2_CLIENT_KEY_LEN + TLS_CRYPT_V2_MAX_WKC_LEN, &gc);
struct key2 client_key = { .n = 2 };
if (!rand_bytes((void *)client_key.keys, sizeof(client_key.keys)))
@@ -726,8 +680,7 @@
size_t b64_length = strlen(b64_metadata);
metadata = alloc_buf_gc(OPENVPN_BASE64_DECODED_LENGTH(b64_length) + 1, &gc);
ASSERT(buf_write(&metadata, &TLS_CRYPT_METADATA_TYPE_USER, 1));
- int decoded_len = openvpn_base64_decode(b64_metadata, BEND(&metadata),
- BCAP(&metadata));
+ int decoded_len = openvpn_base64_decode(b64_metadata, BEND(&metadata), BCAP(&metadata));
if (decoded_len < 0)
{
msg(M_FATAL, "ERROR: failed to base64 decode provided metadata");
@@ -735,9 +688,8 @@
}
if (decoded_len > TLS_CRYPT_V2_MAX_METADATA_LEN - 1)
{
- msg(M_FATAL,
- "ERROR: metadata too long (%d bytes, max %u bytes)",
- decoded_len, TLS_CRYPT_V2_MAX_METADATA_LEN - 1);
+ msg(M_FATAL, "ERROR: metadata too long (%d bytes, max %u bytes)", decoded_len,
+ TLS_CRYPT_V2_MAX_METADATA_LEN - 1);
goto cleanup;
}
ASSERT(buf_inc_len(&metadata, decoded_len));
@@ -750,18 +702,15 @@
ASSERT(buf_write(&metadata, ×tamp, sizeof(timestamp)));
}
- tls_crypt_v2_init_server_key(&server_key, true, server_key_file,
- server_key_inline);
- if (!tls_crypt_v2_wrap_client_key(&dst, &client_key, &metadata, &server_key,
- &gc))
+ tls_crypt_v2_init_server_key(&server_key, true, server_key_file, server_key_inline);
+ if (!tls_crypt_v2_wrap_client_key(&dst, &client_key, &metadata, &server_key, &gc))
{
msg(M_FATAL, "ERROR: could not wrap generated client key");
goto cleanup;
}
/* PEM-encode Kc || WKc */
- if (!crypto_pem_encode(tls_crypt_v2_cli_pem_name, &client_key_pem, &dst,
- &gc))
+ if (!crypto_pem_encode(tls_crypt_v2_cli_pem_name, &client_key_pem, &dst, &gc))
{
msg(M_FATAL, "ERROR: could not PEM-encode client key");
goto cleanup;
@@ -787,17 +736,15 @@
struct buffer test_wrapped_client_key;
struct key2 keydata;
msg(D_GENKEY, "Testing client-side key loading...");
- tls_crypt_v2_init_client_key(&test_client_key, &keydata, &test_wrapped_client_key,
- client_file, client_inline);
+ tls_crypt_v2_init_client_key(&test_client_key, &keydata, &test_wrapped_client_key, client_file,
+ client_inline);
free_key_ctx_bi(&test_client_key);
/* Sanity check: unwrap and load client key (as "server") */
- struct buffer test_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN,
- &gc);
+ struct buffer test_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN, &gc);
struct key2 test_client_key2 = { 0 };
free_key_ctx(&server_key);
- tls_crypt_v2_init_server_key(&server_key, false, server_key_file,
- server_key_inline);
+ tls_crypt_v2_init_server_key(&server_key, false, server_key_file, server_key_inline);
msg(D_GENKEY, "Testing server-side key loading...");
ASSERT(tls_crypt_v2_unwrap_client_key(&test_client_key2, &test_metadata,
test_wrapped_client_key, &server_key));
@@ -85,21 +85,21 @@
#include "session_id.h"
#include "ssl_common.h"
-#define TLS_CRYPT_TAG_SIZE (256/8)
-#define TLS_CRYPT_PID_SIZE (sizeof(packet_id_type) + sizeof(net_time_t))
-#define TLS_CRYPT_BLOCK_SIZE (128/8)
+#define TLS_CRYPT_TAG_SIZE (256 / 8)
+#define TLS_CRYPT_PID_SIZE (sizeof(packet_id_type) + sizeof(net_time_t))
+#define TLS_CRYPT_BLOCK_SIZE (128 / 8)
#define TLS_CRYPT_OFF_PID (1 + SID_SIZE)
#define TLS_CRYPT_OFF_TAG (TLS_CRYPT_OFF_PID + TLS_CRYPT_PID_SIZE)
-#define TLS_CRYPT_OFF_CT (TLS_CRYPT_OFF_TAG + TLS_CRYPT_TAG_SIZE)
+#define TLS_CRYPT_OFF_CT (TLS_CRYPT_OFF_TAG + TLS_CRYPT_TAG_SIZE)
-#define TLS_CRYPT_V2_MAX_WKC_LEN (1024)
+#define TLS_CRYPT_V2_MAX_WKC_LEN (1024)
#define TLS_CRYPT_V2_CLIENT_KEY_LEN (2048 / 8)
#define TLS_CRYPT_V2_SERVER_KEY_LEN (sizeof(struct key))
-#define TLS_CRYPT_V2_TAG_SIZE (TLS_CRYPT_TAG_SIZE)
-#define TLS_CRYPT_V2_MAX_METADATA_LEN (unsigned)(TLS_CRYPT_V2_MAX_WKC_LEN \
- - (TLS_CRYPT_V2_CLIENT_KEY_LEN + TLS_CRYPT_V2_TAG_SIZE \
- + sizeof(uint16_t)))
+#define TLS_CRYPT_V2_TAG_SIZE (TLS_CRYPT_TAG_SIZE)
+#define TLS_CRYPT_V2_MAX_METADATA_LEN \
+ (unsigned)(TLS_CRYPT_V2_MAX_WKC_LEN \
+ - (TLS_CRYPT_V2_CLIENT_KEY_LEN + TLS_CRYPT_V2_TAG_SIZE + sizeof(uint16_t)))
/**
* Initialize a key_ctx_bi structure for use with @c --tls-crypt.
@@ -112,8 +112,8 @@
* otherwise.
* @param tls_server Must be set to true is this is a TLS server instance.
*/
-void tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata,
- const char *key_file, bool key_inline, bool tls_server);
+void tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata, const char *key_file,
+ bool key_inline, bool tls_server);
/**
* Generates a TLS-Crypt key to be used with dynamic tls-crypt using the
@@ -124,8 +124,7 @@
* @param session session that will be used for the TLS EKM exporter
* @return true iff generating the key was successful
*/
-bool
-tls_session_generate_dynamic_tls_crypt_key(struct tls_session *session);
+bool tls_session_generate_dynamic_tls_crypt_key(struct tls_session *session);
/**
* Returns the maximum overhead (in bytes) added to the destination buffer by
@@ -144,8 +143,7 @@
*
* @returns true iff wrapping succeeded.
*/
-bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst,
- struct crypto_options *opt);
+bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt);
/**
* Unwrap a control channel packet (decrypts, authenticates and performs
@@ -158,8 +156,7 @@
* @returns true iff unwrapping succeeded (data authenticated correctly and was
* no replay).
*/
-bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst,
- struct crypto_options *opt);
+bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt);
/**
* Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
@@ -173,8 +170,8 @@
* otherwise.
*
*/
-void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt,
- const char *key_file, bool key_inline);
+void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file,
+ bool key_inline);
/**
* Initialize a tls-crypt-v2 client key.
@@ -191,10 +188,9 @@
* @param key_inline True if key_file contains an inline key, False
* otherwise.
*/
-void tls_crypt_v2_init_client_key(struct key_ctx_bi *key,
- struct key2 *original_key,
- struct buffer *wrapped_key_buf,
- const char *key_file, bool key_inline);
+void tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct key2 *original_key,
+ struct buffer *wrapped_key_buf, const char *key_file,
+ bool key_inline);
/**
* Extract a tls-crypt-v2 client key from a P_CONTROL_HARD_RESET_CLIENT_V3
@@ -211,10 +207,8 @@
*
* @returns true if a key was successfully extracted.
*/
-bool tls_crypt_v2_extract_client_key(struct buffer *buf,
- struct tls_wrap_ctx *ctx,
- const struct tls_options *opt,
- bool initial_packet);
+bool tls_crypt_v2_extract_client_key(struct buffer *buf, struct tls_wrap_ctx *ctx,
+ const struct tls_options *opt, bool initial_packet);
/**
* Generate a tls-crypt-v2 server key, and write to file.
@@ -233,8 +227,7 @@
* @param key_inline True if key_file contains an inline key, False
* otherwise.
*/
-void tls_crypt_v2_write_client_key_file(const char *filename,
- const char *b64_metadata,
+void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata,
const char *key_file, bool key_inline);
/** @} */
@@ -84,27 +84,25 @@
#ifdef _WIN32
-const static GUID GUID_DEVCLASS_NET = { 0x4d36e972L, 0xe325, 0x11ce, { 0xbf, 0xc1, 0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18 } };
-const static GUID GUID_DEVINTERFACE_NET = { 0xcac88484, 0x7515, 0x4c03, { 0x82, 0xe6, 0x71, 0xa8, 0x7a, 0xba, 0xc3, 0x61 } };
+const static GUID GUID_DEVCLASS_NET = {
+ 0x4d36e972L, 0xe325, 0x11ce, { 0xbf, 0xc1, 0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18 }
+};
+const static GUID GUID_DEVINTERFACE_NET = {
+ 0xcac88484, 0x7515, 0x4c03, { 0x82, 0xe6, 0x71, 0xa8, 0x7a, 0xba, 0xc3, 0x61 }
+};
-/* #define SIMULATE_DHCP_FAILED */ /* simulate bad DHCP negotiation */
+/* #define SIMULATE_DHCP_FAILED */ /* simulate bad DHCP negotiation */
-#define NI_TEST_FIRST (1<<0)
-#define NI_IP_NETMASK (1<<1)
-#define NI_OPTIONS (1<<2)
+#define NI_TEST_FIRST (1 << 0)
+#define NI_IP_NETMASK (1 << 1)
+#define NI_OPTIONS (1 << 2)
-static void netsh_ifconfig(const struct tuntap_options *to,
- DWORD adapter_index,
- const in_addr_t ip,
- const in_addr_t netmask,
- const unsigned int flags);
+static void netsh_ifconfig(const struct tuntap_options *to, DWORD adapter_index, const in_addr_t ip,
+ const in_addr_t netmask, const unsigned int flags);
-static void windows_set_mtu(const int iface_index,
- const short family,
- const int mtu);
+static void windows_set_mtu(const int iface_index, const short family, const int mtu);
-static void netsh_set_dns6_servers(const struct in6_addr *addr_list,
- const int addr_len,
+static void netsh_set_dns6_servers(const struct in6_addr *addr_list, const int addr_len,
DWORD adapter_index);
static void netsh_command(const struct argv *a, int n, int msglevel);
@@ -121,15 +119,10 @@
struct gc_arena gc = gc_new();
HANDLE pipe = tt->options.msg_channel;
- address_message_t addr = {
- .header = {
- (add ? msg_add_address : msg_del_address),
- sizeof(address_message_t),
- 0
- },
- .family = family,
- .iface = { .index = tt->adapter_index, .name = "" }
- };
+ address_message_t addr = { .header = { (add ? msg_add_address : msg_del_address),
+ sizeof(address_message_t), 0 },
+ .family = family,
+ .iface = { .index = tt->adapter_index, .name = "" } };
if (addr.iface.index == TUN_ADAPTER_INDEX_INVALID)
{
@@ -141,16 +134,14 @@
{
addr.address.ipv4.s_addr = htonl(tt->local);
addr.prefix_len = netmask_to_netbits2(tt->adapter_netmask);
- msg(D_IFCONFIG, "INET address service: %s %s/%d",
- add ? "add" : "remove",
+ msg(D_IFCONFIG, "INET address service: %s %s/%d", add ? "add" : "remove",
print_in_addr_t(tt->local, 0, &gc), addr.prefix_len);
}
else
{
addr.address.ipv6 = tt->local_ipv6;
addr.prefix_len = (tt->type == DEV_TYPE_TUN) ? 128 : tt->netbits_ipv6;
- msg(D_IFCONFIG, "INET6 address service: %s %s/%d",
- add ? "add" : "remove",
+ msg(D_IFCONFIG, "INET6 address service: %s %s/%d", add ? "add" : "remove",
print_in6_addr(tt->local_ipv6, 0, &gc), addr.prefix_len);
}
@@ -162,8 +153,8 @@
if (ack.error_number != NO_ERROR)
{
msg(M_WARN, "TUN: %s address failed using service: %s [status=%u if_index=%d]",
- (add ? "adding" : "deleting"), strerror_win32(ack.error_number, &gc),
- ack.error_number, addr.iface.index);
+ (add ? "adding" : "deleting"), strerror_win32(ack.error_number, &gc), ack.error_number,
+ addr.iface.index);
goto out;
}
@@ -189,15 +180,11 @@
/* Use dns_cfg_msg with addr_len = 0 for setting only the DOMAIN */
dns_cfg_message_t dns = {
- .header = {
- (add ? msg_add_dns_cfg : msg_del_dns_cfg),
- sizeof(dns_cfg_message_t),
- 0
- },
+ .header = { (add ? msg_add_dns_cfg : msg_del_dns_cfg), sizeof(dns_cfg_message_t), 0 },
.iface = { .index = tt->adapter_index, .name = "" },
- .domains = "", /* set below */
- .family = AF_INET, /* unused */
- .addr_len = 0 /* add/delete only the domain, not DNS servers */
+ .domains = "", /* set below */
+ .family = AF_INET, /* unused */
+ .addr_len = 0 /* add/delete only the domain, not DNS servers */
};
/* interface name is required */
@@ -237,8 +224,8 @@
if (ack.error_number != NO_ERROR)
{
msg(M_WARN, "TUN: %s DNS domains failed using service: %s [status=%u if_name=%s]",
- (add ? "adding" : "deleting"), strerror_win32(ack.error_number, &gc),
- ack.error_number, dns.iface.name);
+ (add ? "adding" : "deleting"), strerror_win32(ack.error_number, &gc), ack.error_number,
+ dns.iface.name);
goto out;
}
@@ -265,17 +252,12 @@
}
/* Use dns_cfg_msg with domain = "" for setting only the DNS servers */
- dns_cfg_message_t dns = {
- .header = {
- (add ? msg_add_dns_cfg : msg_del_dns_cfg),
- sizeof(dns_cfg_message_t),
- 0
- },
- .iface = { .index = tt->adapter_index, .name = "" },
- .domains = "",
- .family = family,
- .addr_len = addr_len
- };
+ dns_cfg_message_t dns = { .header = { (add ? msg_add_dns_cfg : msg_del_dns_cfg),
+ sizeof(dns_cfg_message_t), 0 },
+ .iface = { .index = tt->adapter_index, .name = "" },
+ .domains = "",
+ .family = family,
+ .addr_len = addr_len };
/* interface name is required */
strncpy(dns.iface.name, tt->actual_name, sizeof(dns.iface.name));
@@ -285,8 +267,8 @@
{
addr_len = _countof(dns.addr);
dns.addr_len = addr_len;
- msg(M_WARN, "Number of %s DNS addresses sent to service truncated to %d",
- ip_proto_name, addr_len);
+ msg(M_WARN, "Number of %s DNS addresses sent to service truncated to %d", ip_proto_name,
+ addr_len);
}
for (int i = 0; i < addr_len; ++i)
@@ -337,15 +319,10 @@
goto out;
}
- wins_cfg_message_t wins = {
- .header = {
- (add ? msg_add_wins_cfg : msg_del_wins_cfg),
- sizeof(wins_cfg_message_t),
- 0
- },
- .iface = {.index = tt->adapter_index, .name = "" },
- .addr_len = addr_len
- };
+ wins_cfg_message_t wins = { .header = { (add ? msg_add_wins_cfg : msg_del_wins_cfg),
+ sizeof(wins_cfg_message_t), 0 },
+ .iface = { .index = tt->adapter_index, .name = "" },
+ .addr_len = addr_len };
/* interface name is required */
strncpy(wins.iface.name, tt->actual_name, sizeof(wins.iface.name));
@@ -355,8 +332,7 @@
{
addr_len = _countof(wins.addr);
wins.addr_len = addr_len;
- msg(M_WARN, "Number of WINS addresses sent to service truncated to %d",
- addr_len);
+ msg(M_WARN, "Number of WINS addresses sent to service truncated to %d", addr_len);
}
for (int i = 0; i < addr_len; ++i)
@@ -375,8 +351,8 @@
if (ack.error_number != NO_ERROR)
{
msg(M_WARN, "TUN: %s WINS failed using service: %s [status=%u if_name=%s]",
- (add ? "adding" : "deleting"), strerror_win32(ack.error_number, &gc),
- ack.error_number, wins.iface.name);
+ (add ? "adding" : "deleting"), strerror_win32(ack.error_number, &gc), ack.error_number,
+ wins.iface.name);
goto out;
}
@@ -394,20 +370,15 @@
struct gc_arena gc = gc_new();
HANDLE pipe = tt->options.msg_channel;
const char *family_name = (family == AF_INET6) ? "IPv6" : "IPv4";
- set_mtu_message_t mtu_msg = {
- .header = {
- msg_set_mtu,
- sizeof(set_mtu_message_t),
- 0
- },
- .iface = {.index = tt->adapter_index},
- .mtu = mtu,
- .family = family
- };
+ set_mtu_message_t mtu_msg = { .header = { msg_set_mtu, sizeof(set_mtu_message_t), 0 },
+ .iface = { .index = tt->adapter_index },
+ .mtu = mtu,
+ .family = family };
strncpynt(mtu_msg.iface.name, tt->actual_name, sizeof(mtu_msg.iface.name));
if (family == AF_INET6 && mtu < 1280)
{
- msg(M_INFO, "NOTE: IPv6 interface MTU < 1280 conflicts with IETF standards and might not work");
+ msg(M_INFO,
+ "NOTE: IPv6 interface MTU < 1280 conflicts with IETF standards and might not work");
}
if (!send_msg_iservice(pipe, &mtu_msg, sizeof(mtu_msg), &ack, "Set_mtu"))
@@ -418,11 +389,13 @@
if (ack.error_number != NO_ERROR)
{
msg(M_NONFATAL, "TUN: setting %s mtu using service failed: %s [status=%u if_index=%d]",
- family_name, strerror_win32(ack.error_number, &gc), ack.error_number, mtu_msg.iface.index);
+ family_name, strerror_win32(ack.error_number, &gc), ack.error_number,
+ mtu_msg.iface.index);
}
else
{
- msg(M_INFO, "%s MTU set to %d on interface %d using service", family_name, mtu, mtu_msg.iface.index);
+ msg(M_INFO, "%s MTU set to %d on interface %d using service", family_name, mtu,
+ mtu_msg.iface.index);
ret = true;
}
@@ -441,7 +414,8 @@
struct argv argv = argv_new();
argv_printf(&argv, "%s%s nicconfig where (InterfaceIndex=%ld) call SetDNSDomain '%s'",
- get_win_sys_path(), WMIC_PATH_SUFFIX, tt->adapter_index, add ? tt->options.domain : "");
+ get_win_sys_path(), WMIC_PATH_SUFFIX, tt->adapter_index,
+ add ? tt->options.domain : "");
exec_command("WMIC", &argv, 1, M_WARN);
argv_free(&argv);
@@ -479,12 +453,7 @@
}
create_adapter_message_t msg = {
- .header = {
- msg_create_adapter,
- sizeof(create_adapter_message_t),
- 0
- },
- .adapter_type = t
+ .header = { msg_create_adapter, sizeof(create_adapter_message_t), 0 }, .adapter_type = t
};
if (!send_msg_iservice(msg_channel, &msg, sizeof(msg), &ack, "create_adapter"))
@@ -495,7 +464,8 @@
if (ack.error_number != NO_ERROR)
{
msg(M_NONFATAL, "TUN: creating %s adapter using service failed: %s [status=%u]",
- print_tun_backend_driver(driver_type), strerror_win32(ack.error_number, &gc), ack.error_number);
+ print_tun_backend_driver(driver_type), strerror_win32(ack.error_number, &gc),
+ ack.error_number);
}
else
{
@@ -511,7 +481,8 @@
#endif /* ifdef _WIN32 */
#ifdef TARGET_SOLARIS
-static void solaris_error_close(struct tuntap *tt, const struct env_set *es, const char *actual, bool unplumb_inet6);
+static void solaris_error_close(struct tuntap *tt, const struct env_set *es, const char *actual,
+ bool unplumb_inet6);
#include <stropts.h>
#endif
@@ -582,10 +553,7 @@
* before the device is actually opened.
*/
const char *
-guess_tuntap_dev(const char *dev,
- const char *dev_type,
- const char *dev_node,
- struct gc_arena *gc)
+guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
{
#ifdef _WIN32
const int dt = dev_type_enum(dev, dev_type);
@@ -619,16 +587,17 @@
{
if (looks_like_netmask)
{
- msg(M_WARN, "WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (%s) that looks more like a netmask. %s",
- print_in_addr_t(addr, 0, &gc),
- ifconfig_warn_how_to_silence);
+ msg(M_WARN,
+ "WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (%s) that looks more like a netmask. %s",
+ print_in_addr_t(addr, 0, &gc), ifconfig_warn_how_to_silence);
}
}
else
{
if (!looks_like_netmask)
{
- msg(M_WARN, "WARNING: Since you are using subnet topology, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. %s",
+ msg(M_WARN,
+ "WARNING: Since you are using subnet topology, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. %s",
ifconfig_warn_how_to_silence);
}
}
@@ -640,10 +609,7 @@
* clash with ifconfig addresses or subnet.
*/
static void
-check_addr_clash(const char *name,
- int type,
- in_addr_t public,
- in_addr_t local,
+check_addr_clash(const char *name, int type, in_addr_t public, in_addr_t local,
in_addr_t remote_netmask)
{
struct gc_arena gc = gc_new();
@@ -660,7 +626,7 @@
if (type == DEV_TYPE_TUN)
{
const in_addr_t test_netmask = 0xFFFFFF00;
- const in_addr_t public_net = public &test_netmask;
+ const in_addr_t public_net = public & test_netmask;
const in_addr_t local_net = local & test_netmask;
const in_addr_t remote_net = remote_netmask & test_netmask;
@@ -668,37 +634,28 @@
{
msg(M_WARN,
"WARNING: --%s address [%s] conflicts with --ifconfig address pair [%s, %s]. %s",
- name,
- print_in_addr_t(public, 0, &gc),
- print_in_addr_t(local, 0, &gc),
- print_in_addr_t(remote_netmask, 0, &gc),
- ifconfig_warn_how_to_silence);
+ name, print_in_addr_t(public, 0, &gc), print_in_addr_t(local, 0, &gc),
+ print_in_addr_t(remote_netmask, 0, &gc), ifconfig_warn_how_to_silence);
}
if (public_net == local_net || public_net == remote_net)
{
msg(M_WARN,
"WARNING: potential conflict between --%s address [%s] and --ifconfig address pair [%s, %s] -- this is a warning only that is triggered when local/remote addresses exist within the same /24 subnet as --ifconfig endpoints. %s",
- name,
- print_in_addr_t(public, 0, &gc),
- print_in_addr_t(local, 0, &gc),
- print_in_addr_t(remote_netmask, 0, &gc),
- ifconfig_warn_how_to_silence);
+ name, print_in_addr_t(public, 0, &gc), print_in_addr_t(local, 0, &gc),
+ print_in_addr_t(remote_netmask, 0, &gc), ifconfig_warn_how_to_silence);
}
}
else if (type == DEV_TYPE_TAP)
{
- const in_addr_t public_network = public &remote_netmask;
+ const in_addr_t public_network = public & remote_netmask;
const in_addr_t virtual_network = local & remote_netmask;
if (public_network == virtual_network)
{
msg(M_WARN,
"WARNING: --%s address [%s] conflicts with --ifconfig subnet [%s, %s] -- local and remote addresses cannot be inside of the --ifconfig subnet. %s",
- name,
- print_in_addr_t(public, 0, &gc),
- print_in_addr_t(local, 0, &gc),
- print_in_addr_t(remote_netmask, 0, &gc),
- ifconfig_warn_how_to_silence);
+ name, print_in_addr_t(public, 0, &gc), print_in_addr_t(local, 0, &gc),
+ print_in_addr_t(remote_netmask, 0, &gc), ifconfig_warn_how_to_silence);
}
}
}
@@ -710,7 +667,7 @@
{
struct gc_arena gc = gc_new();
struct route_gateway_info rgi;
- const unsigned int needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED);
+ const unsigned int needed = (RGI_ADDR_DEFINED | RGI_NETMASK_DEFINED);
get_default_gateway(&rgi, 0, ctx);
if ((rgi.flags & needed) == needed)
@@ -718,7 +675,8 @@
const in_addr_t lan_network = rgi.gateway.addr & rgi.gateway.netmask;
if (lan_network == 0xC0A80000 || lan_network == 0xC0A80100)
{
- msg(M_WARN, "NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.");
+ msg(M_WARN,
+ "NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.");
}
}
gc_free(&gc);
@@ -736,8 +694,7 @@
{
if (!is_tun_p2p(tt))
{
- buf_printf(&out, "%s %s",
- print_in_addr_t(tt->local & tt->remote_netmask, 0, gc),
+ buf_printf(&out, "%s %s", print_in_addr_t(tt->local & tt->remote_netmask, 0, gc),
print_in_addr_t(tt->remote_netmask, 0, gc));
}
else if (tt->type == DEV_TYPE_TUN) /* tun p2p topology */
@@ -774,20 +731,16 @@
{
if (rwflags & EVENT_READ)
{
- buf_printf(&out, "T%s",
- (tt->rwflags_debug & EVENT_READ) ? "R" : "r");
+ buf_printf(&out, "T%s", (tt->rwflags_debug & EVENT_READ) ? "R" : "r");
#ifdef _WIN32
- buf_printf(&out, "%s",
- overlapped_io_state_ascii(&tt->reads));
+ buf_printf(&out, "%s", overlapped_io_state_ascii(&tt->reads));
#endif
}
if (rwflags & EVENT_WRITE)
{
- buf_printf(&out, "T%s",
- (tt->rwflags_debug & EVENT_WRITE) ? "W" : "w");
+ buf_printf(&out, "T%s", (tt->rwflags_debug & EVENT_WRITE) ? "W" : "w");
#ifdef _WIN32
- buf_printf(&out, "%s",
- overlapped_io_state_ascii(&tt->writes));
+ buf_printf(&out, "%s", overlapped_io_state_ascii(&tt->writes));
#endif
}
}
@@ -806,8 +759,7 @@
{
bool tun_p2p = false;
- if (tt->type == DEV_TYPE_TAP
- || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET))
+ if (tt->type == DEV_TYPE_TAP || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET))
{
tun_p2p = false;
}
@@ -817,7 +769,8 @@
}
else
{
- msg(M_FATAL, "Error: problem with tun vs. tap setting"); /* JYFIXME -- needs to be caught earlier, in init_tun? */
+ msg(M_FATAL, "Error: problem with tun vs. tap setting"); /* JYFIXME -- needs to be caught
+ earlier, in init_tun? */
}
return tun_p2p;
}
@@ -870,20 +823,16 @@
* but don't execute yet.
*/
struct tuntap *
-init_tun(const char *dev, /* --dev option */
- const char *dev_type, /* --dev-type option */
- int topology, /* one of the TOP_x values */
- const char *ifconfig_local_parm, /* --ifconfig parm 1 */
- const char *ifconfig_remote_netmask_parm, /* --ifconfig parm 2 */
- const char *ifconfig_ipv6_local_parm, /* --ifconfig parm 1 IPv6 */
+init_tun(const char *dev, /* --dev option */
+ const char *dev_type, /* --dev-type option */
+ int topology, /* one of the TOP_x values */
+ const char *ifconfig_local_parm, /* --ifconfig parm 1 */
+ const char *ifconfig_remote_netmask_parm, /* --ifconfig parm 2 */
+ const char *ifconfig_ipv6_local_parm, /* --ifconfig parm 1 IPv6 */
int ifconfig_ipv6_netbits_parm,
- const char *ifconfig_ipv6_remote_parm, /* --ifconfig parm 2 IPv6 */
- struct addrinfo *local_public,
- struct addrinfo *remote_public,
- const bool strict_warn,
- struct env_set *es,
- openvpn_net_ctx_t *ctx,
- struct tuntap *tt)
+ const char *ifconfig_ipv6_remote_parm, /* --ifconfig parm 2 IPv6 */
+ struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn,
+ struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt)
{
if (!tt)
{
@@ -905,25 +854,13 @@
* Convert arguments to binary IPv4 addresses.
*/
- tt->local = getaddr(
- GETADDR_RESOLVE
- | GETADDR_HOST_ORDER
- | GETADDR_FATAL_ON_SIGNAL
- | GETADDR_FATAL,
- ifconfig_local_parm,
- 0,
- NULL,
- NULL);
+ tt->local =
+ getaddr(GETADDR_RESOLVE | GETADDR_HOST_ORDER | GETADDR_FATAL_ON_SIGNAL | GETADDR_FATAL,
+ ifconfig_local_parm, 0, NULL, NULL);
- tt->remote_netmask = getaddr(
- (tun_p2p ? GETADDR_RESOLVE : 0)
- | GETADDR_HOST_ORDER
- | GETADDR_FATAL_ON_SIGNAL
- | GETADDR_FATAL,
- ifconfig_remote_netmask_parm,
- 0,
- NULL,
- NULL);
+ tt->remote_netmask = getaddr((tun_p2p ? GETADDR_RESOLVE : 0) | GETADDR_HOST_ORDER
+ | GETADDR_FATAL_ON_SIGNAL | GETADDR_FATAL,
+ ifconfig_remote_netmask_parm, 0, NULL, NULL);
/*
* Look for common errors in --ifconfig parms
@@ -942,12 +879,9 @@
{
if (curele->ai_family == AF_INET)
{
- const in_addr_t local = ntohl(((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr);
- check_addr_clash("local",
- tt->type,
- local,
- tt->local,
- tt->remote_netmask);
+ const in_addr_t local =
+ ntohl(((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr);
+ check_addr_clash("local", tt->type, local, tt->local, tt->remote_netmask);
}
}
@@ -955,12 +889,9 @@
{
if (curele->ai_family == AF_INET)
{
- const in_addr_t remote = ntohl(((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr);
- check_addr_clash("remote",
- tt->type,
- remote,
- tt->local,
- tt->remote_netmask);
+ const in_addr_t remote =
+ ntohl(((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr);
+ check_addr_clash("remote", tt->type, remote, tt->local, tt->remote_netmask);
}
}
}
@@ -986,15 +917,15 @@
if (ifconfig_ipv6_local_parm && ifconfig_ipv6_remote_parm)
{
-
/*
* Convert arguments to binary IPv6 addresses.
*/
- if (inet_pton( AF_INET6, ifconfig_ipv6_local_parm, &tt->local_ipv6 ) != 1
- || inet_pton( AF_INET6, ifconfig_ipv6_remote_parm, &tt->remote_ipv6 ) != 1)
+ if (inet_pton(AF_INET6, ifconfig_ipv6_local_parm, &tt->local_ipv6) != 1
+ || inet_pton(AF_INET6, ifconfig_ipv6_remote_parm, &tt->remote_ipv6) != 1)
{
- msg( M_FATAL, "init_tun: problem converting IPv6 ifconfig addresses %s and %s to binary", ifconfig_ipv6_local_parm, ifconfig_ipv6_remote_parm );
+ msg(M_FATAL, "init_tun: problem converting IPv6 ifconfig addresses %s and %s to binary",
+ ifconfig_ipv6_local_parm, ifconfig_ipv6_remote_parm);
}
tt->netbits_ipv6 = ifconfig_ipv6_netbits_parm;
@@ -1016,9 +947,7 @@
* Platform specific tun initializations
*/
void
-init_tun_post(struct tuntap *tt,
- const struct frame *frame,
- const struct tuntap_options *options)
+init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
{
tt->options = *options;
#ifdef _WIN32
@@ -1045,8 +974,7 @@
* -> helper function to simplify code below
*/
static void
-add_route_connected_v6_net(struct tuntap *tt,
- const struct env_set *es)
+add_route_connected_v6_net(struct tuntap *tt, const struct env_set *es)
{
struct route_ipv6 r6;
@@ -1054,8 +982,8 @@
r6.network = tt->local_ipv6;
r6.netbits = tt->netbits_ipv6;
r6.gateway = tt->local_ipv6;
- r6.metric = 0; /* connected route */
- r6.flags = RT_DEFINED | RT_METRIC_DEFINED;
+ r6.metric = 0; /* connected route */
+ r6.flags = RT_DEFINED | RT_METRIC_DEFINED;
add_route_ipv6(&r6, tt, 0, es, NULL);
}
@@ -1068,15 +996,16 @@
r6.network = tt->local_ipv6;
r6.netbits = tt->netbits_ipv6;
r6.gateway = tt->local_ipv6;
- r6.metric = 0; /* connected route */
- r6.flags = RT_DEFINED | RT_ADDED | RT_METRIC_DEFINED;
+ r6.metric = 0; /* connected route */
+ r6.flags = RT_DEFINED | RT_ADDED | RT_METRIC_DEFINED;
route_ipv6_clear_host_bits(&r6);
delete_route_ipv6(&r6, tt, NULL, NULL);
}
-#endif /* if defined(_WIN32) || defined(TARGET_DARWIN) || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD) */
+#endif /* if defined(_WIN32) || defined(TARGET_DARWIN) || defined(TARGET_NETBSD) || \
+ defined(TARGET_OPENBSD) */
-#if defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
- || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD)
+#if defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || defined(TARGET_NETBSD) \
+ || defined(TARGET_OPENBSD)
/* we can't use true subnet mode on tun on all platforms, as that
* conflicts with IPv6 (wants to use ND then, which we don't do),
* but the OSes want "a remote address that is different from ours"
@@ -1087,11 +1016,11 @@
*/
in_addr_t
-create_arbitrary_remote( struct tuntap *tt )
+create_arbitrary_remote(struct tuntap *tt)
{
in_addr_t remote;
- remote = (tt->local & tt->remote_netmask) +1;
+ remote = (tt->local & tt->remote_netmask) + 1;
if (remote == tt->local)
{
@@ -1112,8 +1041,8 @@
* @param ctx the networking API opaque context
*/
static void
-do_ifconfig_ipv6(struct tuntap *tt, const char *ifname, int tun_mtu,
- const struct env_set *es, openvpn_net_ctx_t *ctx)
+do_ifconfig_ipv6(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es,
+ openvpn_net_ctx_t *ctx)
{
#if !defined(TARGET_LINUX)
struct argv argv = argv_new();
@@ -1132,16 +1061,14 @@
msg(M_FATAL, "Linux can't bring %s up", ifname);
}
- if (net_addr_v6_add(ctx, ifname, &tt->local_ipv6,
- tt->netbits_ipv6) < 0)
+ if (net_addr_v6_add(ctx, ifname, &tt->local_ipv6, tt->netbits_ipv6) < 0)
{
msg(M_FATAL, "Linux can't add IPv6 to interface %s", ifname);
}
#elif defined(TARGET_ANDROID)
char out6[64];
- snprintf(out6, sizeof(out6), "%s/%d %d",
- ifconfig_ipv6_local, tt->netbits_ipv6, tun_mtu);
+ snprintf(out6, sizeof(out6), "%s/%d %d", ifconfig_ipv6_local, tt->netbits_ipv6, tun_mtu);
management_android_control(management, "IFCONFIG6", out6);
#elif defined(TARGET_SOLARIS)
argv_printf(&argv, "%s %s inet6 unplumb", IFCONFIG_PATH, ifname);
@@ -1152,9 +1079,8 @@
{
const char *ifconfig_ipv6_remote = print_in6_addr(tt->remote_ipv6, 0, &gc);
- argv_printf(&argv, "%s %s inet6 plumb %s/%d %s mtu %d up",
- IFCONFIG_PATH, ifname, ifconfig_ipv6_local,
- tt->netbits_ipv6, ifconfig_ipv6_remote, tun_mtu);
+ argv_printf(&argv, "%s %s inet6 plumb %s/%d %s mtu %d up", IFCONFIG_PATH, ifname,
+ ifconfig_ipv6_local, tt->netbits_ipv6, ifconfig_ipv6_remote, tun_mtu);
}
else /* tap mode */
{
@@ -1162,8 +1088,7 @@
argv_printf(&argv, "%s %s inet6 plumb up", IFCONFIG_PATH, ifname);
argv_msg(M_INFO, &argv);
- if (!openvpn_execve_check(&argv, es, 0,
- "Solaris ifconfig IPv6 (prepare) failed"))
+ if (!openvpn_execve_check(&argv, es, 0, "Solaris ifconfig IPv6 (prepare) failed"))
{
solaris_error_close(tt, es, ifname, true);
}
@@ -1177,8 +1102,8 @@
/* static IPv6 addresses need to go to a subinterface (tap0:1)
* and we cannot set an mtu here (must go to the "parent")
*/
- argv_printf(&argv, "%s %s inet6 addif %s/%d up", IFCONFIG_PATH,
- ifname, ifconfig_ipv6_local, tt->netbits_ipv6 );
+ argv_printf(&argv, "%s %s inet6 addif %s/%d up", IFCONFIG_PATH, ifname, ifconfig_ipv6_local,
+ tt->netbits_ipv6);
}
argv_msg(M_INFO, &argv);
@@ -1189,23 +1114,19 @@
if (tt->type != DEV_TYPE_TUN)
{
- argv_printf(&argv, "%s %s inet6 mtu %d", IFCONFIG_PATH,
- ifname, tun_mtu);
+ argv_printf(&argv, "%s %s inet6 mtu %d", IFCONFIG_PATH, ifname, tun_mtu);
argv_msg(M_INFO, &argv);
openvpn_execve_check(&argv, es, 0, "Solaris ifconfig IPv6 mtu failed");
}
-#elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) \
- || defined(TARGET_DARWIN) || defined(TARGET_FREEBSD) \
- || defined(TARGET_DRAGONFLY)
- argv_printf(&argv, "%s %s inet6 %s/%d mtu %d up", IFCONFIG_PATH, ifname,
- ifconfig_ipv6_local, tt->netbits_ipv6, tun_mtu);
+#elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) || defined(TARGET_DARWIN) \
+ || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
+ argv_printf(&argv, "%s %s inet6 %s/%d mtu %d up", IFCONFIG_PATH, ifname, ifconfig_ipv6_local,
+ tt->netbits_ipv6, tun_mtu);
argv_msg(M_INFO, &argv);
- openvpn_execve_check(&argv, es, S_FATAL,
- "generic BSD ifconfig inet6 failed");
+ openvpn_execve_check(&argv, es, S_FATAL, "generic BSD ifconfig inet6 failed");
-#if defined(TARGET_FREEBSD) && __FreeBSD_version >= 1200000 \
- && __FreeBSD_version < 1300000
+#if defined(TARGET_FREEBSD) && __FreeBSD_version >= 1200000 && __FreeBSD_version < 1300000
/* On FreeBSD 12.0-12.4, there is ipv6_activate_all_interfaces="YES"
* in rc.conf, which is not set by default. If it is *not* set,
* "all new interfaces that are not already up" are configured by
@@ -1224,27 +1145,26 @@
argv_printf(&argv, "%s %s inet6 -ifdisabled", IFCONFIG_PATH, ifname);
argv_msg(M_INFO, &argv);
- openvpn_execve_check(&argv, es, S_FATAL,
- "FreeBSD BSD 'ifconfig inet6 -ifdisabled' failed");
+ openvpn_execve_check(&argv, es, S_FATAL, "FreeBSD BSD 'ifconfig inet6 -ifdisabled' failed");
#endif
#elif defined(TARGET_AIX)
- argv_printf(&argv, "%s %s inet6 %s/%d mtu %d up", IFCONFIG_PATH, ifname,
- ifconfig_ipv6_local, tt->netbits_ipv6, tun_mtu);
+ argv_printf(&argv, "%s %s inet6 %s/%d mtu %d up", IFCONFIG_PATH, ifname, ifconfig_ipv6_local,
+ tt->netbits_ipv6, tun_mtu);
argv_msg(M_INFO, &argv);
/* AIX ifconfig will complain if it can't find ODM path in env */
es = env_set_create(NULL);
env_set_add(es, "ODMDIR=/etc/objrepos");
- openvpn_execve_check(&argv, es, S_FATAL,
- "generic BSD ifconfig inet6 failed");
+ openvpn_execve_check(&argv, es, S_FATAL, "generic BSD ifconfig inet6 failed");
env_set_destroy(es);
-#elif defined (_WIN32)
+#elif defined(_WIN32)
if (tt->options.ip_win32_type == IPW32_SET_MANUAL)
{
- msg(M_INFO, "******** NOTE: Please manually set the v6 IP of '%s' to %s (if it is not already set)",
+ msg(M_INFO,
+ "******** NOTE: Please manually set the v6 IP of '%s' to %s (if it is not already set)",
ifname, ifconfig_ipv6_local);
}
else if (tt->options.msg_channel)
@@ -1275,8 +1195,8 @@
int netbits = (tt->type == DEV_TYPE_TUN) ? 128 : tt->netbits_ipv6;
argv_printf(&argv, "%s%s interface ipv6 set address %lu %s/%d store=active",
- get_win_sys_path(), NETSH_PATH_SUFFIX, tt->adapter_index,
- ifconfig_ipv6_local, netbits);
+ get_win_sys_path(), NETSH_PATH_SUFFIX, tt->adapter_index, ifconfig_ipv6_local,
+ netbits);
netsh_command(&argv, 4, M_FATAL);
if (tt->type == DEV_TYPE_TUN)
{
@@ -1291,8 +1211,9 @@
do_dns_domain_wmic(true, tt);
}
}
-#else /* platforms we have no IPv6 code for */
- msg(M_FATAL, "Sorry, but I don't know how to do IPv6 'ifconfig' commands on this operating system. You should ifconfig your TUN/TAP device manually or use an --up script.");
+#else /* platforms we have no IPv6 code for */
+ msg(M_FATAL,
+ "Sorry, but I don't know how to do IPv6 'ifconfig' commands on this operating system. You should ifconfig your TUN/TAP device manually or use an --up script.");
#endif /* outer "if defined(TARGET_xxx)" conditional */
#if !defined(TARGET_LINUX)
@@ -1311,8 +1232,8 @@
* @param ctx the networking API opaque context
*/
static void
-do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu,
- const struct env_set *es, openvpn_net_ctx_t *ctx)
+do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es,
+ openvpn_net_ctx_t *ctx)
{
#if !defined(_WIN32) && !defined(TARGET_ANDROID)
/*
@@ -1347,16 +1268,14 @@
if (tun_p2p)
{
- if (net_addr_ptp_v4_add(ctx, ifname, &tt->local,
- &tt->remote_netmask) < 0)
+ if (net_addr_ptp_v4_add(ctx, ifname, &tt->local, &tt->remote_netmask) < 0)
{
msg(M_FATAL, "Linux can't add IP to interface %s", ifname);
}
}
else
{
- if (net_addr_v4_add(ctx, ifname, &tt->local,
- netmask_to_netbits2(tt->remote_netmask)) < 0)
+ if (net_addr_v4_add(ctx, ifname, &tt->local, netmask_to_netbits2(tt->remote_netmask)) < 0)
{
msg(M_FATAL, "Linux can't add IP to interface %s", ifname);
}
@@ -1364,8 +1283,8 @@
#elif defined(TARGET_ANDROID)
char out[64];
- snprintf(out, sizeof(out), "%s %s %d %s", ifconfig_local,
- ifconfig_remote_netmask, tun_mtu, print_topology(tt->topology));
+ snprintf(out, sizeof(out), "%s %s %d %s", ifconfig_local, ifconfig_remote_netmask, tun_mtu,
+ print_topology(tt->topology));
management_android_control(management, "IFCONFIG", out);
#elif defined(TARGET_SOLARIS)
@@ -1376,8 +1295,8 @@
*/
if (tun_p2p)
{
- argv_printf(&argv, "%s %s %s %s mtu %d up", IFCONFIG_PATH, ifname,
- ifconfig_local, ifconfig_remote_netmask, tun_mtu);
+ argv_printf(&argv, "%s %s %s %s mtu %d up", IFCONFIG_PATH, ifname, ifconfig_local,
+ ifconfig_remote_netmask, tun_mtu);
argv_msg(M_INFO, &argv);
if (!openvpn_execve_check(&argv, es, 0, "Solaris ifconfig phase-1 failed"))
@@ -1385,19 +1304,16 @@
solaris_error_close(tt, es, ifname, false);
}
- argv_printf(&argv, "%s %s netmask 255.255.255.255", IFCONFIG_PATH,
- ifname);
+ argv_printf(&argv, "%s %s netmask 255.255.255.255", IFCONFIG_PATH, ifname);
}
else if (tt->type == DEV_TYPE_TUN)
{
- argv_printf(&argv, "%s %s %s %s netmask %s mtu %d up", IFCONFIG_PATH,
- ifname, ifconfig_local, ifconfig_local,
- ifconfig_remote_netmask, tun_mtu);
+ argv_printf(&argv, "%s %s %s %s netmask %s mtu %d up", IFCONFIG_PATH, ifname,
+ ifconfig_local, ifconfig_local, ifconfig_remote_netmask, tun_mtu);
}
else /* tap */
{
- argv_printf(&argv, "%s %s %s netmask %s up",
- IFCONFIG_PATH, ifname, ifconfig_local,
+ argv_printf(&argv, "%s %s %s netmask %s up", IFCONFIG_PATH, ifname, ifconfig_local,
ifconfig_remote_netmask);
}
@@ -1422,7 +1338,7 @@
#elif defined(TARGET_OPENBSD)
- in_addr_t remote_end; /* for "virtual" subnet topology */
+ in_addr_t remote_end; /* for "virtual" subnet topology */
/*
* On OpenBSD, tun interfaces are persistent if created with
@@ -1433,24 +1349,20 @@
/* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */
if (tun_p2p)
{
- argv_printf(&argv,
- "%s %s %s %s mtu %d netmask 255.255.255.255 up -link0",
- IFCONFIG_PATH, ifname, ifconfig_local,
- ifconfig_remote_netmask, tun_mtu);
+ argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up -link0", IFCONFIG_PATH,
+ ifname, ifconfig_local, ifconfig_remote_netmask, tun_mtu);
}
else if (tt->type == DEV_TYPE_TUN)
{
- remote_end = create_arbitrary_remote( tt );
- argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up -link0",
- IFCONFIG_PATH, ifname, ifconfig_local,
- print_in_addr_t(remote_end, 0, &gc), tun_mtu,
+ remote_end = create_arbitrary_remote(tt);
+ argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up -link0", IFCONFIG_PATH, ifname,
+ ifconfig_local, print_in_addr_t(remote_end, 0, &gc), tun_mtu,
ifconfig_remote_netmask);
}
else /* tap */
{
- argv_printf(&argv, "%s %s %s netmask %s mtu %d link0",
- IFCONFIG_PATH, ifname, ifconfig_local,
- ifconfig_remote_netmask, tun_mtu);
+ argv_printf(&argv, "%s %s %s netmask %s mtu %d link0", IFCONFIG_PATH, ifname,
+ ifconfig_local, ifconfig_remote_netmask, tun_mtu);
}
argv_msg(M_INFO, &argv);
openvpn_execve_check(&argv, es, S_FATAL, "OpenBSD ifconfig failed");
@@ -1468,20 +1380,19 @@
}
#elif defined(TARGET_NETBSD)
- in_addr_t remote_end = INADDR_ANY; /* for "virtual" subnet topology */
+ in_addr_t remote_end = INADDR_ANY; /* for "virtual" subnet topology */
if (tun_p2p)
{
- argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up",
- IFCONFIG_PATH, ifname, ifconfig_local,
- ifconfig_remote_netmask, tun_mtu);
+ argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up", IFCONFIG_PATH, ifname,
+ ifconfig_local, ifconfig_remote_netmask, tun_mtu);
}
else if (tt->type == DEV_TYPE_TUN)
{
remote_end = create_arbitrary_remote(tt);
- argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up", IFCONFIG_PATH,
- ifname, ifconfig_local, print_in_addr_t(remote_end, 0, &gc),
- tun_mtu, ifconfig_remote_netmask);
+ argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up", IFCONFIG_PATH, ifname,
+ ifconfig_local, print_in_addr_t(remote_end, 0, &gc), tun_mtu,
+ ifconfig_remote_netmask);
}
else /* tap */
{
@@ -1490,8 +1401,7 @@
* so we don't need the "link0" extra parameter to specify we want to do
* tunneling at the ethernet level
*/
- argv_printf(&argv, "%s %s %s netmask %s mtu %d",
- IFCONFIG_PATH, ifname, ifconfig_local,
+ argv_printf(&argv, "%s %s %s netmask %s mtu %d", IFCONFIG_PATH, ifname, ifconfig_local,
ifconfig_remote_netmask, tun_mtu);
}
argv_msg(M_INFO, &argv);
@@ -1517,28 +1427,24 @@
argv_printf(&argv, "%s %s delete", IFCONFIG_PATH, ifname);
argv_msg(M_INFO, &argv);
openvpn_execve_check(&argv, es, 0, NULL);
- msg(M_INFO,
- "NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure");
+ msg(M_INFO, "NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure");
/* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */
if (tun_p2p)
{
- argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up",
- IFCONFIG_PATH, ifname, ifconfig_local,
- ifconfig_remote_netmask, tun_mtu);
+ argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up", IFCONFIG_PATH, ifname,
+ ifconfig_local, ifconfig_remote_netmask, tun_mtu);
}
else if (tt->type == DEV_TYPE_TUN)
{
- argv_printf(&argv, "%s %s %s %s netmask %s mtu %d up",
- IFCONFIG_PATH, ifname, ifconfig_local, ifconfig_local,
- ifconfig_remote_netmask, tun_mtu);
+ argv_printf(&argv, "%s %s %s %s netmask %s mtu %d up", IFCONFIG_PATH, ifname,
+ ifconfig_local, ifconfig_local, ifconfig_remote_netmask, tun_mtu);
}
else /* tap */
{
- argv_printf(&argv, "%s %s %s netmask %s mtu %d up", IFCONFIG_PATH,
- ifname, ifconfig_local, ifconfig_remote_netmask,
- tun_mtu);
+ argv_printf(&argv, "%s %s %s netmask %s mtu %d up", IFCONFIG_PATH, ifname, ifconfig_local,
+ ifconfig_remote_netmask, tun_mtu);
}
argv_msg(M_INFO, &argv);
@@ -1559,17 +1465,16 @@
#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
/* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */
- if (tun_p2p) /* point-to-point tun */
+ if (tun_p2p) /* point-to-point tun */
{
- argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up",
- IFCONFIG_PATH, ifname, ifconfig_local,
- ifconfig_remote_netmask, tun_mtu);
+ argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up", IFCONFIG_PATH, ifname,
+ ifconfig_local, ifconfig_remote_netmask, tun_mtu);
}
- else /* tun with topology subnet and tap mode (always subnet) */
+ else /* tun with topology subnet and tap mode (always subnet) */
{
int netbits = netmask_to_netbits2(tt->remote_netmask);
- argv_printf(&argv, "%s %s %s/%d mtu %d up", IFCONFIG_PATH,
- ifname, ifconfig_local, netbits, tun_mtu );
+ argv_printf(&argv, "%s %s %s/%d mtu %d up", IFCONFIG_PATH, ifname, ifconfig_local, netbits,
+ tun_mtu);
}
argv_msg(M_INFO, &argv);
@@ -1579,7 +1484,7 @@
{
/* AIX ifconfig will complain if it can't find ODM path in env */
struct env_set *aix_es = env_set_create(NULL);
- env_set_add( aix_es, "ODMDIR=/etc/objrepos" );
+ env_set_add(aix_es, "ODMDIR=/etc/objrepos");
if (tt->type == DEV_TYPE_TUN)
{
@@ -1587,23 +1492,23 @@
}
/* example: ifconfig tap0 172.30.1.1 netmask 255.255.254.0 up */
- argv_printf(&argv, "%s %s %s netmask %s mtu %d up", IFCONFIG_PATH,
- ifname, ifconfig_local, ifconfig_remote_netmask, tun_mtu);
+ argv_printf(&argv, "%s %s %s netmask %s mtu %d up", IFCONFIG_PATH, ifname, ifconfig_local,
+ ifconfig_remote_netmask, tun_mtu);
argv_msg(M_INFO, &argv);
openvpn_execve_check(&argv, aix_es, S_FATAL, "AIX ifconfig failed");
env_set_destroy(aix_es);
}
-#elif defined (_WIN32)
+#elif defined(_WIN32)
if (tt->options.ip_win32_type == IPW32_SET_MANUAL)
{
msg(M_INFO,
"******** NOTE: Please manually set the IP/netmask of '%s' to %s/%s (if it is not already set)",
- ifname, ifconfig_local,
- ifconfig_remote_netmask);
+ ifname, ifconfig_local, ifconfig_remote_netmask);
}
- else if (tt->options.ip_win32_type == IPW32_SET_DHCP_MASQ || tt->options.ip_win32_type == IPW32_SET_ADAPTIVE)
+ else if (tt->options.ip_win32_type == IPW32_SET_DHCP_MASQ
+ || tt->options.ip_win32_type == IPW32_SET_ADAPTIVE)
{
/* Let the DHCP configure the interface. */
}
@@ -1618,8 +1523,8 @@
{
if (tt->options.ip_win32_type == IPW32_SET_NETSH)
{
- netsh_ifconfig(&tt->options, tt->adapter_index, tt->local,
- tt->adapter_netmask, NI_IP_NETMASK | NI_OPTIONS);
+ netsh_ifconfig(&tt->options, tt->adapter_index, tt->local, tt->adapter_netmask,
+ NI_IP_NETMASK | NI_OPTIONS);
}
do_dns_domain_wmic(true, tt);
@@ -1636,13 +1541,14 @@
}
#elif defined(TARGET_HAIKU)
/* example: ifconfig tun/0 inet 1.1.1.1 255.255.255.0 mtu 1450 up */
- argv_printf(&argv, "%s %s inet %s %s mtu %d up", IFCONFIG_PATH,
- ifname, ifconfig_local, ifconfig_remote_netmask, tun_mtu);
+ argv_printf(&argv, "%s %s inet %s %s mtu %d up", IFCONFIG_PATH, ifname, ifconfig_local,
+ ifconfig_remote_netmask, tun_mtu);
argv_msg(M_INFO, &argv);
openvpn_execve_check(&argv, es, S_FATAL, "Haiku ifconfig failed");
#else /* if defined(TARGET_LINUX) */
- msg(M_FATAL, "Sorry, but I don't know how to do 'ifconfig' commands on this operating system. You should ifconfig your TUN/TAP device manually or use an --up script.");
+ msg(M_FATAL,
+ "Sorry, but I don't know how to do 'ifconfig' commands on this operating system. You should ifconfig your TUN/TAP device manually or use an --up script.");
#endif /* if defined(TARGET_LINUX) */
#if !defined(TARGET_LINUX)
@@ -1653,8 +1559,8 @@
/* execute the ifconfig command through the shell */
void
-do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu,
- const struct env_set *es, openvpn_net_ctx_t *ctx)
+do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es,
+ openvpn_net_ctx_t *ctx)
{
msg(D_LOW, "do_ifconfig, ipv4=%d, ipv6=%d", tt->did_ifconfig_setup,
tt->did_ifconfig_ipv6_setup);
@@ -1662,13 +1568,8 @@
#ifdef ENABLE_MANAGEMENT
if (management)
{
- management_set_state(management,
- OPENVPN_STATE_ASSIGN_IP,
- NULL,
- &tt->local,
- &tt->local_ipv6,
- NULL,
- NULL);
+ management_set_state(management, OPENVPN_STATE_ASSIGN_IP, NULL, &tt->local, &tt->local_ipv6,
+ NULL, NULL);
}
#endif
@@ -1694,19 +1595,16 @@
if (is_tun_p2p(tt))
{
- if (net_addr_ptp_v4_del(ctx, tt->actual_name, &tt->local,
- &tt->remote_netmask) < 0)
+ if (net_addr_ptp_v4_del(ctx, tt->actual_name, &tt->local, &tt->remote_netmask) < 0)
{
- msg(M_WARN, "Linux can't del IP from iface %s",
- tt->actual_name);
+ msg(M_WARN, "Linux can't del IP from iface %s", tt->actual_name);
}
}
else
{
if (net_addr_v4_del(ctx, tt->actual_name, &tt->local, netbits) < 0)
{
- msg(M_WARN, "Linux can't del IP from iface %s",
- tt->actual_name);
+ msg(M_WARN, "Linux can't del IP from iface %s", tt->actual_name);
}
}
#elif defined(TARGET_FREEBSD)
@@ -1714,8 +1612,7 @@
const char *ifconfig_local = print_in_addr_t(tt->local, 0, &gc);
struct argv argv = argv_new();
- argv_printf(&argv, "%s %s %s -alias", IFCONFIG_PATH,
- tt->actual_name, ifconfig_local);
+ argv_printf(&argv, "%s %s %s -alias", IFCONFIG_PATH, tt->actual_name, ifconfig_local);
argv_msg(M_INFO, &argv);
openvpn_execve_check(&argv, NULL, 0, "FreeBSD ip addr del failed");
@@ -1729,8 +1626,7 @@
undo_ifconfig_ipv6(struct tuntap *tt, openvpn_net_ctx_t *ctx)
{
#if defined(TARGET_LINUX)
- if (net_addr_v6_del(ctx, tt->actual_name, &tt->local_ipv6,
- tt->netbits_ipv6) < 0)
+ if (net_addr_v6_del(ctx, tt->actual_name, &tt->local_ipv6, tt->netbits_ipv6) < 0)
{
msg(M_WARN, "Linux can't del IPv6 from iface %s", tt->actual_name);
}
@@ -1739,8 +1635,8 @@
const char *ifconfig_ipv6_local = print_in6_addr(tt->local_ipv6, 0, &gc);
struct argv argv = argv_new();
- argv_printf(&argv, "%s %s inet6 %s/%d -alias", IFCONFIG_PATH,
- tt->actual_name, ifconfig_ipv6_local, tt->netbits_ipv6);
+ argv_printf(&argv, "%s %s inet6 %s/%d -alias", IFCONFIG_PATH, tt->actual_name,
+ ifconfig_ipv6_local, tt->netbits_ipv6);
argv_msg(M_INFO, &argv);
openvpn_execve_check(&argv, NULL, 0, "FreeBSD ip -6 addr del failed");
@@ -1830,7 +1726,7 @@
struct iovec iv[2];
struct openvpn_iphdr *iph;
- iph = (struct openvpn_iphdr *) buf;
+ iph = (struct openvpn_iphdr *)buf;
if (OPENVPN_IPH_GET_VER(iph->version_len) == 6)
{
@@ -1893,8 +1789,7 @@
#if !(defined(_WIN32) || defined(TARGET_LINUX) || defined(TARGET_SOLARIS))
static void
-open_tun_generic(const char *dev, const char *dev_type, const char *dev_node,
- struct tuntap *tt)
+open_tun_generic(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
{
char tunname[256];
char dynamic_name[256];
@@ -1924,10 +1819,8 @@
#if defined(TARGET_HAIKU)
sep = "/";
#endif
- snprintf(tunname, sizeof(tunname),
- "/dev/%s%s%d", dev, sep, i);
- snprintf(dynamic_name, sizeof(dynamic_name),
- "%s%s%d", dev, sep, i);
+ snprintf(tunname, sizeof(tunname), "/dev/%s%s%d", dev, sep, i);
+ snprintf(dynamic_name, sizeof(dynamic_name), "%s%s%d", dev, sep, i);
if ((tt->fd = open(tunname, O_RDWR)) > 0)
{
dynamic_opened = true;
@@ -1952,9 +1845,9 @@
if (!dynamic_opened)
{
/* has named device existed before? if so, don't destroy at end */
- if (if_nametoindex( dev ) > 0)
+ if (if_nametoindex(dev) > 0)
{
- msg(M_INFO, "TUN/TAP device %s exists previously, keep at program end", dev );
+ msg(M_INFO, "TUN/TAP device %s exists previously, keep at program end", dev);
tt->persistent_if = true;
}
@@ -1970,14 +1863,13 @@
/* tt->actual_name is passed to up and down scripts and used as the ifconfig dev name */
tt->actual_name = string_alloc(dynamic_opened ? dynamic_name : dev, NULL);
-
}
#endif /* !_WIN32 && !TARGET_LINUX && !TARGET_FREEBSD*/
#if defined(TARGET_LINUX) || defined(TARGET_FREEBSD)
static void
-open_tun_dco_generic(const char *dev, const char *dev_type,
- struct tuntap *tt, openvpn_net_ctx_t *ctx)
+open_tun_dco_generic(const char *dev, const char *dev_type, struct tuntap *tt,
+ openvpn_net_ctx_t *ctx)
{
char dynamic_name[256];
bool dynamic_opened = false;
@@ -1994,8 +1886,7 @@
{
for (int i = 0; i < 256; ++i)
{
- snprintf(dynamic_name, sizeof(dynamic_name),
- "%s%d", dev, i);
+ snprintf(dynamic_name, sizeof(dynamic_name), "%s%d", dev, i);
int ret = open_tun_dco(tt, ctx, dynamic_name);
if (ret == 0)
{
@@ -2025,14 +1916,12 @@
int ret = open_tun_dco(tt, ctx, dev);
if (ret == -EEXIST)
{
- msg(M_INFO, "DCO device %s already exists, won't be destroyed at shutdown",
- dev);
+ msg(M_INFO, "DCO device %s already exists, won't be destroyed at shutdown", dev);
tt->persistent_if = true;
}
else if (ret < 0)
{
- msg(M_ERR, "Cannot open DCO device %s: %s (%d)", dev,
- strerror(-ret), ret);
+ msg(M_ERR, "Cannot open DCO device %s: %s (%d)", dev, strerror(-ret), ret);
}
else
{
@@ -2059,7 +1948,7 @@
}
#endif /* !_WIN32 */
-#if defined (TARGET_ANDROID)
+#if defined(TARGET_ANDROID)
void
open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt,
openvpn_net_ctx_t *ctx)
@@ -2099,7 +1988,7 @@
int android_method = managment_android_persisttun_action(management);
- if (oldtunfd >=0 && android_method == ANDROID_KEEP_OLD_TUN)
+ if (oldtunfd >= 0 && android_method == ANDROID_KEEP_OLD_TUN)
{
/* keep the old fd */
opentun = true;
@@ -2210,8 +2099,7 @@
}
else
{
- msg(M_FATAL, "I don't recognize device %s as a tun or tap device",
- dev);
+ msg(M_FATAL, "I don't recognize device %s as a tun or tap device", dev);
}
/*
@@ -2226,7 +2114,7 @@
* Use special ioctl that configures tun/tap device with the parms
* we set in ifr
*/
- if (ioctl(tt->fd, TUNSETIFF, (void *) &ifr) < 0)
+ if (ioctl(tt->fd, TUNSETIFF, (void *)&ifr) < 0)
{
msg(M_ERR, "ERROR: Cannot ioctl TUNSETIFF %s", dev);
}
@@ -2247,7 +2135,7 @@
CLEAR(netifr);
strncpynt(netifr.ifr_name, ifr.ifr_name, IFNAMSIZ);
netifr.ifr_qlen = tt->options.txqueuelen;
- if (ioctl(ctl_fd, SIOCSIFTXQLEN, (void *) &netifr) >= 0)
+ if (ioctl(ctl_fd, SIOCSIFTXQLEN, (void *)&netifr) >= 0)
{
msg(D_OSBUF, "TUN/TAP TX queue length set to %d", tt->options.txqueuelen);
}
@@ -2286,13 +2174,13 @@
/* TUNSETGROUP appeared in 2.6.23 */
#ifndef TUNSETGROUP
-#define TUNSETGROUP _IOW('T', 206, int)
+#define TUNSETGROUP _IOW('T', 206, int)
#endif
void
-tuncfg(const char *dev, const char *dev_type, const char *dev_node,
- int persist_mode, const char *username, const char *groupname,
- const struct tuntap_options *options, openvpn_net_ctx_t *ctx)
+tuncfg(const char *dev, const char *dev_type, const char *dev_node, int persist_mode,
+ const char *username, const char *groupname, const struct tuntap_options *options,
+ openvpn_net_ctx_t *ctx)
{
struct tuntap *tt;
@@ -2412,8 +2300,7 @@
}
else
{
- msg(M_FATAL, "I don't recognize device %s as a tun or tap device",
- dev);
+ msg(M_FATAL, "I don't recognize device %s as a tun or tap device", dev);
}
if ((tt->ip_fd = open(ip_node, O_RDWR, 0)) < 0)
@@ -2431,7 +2318,7 @@
/* get unit number */
if (*ptr)
{
- while (*ptr && !isdigit((int) *ptr))
+ while (*ptr && !isdigit((int)*ptr))
{
ptr++;
}
@@ -2444,7 +2331,7 @@
strioc_ppa.ic_len = sizeof(ppa);
strioc_ppa.ic_dp = (char *)&ppa;
- if (*ptr == '\0') /* no number given, try dynamic */
+ if (*ptr == '\0') /* no number given, try dynamic */
{
bool found_one = false;
while (!found_one && ppa < 64)
@@ -2452,27 +2339,28 @@
int new_ppa = ioctl(tt->fd, I_STR, &strioc_ppa);
if (new_ppa >= 0)
{
- msg( M_INFO, "open_tun: got dynamic interface '%s%d'", dev_tuntap_type, new_ppa );
+ msg(M_INFO, "open_tun: got dynamic interface '%s%d'", dev_tuntap_type, new_ppa);
ppa = new_ppa;
found_one = true;
break;
}
if (errno != EEXIST)
{
- msg(M_ERR, "open_tun: unexpected error trying to find free %s interface", dev_tuntap_type );
+ msg(M_ERR, "open_tun: unexpected error trying to find free %s interface",
+ dev_tuntap_type);
}
ppa++;
}
if (!found_one)
{
- msg(M_ERR, "open_tun: could not find free %s interface, give up.", dev_tuntap_type );
+ msg(M_ERR, "open_tun: could not find free %s interface, give up.", dev_tuntap_type);
}
}
- else /* try this particular one */
+ else /* try this particular one */
{
if ((ppa = ioctl(tt->fd, I_STR, &strioc_ppa)) < 0)
{
- msg(M_ERR, "Can't assign PPA for new interface (%s%d)", dev_tuntap_type, ppa );
+ msg(M_ERR, "Can't assign PPA for new interface (%s%d)", dev_tuntap_type, ppa);
}
}
@@ -2489,13 +2377,13 @@
if (tt->type == DEV_TYPE_TUN)
{
/* Assign ppa according to the unit number returned by tun device */
- if (ioctl(if_fd, IF_UNITSEL, (char *) &ppa) < 0)
+ if (ioctl(if_fd, IF_UNITSEL, (char *)&ppa) < 0)
{
msg(M_ERR, "Can't set PPA %d", ppa);
}
}
- tt->actual_name = (char *) malloc(32);
+ tt->actual_name = (char *)malloc(32);
check_malloc_return(tt->actual_name);
snprintf(tt->actual_name, 32, "%s%d", dev_tuntap_type, ppa);
@@ -2513,7 +2401,7 @@
{
msg(M_ERR, "Can't set PPA %d", ppa);
}
- if (ioctl(if_fd, SIOCGLIFFLAGS, &ifr) <0)
+ if (ioctl(if_fd, SIOCGLIFFLAGS, &ifr) < 0)
{
msg(M_ERR, "Can't get flags\n");
}
@@ -2575,7 +2463,7 @@
CLEAR(ifr);
strncpynt(ifr.lifr_name, tt->actual_name, sizeof(ifr.lifr_name));
- ifr.lifr_ip_muxid = ip_muxid;
+ ifr.lifr_ip_muxid = ip_muxid;
if (tt->type == DEV_TYPE_TAP)
{
ifr.lifr_arp_muxid = arp_muxid;
@@ -2605,8 +2493,7 @@
if (tt->did_ifconfig_ipv6_setup)
{
struct argv argv = argv_new();
- argv_printf( &argv, "%s %s inet6 unplumb",
- IFCONFIG_PATH, tt->actual_name );
+ argv_printf(&argv, "%s %s inet6 unplumb", IFCONFIG_PATH, tt->actual_name);
argv_msg(M_INFO, &argv);
openvpn_execve_check(&argv, NULL, 0, "Solaris ifconfig inet6 unplumb failed");
argv_free(&argv);
@@ -2669,23 +2556,19 @@
}
static void
-solaris_error_close(struct tuntap *tt, const struct env_set *es,
- const char *actual, bool unplumb_inet6 )
+solaris_error_close(struct tuntap *tt, const struct env_set *es, const char *actual,
+ bool unplumb_inet6)
{
struct argv argv = argv_new();
if (unplumb_inet6)
{
- argv_printf( &argv, "%s %s inet6 unplumb",
- IFCONFIG_PATH, actual );
+ argv_printf(&argv, "%s %s inet6 unplumb", IFCONFIG_PATH, actual);
argv_msg(M_INFO, &argv);
openvpn_execve_check(&argv, es, 0, "Solaris ifconfig inet6 unplumb failed");
}
- argv_printf(&argv,
- "%s %s unplumb",
- IFCONFIG_PATH,
- actual);
+ argv_printf(&argv, "%s %s unplumb", IFCONFIG_PATH, actual);
argv_msg(M_INFO, &argv);
openvpn_execve_check(&argv, es, 0, "Solaris ifconfig unplumb failed");
@@ -2771,8 +2654,7 @@
/* setup command, close tun dev (clears tt->actual_name!), run command
*/
- argv_printf(&argv, "%s %s destroy",
- IFCONFIG_PATH, tt->actual_name);
+ argv_printf(&argv, "%s %s destroy", IFCONFIG_PATH, tt->actual_name);
close_tun_generic(tt);
@@ -2822,11 +2704,11 @@
if (strcmp(dev, "tap") == 0)
{
struct ifreq ifr;
- if ((tt->fd = open( "/dev/tap", O_RDWR)) < 0)
+ if ((tt->fd = open("/dev/tap", O_RDWR)) < 0)
{
msg(M_FATAL, "Cannot allocate NetBSD TAP dev dynamically");
}
- if (ioctl( tt->fd, TAPGIFNAME, (void *)&ifr ) < 0)
+ if (ioctl(tt->fd, TAPGIFNAME, (void *)&ifr) < 0)
{
msg(M_FATAL, "Cannot query NetBSD TAP device name");
}
@@ -2846,15 +2728,15 @@
if (tt->fd >= 0)
{
- int i = IFF_POINTOPOINT|IFF_MULTICAST;
- ioctl(tt->fd, TUNSIFMODE, &i); /* multicast on */
+ int i = IFF_POINTOPOINT | IFF_MULTICAST;
+ ioctl(tt->fd, TUNSIFMODE, &i); /* multicast on */
i = 0;
- ioctl(tt->fd, TUNSLMODE, &i); /* link layer mode off */
+ ioctl(tt->fd, TUNSLMODE, &i); /* link layer mode off */
if (tt->type == DEV_TYPE_TUN)
{
i = 1;
- if (ioctl(tt->fd, TUNSIFHEAD, &i) < 0) /* multi-af mode on */
+ if (ioctl(tt->fd, TUNSIFHEAD, &i) < 0) /* multi-af mode on */
{
msg(M_WARN | M_ERRNO, "ioctl(TUNSIFHEAD)");
}
@@ -2885,8 +2767,7 @@
/* setup command, close tun dev (clears tt->actual_name!), run command
*/
- argv_printf(&argv, "%s %s destroy",
- IFCONFIG_PATH, tt->actual_name);
+ argv_printf(&argv, "%s %s destroy", IFCONFIG_PATH, tt->actual_name);
close_tun_generic(tt);
@@ -2919,7 +2800,7 @@
struct iovec iv[2];
struct openvpn_iphdr *iph;
- iph = (struct openvpn_iphdr *) buf;
+ iph = (struct openvpn_iphdr *)buf;
if (OPENVPN_IPH_GET_VER(iph->version_len) == 6)
{
@@ -3027,7 +2908,7 @@
{
ASSERT(tt);
- if (tt->persistent_if) /* keep pre-existing if around */
+ if (tt->persistent_if) /* keep pre-existing if around */
{
close_tun_generic(tt);
free(tt);
@@ -3040,14 +2921,12 @@
/* setup command, close tun dev (clears tt->actual_name!), run command
*/
- argv_printf(&argv, "%s %s destroy",
- IFCONFIG_PATH, tt->actual_name);
+ argv_printf(&argv, "%s %s destroy", IFCONFIG_PATH, tt->actual_name);
close_tun_generic(tt);
argv_msg(M_INFO, &argv);
- openvpn_execve_check(&argv, NULL, 0,
- "FreeBSD 'destroy tun interface' failed (non-critical)");
+ openvpn_execve_check(&argv, NULL, 0, "FreeBSD 'destroy tun interface' failed (non-critical)");
free(tt);
argv_free(&argv);
@@ -3062,7 +2941,7 @@
struct iovec iv[2];
struct ip *iph;
- iph = (struct ip *) buf;
+ iph = (struct ip *)buf;
if (iph->ip_v == 6)
{
@@ -3157,7 +3036,7 @@
struct iovec iv[2];
struct ip *iph;
- iph = (struct ip *) buf;
+ iph = (struct ip *)buf;
if (iph->ip_v == 6)
{
@@ -3233,16 +3112,14 @@
if (fd < 0)
{
- msg(M_INFO | M_ERRNO, "Opening utun%d failed (socket(SYSPROTO_CONTROL))",
- utunnum);
+ msg(M_INFO | M_ERRNO, "Opening utun%d failed (socket(SYSPROTO_CONTROL))", utunnum);
return -2;
}
if (ioctl(fd, CTLIOCGINFO, &ctlInfo) == -1)
{
close(fd);
- msg(M_INFO | M_ERRNO, "Opening utun%d failed (ioctl(CTLIOCGINFO))",
- utunnum);
+ msg(M_INFO | M_ERRNO, "Opening utun%d failed (ioctl(CTLIOCGINFO))", utunnum);
return -2;
}
@@ -3252,7 +3129,7 @@
sc.sc_family = AF_SYSTEM;
sc.ss_sysaddr = AF_SYS_CONTROL;
- sc.sc_unit = utunnum+1;
+ sc.sc_unit = utunnum + 1;
/* If the connect is successful, a utun%d device will be created, where "%d"
@@ -3260,8 +3137,7 @@
if (connect(fd, (struct sockaddr *)&sc, sizeof(sc)) < 0)
{
- msg(M_INFO | M_ERRNO, "Opening utun%d failed (connect(AF_SYS_CONTROL))",
- utunnum);
+ msg(M_INFO | M_ERRNO, "Opening utun%d failed (connect(AF_SYS_CONTROL))", utunnum);
close(fd);
return -1;
}
@@ -3283,20 +3159,21 @@
/* dev_node is simply utun, do the normal dynamic utun
* otherwise try to parse the utun number */
- if (dev_node && (strcmp("utun", dev_node) != 0 ))
+ if (dev_node && (strcmp("utun", dev_node) != 0))
{
if (sscanf(dev_node, "utun%d", &utunnum) != 1)
{
- msg(M_FATAL, "Cannot parse 'dev-node %s' please use 'dev-node utunX'"
- "to use a utun device number X", dev_node);
+ msg(M_FATAL,
+ "Cannot parse 'dev-node %s' please use 'dev-node utunX'"
+ "to use a utun device number X",
+ dev_node);
}
}
-
CLEAR(ctlInfo);
- if (strlcpy(ctlInfo.ctl_name, UTUN_CONTROL_NAME, sizeof(ctlInfo.ctl_name)) >=
- sizeof(ctlInfo.ctl_name))
+ if (strlcpy(ctlInfo.ctl_name, UTUN_CONTROL_NAME, sizeof(ctlInfo.ctl_name))
+ >= sizeof(ctlInfo.ctl_name))
{
msg(M_ERR, "Opening utun: UTUN_CONTROL_NAME too long");
}
@@ -3316,7 +3193,7 @@
fd = utun_open_helper(ctlInfo, utunnum);
/* Break if the fd is valid,
* or if early initialization failed (-2) */
- if (fd !=-1)
+ if (fd != -1)
{
break;
}
@@ -3352,13 +3229,11 @@
openvpn_net_ctx_t *ctx)
{
/* If dev_node does not start start with utun assume regular tun/tap */
- if ((!dev_node && tt->type==DEV_TYPE_TUN)
- || (dev_node && !strncmp(dev_node, "utun", 4)))
+ if ((!dev_node && tt->type == DEV_TYPE_TUN) || (dev_node && !strncmp(dev_node, "utun", 4)))
{
-
/* Check if user has specific dev_type tap and forced utun with
* dev-node utun */
- if (tt->type!=DEV_TYPE_TUN)
+ if (tt->type != DEV_TYPE_TUN)
{
msg(M_FATAL, "Cannot use utun devices with --dev-type %s",
dev_type_string(dev, dev_type));
@@ -3386,12 +3261,11 @@
}
else
{
-
/* Use plain dev-node tun to select /dev/tun style
* Unset dev_node variable prior to passing to open_tun_generic to
* let open_tun_generic pick the first available tun device */
- if (dev_node && strcmp(dev_node, "tun")==0)
+ if (dev_node && strcmp(dev_node, "tun") == 0)
{
dev_node = NULL;
}
@@ -3410,11 +3284,9 @@
if (tt->did_ifconfig_ipv6_setup)
{
- const char *ifconfig_ipv6_local =
- print_in6_addr(tt->local_ipv6, 0, &gc);
+ const char *ifconfig_ipv6_local = print_in6_addr(tt->local_ipv6, 0, &gc);
- argv_printf(&argv, "%s delete -inet6 %s",
- ROUTE_PATH, ifconfig_ipv6_local );
+ argv_printf(&argv, "%s delete -inet6 %s", ROUTE_PATH, ifconfig_ipv6_local);
argv_msg(M_INFO, &argv);
openvpn_execve_check(&argv, NULL, 0, "MacOS X 'remove inet6 route' failed (non-critical)");
}
@@ -3463,44 +3335,46 @@
if (tt->type == DEV_TYPE_TUN)
{
- msg(M_FATAL, "no support for 'tun' devices on AIX" );
+ msg(M_FATAL, "no support for 'tun' devices on AIX");
}
- if (strncmp( dev, "tap", 3 ) != 0 || dev_node)
+ if (strncmp(dev, "tap", 3) != 0 || dev_node)
{
- msg(M_FATAL, "'--dev %s' and/or '--dev-node' not supported on AIX, use '--dev tap0', 'tap1', etc.", dev );
+ msg(M_FATAL,
+ "'--dev %s' and/or '--dev-node' not supported on AIX, use '--dev tap0', 'tap1', etc.",
+ dev);
}
- if (strcmp( dev, "tap" ) == 0) /* find first free tap dev */
- { /* (= no /dev/tapN node) */
+ if (strcmp(dev, "tap") == 0) /* find first free tap dev */
+ { /* (= no /dev/tapN node) */
int i;
- for (i = 0; i<99; i++)
+ for (i = 0; i < 99; i++)
{
snprintf(tunname, sizeof(tunname), "/dev/tap%d", i);
- if (access( tunname, F_OK ) < 0 && errno == ENOENT)
+ if (access(tunname, F_OK) < 0 && errno == ENOENT)
{
break;
}
}
if (i >= 99)
{
- msg( M_FATAL, "cannot find unused tap device" );
+ msg(M_FATAL, "cannot find unused tap device");
}
- snprintf( dynamic_name, sizeof(dynamic_name), "tap%d", i );
+ snprintf(dynamic_name, sizeof(dynamic_name), "tap%d", i);
dev = dynamic_name;
}
- else /* name given, sanity check */
+ else /* name given, sanity check */
{
/* ensure that dev name is "tap+<digits>" *only* */
p = &dev[3];
- while (isdigit(*p) )
+ while (isdigit(*p))
{
p++;
}
if (*p != '\0')
{
- msg( M_FATAL, "TAP device name must be '--dev tapNNNN'" );
+ msg(M_FATAL, "TAP device name must be '--dev tapNNNN'");
}
snprintf(tunname, sizeof(tunname), "/dev/%s", dev);
@@ -3508,16 +3382,15 @@
/* pre-existing device?
*/
- if (access( tunname, F_OK ) < 0 && errno == ENOENT)
+ if (access(tunname, F_OK) < 0 && errno == ENOENT)
{
-
/* tunnel device must be created with 'ifconfig tapN create'
*/
struct argv argv = argv_new();
struct env_set *es = env_set_create(NULL);
argv_printf(&argv, "%s %s create", IFCONFIG_PATH, dev);
argv_msg(M_INFO, &argv);
- env_set_add( es, "ODMDIR=/etc/objrepos" );
+ env_set_add(es, "ODMDIR=/etc/objrepos");
openvpn_execve_check(&argv, es, S_FATAL, "AIX 'create tun interface' failed");
env_set_destroy(es);
argv_free(&argv);
@@ -3555,18 +3428,16 @@
*/
if (tt->persistent_if)
{
- argv_printf(&argv, "%s %s 0.0.0.0 down",
- IFCONFIG_PATH, tt->actual_name);
+ argv_printf(&argv, "%s %s 0.0.0.0 down", IFCONFIG_PATH, tt->actual_name);
}
else
{
- argv_printf(&argv, "%s %s destroy",
- IFCONFIG_PATH, tt->actual_name);
+ argv_printf(&argv, "%s %s destroy", IFCONFIG_PATH, tt->actual_name);
}
close_tun_generic(tt);
argv_msg(M_INFO, &argv);
- env_set_add( es, "ODMDIR=/etc/objrepos" );
+ env_set_add(es, "ODMDIR=/etc/objrepos");
openvpn_execve_check(&argv, es, 0, "AIX 'destroy tap interface' failed (non-critical)");
free(tt);
@@ -3606,13 +3477,8 @@
/* the overlapped read will signal this event on I/O completion */
ASSERT(ResetEvent(tt->reads.overlapped.hEvent));
- status = ReadFile(
- tt->hand,
- BPTR(&tt->reads.buf),
- len,
- &tt->reads.size,
- &tt->reads.overlapped
- );
+ status =
+ ReadFile(tt->hand, BPTR(&tt->reads.buf), len, &tt->reads.size, &tt->reads.overlapped);
if (status) /* operation completed immediately? */
{
@@ -3622,9 +3488,8 @@
tt->reads.iostate = IOSTATE_IMMEDIATE_RETURN;
tt->reads.status = 0;
- dmsg(D_WIN32_IO, "WIN32 I/O: TAP Read immediate return [%d,%d]",
- (int) len,
- (int) tt->reads.size);
+ dmsg(D_WIN32_IO, "WIN32 I/O: TAP Read immediate return [%d,%d]", (int)len,
+ (int)tt->reads.size);
}
else
{
@@ -3633,8 +3498,7 @@
{
tt->reads.iostate = IOSTATE_QUEUED;
tt->reads.status = err;
- dmsg(D_WIN32_IO, "WIN32 I/O: TAP Read queued [%d]",
- (int) len);
+ dmsg(D_WIN32_IO, "WIN32 I/O: TAP Read queued [%d]", (int)len);
}
else /* error occurred */
{
@@ -3642,8 +3506,7 @@
ASSERT(SetEvent(tt->reads.overlapped.hEvent));
tt->reads.iostate = IOSTATE_IMMEDIATE_RETURN;
tt->reads.status = err;
- dmsg(D_WIN32_IO, "WIN32 I/O: TAP Read error [%d] : %s",
- (int) len,
+ dmsg(D_WIN32_IO, "WIN32 I/O: TAP Read error [%d] : %s", (int)len,
strerror_win32(status, &gc));
gc_free(&gc);
}
@@ -3668,13 +3531,8 @@
/* the overlapped write will signal this event on I/O completion */
ASSERT(ResetEvent(tt->writes.overlapped.hEvent));
- status = WriteFile(
- tt->hand,
- BPTR(&tt->writes.buf),
- BLEN(&tt->writes.buf),
- &tt->writes.size,
- &tt->writes.overlapped
- );
+ status = WriteFile(tt->hand, BPTR(&tt->writes.buf), BLEN(&tt->writes.buf), &tt->writes.size,
+ &tt->writes.overlapped);
if (status) /* operation completed immediately? */
{
@@ -3685,9 +3543,8 @@
tt->writes.status = 0;
- dmsg(D_WIN32_IO, "WIN32 I/O: TAP Write immediate return [%d,%d]",
- BLEN(&tt->writes.buf),
- (int) tt->writes.size);
+ dmsg(D_WIN32_IO, "WIN32 I/O: TAP Write immediate return [%d,%d]", BLEN(&tt->writes.buf),
+ (int)tt->writes.size);
}
else
{
@@ -3696,8 +3553,7 @@
{
tt->writes.iostate = IOSTATE_QUEUED;
tt->writes.status = err;
- dmsg(D_WIN32_IO, "WIN32 I/O: TAP Write queued [%d]",
- BLEN(&tt->writes.buf));
+ dmsg(D_WIN32_IO, "WIN32 I/O: TAP Write queued [%d]", BLEN(&tt->writes.buf));
}
else /* error occurred */
{
@@ -3705,8 +3561,7 @@
ASSERT(SetEvent(tt->writes.overlapped.hEvent));
tt->writes.iostate = IOSTATE_IMMEDIATE_RETURN;
tt->writes.status = err;
- dmsg(D_WIN32_IO, "WIN32 I/O: TAP Write error [%d] : %s",
- BLEN(&tt->writes.buf),
+ dmsg(D_WIN32_IO, "WIN32 I/O: TAP Write error [%d] : %s", BLEN(&tt->writes.buf),
strerror_win32(err, &gc));
gc_free(&gc);
}
@@ -3749,11 +3604,13 @@
struct device_instance_id_interface *first = NULL;
struct device_instance_id_interface *last = NULL;
- dev_info_set = SetupDiGetClassDevsEx(&GUID_DEVCLASS_NET, NULL, NULL, DIGCF_PRESENT, NULL, NULL, NULL);
+ dev_info_set =
+ SetupDiGetClassDevsEx(&GUID_DEVCLASS_NET, NULL, NULL, DIGCF_PRESENT, NULL, NULL, NULL);
if (dev_info_set == INVALID_HANDLE_VALUE)
{
err = GetLastError();
- msg(M_FATAL, "Error [%u] opening device information set key: %s", (unsigned int)err, strerror_win32(err, gc));
+ msg(M_FATAL, "Error [%u] opening device information set key: %s", (unsigned int)err,
+ strerror_win32(err, gc));
}
msg(D_TAP_WIN_DEBUG, "Enumerate device interface lists:");
@@ -3786,7 +3643,8 @@
}
}
- dev_key = SetupDiOpenDevRegKey(dev_info_set, &device_info_data, DICS_FLAG_GLOBAL, 0, DIREG_DRV, KEY_QUERY_VALUE);
+ dev_key = SetupDiOpenDevRegKey(dev_info_set, &device_info_data, DICS_FLAG_GLOBAL, 0,
+ DIREG_DRV, KEY_QUERY_VALUE);
if (dev_key == INVALID_HANDLE_VALUE)
{
continue;
@@ -3794,27 +3652,23 @@
len = sizeof(net_cfg_instance_id);
data_type = REG_SZ;
- status = RegQueryValueEx(dev_key,
- net_cfg_instance_id_string,
- NULL,
- &data_type,
- net_cfg_instance_id,
- &len);
+ status = RegQueryValueEx(dev_key, net_cfg_instance_id_string, NULL, &data_type,
+ net_cfg_instance_id, &len);
if (status != ERROR_SUCCESS)
{
goto next;
}
len = sizeof(device_instance_id);
- res = SetupDiGetDeviceInstanceId(dev_info_set, &device_info_data, device_instance_id, len, &len);
+ res = SetupDiGetDeviceInstanceId(dev_info_set, &device_info_data, device_instance_id, len,
+ &len);
if (!res)
{
goto next;
}
cr = CM_Get_Device_Interface_List_Size(&dev_interface_list_size,
- (LPGUID)&GUID_DEVINTERFACE_NET,
- device_instance_id,
+ (LPGUID)&GUID_DEVINTERFACE_NET, device_instance_id,
CM_GET_DEVICE_INTERFACE_LIST_PRESENT);
if (cr != CR_SUCCESS)
@@ -3824,8 +3678,7 @@
char *dev_interface_list = gc_malloc(dev_interface_list_size, false, gc);
cr = CM_Get_Device_Interface_List((LPGUID)&GUID_DEVINTERFACE_NET, device_instance_id,
- dev_interface_list,
- dev_interface_list_size,
+ dev_interface_list, dev_interface_list_size,
CM_GET_DEVICE_INTERFACE_LIST_PRESENT);
if (cr != CR_SUCCESS)
{
@@ -3839,12 +3692,12 @@
{
struct device_instance_id_interface *dev_iif;
ALLOC_OBJ_CLEAR_GC(dev_iif, struct device_instance_id_interface, gc);
- dev_iif->net_cfg_instance_id = (unsigned char *)string_alloc((char *)net_cfg_instance_id, gc);
+ dev_iif->net_cfg_instance_id =
+ (unsigned char *)string_alloc((char *)net_cfg_instance_id, gc);
dev_iif->device_interface = string_alloc(dev_if, gc);
msg(D_TAP_WIN_DEBUG, "NetCfgInstanceId: %s, Device Interface: %s",
- dev_iif->net_cfg_instance_id,
- dev_iif->device_interface);
+ dev_iif->net_cfg_instance_id, dev_iif->device_interface);
/* link into return list */
if (!first)
@@ -3879,12 +3732,7 @@
struct tap_reg *last = NULL;
int i = 0;
- status = RegOpenKeyEx(
- HKEY_LOCAL_MACHINE,
- ADAPTER_KEY,
- 0,
- KEY_READ,
- &adapter_key);
+ status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, ADAPTER_KEY, 0, KEY_READ, &adapter_key);
if (status != ERROR_SUCCESS)
{
@@ -3904,34 +3752,19 @@
DWORD data_type;
len = sizeof(enum_name);
- status = RegEnumKeyEx(
- adapter_key,
- i,
- enum_name,
- &len,
- NULL,
- NULL,
- NULL,
- NULL);
+ status = RegEnumKeyEx(adapter_key, i, enum_name, &len, NULL, NULL, NULL, NULL);
if (status == ERROR_NO_MORE_ITEMS)
{
break;
}
else if (status != ERROR_SUCCESS)
{
- msg(M_FATAL, "Error enumerating registry subkeys of key: %s",
- ADAPTER_KEY);
+ msg(M_FATAL, "Error enumerating registry subkeys of key: %s", ADAPTER_KEY);
}
- snprintf(unit_string, sizeof(unit_string), "%s\\%s",
- ADAPTER_KEY, enum_name);
+ snprintf(unit_string, sizeof(unit_string), "%s\\%s", ADAPTER_KEY, enum_name);
- status = RegOpenKeyEx(
- HKEY_LOCAL_MACHINE,
- unit_string,
- 0,
- KEY_READ,
- &unit_key);
+ status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, unit_string, 0, KEY_READ, &unit_key);
if (status != ERROR_SUCCESS)
{
@@ -3940,29 +3773,19 @@
else
{
len = sizeof(component_id);
- status = RegQueryValueEx(
- unit_key,
- component_id_string,
- NULL,
- &data_type,
- (LPBYTE)component_id,
- &len);
+ status = RegQueryValueEx(unit_key, component_id_string, NULL, &data_type,
+ (LPBYTE)component_id, &len);
if (status != ERROR_SUCCESS || data_type != REG_SZ)
{
- dmsg(D_REGISTRY, "Error opening registry key: %s\\%s",
- unit_string, component_id_string);
+ dmsg(D_REGISTRY, "Error opening registry key: %s\\%s", unit_string,
+ component_id_string);
}
else
{
len = sizeof(net_cfg_instance_id);
- status = RegQueryValueEx(
- unit_key,
- net_cfg_instance_id_string,
- NULL,
- &data_type,
- net_cfg_instance_id,
- &len);
+ status = RegQueryValueEx(unit_key, net_cfg_instance_id_string, NULL, &data_type,
+ net_cfg_instance_id, &len);
if (status == ERROR_SUCCESS && data_type == REG_SZ)
{
@@ -3996,8 +3819,8 @@
}
last = reg;
- msg(D_TAP_WIN_DEBUG, "NetCfgInstanceId: %s, Driver: %s",
- reg->guid, print_tun_backend_driver(reg->windows_driver));
+ msg(D_TAP_WIN_DEBUG, "NetCfgInstanceId: %s, Driver: %s", reg->guid,
+ print_tun_backend_driver(reg->windows_driver));
}
}
}
@@ -4020,12 +3843,8 @@
struct panel_reg *last = NULL;
int i = 0;
- status = RegOpenKeyEx(
- HKEY_LOCAL_MACHINE,
- NETWORK_CONNECTIONS_KEY,
- 0,
- KEY_READ,
- &network_connections_key);
+ status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, NETWORK_CONNECTIONS_KEY, 0, KEY_READ,
+ &network_connections_key);
if (status != ERROR_SUCCESS)
{
@@ -4042,35 +3861,20 @@
const WCHAR name_string[] = L"Name";
len = sizeof(enum_name);
- status = RegEnumKeyEx(
- network_connections_key,
- i,
- enum_name,
- &len,
- NULL,
- NULL,
- NULL,
- NULL);
+ status = RegEnumKeyEx(network_connections_key, i, enum_name, &len, NULL, NULL, NULL, NULL);
if (status == ERROR_NO_MORE_ITEMS)
{
break;
}
else if (status != ERROR_SUCCESS)
{
- msg(M_FATAL, "Error enumerating registry subkeys of key: %s",
- NETWORK_CONNECTIONS_KEY);
+ msg(M_FATAL, "Error enumerating registry subkeys of key: %s", NETWORK_CONNECTIONS_KEY);
}
- snprintf(connection_string, sizeof(connection_string),
- "%s\\%s\\Connection",
+ snprintf(connection_string, sizeof(connection_string), "%s\\%s\\Connection",
NETWORK_CONNECTIONS_KEY, enum_name);
- status = RegOpenKeyEx(
- HKEY_LOCAL_MACHINE,
- connection_string,
- 0,
- KEY_READ,
- &connection_key);
+ status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, connection_string, 0, KEY_READ, &connection_key);
if (status != ERROR_SUCCESS)
{
@@ -4079,18 +3883,13 @@
else
{
len = sizeof(name_data);
- status = RegQueryValueExW(
- connection_key,
- name_string,
- NULL,
- &name_type,
- (LPBYTE) name_data,
- &len);
+ status = RegQueryValueExW(connection_key, name_string, NULL, &name_type,
+ (LPBYTE)name_data, &len);
if (status != ERROR_SUCCESS || name_type != REG_SZ)
{
- dmsg(D_REGISTRY, "Error opening registry key: %s\\%s\\%ls",
- NETWORK_CONNECTIONS_KEY, connection_string, name_string);
+ dmsg(D_REGISTRY, "Error opening registry key: %s\\%s\\%ls", NETWORK_CONNECTIONS_KEY,
+ connection_string, name_string);
}
else
{
@@ -4143,15 +3942,14 @@
}
if ((local & (~mask)) != (remote & (~mask)))
{
- err = "must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver";
+ err =
+ "must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver";
goto error;
}
- if ((local & mask) == 0
- || (local & mask) == 3
- || (remote & mask) == 0
- || (remote & mask) == 3)
+ if ((local & mask) == 0 || (local & mask) == 3 || (remote & mask) == 0 || (remote & mask) == 3)
{
- err = "cannot use the first or last address within a given 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver";
+ err =
+ "cannot use the first or last address within a given 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver";
goto error;
}
@@ -4159,10 +3957,10 @@
return;
error:
- msg(M_FATAL, "There is a problem in your selection of --ifconfig endpoints [local=%s, remote=%s]. The local and remote VPN endpoints %s. Try '" PACKAGE " --show-valid-subnets' option for more info.",
- print_in_addr_t(local, 0, &gc),
- print_in_addr_t(remote, 0, &gc),
- err);
+ msg(M_FATAL,
+ "There is a problem in your selection of --ifconfig endpoints [local=%s, remote=%s]. The local and remote VPN endpoints %s. Try '" PACKAGE
+ " --show-valid-subnets' option for more info.",
+ print_in_addr_t(local, 0, &gc), print_in_addr_t(remote, 0, &gc), err);
gc_free(&gc);
}
@@ -4186,7 +3984,7 @@
for (i = 0; i < 256; i += 4)
{
- printf("[%3d,%3d] ", i+1, i+2);
+ printf("[%3d,%3d] ", i + 1, i + 2);
if (++col > 4)
{
col = 0;
@@ -4229,7 +4027,8 @@
{
if (!strcmp(tr->guid, pr->guid))
{
- msg(msglev, "'%s' %s %s", pr->name, tr->guid, print_tun_backend_driver(tr->windows_driver));
+ msg(msglev, "'%s' %s %s", pr->name, tr->guid,
+ print_tun_backend_driver(tr->windows_driver));
++links;
}
}
@@ -4267,12 +4066,14 @@
if (warn_panel_dup)
{
- msg(warnlev, "WARNING: Some TAP-Windows adapters have duplicate links from the Network Connections control panel");
+ msg(warnlev,
+ "WARNING: Some TAP-Windows adapters have duplicate links from the Network Connections control panel");
}
if (warn_panel_null)
{
- msg(warnlev, "WARNING: Some TAP-Windows adapters have no link from the Network Connections control panel");
+ msg(warnlev,
+ "WARNING: Some TAP-Windows adapters have no link from the Network Connections control panel");
}
gc_free(&gc);
@@ -4314,7 +4115,8 @@
}
static const struct tap_reg *
-get_adapter_by_name(const char *name, const struct tap_reg *tap_reg, const struct panel_reg *panel_reg)
+get_adapter_by_name(const char *name, const struct tap_reg *tap_reg,
+ const struct panel_reg *panel_reg)
{
const struct panel_reg *pr;
@@ -4335,8 +4137,8 @@
if (!tap_reg)
{
msg(M_FATAL, "There are no TAP-Windows or ovpn-dco adapters "
- "on this system. You should be able to create an adapter "
- "by using tapctl.exe utility.");
+ "on this system. You should be able to create an adapter "
+ "by using tapctl.exe utility.");
}
}
@@ -4345,13 +4147,10 @@
* registry for the TAP device # = device_number.
*/
static const char *
-get_unspecified_device_guid(const int device_number,
- uint8_t *actual_name,
- int actual_name_size,
+get_unspecified_device_guid(const int device_number, uint8_t *actual_name, int actual_name_size,
const struct tap_reg *tap_reg_src,
const struct panel_reg *panel_reg_src,
- enum tun_driver_type *windows_driver,
- struct gc_arena *gc)
+ enum tun_driver_type *windows_driver, struct gc_arena *gc)
{
const struct tap_reg *tap_reg = tap_reg_src;
struct buffer actual = clear_buf();
@@ -4411,13 +4210,9 @@
* returning the GUID and optional actual_name and device type
*/
static const char *
-get_device_guid(const char *name,
- uint8_t *actual_name,
- int actual_name_size,
- enum tun_driver_type *windows_driver,
- const struct tap_reg *tap_reg,
- const struct panel_reg *panel_reg,
- struct gc_arena *gc)
+get_device_guid(const char *name, uint8_t *actual_name, int actual_name_size,
+ enum tun_driver_type *windows_driver, const struct tap_reg *tap_reg,
+ const struct panel_reg *panel_reg, struct gc_arena *gc)
{
struct buffer ret = alloc_buf_gc(256, gc);
struct buffer actual = clear_buf();
@@ -4487,17 +4282,15 @@
if ((status = GetAdaptersInfo(NULL, &size)) != ERROR_BUFFER_OVERFLOW)
{
- msg(M_INFO, "GetAdaptersInfo #1 failed (status=%u) : %s",
- (unsigned int)status,
+ msg(M_INFO, "GetAdaptersInfo #1 failed (status=%u) : %s", (unsigned int)status,
strerror_win32(status, gc));
}
else
{
- pi = (PIP_ADAPTER_INFO) gc_malloc(size, false, gc);
+ pi = (PIP_ADAPTER_INFO)gc_malloc(size, false, gc);
if ((status = GetAdaptersInfo(pi, &size)) != NO_ERROR)
{
- msg(M_INFO, "GetAdaptersInfo #2 failed (status=%u) : %s",
- (unsigned int)status,
+ msg(M_INFO, "GetAdaptersInfo #2 failed (status=%u) : %s", (unsigned int)status,
strerror_win32(status, gc));
pi = NULL;
}
@@ -4516,21 +4309,19 @@
{
if ((status = GetPerAdapterInfo(index, NULL, &size)) != ERROR_BUFFER_OVERFLOW)
{
- msg(M_INFO, "GetPerAdapterInfo #1 failed (status=%u) : %s",
- (unsigned int)status,
+ msg(M_INFO, "GetPerAdapterInfo #1 failed (status=%u) : %s", (unsigned int)status,
strerror_win32(status, gc));
}
else
{
- pi = (PIP_PER_ADAPTER_INFO) gc_malloc(size, false, gc);
+ pi = (PIP_PER_ADAPTER_INFO)gc_malloc(size, false, gc);
if ((status = GetPerAdapterInfo((ULONG)index, pi, &size)) == ERROR_SUCCESS)
{
return pi;
}
else
{
- msg(M_INFO, "GetPerAdapterInfo #2 failed (status=%u) : %s",
- (unsigned int)status,
+ msg(M_INFO, "GetPerAdapterInfo #2 failed (status=%u) : %s", (unsigned int)status,
strerror_win32(status, gc));
}
}
@@ -4547,21 +4338,19 @@
if ((status = GetInterfaceInfo(NULL, &size)) != ERROR_INSUFFICIENT_BUFFER)
{
- msg(M_INFO, "GetInterfaceInfo #1 failed (status=%u) : %s",
- (unsigned int)status,
+ msg(M_INFO, "GetInterfaceInfo #1 failed (status=%u) : %s", (unsigned int)status,
strerror_win32(status, gc));
}
else
{
- ii = (PIP_INTERFACE_INFO) gc_malloc(size, false, gc);
+ ii = (PIP_INTERFACE_INFO)gc_malloc(size, false, gc);
if ((status = GetInterfaceInfo(ii, &size)) == NO_ERROR)
{
return ii;
}
else
{
- msg(M_INFO, "GetInterfaceInfo #2 failed (status=%u) : %s",
- (unsigned int)status,
+ msg(M_INFO, "GetInterfaceInfo #2 failed (status=%u) : %s", (unsigned int)status,
strerror_win32(status, gc));
}
}
@@ -4749,7 +4538,6 @@
else
{
ret = true; /* this can occur when TAP adapter is bridged */
-
}
return ret;
}
@@ -4773,7 +4561,8 @@
in_addr_t adapter_ip, adapter_netmask;
if (get_adapter_ip_netmask(ai, i, &adapter_ip, &adapter_netmask))
{
- if (adapter_ip && adapter_netmask && (ip & adapter_netmask) == (adapter_ip & adapter_netmask))
+ if (adapter_ip && adapter_netmask
+ && (ip & adapter_netmask) == (adapter_ip & adapter_netmask))
{
if (highest_netmask && adapter_netmask > *highest_netmask)
{
@@ -4788,10 +4577,7 @@
}
DWORD
-adapter_index_of_ip(const IP_ADAPTER_INFO *list,
- const in_addr_t ip,
- int *count,
- in_addr_t *netmask)
+adapter_index_of_ip(const IP_ADAPTER_INFO *list, const in_addr_t ip, int *count, in_addr_t *netmask)
{
struct gc_arena gc = gc_new();
DWORD ret = TUN_ADAPTER_INDEX_INVALID;
@@ -4842,11 +4628,8 @@
}
dmsg(D_ROUTE_DEBUG, "DEBUG: IP Locate: ip=%s nm=%s index=%d count=%d metric=%d",
- print_in_addr_t(ip, 0, &gc),
- print_in_addr_t(highest_netmask, 0, &gc),
- (int)ret,
- count ? *count : -1,
- lowest_metric);
+ print_in_addr_t(ip, 0, &gc), print_in_addr_t(highest_netmask, 0, &gc), (int)ret,
+ count ? *count : -1, lowest_metric);
if (ret == TUN_ADAPTER_INDEX_INVALID && count)
{
@@ -4867,9 +4650,9 @@
* is DHCP disabled.
*/
-#define DHCP_STATUS_UNDEF 0
-#define DHCP_STATUS_ENABLED 1
-#define DHCP_STATUS_DISABLED 2
+#define DHCP_STATUS_UNDEF 0
+#define DHCP_STATUS_ENABLED 1
+#define DHCP_STATUS_DISABLED 2
static int
dhcp_status(DWORD index)
@@ -4914,22 +4697,19 @@
DWORD status;
const DWORD context = ip->Context;
- if ((status = DeleteIPAddress((ULONG) context)) == NO_ERROR)
+ if ((status = DeleteIPAddress((ULONG)context)) == NO_ERROR)
{
msg(M_INFO, "Successfully deleted previously set dynamic IP/netmask: %s/%s",
- ip->IpAddress.String,
- ip->IpMask.String);
+ ip->IpAddress.String, ip->IpMask.String);
}
else
{
const char *empty = "0.0.0.0";
- if (strcmp(ip->IpAddress.String, empty)
- || strcmp(ip->IpMask.String, empty))
+ if (strcmp(ip->IpAddress.String, empty) || strcmp(ip->IpMask.String, empty))
{
- msg(M_INFO, "NOTE: could not delete previously set dynamic IP/netmask: %s/%s (status=%u)",
- ip->IpAddress.String,
- ip->IpMask.String,
- (unsigned int)status);
+ msg(M_INFO,
+ "NOTE: could not delete previously set dynamic IP/netmask: %s/%s (status=%u)",
+ ip->IpAddress.String, ip->IpMask.String, (unsigned int)status);
}
}
ip = ip->Next;
@@ -5099,7 +4879,7 @@
}
else
{
- msg(M_INFO|M_NOPREFIX, "TAP-Windows device: %s [Non-admin access allowed]", device_path);
+ msg(M_INFO | M_NOPREFIX, "TAP-Windows device: %s [Non-admin access allowed]", device_path);
}
}
@@ -5119,7 +4899,8 @@
if (dev_node)
{
/* Get the device GUID for the device specified with --dev-node. */
- device_guid = get_device_guid(dev_node, actual_buffer, sizeof(actual_buffer), NULL, tap_reg, panel_reg, &gc);
+ device_guid = get_device_guid(dev_node, actual_buffer, sizeof(actual_buffer), NULL, tap_reg,
+ panel_reg, &gc);
if (!device_guid)
{
@@ -5127,20 +4908,11 @@
}
/* Open Windows TAP-Windows adapter */
- snprintf(device_path, sizeof(device_path), "%s%s%s",
- USERMODEDEVICEDIR,
- device_guid,
+ snprintf(device_path, sizeof(device_path), "%s%s%s", USERMODEDEVICEDIR, device_guid,
TAP_WIN_SUFFIX);
- hand = CreateFile(
- device_path,
- MAXIMUM_ALLOWED,
- 0, /* was: FILE_SHARE_READ */
- 0,
- OPEN_EXISTING,
- FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED,
- 0
- );
+ hand = CreateFile(device_path, MAXIMUM_ALLOWED, 0, /* was: FILE_SHARE_READ */
+ 0, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, 0);
if (hand == INVALID_HANDLE_VALUE)
{
@@ -5157,13 +4929,8 @@
/* Try opening all TAP devices */
while (true)
{
- device_guid = get_unspecified_device_guid(device_number,
- actual_buffer,
- sizeof(actual_buffer),
- tap_reg,
- panel_reg,
- NULL,
- &gc);
+ device_guid = get_unspecified_device_guid(
+ device_number, actual_buffer, sizeof(actual_buffer), tap_reg, panel_reg, NULL, &gc);
if (!device_guid)
{
@@ -5171,20 +4938,11 @@
}
/* Open Windows TAP-Windows adapter */
- snprintf(device_path, sizeof(device_path), "%s%s%s",
- USERMODEDEVICEDIR,
- device_guid,
+ snprintf(device_path, sizeof(device_path), "%s%s%s", USERMODEDEVICEDIR, device_guid,
TAP_WIN_SUFFIX);
- hand = CreateFile(
- device_path,
- MAXIMUM_ALLOWED,
- 0, /* was: FILE_SHARE_READ */
- 0,
- OPEN_EXISTING,
- FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED,
- 0
- );
+ hand = CreateFile(device_path, MAXIMUM_ALLOWED, 0, /* was: FILE_SHARE_READ */
+ 0, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, 0);
if (hand == INVALID_HANDLE_VALUE)
{
@@ -5222,9 +4980,9 @@
}
else
{
- msg(M_WARN, "NOTE: Release of DHCP-assigned IP address lease on TAP-Windows adapter failed: %s (code=%u)",
- strerror_win32(status, &gc),
- (unsigned int)status);
+ msg(M_WARN,
+ "NOTE: Release of DHCP-assigned IP address lease on TAP-Windows adapter failed: %s (code=%u)",
+ strerror_win32(status, &gc), (unsigned int)status);
}
}
@@ -5235,7 +4993,8 @@
static bool
dhcp_release(const struct tuntap *tt)
{
- if (tt && tt->options.ip_win32_type == IPW32_SET_DHCP_MASQ && tt->adapter_index != TUN_ADAPTER_INDEX_INVALID)
+ if (tt && tt->options.ip_win32_type == IPW32_SET_DHCP_MASQ
+ && tt->adapter_index != TUN_ADAPTER_INDEX_INVALID)
{
return dhcp_release_by_adapter_index(tt->adapter_index);
}
@@ -5262,9 +5021,9 @@
}
else
{
- msg(M_WARN, "WARNING: Failed to renew DHCP IP address lease on TAP-Windows adapter: %s (code=%u)",
- strerror_win32(status, &gc),
- (unsigned int)status);
+ msg(M_WARN,
+ "WARNING: Failed to renew DHCP IP address lease on TAP-Windows adapter: %s (code=%u)",
+ strerror_win32(status, &gc), (unsigned int)status);
}
}
gc_free(&gc);
@@ -5274,7 +5033,8 @@
static bool
dhcp_renew(const struct tuntap *tt)
{
- if (tt && tt->options.ip_win32_type == IPW32_SET_DHCP_MASQ && tt->adapter_index != TUN_ADAPTER_INDEX_INVALID)
+ if (tt && tt->options.ip_win32_type == IPW32_SET_DHCP_MASQ
+ && tt->adapter_index != TUN_ADAPTER_INDEX_INVALID)
{
return dhcp_renew_by_adapter_index(tt->adapter_index);
}
@@ -5320,15 +5080,11 @@
msg(D_TUNTAP_INFO, "Start ipconfig commands for register-dns...");
netcmd_semaphore_lock();
- argv_printf(&argv, "%s%s /flushdns",
- get_win_sys_path(),
- WIN_IPCONFIG_PATH_SUFFIX);
+ argv_printf(&argv, "%s%s /flushdns", get_win_sys_path(), WIN_IPCONFIG_PATH_SUFFIX);
argv_msg(D_TUNTAP_INFO, &argv);
openvpn_execve_check(&argv, es, 0, err);
- argv_printf(&argv, "%s%s /registerdns",
- get_win_sys_path(),
- WIN_IPCONFIG_PATH_SUFFIX);
+ argv_printf(&argv, "%s%s /registerdns", get_win_sys_path(), WIN_IPCONFIG_PATH_SUFFIX);
argv_msg(D_TUNTAP_INFO, &argv);
openvpn_execve_check(&argv, es, 0, err);
argv_free(&argv);
@@ -5429,34 +5185,28 @@
* are cleared first.
*/
static void
-netsh_set_dns6_servers(const struct in6_addr *addr_list,
- const int addr_len,
- DWORD adapter_index)
+netsh_set_dns6_servers(const struct in6_addr *addr_list, const int addr_len, DWORD adapter_index)
{
struct gc_arena gc = gc_new();
struct argv argv = argv_new();
/* delete existing DNS settings from TAP interface */
- argv_printf(&argv, "%s%s interface ipv6 delete dns %lu all",
- get_win_sys_path(),
- NETSH_PATH_SUFFIX,
- adapter_index);
+ argv_printf(&argv, "%s%s interface ipv6 delete dns %lu all", get_win_sys_path(),
+ NETSH_PATH_SUFFIX, adapter_index);
netsh_command(&argv, 2, M_FATAL);
for (int i = 0; i < addr_len; ++i)
{
- const char *fmt = (i == 0) ?
- "%s%s interface ipv6 set dns %lu static %s"
- : "%s%s interface ipv6 add dns %lu %s";
- argv_printf(&argv, fmt, get_win_sys_path(),
- NETSH_PATH_SUFFIX, adapter_index,
+ const char *fmt = (i == 0) ? "%s%s interface ipv6 set dns %lu static %s"
+ : "%s%s interface ipv6 add dns %lu %s";
+ argv_printf(&argv, fmt, get_win_sys_path(), NETSH_PATH_SUFFIX, adapter_index,
print_in6_addr(addr_list[i], 0, &gc));
/* disable slow address validation */
argv_printf_cat(&argv, "%s", "validate=no");
/* Treat errors while adding as non-fatal as we do not check for duplicates */
- netsh_command(&argv, 1, (i==0) ? M_FATAL : M_NONFATAL);
+ netsh_command(&argv, 1, (i == 0) ? M_FATAL : M_NONFATAL);
}
argv_free(&argv);
@@ -5464,12 +5214,8 @@
}
static void
-netsh_ifconfig_options(const char *type,
- const in_addr_t *addr_list,
- const int addr_len,
- const IP_ADDR_STRING *current,
- DWORD adapter_index,
- const bool test_first)
+netsh_ifconfig_options(const char *type, const in_addr_t *addr_list, const int addr_len,
+ const IP_ADDR_STRING *current, DWORD adapter_index, const bool test_first)
{
struct gc_arena gc = gc_new();
struct argv argv = argv_new();
@@ -5492,11 +5238,8 @@
/* delete existing DNS/WINS settings from TAP interface */
if (delete_first)
{
- argv_printf(&argv, "%s%s interface ip delete %s %lu all",
- get_win_sys_path(),
- NETSH_PATH_SUFFIX,
- type,
- adapter_index);
+ argv_printf(&argv, "%s%s interface ip delete %s %lu all", get_win_sys_path(),
+ NETSH_PATH_SUFFIX, type, adapter_index);
netsh_command(&argv, 2, M_FATAL);
}
@@ -5508,15 +5251,10 @@
{
if (delete_first || !test_first || !ip_addr_member_of(addr_list[i], current))
{
- const char *fmt = count ?
- "%s%s interface ip add %s %lu %s"
- : "%s%s interface ip set %s %lu static %s";
+ const char *fmt = count ? "%s%s interface ip add %s %lu %s"
+ : "%s%s interface ip set %s %lu static %s";
- argv_printf(&argv, fmt,
- get_win_sys_path(),
- NETSH_PATH_SUFFIX,
- type,
- adapter_index,
+ argv_printf(&argv, fmt, get_win_sys_path(), NETSH_PATH_SUFFIX, type, adapter_index,
print_in_addr_t(addr_list[i], 0, &gc));
/* disable slow address validation for DNS */
@@ -5531,9 +5269,7 @@
}
else
{
- msg(M_INFO, "NETSH: %lu %s %s [already set]",
- adapter_index,
- type,
+ msg(M_INFO, "NETSH: %lu %s %s [already set]", adapter_index, type,
print_in_addr_t(addr_list[i], 0, &gc));
}
}
@@ -5562,11 +5298,8 @@
}
static void
-netsh_ifconfig(const struct tuntap_options *to,
- DWORD adapter_index,
- const in_addr_t ip,
- const in_addr_t netmask,
- const unsigned int flags)
+netsh_ifconfig(const struct tuntap_options *to, DWORD adapter_index, const in_addr_t ip,
+ const in_addr_t netmask, const unsigned int flags)
{
struct gc_arena gc = gc_new();
struct argv argv = argv_new();
@@ -5584,19 +5317,14 @@
{
if (test_adapter_ip_netmask(ai, ip, netmask))
{
- msg(M_INFO, "NETSH: %lu %s/%s [already set]",
- adapter_index,
- print_in_addr_t(ip, 0, &gc),
- print_in_addr_t(netmask, 0, &gc));
+ msg(M_INFO, "NETSH: %lu %s/%s [already set]", adapter_index,
+ print_in_addr_t(ip, 0, &gc), print_in_addr_t(netmask, 0, &gc));
}
else
{
/* example: netsh interface ip set address 42 static 10.3.0.1 255.255.255.0 */
- argv_printf(&argv, "%s%s interface ip set address %lu static %s %s",
- get_win_sys_path(),
- NETSH_PATH_SUFFIX,
- adapter_index,
- print_in_addr_t(ip, 0, &gc),
+ argv_printf(&argv, "%s%s interface ip set address %lu static %s %s", get_win_sys_path(),
+ NETSH_PATH_SUFFIX, adapter_index, print_in_addr_t(ip, 0, &gc),
print_in_addr_t(netmask, 0, &gc));
netsh_command(&argv, 4, M_FATAL);
@@ -5610,22 +5338,14 @@
CLEAR(wins[0]);
CLEAR(wins[1]);
- netsh_ifconfig_options("dns",
- to->dns,
- to->dns_len,
- pai ? &pai->DnsServerList : NULL,
- adapter_index,
- BOOL_CAST(flags & NI_TEST_FIRST));
+ netsh_ifconfig_options("dns", to->dns, to->dns_len, pai ? &pai->DnsServerList : NULL,
+ adapter_index, BOOL_CAST(flags & NI_TEST_FIRST));
if (ai && ai->HaveWins)
{
init_ip_addr_string2(wins, &ai->PrimaryWinsServer, &ai->SecondaryWinsServer);
}
- netsh_ifconfig_options("wins",
- to->wins,
- to->wins_len,
- ai ? wins : NULL,
- adapter_index,
+ netsh_ifconfig_options("wins", to->wins, to->wins_len, ai ? wins : NULL, adapter_index,
BOOL_CAST(flags & NI_TEST_FIRST));
}
@@ -5639,11 +5359,8 @@
struct argv argv = argv_new();
/* example: netsh interface ip set address 42 dhcp */
- argv_printf(&argv,
- "%s%s interface ip set address %lu dhcp",
- get_win_sys_path(),
- NETSH_PATH_SUFFIX,
- adapter_index);
+ argv_printf(&argv, "%s%s interface ip set address %lu dhcp", get_win_sys_path(),
+ NETSH_PATH_SUFFIX, adapter_index);
netsh_command(&argv, 4, M_FATAL);
@@ -5659,14 +5376,8 @@
struct gc_arena gc = gc_new();
HANDLE pipe = tt->options.msg_channel;
- enable_dhcp_message_t dhcp = {
- .header = {
- msg_enable_dhcp,
- sizeof(enable_dhcp_message_t),
- 0
- },
- .iface = { .index = tt->adapter_index, .name = "" }
- };
+ enable_dhcp_message_t dhcp = { .header = { msg_enable_dhcp, sizeof(enable_dhcp_message_t), 0 },
+ .iface = { .index = tt->adapter_index, .name = "" } };
if (!send_msg_iservice(pipe, &dhcp, sizeof(dhcp), &ack, "Enable_dhcp"))
{
@@ -5690,8 +5401,7 @@
}
static void
-windows_set_mtu(const int iface_index, const short family,
- const int mtu)
+windows_set_mtu(const int iface_index, const short family, const int mtu)
{
DWORD err = 0;
struct gc_arena gc = gc_new();
@@ -5702,7 +5412,8 @@
ipiface.InterfaceIndex = iface_index;
if (family == AF_INET6 && mtu < 1280)
{
- msg(M_INFO, "NOTE: IPv6 interface MTU < 1280 conflicts with IETF standards and might not work");
+ msg(M_INFO,
+ "NOTE: IPv6 interface MTU < 1280 conflicts with IETF standards and might not work");
}
err = GetIpInterfaceEntry(&ipiface);
@@ -5718,12 +5429,13 @@
if (err != NO_ERROR)
{
- msg(M_WARN, "TUN: Setting %s mtu failed: %s [status=%lu if_index=%d]",
- family_name, strerror_win32(err, &gc), err, iface_index);
+ msg(M_WARN, "TUN: Setting %s mtu failed: %s [status=%lu if_index=%d]", family_name,
+ strerror_win32(err, &gc), err, iface_index);
}
else
{
- msg(M_INFO, "%s MTU set to %d on interface %d using SetIpInterfaceEntry()", family_name, mtu, iface_index);
+ msg(M_INFO, "%s MTU set to %d on interface %d using SetIpInterfaceEntry()", family_name,
+ mtu, iface_index);
}
}
@@ -5743,13 +5455,16 @@
if (dev_node)
{
- guid = get_device_guid(dev_node, BPTR(&actual), BCAP(&actual), NULL, tap_reg, panel_reg, gc);
+ guid =
+ get_device_guid(dev_node, BPTR(&actual), BCAP(&actual), NULL, tap_reg, panel_reg, gc);
}
else
{
- guid = get_unspecified_device_guid(0, BPTR(&actual), BCAP(&actual), tap_reg, panel_reg, NULL, gc);
+ guid = get_unspecified_device_guid(0, BPTR(&actual), BCAP(&actual), tap_reg, panel_reg,
+ NULL, gc);
- if (get_unspecified_device_guid(1, NULL, 0, tap_reg, panel_reg, NULL, gc)) /* ambiguous if more than one TAP-Windows adapter */
+ if (get_unspecified_device_guid(1, NULL, 0, tap_reg, panel_reg, NULL,
+ gc)) /* ambiguous if more than one TAP-Windows adapter */
{
guid = NULL;
}
@@ -5757,7 +5472,7 @@
if (!guid)
{
- return "NULL"; /* not found */
+ return "NULL"; /* not found */
}
else if (strcmp(BSTR(&actual), "NULL"))
{
@@ -5765,7 +5480,7 @@
}
else
{
- return guid; /* no control panel name, return GUID instead */
+ return guid; /* no control panel name, return GUID instead */
}
}
@@ -5788,13 +5503,10 @@
if (tt->standby_iter == IPW32_SET_ADAPTIVE_TRY_NETSH)
{
msg(M_INFO, "NOTE: now trying netsh (this may take some time)");
- netsh_ifconfig(&tt->options,
- tt->adapter_index,
- tt->local,
- tt->adapter_netmask,
- NI_TEST_FIRST|NI_IP_NETMASK|NI_OPTIONS);
+ netsh_ifconfig(&tt->options, tt->adapter_index, tt->local, tt->adapter_netmask,
+ NI_TEST_FIRST | NI_IP_NETMASK | NI_OPTIONS);
}
- else if (tt->standby_iter >= IPW32_SET_ADAPTIVE_TRY_NETSH*2)
+ else if (tt->standby_iter >= IPW32_SET_ADAPTIVE_TRY_NETSH * 2)
{
ret = false;
}
@@ -5822,7 +5534,8 @@
}
static void
-write_dhcp_u32_array(struct buffer *buf, const int type, const uint32_t *data, const unsigned int len, bool *error)
+write_dhcp_u32_array(struct buffer *buf, const int type, const uint32_t *data,
+ const unsigned int len, bool *error)
{
if (len > 0)
{
@@ -5890,7 +5603,7 @@
for (i = 0; i < array_len; i++)
{
- const char *ptr = str_array[i];
+ const char *ptr = str_array[i];
if (strlen(ptr) + len + 1 > sizeof(tmp_buf))
{
@@ -5909,7 +5622,7 @@
{
if (*ptr == '.' || *ptr == '\0')
{
- tmp_buf[label_length_pos] = (len-label_length_pos)-1;
+ tmp_buf[label_length_pos] = (len - label_length_pos) - 1;
label_length_pos = len;
if (*ptr == '\0')
{
@@ -5966,9 +5679,7 @@
if (o->domain_search_list_len > 0)
{
- write_dhcp_search_str(buf, 119, o->domain_search_list,
- o->domain_search_list_len,
- &error);
+ write_dhcp_search_str(buf, 119, o->domain_search_list, o->domain_search_list_len, &error);
}
/* the MS DHCP server option 'Disable Netbios-over-TCP/IP
@@ -5981,10 +5692,10 @@
msg(M_WARN, "build_dhcp_options_string: buffer overflow building DHCP options");
return false;
}
- buf_write_u8(buf, 43);
- buf_write_u8(buf, 6);/* total length field */
- buf_write_u8(buf, 0x001);
- buf_write_u8(buf, 4);/* length of the vendor specified field */
+ buf_write_u8(buf, 43);
+ buf_write_u8(buf, 6); /* total length field */
+ buf_write_u8(buf, 0x001);
+ buf_write_u8(buf, 4); /* length of the vendor specified field */
buf_write_u32(buf, 0x002);
}
return !error;
@@ -6081,7 +5792,9 @@
if (dsa == local)
{
- msg(M_FATAL, "ERROR: There is a clash between the --ifconfig local address and the internal DHCP server address -- both are set to %s -- please use the --ip-win32 dynamic option to choose a different free address from the --ifconfig subnet for the internal DHCP server", print_in_addr_t(dsa, 0, &gc));
+ msg(M_FATAL,
+ "ERROR: There is a clash between the --ifconfig local address and the internal DHCP server address -- both are set to %s -- please use the --ip-win32 dynamic option to choose a different free address from the --ifconfig subnet for the internal DHCP server",
+ print_in_addr_t(dsa, 0, &gc));
}
if ((local & netmask) != (dsa & netmask))
@@ -6099,38 +5812,38 @@
ULONG info[3];
DWORD len;
CLEAR(info);
- if (DeviceIoControl(tt->hand, TAP_WIN_IOCTL_GET_VERSION,
- &info, sizeof(info),
- &info, sizeof(info), &len, NULL))
+ if (DeviceIoControl(tt->hand, TAP_WIN_IOCTL_GET_VERSION, &info, sizeof(info), &info,
+ sizeof(info), &len, NULL))
{
- msg(D_TUNTAP_INFO, "TAP-Windows Driver Version %d.%d %s",
- (int)info[0],
- (int)info[1],
+ msg(D_TUNTAP_INFO, "TAP-Windows Driver Version %d.%d %s", (int)info[0], (int)info[1],
(info[2] ? "(DEBUG)" : ""));
-
}
if (!(info[0] == TAP_WIN_MIN_MAJOR && info[1] >= TAP_WIN_MIN_MINOR))
{
- msg(M_FATAL, "ERROR: This version of " PACKAGE_NAME " requires a TAP-Windows driver that is at least version %d.%d -- If you recently upgraded your " PACKAGE_NAME " distribution, a reboot is probably required at this point to get Windows to see the new driver.",
- TAP_WIN_MIN_MAJOR,
- TAP_WIN_MIN_MINOR);
+ msg(M_FATAL,
+ "ERROR: This version of " PACKAGE_NAME
+ " requires a TAP-Windows driver that is at least version %d.%d -- If you recently upgraded your " PACKAGE_NAME
+ " distribution, a reboot is probably required at this point to get Windows to see the new driver.",
+ TAP_WIN_MIN_MAJOR, TAP_WIN_MIN_MINOR);
}
/* usage of numeric constants is ugly, but this is really tied to
* *this* version of the driver
*/
- if (tt->type == DEV_TYPE_TUN
- && info[0] == 9 && info[1] < 8)
+ if (tt->type == DEV_TYPE_TUN && info[0] == 9 && info[1] < 8)
{
- msg(M_INFO, "WARNING: Tap-Win32 driver version %d.%d does not support IPv6 in TUN mode. IPv6 will not work. Upgrade your Tap-Win32 driver.", (int)info[0], (int)info[1]);
+ msg(M_INFO,
+ "WARNING: Tap-Win32 driver version %d.%d does not support IPv6 in TUN mode. IPv6 will not work. Upgrade your Tap-Win32 driver.",
+ (int)info[0], (int)info[1]);
}
/* tap driver 9.8 (2.2.0 and 2.2.1 release) is buggy
*/
- if (tt->type == DEV_TYPE_TUN
- && info[0] == 9 && info[1] == 8)
+ if (tt->type == DEV_TYPE_TUN && info[0] == 9 && info[1] == 8)
{
- msg(M_FATAL, "ERROR: Tap-Win32 driver version %d.%d is buggy regarding small IPv4 packets in TUN mode. Upgrade your Tap-Win32 driver.", (int)info[0], (int)info[1]);
+ msg(M_FATAL,
+ "ERROR: Tap-Win32 driver version %d.%d is buggy regarding small IPv4 packets in TUN mode. Upgrade your Tap-Win32 driver.",
+ (int)info[0], (int)info[1]);
}
}
@@ -6139,43 +5852,33 @@
{
ULONG mtu = 0;
DWORD len;
- if (DeviceIoControl(tt->hand, TAP_WIN_IOCTL_GET_MTU,
- &mtu, sizeof(mtu),
- &mtu, sizeof(mtu), &len, NULL))
+ if (DeviceIoControl(tt->hand, TAP_WIN_IOCTL_GET_MTU, &mtu, sizeof(mtu), &mtu, sizeof(mtu), &len,
+ NULL))
{
msg(D_MTU_INFO, "TAP-Windows MTU=%d", (int)mtu);
}
}
static void
-tuntap_set_ip_addr(struct tuntap *tt,
- const char *device_guid,
- bool dhcp_masq_post)
+tuntap_set_ip_addr(struct tuntap *tt, const char *device_guid, bool dhcp_masq_post)
{
struct gc_arena gc = gc_new();
const DWORD index = tt->adapter_index;
/* flush arp cache */
- if (tt->backend_driver == WINDOWS_DRIVER_TAP_WINDOWS6
- && index != TUN_ADAPTER_INDEX_INVALID)
+ if (tt->backend_driver == WINDOWS_DRIVER_TAP_WINDOWS6 && index != TUN_ADAPTER_INDEX_INVALID)
{
DWORD status = -1;
if (tt->options.msg_channel)
{
ack_message_t ack;
- flush_neighbors_message_t msg = {
- .header = {
- msg_flush_neighbors,
- sizeof(flush_neighbors_message_t),
- 0
- },
- .family = AF_INET,
- .iface = {.index = index, .name = "" }
- };
+ flush_neighbors_message_t msg = { .header = { msg_flush_neighbors,
+ sizeof(flush_neighbors_message_t), 0 },
+ .family = AF_INET,
+ .iface = { .index = index, .name = "" } };
- if (send_msg_iservice(tt->options.msg_channel, &msg, sizeof(msg),
- &ack, "TUN"))
+ if (send_msg_iservice(tt->options.msg_channel, &msg, sizeof(msg), &ack, "TUN"))
{
status = ack.error_number;
}
@@ -6187,17 +5890,13 @@
if (status == NO_ERROR)
{
- msg(M_INFO, "Successful ARP Flush on interface [%lu] %s",
- index,
- device_guid);
+ msg(M_INFO, "Successful ARP Flush on interface [%lu] %s", index, device_guid);
}
else if (status != -1)
{
- msg(D_TUNTAP_INFO, "NOTE: FlushIpNetTable failed on interface [%lu] %s (status=%lu) : %s",
- index,
- device_guid,
- status,
- strerror_win32(status, &gc));
+ msg(D_TUNTAP_INFO,
+ "NOTE: FlushIpNetTable failed on interface [%lu] %s (status=%lu) : %s", index,
+ device_guid, status, strerror_win32(status, &gc));
}
/*
@@ -6210,7 +5909,8 @@
/* check dhcp enable status */
if (dhcp_status(index) == DHCP_STATUS_DISABLED)
{
- msg(M_WARN, "WARNING: You have selected '--ip-win32 dynamic', which will not work unless the TAP-Windows TCP/IP properties are set to 'Obtain an IP address automatically'");
+ msg(M_WARN,
+ "WARNING: You have selected '--ip-win32 dynamic', which will not work unless the TAP-Windows TCP/IP properties are set to 'Obtain an IP address automatically'");
}
/* force an explicit DHCP lease renewal on TAP adapter? */
@@ -6232,20 +5932,21 @@
if (tt->did_ifconfig_setup && tt->options.ip_win32_type == IPW32_SET_IPAPI)
{
DWORD status;
- const char *error_suffix = "I am having trouble using the Windows 'IP helper API' to automatically set the IP address -- consider using other --ip-win32 methods (not 'ipapi')";
+ const char *error_suffix =
+ "I am having trouble using the Windows 'IP helper API' to automatically set the IP address -- consider using other --ip-win32 methods (not 'ipapi')";
/* couldn't get adapter index */
if (index == TUN_ADAPTER_INDEX_INVALID)
{
- msg(M_FATAL, "ERROR: unable to get adapter index for interface %s -- %s",
- device_guid,
+ msg(M_FATAL, "ERROR: unable to get adapter index for interface %s -- %s", device_guid,
error_suffix);
}
/* check dhcp enable status */
if (dhcp_status(index) == DHCP_STATUS_DISABLED)
{
- msg(M_WARN, "NOTE: You have selected (explicitly or by default) '--ip-win32 ipapi', which has a better chance of working correctly if the TAP-Windows TCP/IP properties are set to 'Obtain an IP address automatically'");
+ msg(M_WARN,
+ "NOTE: You have selected (explicitly or by default) '--ip-win32 ipapi', which has a better chance of working correctly if the TAP-Windows TCP/IP properties are set to 'Obtain an IP address automatically'");
}
/* delete previously added IP addresses which were not
@@ -6253,28 +5954,21 @@
delete_temp_addresses(index);
/* add a new IP address */
- if ((status = AddIPAddress(htonl(tt->local),
- htonl(tt->adapter_netmask),
- index,
- &tt->ipapi_context,
- &tt->ipapi_instance)) == NO_ERROR)
+ if ((status = AddIPAddress(htonl(tt->local), htonl(tt->adapter_netmask), index,
+ &tt->ipapi_context, &tt->ipapi_instance))
+ == NO_ERROR)
{
- msg(M_INFO, "Succeeded in adding a temporary IP/netmask of %s/%s to interface %s using the Win32 IP Helper API",
- print_in_addr_t(tt->local, 0, &gc),
- print_in_addr_t(tt->adapter_netmask, 0, &gc),
- device_guid
- );
+ msg(M_INFO,
+ "Succeeded in adding a temporary IP/netmask of %s/%s to interface %s using the Win32 IP Helper API",
+ print_in_addr_t(tt->local, 0, &gc), print_in_addr_t(tt->adapter_netmask, 0, &gc),
+ device_guid);
}
else
{
- msg(M_FATAL, "ERROR: AddIPAddress %s/%s failed on interface %s, index=%lu, status=%lu (windows error: '%s') -- %s",
- print_in_addr_t(tt->local, 0, &gc),
- print_in_addr_t(tt->adapter_netmask, 0, &gc),
- device_guid,
- index,
- status,
- strerror_win32(status, &gc),
- error_suffix);
+ msg(M_FATAL,
+ "ERROR: AddIPAddress %s/%s failed on interface %s, index=%lu, status=%lu (windows error: '%s') -- %s",
+ print_in_addr_t(tt->local, 0, &gc), print_in_addr_t(tt->adapter_netmask, 0, &gc),
+ device_guid, index, status, strerror_win32(status, &gc), error_suffix);
}
tt->ipapi_context_defined = true;
}
@@ -6287,11 +5981,11 @@
{
ULONG status = TRUE;
DWORD len;
- if (!DeviceIoControl(tt->hand, TAP_WIN_IOCTL_SET_MEDIA_STATUS,
- &status, sizeof(status),
- &status, sizeof(status), &len, NULL))
+ if (!DeviceIoControl(tt->hand, TAP_WIN_IOCTL_SET_MEDIA_STATUS, &status, sizeof(status), &status,
+ sizeof(status), &len, NULL))
{
- msg(M_WARN, "WARNING: The TAP-Windows driver rejected a TAP_WIN_IOCTL_SET_MEDIA_STATUS DeviceIoControl call.");
+ msg(M_WARN,
+ "WARNING: The TAP-Windows driver rejected a TAP_WIN_IOCTL_SET_MEDIA_STATUS DeviceIoControl call.");
}
int s = tt->options.tap_sleep;
@@ -6325,17 +6019,16 @@
ep[1] = htonl(tt->local & tt->remote_netmask);
ep[2] = htonl(tt->remote_netmask);
- status = DeviceIoControl(tt->hand, TAP_WIN_IOCTL_CONFIG_TUN,
- ep, sizeof(ep),
- ep, sizeof(ep), &len, NULL);
+ status = DeviceIoControl(tt->hand, TAP_WIN_IOCTL_CONFIG_TUN, ep, sizeof(ep), ep, sizeof(ep),
+ &len, NULL);
if (tt->did_ifconfig_setup)
{
- msg(status ? M_INFO : M_FATAL, "Set TAP-Windows TUN subnet mode network/local/netmask = %s/%s/%s [%s]",
+ msg(status ? M_INFO : M_FATAL,
+ "Set TAP-Windows TUN subnet mode network/local/netmask = %s/%s/%s [%s]",
print_in_addr_t(ep[1], IA_NET_ORDER, &gc),
print_in_addr_t(ep[0], IA_NET_ORDER, &gc),
- print_in_addr_t(ep[2], IA_NET_ORDER, &gc),
- status ? "SUCCEEDED" : "FAILED");
+ print_in_addr_t(ep[2], IA_NET_ORDER, &gc), status ? "SUCCEEDED" : "FAILED");
}
else
{
@@ -6349,11 +6042,11 @@
ep[0] = htonl(tt->local);
ep[1] = htonl(tt->remote_netmask);
- if (!DeviceIoControl(tt->hand, TAP_WIN_IOCTL_CONFIG_POINT_TO_POINT,
- ep, sizeof(ep),
- ep, sizeof(ep), &len, NULL))
+ if (!DeviceIoControl(tt->hand, TAP_WIN_IOCTL_CONFIG_POINT_TO_POINT, ep, sizeof(ep), ep,
+ sizeof(ep), &len, NULL))
{
- msg(M_FATAL, "ERROR: The TAP-Windows driver rejected a DeviceIoControl call to set Point-to-Point mode, which is required for --dev tun");
+ msg(M_FATAL,
+ "ERROR: The TAP-Windows driver rejected a DeviceIoControl call to set Point-to-Point mode, which is required for --dev tun");
}
}
@@ -6376,7 +6069,9 @@
{
if (tt->topology == TOP_SUBNET)
{
- ep[2] = dhcp_masq_addr(tt->local, tt->remote_netmask, tt->options.dhcp_masq_custom_offset ? tt->options.dhcp_masq_offset : 0);
+ ep[2] = dhcp_masq_addr(
+ tt->local, tt->remote_netmask,
+ tt->options.dhcp_masq_custom_offset ? tt->options.dhcp_masq_offset : 0);
}
else
{
@@ -6386,7 +6081,9 @@
else
{
ASSERT(tt->type == DEV_TYPE_TAP);
- ep[2] = dhcp_masq_addr(tt->local, tt->adapter_netmask, tt->options.dhcp_masq_custom_offset ? tt->options.dhcp_masq_offset : 0);
+ ep[2] =
+ dhcp_masq_addr(tt->local, tt->adapter_netmask,
+ tt->options.dhcp_masq_custom_offset ? tt->options.dhcp_masq_offset : 0);
}
/* lease time in seconds */
@@ -6395,20 +6092,17 @@
ASSERT(ep[3] > 0);
#ifndef SIMULATE_DHCP_FAILED /* this code is disabled to simulate bad DHCP negotiation */
- if (!DeviceIoControl(tt->hand, TAP_WIN_IOCTL_CONFIG_DHCP_MASQ,
- ep, sizeof(ep),
- ep, sizeof(ep), &len, NULL))
+ if (!DeviceIoControl(tt->hand, TAP_WIN_IOCTL_CONFIG_DHCP_MASQ, ep, sizeof(ep), ep, sizeof(ep),
+ &len, NULL))
{
- msg(M_FATAL, "ERROR: The TAP-Windows driver rejected a DeviceIoControl call to set TAP_WIN_IOCTL_CONFIG_DHCP_MASQ mode");
+ msg(M_FATAL,
+ "ERROR: The TAP-Windows driver rejected a DeviceIoControl call to set TAP_WIN_IOCTL_CONFIG_DHCP_MASQ mode");
}
- msg(M_INFO, "Notified TAP-Windows driver to set a DHCP IP/netmask of %s/%s on interface %s [DHCP-serv: %s, lease-time: %d]",
- print_in_addr_t(tt->local, 0, &gc),
- print_in_addr_t(tt->adapter_netmask, 0, &gc),
- device_guid,
- print_in_addr_t(ep[2], IA_NET_ORDER, &gc),
- ep[3]
- );
+ msg(M_INFO,
+ "Notified TAP-Windows driver to set a DHCP IP/netmask of %s/%s on interface %s [DHCP-serv: %s, lease-time: %d]",
+ print_in_addr_t(tt->local, 0, &gc), print_in_addr_t(tt->adapter_netmask, 0, &gc),
+ device_guid, print_in_addr_t(ep[2], IA_NET_ORDER, &gc), ep[3]);
/* user-supplied DHCP options capability */
if (tt->options.dhcp_options)
@@ -6417,11 +6111,11 @@
if (build_dhcp_options_string(&buf, &tt->options))
{
msg(D_DHCP_OPT, "DHCP option string: %s", format_hex(BPTR(&buf), BLEN(&buf), 0, &gc));
- if (!DeviceIoControl(tt->hand, TAP_WIN_IOCTL_CONFIG_DHCP_SET_OPT,
- BPTR(&buf), BLEN(&buf),
- BPTR(&buf), BLEN(&buf), &len, NULL))
+ if (!DeviceIoControl(tt->hand, TAP_WIN_IOCTL_CONFIG_DHCP_SET_OPT, BPTR(&buf),
+ BLEN(&buf), BPTR(&buf), BLEN(&buf), &len, NULL))
{
- msg(M_FATAL, "ERROR: The TAP-Windows driver rejected a TAP_WIN_IOCTL_CONFIG_DHCP_SET_OPT DeviceIoControl call");
+ msg(M_FATAL,
+ "ERROR: The TAP-Windows driver rejected a TAP_WIN_IOCTL_CONFIG_DHCP_SET_OPT DeviceIoControl call");
}
}
else
@@ -6430,13 +6124,14 @@
}
free_buf(&buf);
}
-#endif /* ifndef SIMULATE_DHCP_FAILED */
+#endif /* ifndef SIMULATE_DHCP_FAILED */
gc_free(&gc);
}
static bool
-tun_try_open_device(struct tuntap *tt, const char *device_guid, const struct device_instance_id_interface *device_instance_id_interface)
+tun_try_open_device(struct tuntap *tt, const char *device_guid,
+ const struct device_instance_id_interface *device_instance_id_interface)
{
const char *path = NULL;
char tuntap_device_path[256];
@@ -6455,8 +6150,7 @@
if (tt->backend_driver == DRIVER_DCO)
{
char *last_sep = strrchr(dev_if->device_interface, '\\');
- if (!last_sep
- || strcmp(last_sep + 1, DCO_WIN_REFERENCE_STRING) != 0)
+ if (!last_sep || strcmp(last_sep + 1, DCO_WIN_REFERENCE_STRING) != 0)
{
continue;
}
@@ -6473,25 +6167,19 @@
else
{
/* Open TAP-Windows */
- snprintf(tuntap_device_path, sizeof(tuntap_device_path), "%s%s%s",
- USERMODEDEVICEDIR,
- device_guid,
- TAP_WIN_SUFFIX);
+ snprintf(tuntap_device_path, sizeof(tuntap_device_path), "%s%s%s", USERMODEDEVICEDIR,
+ device_guid, TAP_WIN_SUFFIX);
path = tuntap_device_path;
}
msg(D_TAP_WIN_DEBUG, "Using device interface: %s", path);
- tt->hand = CreateFile(path,
- GENERIC_READ | GENERIC_WRITE,
- 0, /* was: FILE_SHARE_READ */
- 0,
- OPEN_EXISTING,
- FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED,
- 0);
+ tt->hand = CreateFile(path, GENERIC_READ | GENERIC_WRITE, 0, /* was: FILE_SHARE_READ */
+ 0, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, 0);
if (tt->hand == INVALID_HANDLE_VALUE)
{
- msg(D_TUNTAP_INFO | M_ERRNO, "CreateFile failed on %s device: %s", print_tun_backend_driver(tt->backend_driver), path);
+ msg(D_TUNTAP_INFO | M_ERRNO, "CreateFile failed on %s device: %s",
+ print_tun_backend_driver(tt->backend_driver), path);
return false;
}
@@ -6499,11 +6187,13 @@
}
void
-tun_open_device(struct tuntap *tt, const char *dev_node, const char **device_guid, struct gc_arena *gc)
+tun_open_device(struct tuntap *tt, const char *dev_node, const char **device_guid,
+ struct gc_arena *gc)
{
const struct tap_reg *tap_reg = get_tap_reg(gc);
const struct panel_reg *panel_reg = get_panel_reg(gc);
- const struct device_instance_id_interface *device_instance_id_interface = get_device_instance_id_interface(gc);
+ const struct device_instance_id_interface *device_instance_id_interface =
+ get_device_instance_id_interface(gc);
uint8_t actual_buffer[256];
@@ -6515,7 +6205,8 @@
enum tun_driver_type windows_driver = WINDOWS_DRIVER_UNSPECIFIED;
/* Get the device GUID for the device specified with --dev-node. */
- *device_guid = get_device_guid(dev_node, actual_buffer, sizeof(actual_buffer), &windows_driver, tap_reg, panel_reg, gc);
+ *device_guid = get_device_guid(dev_node, actual_buffer, sizeof(actual_buffer),
+ &windows_driver, tap_reg, panel_reg, gc);
if (!*device_guid)
{
@@ -6524,13 +6215,16 @@
if (tt->backend_driver != windows_driver)
{
- msg(M_FATAL, "Adapter '%s' is using %s driver, %s expected. If you want to use this device, adjust --windows-driver.",
- dev_node, print_tun_backend_driver(windows_driver), print_tun_backend_driver(tt->backend_driver));
+ msg(M_FATAL,
+ "Adapter '%s' is using %s driver, %s expected. If you want to use this device, adjust --windows-driver.",
+ dev_node, print_tun_backend_driver(windows_driver),
+ print_tun_backend_driver(tt->backend_driver));
}
if (!tun_try_open_device(tt, *device_guid, device_instance_id_interface))
{
- msg(M_FATAL, "Failed to open %s adapter: %s", print_tun_backend_driver(tt->backend_driver), dev_node);
+ msg(M_FATAL, "Failed to open %s adapter: %s",
+ print_tun_backend_driver(tt->backend_driver), dev_node);
}
}
else
@@ -6542,20 +6236,18 @@
while (true)
{
enum tun_driver_type windows_driver = WINDOWS_DRIVER_UNSPECIFIED;
- *device_guid = get_unspecified_device_guid(device_number,
- actual_buffer,
- sizeof(actual_buffer),
- tap_reg,
- panel_reg,
- &windows_driver,
- gc);
+ *device_guid =
+ get_unspecified_device_guid(device_number, actual_buffer, sizeof(actual_buffer),
+ tap_reg, panel_reg, &windows_driver, gc);
if (!*device_guid)
{
/* try to create an adapter a few times if we have a service pipe handle */
- if ((++adapters_created > 10) || !do_create_adapter_service(tt->options.msg_channel, tt->backend_driver))
+ if ((++adapters_created > 10)
+ || !do_create_adapter_service(tt->options.msg_channel, tt->backend_driver))
{
- msg(M_FATAL, "All %s adapters on this system are currently in use or disabled.", print_tun_backend_driver(tt->backend_driver));
+ msg(M_FATAL, "All %s adapters on this system are currently in use or disabled.",
+ print_tun_backend_driver(tt->backend_driver));
}
else
{
@@ -6622,10 +6314,7 @@
*/
if (dhcp_status(tt->adapter_index) != DHCP_STATUS_ENABLED)
{
- netsh_ifconfig(&tt->options,
- tt->adapter_index,
- tt->local,
- tt->adapter_netmask,
+ netsh_ifconfig(&tt->options, tt->adapter_index, tt->local, tt->adapter_netmask,
NI_TEST_FIRST | NI_IP_NETMASK | NI_OPTIONS);
}
else
@@ -6686,9 +6375,11 @@
if ((tt->options.dhcp_options & DHCP_OPTIONS_DHCP_REQUIRED)
&& tt->backend_driver != WINDOWS_DRIVER_TAP_WINDOWS6)
{
- msg(M_WARN, "Some --dhcp-option or --dns options require DHCP server,"
+ msg(M_WARN,
+ "Some --dhcp-option or --dns options require DHCP server,"
" which is not supported by the selected %s driver. They will be"
- " ignored.", print_tun_backend_driver(tt->backend_driver));
+ " ignored.",
+ print_tun_backend_driver(tt->backend_driver));
}
/* dco-win already opened the device, which handle we treat as socket */
@@ -6701,11 +6392,11 @@
/*netcmd_semaphore_lock ();*/
- msg( M_INFO, "open_tun");
+ msg(M_INFO, "open_tun");
if (tt->type != DEV_TYPE_TAP && tt->type != DEV_TYPE_TUN)
{
- msg(M_FATAL|M_NOPREFIX, "Unknown virtual device type: '%s'", dev);
+ msg(M_FATAL | M_NOPREFIX, "Unknown virtual device type: '%s'", dev);
}
struct gc_arena gc = gc_new(); /* used also for device_guid allocation */
@@ -6725,10 +6416,8 @@
{
struct buffer out = alloc_buf_gc(256, gc);
DWORD len;
- if (DeviceIoControl(tt->hand, TAP_WIN_IOCTL_GET_INFO,
- BSTR(&out), BCAP(&out),
- BSTR(&out), BCAP(&out),
- &len, NULL))
+ if (DeviceIoControl(tt->hand, TAP_WIN_IOCTL_GET_INFO, BSTR(&out), BCAP(&out), BSTR(&out),
+ BCAP(&out), &len, NULL))
{
return BSTR(&out);
}
@@ -6743,10 +6432,8 @@
{
struct buffer out = alloc_buf(1024);
DWORD len;
- while (DeviceIoControl(tt->hand, TAP_WIN_IOCTL_GET_LOG_LINE,
- BSTR(&out), BCAP(&out),
- BSTR(&out), BCAP(&out),
- &len, NULL))
+ while (DeviceIoControl(tt->hand, TAP_WIN_IOCTL_GET_LOG_LINE, BSTR(&out), BCAP(&out),
+ BSTR(&out), BCAP(&out), &len, NULL))
{
msg(D_TAP_WIN_DEBUG, "TAP-Windows: %s", BSTR(&out));
}
@@ -6764,22 +6451,15 @@
int len = ipv6 ? tt->options.dns6_len : tt->options.dns_len;
if (len > 0)
{
- argv_printf(&argv,
- "%s%s interface %s delete dns %lu all",
- get_win_sys_path(),
- NETSH_PATH_SUFFIX,
- ipv6 ? "ipv6" : "ipv4",
- tt->adapter_index);
+ argv_printf(&argv, "%s%s interface %s delete dns %lu all", get_win_sys_path(),
+ NETSH_PATH_SUFFIX, ipv6 ? "ipv6" : "ipv4", tt->adapter_index);
netsh_command(&argv, 1, M_WARN);
}
if (!ipv6 && tt->options.wins_len > 0)
{
- argv_printf(&argv,
- "%s%s interface ipv4 delete winsservers %lu all",
- get_win_sys_path(),
- NETSH_PATH_SUFFIX,
- tt->adapter_index);
+ argv_printf(&argv, "%s%s interface ipv4 delete winsservers %lu all", get_win_sys_path(),
+ NETSH_PATH_SUFFIX, tt->adapter_index);
netsh_command(&argv, 1, M_WARN);
}
@@ -6801,13 +6481,8 @@
{
ifconfig_ip_local = print_in_addr_t(tt->local, 0, gc);
}
- argv_printf(&argv,
- "%s%s interface %s delete address %lu %s store=active",
- get_win_sys_path(),
- NETSH_PATH_SUFFIX,
- ipv6 ? "ipv6" : "ipv4",
- tt->adapter_index,
- ifconfig_ip_local);
+ argv_printf(&argv, "%s%s interface %s delete address %lu %s store=active", get_win_sys_path(),
+ NETSH_PATH_SUFFIX, ipv6 ? "ipv6" : "ipv4", tt->adapter_index, ifconfig_ip_local);
netsh_command(&argv, 1, M_WARN);
argv_free(&argv);
@@ -6885,7 +6560,8 @@
{
/* We didn't do ifconfig. */
}
- else if (tt->options.ip_win32_type == IPW32_SET_DHCP_MASQ || tt->options.ip_win32_type == IPW32_SET_ADAPTIVE)
+ else if (tt->options.ip_win32_type == IPW32_SET_DHCP_MASQ
+ || tt->options.ip_win32_type == IPW32_SET_ADAPTIVE)
{
/* We don't have to clean the configuration with DHCP. */
}
@@ -6912,10 +6588,9 @@
DWORD status;
if ((status = DeleteIPAddress(tt->ipapi_context)) != NO_ERROR)
{
- msg(M_WARN, "Warning: DeleteIPAddress[%u] failed on TAP-Windows adapter, status=%u : %s",
- (unsigned int)tt->ipapi_context,
- (unsigned int)status,
- strerror_win32(status, &gc));
+ msg(M_WARN,
+ "Warning: DeleteIPAddress[%u] failed on TAP-Windows adapter, status=%u : %s",
+ (unsigned int)tt->ipapi_context, (unsigned int)status, strerror_win32(status, &gc));
}
}
@@ -6934,17 +6609,14 @@
* Convert --ip-win32 constants between index and ascii form.
*/
-struct ipset_names {
+struct ipset_names
+{
const char *short_form;
};
/* Indexed by IPW32_SET_x */
static const struct ipset_names ipset_names[] = {
- {"manual"},
- {"netsh"},
- {"ipapi"},
- {"dynamic"},
- {"adaptive"}
+ { "manual" }, { "netsh" }, { "ipapi" }, { "dynamic" }, { "adaptive" }
};
int
@@ -6994,7 +6666,7 @@
return BSTR(&out);
}
-#else /* generic */
+#else /* generic */
void
open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt,
@@ -7024,4 +6696,4 @@
return read(tt->fd, buf, len);
}
-#endif /* if defined (TARGET_ANDROID) */
+#endif /* if defined (TARGET_ANDROID) */
@@ -40,7 +40,8 @@
#include "networking.h"
#include "dco.h"
-enum tun_driver_type {
+enum tun_driver_type
+{
WINDOWS_DRIVER_UNSPECIFIED,
WINDOWS_DRIVER_TAP_WINDOWS6,
DRIVER_GENERIC_TUNTAP,
@@ -67,19 +68,20 @@
#define IPW32_SET_ADAPTIVE_TRY_NETSH 20
/* bit flags for DHCP options */
-#define DHCP_OPTIONS_DHCP_OPTIONAL (1<<0)
-#define DHCP_OPTIONS_DHCP_REQUIRED (1<<1)
+#define DHCP_OPTIONS_DHCP_OPTIONAL (1 << 0)
+#define DHCP_OPTIONS_DHCP_REQUIRED (1 << 1)
-struct tuntap_options {
+struct tuntap_options
+{
/* --ip-win32 options */
bool ip_win32_defined;
-#define IPW32_SET_MANUAL 0 /* "--ip-win32 manual" */
-#define IPW32_SET_NETSH 1 /* "--ip-win32 netsh" */
-#define IPW32_SET_IPAPI 2 /* "--ip-win32 ipapi" */
-#define IPW32_SET_DHCP_MASQ 3 /* "--ip-win32 dynamic" */
-#define IPW32_SET_ADAPTIVE 4 /* "--ip-win32 adaptive" */
-#define IPW32_SET_N 5
+#define IPW32_SET_MANUAL 0 /* "--ip-win32 manual" */
+#define IPW32_SET_NETSH 1 /* "--ip-win32 netsh" */
+#define IPW32_SET_IPAPI 2 /* "--ip-win32 ipapi" */
+#define IPW32_SET_DHCP_MASQ 3 /* "--ip-win32 dynamic" */
+#define IPW32_SET_ADAPTIVE 4 /* "--ip-win32 adaptive" */
+#define IPW32_SET_N 5
int ip_win32_type;
#ifdef _WIN32
@@ -98,14 +100,15 @@
int dhcp_options;
- const char *domain; /* DOMAIN (15) */
+ const char *domain; /* DOMAIN (15) */
const char *netbios_scope; /* NBS (47) */
- int netbios_node_type; /* NBT 1,2,4,8 (46) */
+ int netbios_node_type; /* NBT 1,2,4,8 (46) */
-#define N_DHCP_ADDR 4 /* Max # of addresses allowed for
- * DNS, WINS, etc. */
+#define N_DHCP_ADDR \
+ 4 /* Max # of addresses allowed for \
+ * DNS, WINS, etc. */
/* DNS (6) */
in_addr_t dns[N_DHCP_ADDR];
@@ -147,13 +150,15 @@
#elif defined(TARGET_LINUX)
-struct tuntap_options {
+struct tuntap_options
+{
int txqueuelen;
};
#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
-struct tuntap_options {
+struct tuntap_options
+{
int dummy; /* not used */
};
@@ -169,7 +174,8 @@
} afunix_context_t;
#else /* ifndef WIN32 */
-typedef struct {
+typedef struct
+{
int dummy;
} afunix_context_t;
#endif
@@ -195,11 +201,11 @@
* been set up. This does NOT mean ifconfig has been called */
bool did_ifconfig_ipv6_setup;
- bool persistent_if; /* if existed before, keep on program end */
+ bool persistent_if; /* if existed before, keep on program end */
struct tuntap_options options; /* options set on command line */
- char *actual_name; /* actual name of TUN/TAP dev, usually including unit number */
+ char *actual_name; /* actual name of TUN/TAP dev, usually including unit number */
/* ifconfig parameters */
in_addr_t local;
@@ -230,7 +236,7 @@
int standby_iter;
- #else /* ifdef _WIN32 */
+#else /* ifdef _WIN32 */
int fd; /* file descriptor for TUN/TAP dev */
#endif /* ifdef _WIN32 */
@@ -259,13 +265,13 @@
* Function prototypes
*/
-void open_tun(const char *dev, const char *dev_type, const char *dev_node,
- struct tuntap *tt, openvpn_net_ctx_t *ctx);
+void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt,
+ openvpn_net_ctx_t *ctx);
void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx);
-void tun_open_device(struct tuntap *tt, const char *dev_node,
- const char **device_guid, struct gc_arena *gc);
+void tun_open_device(struct tuntap *tt, const char *dev_node, const char **device_guid,
+ struct gc_arena *gc);
void close_tun_handle(struct tuntap *tt);
@@ -273,37 +279,29 @@
int read_tun(struct tuntap *tt, uint8_t *buf, int len);
-void tuncfg(const char *dev, const char *dev_type, const char *dev_node,
- int persist_mode, const char *username,
- const char *groupname, const struct tuntap_options *options,
+void tuncfg(const char *dev, const char *dev_type, const char *dev_node, int persist_mode,
+ const char *username, const char *groupname, const struct tuntap_options *options,
openvpn_net_ctx_t *ctx);
-const char *guess_tuntap_dev(const char *dev,
- const char *dev_type,
- const char *dev_node,
+const char *guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node,
struct gc_arena *gc);
-struct tuntap *init_tun(const char *dev, /* --dev option */
- const char *dev_type, /* --dev-type option */
- int topology, /* one of the TOP_x values */
- const char *ifconfig_local_parm, /* --ifconfig parm 1 */
- const char *ifconfig_remote_netmask_parm, /* --ifconfig parm 2 */
- const char *ifconfig_ipv6_local_parm, /* --ifconfig parm 1 / IPv6 */
- int ifconfig_ipv6_netbits_parm, /* --ifconfig parm 1 / bits */
- const char *ifconfig_ipv6_remote_parm, /* --ifconfig parm 2 / IPv6 */
- struct addrinfo *local_public,
- struct addrinfo *remote_public,
- const bool strict_warn,
- struct env_set *es,
- openvpn_net_ctx_t *ctx,
+struct tuntap *init_tun(const char *dev, /* --dev option */
+ const char *dev_type, /* --dev-type option */
+ int topology, /* one of the TOP_x values */
+ const char *ifconfig_local_parm, /* --ifconfig parm 1 */
+ const char *ifconfig_remote_netmask_parm, /* --ifconfig parm 2 */
+ const char *ifconfig_ipv6_local_parm, /* --ifconfig parm 1 / IPv6 */
+ int ifconfig_ipv6_netbits_parm, /* --ifconfig parm 1 / bits */
+ const char *ifconfig_ipv6_remote_parm, /* --ifconfig parm 2 / IPv6 */
+ struct addrinfo *local_public, struct addrinfo *remote_public,
+ const bool strict_warn, struct env_set *es, openvpn_net_ctx_t *ctx,
struct tuntap *tt);
-void init_tun_post(struct tuntap *tt,
- const struct frame *frame,
+void init_tun_post(struct tuntap *tt, const struct frame *frame,
const struct tuntap_options *options);
-void do_ifconfig_setenv(const struct tuntap *tt,
- struct env_set *es);
+void do_ifconfig_setenv(const struct tuntap *tt, struct env_set *es);
/**
* do_ifconfig - configure the tunnel interface
@@ -314,8 +312,8 @@
* @param es the environment to be used when executing the commands
* @param ctx the networking API opaque context
*/
-void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu,
- const struct env_set *es, openvpn_net_ctx_t *ctx);
+void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es,
+ openvpn_net_ctx_t *ctx);
/**
* undo_ifconfig - undo configuration of the tunnel interface
@@ -331,7 +329,8 @@
const char *dev_type_string(const char *dev, const char *dev_type);
-const char *ifconfig_options_string(const struct tuntap *tt, bool remote, bool disable, struct gc_arena *gc);
+const char *ifconfig_options_string(const struct tuntap *tt, bool remote, bool disable,
+ struct gc_arena *gc);
bool is_tun_p2p(const struct tuntap *tt);
@@ -340,8 +339,7 @@
/**
* Return a string representation of the tun backed driver type
*/
-const char *
-print_tun_backend_driver(enum tun_driver_type driver);
+const char *print_tun_backend_driver(enum tun_driver_type driver);
/*
* Should ifconfig be called before or after
@@ -351,7 +349,7 @@
#define IFCONFIG_BEFORE_TUN_OPEN 0
#define IFCONFIG_AFTER_TUN_OPEN 1
-#define IFCONFIG_DEFAULT IFCONFIG_AFTER_TUN_OPEN
+#define IFCONFIG_DEFAULT IFCONFIG_AFTER_TUN_OPEN
static inline int
ifconfig_order(struct tuntap *tt)
@@ -374,13 +372,13 @@
return IFCONFIG_AFTER_TUN_OPEN;
#elif defined(TARGET_ANDROID)
return IFCONFIG_BEFORE_TUN_OPEN;
-#else /* if defined(TARGET_LINUX) */
+#else /* if defined(TARGET_LINUX) */
return IFCONFIG_DEFAULT;
#endif
}
-#define ROUTE_BEFORE_TUN 0
-#define ROUTE_AFTER_TUN 1
+#define ROUTE_BEFORE_TUN 0
+#define ROUTE_AFTER_TUN 1
#define ROUTE_ORDER_DEFAULT ROUTE_AFTER_TUN
static inline int
@@ -441,11 +439,10 @@
bool is_adapter_up(const struct tuntap *tt, const IP_ADAPTER_INFO *list);
-bool is_ip_in_adapter_subnet(const IP_ADAPTER_INFO *ai, const in_addr_t ip, in_addr_t *highest_netmask);
+bool is_ip_in_adapter_subnet(const IP_ADAPTER_INFO *ai, const in_addr_t ip,
+ in_addr_t *highest_netmask);
-DWORD adapter_index_of_ip(const IP_ADAPTER_INFO *list,
- const in_addr_t ip,
- int *count,
+DWORD adapter_index_of_ip(const IP_ADAPTER_INFO *list, const in_addr_t ip, int *count,
in_addr_t *netmask);
void show_tap_win_adapters(int msglev, int warnlev);
@@ -599,10 +596,7 @@
}
static inline void
-tun_set(struct tuntap *tt,
- struct event_set *es,
- unsigned int rwflags,
- void *arg,
+tun_set(struct tuntap *tt, struct event_set *es, unsigned int rwflags, void *arg,
unsigned int *persistent)
{
if (!tuntap_defined(tt) || tuntap_is_dco_win(tt))
@@ -626,7 +620,6 @@
}
#endif
tt->rwflags_debug = rwflags;
-
}
const char *tun_stat(const struct tuntap *tt, unsigned int rwflags, struct gc_arena *gc);
@@ -47,7 +47,6 @@
#include <stdlib.h>
-
static void
tun_afunix_exec_child(const char *dev_node, struct tuntap *tt, struct env_set *env)
{
@@ -60,8 +59,7 @@
argv_printf(&argv, "%s", program);
- tt->afunix.childprocess = openvpn_execve_check(&argv, env, S_NOWAITPID,
- msgprefix);
+ tt->afunix.childprocess = openvpn_execve_check(&argv, env, S_NOWAITPID, msgprefix);
if (!openvpn_waitpid_check(tt->afunix.childprocess, msgprefix, M_WARN))
{
tt->afunix.childprocess = 0;
@@ -70,10 +68,7 @@
}
void
-open_tun_afunix(struct options *o,
- int mtu,
- struct tuntap *tt,
- struct env_set *orig_env)
+open_tun_afunix(struct options *o, int mtu, struct tuntap *tt, struct env_set *orig_env)
{
struct gc_arena gc = gc_new();
@@ -81,14 +76,14 @@
if (!(socketpair(AF_UNIX, SOCK_DGRAM, 0, fds) == 0))
{
msg(M_ERR, "Cannot create socket pair for AF_UNIX socket to external "
- "program");
+ "program");
return;
}
/* Ensure that the buffer sizes are decently sized. Otherwise macOS will
* just have 2048 */
- struct socket_buffer_size newsizes = {65536, 65536 };
+ struct socket_buffer_size newsizes = { 65536, 65536 };
socket_set_buffers(fds[0], &newsizes, false);
socket_set_buffers(fds[1], &newsizes, false);
@@ -167,8 +162,8 @@
}
#else /* ifndef WIN32 */
void
-open_tun_afunix(const char *dev, const char *dev_type, int mtu,
- struct tuntap *tt, struct env_set env)
+open_tun_afunix(const char *dev, const char *dev_type, int mtu, struct tuntap *tt,
+ struct env_set env)
{
msg(M_ERR, "AF_UNIX socket support not available on this platform");
}
@@ -31,31 +31,24 @@
* the user provided taking care of implementing the actual tun
* device.
*/
-void
-open_tun_afunix(struct options *o,
- int mtu,
- struct tuntap *tt,
- struct env_set *env);
+void open_tun_afunix(struct options *o, int mtu, struct tuntap *tt, struct env_set *env);
/**
* Closes the socket used for the AF_UNIX based device. Also sends a
* SIGINT to the child process that was spawned to handle the tun device
*/
-void
-close_tun_afunix(struct tuntap *tt);
+void close_tun_afunix(struct tuntap *tt);
/**
* Writes a packet to a AF_UNIX based tun device.
*/
-ssize_t
-write_tun_afunix(struct tuntap *tt, uint8_t *buf, int len);
+ssize_t write_tun_afunix(struct tuntap *tt, uint8_t *buf, int len);
/**
* Reads a packet from a AF_UNIX based tun device.
*/
-ssize_t
-read_tun_afunix(struct tuntap *tt, uint8_t *buf, int len);
+ssize_t read_tun_afunix(struct tuntap *tt, uint8_t *buf, int len);
#endif /* AFUNIX_TUN_H */
@@ -52,8 +52,8 @@
static void
vlanhdr_set_vid(struct openvpn_8021qhdr *hdr, const uint16_t vid)
{
- hdr->pcp_cfi_vid = (hdr->pcp_cfi_vid & ~OPENVPN_8021Q_MASK_VID)
- | (htons(vid) & OPENVPN_8021Q_MASK_VID);
+ hdr->pcp_cfi_vid =
+ (hdr->pcp_cfi_vid & ~OPENVPN_8021Q_MASK_VID) | (htons(vid) & OPENVPN_8021Q_MASK_VID);
}
/*
@@ -96,15 +96,13 @@
/* reject untagged frame */
if (c->options.vlan_accept == VLAN_ONLY_TAGGED)
{
- msg(D_VLAN_DEBUG,
- "dropping frame without vlan-tag (proto/len 0x%04x)",
+ msg(D_VLAN_DEBUG, "dropping frame without vlan-tag (proto/len 0x%04x)",
ntohs(ethhdr->proto));
goto drop;
}
/* untagged frame is accepted and associated with the global VID */
- msg(D_VLAN_DEBUG,
- "assuming pvid for frame without vlan-tag, pvid: %u (proto/len 0x%04x)",
+ msg(D_VLAN_DEBUG, "assuming pvid for frame without vlan-tag, pvid: %u (proto/len 0x%04x)",
c->options.vlan_pvid, ntohs(ethhdr->proto));
return c->options.vlan_pvid;
@@ -125,8 +123,8 @@
/* VLAN-tagged frame: drop packet */
if (vid != 0)
{
- msg(D_VLAN_DEBUG, "dropping frame with vlan-tag, vid: %u (proto/len 0x%04x)",
- vid, ntohs(vlanhdr->proto));
+ msg(D_VLAN_DEBUG, "dropping frame with vlan-tag, vid: %u (proto/len 0x%04x)", vid,
+ ntohs(vlanhdr->proto));
goto drop;
}
@@ -148,8 +146,7 @@
/* here we have a proper VLAN tagged frame: perform decapsulation
* and return embedded VID
*/
- msg(D_VLAN_DEBUG,
- "removing vlan-tag from frame: vid: %u, wrapped proto/len: 0x%04x",
+ msg(D_VLAN_DEBUG, "removing vlan-tag from frame: vid: %u, wrapped proto/len: 0x%04x",
vid, ntohs(vlanhdr->proto));
/* save inner protocol to be restored later after decapsulation */
@@ -224,8 +221,7 @@
goto drop;
}
- vlanhdr = (struct openvpn_8021qhdr *)buf_prepend(buf,
- SIZE_ETH_TO_8021Q_HDR);
+ vlanhdr = (struct openvpn_8021qhdr *)buf_prepend(buf, SIZE_ETH_TO_8021Q_HDR);
/* Initialise VLAN/802.1q header.
* Move the Eth header so to keep dst/src addresses the same and then
@@ -244,8 +240,8 @@
/* set the VID corresponding to the current context (client) */
vlanhdr_set_vid(vlanhdr, c->options.vlan_pvid);
- msg(D_VLAN_DEBUG, "tagging frame: vid %u (wrapping proto/len: %04x)",
- c->options.vlan_pvid, vlanhdr->proto);
+ msg(D_VLAN_DEBUG, "tagging frame: vid %u (wrapping proto/len: %04x)", c->options.vlan_pvid,
+ vlanhdr->proto);
return;
drop:
@@ -31,13 +31,10 @@
struct multi_context;
struct multi_instance;
-int16_t
-vlan_decapsulate(const struct context *c, struct buffer *buf);
+int16_t vlan_decapsulate(const struct context *c, struct buffer *buf);
-bool
-vlan_is_tagged(const struct buffer *buf);
+bool vlan_is_tagged(const struct buffer *buf);
-void
-vlan_process_outgoing_tun(struct multi_context *m, struct multi_instance *mi);
+void vlan_process_outgoing_tun(struct multi_context *m, struct multi_instance *mi);
#endif /* VLAN_H */
@@ -48,68 +48,33 @@
#endif
/* c38d57d1-05a7-4c33-904f-7fbceee60e82 */
-DEFINE_GUID(
- FWPM_LAYER_ALE_AUTH_CONNECT_V4,
- 0xc38d57d1,
- 0x05a7,
- 0x4c33,
- 0x90, 0x4f, 0x7f, 0xbc, 0xee, 0xe6, 0x0e, 0x82
- );
+DEFINE_GUID(FWPM_LAYER_ALE_AUTH_CONNECT_V4, 0xc38d57d1, 0x05a7, 0x4c33, 0x90, 0x4f, 0x7f, 0xbc,
+ 0xee, 0xe6, 0x0e, 0x82);
/* 4a72393b-319f-44bc-84c3-ba54dcb3b6b4 */
-DEFINE_GUID(
- FWPM_LAYER_ALE_AUTH_CONNECT_V6,
- 0x4a72393b,
- 0x319f,
- 0x44bc,
- 0x84, 0xc3, 0xba, 0x54, 0xdc, 0xb3, 0xb6, 0xb4
- );
+DEFINE_GUID(FWPM_LAYER_ALE_AUTH_CONNECT_V6, 0x4a72393b, 0x319f, 0x44bc, 0x84, 0xc3, 0xba, 0x54,
+ 0xdc, 0xb3, 0xb6, 0xb4);
/* d78e1e87-8644-4ea5-9437-d809ecefc971 */
-DEFINE_GUID(
- FWPM_CONDITION_ALE_APP_ID,
- 0xd78e1e87,
- 0x8644,
- 0x4ea5,
- 0x94, 0x37, 0xd8, 0x09, 0xec, 0xef, 0xc9, 0x71
- );
+DEFINE_GUID(FWPM_CONDITION_ALE_APP_ID, 0xd78e1e87, 0x8644, 0x4ea5, 0x94, 0x37, 0xd8, 0x09, 0xec,
+ 0xef, 0xc9, 0x71);
/* c35a604d-d22b-4e1a-91b4-68f674ee674b */
-DEFINE_GUID(
- FWPM_CONDITION_IP_REMOTE_PORT,
- 0xc35a604d,
- 0xd22b,
- 0x4e1a,
- 0x91, 0xb4, 0x68, 0xf6, 0x74, 0xee, 0x67, 0x4b
- );
+DEFINE_GUID(FWPM_CONDITION_IP_REMOTE_PORT, 0xc35a604d, 0xd22b, 0x4e1a, 0x91, 0xb4, 0x68, 0xf6, 0x74,
+ 0xee, 0x67, 0x4b);
/* 4cd62a49-59c3-4969-b7f3-bda5d32890a4 */
-DEFINE_GUID(
- FWPM_CONDITION_IP_LOCAL_INTERFACE,
- 0x4cd62a49,
- 0x59c3,
- 0x4969,
- 0xb7, 0xf3, 0xbd, 0xa5, 0xd3, 0x28, 0x90, 0xa4
- );
+DEFINE_GUID(FWPM_CONDITION_IP_LOCAL_INTERFACE, 0x4cd62a49, 0x59c3, 0x4969, 0xb7, 0xf3, 0xbd, 0xa5,
+ 0xd3, 0x28, 0x90, 0xa4);
/* 632ce23b-5167-435c-86d7-e903684aa80c */
-DEFINE_GUID(
- FWPM_CONDITION_FLAGS,
- 0x632ce23b,
- 0x5167,
- 0x435c,
- 0x86, 0xd7, 0xe9, 0x03, 0x68, 0x4a, 0xa8, 0x0c
- );
+DEFINE_GUID(FWPM_CONDITION_FLAGS, 0x632ce23b, 0x5167, 0x435c, 0x86, 0xd7, 0xe9, 0x03, 0x68, 0x4a,
+ 0xa8, 0x0c);
/* UUID of WFP sublayer used by all instances of openvpn
* 2f660d7e-6a37-11e6-a181-001e8c6e04a2 */
-DEFINE_GUID(
- OPENVPN_WFP_BLOCK_SUBLAYER,
- 0x2f660d7e,
- 0x6a37,
- 0x11e6,
- 0xa1, 0x81, 0x00, 0x1e, 0x8c, 0x6e, 0x04, 0xa2
- );
+DEFINE_GUID(OPENVPN_WFP_BLOCK_SUBLAYER, 0x2f660d7e, 0x6a37, 0x11e6, 0xa1, 0x81, 0x00, 0x1e, 0x8c,
+ 0x6e, 0x04, 0xa2);
static WCHAR *FIREWALL_NAME = L"OpenVPN";
@@ -123,7 +88,11 @@
}
#define OUT_ON_ERROR(err, msg) \
- if (err) { msg_handler(err, msg); goto out; }
+ if (err) \
+ { \
+ msg_handler(err, msg); \
+ goto out; \
+ }
/*
* Add a persistent sublayer with specified uuid.
@@ -181,24 +150,21 @@
*/
DWORD
-add_wfp_block_filters(HANDLE *engine_handle,
- int index,
- const WCHAR *exe_path,
- wfp_block_msg_handler_t msg_handler,
- BOOL dns_only)
+add_wfp_block_filters(HANDLE *engine_handle, int index, const WCHAR *exe_path,
+ wfp_block_msg_handler_t msg_handler, BOOL dns_only)
{
- FWPM_SESSION0 session = {0};
+ FWPM_SESSION0 session = { 0 };
FWPM_SUBLAYER0 *sublayer_ptr = NULL;
NET_LUID itf_luid;
UINT64 filterid;
FWP_BYTE_BLOB *openvpnblob = NULL;
- FWPM_FILTER0 Filter = {0};
+ FWPM_FILTER0 Filter = { 0 };
FWPM_FILTER_CONDITION0 Condition[2];
- FWPM_FILTER_CONDITION0 match_openvpn = {0};
- FWPM_FILTER_CONDITION0 match_port_53 = {0};
- FWPM_FILTER_CONDITION0 match_interface = {0};
- FWPM_FILTER_CONDITION0 match_loopback = {0};
- FWPM_FILTER_CONDITION0 match_not_loopback = {0};
+ FWPM_FILTER_CONDITION0 match_openvpn = { 0 };
+ FWPM_FILTER_CONDITION0 match_port_53 = { 0 };
+ FWPM_FILTER_CONDITION0 match_interface = { 0 };
+ FWPM_FILTER_CONDITION0 match_loopback = { 0 };
+ FWPM_FILTER_CONDITION0 match_not_loopback = { 0 };
DWORD err = 0;
if (!msg_handler)
@@ -223,8 +189,8 @@
FwpmFreeMemory0((void **)&sublayer_ptr);
}
else
- { /* Add a new sublayer -- as another process may add it in the meantime,
- * do not treat "already exists" as an error */
+ { /* Add a new sublayer -- as another process may add it in the meantime,
+ * do not treat "already exists" as an error */
err = add_sublayer(OPENVPN_WFP_BLOCK_SUBLAYER);
if (err == FWP_E_ALREADY_EXISTS || err == ERROR_SUCCESS)
@@ -439,8 +405,7 @@
*/
DWORD
-set_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family,
- const ULONG metric)
+set_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family, const ULONG metric)
{
DWORD err = 0;
MIB_IPINTERFACE_ROW ipiface;
@@ -32,7 +32,7 @@
/* Any value less than 5 should work fine. 3 is chosen without any real reason. */
#define WFP_BLOCK_IFACE_METRIC 3
-typedef void (*wfp_block_msg_handler_t) (DWORD err, const char *msg);
+typedef void (*wfp_block_msg_handler_t)(DWORD err, const char *msg);
DWORD
delete_wfp_block_filters(HANDLE engine);
@@ -51,8 +51,7 @@
*
* @return positive interface metric on success or -1 on error
*/
-int
-get_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family, int *is_auto);
+int get_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family, int *is_auto);
/**
* Sets interface metric value for specified interface index.
@@ -65,8 +64,7 @@
*/
DWORD
-set_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family,
- const ULONG metric);
+set_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family, const ULONG metric);
#endif /* ifndef WFP_BLOCK_H */
#endif /* ifdef _WIN32 */
@@ -161,7 +161,7 @@
if (WideCharToMultiByte(CP_UTF8, 0, wtmpdir, -1, NULL, 0, NULL, NULL) > sizeof(tmpdir))
{
msg(M_WARN, "Could not get temporary directory. Path is too long."
- " Consider using --tmp-dir");
+ " Consider using --tmp-dir");
return NULL;
}
@@ -101,8 +101,7 @@
/**
* Set OpenSSL environment variables to a safe directory
*/
-static void
-set_openssl_env_vars(void);
+static void set_openssl_env_vars(void);
void
init_win32(void)
@@ -167,9 +166,7 @@
}
void
-overlapped_io_init(struct overlapped_io *o,
- const struct frame *frame,
- BOOL event_state)
+overlapped_io_init(struct overlapped_io *o, const struct frame *frame, BOOL event_state)
{
CLEAR(*o);
@@ -219,7 +216,8 @@
*/
void
-init_net_event_win32(struct rw_handle *event, long network_events, socket_descriptor_t sd, unsigned int flags)
+init_net_event_win32(struct rw_handle *event, long network_events, socket_descriptor_t sd,
+ unsigned int flags)
{
/* manual reset events, initially set to unsignaled */
@@ -292,7 +290,8 @@
{
if (!CloseHandle(event->read))
{
- msg(M_WARN | M_ERRNO, "Warning: CloseHandle (read) failed in close_net_event_win32");
+ msg(M_WARN | M_ERRNO,
+ "Warning: CloseHandle (read) failed in close_net_event_win32");
}
event->read = NULL;
}
@@ -308,7 +307,8 @@
{
if (!CloseHandle(event->write))
{
- msg(M_WARN | M_ERRNO, "Warning: CloseHandle (write) failed in close_net_event_win32");
+ msg(M_WARN | M_ERRNO,
+ "Warning: CloseHandle (write) failed in close_net_event_win32");
}
event->write = NULL;
}
@@ -332,7 +332,7 @@
ASSERT(!socket_defined(ne->sd));
ne->sd = sd;
ne->event_mask = 0;
- init_net_event_win32(&ne->handle, network_events, sd, NE32_PERSIST_EVENT|NE32_WRITE_EVENT);
+ init_net_event_win32(&ne->handle, network_events, sd, NE32_PERSIST_EVENT | NE32_WRITE_EVENT);
}
void
@@ -406,7 +406,7 @@
ir.Event.KeyEvent.bKeyDown = true;
if (!stdin_handle || !WriteConsoleInput(stdin_handle, &ir, 1, &tmp))
{
- msg(M_WARN|M_ERRNO, "WARN: win_trigger_event: WriteConsoleInput");
+ msg(M_WARN | M_ERRNO, "WARN: win_trigger_event: WriteConsoleInput");
}
}
}
@@ -417,7 +417,7 @@
static bool WINAPI
win_ctrl_handler(DWORD signum)
{
- msg(D_LOW, "win_ctrl_handler: signal received (code=%lu)", (unsigned long) signum);
+ msg(D_LOW, "win_ctrl_handler: signal received (code=%lu)", (unsigned long)signum);
if (siginfo_static.signal_received == SIGTERM)
{
@@ -435,7 +435,7 @@
break;
default:
- msg(D_LOW, "win_ctrl_handler: signal (code=%lu) not handled", (unsigned long) signum);
+ msg(D_LOW, "win_ctrl_handler: signal (code=%lu) not handled", (unsigned long)signum);
break;
}
/* pass all other signals to the next handler */
@@ -449,9 +449,7 @@
}
void
-win32_signal_open(struct win32_signal *ws,
- int force,
- const char *exit_event_name,
+win32_signal_open(struct win32_signal *ws, int force, const char *exit_event_name,
bool exit_event_initial_state)
{
CLEAR(*ws);
@@ -473,12 +471,10 @@
if (GetConsoleMode(ws->in.read, &ws->console_mode_save))
{
/* running on a console */
- const DWORD new_console_mode = ws->console_mode_save
- & ~(ENABLE_WINDOW_INPUT
- | ENABLE_PROCESSED_INPUT
- | ENABLE_LINE_INPUT
- | ENABLE_ECHO_INPUT
- | ENABLE_MOUSE_INPUT);
+ const DWORD new_console_mode =
+ ws->console_mode_save
+ & ~(ENABLE_WINDOW_INPUT | ENABLE_PROCESSED_INPUT | ENABLE_LINE_INPUT
+ | ENABLE_ECHO_INPUT | ENABLE_MOUSE_INPUT);
if (new_console_mode != ws->console_mode_save)
{
@@ -501,8 +497,8 @@
* If console open failed, assume we are running
* as a service.
*/
- if ((force == WSO_NOFORCE || force == WSO_FORCE_SERVICE)
- && !HANDLE_DEFINED(ws->in.read) && exit_event_name)
+ if ((force == WSO_NOFORCE || force == WSO_FORCE_SERVICE) && !HANDLE_DEFINED(ws->in.read)
+ && exit_event_name)
{
struct security_attributes sa;
struct gc_arena gc = gc_new();
@@ -513,11 +509,11 @@
msg(M_ERR, "Error: win32_signal_open: init SA failed");
}
- ws->in.read = CreateEventW(&sa.sa, TRUE, exit_event_initial_state ? TRUE : FALSE,
- exit_event_nameW);
+ ws->in.read =
+ CreateEventW(&sa.sa, TRUE, exit_event_initial_state ? TRUE : FALSE, exit_event_nameW);
if (ws->in.read == NULL)
{
- msg(M_WARN|M_ERRNO, "NOTE: CreateEventW '%s' failed", exit_event_name);
+ msg(M_WARN | M_ERRNO, "NOTE: CreateEventW '%s' failed", exit_event_name);
}
else
{
@@ -533,9 +529,9 @@
gc_free(&gc);
}
/* set the ctrl handler in both console and service modes */
- if (!SetConsoleCtrlHandler((PHANDLER_ROUTINE) win_ctrl_handler, true))
+ if (!SetConsoleCtrlHandler((PHANDLER_ROUTINE)win_ctrl_handler, true))
{
- msg(M_WARN|M_ERRNO, "WARN: SetConsoleCtrlHandler failed");
+ msg(M_WARN | M_ERRNO, "WARN: SetConsoleCtrlHandler failed");
}
}
@@ -562,8 +558,7 @@
return ir->Event.KeyEvent.wVirtualScanCode;
}
- if ((ir->Event.KeyEvent.dwControlKeyState
- & (LEFT_ALT_PRESSED | RIGHT_ALT_PRESSED))
+ if ((ir->Event.KeyEvent.dwControlKeyState & (LEFT_ALT_PRESSED | RIGHT_ALT_PRESSED))
&& (ir->Event.KeyEvent.wVirtualKeyCode != 18))
{
return ir->Event.KeyEvent.wVirtualScanCode * 256;
@@ -625,8 +620,7 @@
{
if (ws->mode == WSO_MODE_SERVICE)
{
- if (HANDLE_DEFINED(ws->in.read)
- && WaitForSingleObject(ws->in.read, 0) == WAIT_OBJECT_0)
+ if (HANDLE_DEFINED(ws->in.read) && WaitForSingleObject(ws->in.read, 0) == WAIT_OBJECT_0)
{
return true;
}
@@ -683,7 +677,7 @@
{
if (ws->mode == WSO_MODE_CONSOLE && HANDLE_DEFINED(ws->in.read))
{
- msg(M_INFO|M_NOPREFIX, "Press any key to continue...");
+ msg(M_INFO | M_NOPREFIX, "Press any key to continue...");
do
{
WaitForSingleObject(ws->in.read, INFINITE);
@@ -734,7 +728,8 @@
{
title = "";
}
- buf_printf(&out, "[%s] " PACKAGE_NAME " " PACKAGE_VERSION " F4:EXIT F1:USR1 F2:USR2 F3:HUP", title);
+ buf_printf(&out, "[%s] " PACKAGE_NAME " " PACKAGE_VERSION " F4:EXIT F1:USR1 F2:USR2 F3:HUP",
+ title);
SetConsoleTitle(BSTR(&out));
gc_free(&gc);
}
@@ -763,7 +758,7 @@
if (s->hand == NULL)
{
- msg(M_WARN|M_ERRNO, "WARNING: Cannot create Win32 semaphore '%s'", name);
+ msg(M_WARN | M_ERRNO, "WARNING: Cannot create Win32 semaphore '%s'", name);
}
else
{
@@ -781,9 +776,10 @@
DWORD status;
ASSERT(!s->locked);
- dmsg(D_SEMAPHORE_LOW, "Attempting to lock Win32 semaphore '%s' prior to net shell command (timeout = %d sec)",
- s->name,
- timeout_milliseconds / 1000);
+ dmsg(
+ D_SEMAPHORE_LOW,
+ "Attempting to lock Win32 semaphore '%s' prior to net shell command (timeout = %d sec)",
+ s->name, timeout_milliseconds / 1000);
status = WaitForSingleObject(s->hand, timeout_milliseconds);
if (status == WAIT_FAILED)
{
@@ -798,8 +794,7 @@
else
{
dmsg(D_SEMAPHORE, "Wait on Win32 semaphore '%s' timed out after %d milliseconds",
- s->name,
- timeout_milliseconds);
+ s->name, timeout_milliseconds);
}
}
return ret;
@@ -814,8 +809,7 @@
dmsg(D_SEMAPHORE, "Releasing Win32 semaphore '%s'", s->name);
if (!ReleaseSemaphore(s->hand, 1, NULL))
{
- msg(M_WARN | M_ERRNO, "ReleaseSemaphore failed on Win32 semaphore '%s'",
- s->name);
+ msg(M_WARN | M_ERRNO, "ReleaseSemaphore failed on Win32 semaphore '%s'", s->name);
}
s->locked = false;
}
@@ -906,9 +900,9 @@
nchars += strlen(e->string) + 1;
}
- nchars += strlen(force_path)+1;
+ nchars += strlen(force_path) + 1;
- ret = (char *) malloc(nchars);
+ ret = (char *)malloc(nchars);
check_malloc_return(ret);
p = ret;
@@ -919,7 +913,7 @@
strcpy(p, e->string);
p += strlen(e->string) + 1;
}
- if (strncmp(e->string, "PATH=", 5 ) == 0)
+ if (strncmp(e->string, "PATH=", 5) == 0)
{
path_seen = true;
}
@@ -928,8 +922,8 @@
/* make sure PATH is set */
if (!path_seen)
{
- msg( M_INFO, "env_block: add %s", force_path );
- strcpy( p, force_path );
+ msg(M_INFO, "env_block: add %s", force_path);
+ strcpy(p, force_path);
p += strlen(force_path) + 1;
}
@@ -975,7 +969,7 @@
{
const char *arg = a->argv[i];
strcpy(work, arg);
- string_mod(work, CC_PRINT, CC_DOUBLE_QUOTE|CC_CRLF, '_');
+ string_mod(work, CC_PRINT, CC_DOUBLE_QUOTE | CC_CRLF, '_');
if (i)
{
buf_printf(&buf, " ");
@@ -1026,7 +1020,8 @@
start_info.dwFlags = STARTF_USESHOWWINDOW;
start_info.wShowWindow = SW_HIDE;
- if (CreateProcessW(cmd, cl, NULL, NULL, FALSE, proc_flags, env, NULL, &start_info, &proc_info))
+ if (CreateProcessW(cmd, cl, NULL, NULL, FALSE, proc_flags, env, NULL, &start_info,
+ &proc_info))
{
DWORD exit_status = 0;
CloseHandle(proc_info.hThread);
@@ -1037,13 +1032,13 @@
}
else
{
- msg(M_WARN|M_ERRNO, "openvpn_execve: GetExitCodeProcess %ls failed", cmd);
+ msg(M_WARN | M_ERRNO, "openvpn_execve: GetExitCodeProcess %ls failed", cmd);
}
CloseHandle(proc_info.hProcess);
}
else
{
- msg(M_WARN|M_ERRNO, "openvpn_execve: CreateProcess %ls failed", cmd);
+ msg(M_WARN | M_ERRNO, "openvpn_execve: CreateProcess %ls failed", cmd);
}
free(env);
gc_free(&gc);
@@ -1084,7 +1079,8 @@
status = GetModuleFileName(NULL, self_exe, sizeof(self_exe));
if (status == 0 || status == sizeof(self_exe))
{
- msg(M_WARN|M_ERRNO, "fork_to_self: CreateProcess failed: cannot get module name via GetModuleFileName");
+ msg(M_WARN | M_ERRNO,
+ "fork_to_self: CreateProcess failed: cannot get module name via GetModuleFileName");
goto done;
}
@@ -1101,7 +1097,7 @@
}
else
{
- msg(M_WARN|M_ERRNO, "fork_to_self: CreateProcess failed: %s", cmdline);
+ msg(M_WARN | M_ERRNO, "fork_to_self: CreateProcess failed: %s", cmdline);
}
done:
@@ -1134,7 +1130,8 @@
}
if (status > sizeof(buf) - 1)
{
- msg(M_FATAL, "String overflow attempting to read environmental variable %s", SYS_PATH_ENV_VAR_NAME);
+ msg(M_FATAL, "String overflow attempting to read environmental variable %s",
+ SYS_PATH_ENV_VAR_NAME);
}
set_win_sys_path(buf, es);
}
@@ -1145,7 +1142,7 @@
DWORD status = GetModuleFileNameW(NULL, path, size);
if (status == 0 || status == size)
{
- msg(M_WARN|M_ERRNO, "cannot get executable path");
+ msg(M_WARN | M_ERRNO, "cannot get executable path");
return false;
}
return true;
@@ -1162,8 +1159,7 @@
}
else
{
- msg(M_WARN, "Error in WFP: %s : %s [status=0x%lx]",
- msg, strerror_win32(err, &gc), err);
+ msg(M_WARN, "Error in WFP: %s : %s [status=0x%lx]", msg, strerror_win32(err, &gc), err);
}
gc_free(&gc);
@@ -1176,15 +1172,10 @@
ack_message_t ack;
struct gc_arena gc = gc_new();
- wfp_block_message_t data = {
- .header = {
- (add ? msg_add_wfp_block : msg_del_wfp_block),
- sizeof(wfp_block_message_t),
- 0
- },
- .flags = dns_only ? wfp_block_dns : wfp_block_local,
- .iface = { .index = index, .name = "" }
- };
+ wfp_block_message_t data = { .header = { (add ? msg_add_wfp_block : msg_del_wfp_block),
+ sizeof(wfp_block_message_t), 0 },
+ .flags = dns_only ? wfp_block_dns : wfp_block_local,
+ .iface = { .index = index, .name = "" } };
if (!send_msg_iservice(pipe, &data, sizeof(data), &ack, "WFP block"))
{
@@ -1193,9 +1184,10 @@
if (ack.error_number != NO_ERROR)
{
- msg(M_WARN, "WFP block: %s block filters using service failed: %s [status=0x%x if_index=%d]",
- (add ? "adding" : "deleting"), strerror_win32(ack.error_number, &gc),
- ack.error_number, data.iface.index);
+ msg(M_WARN,
+ "WFP block: %s block filters using service failed: %s [status=0x%x if_index=%d]",
+ (add ? "adding" : "deleting"), strerror_win32(ack.error_number, &gc), ack.error_number,
+ data.iface.index);
goto out;
}
@@ -1226,8 +1218,8 @@
goto out;
}
- status = add_wfp_block_filters(&m_hEngineHandle, index, openvpnpath,
- win_wfp_msg_handler, dns_only);
+ status =
+ add_wfp_block_filters(&m_hEngineHandle, index, openvpnpath, win_wfp_msg_handler, dns_only);
if (status == 0)
{
int is_auto = 0;
@@ -1282,7 +1274,8 @@
return true;
}
-typedef enum {
+typedef enum
+{
ARCH_X86,
ARCH_AMD64,
ARCH_ARM64,
@@ -1296,9 +1289,9 @@
*process_arch = ARCH_UNKNOWN;
*host_arch = ARCH_NATIVE;
- typedef BOOL (WINAPI *is_wow64_process2_t)(HANDLE, USHORT *, USHORT *);
- is_wow64_process2_t is_wow64_process2 = (is_wow64_process2_t)
- GetProcAddress(GetModuleHandle("Kernel32.dll"), "IsWow64Process2");
+ typedef BOOL(WINAPI * is_wow64_process2_t)(HANDLE, USHORT *, USHORT *);
+ is_wow64_process2_t is_wow64_process2 =
+ (is_wow64_process2_t)GetProcAddress(GetModuleHandle("Kernel32.dll"), "IsWow64Process2");
USHORT process_machine = 0;
USHORT native_machine = 0;
@@ -1310,8 +1303,7 @@
if (is_wow64_process2)
{
/* this could be amd64 on arm64 */
- BOOL is_wow64 = is_wow64_process2(GetCurrentProcess(),
- &process_machine, &native_machine);
+ BOOL is_wow64 = is_wow64_process2(GetCurrentProcess(), &process_machine, &native_machine);
if (is_wow64 && native_machine == IMAGE_FILE_MACHINE_ARM64)
{
*host_arch = ARCH_ARM64;
@@ -1323,8 +1315,7 @@
if (is_wow64_process2)
{
/* check if we're running on arm64 or amd64 machine */
- BOOL is_wow64 = is_wow64_process2(GetCurrentProcess(),
- &process_machine, &native_machine);
+ BOOL is_wow64 = is_wow64_process2(GetCurrentProcess(), &process_machine, &native_machine);
if (is_wow64)
{
switch (native_machine)
@@ -1383,7 +1374,7 @@
}
}
-typedef LONG (WINAPI *RtlGetVersionPtr)(PRTL_OSVERSIONINFOW);
+typedef LONG(WINAPI *RtlGetVersionPtr)(PRTL_OSVERSIONINFOW);
const char *
win32_version_string(struct gc_arena *gc)
@@ -1428,18 +1419,16 @@
}
bool
-send_msg_iservice(HANDLE pipe, const void *data, size_t size,
- ack_message_t *ack, const char *context)
+send_msg_iservice(HANDLE pipe, const void *data, size_t size, ack_message_t *ack,
+ const char *context)
{
struct gc_arena gc = gc_new();
DWORD len;
bool ret = true;
- if (!WriteFile(pipe, data, size, &len, NULL)
- || !ReadFile(pipe, ack, sizeof(*ack), &len, NULL))
+ if (!WriteFile(pipe, data, size, &len, NULL) || !ReadFile(pipe, ack, sizeof(*ack), &len, NULL))
{
- msg(M_WARN, "%s: could not talk to service: %s [%lu]",
- context ? context : "Unknown",
+ msg(M_WARN, "%s: could not talk to service: %s [%lu]", context ? context : "Unknown",
strerror_win32(GetLastError(), &gc), GetLastError());
ret = false;
}
@@ -1487,14 +1476,13 @@
install_path[wcslen(install_path) - 1] = L'\0';
}
- static struct {
+ static struct
+ {
WCHAR *name;
WCHAR *value;
- } ossl_env[] = {
- {L"OPENSSL_CONF", L"openssl.cnf"},
- {L"OPENSSL_ENGINES", L"engines"},
- {L"OPENSSL_MODULES", L"modules"}
- };
+ } ossl_env[] = { { L"OPENSSL_CONF", L"openssl.cnf" },
+ { L"OPENSSL_ENGINES", L"engines" },
+ { L"OPENSSL_MODULES", L"modules" } };
for (size_t i = 0; i < SIZE(ossl_env); ++i)
{
@@ -1503,7 +1491,7 @@
_wgetenv_s(&size, NULL, 0, ossl_env[i].name);
if (size == 0)
{
- WCHAR val[MAX_PATH] = {0};
+ WCHAR val[MAX_PATH] = { 0 };
swprintf(val, _countof(val), L"%ls\\ssl\\%ls", install_path, ossl_env[i].value);
_wputenv_s(ossl_env[i].name, val);
}
@@ -1524,7 +1512,7 @@
{
if (n > 0)
{
- Sleep(n*1000);
+ Sleep(n * 1000);
}
return;
}
@@ -1534,9 +1522,8 @@
while (expire >= now)
{
- DWORD status = WaitForSingleObject(win32_signal.in.read, (expire-now)*1000);
- if ((status == WAIT_OBJECT_0 && win32_signal_get(&win32_signal))
- || status == WAIT_TIMEOUT)
+ DWORD status = WaitForSingleObject(win32_signal.in.read, (expire - now) * 1000);
+ if ((status == WAIT_OBJECT_0 && win32_signal_get(&win32_signal)) || status == WAIT_TIMEOUT)
{
return;
}
@@ -1547,7 +1534,7 @@
{
if (expire > now)
{
- Sleep((expire-now)*1000);
+ Sleep((expire - now) * 1000);
}
return;
}
@@ -1599,8 +1586,8 @@
}
/* Check if the plugin path resides within the plugin/install directory */
- if ((wcslen(normalized_plugin_dir) > 0) && (wcsnicmp(normalized_plugin_dir,
- plugin_path, wcslen(normalized_plugin_dir)) == 0))
+ if ((wcslen(normalized_plugin_dir) > 0)
+ && (wcsnicmp(normalized_plugin_dir, plugin_path, wcslen(normalized_plugin_dir)) == 0))
{
return true;
}
@@ -34,12 +34,13 @@
#include "win32-util.h"
/* location of executables */
-#define SYS_PATH_ENV_VAR_NAME "SystemRoot" /* environmental variable name that normally contains the system path */
-#define NETSH_PATH_SUFFIX "\\system32\\netsh.exe"
-#define WIN_ROUTE_PATH_SUFFIX "\\system32\\route.exe"
+#define SYS_PATH_ENV_VAR_NAME \
+ "SystemRoot" /* environmental variable name that normally contains the system path */
+#define NETSH_PATH_SUFFIX "\\system32\\netsh.exe"
+#define WIN_ROUTE_PATH_SUFFIX "\\system32\\route.exe"
#define WIN_IPCONFIG_PATH_SUFFIX "\\system32\\ipconfig.exe"
-#define WIN_NET_PATH_SUFFIX "\\system32\\net.exe"
-#define WMIC_PATH_SUFFIX "\\system32\\wbem\\wmic.exe"
+#define WIN_NET_PATH_SUFFIX "\\system32\\net.exe"
+#define WMIC_PATH_SUFFIX "\\system32\\wbem\\wmic.exe"
/*
* Win32-specific OpenVPN code, targeted at the mingw
@@ -75,7 +76,8 @@
char old_window_title[256];
};
-struct rw_handle {
+struct rw_handle
+{
HANDLE read;
HANDLE write;
};
@@ -84,8 +86,8 @@
* Event-based notification of incoming TCP connections
*/
-#define NE32_PERSIST_EVENT (1<<0)
-#define NE32_WRITE_EVENT (1<<1)
+#define NE32_PERSIST_EVENT (1 << 0)
+#define NE32_WRITE_EVENT (1 << 1)
static inline bool
defined_net_event_win32(const struct rw_handle *event)
@@ -93,7 +95,8 @@
return event->read != NULL;
}
-void init_net_event_win32(struct rw_handle *event, long network_events, socket_descriptor_t sd, unsigned int flags);
+void init_net_event_win32(struct rw_handle *event, long network_events, socket_descriptor_t sd,
+ unsigned int flags);
long reset_net_event_win32(struct rw_handle *event, socket_descriptor_t sd);
@@ -149,7 +152,8 @@
/*
* Signal handling
*/
-struct win32_signal {
+struct win32_signal
+{
#define WSO_MODE_UNDEF 0
#define WSO_MODE_SERVICE 1
#define WSO_MODE_CONSOLE 2
@@ -169,10 +173,8 @@
#define WSO_FORCE_SERVICE 1
#define WSO_FORCE_CONSOLE 2
-void win32_signal_open(struct win32_signal *ws,
- int force, /* set to WSO force parm */
- const char *exit_event_name,
- bool exit_event_initial_state);
+void win32_signal_open(struct win32_signal *ws, int force, /* set to WSO force parm */
+ const char *exit_event_name, bool exit_event_initial_state);
void win32_signal_close(struct win32_signal *ws);
@@ -198,17 +200,19 @@
* We try to do all Win32 I/O using overlapped
* (i.e. asynchronous) I/O for a performance win.
*/
-struct overlapped_io {
+struct overlapped_io
+{
#define IOSTATE_INITIAL 0
-#define IOSTATE_QUEUED 1 /* overlapped I/O has been queued */
-#define IOSTATE_IMMEDIATE_RETURN 2 /* I/O function returned immediately without queueing */
+#define IOSTATE_QUEUED 1 /* overlapped I/O has been queued */
+#define IOSTATE_IMMEDIATE_RETURN 2 /* I/O function returned immediately without queueing */
int iostate;
OVERLAPPED overlapped;
DWORD size;
DWORD flags;
int status;
bool addr_defined;
- union {
+ union
+ {
struct sockaddr_in addr;
struct sockaddr_in6 addr6;
};
@@ -217,9 +221,7 @@
struct buffer buf;
};
-void overlapped_io_init(struct overlapped_io *o,
- const struct frame *frame,
- BOOL event_state);
+void overlapped_io_init(struct overlapped_io *o, const struct frame *frame, BOOL event_state);
void overlapped_io_close(struct overlapped_io *o);
@@ -304,14 +306,13 @@
* and read the result in |ack|. Returns false on communication error.
* The string in |context| is used to prefix error messages.
*/
-bool send_msg_iservice(HANDLE pipe, const void *data, size_t size,
- ack_message_t *ack, const char *context);
+bool send_msg_iservice(HANDLE pipe, const void *data, size_t size, ack_message_t *ack,
+ const char *context);
/*
* Attempt to simulate fork/execve on Windows
*/
-int
-openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned int flags);
+int openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned int flags);
/* Sleep that can be interrupted by signals and exit event */
void win32_sleep(const int n);
@@ -324,8 +325,7 @@
* @param size Size of `value` buffer in bytes.
* @return `true` if successful, `false` otherwise.
*/
-bool
-get_openvpn_reg_value(const WCHAR *key, WCHAR *value, DWORD size);
+bool get_openvpn_reg_value(const WCHAR *key, WCHAR *value, DWORD size);
/**
* @brief Checks if a plugin is located in a trusted directory.
@@ -340,8 +340,7 @@
* @param plugin_path Normalized path to the plugin.
* @return \c true if the plugin is in a trusted directory and not a UNC path; \c false otherwise.
*/
-bool
-plugin_in_trusted_dir(const WCHAR *plugin_path);
+bool plugin_in_trusted_dir(const WCHAR *plugin_path);
/**
* Encrypt a region of memory using CryptProtectMemory()
@@ -351,8 +350,7 @@
* - len number of bytes to encrypt -- must be a multiple of
* CRYPTPROTECTMEMORY_BLOCK_SIZE = 16
*/
-bool
-protect_buffer_win32(char *buf, size_t len);
+bool protect_buffer_win32(char *buf, size_t len);
/**
* Decrypt a previously encrypted region of memory using CryptUnProtectMemory()
@@ -362,8 +360,7 @@
* - len number of bytes to encrypt -- must be a multiple of
* CRYPTPROTECTMEMORY_BLOCK_SIZE = 16
*/
-bool
-unprotect_buffer_win32(char *buf, size_t len);
+bool unprotect_buffer_win32(char *buf, size_t len);
#endif /* ifndef OPENVPN_WIN32_H */
#endif /* ifdef _WIN32 */
@@ -46,12 +46,13 @@
* Struct to encapsulate signature algorithm parameters to pass
* to sign operation.
*/
-typedef struct {
+typedef struct
+{
const char *padmode; /**< "pkcs1", "pss" or "none" */
- const char *mdname; /**< "SHA256" or "SHA2-256" etc. */
+ const char *mdname; /**< "SHA256" or "SHA2-256" etc. */
const char *saltlen; /**< "digest", "auto" or "max" */
const char *keytype; /**< "EC" or "RSA" */
- const char *op; /**< "Sign" or "DigestSign" */
+ const char *op; /**< "Sign" or "DigestSign" */
} XKEY_SIGALG;
/**
@@ -78,15 +79,14 @@
* before signing. The digest algorithm used (or to be used) is passed in the sigalg
* structure.
*/
-typedef int (XKEY_EXTERNAL_SIGN_fn)(void *handle, unsigned char *sig, size_t *siglen,
- const unsigned char *tbs, size_t tbslen,
- XKEY_SIGALG sigalg);
+typedef int(XKEY_EXTERNAL_SIGN_fn)(void *handle, unsigned char *sig, size_t *siglen,
+ const unsigned char *tbs, size_t tbslen, XKEY_SIGALG sigalg);
/**
* Signature of private key free function callback used
* to free the opaque private key handle obtained from the
* backend. Not required for management-external-key.
*/
-typedef void (XKEY_PRIVKEY_FREE_fn)(void *handle);
+typedef void(XKEY_PRIVKEY_FREE_fn)(void *handle);
/**
* Generate an encapsulated EVP_PKEY for management-external-key
@@ -115,9 +115,8 @@
* to the required size and false is returned.
*
*/
-bool
-encode_pkcs1(unsigned char *enc, size_t *enc_len, const char *mdname,
- const unsigned char *tbs, size_t tbslen);
+bool encode_pkcs1(unsigned char *enc, size_t *enc_len, const char *mdname, const unsigned char *tbs,
+ size_t tbslen);
/**
* Compute message digest
@@ -133,9 +132,8 @@
* On successful return *buflen is set to the actual size of the result.
* TIP: EVP_MD_MAX_SIZE should be enough capacity of buf for al algorithms.
*/
-int
-xkey_digest(const unsigned char *src, size_t srclen, unsigned char *buf,
- size_t *buflen, const char *mdname);
+int xkey_digest(const unsigned char *src, size_t srclen, unsigned char *buf, size_t *buflen,
+ const char *mdname);
/**
* Load a generic external key with custom sign and free ops
@@ -150,9 +148,8 @@
* IMPORTANT: a reference to the handle is retained by the provider and
* relased by calling free_op. The caller should not free it.
*/
-EVP_PKEY *
-xkey_load_generic_key(OSSL_LIB_CTX *libctx, void *handle, EVP_PKEY *pubkey,
- XKEY_EXTERNAL_SIGN_fn *sign_op, XKEY_PRIVKEY_FREE_fn *free_op);
+EVP_PKEY *xkey_load_generic_key(OSSL_LIB_CTX *libctx, void *handle, EVP_PKEY *pubkey,
+ XKEY_EXTERNAL_SIGN_fn *sign_op, XKEY_PRIVKEY_FREE_fn *free_op);
extern OSSL_LIB_CTX *tls_libctx; /* Global */
@@ -166,7 +163,7 @@
static inline int
xkey_max_saltlen(int modBits, int hLen)
{
- int emLen = (modBits - 1 + 7)/8; /* ceil((modBits - 1)/8) */
+ int emLen = (modBits - 1 + 7) / 8; /* ceil((modBits - 1)/8) */
return emLen - hLen - 2;
}
@@ -181,8 +178,7 @@
* @returns the size of the converted signature or <= 0 on error.
* On success, buf is overwritten by its DER encoding
*/
-int
-ecdsa_bin2der(unsigned char *buf, int len, size_t capacity);
+int ecdsa_bin2der(unsigned char *buf, int len, size_t capacity);
#endif /* HAVE_XKEY_PROVIDER */
@@ -59,8 +59,8 @@
/** helper to compute digest */
int
-xkey_digest(const unsigned char *src, size_t srclen, unsigned char *buf,
- size_t *buflen, const char *mdname)
+xkey_digest(const unsigned char *src, size_t srclen, unsigned char *buf, size_t *buflen,
+ const char *mdname)
{
dmsg(D_XKEY, "In xkey_digest");
EVP_MD *md = EVP_MD_fetch(NULL, mdname, NULL); /* from default context */
@@ -70,7 +70,7 @@
return 0;
}
- unsigned int len = (unsigned int) *buflen;
+ unsigned int len = (unsigned int)*buflen;
if (EVP_Digest(src, srclen, buf, &len, md, NULL) != 1)
{
msg(M_WARN, "WARN: xkey_digest: EVP_Digest failed");
@@ -121,18 +121,17 @@
/* UTF8 string pointers in here are only read from, so cast is safe */
OSSL_PARAM params[] = {
- {"xkey-origin", OSSL_PARAM_UTF8_STRING, (char *) origin, 0, 0},
- {"pubkey", OSSL_PARAM_OCTET_STRING, &pubkey, sizeof(pubkey), 0},
- {"handle", OSSL_PARAM_OCTET_PTR, &handle, sizeof(handle), 0},
- {"sign_op", OSSL_PARAM_OCTET_PTR, (void **) &sign_op, sizeof(sign_op), 0},
- {"free_op", OSSL_PARAM_OCTET_PTR, (void **) &free_op, sizeof(free_op), 0},
- {NULL, 0, NULL, 0, 0}
+ { "xkey-origin", OSSL_PARAM_UTF8_STRING, (char *)origin, 0, 0 },
+ { "pubkey", OSSL_PARAM_OCTET_STRING, &pubkey, sizeof(pubkey), 0 },
+ { "handle", OSSL_PARAM_OCTET_PTR, &handle, sizeof(handle), 0 },
+ { "sign_op", OSSL_PARAM_OCTET_PTR, (void **)&sign_op, sizeof(sign_op), 0 },
+ { "free_op", OSSL_PARAM_OCTET_PTR, (void **)&free_op, sizeof(free_op), 0 },
+ { NULL, 0, NULL, 0, 0 }
};
/* Do not use EVP_PKEY_new_from_pkey as that will take keymgmt from pubkey */
EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(libctx, EVP_PKEY_get0_type_name(pubkey), props);
- if (!ctx
- || EVP_PKEY_fromdata_init(ctx) != 1
+ if (!ctx || EVP_PKEY_fromdata_init(ctx) != 1
|| EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) != 1)
{
print_openssl_errors();
@@ -161,13 +160,12 @@
* @return signature length or -1 on error.
*/
int
-xkey_management_sign(void *unused, unsigned char *sig, size_t *siglen,
- const unsigned char *tbs, size_t tbslen, XKEY_SIGALG alg)
+xkey_management_sign(void *unused, unsigned char *sig, size_t *siglen, const unsigned char *tbs,
+ size_t tbslen, XKEY_SIGALG alg)
{
- dmsg(D_XKEY, "In xkey_management_sign with keytype = %s, op = %s",
- alg.keytype, alg.op);
+ dmsg(D_XKEY, "In xkey_management_sign with keytype = %s, op = %s", alg.keytype, alg.op);
- (void) unused;
+ (void)unused;
char alg_str[128];
unsigned char buf[EVP_MAX_MD_SIZE]; /* for computing digest if required */
size_t buflen = sizeof(buf);
@@ -228,8 +226,7 @@
/* For undigested message, add hashalg=digest parameter */
else
{
- snprintf(alg_str, sizeof(alg_str), "%s,hashalg=%s",
- "RSA_PKCS1_PADDING", alg.mdname);
+ snprintf(alg_str, sizeof(alg_str), "%s,hashalg=%s", "RSA_PKCS1_PADDING", alg.mdname);
}
}
else if (!strcmp(alg.padmode, "none") && (flags & MF_EXTERNAL_KEY_NOPADDING)
@@ -239,13 +236,12 @@
}
else if (!strcmp(alg.padmode, "pss") && (flags & MF_EXTERNAL_KEY_PSSPAD))
{
- snprintf(alg_str, sizeof(alg_str), "%s,hashalg=%s,saltlen=%s",
- "RSA_PKCS1_PSS_PADDING", alg.mdname, alg.saltlen);
+ snprintf(alg_str, sizeof(alg_str), "%s,hashalg=%s,saltlen=%s", "RSA_PKCS1_PSS_PADDING",
+ alg.mdname, alg.saltlen);
}
else
{
- msg(M_NONFATAL, "RSA padding mode not supported by management-client <%s>",
- alg.padmode);
+ msg(M_NONFATAL, "RSA padding mode not supported by management-client <%s>", alg.padmode);
return 0;
}
@@ -260,7 +256,7 @@
char *out_b64 = NULL;
int len = -1;
- int bencret = openvpn_base64_encode(tbs, (int) tbslen, &in_b64);
+ int bencret = openvpn_base64_encode(tbs, (int)tbslen, &in_b64);
if (management && bencret > 0)
{
@@ -268,7 +264,7 @@
}
if (out_b64)
{
- len = openvpn_base64_decode(out_b64, sig, (int) *siglen);
+ len = openvpn_base64_decode(out_b64, sig, (int)*siglen);
}
free(in_b64);
free(out_b64);
@@ -295,8 +291,8 @@
* to the required size and false is returned.
*/
bool
-encode_pkcs1(unsigned char *enc, size_t *enc_len, const char *mdname,
- const unsigned char *tbs, size_t tbslen)
+encode_pkcs1(unsigned char *enc, size_t *enc_len, const char *mdname, const unsigned char *tbs,
+ size_t tbslen)
{
ASSERT(enc_len != NULL);
ASSERT(tbs != NULL);
@@ -309,32 +305,34 @@
* Also see the table in RFC 8017 section 9.2, Note 1.
*/
- const unsigned char sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b,
- 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14};
- const unsigned char sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
- 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
- const unsigned char sha384[] = {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
- 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30};
- const unsigned char sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
- 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
- const unsigned char sha224[] = {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
- 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c};
- const unsigned char sha512_224[] = {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
- 0x01, 0x65, 0x03, 0x04, 0x02, 0x05, 0x05, 0x00, 0x04, 0x1c};
- const unsigned char sha512_256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
- 0x01, 0x65, 0x03, 0x04, 0x02, 0x06, 0x05, 0x00, 0x04, 0x20};
+ const unsigned char sha1[] = { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
+ 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };
+ const unsigned char sha256[] = { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
+ 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 };
+ const unsigned char sha384[] = { 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
+ 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30 };
+ const unsigned char sha512[] = { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
+ 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40 };
+ const unsigned char sha224[] = { 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
+ 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c };
+ const unsigned char sha512_224[] = { 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
+ 0x65, 0x03, 0x04, 0x02, 0x05, 0x05, 0x00, 0x04, 0x1c };
+ const unsigned char sha512_256[] = { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
+ 0x65, 0x03, 0x04, 0x02, 0x06, 0x05, 0x00, 0x04, 0x20 };
- typedef struct {
+ typedef struct
+ {
const int nid;
const unsigned char *header;
size_t sz;
} DIG_INFO;
-#define MAKE_DI(x) {NID_ ## x, x, sizeof(x)}
+#define MAKE_DI(x) { NID_##x, x, sizeof(x) }
- DIG_INFO dinfo[] = {MAKE_DI(sha1), MAKE_DI(sha256), MAKE_DI(sha384),
- MAKE_DI(sha512), MAKE_DI(sha224), MAKE_DI(sha512_224),
- MAKE_DI(sha512_256), {0, NULL, 0}};
+ DIG_INFO dinfo[] = {
+ MAKE_DI(sha1), MAKE_DI(sha256), MAKE_DI(sha384), MAKE_DI(sha512),
+ MAKE_DI(sha224), MAKE_DI(sha512_224), MAKE_DI(sha512_256), { 0, NULL, 0 }
+ };
size_t out_len = 0;
bool ret = false;
@@ -387,8 +385,7 @@
/* combine header and digest */
memcpy(enc, di->header, di->sz);
memcpy(enc + di->sz, tbs, tbslen);
- dmsg(D_XKEY, "encode_pkcs1: digest length = %zu encoded length = %zu",
- tbslen, out_len);
+ dmsg(D_XKEY, "encode_pkcs1: digest length = %zu encoded length = %zu", tbslen, out_len);
ret = true;
}
@@ -408,9 +405,9 @@
ecdsa_bin2der(unsigned char *buf, int len, size_t capacity)
{
ECDSA_SIG *ecsig = NULL;
- int rlen = len/2;
+ int rlen = len / 2;
BIGNUM *r = BN_bin2bn(buf, rlen, NULL);
- BIGNUM *s = BN_bin2bn(buf+rlen, rlen, NULL);
+ BIGNUM *s = BN_bin2bn(buf + rlen, rlen, NULL);
if (!r || !s)
{
goto err;
@@ -427,7 +424,7 @@
}
int derlen = i2d_ECDSA_SIG(ecsig, NULL);
- if (derlen > (int) capacity)
+ if (derlen > (int)capacity)
{
ECDSA_SIG_free(ecsig);
msg(M_NONFATAL, "Error: DER encoded ECDSA signature is too long (%d)\n", derlen);
@@ -46,15 +46,16 @@
typedef struct
{
- OSSL_LIB_CTX *libctx; /**< a child libctx for our own use */
+ OSSL_LIB_CTX *libctx; /**< a child libctx for our own use */
} XKEY_PROVIDER_CTX;
/* helper to print debug messages */
-#define xkey_dmsg(f, ...) \
- do { \
- dmsg(f|M_NOLF, "xkey_provider: In %s: ", __func__); \
- dmsg(f|M_NOPREFIX, __VA_ARGS__); \
- } while(0)
+#define xkey_dmsg(f, ...) \
+ do \
+ { \
+ dmsg(f | M_NOLF, "xkey_provider: In %s: ", __func__); \
+ dmsg(f | M_NOPREFIX, __VA_ARGS__); \
+ } while (0)
typedef enum
{
@@ -93,7 +94,7 @@
/** keydata handle free function of backend */
XKEY_PRIVKEY_FREE_fn *free;
XKEY_PROVIDER_CTX *prov;
- int refcount; /**< reference count */
+ int refcount; /**< reference count */
} XKEY_KEYDATA;
static inline const char *
@@ -128,9 +129,8 @@
* Helper sign function for native keys
* Implemented using OpenSSL calls.
*/
-int
-xkey_native_sign(XKEY_KEYDATA *key, unsigned char *sig, size_t *siglen,
- const unsigned char *tbs, size_t tbslen, XKEY_SIGALG sigalg);
+int xkey_native_sign(XKEY_KEYDATA *key, unsigned char *sig, size_t *siglen,
+ const unsigned char *tbs, size_t tbslen, XKEY_SIGALG sigalg);
/* keymgmt provider */
@@ -150,8 +150,7 @@
static OSSL_FUNC_keymgmt_query_operation_name_fn rsa_keymgmt_name;
static OSSL_FUNC_keymgmt_query_operation_name_fn ec_keymgmt_name;
-static int
-keymgmt_import_helper(XKEY_KEYDATA *key, const OSSL_PARAM params[]);
+static int keymgmt_import_helper(XKEY_KEYDATA *key, const OSSL_PARAM params[]);
static XKEY_KEYDATA *
keydata_new(void)
@@ -273,9 +272,8 @@
int selection_pub = selection & ~OSSL_KEYMGMT_SELECT_PRIVATE_KEY;
EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(key->prov->libctx, name, NULL);
- if (!ctx
- || (EVP_PKEY_fromdata_init(ctx) != 1)
- || (EVP_PKEY_fromdata(ctx, &pkey, selection_pub, (OSSL_PARAM *) params) !=1))
+ if (!ctx || (EVP_PKEY_fromdata_init(ctx) != 1)
+ || (EVP_PKEY_fromdata(ctx, &pkey, selection_pub, (OSSL_PARAM *)params) != 1))
{
msg(M_WARN, "Error: keymgmt_import failed for key type <%s>", name);
if (pkey)
@@ -295,10 +293,10 @@
{
/* create private key */
pkey = NULL;
- if (EVP_PKEY_fromdata(ctx, &pkey, selection, (OSSL_PARAM *) params) == 1)
+ if (EVP_PKEY_fromdata(ctx, &pkey, selection, (OSSL_PARAM *)params) == 1)
{
key->handle = pkey;
- key->free = (XKEY_PRIVKEY_FREE_fn *) EVP_PKEY_free;
+ key->free = (XKEY_PRIVKEY_FREE_fn *)EVP_PKEY_free;
}
}
EVP_PKEY_CTX_free(ctx);
@@ -419,12 +417,10 @@
{
xkey_dmsg(D_XKEY, "entry");
- static OSSL_PARAM gettable[] = {
- OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),
- OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),
- OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
- OSSL_PARAM_END
- };
+ static OSSL_PARAM gettable[] = { OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
+ OSSL_PARAM_END };
return gettable;
}
@@ -471,14 +467,14 @@
/* only check params we understand and ignore the rest */
p = OSSL_PARAM_locate_const(params, "pubkey"); /*setting pubkey on our keydata */
- if (p && p->data_type == OSSL_PARAM_OCTET_STRING
- && p->data_size == sizeof(pkey))
+ if (p && p->data_type == OSSL_PARAM_OCTET_STRING && p->data_size == sizeof(pkey))
{
pkey = *(EVP_PKEY **)p->data;
ASSERT(pkey);
int id = EVP_PKEY_get_id(pkey);
- if (id != EVP_PKEY_RSA && id != EVP_PKEY_EC && id != EVP_PKEY_ED25519 && id != EVP_PKEY_ED448)
+ if (id != EVP_PKEY_RSA && id != EVP_PKEY_EC && id != EVP_PKEY_ED25519
+ && id != EVP_PKEY_ED448)
{
msg(M_WARN, "Error: xkey keymgmt_import: unknown key type (%d)", id);
return 0;
@@ -493,8 +489,7 @@
}
p = OSSL_PARAM_locate_const(params, "handle"); /*setting privkey */
- if (p && p->data_type == OSSL_PARAM_OCTET_PTR
- && p->data_size == sizeof(key->handle))
+ if (p && p->data_type == OSSL_PARAM_OCTET_PTR && p->data_size == sizeof(key->handle))
{
key->handle = *(void **)p->data;
/* caller should keep the reference alive until we call free */
@@ -502,8 +497,7 @@
}
p = OSSL_PARAM_locate_const(params, "sign_op"); /*setting sign_op */
- if (p && p->data_type == OSSL_PARAM_OCTET_PTR
- && p->data_size == sizeof(key->sign))
+ if (p && p->data_type == OSSL_PARAM_OCTET_PTR && p->data_size == sizeof(key->sign))
{
key->sign = *(void **)p->data;
ASSERT(key->sign); /* fix your params array */
@@ -511,8 +505,7 @@
/* optional parameters */
p = OSSL_PARAM_locate_const(params, "free_op"); /*setting free_op */
- if (p && p->data_type == OSSL_PARAM_OCTET_PTR
- && p->data_size == sizeof(key->free))
+ if (p && p->data_type == OSSL_PARAM_OCTET_PTR && p->data_size == sizeof(key->free))
{
key->free = *(void **)p->data;
}
@@ -586,75 +579,80 @@
}
static const OSSL_DISPATCH rsa_keymgmt_functions[] = {
- {OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))keymgmt_new},
- {OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))keymgmt_free},
- {OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))keymgmt_load},
- {OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))keymgmt_has},
- {OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))keymgmt_match},
- {OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))rsa_keymgmt_import},
- {OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))keymgmt_import_types},
- {OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params},
- {OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*)(void))keymgmt_get_params},
- {OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*)(void))keymgmt_set_params},
- {OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params}, /* same as gettable */
- {OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME, (void (*)(void))rsa_keymgmt_name},
- {0, NULL }
+ { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))keymgmt_new },
+ { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))keymgmt_free },
+ { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))keymgmt_load },
+ { OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))keymgmt_has },
+ { OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))keymgmt_match },
+ { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))rsa_keymgmt_import },
+ { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))keymgmt_import_types },
+ { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params },
+ { OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*)(void))keymgmt_get_params },
+ { OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*)(void))keymgmt_set_params },
+ { OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS,
+ (void (*)(void))keymgmt_gettable_params }, /* same as gettable */
+ { OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME, (void (*)(void))rsa_keymgmt_name },
+ { 0, NULL }
};
static const OSSL_DISPATCH ec_keymgmt_functions[] = {
- {OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))keymgmt_new},
- {OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))keymgmt_free},
- {OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))keymgmt_load},
- {OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))keymgmt_has},
- {OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))keymgmt_match},
- {OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))ec_keymgmt_import},
- {OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))keymgmt_import_types},
- {OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params},
- {OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*)(void))keymgmt_get_params},
- {OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*)(void))keymgmt_set_params},
- {OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params}, /* same as gettable */
- {OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME, (void (*)(void))ec_keymgmt_name},
- {0, NULL }
+ { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))keymgmt_new },
+ { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))keymgmt_free },
+ { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))keymgmt_load },
+ { OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))keymgmt_has },
+ { OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))keymgmt_match },
+ { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))ec_keymgmt_import },
+ { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))keymgmt_import_types },
+ { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params },
+ { OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*)(void))keymgmt_get_params },
+ { OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*)(void))keymgmt_set_params },
+ { OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS,
+ (void (*)(void))keymgmt_gettable_params }, /* same as gettable */
+ { OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME, (void (*)(void))ec_keymgmt_name },
+ { 0, NULL }
};
static const OSSL_DISPATCH ed448_keymgmt_functions[] = {
- {OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))keymgmt_new},
- {OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))keymgmt_free},
- {OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))keymgmt_load},
- {OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))keymgmt_has},
- {OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))keymgmt_match},
- {OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))ed448_keymgmt_import},
- {OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))keymgmt_import_types},
- {OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params},
- {OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*)(void))keymgmt_get_params},
- {OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*)(void))keymgmt_set_params},
- {OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params}, /* same as gettable */
- {0, NULL }
+ { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))keymgmt_new },
+ { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))keymgmt_free },
+ { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))keymgmt_load },
+ { OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))keymgmt_has },
+ { OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))keymgmt_match },
+ { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))ed448_keymgmt_import },
+ { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))keymgmt_import_types },
+ { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params },
+ { OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*)(void))keymgmt_get_params },
+ { OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*)(void))keymgmt_set_params },
+ { OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS,
+ (void (*)(void))keymgmt_gettable_params }, /* same as gettable */
+ { 0, NULL }
};
static const OSSL_DISPATCH ed25519_keymgmt_functions[] = {
- {OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))keymgmt_new},
- {OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))keymgmt_free},
- {OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))keymgmt_load},
- {OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))keymgmt_has},
- {OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))keymgmt_match},
- {OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))ed25519_keymgmt_import},
- {OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))keymgmt_import_types},
- {OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params},
- {OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*)(void))keymgmt_get_params},
- {OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*)(void))keymgmt_set_params},
- {OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params}, /* same as gettable */
- {0, NULL }
+ { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))keymgmt_new },
+ { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))keymgmt_free },
+ { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))keymgmt_load },
+ { OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))keymgmt_has },
+ { OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))keymgmt_match },
+ { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))ed25519_keymgmt_import },
+ { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))keymgmt_import_types },
+ { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params },
+ { OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*)(void))keymgmt_get_params },
+ { OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*)(void))keymgmt_set_params },
+ { OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS,
+ (void (*)(void))keymgmt_gettable_params }, /* same as gettable */
+ { 0, NULL }
};
const OSSL_ALGORITHM keymgmts[] = {
- {"RSA:rsaEncryption", XKEY_PROV_PROPS, rsa_keymgmt_functions, "OpenVPN xkey RSA Key Manager"},
- {"RSA-PSS:RSASSA-PSS", XKEY_PROV_PROPS, rsa_keymgmt_functions, "OpenVPN xkey RSA-PSS Key Manager"},
- {"EC:id-ecPublicKey", XKEY_PROV_PROPS, ec_keymgmt_functions, "OpenVPN xkey EC Key Manager"},
- {"ED448", XKEY_PROV_PROPS, ed448_keymgmt_functions, "OpenVPN xkey ED448 Key Manager"},
- {"ED25519", XKEY_PROV_PROPS, ed25519_keymgmt_functions, "OpenVPN xkey ED25519 Key Manager"},
- {NULL, NULL, NULL, NULL}
+ { "RSA:rsaEncryption", XKEY_PROV_PROPS, rsa_keymgmt_functions, "OpenVPN xkey RSA Key Manager" },
+ { "RSA-PSS:RSASSA-PSS", XKEY_PROV_PROPS, rsa_keymgmt_functions,
+ "OpenVPN xkey RSA-PSS Key Manager" },
+ { "EC:id-ecPublicKey", XKEY_PROV_PROPS, ec_keymgmt_functions, "OpenVPN xkey EC Key Manager" },
+ { "ED448", XKEY_PROV_PROPS, ed448_keymgmt_functions, "OpenVPN xkey ED448 Key Manager" },
+ { "ED25519", XKEY_PROV_PROPS, ed25519_keymgmt_functions, "OpenVPN xkey ED25519 Key Manager" },
+ { NULL, NULL, NULL, NULL }
};
@@ -681,29 +679,39 @@
XKEY_SIGALG sigalg;
} XKEY_SIGNATURE_CTX;
-static const XKEY_SIGALG default_sigalg = { .mdname = "MD5-SHA1", .saltlen = "digest",
- .padmode = "pkcs1", .keytype = "RSA"};
+static const XKEY_SIGALG default_sigalg = {
+ .mdname = "MD5-SHA1", .saltlen = "digest", .padmode = "pkcs1", .keytype = "RSA"
+};
-const struct {
+const struct
+{
int nid;
const char *name;
-} digest_names[] = {{NID_md5_sha1, "MD5-SHA1"}, {NID_sha1, "SHA1"},
- {NID_sha224, "SHA224", }, {NID_sha256, "SHA256"}, {NID_sha384, "SHA384"},
- {NID_sha512, "SHA512"}, {0, NULL}};
+} digest_names[] = { { NID_md5_sha1, "MD5-SHA1" },
+ { NID_sha1, "SHA1" },
+ {
+ NID_sha224,
+ "SHA224",
+ },
+ { NID_sha256, "SHA256" },
+ { NID_sha384, "SHA384" },
+ { NID_sha512, "SHA512" },
+ { 0, NULL } };
/* Use of NIDs as opposed to EVP_MD_fetch is okay here
* as these are only used for converting names passed in
* by OpenSSL to const strings.
*/
-static struct {
+static struct
+{
int id;
const char *name;
-} padmode_names[] = {{RSA_PKCS1_PADDING, "pkcs1"},
- {RSA_PKCS1_PSS_PADDING, "pss"},
- {RSA_NO_PADDING, "none"},
- {0, NULL}};
+} padmode_names[] = { { RSA_PKCS1_PADDING, "pkcs1" },
+ { RSA_PKCS1_PSS_PADDING, "pss" },
+ { RSA_NO_PADDING, "none" },
+ { 0, NULL } };
-static const char *saltlen_names[] = {"digest", "max", "auto", NULL};
+static const char *saltlen_names[] = { "digest", "max", "auto", NULL };
/* Return a string literal for digest name - normalizes
* alternate names like SHA2-256 to SHA256 etc.
@@ -724,7 +732,7 @@
{
i++;
}
- return digest_names[i].name ? digest_names[i].name : "MD5-SHA1";
+ return digest_names[i].name ? digest_names[i].name : "MD5-SHA1";
}
static void *
@@ -732,7 +740,7 @@
{
xkey_dmsg(D_XKEY, "entry");
- (void) propq; /* unused */
+ (void)propq; /* unused */
XKEY_SIGNATURE_CTX *sctx = OPENSSL_zalloc(sizeof(*sctx));
if (!sctx)
@@ -767,8 +775,7 @@
static OSSL_PARAM settable[] = {
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
- OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
- OSSL_PARAM_END
+ OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), OSSL_PARAM_END
};
return settable;
@@ -784,7 +791,7 @@
if (params == NULL)
{
- return 1; /* not an error */
+ return 1; /* not an error */
}
p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PAD_MODE);
if (p && p->data_type == OSSL_PARAM_UTF8_STRING)
@@ -800,8 +807,7 @@
}
if (sctx->sigalg.padmode == NULL)
{
- msg(M_WARN, "xkey signature_ctx: padmode <%s>, treating as <none>",
- (char *)p->data);
+ msg(M_WARN, "xkey signature_ctx: padmode <%s>, treating as <none>", (char *)p->data);
sctx->sigalg.padmode = "none";
}
xkey_dmsg(D_XKEY, "setting padmode as %s", sctx->sigalg.padmode);
@@ -834,7 +840,7 @@
}
p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);
- if (p && p->data_type == OSSL_PARAM_UTF8_STRING)
+ if (p && p->data_type == OSSL_PARAM_UTF8_STRING)
{
sctx->sigalg.mdname = xkey_mdname(p->data);
xkey_dmsg(D_XKEY, "setting hashalg as %s", sctx->sigalg.mdname);
@@ -858,8 +864,7 @@
}
if (sctx->sigalg.saltlen == NULL)
{
- msg(M_WARN, "xkey_signature_params: unknown saltlen <%s>",
- (char *)p->data);
+ msg(M_WARN, "xkey_signature_params: unknown saltlen <%s>", (char *)p->data);
sctx->sigalg.saltlen = "digest"; /* most common */
}
xkey_dmsg(D_XKEY, "setting saltlen to %s", sctx->sigalg.saltlen);
@@ -924,7 +929,8 @@
else if (sign)
{
ret = sign(sctx->keydata->handle, sig, siglen, tbs, tbslen, sctx->sigalg);
- xkey_dmsg(D_XKEY, "xkey_provider: external sign op returned ret = %d siglen = %d", ret, (int) *siglen);
+ xkey_dmsg(D_XKEY, "xkey_provider: external sign op returned ret = %d siglen = %d", ret,
+ (int)*siglen);
}
else
{
@@ -979,8 +985,7 @@
}
static int
-signature_digest_sign_init(void *ctx, const char *mdname,
- void *provkey, const OSSL_PARAM params[])
+signature_digest_sign_init(void *ctx, const char *mdname, void *provkey, const OSSL_PARAM params[])
{
xkey_dmsg(D_XKEY, "mdname = <%s>", mdname);
@@ -1022,8 +1027,8 @@
}
static int
-signature_digest_sign(void *ctx, unsigned char *sig, size_t *siglen,
- size_t sigsize, const unsigned char *tbs, size_t tbslen)
+signature_digest_sign(void *ctx, unsigned char *sig, size_t *siglen, size_t sigsize,
+ const unsigned char *tbs, size_t tbslen)
{
xkey_dmsg(D_XKEY, "entry");
@@ -1072,8 +1077,8 @@
/* Sign digest using native sign function -- will only work for native keys
*/
int
-xkey_native_sign(XKEY_KEYDATA *key, unsigned char *sig, size_t *siglen,
- const unsigned char *tbs, size_t tbslen, XKEY_SIGALG sigalg)
+xkey_native_sign(XKEY_KEYDATA *key, unsigned char *sig, size_t *siglen, const unsigned char *tbs,
+ size_t tbslen, XKEY_SIGALG sigalg)
{
xkey_dmsg(D_XKEY, "entry");
@@ -1100,13 +1105,17 @@
OSSL_PARAM params[6];
if (EVP_PKEY_get_id(pkey) == EVP_PKEY_RSA)
{
- params[i++] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, (char *)mdname, 0);
- params[i++] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, (char *)padmode, 0);
+ params[i++] =
+ OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, (char *)mdname, 0);
+ params[i++] =
+ OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, (char *)padmode, 0);
if (!strcmp(sigalg.padmode, "pss"))
{
- params[i++] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, (char *) saltlen, 0);
+ params[i++] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN,
+ (char *)saltlen, 0);
/* same digest for mgf1 */
- params[i++] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, (char *) mdname, 0);
+ params[i++] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST,
+ (char *)mdname, 0);
}
}
params[i++] = OSSL_PARAM_construct_end();
@@ -1133,27 +1142,27 @@
}
static const OSSL_DISPATCH signature_functions[] = {
- {OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))signature_newctx},
- {OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))signature_freectx},
- {OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))signature_sign_init},
- {OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))signature_sign},
- {OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, (void (*)(void))signature_digest_verify_init},
- {OSSL_FUNC_SIGNATURE_DIGEST_VERIFY, (void (*)(void))signature_digest_verify},
- {OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, (void (*)(void))signature_digest_sign_init},
- {OSSL_FUNC_SIGNATURE_DIGEST_SIGN, (void (*)(void))signature_digest_sign},
- {OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))signature_set_ctx_params},
- {OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, (void (*)(void))signature_settable_ctx_params},
- {OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))signature_get_ctx_params},
- {OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, (void (*)(void))signature_gettable_ctx_params},
- {0, NULL }
+ { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))signature_newctx },
+ { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))signature_freectx },
+ { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))signature_sign_init },
+ { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))signature_sign },
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, (void (*)(void))signature_digest_verify_init },
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY, (void (*)(void))signature_digest_verify },
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, (void (*)(void))signature_digest_sign_init },
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN, (void (*)(void))signature_digest_sign },
+ { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))signature_set_ctx_params },
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, (void (*)(void))signature_settable_ctx_params },
+ { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))signature_get_ctx_params },
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, (void (*)(void))signature_gettable_ctx_params },
+ { 0, NULL }
};
const OSSL_ALGORITHM signatures[] = {
- {"RSA:rsaEncryption", XKEY_PROV_PROPS, signature_functions, "OpenVPN xkey RSA Signature"},
- {"ECDSA", XKEY_PROV_PROPS, signature_functions, "OpenVPN xkey ECDSA Signature"},
- {"ED448", XKEY_PROV_PROPS, signature_functions, "OpenVPN xkey Ed448 Signature"},
- {"ED25519", XKEY_PROV_PROPS, signature_functions, "OpenVPN xkey Ed25519 Signature"},
- {NULL, NULL, NULL, NULL}
+ { "RSA:rsaEncryption", XKEY_PROV_PROPS, signature_functions, "OpenVPN xkey RSA Signature" },
+ { "ECDSA", XKEY_PROV_PROPS, signature_functions, "OpenVPN xkey ECDSA Signature" },
+ { "ED448", XKEY_PROV_PROPS, signature_functions, "OpenVPN xkey Ed448 Signature" },
+ { "ED25519", XKEY_PROV_PROPS, signature_functions, "OpenVPN xkey Ed25519 Signature" },
+ { NULL, NULL, NULL, NULL }
};
/* main provider interface */
@@ -1192,8 +1201,7 @@
xkey_dmsg(D_XKEY, "entry");
static const OSSL_PARAM param_types[] = {
- OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0),
- OSSL_PARAM_END
+ OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0), OSSL_PARAM_END
};
return param_types;
@@ -1228,11 +1236,11 @@
}
static const OSSL_DISPATCH dispatch_table[] = {
- {OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))gettable_params},
- {OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))get_params},
- {OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))query_operation},
- {OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))teardown},
- {0, NULL}
+ { OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))gettable_params },
+ { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))get_params },
+ { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))query_operation },
+ { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))teardown },
+ { 0, NULL }
};
int
@@ -41,10 +41,7 @@
* DLL entry point
*/
BOOL WINAPI
-DllMain(
- _In_ HINSTANCE hinstDLL,
- _In_ DWORD dwReason,
- _In_ LPVOID lpReserved)
+DllMain(_In_ HINSTANCE hinstDLL, _In_ DWORD dwReason, _In_ LPVOID lpReserved)
{
UNREFERENCED_PARAMETER(hinstDLL);
UNREFERENCED_PARAMETER(lpReserved);
@@ -58,12 +55,13 @@
{
return FALSE;
}
- /* Fall through. */
+ /* Fall through. */
case DLL_THREAD_ATTACH:
{
/* Create thread local storage data. */
- struct openvpnmsica_thread_data *s = (struct openvpnmsica_thread_data *)calloc(1, sizeof(struct openvpnmsica_thread_data));
+ struct openvpnmsica_thread_data *s = (struct openvpnmsica_thread_data *)calloc(
+ 1, sizeof(struct openvpnmsica_thread_data));
if (s == NULL)
{
return FALSE;
@@ -107,7 +105,8 @@
/* Secure last error before it is overridden. */
DWORD dwResult = (flags & M_ERRNO) != 0 ? GetLastError() : ERROR_SUCCESS;
- struct openvpnmsica_thread_data *s = (struct openvpnmsica_thread_data *)TlsGetValue(openvpnmsica_thread_data_idx);
+ struct openvpnmsica_thread_data *s =
+ (struct openvpnmsica_thread_data *)TlsGetValue(openvpnmsica_thread_data_idx);
if (s->hInstall == 0)
{
/* No MSI session, no fun. */
@@ -160,16 +159,13 @@
/* Field 4: The Windows error description. */
LPWSTR szErrMessage = NULL;
- if (FormatMessage(
- FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS,
- 0,
- dwResult,
- 0,
- (LPWSTR)&szErrMessage,
- 0,
- NULL) && szErrMessage)
+ if (FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER
+ | FORMAT_MESSAGE_IGNORE_INSERTS,
+ 0, dwResult, 0, (LPWSTR)&szErrMessage, 0, NULL)
+ && szErrMessage)
{
- /* Trim trailing whitespace. Set terminator after the last non-whitespace character. This prevents excessive trailing line breaks. */
+ /* Trim trailing whitespace. Set terminator after the last non-whitespace character.
+ * This prevents excessive trailing line breaks. */
for (size_t i = 0, i_last = 0;; i++)
{
if (szErrMessage[i])
@@ -190,6 +186,7 @@
}
}
- MsiProcessMessage(s->hInstall, (flags & M_WARN) ? INSTALLMESSAGE_INFO : INSTALLMESSAGE_ERROR, hRecordProg);
+ MsiProcessMessage(s->hInstall, (flags & M_WARN) ? INSTALLMESSAGE_INFO : INSTALLMESSAGE_ERROR,
+ hRecordProg);
MsiCloseHandle(hRecordProg);
}
@@ -51,15 +51,14 @@
void
-msica_arg_seq_add_head(
- _Inout_ struct msica_arg_seq *seq,
- _In_z_ LPCWSTR argument)
+msica_arg_seq_add_head(_Inout_ struct msica_arg_seq *seq, _In_z_ LPCWSTR argument)
{
size_t argument_size = (wcslen(argument) + 1) * sizeof(WCHAR);
struct msica_arg *p = malloc(sizeof(struct msica_arg) + argument_size);
if (p == NULL)
{
- msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__, sizeof(struct msica_arg) + argument_size);
+ msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__,
+ sizeof(struct msica_arg) + argument_size);
}
memcpy(p->val, argument, argument_size);
p->next = seq->head;
@@ -72,15 +71,14 @@
void
-msica_arg_seq_add_tail(
- _Inout_ struct msica_arg_seq *seq,
- _Inout_ LPCWSTR argument)
+msica_arg_seq_add_tail(_Inout_ struct msica_arg_seq *seq, _Inout_ LPCWSTR argument)
{
size_t argument_size = (wcslen(argument) + 1) * sizeof(WCHAR);
struct msica_arg *p = malloc(sizeof(struct msica_arg) + argument_size);
if (p == NULL)
{
- msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__, sizeof(struct msica_arg) + argument_size);
+ msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__,
+ sizeof(struct msica_arg) + argument_size);
}
memcpy(p->val, argument, argument_size);
p->next = NULL;
@@ -110,10 +108,13 @@
#ifdef _MSC_VER
#pragma warning(push)
-#pragma warning(disable: 4996) /* Using unsafe string functions: The space in s and termination of p->val has been implicitly verified at the beginning of this function. */
+#pragma warning( \
+ disable : 4996) /* Using unsafe string functions: The space in s and termination of p->val has \
+ been implicitly verified at the beginning of this function. */
#endif
- /* Dummy argv[0] (i.e. executable name), for CommandLineToArgvW to work correctly when parsing this string. */
+ /* Dummy argv[0] (i.e. executable name), for CommandLineToArgvW to work correctly when parsing
+ * this string. */
wcscpy(str, L"x");
/* Join. */
@@ -27,7 +27,7 @@
#ifdef _MSC_VER
#pragma warning(push)
-#pragma warning(disable: 4200) /* Using zero-sized arrays in struct/union. */
+#pragma warning(disable : 4200) /* Using zero-sized arrays in struct/union. */
#endif
@@ -56,8 +56,7 @@
*
* @param seq Pointer to uninitialized argument sequence
*/
-void
-msica_arg_seq_init(_Inout_ struct msica_arg_seq *seq);
+void msica_arg_seq_init(_Inout_ struct msica_arg_seq *seq);
/**
@@ -65,8 +64,7 @@
*
* @param seq Pointer to the argument sequence
*/
-void
-msica_arg_seq_free(_Inout_ struct msica_arg_seq *seq);
+void msica_arg_seq_free(_Inout_ struct msica_arg_seq *seq);
/**
@@ -76,10 +74,7 @@
*
* @param argument Zero-terminated argument string to insert.
*/
-void
-msica_arg_seq_add_head(
- _Inout_ struct msica_arg_seq *seq,
- _In_z_ LPCWSTR argument);
+void msica_arg_seq_add_head(_Inout_ struct msica_arg_seq *seq, _In_z_ LPCWSTR argument);
/**
@@ -89,10 +84,7 @@
*
* @param argument Zero-terminated argument string to append.
*/
-void
-msica_arg_seq_add_tail(
- _Inout_ struct msica_arg_seq *seq,
- _Inout_ LPCWSTR argument);
+void msica_arg_seq_add_tail(_Inout_ struct msica_arg_seq *seq, _Inout_ LPCWSTR argument);
/**
* Join arguments of the argument sequence into a space delimited string
@@ -34,10 +34,7 @@
UINT
-msi_get_string(
- _In_ MSIHANDLE hInstall,
- _In_z_ LPCWSTR szName,
- _Out_ LPWSTR *pszValue)
+msi_get_string(_In_ MSIHANDLE hInstall, _In_z_ LPCWSTR szName, _Out_ LPWSTR *pszValue)
{
if (pszValue == NULL)
{
@@ -84,7 +81,8 @@
}
else
{
- SetLastError(uiResult); /* MSDN does not mention MsiGetProperty() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(uiResult); /* MSDN does not mention MsiGetProperty() to set GetLastError(). But
+ we do have an error code. Set last error manually. */
msg(M_NONFATAL | M_ERRNO, "%s: MsiGetProperty failed", __FUNCTION__);
return uiResult;
}
@@ -92,10 +90,7 @@
UINT
-msi_get_record_string(
- _In_ MSIHANDLE hRecord,
- _In_ unsigned int iField,
- _Out_ LPWSTR *pszValue)
+msi_get_record_string(_In_ MSIHANDLE hRecord, _In_ unsigned int iField, _Out_ LPWSTR *pszValue)
{
if (pszValue == NULL)
{
@@ -142,7 +137,8 @@
}
else
{
- SetLastError(uiResult); /* MSDN does not mention MsiRecordGetString() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(uiResult); /* MSDN does not mention MsiRecordGetString() to set GetLastError().
+ But we do have an error code. Set last error manually. */
msg(M_NONFATAL | M_ERRNO, "%s: MsiRecordGetString failed", __FUNCTION__);
return uiResult;
}
@@ -150,10 +146,7 @@
UINT
-msi_format_record(
- _In_ MSIHANDLE hInstall,
- _In_ MSIHANDLE hRecord,
- _Out_ LPWSTR *pszValue)
+msi_format_record(_In_ MSIHANDLE hInstall, _In_ MSIHANDLE hRecord, _Out_ LPWSTR *pszValue)
{
if (pszValue == NULL)
{
@@ -200,7 +193,8 @@
}
else
{
- SetLastError(uiResult); /* MSDN does not mention MsiFormatRecord() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(uiResult); /* MSDN does not mention MsiFormatRecord() to set GetLastError().
+ But we do have an error code. Set last error manually. */
msg(M_NONFATAL | M_ERRNO, "%s: MsiFormatRecord failed", __FUNCTION__);
return uiResult;
}
@@ -208,11 +202,8 @@
UINT
-msi_format_field(
- _In_ MSIHANDLE hInstall,
- _In_ MSIHANDLE hRecord,
- _In_ unsigned int iField,
- _Out_ LPWSTR *pszValue)
+msi_format_field(_In_ MSIHANDLE hInstall, _In_ MSIHANDLE hRecord, _In_ unsigned int iField,
+ _Out_ LPWSTR *pszValue)
{
if (pszValue == NULL)
{
@@ -246,7 +237,8 @@
uiResult = MsiRecordSetString(hRecordEx, 0, szValue);
if (uiResult != ERROR_SUCCESS)
{
- SetLastError(uiResult); /* MSDN does not mention MsiRecordSetString() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(uiResult); /* MSDN does not mention MsiRecordSetString() to set GetLastError().
+ But we do have an error code. Set last error manually. */
msg(M_NONFATAL | M_ERRNO, "%s: MsiRecordSetString failed", __FUNCTION__);
goto cleanup_hRecordEx;
}
@@ -37,11 +37,7 @@
*
* @return ERROR_SUCCESS on success; Win32 error code otherwise
*/
-UINT
-msi_get_string(
- _In_ MSIHANDLE hInstall,
- _In_z_ LPCWSTR szName,
- _Out_ LPWSTR *pszValue);
+UINT msi_get_string(_In_ MSIHANDLE hInstall, _In_z_ LPCWSTR szName, _Out_ LPWSTR *pszValue);
/**
@@ -56,11 +52,8 @@
*
* @return ERROR_SUCCESS on success; Win32 error code otherwise
*/
-UINT
-msi_get_record_string(
- _In_ MSIHANDLE hRecord,
- _In_ unsigned int iField,
- _Out_ LPWSTR *pszValue);
+UINT msi_get_record_string(_In_ MSIHANDLE hRecord, _In_ unsigned int iField,
+ _Out_ LPWSTR *pszValue);
/**
@@ -78,11 +71,7 @@
*
* @return ERROR_SUCCESS on success; Win32 error code otherwise
*/
-UINT
-msi_format_record(
- _In_ MSIHANDLE hInstall,
- _In_ MSIHANDLE hRecord,
- _Out_ LPWSTR *pszValue);
+UINT msi_format_record(_In_ MSIHANDLE hInstall, _In_ MSIHANDLE hRecord, _Out_ LPWSTR *pszValue);
/**
@@ -101,11 +90,7 @@
*
* @return ERROR_SUCCESS on success; Win32 error code otherwise
*/
-UINT
-msi_format_field(
- _In_ MSIHANDLE hInstall,
- _In_ MSIHANDLE hRecord,
- _In_ unsigned int iField,
- _Out_ LPWSTR *pszValue);
+UINT msi_format_field(_In_ MSIHANDLE hInstall, _In_ MSIHANDLE hRecord, _In_ unsigned int iField,
+ _Out_ LPWSTR *pszValue);
#endif /* ifndef MSIHLP_H */
@@ -59,9 +59,9 @@
*/
/** Amount of tick space to reserve for one TAP/TUN adapter creation/deletition. */
-#define MSICA_ADAPTER_TICK_SIZE (16 * 1024)
+#define MSICA_ADAPTER_TICK_SIZE (16 * 1024)
-#define FILE_NEED_REBOOT L".ovpn_need_reboot"
+#define FILE_NEED_REBOOT L".ovpn_need_reboot"
#define OPENVPN_CONNECT_ADAPTER_SUBSTR L"OpenVPN Connect"
@@ -77,10 +77,7 @@
* @return ERROR_SUCCESS on success; An error code otherwise
*/
static UINT
-setup_sequence(
- _In_ MSIHANDLE hInstall,
- _In_z_ LPCWSTR szProperty,
- _In_ struct msica_arg_seq *seq)
+setup_sequence(_In_ MSIHANDLE hInstall, _In_z_ LPCWSTR szProperty, _In_ struct msica_arg_seq *seq)
{
UINT uiResult;
LPWSTR szSequence = msica_arg_seq_join(seq);
@@ -110,12 +107,11 @@
static void
_debug_popup(_In_z_ LPCSTR szFunctionName)
{
- WCHAR szTitle[0x100], szMessage[0x100+MAX_PATH], szProcessPath[MAX_PATH];
+ WCHAR szTitle[0x100], szMessage[0x100 + MAX_PATH], szProcessPath[MAX_PATH];
/* Compose pop-up title. The dialog title will contain function name to ease the process
* locating. Mind that Visual Studio displays window titles on the process list. */
- swprintf_s(szTitle, _countof(szTitle), L"%hs v%ls",
- szFunctionName, _L(PACKAGE_VERSION));
+ swprintf_s(szTitle, _countof(szTitle), L"%hs v%ls", szFunctionName, _L(PACKAGE_VERSION));
/* Get process name. */
GetModuleFileName(NULL, szProcessPath, _countof(szProcessPath));
@@ -131,9 +127,7 @@
L"If you would like to debug the custom action, attach a debugger to this process and set breakpoints before dismissing this dialog.\r\n"
L"\r\n"
L"If you are not debugging this custom action, you can safely ignore this message.",
- szProcessName,
- GetCurrentProcessId(),
- szFunctionName);
+ szProcessName, GetCurrentProcessId(), szFunctionName);
MessageBox(NULL, szMessage, szTitle, MB_OK);
}
@@ -144,11 +138,8 @@
#endif /* ifdef _DEBUG */
static void
-find_adapters(
- _In_ MSIHANDLE hInstall,
- _In_z_ LPCWSTR szzHardwareIDs,
- _In_z_ LPCWSTR szAdaptersPropertyName,
- _In_z_ LPCWSTR szActiveAdaptersPropertyName)
+find_adapters(_In_ MSIHANDLE hInstall, _In_z_ LPCWSTR szzHardwareIDs,
+ _In_z_ LPCWSTR szAdaptersPropertyName, _In_z_ LPCWSTR szActiveAdaptersPropertyName)
{
UINT uiResult;
@@ -165,24 +156,26 @@
return;
}
- /* Get IPv4/v6 info for all network adapters. Actually, we're interested in link status only: up/down? */
+ /* Get IPv4/v6 info for all network adapters. Actually, we're interested in link status only:
+ * up/down? */
PIP_ADAPTER_ADDRESSES pAdapterAdresses = NULL;
- ULONG ulAdapterAdressesSize = 16*1024;
+ ULONG ulAdapterAdressesSize = 16 * 1024;
for (size_t iteration = 0; iteration < 2; iteration++)
{
pAdapterAdresses = (PIP_ADAPTER_ADDRESSES)malloc(ulAdapterAdressesSize);
if (pAdapterAdresses == NULL)
{
msg(M_NONFATAL, "%s: malloc(%u) failed", __FUNCTION__, ulAdapterAdressesSize);
- uiResult = ERROR_OUTOFMEMORY; goto cleanup_pAdapterList;
+ uiResult = ERROR_OUTOFMEMORY;
+ goto cleanup_pAdapterList;
}
ULONG ulResult = GetAdaptersAddresses(
AF_UNSPEC,
- GAA_FLAG_SKIP_UNICAST | GAA_FLAG_SKIP_ANYCAST | GAA_FLAG_SKIP_MULTICAST | GAA_FLAG_SKIP_DNS_SERVER | GAA_FLAG_SKIP_FRIENDLY_NAME | GAA_FLAG_INCLUDE_ALL_INTERFACES,
- NULL,
- pAdapterAdresses,
- &ulAdapterAdressesSize);
+ GAA_FLAG_SKIP_UNICAST | GAA_FLAG_SKIP_ANYCAST | GAA_FLAG_SKIP_MULTICAST
+ | GAA_FLAG_SKIP_DNS_SERVER | GAA_FLAG_SKIP_FRIENDLY_NAME
+ | GAA_FLAG_INCLUDE_ALL_INTERFACES,
+ NULL, pAdapterAdresses, &ulAdapterAdressesSize);
if (ulResult == ERROR_SUCCESS)
{
@@ -192,9 +185,12 @@
free(pAdapterAdresses);
if (ulResult != ERROR_BUFFER_OVERFLOW)
{
- SetLastError(ulResult); /* MSDN does not mention GetAdaptersAddresses() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(
+ ulResult); /* MSDN does not mention GetAdaptersAddresses() to set GetLastError().
+ But we do have an error code. Set last error manually. */
msg(M_NONFATAL | M_ERRNO, "%s: GetAdaptersAddresses() failed", __FUNCTION__);
- uiResult = ulResult; goto cleanup_pAdapterList;
+ uiResult = ulResult;
+ goto cleanup_pAdapterList;
}
}
@@ -207,26 +203,33 @@
/* Prepare semicolon delimited list of TAP adapter ID(s) and active TAP adapter ID(s). */
LPWSTR
- szAdapters = (LPWSTR)malloc(adapter_count * (38 /*GUID*/ + 1 /*separator/terminator*/) * sizeof(WCHAR)),
- szAdaptersTail = szAdapters;
+ szAdapters =
+ (LPWSTR)malloc(adapter_count * (38 /*GUID*/ + 1 /*separator/terminator*/) * sizeof(WCHAR)),
+ szAdaptersTail = szAdapters;
if (szAdapters == NULL)
{
- msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__, adapter_count * (38 /*GUID*/ + 1 /*separator/terminator*/) * sizeof(WCHAR));
- uiResult = ERROR_OUTOFMEMORY; goto cleanup_pAdapterAdresses;
+ msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__,
+ adapter_count * (38 /*GUID*/ + 1 /*separator/terminator*/) * sizeof(WCHAR));
+ uiResult = ERROR_OUTOFMEMORY;
+ goto cleanup_pAdapterAdresses;
}
LPWSTR
- szAdaptersActive = (LPWSTR)malloc(adapter_count * (38 /*GUID*/ + 1 /*separator/terminator*/) * sizeof(WCHAR)),
- szAdaptersActiveTail = szAdaptersActive;
+ szAdaptersActive =
+ (LPWSTR)malloc(adapter_count * (38 /*GUID*/ + 1 /*separator/terminator*/) * sizeof(WCHAR)),
+ szAdaptersActiveTail = szAdaptersActive;
if (szAdaptersActive == NULL)
{
- msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__, adapter_count * (38 /*GUID*/ + 1 /*separator/terminator*/) * sizeof(WCHAR));
- uiResult = ERROR_OUTOFMEMORY; goto cleanup_szAdapters;
+ msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__,
+ adapter_count * (38 /*GUID*/ + 1 /*separator/terminator*/) * sizeof(WCHAR));
+ uiResult = ERROR_OUTOFMEMORY;
+ goto cleanup_szAdapters;
}
for (struct tap_adapter_node *pAdapter = pAdapterList; pAdapter; pAdapter = pAdapter->pNext)
{
- /* exclude adapters created by OpenVPN Connect, since they're removed on Connect uninstallation */
+ /* exclude adapters created by OpenVPN Connect, since they're removed on Connect
+ * uninstallation */
if (wcsstr(pAdapter->szName, OPENVPN_CONNECT_ADAPTER_SUBSTR))
{
msg(M_WARN, "%s: skip OpenVPN Connect adapter '%ls'", __FUNCTION__, pAdapter->szName);
@@ -250,7 +253,9 @@
{
OLECHAR szId[38 /*GUID*/ + 1 /*terminator*/];
GUID guid;
- if (MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, p->AdapterName, -1, szId, _countof(szId)) > 0
+ if (MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, p->AdapterName, -1, szId,
+ _countof(szId))
+ > 0
&& SUCCEEDED(IIDFromString(szId, &guid))
&& memcmp(&guid, &pAdapter->guid, sizeof(GUID)) == 0)
{
@@ -269,22 +274,26 @@
}
CoTaskMemFree(szAdapterId);
}
- szAdaptersTail [0] = 0;
+ szAdaptersTail[0] = 0;
szAdaptersActiveTail[0] = 0;
/* Set Installer properties. */
uiResult = MsiSetProperty(hInstall, szAdaptersPropertyName, szAdapters);
if (uiResult != ERROR_SUCCESS)
{
- SetLastError(uiResult); /* MSDN does not mention MsiSetProperty() to set GetLastError(). But we do have an error code. Set last error manually. */
- msg(M_NONFATAL | M_ERRNO, "%s: MsiSetProperty(\"%s\") failed", __FUNCTION__, szAdaptersPropertyName);
+ SetLastError(uiResult); /* MSDN does not mention MsiSetProperty() to set GetLastError(). But
+ we do have an error code. Set last error manually. */
+ msg(M_NONFATAL | M_ERRNO, "%s: MsiSetProperty(\"%s\") failed", __FUNCTION__,
+ szAdaptersPropertyName);
goto cleanup_szAdaptersActive;
}
uiResult = MsiSetProperty(hInstall, szActiveAdaptersPropertyName, szAdaptersActive);
if (uiResult != ERROR_SUCCESS)
{
- SetLastError(uiResult); /* MSDN does not mention MsiSetProperty() to set GetLastError(). But we do have an error code. Set last error manually. */
- msg(M_NONFATAL | M_ERRNO, "%s: MsiSetProperty(\"%s\") failed", __FUNCTION__, szActiveAdaptersPropertyName);
+ SetLastError(uiResult); /* MSDN does not mention MsiSetProperty() to set GetLastError(). But
+ we do have an error code. Set last error manually. */
+ msg(M_NONFATAL | M_ERRNO, "%s: MsiSetProperty(\"%s\") failed", __FUNCTION__,
+ szActiveAdaptersPropertyName);
goto cleanup_szAdaptersActive;
}
@@ -299,8 +308,7 @@
}
-UINT __stdcall
-FindSystemInfo(_In_ MSIHANDLE hInstall)
+UINT __stdcall FindSystemInfo(_In_ MSIHANDLE hInstall)
{
#ifdef DLLEXP_EXPORT
#pragma comment(linker, DLLEXP_EXPORT)
@@ -312,16 +320,12 @@
OPENVPNMSICA_SAVE_MSI_SESSION(hInstall);
- find_adapters(
- hInstall,
- L"root\\" _L(TAP_WIN_COMPONENT_ID) L"\0" _L(TAP_WIN_COMPONENT_ID) L"\0",
- L"TAPWINDOWS6ADAPTERS",
- L"ACTIVETAPWINDOWS6ADAPTERS");
- find_adapters(
- hInstall,
- L"ovpn-dco" L"\0",
- L"OVPNDCOADAPTERS",
- L"ACTIVEOVPNDCOADAPTERS");
+ find_adapters(hInstall, L"root\\" _L(TAP_WIN_COMPONENT_ID) L"\0" _L(TAP_WIN_COMPONENT_ID) L"\0",
+ L"TAPWINDOWS6ADAPTERS", L"ACTIVETAPWINDOWS6ADAPTERS");
+ find_adapters(hInstall,
+ L"ovpn-dco"
+ L"\0",
+ L"OVPNDCOADAPTERS", L"ACTIVEOVPNDCOADAPTERS");
if (bIsCoInitialized)
{
@@ -331,13 +335,13 @@
}
-UINT __stdcall
-CloseOpenVPNGUI(_In_ MSIHANDLE hInstall)
+UINT __stdcall CloseOpenVPNGUI(_In_ MSIHANDLE hInstall)
{
#ifdef DLLEXP_EXPORT
#pragma comment(linker, DLLEXP_EXPORT)
#endif
- UNREFERENCED_PARAMETER(hInstall); /* This CA is does not interact with MSI session (report errors, access properties, tables, etc.). */
+ UNREFERENCED_PARAMETER(hInstall); /* This CA is does not interact with MSI session (report
+ errors, access properties, tables, etc.). */
debug_popup(__FUNCTION__);
@@ -345,7 +349,8 @@
HWND hWnd = FindWindow(L"OpenVPN-GUI", NULL);
if (hWnd)
{
- /* Ask it to close and wait for 100ms. Unfortunately, this will succeed only for recent OpenVPN GUI that do not run elevated. */
+ /* Ask it to close and wait for 100ms. Unfortunately, this will succeed only for recent
+ * OpenVPN GUI that do not run elevated. */
SendMessage(hWnd, WM_CLOSE, 0, 0);
Sleep(100);
}
@@ -354,8 +359,7 @@
}
-UINT __stdcall
-StartOpenVPNGUI(_In_ MSIHANDLE hInstall)
+UINT __stdcall StartOpenVPNGUI(_In_ MSIHANDLE hInstall)
{
#ifdef DLLEXP_EXPORT
#pragma comment(linker, DLLEXP_EXPORT)
@@ -379,7 +383,8 @@
uiResult = MsiRecordSetString(hRecord, 0, L"\"[#bin.openvpn_gui.exe]\"");
if (uiResult != ERROR_SUCCESS)
{
- SetLastError(uiResult); /* MSDN does not mention MsiRecordSetString() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(uiResult); /* MSDN does not mention MsiRecordSetString() to set GetLastError().
+ But we do have an error code. Set last error manually. */
msg(M_NONFATAL | M_ERRNO, "%s: MsiRecordSetString failed", __FUNCTION__);
goto cleanup_MsiCreateRecord;
}
@@ -396,25 +401,26 @@
if (szPath == NULL)
{
msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__, dwPathSize * sizeof(WCHAR));
- uiResult = ERROR_OUTOFMEMORY; goto cleanup_MsiCreateRecord;
+ uiResult = ERROR_OUTOFMEMORY;
+ goto cleanup_MsiCreateRecord;
}
uiResult = MsiFormatRecord(hInstall, hRecord, szPath, &dwPathSize);
}
if (uiResult != ERROR_SUCCESS)
{
- SetLastError(uiResult); /* MSDN does not mention MsiFormatRecord() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(uiResult); /* MSDN does not mention MsiFormatRecord() to set GetLastError().
+ But we do have an error code. Set last error manually. */
msg(M_NONFATAL | M_ERRNO, "%s: MsiFormatRecord failed", __FUNCTION__);
goto cleanup_malloc_szPath;
}
/* Launch the OpenVPN GUI. */
- SHELLEXECUTEINFO sei = {
- .cbSize = sizeof(SHELLEXECUTEINFO),
- .fMask = SEE_MASK_FLAG_NO_UI, /* Don't show error UI, we'll display it. */
- .lpFile = szPath,
- .nShow = SW_SHOWNORMAL
- };
+ SHELLEXECUTEINFO sei = { .cbSize = sizeof(SHELLEXECUTEINFO),
+ .fMask =
+ SEE_MASK_FLAG_NO_UI, /* Don't show error UI, we'll display it. */
+ .lpFile = szPath,
+ .nShow = SW_SHOWNORMAL };
if (!ShellExecuteEx(&sei))
{
uiResult = GetLastError();
@@ -461,12 +467,9 @@
* @return ERROR_SUCCESS on success; An error code otherwise
*/
static DWORD
-schedule_adapter_create(
- _Inout_ struct msica_arg_seq *seq,
- _Inout_opt_ struct msica_arg_seq *seqRollback,
- _In_z_ LPCWSTR szDisplayName,
- _In_z_ LPCWSTR szHardwareId,
- _Inout_ int *iTicks)
+schedule_adapter_create(_Inout_ struct msica_arg_seq *seq,
+ _Inout_opt_ struct msica_arg_seq *seqRollback, _In_z_ LPCWSTR szDisplayName,
+ _In_z_ LPCWSTR szHardwareId, _Inout_ int *iTicks)
{
/* Get existing network adapters. */
struct tap_adapter_node *pAdapterList = NULL;
@@ -477,28 +480,25 @@
}
/* Does adapter exist? */
- for (struct tap_adapter_node *pAdapterOther = pAdapterList;; pAdapterOther = pAdapterOther->pNext)
+ for (struct tap_adapter_node *pAdapterOther = pAdapterList;;
+ pAdapterOther = pAdapterOther->pNext)
{
if (pAdapterOther == NULL)
{
/* No adapter with a same name found. */
- WCHAR szArgument[10 /*create=""|deleteN=""*/ + MAX_PATH /*szDisplayName*/ + 1 /*|*/ + MAX_PATH /*szHardwareId*/ + 1 /*terminator*/];
+ WCHAR szArgument[10 /*create=""|deleteN=""*/ + MAX_PATH /*szDisplayName*/ + 1 /*|*/
+ + MAX_PATH /*szHardwareId*/ + 1 /*terminator*/];
/* InstallTUNTAPAdapters will create the adapter. */
- swprintf_s(
- szArgument, _countof(szArgument),
- L"create=\"%.*s|%.*s\"",
- MAX_PATH, szDisplayName,
- MAX_PATH, szHardwareId);
+ swprintf_s(szArgument, _countof(szArgument), L"create=\"%.*s|%.*s\"", MAX_PATH,
+ szDisplayName, MAX_PATH, szHardwareId);
msica_arg_seq_add_tail(seq, szArgument);
if (seqRollback)
{
/* InstallTUNTAPAdaptersRollback will delete the adapter. */
- swprintf_s(
- szArgument, _countof(szArgument),
- L"deleteN=\"%.*s\"",
- MAX_PATH, szDisplayName);
+ swprintf_s(szArgument, _countof(szArgument), L"deleteN=\"%.*s\"", MAX_PATH,
+ szDisplayName);
msica_arg_seq_add_head(seqRollback, szArgument);
}
@@ -513,13 +513,15 @@
if (hwid[0] == 0)
{
/* This adapter has a different hardware ID. */
- msg(M_NONFATAL, "%s: Adapter with name \"%ls\" already exists", __FUNCTION__, pAdapterOther->szName);
+ msg(M_NONFATAL, "%s: Adapter with name \"%ls\" already exists", __FUNCTION__,
+ pAdapterOther->szName);
dwResult = ERROR_ALREADY_EXISTS;
goto cleanup_pAdapterList;
}
else if (wcsicmp(hwid, szHardwareId) == 0)
{
- /* This is an adapter with the requested hardware ID. We already have what we want! */
+ /* This is an adapter with the requested hardware ID. We already have what we
+ * want! */
break;
}
}
@@ -561,13 +563,10 @@
* @return ERROR_SUCCESS on success; An error code otherwise
*/
static DWORD
-schedule_adapter_delete(
- _Inout_ struct msica_arg_seq *seq,
- _Inout_opt_ struct msica_arg_seq *seqCommit,
- _Inout_opt_ struct msica_arg_seq *seqRollback,
- _In_z_ LPCWSTR szDisplayName,
- _In_z_ LPCWSTR szzHardwareIDs,
- _Inout_ int *iTicks)
+schedule_adapter_delete(_Inout_ struct msica_arg_seq *seq,
+ _Inout_opt_ struct msica_arg_seq *seqCommit,
+ _Inout_opt_ struct msica_arg_seq *seqRollback, _In_z_ LPCWSTR szDisplayName,
+ _In_z_ LPCWSTR szzHardwareIDs, _Inout_ int *iTicks)
{
/* Get adapters with given hardware ID. */
struct tap_adapter_node *pAdapterList = NULL;
@@ -578,42 +577,36 @@
}
/* Does adapter exist? */
- for (struct tap_adapter_node *pAdapter = pAdapterList; pAdapter != NULL; pAdapter = pAdapter->pNext)
+ for (struct tap_adapter_node *pAdapter = pAdapterList; pAdapter != NULL;
+ pAdapter = pAdapter->pNext)
{
if (wcsicmp(szDisplayName, pAdapter->szName) == 0)
{
/* Adapter found. */
- WCHAR szArgument[8 /*disable=|enable=|delete=*/ + 38 /*{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}*/ + 1 /*terminator*/];
+ WCHAR szArgument[8 /*disable=|enable=|delete=*/
+ + 38 /*{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}*/ + 1 /*terminator*/];
if (seqCommit && seqRollback)
{
/* UninstallTUNTAPAdapters will disable the adapter. */
- swprintf_s(
- szArgument, _countof(szArgument),
- L"disable=" _L(PRIXGUID),
- PRIGUID_PARAM(pAdapter->guid));
+ swprintf_s(szArgument, _countof(szArgument), L"disable=" _L(PRIXGUID),
+ PRIGUID_PARAM(pAdapter->guid));
msica_arg_seq_add_tail(seq, szArgument);
/* UninstallTUNTAPAdaptersRollback will re-enable the adapter. */
- swprintf_s(
- szArgument, _countof(szArgument),
- L"enable=" _L(PRIXGUID),
- PRIGUID_PARAM(pAdapter->guid));
+ swprintf_s(szArgument, _countof(szArgument), L"enable=" _L(PRIXGUID),
+ PRIGUID_PARAM(pAdapter->guid));
msica_arg_seq_add_head(seqRollback, szArgument);
/* UninstallTUNTAPAdaptersCommit will delete the adapter. */
- swprintf_s(
- szArgument, _countof(szArgument),
- L"delete=" _L(PRIXGUID),
- PRIGUID_PARAM(pAdapter->guid));
+ swprintf_s(szArgument, _countof(szArgument), L"delete=" _L(PRIXGUID),
+ PRIGUID_PARAM(pAdapter->guid));
msica_arg_seq_add_tail(seqCommit, szArgument);
}
else
{
/* UninstallTUNTAPAdapters will delete the adapter. */
- swprintf_s(
- szArgument, _countof(szArgument),
- L"delete=" _L(PRIXGUID),
- PRIGUID_PARAM(pAdapter->guid));
+ swprintf_s(szArgument, _countof(szArgument), L"delete=" _L(PRIXGUID),
+ PRIGUID_PARAM(pAdapter->guid));
msica_arg_seq_add_tail(seq, szArgument);
}
@@ -627,8 +620,7 @@
}
-UINT __stdcall
-EvaluateTUNTAPAdapters(_In_ MSIHANDLE hInstall)
+UINT __stdcall EvaluateTUNTAPAdapters(_In_ MSIHANDLE hInstall)
{
#ifdef DLLEXP_EXPORT
#pragma comment(linker, DLLEXP_EXPORT)
@@ -641,13 +633,8 @@
OPENVPNMSICA_SAVE_MSI_SESSION(hInstall);
- struct msica_arg_seq
- seqInstall,
- seqInstallCommit,
- seqInstallRollback,
- seqUninstall,
- seqUninstallCommit,
- seqUninstallRollback;
+ struct msica_arg_seq seqInstall, seqInstallCommit, seqInstallRollback, seqUninstall,
+ seqUninstallCommit, seqUninstallRollback;
msica_arg_seq_init(&seqInstall);
msica_arg_seq_init(&seqInstallCommit);
msica_arg_seq_init(&seqInstallRollback);
@@ -656,7 +643,8 @@
msica_arg_seq_init(&seqUninstallRollback);
/* Check rollback state. */
- bool bRollbackEnabled = MsiEvaluateCondition(hInstall, L"RollbackDisabled") != MSICONDITION_TRUE;
+ bool bRollbackEnabled =
+ MsiEvaluateCondition(hInstall, L"RollbackDisabled") != MSICONDITION_TRUE;
/* Open MSI database. */
MSIHANDLE hDatabase = MsiGetActiveDatabase(hInstall);
@@ -671,7 +659,8 @@
switch (MsiDatabaseIsTablePersistent(hDatabase, L"TUNTAPAdapter"))
{
case MSICONDITION_FALSE:
- case MSICONDITION_TRUE: break;
+ case MSICONDITION_TRUE:
+ break;
default:
uiResult = ERROR_SUCCESS;
@@ -680,11 +669,14 @@
/* Prepare a query to get a list/view of adapters. */
MSIHANDLE hViewST = 0;
- LPCWSTR szQuery = L"SELECT `Adapter`,`DisplayName`,`Condition`,`Component_`,`HardwareId` FROM `TUNTAPAdapter`";
+ LPCWSTR szQuery =
+ L"SELECT `Adapter`,`DisplayName`,`Condition`,`Component_`,`HardwareId` FROM `TUNTAPAdapter`";
uiResult = MsiDatabaseOpenView(hDatabase, szQuery, &hViewST);
if (uiResult != ERROR_SUCCESS)
{
- SetLastError(uiResult); /* MSDN does not mention MsiDatabaseOpenView() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(
+ uiResult); /* MSDN does not mention MsiDatabaseOpenView() to set GetLastError(). But we
+ do have an error code. Set last error manually. */
msg(M_NONFATAL | M_ERRNO, "%s: MsiDatabaseOpenView(\"%ls\") failed", __FUNCTION__, szQuery);
goto cleanup_hDatabase;
}
@@ -693,7 +685,8 @@
uiResult = MsiViewExecute(hViewST, 0);
if (uiResult != ERROR_SUCCESS)
{
- SetLastError(uiResult); /* MSDN does not mention MsiViewExecute() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(uiResult); /* MSDN does not mention MsiViewExecute() to set GetLastError(). But
+ we do have an error code. Set last error manually. */
msg(M_NONFATAL | M_ERRNO, "%s: MsiViewExecute(\"%ls\") failed", __FUNCTION__, szQuery);
goto cleanup_hViewST;
}
@@ -707,7 +700,7 @@
goto cleanup_hViewST_close;
}
- for (;; )
+ for (;;)
{
/* Fetch one record from the view. */
MSIHANDLE hRecord = 0;
@@ -719,7 +712,8 @@
}
else if (uiResult != ERROR_SUCCESS)
{
- SetLastError(uiResult); /* MSDN does not mention MsiViewFetch() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(uiResult); /* MSDN does not mention MsiViewFetch() to set GetLastError().
+ But we do have an error code. Set last error manually. */
msg(M_NONFATAL | M_ERRNO, "%s: MsiViewFetch failed", __FUNCTION__);
goto cleanup_hRecordProg;
}
@@ -738,8 +732,11 @@
uiResult = MsiGetComponentState(hInstall, szValue, &iInstalled, &iAction);
if (uiResult != ERROR_SUCCESS)
{
- SetLastError(uiResult); /* MSDN does not mention MsiGetComponentState() to set GetLastError(). But we do have an error code. Set last error manually. */
- msg(M_NONFATAL | M_ERRNO, "%s: MsiGetComponentState(\"%ls\") failed", __FUNCTION__, szValue);
+ SetLastError(uiResult); /* MSDN does not mention MsiGetComponentState() to set
+ GetLastError(). But we do have an error code. Set last
+ error manually. */
+ msg(M_NONFATAL | M_ERRNO, "%s: MsiGetComponentState(\"%ls\") failed", __FUNCTION__,
+ szValue);
free(szValue);
goto cleanup_hRecord;
}
@@ -753,7 +750,9 @@
{
goto cleanup_hRecord;
}
- /* `DisplayName` field type is [Filename](https://docs.microsoft.com/en-us/windows/win32/msi/filename), which is either "8.3|long name" or "8.3". */
+ /* `DisplayName` field type is
+ * [Filename](https://docs.microsoft.com/en-us/windows/win32/msi/filename), which is either
+ * "8.3|long name" or "8.3". */
LPWSTR szDisplayNameEx = wcschr(szDisplayName, L'|');
szDisplayNameEx = szDisplayNameEx != NULL ? szDisplayNameEx + 1 : szDisplayName;
@@ -766,7 +765,10 @@
{
goto cleanup_szDisplayName;
}
- memcpy_s(szzHardwareIDs, sizeof(szzHardwareIDs) - 2*sizeof(WCHAR) /*requires double zero termination*/, szHwId, wcslen(szHwId)*sizeof(WCHAR));
+ memcpy_s(szzHardwareIDs,
+ sizeof(szzHardwareIDs)
+ - 2 * sizeof(WCHAR) /*requires double zero termination*/,
+ szHwId, wcslen(szHwId) * sizeof(WCHAR));
free(szHwId);
}
@@ -799,7 +801,8 @@
case MSICONDITION_ERROR:
uiResult = ERROR_INVALID_FIELD;
- msg(M_NONFATAL | M_ERRNO, "%s: MsiEvaluateCondition(\"%ls\") failed", __FUNCTION__, szValue);
+ msg(M_NONFATAL | M_ERRNO, "%s: MsiEvaluateCondition(\"%ls\") failed",
+ __FUNCTION__, szValue);
free(szValue);
goto cleanup_szDisplayName;
}
@@ -809,12 +812,10 @@
free(szValue);
/* Component is or should be installed. Schedule adapter creation. */
- if (schedule_adapter_create(
- &seqInstall,
- bRollbackEnabled ? &seqInstallRollback : NULL,
- szDisplayNameEx,
- szzHardwareIDs,
- &iTicks) != ERROR_SUCCESS)
+ if (schedule_adapter_create(&seqInstall,
+ bRollbackEnabled ? &seqInstallRollback : NULL,
+ szDisplayNameEx, szzHardwareIDs, &iTicks)
+ != ERROR_SUCCESS)
{
uiResult = ERROR_INSTALL_FAILED;
goto cleanup_szDisplayName;
@@ -822,18 +823,16 @@
}
else
{
- /* Component is installed, but should be degraded to advertised/removed. Schedule adapter deletition.
+ /* Component is installed, but should be degraded to advertised/removed. Schedule
+ * adapter deletition.
*
- * Note: On adapter removal (product is being uninstalled), we tolerate dwResult error.
- * Better a partial uninstallation than no uninstallation at all.
+ * Note: On adapter removal (product is being uninstalled), we tolerate dwResult
+ * error. Better a partial uninstallation than no uninstallation at all.
*/
- schedule_adapter_delete(
- &seqUninstall,
- bRollbackEnabled ? &seqUninstallCommit : NULL,
- bRollbackEnabled ? &seqUninstallRollback : NULL,
- szDisplayNameEx,
- szzHardwareIDs,
- &iTicks);
+ schedule_adapter_delete(&seqUninstall,
+ bRollbackEnabled ? &seqUninstallCommit : NULL,
+ bRollbackEnabled ? &seqUninstallRollback : NULL,
+ szDisplayNameEx, szzHardwareIDs, &iTicks);
}
/* Arrange the amount of tick space to add to the progress indicator.
@@ -871,12 +870,21 @@
msica_arg_seq_add_tail(&seqUninstallRollback, str);
/* Store deferred custom action parameters. */
- if ((uiResult = setup_sequence(hInstall, L"InstallTUNTAPAdapters", &seqInstall )) != ERROR_SUCCESS
- || (uiResult = setup_sequence(hInstall, L"InstallTUNTAPAdaptersCommit", &seqInstallCommit )) != ERROR_SUCCESS
- || (uiResult = setup_sequence(hInstall, L"InstallTUNTAPAdaptersRollback", &seqInstallRollback )) != ERROR_SUCCESS
- || (uiResult = setup_sequence(hInstall, L"UninstallTUNTAPAdapters", &seqUninstall )) != ERROR_SUCCESS
- || (uiResult = setup_sequence(hInstall, L"UninstallTUNTAPAdaptersCommit", &seqUninstallCommit )) != ERROR_SUCCESS
- || (uiResult = setup_sequence(hInstall, L"UninstallTUNTAPAdaptersRollback", &seqUninstallRollback)) != ERROR_SUCCESS)
+ if ((uiResult = setup_sequence(hInstall, L"InstallTUNTAPAdapters", &seqInstall))
+ != ERROR_SUCCESS
+ || (uiResult = setup_sequence(hInstall, L"InstallTUNTAPAdaptersCommit", &seqInstallCommit))
+ != ERROR_SUCCESS
+ || (uiResult =
+ setup_sequence(hInstall, L"InstallTUNTAPAdaptersRollback", &seqInstallRollback))
+ != ERROR_SUCCESS
+ || (uiResult = setup_sequence(hInstall, L"UninstallTUNTAPAdapters", &seqUninstall))
+ != ERROR_SUCCESS
+ || (uiResult =
+ setup_sequence(hInstall, L"UninstallTUNTAPAdaptersCommit", &seqUninstallCommit))
+ != ERROR_SUCCESS
+ || (uiResult =
+ setup_sequence(hInstall, L"UninstallTUNTAPAdaptersRollback", &seqUninstallRollback))
+ != ERROR_SUCCESS)
{
goto cleanup_hRecordProg;
}
@@ -916,9 +924,7 @@
* @return TRUE on success; FALSE otherwise
*/
static BOOL
-parse_guid(
- _In_z_ LPCWSTR szArg,
- _Out_ GUID *guid)
+parse_guid(_In_z_ LPCWSTR szArg, _Out_ GUID *guid)
{
if (swscanf_s(szArg, _L(PRIXGUID), PRIGUID_PARAM_REF(*guid)) != 11)
{
@@ -945,7 +951,8 @@
msg(M_WARN, "%s: Reboot required, create reboot indication file \"%ls\"", __FUNCTION__, path);
- HANDLE file = CreateFileW(path, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
+ HANDLE file =
+ CreateFileW(path, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (file == INVALID_HANDLE_VALUE)
{
msg(M_NONFATAL | M_ERRNO, "%s: CreateFile(\"%ls\") failed", __FUNCTION__, path);
@@ -956,8 +963,7 @@
}
}
-UINT __stdcall
-ProcessDeferredAction(_In_ MSIHANDLE hInstall)
+UINT __stdcall ProcessDeferredAction(_In_ MSIHANDLE hInstall)
{
#ifdef DLLEXP_EXPORT
#pragma comment(linker, DLLEXP_EXPORT)
@@ -967,13 +973,15 @@
UINT uiResult;
BOOL bIsCoInitialized = SUCCEEDED(CoInitialize(NULL));
- WCHAR tmpDir[MAX_PATH] = {0};
+ WCHAR tmpDir[MAX_PATH] = { 0 };
OPENVPNMSICA_SAVE_MSI_SESSION(hInstall);
- BOOL bIsCleanup = MsiGetMode(hInstall, MSIRUNMODE_COMMIT) || MsiGetMode(hInstall, MSIRUNMODE_ROLLBACK);
+ BOOL bIsCleanup =
+ MsiGetMode(hInstall, MSIRUNMODE_COMMIT) || MsiGetMode(hInstall, MSIRUNMODE_ROLLBACK);
- /* Get sequence arguments. Always Unicode as CommandLineToArgvW() is available as Unicode-only. */
+ /* Get sequence arguments. Always Unicode as CommandLineToArgvW() is available as Unicode-only.
+ */
LPWSTR szSequence = NULL;
uiResult = msi_get_string(hInstall, L"CustomActionData", &szSequence);
if (uiResult != ERROR_SUCCESS)
@@ -985,7 +993,8 @@
if (szArg == NULL)
{
uiResult = GetLastError();
- msg(M_NONFATAL | M_ERRNO, "%s: CommandLineToArgvW(\"%ls\") failed", __FUNCTION__, szSequence);
+ msg(M_NONFATAL | M_ERRNO, "%s: CommandLineToArgvW(\"%ls\") failed", __FUNCTION__,
+ szSequence);
goto cleanup_szSequence;
}
@@ -1037,8 +1046,8 @@
dwResult = tap_create_adapter(NULL, NULL, szHardwareId, &bRebootRequired, &guidAdapter);
if (dwResult == ERROR_SUCCESS)
{
- /* Set adapter name. May fail on some machines, but that is not critical - use silent
- * flag to mute messagebox and print error only to log */
+ /* Set adapter name. May fail on some machines, but that is not critical - use
+ * silent flag to mute messagebox and print error only to log */
tap_set_adapter_name(&guidAdapter, szName, TRUE);
}
}
@@ -1067,7 +1076,8 @@
if (dwResult == ERROR_SUCCESS)
{
/* Does the adapter exist? */
- for (struct tap_adapter_node *pAdapter = pAdapterList; pAdapter != NULL; pAdapter = pAdapter->pNext)
+ for (struct tap_adapter_node *pAdapter = pAdapterList; pAdapter != NULL;
+ pAdapter = pAdapter->pNext)
{
if (wcsicmp(szName, pAdapter->szName) == 0)
{
@@ -1156,8 +1166,7 @@
return uiResult;
}
-UINT __stdcall
-CheckAndScheduleReboot(_In_ MSIHANDLE hInstall)
+UINT __stdcall CheckAndScheduleReboot(_In_ MSIHANDLE hInstall)
{
#ifdef DLLEXP_EXPORT
#pragma comment(linker, DLLEXP_EXPORT)
@@ -50,10 +50,11 @@
/**
* Set MSI session handle in thread local storage.
*/
-#define OPENVPNMSICA_SAVE_MSI_SESSION(hInstall) \
- { \
- struct openvpnmsica_thread_data *s = (struct openvpnmsica_thread_data *)TlsGetValue(openvpnmsica_thread_data_idx); \
- s->hInstall = (hInstall); \
+#define OPENVPNMSICA_SAVE_MSI_SESSION(hInstall) \
+ { \
+ struct openvpnmsica_thread_data *s = \
+ (struct openvpnmsica_thread_data *)TlsGetValue(openvpnmsica_thread_data_idx); \
+ s->hInstall = (hInstall); \
}
@@ -62,7 +63,8 @@
*/
#ifdef __cplusplus
-extern "C" {
+extern "C"
+{
#endif
/* Ensure that clang-cl, which does not understand the cl specific
@@ -77,90 +79,84 @@
#endif
-/**
- * Determines Windows information:
- *
- * - Sets `OPENVPNSERVICE` MSI property to PID of OpenVPN Service if running, or its EXE path if
- * configured for auto-start.
- *
- * - Finds existing TAP-Windows6 adapters and set TAPWINDOWS6ADAPTERS and
- * ACTIVETAPWINDOWS6ADAPTERS properties with semicolon delimited list of all installed adapter
- * GUIDs and active adapter GUIDs respectively.
- *
- * - Finds existing ovpn-dco adapters and set OVPNDCOADAPTERS and ACTIVEOVPNDCOADAPTERS properties
- * with semicolon delimited list of all installed adapter GUIDs and active adapter GUIDs
- * respectively.
- *
- * @param hInstall Handle to the installation provided to the DLL custom action
- *
- * @return ERROR_SUCCESS on success; An error code otherwise
- * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
- */
-DLLEXP_DECL UINT __stdcall
-FindSystemInfo(_In_ MSIHANDLE hInstall);
+ /**
+ * Determines Windows information:
+ *
+ * - Sets `OPENVPNSERVICE` MSI property to PID of OpenVPN Service if running, or its EXE path if
+ * configured for auto-start.
+ *
+ * - Finds existing TAP-Windows6 adapters and set TAPWINDOWS6ADAPTERS and
+ * ACTIVETAPWINDOWS6ADAPTERS properties with semicolon delimited list of all installed adapter
+ * GUIDs and active adapter GUIDs respectively.
+ *
+ * - Finds existing ovpn-dco adapters and set OVPNDCOADAPTERS and ACTIVEOVPNDCOADAPTERS
+ * properties with semicolon delimited list of all installed adapter GUIDs and active adapter
+ * GUIDs respectively.
+ *
+ * @param hInstall Handle to the installation provided to the DLL custom action
+ *
+ * @return ERROR_SUCCESS on success; An error code otherwise
+ * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
+ */
+ DLLEXP_DECL UINT __stdcall FindSystemInfo(_In_ MSIHANDLE hInstall);
-/**
- * Find OpenVPN GUI window and send it a WM_CLOSE message.
- *
- * @param hInstall Handle to the installation provided to the DLL custom action
- *
- * @return ERROR_SUCCESS on success; An error code otherwise
- * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
- */
-DLLEXP_DECL UINT __stdcall
-CloseOpenVPNGUI(_In_ MSIHANDLE hInstall);
+ /**
+ * Find OpenVPN GUI window and send it a WM_CLOSE message.
+ *
+ * @param hInstall Handle to the installation provided to the DLL custom action
+ *
+ * @return ERROR_SUCCESS on success; An error code otherwise
+ * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
+ */
+ DLLEXP_DECL UINT __stdcall CloseOpenVPNGUI(_In_ MSIHANDLE hInstall);
-/**
- * Launches OpenVPN GUI. It's path is obtained by expanding the `[#bin.openvpn_gui.exe]`
- * therefore, its Id field in File table must be "bin.openvpn_gui.exe".
- *
- * @param hInstall Handle to the installation provided to the DLL custom action
- *
- * @return ERROR_SUCCESS on success; An error code otherwise
- * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
- */
-DLLEXP_DECL UINT __stdcall
-StartOpenVPNGUI(_In_ MSIHANDLE hInstall);
+ /**
+ * Launches OpenVPN GUI. It's path is obtained by expanding the `[#bin.openvpn_gui.exe]`
+ * therefore, its Id field in File table must be "bin.openvpn_gui.exe".
+ *
+ * @param hInstall Handle to the installation provided to the DLL custom action
+ *
+ * @return ERROR_SUCCESS on success; An error code otherwise
+ * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
+ */
+ DLLEXP_DECL UINT __stdcall StartOpenVPNGUI(_In_ MSIHANDLE hInstall);
-/**
- * Evaluate the TUNTAPAdapter table of the MSI package database and prepare a list of TAP
- * adapters to install/remove.
- *
- * @param hInstall Handle to the installation provided to the DLL custom action
- *
- * @return ERROR_SUCCESS on success; An error code otherwise
- * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
- */
-DLLEXP_DECL UINT __stdcall
-EvaluateTUNTAPAdapters(_In_ MSIHANDLE hInstall);
+ /**
+ * Evaluate the TUNTAPAdapter table of the MSI package database and prepare a list of TAP
+ * adapters to install/remove.
+ *
+ * @param hInstall Handle to the installation provided to the DLL custom action
+ *
+ * @return ERROR_SUCCESS on success; An error code otherwise
+ * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
+ */
+ DLLEXP_DECL UINT __stdcall EvaluateTUNTAPAdapters(_In_ MSIHANDLE hInstall);
-/**
- * Perform scheduled deferred action.
- *
- * @param hInstall Handle to the installation provided to the DLL custom action
- *
- * @return ERROR_SUCCESS on success; An error code otherwise
- * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
- */
-DLLEXP_DECL UINT __stdcall
-ProcessDeferredAction(_In_ MSIHANDLE hInstall);
+ /**
+ * Perform scheduled deferred action.
+ *
+ * @param hInstall Handle to the installation provided to the DLL custom action
+ *
+ * @return ERROR_SUCCESS on success; An error code otherwise
+ * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
+ */
+ DLLEXP_DECL UINT __stdcall ProcessDeferredAction(_In_ MSIHANDLE hInstall);
-/**
- * Schedule reboot after installation if reboot
- * indication file is found in user's temp directory
- *
- * @param hInstall Handle to the installation provided to the DLL custom action
- *
- * @return ERROR_SUCCESS on success; An error code otherwise
- * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
- */
-DLLEXP_DECL UINT __stdcall
-CheckAndScheduleReboot(_In_ MSIHANDLE hInstall);
+ /**
+ * Schedule reboot after installation if reboot
+ * indication file is found in user's temp directory
+ *
+ * @param hInstall Handle to the installation provided to the DLL custom action
+ *
+ * @return ERROR_SUCCESS on success; An error code otherwise
+ * See: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368072.aspx
+ */
+ DLLEXP_DECL UINT __stdcall CheckAndScheduleReboot(_In_ MSIHANDLE hInstall);
#ifdef __cplusplus
}
@@ -29,12 +29,11 @@
static DWORD
GetRegString(HKEY key, LPCWSTR value, LPWSTR data, DWORD size, LPCWSTR default_value)
{
- LONG status = RegGetValue(key, NULL, value, RRF_RT_REG_SZ,
- NULL, (LPBYTE) data, &size);
+ LONG status = RegGetValue(key, NULL, value, RRF_RT_REG_SZ, NULL, (LPBYTE)data, &size);
if (status == ERROR_FILE_NOT_FOUND && default_value)
{
- size_t len = size/sizeof(data[0]);
+ size_t len = size / sizeof(data[0]);
if (swprintf(data, len, default_value))
{
status = ERROR_SUCCESS;
@@ -44,7 +43,10 @@
if (status != ERROR_SUCCESS)
{
SetLastError(status);
- return MsgToEventLog(M_SYSERR, L"Error querying registry value: HKLM\\SOFTWARE\\" _L(PACKAGE_NAME) L"%ls\\%ls", service_instance, value);
+ return MsgToEventLog(
+ M_SYSERR,
+ L"Error querying registry value: HKLM\\SOFTWARE\\" _L(PACKAGE_NAME) L"%ls\\%ls",
+ service_instance, value);
}
return ERROR_SUCCESS;
@@ -68,7 +70,8 @@
if (status != ERROR_SUCCESS)
{
SetLastError(status);
- return MsgToEventLog(M_SYSERR, L"Could not open Registry key HKLM\\%ls not found", reg_path);
+ return MsgToEventLog(M_SYSERR, L"Could not open Registry key HKLM\\%ls not found",
+ reg_path);
}
/* The default value of REG_KEY is the install path */
@@ -79,8 +82,7 @@
goto out;
}
- swprintf(default_value, _countof(default_value), L"%ls\\bin\\openvpn.exe",
- install_path);
+ swprintf(default_value, _countof(default_value), L"%ls\\bin\\openvpn.exe", install_path);
error = GetRegString(key, L"exe_path", s->exe_path, sizeof(s->exe_path), default_value);
if (error != ERROR_SUCCESS)
{
@@ -88,23 +90,20 @@
}
swprintf(default_value, _countof(default_value), L"%ls\\config", install_path);
- error = GetRegString(key, L"config_dir", s->config_dir, sizeof(s->config_dir),
- default_value);
+ error = GetRegString(key, L"config_dir", s->config_dir, sizeof(s->config_dir), default_value);
if (error != ERROR_SUCCESS)
{
goto out;
}
swprintf(default_value, _countof(default_value), L"%ls\\bin", install_path);
- error = GetRegString(key, L"bin_dir", s->bin_dir, sizeof(s->bin_dir),
- default_value);
+ error = GetRegString(key, L"bin_dir", s->bin_dir, sizeof(s->bin_dir), default_value);
if (error != ERROR_SUCCESS)
{
goto out;
}
- error = GetRegString(key, L"config_ext", s->ext_string, sizeof(s->ext_string),
- L".ovpn");
+ error = GetRegString(key, L"config_ext", s->ext_string, sizeof(s->ext_string), L".ovpn");
if (error != ERROR_SUCCESS)
{
goto out;
@@ -117,8 +116,7 @@
goto out;
}
- error = GetRegString(key, L"priority", priority, sizeof(priority),
- L"NORMAL_PRIORITY_CLASS");
+ error = GetRegString(key, L"priority", priority, sizeof(priority), L"NORMAL_PRIORITY_CLASS");
if (error != ERROR_SUCCESS)
{
goto out;
@@ -131,8 +129,8 @@
}
/* read if present, else use default */
- error = GetRegString(key, L"ovpn_admin_group", s->ovpn_admin_group,
- sizeof(s->ovpn_admin_group), OVPN_ADMIN_GROUP);
+ error = GetRegString(key, L"ovpn_admin_group", s->ovpn_admin_group, sizeof(s->ovpn_admin_group),
+ OVPN_ADMIN_GROUP);
if (error != ERROR_SUCCESS)
{
goto out;
@@ -185,7 +183,8 @@
else
{
SetLastError(ERROR_INVALID_DATA);
- error = MsgToEventLog(M_ERR, L"Log file append flag (given as '%ls') must be '0' or '1'", append);
+ error = MsgToEventLog(M_ERR, L"Log file append flag (given as '%ls') must be '0' or '1'",
+ append);
goto out;
}
@@ -204,10 +203,11 @@
LPWSTR tmp = NULL;
error = GetLastError();
- len = FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ARGUMENT_ARRAY,
+ len = FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM
+ | FORMAT_MESSAGE_ARGUMENT_ARRAY,
NULL, error, LANG_NEUTRAL, tmp, 0, NULL);
- if (len == 0 || (long) _countof(buf) < (long) len + 14)
+ if (len == 0 || (long)_countof(buf) < (long)len + 14)
{
buf[0] = L'\0';
}
@@ -244,8 +244,7 @@
hEventSource = RegisterEventSource(NULL, APPNAME);
if (hEventSource != NULL)
{
- swprintf(msg[0], _countof(msg[0]),
- L"%ls%ls%ls: %ls", APPNAME, service_instance,
+ swprintf(msg[0], _countof(msg[0]), L"%ls%ls%ls: %ls", APPNAME, service_instance,
(flags & MSG_FLAGS_ERROR) ? L" error" : L"", err_msg);
va_start(arglist, format);
@@ -253,9 +252,9 @@
va_end(arglist);
const WCHAR *mesg[] = { msg[0], msg[1] };
- ReportEvent(hEventSource, flags & MSG_FLAGS_ERROR ?
- EVENTLOG_ERROR_TYPE : EVENTLOG_INFORMATION_TYPE,
- 0, 0, NULL, 2, 0, mesg, NULL);
+ ReportEvent(hEventSource,
+ flags & MSG_FLAGS_ERROR ? EVENTLOG_ERROR_TYPE : EVENTLOG_INFORMATION_TYPE, 0, 0,
+ NULL, 2, 0, mesg, NULL);
DeregisterEventSource(hEventSource);
}
@@ -40,32 +40,30 @@
#include "validate.h"
#include "wfp_block.h"
-#define IO_TIMEOUT 2000 /*ms*/
+#define IO_TIMEOUT 2000 /*ms*/
-#define ERROR_OPENVPN_STARTUP 0x20000000
-#define ERROR_STARTUP_DATA 0x20000001
-#define ERROR_MESSAGE_DATA 0x20000002
-#define ERROR_MESSAGE_TYPE 0x20000003
+#define ERROR_OPENVPN_STARTUP 0x20000000
+#define ERROR_STARTUP_DATA 0x20000001
+#define ERROR_MESSAGE_DATA 0x20000002
+#define ERROR_MESSAGE_TYPE 0x20000003
static SERVICE_STATUS_HANDLE service;
static SERVICE_STATUS status = { .dwServiceType = SERVICE_WIN32_SHARE_PROCESS };
static HANDLE exit_event = NULL;
static settings_t settings;
static HANDLE rdns_semaphore = NULL;
-#define RDNS_TIMEOUT 600 /* seconds to wait for the semaphore */
+#define RDNS_TIMEOUT 600 /* seconds to wait for the semaphore */
-#define TUN_IOCTL_REGISTER_RINGS CTL_CODE(51820U, 0x970U, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
+#define TUN_IOCTL_REGISTER_RINGS \
+ CTL_CODE(51820U, 0x970U, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
-openvpn_service_t interactive_service = {
- interactive,
- _L(PACKAGE_NAME) L"ServiceInteractive",
- _L(PACKAGE_NAME) L" Interactive Service",
- SERVICE_DEPENDENCIES,
- SERVICE_AUTO_START
-};
+openvpn_service_t interactive_service = { interactive, _L(PACKAGE_NAME) L"ServiceInteractive",
+ _L(PACKAGE_NAME) L" Interactive Service",
+ SERVICE_DEPENDENCIES, SERVICE_AUTO_START };
-typedef struct {
+typedef struct
+{
WCHAR *directory;
WCHAR *options;
WCHAR *std_input;
@@ -73,14 +71,16 @@
/* Datatype for linked lists */
-typedef struct _list_item {
+typedef struct _list_item
+{
struct _list_item *next;
LPVOID data;
} list_item_t;
/* Datatypes for undo information */
-typedef enum {
+typedef enum
+{
address,
route,
wfp_block,
@@ -93,19 +93,22 @@
} undo_type_t;
typedef list_item_t *undo_lists_t[_undo_type_max];
-typedef struct {
+typedef struct
+{
HANDLE engine;
int index;
int metric_v4;
int metric_v6;
} wfp_block_data_t;
-typedef struct {
+typedef struct
+{
char itf_name[256];
PWSTR domains;
} dns_domains_undo_data_t;
-typedef union {
+typedef union
+{
message_header_t header;
address_message_t address;
route_message_t route;
@@ -119,7 +122,8 @@
create_adapter_message_t create_adapter;
} pipe_message_t;
-typedef struct {
+typedef struct
+{
CHAR addresses[NRPT_ADDR_NUM * NRPT_ADDR_SIZE];
WCHAR domains[512]; /* MULTI_SZ string */
DWORD domains_size; /* bytes in domains */
@@ -142,7 +146,7 @@
return NO_ERROR;
}
-typedef BOOL (*match_fn_t) (LPVOID item, LPVOID ctx);
+typedef BOOL (*match_fn_t)(LPVOID item, LPVOID ctx);
static LPVOID
RemoveListItem(list_item_t **pfirst, match_fn_t match, LPVOID ctx)
@@ -201,7 +205,8 @@
}
-typedef enum {
+typedef enum
+{
peek,
read,
write
@@ -248,8 +253,7 @@
handles[i + 1] = events[i];
}
- res = WaitForMultipleObjects(count + 1, handles, FALSE,
- op == peek ? INFINITE : IO_TIMEOUT);
+ res = WaitForMultipleObjects(count + 1, handles, FALSE, op == peek ? INFINITE : IO_TIMEOUT);
if (res != WAIT_OBJECT_0)
{
CancelIo(pipe);
@@ -309,32 +313,25 @@
{
DWORD result_len;
LPWSTR result = L"0xffffffff\nFormatMessage failed\nCould not return result";
- DWORD_PTR args[] = {
- (DWORD_PTR) error,
- (DWORD_PTR) func,
- (DWORD_PTR) ""
- };
+ DWORD_PTR args[] = { (DWORD_PTR)error, (DWORD_PTR)func, (DWORD_PTR) "" };
if (error != ERROR_OPENVPN_STARTUP)
{
- FormatMessageW(FORMAT_MESSAGE_FROM_SYSTEM
- |FORMAT_MESSAGE_ALLOCATE_BUFFER
- |FORMAT_MESSAGE_IGNORE_INSERTS,
- 0, error, 0, (LPWSTR) &args[2], 0, NULL);
+ FormatMessageW(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER
+ | FORMAT_MESSAGE_IGNORE_INSERTS,
+ 0, error, 0, (LPWSTR)&args[2], 0, NULL);
}
- result_len = FormatMessageW(FORMAT_MESSAGE_FROM_STRING
- |FORMAT_MESSAGE_ALLOCATE_BUFFER
- |FORMAT_MESSAGE_ARGUMENT_ARRAY,
- L"0x%1!08x!\n%2!s!\n%3!s!", 0, 0,
- (LPWSTR) &result, 0, (va_list *) args);
+ result_len = FormatMessageW(
+ FORMAT_MESSAGE_FROM_STRING | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_ARGUMENT_ARRAY,
+ L"0x%1!08x!\n%2!s!\n%3!s!", 0, 0, (LPWSTR)&result, 0, (va_list *)args);
WritePipeAsync(pipe, result, (DWORD)(wcslen(result) * 2), count, events);
MsgToEventLog(MSG_FLAGS_ERROR, result);
if (error != ERROR_OPENVPN_STARTUP)
{
- LocalFree((LPVOID) args[2]);
+ LocalFree((LPVOID)args[2]);
}
if (result_len)
{
@@ -355,7 +352,8 @@
* Returns true on success, false on error with reason set in errmsg.
*/
static BOOL
-ValidateOptions(HANDLE pipe, const WCHAR *workdir, const WCHAR *options, WCHAR *errmsg, DWORD capacity)
+ValidateOptions(HANDLE pipe, const WCHAR *workdir, const WCHAR *options, WCHAR *errmsg,
+ DWORD capacity)
{
WCHAR **argv;
int argc;
@@ -380,7 +378,7 @@
}
/* Note: argv[0] is the first option */
- if (argc < 1) /* no options */
+ if (argc < 1) /* no options */
{
ret = TRUE;
goto out;
@@ -395,8 +393,7 @@
if (!CheckOption(workdir, 2, argv_tmp, &settings))
{
- swprintf(errmsg, capacity, msg1, argv[0], workdir,
- settings.ovpn_admin_group);
+ swprintf(errmsg, capacity, msg1, argv[0], workdir, settings.ovpn_admin_group);
}
goto out;
}
@@ -408,17 +405,15 @@
continue;
}
- if (!CheckOption(workdir, argc-i, &argv[i], &settings))
+ if (!CheckOption(workdir, argc - i, &argv[i], &settings))
{
- if (wcscmp(L"--config", argv[i]) == 0 && argc-i > 1)
+ if (wcscmp(L"--config", argv[i]) == 0 && argc - i > 1)
{
- swprintf(errmsg, capacity, msg1, argv[i+1], workdir,
- settings.ovpn_admin_group);
+ swprintf(errmsg, capacity, msg1, argv[i + 1], workdir, settings.ovpn_admin_group);
}
else
{
- swprintf(errmsg, capacity, msg2, argv[i],
- settings.ovpn_admin_group);
+ swprintf(errmsg, capacity, msg2, argv[i], settings.ovpn_admin_group);
}
goto out;
}
@@ -505,7 +500,7 @@
return TRUE;
err:
- sud->directory = NULL; /* caller must not free() */
+ sud->directory = NULL; /* caller must not free() */
free(data);
return FALSE;
}
@@ -580,7 +575,7 @@
InitializeUnicastIpAddressEntry(addr_row);
addr_row->Address = sockaddr_inet(msg->family, &msg->address);
- addr_row->OnLinkPrefixLength = (UINT8) msg->prefix_len;
+ addr_row->OnLinkPrefixLength = (UINT8)msg->prefix_len;
if (msg->iface.index != -1)
{
@@ -662,7 +657,7 @@
fwd_row->Protocol = MIB_IPPROTO_NETMGMT;
fwd_row->Metric = msg->metric;
fwd_row->DestinationPrefix.Prefix = sockaddr_inet(msg->family, &msg->prefix);
- fwd_row->DestinationPrefix.PrefixLength = (UINT8) msg->prefix_len;
+ fwd_row->DestinationPrefix.PrefixLength = (UINT8)msg->prefix_len;
fwd_row->NextHop = sockaddr_inet(msg->family, &msg->gateway);
if (msg->iface.index != -1)
@@ -740,7 +735,7 @@
err_str = L"Unknown Win32 Error";
if (FormatMessage(FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_FROM_SYSTEM
- | FORMAT_MESSAGE_ARGUMENT_ARRAY,
+ | FORMAT_MESSAGE_ARGUMENT_ARRAY,
NULL, err, 0, buf, sizeof(buf), NULL))
{
err_str = buf;
@@ -767,13 +762,11 @@
err = delete_wfp_block_filters(block_data->engine);
if (block_data->metric_v4 >= 0)
{
- set_interface_metric(msg->iface.index, AF_INET,
- block_data->metric_v4);
+ set_interface_metric(msg->iface.index, AF_INET, block_data->metric_v4);
}
if (block_data->metric_v6 >= 0)
{
- set_interface_metric(msg->iface.index, AF_INET6,
- block_data->metric_v6);
+ set_interface_metric(msg->iface.index, AF_INET6, block_data->metric_v6);
}
free(block_data);
}
@@ -809,14 +802,12 @@
block_data->engine = engine;
block_data->index = msg->iface.index;
int is_auto = 0;
- block_data->metric_v4 = get_interface_metric(msg->iface.index,
- AF_INET, &is_auto);
+ block_data->metric_v4 = get_interface_metric(msg->iface.index, AF_INET, &is_auto);
if (is_auto)
{
block_data->metric_v4 = 0;
}
- block_data->metric_v6 = get_interface_metric(msg->iface.index,
- AF_INET6, &is_auto);
+ block_data->metric_v6 = get_interface_metric(msg->iface.index, AF_INET6, &is_auto);
if (is_auto)
{
block_data->metric_v6 = 0;
@@ -825,8 +816,7 @@
err = AddListItem(&(*lists)[wfp_block], block_data);
if (!err)
{
- err = set_interface_metric(msg->iface.index, AF_INET,
- WFP_BLOCK_IFACE_METRIC);
+ err = set_interface_metric(msg->iface.index, AF_INET, WFP_BLOCK_IFACE_METRIC);
if (!err)
{
/* for IPv6, we intentionally ignore errors, because
@@ -834,8 +824,7 @@
* admin has disabled IPv6 on the tun/tap/dco interface
* (if OpenVPN wants IPv6 ifconfig, we'll fail there)
*/
- set_interface_metric(msg->iface.index, AF_INET6,
- WFP_BLOCK_IFACE_METRIC);
+ set_interface_metric(msg->iface.index, AF_INET6, WFP_BLOCK_IFACE_METRIC);
}
if (err)
{
@@ -880,7 +869,7 @@
DWORD exit_code;
STARTUPINFOW si;
PROCESS_INFORMATION pi;
- DWORD proc_flags = CREATE_NO_WINDOW|CREATE_UNICODE_ENVIRONMENT;
+ DWORD proc_flags = CREATE_NO_WINDOW | CREATE_UNICODE_ENVIRONMENT;
WCHAR *cmdline_dup = NULL;
ZeroMemory(&si, sizeof(si));
@@ -890,8 +879,8 @@
/* CreateProcess needs a modifiable cmdline: make a copy */
cmdline_dup = _wcsdup(cmdline);
- if (cmdline_dup && CreateProcessW(argv0, cmdline_dup, NULL, NULL, FALSE,
- proc_flags, NULL, NULL, &si, &pi) )
+ if (cmdline_dup
+ && CreateProcessW(argv0, cmdline_dup, NULL, NULL, FALSE, proc_flags, NULL, NULL, &si, &pi))
{
WaitForSingleObject(pi.hProcess, timeout ? timeout : INFINITE);
if (!GetExitCodeProcess(pi.hProcess, &exit_code))
@@ -905,13 +894,12 @@
/* kill without impunity */
TerminateProcess(pi.hProcess, exit_code);
- MsgToEventLog(M_ERR, L"ExecCommand: \"%ls %ls\" killed after timeout",
- argv0, cmdline);
+ MsgToEventLog(M_ERR, L"ExecCommand: \"%ls %ls\" killed after timeout", argv0, cmdline);
}
else if (exit_code)
{
- MsgToEventLog(M_ERR, L"ExecCommand: \"%ls %ls\" exited with status = %lu",
- argv0, cmdline, exit_code);
+ MsgToEventLog(M_ERR, L"ExecCommand: \"%ls %ls\" exited with status = %lu", argv0,
+ cmdline, exit_code);
}
else
{
@@ -924,8 +912,7 @@
else
{
exit_code = GetLastError();
- MsgToEventLog(M_SYSERR, L"ExecCommand: could not run \"%ls %ls\" :",
- argv0, cmdline);
+ MsgToEventLog(M_SYSERR, L"ExecCommand: could not run \"%ls %ls\" :", argv0, cmdline);
}
free(cmdline_dup);
@@ -950,12 +937,12 @@
WCHAR *argv0;
WCHAR *cmdline;
DWORD timeout;
- } cmds [] = {
- { ipcfg, L"ipconfig /flushdns", timeout },
+ } cmds[] = {
+ { ipcfg, L"ipconfig /flushdns", timeout },
{ ipcfg, L"ipconfig /registerdns", timeout },
};
- HANDLE wait_handles[2] = {rdns_semaphore, exit_event};
+ HANDLE wait_handles[2] = { rdns_semaphore, exit_event };
swprintf(ipcfg, MAX_PATH, L"%ls\\%ls", get_win_sys_path(), L"ipconfig.exe");
@@ -967,9 +954,10 @@
ExecCommand(cmds[i].argv0, cmds[i].cmdline, cmds[i].timeout);
}
err = 0;
- if (!ReleaseSemaphore(rdns_semaphore, 1, NULL) )
+ if (!ReleaseSemaphore(rdns_semaphore, 1, NULL))
{
- err = MsgToEventLog(M_SYSERR, L"RegisterDNS: Failed to release regsiter-dns semaphore:");
+ err =
+ MsgToEventLog(M_SYSERR, L"RegisterDNS: Failed to release regsiter-dns semaphore:");
}
}
else
@@ -1046,7 +1034,7 @@
/* max cmdline length in wchars -- include room for worst case and some */
size_t ncmdline = wcslen(fmt) + wcslen(if_name) + wcslen(action) + wcslen(addr)
- +wcslen(addr_static) + 32 + 1;
+ + wcslen(addr_static) + 32 + 1;
cmdline = malloc(ncmdline * sizeof(wchar_t));
if (!cmdline)
{
@@ -1078,13 +1066,8 @@
static BOOL
ApplyGpolSettings32(void)
{
- typedef NTSTATUS (__stdcall *publish_fn_t)(
- DWORD StateNameLo,
- DWORD StateNameHi,
- DWORD TypeId,
- DWORD Buffer,
- DWORD Length,
- DWORD ExplicitScope);
+ typedef NTSTATUS(__stdcall * publish_fn_t)(DWORD StateNameLo, DWORD StateNameHi, DWORD TypeId,
+ DWORD Buffer, DWORD Length, DWORD ExplicitScope);
publish_fn_t RtlPublishWnfStateData;
const DWORD WNF_GPOL_SYSTEM_CHANGES_HI = 0x0D891E2A;
const DWORD WNF_GPOL_SYSTEM_CHANGES_LO = 0xA3BC0875;
@@ -1095,13 +1078,14 @@
return FALSE;
}
- RtlPublishWnfStateData = (publish_fn_t) GetProcAddress(ntdll, "RtlPublishWnfStateData");
+ RtlPublishWnfStateData = (publish_fn_t)GetProcAddress(ntdll, "RtlPublishWnfStateData");
if (RtlPublishWnfStateData == NULL)
{
return FALSE;
}
- if (RtlPublishWnfStateData(WNF_GPOL_SYSTEM_CHANGES_LO, WNF_GPOL_SYSTEM_CHANGES_HI, 0, 0, 0, 0) != ERROR_SUCCESS)
+ if (RtlPublishWnfStateData(WNF_GPOL_SYSTEM_CHANGES_LO, WNF_GPOL_SYSTEM_CHANGES_HI, 0, 0, 0, 0)
+ != ERROR_SUCCESS)
{
return FALSE;
}
@@ -1118,12 +1102,8 @@
static BOOL
ApplyGpolSettings64(void)
{
- typedef NTSTATUS (*publish_fn_t)(
- INT64 StateName,
- INT64 TypeId,
- INT64 Buffer,
- unsigned int Length,
- INT64 ExplicitScope);
+ typedef NTSTATUS (*publish_fn_t)(INT64 StateName, INT64 TypeId, INT64 Buffer,
+ unsigned int Length, INT64 ExplicitScope);
publish_fn_t RtlPublishWnfStateData;
const INT64 WNF_GPOL_SYSTEM_CHANGES = 0x0D891E2AA3BC0875;
@@ -1133,7 +1113,7 @@
return FALSE;
}
- RtlPublishWnfStateData = (publish_fn_t) GetProcAddress(ntdll, "RtlPublishWnfStateData");
+ RtlPublishWnfStateData = (publish_fn_t)GetProcAddress(ntdll, "RtlPublishWnfStateData");
if (RtlPublishWnfStateData == NULL)
{
return FALSE;
@@ -1183,24 +1163,21 @@
scm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (scm == NULL)
{
- MsgToEventLog(M_ERR, L"%S: OpenSCManager call failed (%lu)",
- __func__, GetLastError());
+ MsgToEventLog(M_ERR, L"%S: OpenSCManager call failed (%lu)", __func__, GetLastError());
goto out;
}
dnssvc = OpenServiceA(scm, "Dnscache", SERVICE_PAUSE_CONTINUE);
if (dnssvc == NULL)
{
- MsgToEventLog(M_ERR, L"%S: OpenService call failed (%lu)",
- __func__, GetLastError());
+ MsgToEventLog(M_ERR, L"%S: OpenService call failed (%lu)", __func__, GetLastError());
goto out;
}
SERVICE_STATUS status;
if (ControlService(dnssvc, SERVICE_CONTROL_PARAMCHANGE, &status) == 0)
{
- MsgToEventLog(M_ERR, L"%S: ControlService call failed (%lu)",
- __func__, GetLastError());
+ MsgToEventLog(M_ERR, L"%S: ControlService call failed (%lu)", __func__, GetLastError());
goto out;
}
@@ -1328,8 +1305,7 @@
*gpol = FALSE;
/* Try the group policy search list */
- err = RegOpenKeyExA(HKEY_LOCAL_MACHINE,
- "SOFTWARE\\Policies\\Microsoft\\Windows NT\\DNSClient",
+ err = RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SOFTWARE\\Policies\\Microsoft\\Windows NT\\DNSClient",
0, KEY_ALL_ACCESS, key);
if (!err)
{
@@ -1342,9 +1318,9 @@
}
/* Try the system-wide search list */
- err = RegOpenKeyExA(HKEY_LOCAL_MACHINE,
- "System\\CurrentControlSet\\Services\\TCPIP\\Parameters",
- 0, KEY_ALL_ACCESS, key);
+ err =
+ RegOpenKeyExA(HKEY_LOCAL_MACHINE, "System\\CurrentControlSet\\Services\\TCPIP\\Parameters",
+ 0, KEY_ALL_ACCESS, key);
if (!err)
{
if (HasValidSearchList(*key))
@@ -1362,9 +1338,10 @@
if (!iid_err)
{
HKEY itfs;
- err = RegOpenKeyExA(HKEY_LOCAL_MACHINE,
- "System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\Interfaces",
- 0, KEY_ALL_ACCESS, &itfs);
+ err =
+ RegOpenKeyExA(HKEY_LOCAL_MACHINE,
+ "System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\Interfaces",
+ 0, KEY_ALL_ACCESS, &itfs);
if (!err)
{
err = RegOpenKeyExW(itfs, iid, 0, KEY_ALL_ACCESS, key);
@@ -1400,8 +1377,7 @@
{
return FALSE;
}
- MsgToEventLog(M_ERR, L"%S: failed to get InitialSearchList (%lu)",
- __func__, err);
+ MsgToEventLog(M_ERR, L"%S: failed to get InitialSearchList (%lu)", __func__, err);
}
return TRUE;
@@ -1436,8 +1412,7 @@
LSTATUS err = RegSetValueExW(key, L"InitialSearchList", 0, REG_SZ, (PBYTE)list, size);
if (err)
{
- MsgToEventLog(M_ERR, L"%S: failed to set InitialSearchList value (%lu)",
- __func__, err);
+ MsgToEventLog(M_ERR, L"%S: failed to set InitialSearchList value (%lu)", __func__, err);
return FALSE;
}
@@ -1457,7 +1432,7 @@
AddDnsSearchDomains(HKEY key, BOOL have_list, PCWSTR domains)
{
LSTATUS err;
- WCHAR list[2048] = {0};
+ WCHAR list[2048] = { 0 };
DWORD size = sizeof(list);
if (have_list)
@@ -1465,8 +1440,8 @@
err = RegGetValueW(key, NULL, L"SearchList", RRF_RT_REG_SZ, NULL, list, &size);
if (err)
{
- MsgToEventLog(M_SYSERR, L"%S: could not get SearchList from registry (%lu)",
- __func__, err);
+ MsgToEventLog(M_SYSERR, L"%S: could not get SearchList from registry (%lu)", __func__,
+ err);
return FALSE;
}
@@ -1498,8 +1473,7 @@
err = RegSetValueExW(key, L"SearchList", 0, REG_SZ, (PBYTE)list, size);
if (err)
{
- MsgToEventLog(M_SYSERR, L"%S: could not set SearchList to registry (%lu)",
- __func__, err);
+ MsgToEventLog(M_SYSERR, L"%S: could not set SearchList to registry (%lu)", __func__, err);
return FALSE;
}
@@ -1540,8 +1514,7 @@
err = RegSetValueExW(key, L"SearchList", 0, REG_SZ, (PBYTE)list, size);
if (err)
{
- MsgToEventLog(M_SYSERR, L"%S: could not set SearchList in registry (%lu)",
- __func__, err);
+ MsgToEventLog(M_SYSERR, L"%S: could not set SearchList in registry (%lu)", __func__, err);
goto out;
}
@@ -1568,8 +1541,7 @@
err = RegGetValueW(key, NULL, L"SearchList", RRF_RT_REG_SZ, NULL, list, &size);
if (err)
{
- MsgToEventLog(M_SYSERR, L"%S: could not get SearchList from registry (%lu)",
- __func__, err);
+ MsgToEventLog(M_SYSERR, L"%S: could not get SearchList from registry (%lu)", __func__, err);
return;
}
@@ -1613,8 +1585,7 @@
err = RegSetValueExW(key, L"SearchList", 0, REG_SZ, (PBYTE)list, size);
if (err)
{
- MsgToEventLog(M_SYSERR, L"%S: could not set SearchList in registry (%lu)",
- __func__, err);
+ MsgToEventLog(M_SYSERR, L"%S: could not set SearchList in registry (%lu)", __func__, err);
}
}
@@ -1732,8 +1703,8 @@
GetInterfacesKey(short family, PHKEY key)
{
PCSTR itfs_key = family == AF_INET6
- ? "SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Interfaces"
- : "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces";
+ ? "SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Interfaces"
+ : "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces";
LSTATUS err = RegOpenKeyExA(HKEY_LOCAL_MACHINE, itfs_key, 0, KEY_ALL_ACCESS, key);
if (err)
@@ -1842,11 +1813,12 @@
return ERROR_MESSAGE_DATA;
}
- /* use a non-const reference with limited scope to enforce null-termination of strings from client */
+ /* use a non-const reference with limited scope to enforce null-termination of strings from
+ * client */
{
- dns_cfg_message_t *msgptr = (dns_cfg_message_t *) msg;
- msgptr->iface.name[_countof(msg->iface.name)-1] = '\0';
- msgptr->domains[_countof(msg->domains)-1] = '\0';
+ dns_cfg_message_t *msgptr = (dns_cfg_message_t *)msg;
+ msgptr->iface.name[_countof(msg->iface.name) - 1] = '\0';
+ msgptr->domains[_countof(msg->domains) - 1] = '\0';
}
WCHAR iid[64];
@@ -1878,7 +1850,7 @@
err = SetDnsSearchDomains(msg->iface.name, NULL, &gpol, lists);
}
ApplyDnsSettings(gpol);
- return err; /* job done */
+ return err; /* job done */
}
if (msg->addr_len > 0)
@@ -2100,8 +2072,7 @@
s--;
}
- if (inet_ntop(AF_INET6, &in_addrs[i],
- pos, s) != NULL)
+ if (inet_ntop(AF_INET6, &in_addrs[i], pos, s) != NULL)
{
*size = 0;
return ERROR_MORE_DATA;
@@ -2188,7 +2159,7 @@
LSTATUS err = ERROR_FILE_NOT_FOUND;
const DWORD buf_size = *size;
const size_t one_glyph = sizeof(*domains);
- PWSTR values[] = { L"SearchList", L"Domain", L"DhcpDomainSearchList", L"DhcpDomain", NULL};
+ PWSTR values[] = { L"SearchList", L"Domain", L"DhcpDomainSearchList", L"DhcpDomain", NULL };
for (int i = 0; values[i]; i++)
{
@@ -2284,7 +2255,8 @@
/* Get GUID from string */
if (IIDFromString(iid_str, &iid) != S_OK)
{
- MsgToEventLog(M_SYSERR, L"%S: could not convert interface %s GUID string", __func__, iid_str);
+ MsgToEventLog(M_SYSERR, L"%S: could not convert interface %s GUID string", __func__,
+ iid_str);
goto out;
}
@@ -2326,8 +2298,7 @@
HKEY v4_itfs = INVALID_HANDLE_VALUE;
HKEY v6_itfs = INVALID_HANDLE_VALUE;
- if (!GetInterfacesKey(AF_INET, &v4_itfs)
- || !GetInterfacesKey(AF_INET6, &v6_itfs))
+ if (!GetInterfacesKey(AF_INET, &v4_itfs) || !GetInterfacesKey(AF_INET6, &v6_itfs))
{
goto out;
}
@@ -2338,8 +2309,8 @@
{
WCHAR itf_guid[MAX_PATH];
DWORD itf_guid_len = _countof(itf_guid);
- LSTATUS err = RegEnumKeyExW(v4_itfs, enum_index++, itf_guid, &itf_guid_len,
- NULL, NULL, NULL, NULL);
+ LSTATUS err =
+ RegEnumKeyExW(v4_itfs, enum_index++, itf_guid, &itf_guid_len, NULL, NULL, NULL, NULL);
if (err)
{
if (err != ERROR_NO_MORE_ITEMS)
@@ -2358,7 +2329,8 @@
HKEY v4_itf;
if (RegOpenKeyExW(v4_itfs, itf_guid, 0, KEY_READ, &v4_itf) != NO_ERROR)
{
- MsgToEventLog(M_SYSERR, L"%S: could not open interface %s v4 registry key", __func__, itf_guid);
+ MsgToEventLog(M_SYSERR, L"%S: could not open interface %s v4 registry key", __func__,
+ itf_guid);
goto out;
}
@@ -2370,7 +2342,8 @@
{
if (err != ERROR_FILE_NOT_FOUND)
{
- MsgToEventLog(M_SYSERR, L"%S: could not read interface %s domain suffix", __func__, itf_guid);
+ MsgToEventLog(M_SYSERR, L"%S: could not read interface %s domain suffix", __func__,
+ itf_guid);
}
goto next_itf;
}
@@ -2393,7 +2366,8 @@
HKEY v6_itf;
if (RegOpenKeyExW(v6_itfs, itf_guid, 0, KEY_READ, &v6_itf) != NO_ERROR)
{
- MsgToEventLog(M_SYSERR, L"%S: could not open interface %s v6 registry key", __func__, itf_guid);
+ MsgToEventLog(M_SYSERR, L"%S: could not open interface %s v6 registry key",
+ __func__, itf_guid);
goto next_itf;
}
err = GetItfDnsServersV6(v6_itf, v6_addrs, &v6_addrs_size);
@@ -2441,8 +2415,8 @@
* @return NO_ERROR on success, or Windows error code
*/
static DWORD
-SetNrptRule(HKEY nrpt_key, PCWSTR subkey, PCSTR address,
- PCWSTR domains, DWORD dom_size, BOOL dnssec)
+SetNrptRule(HKEY nrpt_key, PCWSTR subkey, PCSTR address, PCWSTR domains, DWORD dom_size,
+ BOOL dnssec)
{
/* Create rule subkey */
DWORD err = NO_ERROR;
@@ -2461,7 +2435,8 @@
}
/* Set DNS Server address */
- err = RegSetValueExA(rule_key, "GenericDNSServers", 0, REG_SZ, (PBYTE)address, strlen(address) + 1);
+ err = RegSetValueExA(rule_key, "GenericDNSServers", 0, REG_SZ, (PBYTE)address,
+ strlen(address) + 1);
if (err)
{
goto out;
@@ -2472,21 +2447,24 @@
if (dnssec)
{
reg_val = 1;
- err = RegSetValueExA(rule_key, "DNSSECValidationRequired", 0, REG_DWORD, (PBYTE)®_val, sizeof(reg_val));
+ err = RegSetValueExA(rule_key, "DNSSECValidationRequired", 0, REG_DWORD, (PBYTE)®_val,
+ sizeof(reg_val));
if (err)
{
goto out;
}
reg_val = 0;
- err = RegSetValueExA(rule_key, "DNSSECQueryIPSECRequired", 0, REG_DWORD, (PBYTE)®_val, sizeof(reg_val));
+ err = RegSetValueExA(rule_key, "DNSSECQueryIPSECRequired", 0, REG_DWORD, (PBYTE)®_val,
+ sizeof(reg_val));
if (err)
{
goto out;
}
reg_val = 0;
- err = RegSetValueExA(rule_key, "DNSSECQueryIPSECEncryption", 0, REG_DWORD, (PBYTE)®_val, sizeof(reg_val));
+ err = RegSetValueExA(rule_key, "DNSSECQueryIPSECEncryption", 0, REG_DWORD, (PBYTE)®_val,
+ sizeof(reg_val));
if (err)
{
goto out;
@@ -2495,7 +2473,8 @@
/* Set NRPT config options */
reg_val = dnssec ? 0x0000000A : 0x00000008;
- err = RegSetValueExA(rule_key, "ConfigOptions", 0, REG_DWORD, (const PBYTE)®_val, sizeof(reg_val));
+ err = RegSetValueExA(rule_key, "ConfigOptions", 0, REG_DWORD, (const PBYTE)®_val,
+ sizeof(reg_val));
if (err)
{
goto out;
@@ -2653,7 +2632,8 @@
* remains in the registry even if the last GP-NRPT rule is deleted.
*/
static PCSTR gpol_key = "SOFTWARE\\Policies\\Microsoft\\Windows NT\\DNSClient\\DnsPolicyConfig";
- static PCSTR sys_key = "SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters\\DnsPolicyConfig";
+ static PCSTR sys_key =
+ "SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters\\DnsPolicyConfig";
HKEY nrpt;
*gpol = TRUE;
@@ -2661,7 +2641,8 @@
if (err == ERROR_FILE_NOT_FOUND)
{
*gpol = FALSE;
- err = RegCreateKeyExA(HKEY_LOCAL_MACHINE, sys_key, 0, NULL, 0, KEY_ALL_ACCESS, NULL, &nrpt, NULL);
+ err = RegCreateKeyExA(HKEY_LOCAL_MACHINE, sys_key, 0, NULL, 0, KEY_ALL_ACCESS, NULL, &nrpt,
+ NULL);
if (err)
{
nrpt = INVALID_HANDLE_VALUE;
@@ -2763,15 +2744,14 @@
* @return NO_ERROR on success, or a Windows error code
*/
static DWORD
-HandleDNSConfigNrptMessage(const nrpt_dns_cfg_message_t *msg,
- DWORD ovpn_pid, undo_lists_t *lists)
+HandleDNSConfigNrptMessage(const nrpt_dns_cfg_message_t *msg, DWORD ovpn_pid, undo_lists_t *lists)
{
/*
* Use a non-const reference with limited scope to
* enforce null-termination of strings from client
*/
{
- nrpt_dns_cfg_message_t *msgptr = (nrpt_dns_cfg_message_t *) msg;
+ nrpt_dns_cfg_message_t *msgptr = (nrpt_dns_cfg_message_t *)msg;
msgptr->iface.name[_countof(msg->iface.name) - 1] = '\0';
msgptr->search_domains[_countof(msg->search_domains) - 1] = '\0';
msgptr->resolve_domains[_countof(msg->resolve_domains) - 1] = '\0';
@@ -2864,7 +2844,8 @@
/* Set NRPT rules */
BOOL dnssec = (msg->flags & nrpt_dnssec) != 0;
- err = SetNrptRules(key, msg->addresses, msg->resolve_domains, msg->search_domains, dnssec, ovpn_pid);
+ err = SetNrptRules(key, msg->addresses, msg->resolve_domains, msg->search_domains, dnssec,
+ ovpn_pid);
if (err)
{
goto out;
@@ -2907,7 +2888,8 @@
return ERROR_MESSAGE_DATA;
}
- /* use a non-const reference with limited scope to enforce null-termination of strings from client */
+ /* use a non-const reference with limited scope to enforce null-termination of strings from
+ * client */
{
wins_cfg_message_t *msgptr = (wins_cfg_message_t *)msg;
msgptr->iface.name[_countof(msg->iface.name) - 1] = '\0';
@@ -2934,7 +2916,7 @@
if (msg->header.type == msg_del_wins_cfg)
{
- goto out; /* job done */
+ goto out; /* job done */
}
for (int i = 0; i < addr_len; ++i)
@@ -2988,7 +2970,7 @@
* 10 chars for 32 bit int in decimal and +1 for NUL
*/
size_t ncmdline = wcslen(fmt) + 10 + 1;
- wchar_t *cmdline = malloc(ncmdline*sizeof(wchar_t));
+ wchar_t *cmdline = malloc(ncmdline * sizeof(wchar_t));
if (!cmdline)
{
err = ERROR_OUTOFMEMORY;
@@ -3073,16 +3055,12 @@
}
static VOID
-HandleMessage(HANDLE pipe, PPROCESS_INFORMATION proc_info,
- DWORD bytes, DWORD count, LPHANDLE events, undo_lists_t *lists)
+HandleMessage(HANDLE pipe, PPROCESS_INFORMATION proc_info, DWORD bytes, DWORD count,
+ LPHANDLE events, undo_lists_t *lists)
{
pipe_message_t msg;
ack_message_t ack = {
- .header = {
- .type = msg_acknowledgement,
- .size = sizeof(ack),
- .message_id = -1
- },
+ .header = { .type = msg_acknowledgement, .size = sizeof(ack), .message_id = -1 },
.error_number = ERROR_MESSAGE_DATA
};
@@ -3264,27 +3242,24 @@
STARTUPINFOW startup_info;
PROCESS_INFORMATION proc_info;
LPVOID user_env = NULL;
- WCHAR ovpn_pipe_name[256]; /* The entire pipe name string can be up to 256 characters long according to MSDN. */
+ WCHAR ovpn_pipe_name[256]; /* The entire pipe name string can be up to 256 characters long
+ according to MSDN. */
LPCWSTR exe_path;
WCHAR *cmdline = NULL;
size_t cmdline_size;
undo_lists_t undo_lists;
WCHAR errmsg[512] = L"";
- SECURITY_ATTRIBUTES inheritable = {
- .nLength = sizeof(inheritable),
- .lpSecurityDescriptor = NULL,
- .bInheritHandle = TRUE
- };
+ SECURITY_ATTRIBUTES inheritable = { .nLength = sizeof(inheritable),
+ .lpSecurityDescriptor = NULL,
+ .bInheritHandle = TRUE };
PACL ovpn_dacl;
EXPLICIT_ACCESS ea[2];
SECURITY_DESCRIPTOR ovpn_sd;
- SECURITY_ATTRIBUTES ovpn_sa = {
- .nLength = sizeof(ovpn_sa),
- .lpSecurityDescriptor = &ovpn_sd,
- .bInheritHandle = FALSE
- };
+ SECURITY_ATTRIBUTES ovpn_sa = { .nLength = sizeof(ovpn_sa),
+ .lpSecurityDescriptor = &ovpn_sd,
+ .bInheritHandle = FALSE };
ZeroMemory(&ea, sizeof(ea));
ZeroMemory(&startup_info, sizeof(startup_info));
@@ -3370,7 +3345,8 @@
* OR user is authorized to run any config.
*/
if (!ValidateOptions(pipe, sud.directory, sud.options, errmsg, _countof(errmsg))
- && !IsAuthorizedUser(ovpn_user->User.Sid, imp_token, settings.ovpn_admin_group, settings.ovpn_service_user))
+ && !IsAuthorizedUser(ovpn_user->User.Sid, imp_token, settings.ovpn_admin_group,
+ settings.ovpn_service_user))
{
ReturnError(pipe, ERROR_STARTUP_DATA, errmsg, 1, &exit_event);
goto out;
@@ -3382,14 +3358,14 @@
ea[0].grfInheritance = NO_INHERITANCE;
ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[0].Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN;
- ea[0].Trustee.ptstrName = (LPWSTR) svc_user->User.Sid;
- ea[1].grfAccessPermissions = READ_CONTROL | SYNCHRONIZE | PROCESS_VM_READ
- |SYNCHRONIZE | PROCESS_TERMINATE | PROCESS_QUERY_INFORMATION;
+ ea[0].Trustee.ptstrName = (LPWSTR)svc_user->User.Sid;
+ ea[1].grfAccessPermissions = READ_CONTROL | SYNCHRONIZE | PROCESS_VM_READ | SYNCHRONIZE
+ | PROCESS_TERMINATE | PROCESS_QUERY_INFORMATION;
ea[1].grfAccessMode = SET_ACCESS;
ea[1].grfInheritance = NO_INHERITANCE;
ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[1].Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN;
- ea[1].Trustee.ptstrName = (LPWSTR) ovpn_user->User.Sid;
+ ea[1].Trustee.ptstrName = (LPWSTR)ovpn_user->User.Sid;
/* Set owner and DACL of OpenVPN security descriptor */
if (!SetSecurityDescriptorOwner(&ovpn_sd, svc_user->User.Sid, FALSE))
@@ -3416,8 +3392,8 @@
}
/* use /dev/null for stdout of openvpn (client should use --log for output) */
- stdout_write = CreateFile(_L("NUL"), GENERIC_WRITE, FILE_SHARE_WRITE,
- &inheritable, OPEN_EXISTING, 0, NULL);
+ stdout_write = CreateFile(_L("NUL"), GENERIC_WRITE, FILE_SHARE_WRITE, &inheritable,
+ OPEN_EXISTING, 0, NULL);
if (stdout_write == INVALID_HANDLE_VALUE)
{
ReturnLastError(pipe, L"CreateFile for stdout");
@@ -3432,18 +3408,19 @@
}
swprintf(ovpn_pipe_name, _countof(ovpn_pipe_name),
- L"\\\\.\\pipe\\" _L(PACKAGE) L"%ls\\service_%lu", service_instance, GetCurrentThreadId());
- ovpn_pipe = CreateNamedPipe(ovpn_pipe_name,
- PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE | FILE_FLAG_OVERLAPPED,
- PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT, 1, 128, 128, 0, NULL);
+ L"\\\\.\\pipe\\" _L(PACKAGE) L"%ls\\service_%lu", service_instance,
+ GetCurrentThreadId());
+ ovpn_pipe = CreateNamedPipe(
+ ovpn_pipe_name, PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE | FILE_FLAG_OVERLAPPED,
+ PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT, 1, 128, 128, 0, NULL);
if (ovpn_pipe == INVALID_HANDLE_VALUE)
{
ReturnLastError(pipe, L"CreateNamedPipe");
goto out;
}
- svc_pipe = CreateFile(ovpn_pipe_name, GENERIC_READ | GENERIC_WRITE, 0,
- &inheritable, OPEN_EXISTING, 0, NULL);
+ svc_pipe = CreateFile(ovpn_pipe_name, GENERIC_READ | GENERIC_WRITE, 0, &inheritable,
+ OPEN_EXISTING, 0, NULL);
if (svc_pipe == INVALID_HANDLE_VALUE)
{
ReturnLastError(pipe, L"CreateFile");
@@ -3467,8 +3444,8 @@
/* there seem to be no common printf specifier that works on all
* mingw/msvc platforms without trickery, so convert to void* and use
* PRIuPTR to print that as best compromise */
- swprintf(cmdline, cmdline_size, L"openvpn %ls --msg-channel %" PRIuPTR,
- sud.options, (uintptr_t)svc_pipe);
+ swprintf(cmdline, cmdline_size, L"openvpn %ls --msg-channel %" PRIuPTR, sud.options,
+ (uintptr_t)svc_pipe);
if (!CreateEnvironmentBlock(&user_env, imp_token, FALSE))
{
@@ -3527,7 +3504,10 @@
if (bytes > sizeof(pipe_message_t))
{
/* process at the other side of the pipe is misbehaving, shut it down */
- MsgToEventLog(MSG_FLAGS_ERROR, L"OpenVPN process sent too large payload length to the pipe (%lu bytes), it will be terminated", bytes);
+ MsgToEventLog(
+ MSG_FLAGS_ERROR,
+ L"OpenVPN process sent too large payload length to the pipe (%lu bytes), it will be terminated",
+ bytes);
break;
}
@@ -3543,8 +3523,7 @@
else if (exit_code != 0)
{
WCHAR buf[256];
- swprintf(buf, _countof(buf),
- L"OpenVPN exited with error: exit code = %lu", exit_code);
+ swprintf(buf, _countof(buf), L"OpenVPN exited with error: exit code = %lu", exit_code);
ReturnError(pipe, ERROR_OPENVPN_STARTUP, buf, 1, &exit_event);
}
Undo(&undo_lists);
@@ -3607,17 +3586,19 @@
* allow read/write for authenticated users
* deny all access to anonymous
*/
- const WCHAR *sddlString = L"D:(A;OICI;GA;;;S-1-5-18)(D;OICI;0x4;;;S-1-1-0)(A;OICI;GRGW;;;S-1-5-11)(D;;GA;;;S-1-5-7)";
+ const WCHAR *sddlString =
+ L"D:(A;OICI;GA;;;S-1-5-18)(D;OICI;0x4;;;S-1-1-0)(A;OICI;GRGW;;;S-1-5-11)(D;;GA;;;S-1-5-7)";
PSECURITY_DESCRIPTOR sd = NULL;
- if (!ConvertStringSecurityDescriptorToSecurityDescriptor(sddlString, SDDL_REVISION_1, &sd, NULL))
+ if (!ConvertStringSecurityDescriptorToSecurityDescriptor(sddlString, SDDL_REVISION_1, &sd,
+ NULL))
{
MsgToEventLog(M_SYSERR, L"ConvertStringSecurityDescriptorToSecurityDescriptor failed.");
return INVALID_HANDLE_VALUE;
}
/* Set up SECURITY_ATTRIBUTES */
- SECURITY_ATTRIBUTES sa = {0};
+ SECURITY_ATTRIBUTES sa = { 0 };
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = sd;
sa.bInheritHandle = FALSE;
@@ -3631,11 +3612,13 @@
first = FALSE;
}
- WCHAR pipe_name[256]; /* The entire pipe name string can be up to 256 characters long according to MSDN. */
- swprintf(pipe_name, _countof(pipe_name), L"\\\\.\\pipe\\" _L(PACKAGE) L"%ls\\service", service_instance);
- HANDLE pipe = CreateNamedPipe(pipe_name, flags,
- PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_REJECT_REMOTE_CLIENTS,
- PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, &sa);
+ WCHAR pipe_name[256]; /* The entire pipe name string can be up to 256 characters long according
+ to MSDN. */
+ swprintf(pipe_name, _countof(pipe_name), L"\\\\.\\pipe\\" _L(PACKAGE) L"%ls\\service",
+ service_instance);
+ HANDLE pipe = CreateNamedPipe(
+ pipe_name, flags, PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_REJECT_REMOTE_CLIENTS,
+ PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, &sa);
LocalFree(sd);
@@ -3650,8 +3633,8 @@
static DWORD
-UpdateWaitHandles(LPHANDLE *handles_ptr, LPDWORD count,
- HANDLE io_event, HANDLE exit_event, list_item_t *threads)
+UpdateWaitHandles(LPHANDLE *handles_ptr, LPDWORD count, HANDLE io_event, HANDLE exit_event,
+ list_item_t *threads)
{
static DWORD size = 10;
static LPHANDLE handles = NULL;
@@ -3762,7 +3745,8 @@
PHANDLE handles = NULL;
DWORD handle_count;
- service = RegisterServiceCtrlHandlerEx(interactive_service.name, ServiceCtrlInteractive, &status);
+ service =
+ RegisterServiceCtrlHandlerEx(interactive_service.name, ServiceCtrlInteractive, &status);
if (!service)
{
return;
@@ -3817,8 +3801,7 @@
while (TRUE)
{
- if (ConnectNamedPipe(pipe, &overlapped) == FALSE
- && GetLastError() != ERROR_PIPE_CONNECTED
+ if (ConnectNamedPipe(pipe, &overlapped) == FALSE && GetLastError() != ERROR_PIPE_CONNECTED
&& GetLastError() != ERROR_IO_PENDING)
{
MsgToEventLog(M_SYSERR, L"Could not connect pipe");
@@ -3836,11 +3819,13 @@
error = AddListItem(&threads, thread);
if (!error)
{
- error = UpdateWaitHandles(&handles, &handle_count, io_event, exit_event, threads);
+ error =
+ UpdateWaitHandles(&handles, &handle_count, io_event, exit_event, threads);
}
if (error)
{
- ReturnError(pipe, error, L"Insufficient resources to service new clients", 1, &exit_event);
+ ReturnError(pipe, error, L"Insufficient resources to service new clients", 1,
+ &exit_event);
/* Update wait handles again after removing the last worker thread */
RemoveListItem(&threads, CmpHandle, thread);
UpdateWaitHandles(&handles, &handle_count, io_event, exit_event, threads);
@@ -33,8 +33,7 @@
status->dwControlsAccepted = SERVICE_ACCEPT_STOP;
}
- if (status->dwCurrentState == SERVICE_RUNNING
- || status->dwCurrentState == SERVICE_STOPPED)
+ if (status->dwCurrentState == SERVICE_RUNNING || status->dwCurrentState == SERVICE_STOPPED)
{
status->dwCheckPoint = 0;
}
@@ -79,16 +78,10 @@
for (i = 0; i < _service_max; i++)
{
- service = CreateService(svc_ctl_mgr,
- openvpn_service[i].name,
- openvpn_service[i].display_name,
- SERVICE_QUERY_STATUS,
- SERVICE_WIN32_SHARE_PROCESS,
- openvpn_service[i].start_type,
- SERVICE_ERROR_NORMAL,
- path, NULL, NULL,
- openvpn_service[i].dependencies,
- NULL, NULL);
+ service = CreateService(
+ svc_ctl_mgr, openvpn_service[i].name, openvpn_service[i].display_name,
+ SERVICE_QUERY_STATUS, SERVICE_WIN32_SHARE_PROCESS, openvpn_service[i].start_type,
+ SERVICE_ERROR_NORMAL, path, NULL, NULL, openvpn_service[i].dependencies, NULL, NULL);
if (service)
{
wprintf(L"%ls installed.\n", openvpn_service[i].display_name);
@@ -163,8 +156,8 @@
for (i = 0; i < _service_max; i++)
{
openvpn_service_t *ovpn_svc = &openvpn_service[i];
- service = OpenService(svc_ctl_mgr, ovpn_svc->name,
- DELETE | SERVICE_STOP | SERVICE_QUERY_STATUS);
+ service =
+ OpenService(svc_ctl_mgr, ovpn_svc->name, DELETE | SERVICE_STOP | SERVICE_QUERY_STATUS);
if (service == NULL)
{
wprintf(L"OpenService failed - %ls\n", GetLastErrorText());
@@ -228,15 +221,12 @@
* This is the default.
*/
const SERVICE_TABLE_ENTRY dispatchTable_shared[] = {
- { interactive_service.name, ServiceStartInteractive },
- { NULL, NULL }
+ { interactive_service.name, ServiceStartInteractive }, { NULL, NULL }
};
/* Interactive service only (as a SERVICE_WIN32_OWN_PROCESS) */
- const SERVICE_TABLE_ENTRY dispatchTable_interactive[] = {
- { L"", ServiceStartInteractiveOwn },
- { NULL, NULL }
- };
+ const SERVICE_TABLE_ENTRY dispatchTable_interactive[] = { { L"", ServiceStartInteractiveOwn },
+ { NULL, NULL } };
const SERVICE_TABLE_ENTRY *dispatchTable = dispatchTable_shared;
@@ -260,7 +250,7 @@
}
else if (argc > i + 2 && _wcsicmp(L"instance", argv[i] + 1) == 0)
{
- if (_wcsicmp(L"interactive", argv[i+1]) == 0)
+ if (_wcsicmp(L"interactive", argv[i + 1]) == 0)
{
dispatchTable = dispatchTable_interactive;
service_instance = argv[i + 2];
@@ -268,22 +258,28 @@
}
else
{
- MsgToEventLog(M_ERR, L"Invalid argument to -instance <%s>. Service not started.", argv[i+1]);
+ MsgToEventLog(M_ERR,
+ L"Invalid argument to -instance <%s>. Service not started.",
+ argv[i + 1]);
return 1;
}
}
else
{
wprintf(L"%ls -install to install the interactive service\n", APPNAME);
- wprintf(L"%ls -start [name] to start the service (name = \"interactive\") is optional\n", APPNAME);
+ wprintf(
+ L"%ls -start [name] to start the service (name = \"interactive\") is optional\n",
+ APPNAME);
wprintf(L"%ls -remove to remove the service\n", APPNAME);
wprintf(L"\nService run-time parameters:\n");
wprintf(L"-instance interactive <id>\n"
L" Runs the service as an alternate instance.\n"
L" The service settings will be loaded from\n"
- L" HKLM\\Software\\" _L(PACKAGE_NAME) L"<id> registry key, and the service will accept\n"
- L" requests on \\\\.\\pipe\\" _L(PACKAGE) L"<id>\\service named pipe.\n");
+ L" HKLM\\Software\\" _L(
+ PACKAGE_NAME) L"<id> registry key, and the service will accept\n"
+ L" requests on \\\\.\\pipe\\" _L(
+ PACKAGE) L"<id>\\service named pipe.\n");
return 0;
}
@@ -33,24 +33,26 @@
#include <wchar.h>
#include "../tapctl/basic.h"
-#define APPNAME _L(PACKAGE) L"serv"
-#define SERVICE_DEPENDENCIES _L(TAP_WIN_COMPONENT_ID) L"\0Dhcp\0\0"
+#define APPNAME _L(PACKAGE) L"serv"
+#define SERVICE_DEPENDENCIES _L(TAP_WIN_COMPONENT_ID) L"\0Dhcp\0\0"
/*
* Message handling
*/
-#define MSG_FLAGS_ERROR (1<<0)
-#define MSG_FLAGS_SYS_CODE (1<<1)
-#define M_INFO (0) /* informational */
-#define M_SYSERR (MSG_FLAGS_ERROR|MSG_FLAGS_SYS_CODE) /* error + system code */
-#define M_ERR (MSG_FLAGS_ERROR) /* error */
+#define MSG_FLAGS_ERROR (1 << 0)
+#define MSG_FLAGS_SYS_CODE (1 << 1)
+#define M_INFO (0) /* informational */
+#define M_SYSERR (MSG_FLAGS_ERROR | MSG_FLAGS_SYS_CODE) /* error + system code */
+#define M_ERR (MSG_FLAGS_ERROR) /* error */
-typedef enum {
+typedef enum
+{
interactive,
_service_max
} openvpn_service_type;
-typedef struct {
+typedef struct
+{
openvpn_service_type type;
WCHAR *name;
WCHAR *display_name;
@@ -59,7 +61,8 @@
} openvpn_service_t;
#define MAX_NAME 256
-typedef struct {
+typedef struct
+{
WCHAR exe_path[MAX_PATH];
WCHAR config_dir[MAX_PATH];
WCHAR bin_dir[MAX_PATH];
@@ -26,8 +26,7 @@
#include <shlwapi.h>
#include <lm.h>
-static const WCHAR *white_list[] =
-{
+static const WCHAR *white_list[] = {
L"auth-retry",
L"config",
L"log",
@@ -46,7 +45,7 @@
L"pull-filter",
L"script-security",
- NULL /* last value */
+ NULL /* last value */
};
static BOOL IsUserInGroup(PSID sid, const PTOKEN_GROUPS groups, const WCHAR *group_name);
@@ -65,7 +64,7 @@
const WCHAR *config_dir = NULL;
/* convert fname to full path */
- if (PathIsRelativeW(fname) )
+ if (PathIsRelativeW(fname))
{
swprintf(tmp, _countof(tmp), L"%ls\\%ls", workdir, fname);
config_file = tmp;
@@ -128,7 +127,7 @@
return FALSE;
}
- b = CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size);
+ b = CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size);
if (b)
{
b = LookupAccountSidW(NULL, admin_sid, name, &nlen, domain, &dlen, &snu);
@@ -140,7 +139,8 @@
}
BOOL
-IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group, const WCHAR *ovpn_service_user)
+IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group,
+ const WCHAR *ovpn_service_user)
{
const WCHAR *admin_group[2];
WCHAR username[MAX_NAME];
@@ -171,7 +171,8 @@
}
else
{
- MsgToEventLog(M_SYSERR, L"Failed to get the name of Administrators group. Using the default.");
+ MsgToEventLog(M_SYSERR,
+ L"Failed to get the name of Administrators group. Using the default.");
/* use the default value */
admin_group[0] = SYSTEM_ADMIN_GROUP;
}
@@ -183,7 +184,8 @@
ret = IsUserInGroup(sid, token_groups, admin_group[i]);
if (ret)
{
- MsgToEventLog(M_INFO, L"Authorizing user '%ls@%ls' by virtue of membership in group '%ls'",
+ MsgToEventLog(M_INFO,
+ L"Authorizing user '%ls@%ls' by virtue of membership in group '%ls'",
username, domain, admin_group[i]);
goto out;
}
@@ -265,11 +267,11 @@
int nloop = 0; /* a counter used to not get stuck in the do .. while() */
/* first check in the token groups */
- if (token_groups && LookupSID(group_name, (PSID) grp_sid, _countof(grp_sid)))
+ if (token_groups && LookupSID(group_name, (PSID)grp_sid, _countof(grp_sid)))
{
for (DWORD i = 0; i < token_groups->GroupCount; ++i)
{
- if (EqualSid((PSID) grp_sid, token_groups->Groups[i].Sid))
+ if (EqualSid((PSID)grp_sid, token_groups->Groups[i].Sid))
{
return TRUE;
}
@@ -285,8 +287,8 @@
{
DWORD nread, nmax;
LOCALGROUP_MEMBERS_INFO_0 *members = NULL;
- err = NetLocalGroupGetMembers(NULL, group_name, 0, (LPBYTE *) &members,
- MAX_PREFERRED_LENGTH, &nread, &nmax, &resume);
+ err = NetLocalGroupGetMembers(NULL, group_name, 0, (LPBYTE *)&members, MAX_PREFERRED_LENGTH,
+ &nread, &nmax, &resume);
if ((err != NERR_Success && err != ERROR_MORE_DATA))
{
break;
@@ -319,16 +321,13 @@
{
/* Do not modify argv or *argv -- ideally it should be const WCHAR *const *, but alas...*/
- if (wcscmp(argv[0], L"--config") == 0
- && argc > 1
- && !CheckConfigPath(workdir, argv[1], s)
- )
+ if (wcscmp(argv[0], L"--config") == 0 && argc > 1 && !CheckConfigPath(workdir, argv[1], s))
{
return FALSE;
}
/* option name starts at 2 characters from argv[i] */
- if (OptionLookup(argv[0] + 2, white_list) == -1) /* not found */
+ if (OptionLookup(argv[0] + 2, white_list) == -1) /* not found */
{
return FALSE;
}
@@ -28,19 +28,20 @@
/* Authorized groups who can use any options and config locations */
#define SYSTEM_ADMIN_GROUP L"Administrators"
-#define OVPN_ADMIN_GROUP L"OpenVPN Administrators" /* may be set in HKLM\Software\OpenVPN\ovpn_admin_group */
-#define OVPN_SERVICE_USER L"OpenVPNService" /* may be set in HKLM\Software\OpenVPN\ovpn_service_user */
+#define OVPN_ADMIN_GROUP \
+ L"OpenVPN Administrators" /* may be set in HKLM\Software\OpenVPN\ovpn_admin_group */
+#define OVPN_SERVICE_USER \
+ L"OpenVPNService" /* may be set in HKLM\Software\OpenVPN\ovpn_service_user */
/*
* Check whether user is a member of Administrators group or
* the group specified in ovpn_admin_group or
* OpenVPN Virtual Service Account user
*/
-BOOL
-IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group, const WCHAR *ovpn_service_user);
+BOOL IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group,
+ const WCHAR *ovpn_service_user);
-BOOL
-CheckOption(const WCHAR *workdir, int narg, WCHAR *argv[], const settings_t *s);
+BOOL CheckOption(const WCHAR *workdir, int narg, WCHAR *argv[], const settings_t *s);
static inline BOOL
IsOption(const WCHAR *o)
@@ -99,12 +99,14 @@
#define N_NAME_VALUE 16
-struct name_value {
+struct name_value
+{
const char *name;
const char *value;
};
-struct name_value_list {
+struct name_value_list
+{
int len;
struct name_value data[N_NAME_VALUE];
};
@@ -113,7 +115,8 @@
* Used to pass the username/password
* to the PAM conversation function.
*/
-struct user_pass {
+struct user_pass
+{
int verb;
char username[128];
@@ -126,7 +129,8 @@
};
/* Background process function */
-static void pam_server(int fd, const char *service, int verb, const struct name_value_list *name_value_list);
+static void pam_server(int fd, const char *service, int verb,
+ const struct name_value_list *name_value_list);
/*
@@ -152,11 +156,11 @@
static int
send_control(int fd, int code)
{
- unsigned char c = (unsigned char) code;
+ unsigned char c = (unsigned char)code;
const ssize_t size = write(fd, &c, sizeof(c));
if (size == sizeof(c))
{
- return (int) size;
+ return (int)size;
}
else
{
@@ -171,7 +175,7 @@
{
memset(buffer, 0, len);
ssize_t size = read(fd, buffer, len);
- buffer[len-1] = 0;
+ buffer[len - 1] = 0;
if (size >= 1)
{
return size;
@@ -220,7 +224,7 @@
#endif
if (daemon(0, 0) < 0)
{
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "daemonization failed");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "daemonization failed");
}
#if defined(__APPLE__) && defined(__clang__)
#pragma clang diagnostic pop
@@ -321,11 +325,11 @@
}
*resp++ = '\0';
- int n = plugin_base64_decode(pass, up->password, sizeof(up->password)-1);
+ int n = plugin_base64_decode(pass, up->password, sizeof(up->password) - 1);
if (n >= 0)
{
up->password[n] = '\0';
- n = plugin_base64_decode(resp, up->response, sizeof(up->response)-1);
+ n = plugin_base64_decode(resp, up->response, sizeof(up->response) - 1);
if (n >= 0)
{
up->response[n] = '\0';
@@ -353,8 +357,7 @@
}
OPENVPN_EXPORT int
-openvpn_plugin_open_v3(const int v3structver,
- struct openvpn_plugin_args_open_in const *args,
+openvpn_plugin_open_v3(const int v3structver, struct openvpn_plugin_args_open_in const *args,
struct openvpn_plugin_args_open_return *ret)
{
pid_t pid;
@@ -371,14 +374,15 @@
/* Check API compatibility -- struct version 5 or higher needed */
if (v3structver < 5)
{
- fprintf(stderr, "AUTH-PAM: This plugin is incompatible with the running version of OpenVPN\n");
+ fprintf(stderr,
+ "AUTH-PAM: This plugin is incompatible with the running version of OpenVPN\n");
return OPENVPN_PLUGIN_FUNC_ERROR;
}
/*
* Allocate our context
*/
- context = (struct auth_pam_context *) calloc(1, sizeof(struct auth_pam_context));
+ context = (struct auth_pam_context *)calloc(1, sizeof(struct auth_pam_context));
if (!context)
{
goto error;
@@ -426,7 +430,7 @@
{
const int base = base_parms + i * 2;
name_value_list.data[i].name = argv[base];
- name_value_list.data[i].value = argv[base+1];
+ name_value_list.data[i].value = argv[base + 1];
}
}
@@ -447,7 +451,7 @@
*/
if (socketpair(PF_UNIX, SOCK_DGRAM, 0, fd) == -1)
{
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "socketpair call failed");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "socketpair call failed");
goto error;
}
@@ -473,7 +477,8 @@
/* don't let future subprocesses inherit child socket */
if (fcntl(fd[0], F_SETFD, FD_CLOEXEC) < 0)
{
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "Set FD_CLOEXEC flag on socket file descriptor failed");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE,
+ "Set FD_CLOEXEC flag on socket file descriptor failed");
}
/* wait for background child process to initialize */
@@ -481,8 +486,8 @@
if (status == RESPONSE_INIT_SUCCEEDED)
{
context->foreground_fd = fd[0];
- ret->handle = (openvpn_plugin_handle_t *) context;
- plugin_log( PLOG_NOTE, MODULE, "initialization succeeded (fg)" );
+ ret->handle = (openvpn_plugin_handle_t *)context;
+ plugin_log(PLOG_NOTE, MODULE, "initialization succeeded (fg)");
return OPENVPN_PLUGIN_FUNC_SUCCESS;
}
}
@@ -518,9 +523,10 @@
}
OPENVPN_EXPORT int
-openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
+openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[],
+ const char *envp[])
{
- struct auth_pam_context *context = (struct auth_pam_context *) handle;
+ struct auth_pam_context *context = (struct auth_pam_context *)handle;
if (type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY && context->foreground_fd >= 0)
{
@@ -549,8 +555,7 @@
{
if (DEBUG(context->verb))
{
- plugin_log(PLOG_NOTE, MODULE, "do deferred auth '%s'",
- auth_control_file);
+ plugin_log(PLOG_NOTE, MODULE, "do deferred auth '%s'", auth_control_file);
}
}
else
@@ -567,7 +572,8 @@
|| send_string(context->foreground_fd, auth_control_file) == -1
|| send_string(context->foreground_fd, remote) == -1)
{
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "Error sending auth info to background process");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE,
+ "Error sending auth info to background process");
}
else
{
@@ -586,7 +592,8 @@
}
if (status == -1)
{
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "Error receiving auth confirmation from background process");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE,
+ "Error receiving auth confirmation from background process");
}
}
}
@@ -597,7 +604,7 @@
OPENVPN_EXPORT void
openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)
{
- struct auth_pam_context *context = (struct auth_pam_context *) handle;
+ struct auth_pam_context *context = (struct auth_pam_context *)handle;
if (DEBUG(context->verb))
{
@@ -609,7 +616,7 @@
/* tell background process to exit */
if (send_control(context->foreground_fd, COMMAND_EXIT) == -1)
{
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "Error signaling background process to exit");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "Error signaling background process to exit");
}
/* wait for background process to exit */
@@ -628,7 +635,7 @@
OPENVPN_EXPORT void
openvpn_plugin_abort_v1(openvpn_plugin_handle_t handle)
{
- struct auth_pam_context *context = (struct auth_pam_context *) handle;
+ struct auth_pam_context *context = (struct auth_pam_context *)handle;
/* tell background process to exit */
if (context && context->foreground_fd >= 0)
@@ -643,10 +650,10 @@
* PAM conversation function
*/
static int
-my_conv(int num_msg, const struct pam_message **msg_array,
- struct pam_response **response_array, void *appdata_ptr)
+my_conv(int num_msg, const struct pam_message **msg_array, struct pam_response **response_array,
+ void *appdata_ptr)
{
- const struct user_pass *up = ( const struct user_pass *) appdata_ptr;
+ const struct user_pass *up = (const struct user_pass *)appdata_ptr;
struct pam_response *aresp;
int ret = PAM_SUCCESS;
@@ -670,10 +677,8 @@
if (DEBUG(up->verb))
{
- plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: my_conv[%d] query='%s' style=%d",
- i,
- msg->msg ? msg->msg : "NULL",
- msg->msg_style);
+ plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: my_conv[%d] query='%s' style=%d", i,
+ msg->msg ? msg->msg : "NULL", msg->msg_style);
}
if (up->name_value_list && up->name_value_list->len > 0)
@@ -695,10 +700,10 @@
if (DEBUG(up->verb))
{
- plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: name match found, query/match-string ['%s', '%s'] = '%s'",
- msg->msg,
- match_name,
- match_value);
+ plugin_log(
+ PLOG_NOTE, MODULE,
+ "BACKGROUND: name match found, query/match-string ['%s', '%s'] = '%s'",
+ msg->msg, match_name, match_value);
}
if (strstr(match_value, "USERNAME"))
@@ -711,7 +716,8 @@
}
else if (strstr(match_value, "COMMONNAME"))
{
- aresp[i].resp = searchandreplace(match_value, "COMMONNAME", up->common_name);
+ aresp[i].resp =
+ searchandreplace(match_value, "COMMONNAME", up->common_name);
}
else if (strstr(match_value, "OTP"))
{
@@ -822,8 +828,7 @@
if (!ret)
{
plugin_log(PLOG_ERR, MODULE, "BACKGROUND: user '%s' failed to authenticate: %s",
- up->username,
- pam_strerror(pamh, status));
+ up->username, pam_strerror(pamh, status));
}
/* Close PAM */
@@ -844,12 +849,12 @@
*/
static void
-do_deferred_pam_auth(int fd, const char *ac_file_name,
- const char *service, const struct user_pass *up)
+do_deferred_pam_auth(int fd, const char *ac_file_name, const char *service,
+ const struct user_pass *up)
{
if (send_control(fd, RESPONSE_DEFER) == -1)
{
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: write error on response socket [4]");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "BACKGROUND: write error on response socket [4]");
return;
}
@@ -858,52 +863,50 @@
if (p1 < 0)
{
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: fork(1) failed");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "BACKGROUND: fork(1) failed");
return;
}
- if (p1 != 0) /* parent */
+ if (p1 != 0) /* parent */
{
waitpid(p1, NULL, 0);
- return; /* parent's job succeeded */
+ return; /* parent's job succeeded */
}
/* child */
- close(fd); /* socketpair no longer needed */
+ close(fd); /* socketpair no longer needed */
pid_t p2 = fork();
if (p2 < 0)
{
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: fork(2) failed");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "BACKGROUND: fork(2) failed");
exit(1);
}
- if (p2 != 0) /* new parent: exit right away */
+ if (p2 != 0) /* new parent: exit right away */
{
exit(0);
}
/* grandchild */
- plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: deferred auth for '%s', pid=%d",
- up->username, (int) getpid() );
+ plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: deferred auth for '%s', pid=%d", up->username,
+ (int)getpid());
/* the rest is very simple: do PAM, write status byte to file, done */
- int ac_fd = open( ac_file_name, O_WRONLY );
+ int ac_fd = open(ac_file_name, O_WRONLY);
if (ac_fd < 0)
{
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "cannot open '%s' for writing",
- ac_file_name );
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "cannot open '%s' for writing", ac_file_name);
exit(1);
}
int pam_success = pam_auth(service, up);
- if (write( ac_fd, pam_success ? "1" : "0", 1 ) != 1)
+ if (write(ac_fd, pam_success ? "1" : "0", 1) != 1)
{
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "cannot write to '%s'",
- ac_file_name );
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "cannot write to '%s'", ac_file_name);
}
close(ac_fd);
- plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: %s: deferred auth: PAM %s",
- up->username, pam_success ? "succeeded" : "rejected" );
+ plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: %s: deferred auth: PAM %s", up->username,
+ pam_success ? "succeeded" : "rejected");
exit(0);
}
@@ -934,7 +937,8 @@
*/
if (!dlopen_pam(pam_so))
{
- plugin_log(PLOG_ERR, MODULE, "BACKGROUND: could not load PAM lib %s: %s", pam_so, dlerror());
+ plugin_log(PLOG_ERR, MODULE, "BACKGROUND: could not load PAM lib %s: %s", pam_so,
+ dlerror());
send_control(fd, RESPONSE_INIT_FAILED);
goto done;
}
@@ -945,7 +949,7 @@
*/
if (send_control(fd, RESPONSE_INIT_SUCCEEDED) == -1)
{
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: write error on response socket [1]");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "BACKGROUND: write error on response socket [1]");
goto done;
}
@@ -977,7 +981,8 @@
|| recv_string(fd, ac_file_name, sizeof(ac_file_name)) == -1
|| recv_string(fd, up.remote, sizeof(up.remote)) == -1)
{
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: read error on command channel: code=%d, exiting",
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE,
+ "BACKGROUND: read error on command channel: code=%d, exiting",
command);
goto done;
}
@@ -1012,7 +1017,8 @@
{
if (send_control(fd, RESPONSE_VERIFY_SUCCEEDED) == -1)
{
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: write error on response socket [2]");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE,
+ "BACKGROUND: write error on response socket [2]");
goto done;
}
}
@@ -1020,7 +1026,8 @@
{
if (send_control(fd, RESPONSE_VERIFY_FAILED) == -1)
{
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: write error on response socket [3]");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE,
+ "BACKGROUND: write error on response socket [3]");
goto done;
}
}
@@ -1031,7 +1038,8 @@
goto done;
case -1:
- plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: read error on command channel");
+ plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE,
+ "BACKGROUND: read error on command channel");
goto done;
default:
@@ -19,14 +19,20 @@
static void *libpam_h = NULL;
-#define RESOLVE_PAM_FUNCTION(x, y, z, err) \
- { \
- union { const void *tpointer; y(*fn) z; } fptr; \
- fptr.tpointer = dlsym(libpam_h, #x); real_ ## x = fptr.fn; \
- if (real_ ## x == NULL) { \
+#define RESOLVE_PAM_FUNCTION(x, y, z, err) \
+ { \
+ union \
+ { \
+ const void *tpointer; \
+ y(*fn) z; \
+ } fptr; \
+ fptr.tpointer = dlsym(libpam_h, #x); \
+ real_##x = fptr.fn; \
+ if (real_##x == NULL) \
+ { \
fprintf(stderr, "PAMDL: unable to resolve '%s': %s\n", #x, dlerror()); \
- return err; \
- } \
+ return err; \
+ } \
}
int
@@ -34,7 +40,7 @@
{
if (libpam_h == NULL)
{
- libpam_h = dlopen(so, RTLD_GLOBAL|RTLD_NOW);
+ libpam_h = dlopen(so, RTLD_GLOBAL | RTLD_NOW);
}
return libpam_h != NULL;
}
@@ -50,16 +56,13 @@
}
int
-pam_start(const char *service_name, const char *user,
- const struct pam_conv *pam_conversation,
+pam_start(const char *service_name, const char *user, const struct pam_conv *pam_conversation,
pam_handle_t **pamh)
{
- int (*real_pam_start)(const char *, const char *,
- const struct pam_conv *,
- pam_handle_t **);
- RESOLVE_PAM_FUNCTION(pam_start, int, (const char *, const char *,
- const struct pam_conv *,
- pam_handle_t **), PAM_ABORT);
+ int (*real_pam_start)(const char *, const char *, const struct pam_conv *, pam_handle_t **);
+ RESOLVE_PAM_FUNCTION(pam_start, int,
+ (const char *, const char *, const struct pam_conv *, pam_handle_t **),
+ PAM_ABORT);
return real_pam_start(service_name, user, pam_conversation, pamh);
}
@@ -75,8 +78,7 @@
pam_set_item(pam_handle_t *pamh, int item_type, const void *item)
{
int (*real_pam_set_item)(pam_handle_t *, int, const void *);
- RESOLVE_PAM_FUNCTION(pam_set_item, int,
- (pam_handle_t *, int, const void *), PAM_ABORT);
+ RESOLVE_PAM_FUNCTION(pam_set_item, int, (pam_handle_t *, int, const void *), PAM_ABORT);
return real_pam_set_item(pamh, item_type, item);
}
@@ -84,9 +86,7 @@
pam_get_item(const pam_handle_t *pamh, int item_type, const void **item)
{
int (*real_pam_get_item)(const pam_handle_t *, int, const void **);
- RESOLVE_PAM_FUNCTION(pam_get_item, int,
- (const pam_handle_t *, int, const void **),
- PAM_ABORT);
+ RESOLVE_PAM_FUNCTION(pam_get_item, int, (const pam_handle_t *, int, const void **), PAM_ABORT);
return real_pam_get_item(pamh, item_type, item);
}
@@ -94,8 +94,7 @@
pam_fail_delay(pam_handle_t *pamh, unsigned int musec_delay)
{
int (*real_pam_fail_delay)(pam_handle_t *, unsigned int);
- RESOLVE_PAM_FUNCTION(pam_fail_delay, int, (pam_handle_t *, unsigned int),
- PAM_ABORT);
+ RESOLVE_PAM_FUNCTION(pam_fail_delay, int, (pam_handle_t *, unsigned int), PAM_ABORT);
return real_pam_fail_delay(pamh, musec_delay);
}
@@ -105,8 +104,7 @@
pam_strerror(pam_handle_t *pamh, int errnum)
{
const_char_pointer (*real_pam_strerror)(pam_handle_t *, int);
- RESOLVE_PAM_FUNCTION(pam_strerror, const_char_pointer,
- (pam_handle_t *, int), NULL);
+ RESOLVE_PAM_FUNCTION(pam_strerror, const_char_pointer, (pam_handle_t *, int), NULL);
return real_pam_strerror(pamh, errnum);
}
@@ -114,8 +112,7 @@
pam_putenv(pam_handle_t *pamh, const char *name_value)
{
int (*real_pam_putenv)(pam_handle_t *, const char *);
- RESOLVE_PAM_FUNCTION(pam_putenv, int, (pam_handle_t *, const char *),
- PAM_ABORT);
+ RESOLVE_PAM_FUNCTION(pam_putenv, int, (pam_handle_t *, const char *), PAM_ABORT);
return real_pam_putenv(pamh, name_value);
}
@@ -123,8 +120,7 @@
pam_getenv(pam_handle_t *pamh, const char *name)
{
const_char_pointer (*real_pam_getenv)(pam_handle_t *, const char *);
- RESOLVE_PAM_FUNCTION(pam_getenv, const_char_pointer,
- (pam_handle_t *, const char *), NULL);
+ RESOLVE_PAM_FUNCTION(pam_getenv, const_char_pointer, (pam_handle_t *, const char *), NULL);
return real_pam_getenv(pamh, name);
}
@@ -133,8 +129,7 @@
pam_getenvlist(pam_handle_t *pamh)
{
char_ppointer (*real_pam_getenvlist)(pam_handle_t *);
- RESOLVE_PAM_FUNCTION(pam_getenvlist, char_ppointer, (pam_handle_t *),
- NULL);
+ RESOLVE_PAM_FUNCTION(pam_getenvlist, char_ppointer, (pam_handle_t *), NULL);
return real_pam_getenvlist(pamh);
}
@@ -144,8 +139,7 @@
pam_authenticate(pam_handle_t *pamh, int flags)
{
int (*real_pam_authenticate)(pam_handle_t *, int);
- RESOLVE_PAM_FUNCTION(pam_authenticate, int, (pam_handle_t *, int),
- PAM_ABORT);
+ RESOLVE_PAM_FUNCTION(pam_authenticate, int, (pam_handle_t *, int), PAM_ABORT);
return real_pam_authenticate(pamh, flags);
}
@@ -173,8 +167,7 @@
pam_open_session(pam_handle_t *pamh, int flags)
{
int (*real_pam_open_session)(pam_handle_t *, int);
- RESOLVE_PAM_FUNCTION(pam_open_session, int, (pam_handle_t *, int),
- PAM_ABORT);
+ RESOLVE_PAM_FUNCTION(pam_open_session, int, (pam_handle_t *, int), PAM_ABORT);
return real_pam_open_session(pamh, flags);
}
@@ -182,8 +175,7 @@
pam_close_session(pam_handle_t *pamh, int flags)
{
int (*real_pam_close_session)(pam_handle_t *, int);
- RESOLVE_PAM_FUNCTION(pam_close_session, int, (pam_handle_t *, int),
- PAM_ABORT);
+ RESOLVE_PAM_FUNCTION(pam_close_session, int, (pam_handle_t *, int), PAM_ABORT);
return real_pam_close_session(pamh, flags);
}
@@ -55,7 +55,8 @@
return NULL;
}
- bool is_potential_integer_overflow = (templen == SIZE_MAX) || (templen / tosearchlen != replacewithlen);
+ bool is_potential_integer_overflow =
+ (templen == SIZE_MAX) || (templen / tosearchlen != replacewithlen);
if (is_potential_integer_overflow)
{
@@ -67,7 +68,7 @@
const char *searching = tosearch;
char *scratch;
- char temp[templen+1];
+ char temp[templen + 1];
temp[0] = 0;
scratch = strstr(searching, searchfor);
@@ -78,10 +79,10 @@
while (scratch)
{
- strncat(temp, searching, (size_t)(scratch-searching));
+ strncat(temp, searching, (size_t)(scratch - searching));
strcat(temp, replacewith);
- searching = scratch+strlen(searchfor);
+ searching = scratch + strlen(searchfor);
scratch = strstr(searching, searchfor);
}
return strdup(temp);
@@ -34,11 +34,10 @@
* @param searchfor needle to search for in the haystack
* @param replacewith when a match is found, replace needle with this string
*
- * @return Returns NULL when any parameter is NULL or the worst-case result is to large ( >= SIZE_MAX).
- * Otherwise it returns a pointer to a new buffer containing the modified input
+ * @return Returns NULL when any parameter is NULL or the worst-case result is to large ( >=
+ * SIZE_MAX). Otherwise it returns a pointer to a new buffer containing the modified input
*/
-char *
-searchandreplace(const char *tosearch, const char *searchfor, const char *replacewith);
+char *searchandreplace(const char *tosearch, const char *searchfor, const char *replacewith);
/**
* Given an environmental variable name, search
@@ -47,10 +46,10 @@
* @param name Environment variable to look up
* @param envp Environment variable table with all key/value pairs
*
- * @return Returns a pointer to the value of the environment variable if found, otherwise NULL is returned.
+ * @return Returns a pointer to the value of the environment variable if found, otherwise NULL is
+ * returned.
*/
-const char *
-get_env(const char *name, const char *envp[]);
+const char *get_env(const char *name, const char *envp[]);
/**
* Return the length of a string array
@@ -58,7 +57,6 @@
* @param array Pointer to the array to calculate size of
*
*/
-int
-string_array_len(const char *array[]);
+int string_array_len(const char *array[]);
#endif
@@ -142,7 +142,7 @@
static ssize_t
send_control(int fd, int code)
{
- unsigned char c = (unsigned char) code;
+ unsigned char c = (unsigned char)code;
const ssize_t size = write(fd, &c, sizeof(c));
if (size == sizeof(c))
{
@@ -252,7 +252,7 @@
int ret = 0;
pid = fork();
- if (pid == (pid_t)0) /* child side */
+ if (pid == (pid_t)0) /* child side */
{
execve(argv[0], argv, envp);
/* If execve() fails to run, exit child with exit code 127 */
@@ -263,12 +263,13 @@
warn("DOWN-ROOT: Failed to fork child to run %s", argv[0]);
return -1;
}
- else /* parent side */
+ else /* parent side */
{
if (waitpid(pid, &ret, 0) != pid)
{
/* waitpid does not return error information via errno */
- fprintf(stderr, "DOWN-ROOT: waitpid() failed, don't know exit code of child (%s)\n", argv[0]);
+ fprintf(stderr, "DOWN-ROOT: waitpid() failed, don't know exit code of child (%s)\n",
+ argv[0]);
return -1;
}
}
@@ -283,7 +284,7 @@
/*
* Allocate our context
*/
- context = (struct down_root_context *) calloc(1, sizeof(struct down_root_context));
+ context = (struct down_root_context *)calloc(1, sizeof(struct down_root_context));
if (!context)
{
warn("DOWN-ROOT: Could not allocate memory for plug-in context");
@@ -319,7 +320,7 @@
/* Ignore argv[0], as it contains just the plug-in file name */
for (int i = 1; i < string_array_len(argv); i++)
{
- context->command[i-1] = (char *) argv[i];
+ context->command[i - 1] = (char *)argv[i];
}
/*
@@ -333,7 +334,7 @@
}
}
- return (openvpn_plugin_handle_t) context;
+ return (openvpn_plugin_handle_t)context;
error:
free_context(context);
@@ -341,11 +342,13 @@
}
OPENVPN_EXPORT int
-openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
+openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[],
+ const char *envp[])
{
- struct down_root_context *context = (struct down_root_context *) handle;
+ struct down_root_context *context = (struct down_root_context *)handle;
- if (type == OPENVPN_PLUGIN_UP && context->foreground_fd == -1) /* fork off a process to hold onto root */
+ if (type == OPENVPN_PLUGIN_UP
+ && context->foreground_fd == -1) /* fork off a process to hold onto root */
{
pid_t pid;
int fd[2];
@@ -409,7 +412,7 @@
daemonize(envp);
/* execute the event loop */
- down_root_server(fd[1], context->command, (char *const *) envp, context->verb);
+ down_root_server(fd[1], context->command, (char *const *)envp, context->verb);
close(fd[1]);
exit(0);
@@ -431,7 +434,8 @@
}
if (status == -1)
{
- warn("DOWN-ROOT: Error receiving script execution confirmation from background process");
+ warn(
+ "DOWN-ROOT: Error receiving script execution confirmation from background process");
}
}
}
@@ -441,7 +445,7 @@
OPENVPN_EXPORT void
openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)
{
- struct down_root_context *context = (struct down_root_context *) handle;
+ struct down_root_context *context = (struct down_root_context *)handle;
if (DEBUG(context->verb))
{
@@ -472,7 +476,7 @@
OPENVPN_EXPORT void
openvpn_plugin_abort_v1(openvpn_plugin_handle_t handle)
{
- struct down_root_context *context = (struct down_root_context *) handle;
+ struct down_root_context *context = (struct down_root_context *)handle;
if (context && context->foreground_fd >= 0)
{
@@ -525,7 +529,7 @@
switch (command_code)
{
case COMMAND_RUN_SCRIPT:
- if ( (exit_code = run_script(argv, envp)) == 0) /* Succeeded */
+ if ((exit_code = run_script(argv, envp)) == 0) /* Succeeded */
{
if (send_control(fd, RESPONSE_SCRIPT_SUCCEEDED) == -1)
{
@@ -535,7 +539,8 @@
}
else /* Failed */
{
- fprintf(stderr, "DOWN-ROOT: BACKGROUND: %s exited with exit code %i\n", argv[0], exit_code);
+ fprintf(stderr, "DOWN-ROOT: BACKGROUND: %s exited with exit code %i\n", argv[0],
+ exit_code);
if (send_control(fd, RESPONSE_SCRIPT_FAILED) == -1)
{
warn("DOWN-ROOT: BACKGROUND: write error on response socket [3]");
@@ -26,14 +26,16 @@
#define UNICODE
#endif
-#define PRIXGUID "{%08lX-%04hX-%04hX-%02hhX%02hhX-%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX}"
-#define PRIGUID_PARAM(g) \
- (g).Data1, (g).Data2, (g).Data3, (g).Data4[0], (g).Data4[1], (g).Data4[2], (g).Data4[3], (g).Data4[4], (g).Data4[5], (g).Data4[6], (g).Data4[7]
-#define PRIGUID_PARAM_REF(g) \
- &(g).Data1, &(g).Data2, &(g).Data3, &(g).Data4[0], &(g).Data4[1], &(g).Data4[2], &(g).Data4[3], &(g).Data4[4], &(g).Data4[5], &(g).Data4[6], &(g).Data4[7]
+#define PRIXGUID "{%08lX-%04hX-%04hX-%02hhX%02hhX-%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX}"
+#define PRIGUID_PARAM(g) \
+ (g).Data1, (g).Data2, (g).Data3, (g).Data4[0], (g).Data4[1], (g).Data4[2], (g).Data4[3], \
+ (g).Data4[4], (g).Data4[5], (g).Data4[6], (g).Data4[7]
+#define PRIGUID_PARAM_REF(g) \
+ &(g).Data1, &(g).Data2, &(g).Data3, &(g).Data4[0], &(g).Data4[1], &(g).Data4[2], \
+ &(g).Data4[3], &(g).Data4[4], &(g).Data4[5], &(g).Data4[6], &(g).Data4[7]
-#define __L(q) L ## q
-#define _L(q) __L(q)
+#define __L(q) L##q
+#define _L(q) __L(q)
#ifndef _In_
#define _In_
@@ -34,27 +34,27 @@
/* msg() flags */
-#define M_DEBUG_LEVEL (0x0F) /* debug level mask */
+#define M_DEBUG_LEVEL (0x0F) /* debug level mask */
-#define M_FATAL (1<<4) /* exit program */
-#define M_NONFATAL (1<<5) /* non-fatal error */
-#define M_WARN (1<<6) /* call syslog with LOG_WARNING */
-#define M_DEBUG (1<<7)
+#define M_FATAL (1 << 4) /* exit program */
+#define M_NONFATAL (1 << 5) /* non-fatal error */
+#define M_WARN (1 << 6) /* call syslog with LOG_WARNING */
+#define M_DEBUG (1 << 7)
-#define M_ERRNO (1<<8) /* show errno description */
+#define M_ERRNO (1 << 8) /* show errno description */
-#define M_NOMUTE (1<<11) /* don't do mute processing */
-#define M_NOPREFIX (1<<12) /* don't show date/time prefix */
-#define M_USAGE_SMALL (1<<13) /* fatal options error, call usage_small */
-#define M_MSG_VIRT_OUT (1<<14) /* output message through msg_status_output callback */
-#define M_OPTERR (1<<15) /* print "Options error:" prefix */
-#define M_NOLF (1<<16) /* don't print new line */
-#define M_NOIPREFIX (1<<17) /* don't print instance prefix */
+#define M_NOMUTE (1 << 11) /* don't do mute processing */
+#define M_NOPREFIX (1 << 12) /* don't show date/time prefix */
+#define M_USAGE_SMALL (1 << 13) /* fatal options error, call usage_small */
+#define M_MSG_VIRT_OUT (1 << 14) /* output message through msg_status_output callback */
+#define M_OPTERR (1 << 15) /* print "Options error:" prefix */
+#define M_NOLF (1 << 16) /* don't print new line */
+#define M_NOIPREFIX (1 << 17) /* don't print instance prefix */
/* flag combinations which are frequently used */
-#define M_ERR (M_FATAL | M_ERRNO)
-#define M_USAGE (M_USAGE_SMALL | M_NOPREFIX | M_OPTERR)
-#define M_CLIENT (M_MSG_VIRT_OUT | M_NOMUTE | M_NOIPREFIX)
+#define M_ERR (M_FATAL | M_ERRNO)
+#define M_USAGE (M_USAGE_SMALL | M_NOPREFIX | M_OPTERR)
+#define M_CLIENT (M_MSG_VIRT_OUT | M_NOMUTE | M_NOIPREFIX)
/** Check muting filter */
@@ -62,18 +62,42 @@
/* Macro to ensure (and teach static analysis tools) we exit on fatal errors */
#ifdef _MSC_VER
-#pragma warning(disable: 4127) /* EXIT_FATAL(flags) macro raises "warning C4127: conditional expression is constant" on each non M_FATAL invocation. */
+#pragma warning(disable : 4127) /* EXIT_FATAL(flags) macro raises "warning C4127: conditional \
+ expression is constant" on each non M_FATAL invocation. */
#endif
-#define EXIT_FATAL(flags) do { if ((flags) & M_FATAL) {_exit(1);}} while (false)
+#define EXIT_FATAL(flags) \
+ do \
+ { \
+ if ((flags) & M_FATAL) \
+ { \
+ _exit(1); \
+ } \
+ } while (false)
-#define msg(flags, ...) do { if (msg_test(flags)) {x_msg((flags), __VA_ARGS__);} EXIT_FATAL(flags); } while (false)
+#define msg(flags, ...) \
+ do \
+ { \
+ if (msg_test(flags)) \
+ { \
+ x_msg((flags), __VA_ARGS__); \
+ } \
+ EXIT_FATAL(flags); \
+ } while (false)
#ifdef ENABLE_DEBUG
-#define dmsg(flags, ...) do { if (msg_test(flags)) {x_msg((flags), __VA_ARGS__);} EXIT_FATAL(flags); } while (false)
+#define dmsg(flags, ...) \
+ do \
+ { \
+ if (msg_test(flags)) \
+ { \
+ x_msg((flags), __VA_ARGS__); \
+ } \
+ EXIT_FATAL(flags); \
+ } while (false)
#else
#define dmsg(flags, ...)
#endif
-void x_msg(const unsigned int flags, const char *format, ...); /* should be called via msg above */
+void x_msg(const unsigned int flags, const char *format, ...); /* should be called via msg above */
void x_msg_va(const unsigned int flags, const char *format, va_list arglist);
@@ -120,9 +120,7 @@
static void
usage(void)
{
- fwprintf(stderr,
- usage_message,
- title_string);
+ fwprintf(stderr, usage_message, title_string);
}
/**
@@ -139,8 +137,10 @@
{
LPOLESTR adapter_id = NULL;
StringFromIID((REFIID)&a->guid, &adapter_id);
- fwprintf(stderr, L"Adapter \"%ls\" already exists (GUID %"
- L"ls).\n", a->szName, adapter_id);
+ fwprintf(stderr,
+ L"Adapter \"%ls\" already exists (GUID %"
+ L"ls).\n",
+ a->szName, adapter_id);
CoTaskMemFree(adapter_id);
}
@@ -204,8 +204,7 @@
/**
* Program entry point
*/
-int __cdecl
-wmain(int argc, LPCWSTR argv[])
+int __cdecl wmain(int argc, LPCWSTR argv[])
{
int iResult;
BOOL bRebootRequired = FALSE;
@@ -239,8 +238,10 @@
}
else
{
- fwprintf(stderr, L"Unknown command \"%ls"
- L"\". Please, use \"tapctl help\" to list supported commands.\n", argv[2]);
+ fwprintf(stderr,
+ L"Unknown command \"%ls"
+ L"\". Please, use \"tapctl help\" to list supported commands.\n",
+ argv[2]);
}
return 1;
@@ -263,25 +264,24 @@
}
else
{
- fwprintf(stderr, L"Unknown option \"%ls"
- L"\". Please, use \"tapctl help create\" to list supported options. Ignored.\n",
- argv[i]);
+ fwprintf(
+ stderr,
+ L"Unknown option \"%ls"
+ L"\". Please, use \"tapctl help create\" to list supported options. Ignored.\n",
+ argv[i]);
}
}
/* Create TUN/TAP adapter. */
GUID guidAdapter;
LPOLESTR szAdapterId = NULL;
- DWORD dwResult = tap_create_adapter(
- NULL,
- L"Virtual Ethernet",
- szHwId,
- &bRebootRequired,
- &guidAdapter);
+ DWORD dwResult =
+ tap_create_adapter(NULL, L"Virtual Ethernet", szHwId, &bRebootRequired, &guidAdapter);
if (dwResult != ERROR_SUCCESS)
{
fwprintf(stderr, L"Creating TUN/TAP adapter failed (error 0x%x).\n", dwResult);
- iResult = 1; goto quit;
+ iResult = 1;
+ goto quit;
}
/* Get existing network adapters. */
@@ -294,7 +294,8 @@
goto create_delete_adapter;
}
- LPWSTR adapter_name = szName ? wcsdup(szName) : get_unique_adapter_name(szHwId, pAdapterList);
+ LPWSTR adapter_name =
+ szName ? wcsdup(szName) : get_unique_adapter_name(szHwId, pAdapterList);
if (adapter_name)
{
/* Check for duplicates when name was specified,
@@ -310,11 +311,13 @@
if (dwResult != ERROR_SUCCESS)
{
StringFromIID((REFIID)&guidAdapter, &szAdapterId);
- fwprintf(stderr, L"Renaming TUN/TAP adapter %ls"
+ fwprintf(stderr,
+ L"Renaming TUN/TAP adapter %ls"
L" to \"%ls\" failed (error 0x%x).\n",
szAdapterId, adapter_name, dwResult);
CoTaskMemFree(szAdapterId);
- iResult = 1; goto quit;
+ iResult = 1;
+ goto quit;
}
}
@@ -334,21 +337,19 @@
fwprintf(stdout, L"%ls\n", szAdapterId);
CoTaskMemFree(szAdapterId);
- iResult = 0; goto quit;
+ iResult = 0;
+ goto quit;
create_delete_adapter:
- tap_delete_adapter(
- NULL,
- &guidAdapter,
- &bRebootRequired);
- iResult = 1; goto quit;
+ tap_delete_adapter(NULL, &guidAdapter, &bRebootRequired);
+ iResult = 1;
+ goto quit;
}
else if (wcsicmp(argv[1], L"list") == 0)
{
WCHAR szzHwId[0x100] =
- L"root\\" _L(TAP_WIN_COMPONENT_ID) L"\0"
- _L(TAP_WIN_COMPONENT_ID) L"\0"
- L"ovpn-dco\0";
+ L"root\\" _L(TAP_WIN_COMPONENT_ID) L"\0" _L(TAP_WIN_COMPONENT_ID) L"\0"
+ L"ovpn-dco\0";
/* Parse options. */
for (int i = 2; i < argc; i++)
@@ -357,13 +358,17 @@
{
memset(szzHwId, 0, sizeof(szzHwId));
++i;
- memcpy_s(szzHwId, sizeof(szzHwId) - 2*sizeof(WCHAR) /*requires double zero termination*/, argv[i], wcslen(argv[i])*sizeof(WCHAR));
+ memcpy_s(szzHwId,
+ sizeof(szzHwId) - 2 * sizeof(WCHAR) /*requires double zero termination*/,
+ argv[i], wcslen(argv[i]) * sizeof(WCHAR));
}
else
{
- fwprintf(stderr, L"Unknown option \"%ls"
- L"\". Please, use \"tapctl help list\" to list supported options. Ignored.\n",
- argv[i]);
+ fwprintf(
+ stderr,
+ L"Unknown option \"%ls"
+ L"\". Please, use \"tapctl help list\" to list supported options. Ignored.\n",
+ argv[i]);
}
}
@@ -373,15 +378,18 @@
if (dwResult != ERROR_SUCCESS)
{
fwprintf(stderr, L"Enumerating TUN/TAP adapters failed (error 0x%x).\n", dwResult);
- iResult = 1; goto quit;
+ iResult = 1;
+ goto quit;
}
for (struct tap_adapter_node *pAdapter = pAdapterList; pAdapter; pAdapter = pAdapter->pNext)
{
LPOLESTR szAdapterId = NULL;
StringFromIID((REFIID)&pAdapter->guid, &szAdapterId);
- fwprintf(stdout, L"%ls\t%"
- L"ls\n", szAdapterId, pAdapter->szName);
+ fwprintf(stdout,
+ L"%ls\t%"
+ L"ls\n",
+ szAdapterId, pAdapter->szName);
CoTaskMemFree(szAdapterId);
}
@@ -392,7 +400,9 @@
{
if (argc < 3)
{
- fwprintf(stderr, L"Missing adapter GUID or name. Please, use \"tapctl help delete\" for usage info.\n");
+ fwprintf(
+ stderr,
+ L"Missing adapter GUID or name. Please, use \"tapctl help delete\" for usage info.\n");
return 1;
}
@@ -405,7 +415,8 @@
if (dwResult != ERROR_SUCCESS)
{
fwprintf(stderr, L"Enumerating TUN/TAP adapters failed (error 0x%x).\n", dwResult);
- iResult = 1; goto quit;
+ iResult = 1;
+ goto quit;
}
for (struct tap_adapter_node *pAdapter = pAdapterList;; pAdapter = pAdapter->pNext)
@@ -413,7 +424,8 @@
if (pAdapter == NULL)
{
fwprintf(stderr, L"\"%ls\" adapter not found.\n", argv[2]);
- iResult = 1; goto delete_cleanup_pAdapterList;
+ iResult = 1;
+ goto delete_cleanup_pAdapterList;
}
else if (wcsicmp(argv[2], pAdapter->szName) == 0)
{
@@ -433,23 +445,26 @@
}
/* Delete the network adapter. */
- DWORD dwResult = tap_delete_adapter(
- NULL,
- &guidAdapter,
- &bRebootRequired);
+ DWORD dwResult = tap_delete_adapter(NULL, &guidAdapter, &bRebootRequired);
if (dwResult != ERROR_SUCCESS)
{
- fwprintf(stderr, L"Deleting adapter \"%ls"
- L"\" failed (error 0x%x).\n", argv[2], dwResult);
- iResult = 1; goto quit;
+ fwprintf(stderr,
+ L"Deleting adapter \"%ls"
+ L"\" failed (error 0x%x).\n",
+ argv[2], dwResult);
+ iResult = 1;
+ goto quit;
}
- iResult = 0; goto quit;
+ iResult = 0;
+ goto quit;
}
else
{
- fwprintf(stderr, L"Unknown command \"%ls"
- L"\". Please, use \"tapctl help\" to list supported commands.\n", argv[1]);
+ fwprintf(stderr,
+ L"Unknown command \"%ls"
+ L"\". Please, use \"tapctl help\" to list supported commands.\n",
+ argv[1]);
return 1;
}
@@ -484,16 +499,13 @@
/* Output system error message (if possible). */
DWORD dwResult = GetLastError();
LPWSTR szErrMessage = NULL;
- if (FormatMessage(
- FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS,
- 0,
- dwResult,
- 0,
- (LPWSTR)&szErrMessage,
- 0,
- NULL) && szErrMessage)
+ if (FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER
+ | FORMAT_MESSAGE_IGNORE_INSERTS,
+ 0, dwResult, 0, (LPWSTR)&szErrMessage, 0, NULL)
+ && szErrMessage)
{
- /* Trim trailing whitespace. Set terminator after the last non-whitespace character. This prevents excessive trailing line breaks. */
+ /* Trim trailing whitespace. Set terminator after the last non-whitespace character.
+ * This prevents excessive trailing line breaks. */
for (size_t i = 0, i_last = 0;; i++)
{
if (szErrMessage[i])
@@ -40,10 +40,15 @@
#endif
-const static GUID GUID_DEVCLASS_NET = { 0x4d36e972L, 0xe325, 0x11ce, { 0xbf, 0xc1, 0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18 } };
+const static GUID GUID_DEVCLASS_NET = {
+ 0x4d36e972L, 0xe325, 0x11ce, { 0xbf, 0xc1, 0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18 }
+};
-const static WCHAR szAdapterRegKeyPathTemplate[] = L"SYSTEM\\CurrentControlSet\\Control\\Network\\%ls\\%ls\\Connection";
-#define ADAPTER_REGKEY_PATH_MAX (_countof(L"SYSTEM\\CurrentControlSet\\Control\\Network\\") - 1 + 38 + _countof(L"\\") - 1 + 38 + _countof(L"\\Connection"))
+const static WCHAR szAdapterRegKeyPathTemplate[] =
+ L"SYSTEM\\CurrentControlSet\\Control\\Network\\%ls\\%ls\\Connection";
+#define ADAPTER_REGKEY_PATH_MAX \
+ (_countof(L"SYSTEM\\CurrentControlSet\\Control\\Network\\") - 1 + 38 + _countof(L"\\") - 1 \
+ + 38 + _countof(L"\\Connection"))
/**
* Dynamically load a library and find a function in it
@@ -154,10 +159,8 @@
*
* @return ERROR_SUCCESS on success; Win32 error code otherwise
**/
-typedef DWORD (*devop_func_t)(
- _In_ HDEVINFO hDeviceInfoSet,
- _In_ PSP_DEVINFO_DATA pDeviceInfoData,
- _Inout_ LPBOOL pbRebootRequired);
+typedef DWORD (*devop_func_t)(_In_ HDEVINFO hDeviceInfoSet, _In_ PSP_DEVINFO_DATA pDeviceInfoData,
+ _Inout_ LPBOOL pbRebootRequired);
/**
@@ -177,10 +180,8 @@
* @return ERROR_SUCCESS on success; Win32 error code otherwise
**/
static DWORD
-check_reboot(
- _In_ HDEVINFO hDeviceInfoSet,
- _In_ PSP_DEVINFO_DATA pDeviceInfoData,
- _Inout_ LPBOOL pbRebootRequired)
+check_reboot(_In_ HDEVINFO hDeviceInfoSet, _In_ PSP_DEVINFO_DATA pDeviceInfoData,
+ _Inout_ LPBOOL pbRebootRequired)
{
if (pbRebootRequired == NULL)
{
@@ -188,10 +189,7 @@
}
SP_DEVINSTALL_PARAMS devinstall_params = { .cbSize = sizeof(SP_DEVINSTALL_PARAMS) };
- if (!SetupDiGetDeviceInstallParams(
- hDeviceInfoSet,
- pDeviceInfoData,
- &devinstall_params))
+ if (!SetupDiGetDeviceInstallParams(hDeviceInfoSet, pDeviceInfoData, &devinstall_params))
{
DWORD dwResult = GetLastError();
msg(M_NONFATAL | M_ERRNO, "%s: SetupDiGetDeviceInstallParams failed", __FUNCTION__);
@@ -224,10 +222,8 @@
* @return ERROR_SUCCESS on success; Win32 error code otherwise
**/
static DWORD
-delete_device(
- _In_ HDEVINFO hDeviceInfoSet,
- _In_ PSP_DEVINFO_DATA pDeviceInfoData,
- _Inout_ LPBOOL pbRebootRequired)
+delete_device(_In_ HDEVINFO hDeviceInfoSet, _In_ PSP_DEVINFO_DATA pDeviceInfoData,
+ _Inout_ LPBOOL pbRebootRequired)
{
SP_REMOVEDEVICE_PARAMS params =
{
@@ -241,11 +237,8 @@
};
/* Set class installer parameters for DIF_REMOVE. */
- if (!SetupDiSetClassInstallParams(
- hDeviceInfoSet,
- pDeviceInfoData,
- ¶ms.ClassInstallHeader,
- sizeof(SP_REMOVEDEVICE_PARAMS)))
+ if (!SetupDiSetClassInstallParams(hDeviceInfoSet, pDeviceInfoData, ¶ms.ClassInstallHeader,
+ sizeof(SP_REMOVEDEVICE_PARAMS)))
{
DWORD dwResult = GetLastError();
msg(M_NONFATAL | M_ERRNO, "%s: SetupDiSetClassInstallParams failed", __FUNCTION__);
@@ -253,10 +246,7 @@
}
/* Call appropriate class installer. */
- if (!SetupDiCallClassInstaller(
- DIF_REMOVE,
- hDeviceInfoSet,
- pDeviceInfoData))
+ if (!SetupDiCallClassInstaller(DIF_REMOVE, hDeviceInfoSet, pDeviceInfoData))
{
DWORD dwResult = GetLastError();
msg(M_NONFATAL | M_ERRNO, "%s: SetupDiCallClassInstaller(DIF_REMOVE) failed", __FUNCTION__);
@@ -288,11 +278,8 @@
* @return ERROR_SUCCESS on success; Win32 error code otherwise
**/
static DWORD
-change_device_state(
- _In_ HDEVINFO hDeviceInfoSet,
- _In_ PSP_DEVINFO_DATA pDeviceInfoData,
- _In_ BOOL bEnable,
- _Inout_ LPBOOL pbRebootRequired)
+change_device_state(_In_ HDEVINFO hDeviceInfoSet, _In_ PSP_DEVINFO_DATA pDeviceInfoData,
+ _In_ BOOL bEnable, _Inout_ LPBOOL pbRebootRequired)
{
SP_PROPCHANGE_PARAMS params =
{
@@ -307,11 +294,8 @@
};
/* Set class installer parameters for DIF_PROPERTYCHANGE. */
- if (!SetupDiSetClassInstallParams(
- hDeviceInfoSet,
- pDeviceInfoData,
- ¶ms.ClassInstallHeader,
- sizeof(SP_PROPCHANGE_PARAMS)))
+ if (!SetupDiSetClassInstallParams(hDeviceInfoSet, pDeviceInfoData, ¶ms.ClassInstallHeader,
+ sizeof(SP_PROPCHANGE_PARAMS)))
{
DWORD dwResult = GetLastError();
msg(M_NONFATAL | M_ERRNO, "%s: SetupDiSetClassInstallParams failed", __FUNCTION__);
@@ -319,13 +303,11 @@
}
/* Call appropriate class installer. */
- if (!SetupDiCallClassInstaller(
- DIF_PROPERTYCHANGE,
- hDeviceInfoSet,
- pDeviceInfoData))
+ if (!SetupDiCallClassInstaller(DIF_PROPERTYCHANGE, hDeviceInfoSet, pDeviceInfoData))
{
DWORD dwResult = GetLastError();
- msg(M_NONFATAL | M_ERRNO, "%s: SetupDiCallClassInstaller(DIF_PROPERTYCHANGE) failed", __FUNCTION__);
+ msg(M_NONFATAL | M_ERRNO, "%s: SetupDiCallClassInstaller(DIF_PROPERTYCHANGE) failed",
+ __FUNCTION__);
return dwResult;
}
@@ -352,10 +334,8 @@
* @return ERROR_SUCCESS on success; Win32 error code otherwise
**/
static DWORD
-enable_device(
- _In_ HDEVINFO hDeviceInfoSet,
- _In_ PSP_DEVINFO_DATA pDeviceInfoData,
- _Inout_ LPBOOL pbRebootRequired)
+enable_device(_In_ HDEVINFO hDeviceInfoSet, _In_ PSP_DEVINFO_DATA pDeviceInfoData,
+ _Inout_ LPBOOL pbRebootRequired)
{
return change_device_state(hDeviceInfoSet, pDeviceInfoData, TRUE, pbRebootRequired);
}
@@ -378,10 +358,8 @@
* @return ERROR_SUCCESS on success; Win32 error code otherwise
**/
static DWORD
-disable_device(
- _In_ HDEVINFO hDeviceInfoSet,
- _In_ PSP_DEVINFO_DATA pDeviceInfoData,
- _Inout_ LPBOOL pbRebootRequired)
+disable_device(_In_ HDEVINFO hDeviceInfoSet, _In_ PSP_DEVINFO_DATA pDeviceInfoData,
+ _Inout_ LPBOOL pbRebootRequired)
{
return change_device_state(hDeviceInfoSet, pDeviceInfoData, FALSE, pbRebootRequired);
}
@@ -402,10 +380,7 @@
* @return ERROR_SUCCESS on success; Win32 error code otherwise
*/
static DWORD
-get_reg_string(
- _In_ HKEY hKey,
- _In_ LPCWSTR szName,
- _Out_ LPWSTR *pszValue)
+get_reg_string(_In_ HKEY hKey, _In_ LPCWSTR szName, _Out_ LPWSTR *pszValue)
{
if (pszValue == NULL)
{
@@ -413,17 +388,13 @@
}
DWORD dwValueType = REG_NONE, dwSize = 0;
- DWORD dwResult = RegQueryValueEx(
- hKey,
- szName,
- NULL,
- &dwValueType,
- NULL,
- &dwSize);
+ DWORD dwResult = RegQueryValueEx(hKey, szName, NULL, &dwValueType, NULL, &dwSize);
if (dwResult != ERROR_SUCCESS)
{
- SetLastError(dwResult); /* MSDN does not mention RegQueryValueEx() to set GetLastError(). But we do have an error code. Set last error manually. */
- msg(M_NONFATAL | M_ERRNO, "%s: enumerating \"%ls\" registry value failed", __FUNCTION__, szName);
+ SetLastError(dwResult); /* MSDN does not mention RegQueryValueEx() to set GetLastError().
+ But we do have an error code. Set last error manually. */
+ msg(M_NONFATAL | M_ERRNO, "%s: enumerating \"%ls\" registry value failed", __FUNCTION__,
+ szName);
return dwResult;
}
@@ -440,17 +411,14 @@
return ERROR_OUTOFMEMORY;
}
- dwResult = RegQueryValueEx(
- hKey,
- szName,
- NULL,
- NULL,
- (LPBYTE)szValue,
- &dwSize);
+ dwResult = RegQueryValueEx(hKey, szName, NULL, NULL, (LPBYTE)szValue, &dwSize);
if (dwResult != ERROR_SUCCESS)
{
- SetLastError(dwResult); /* MSDN does not mention RegQueryValueEx() to set GetLastError(). But we do have an error code. Set last error manually. */
- msg(M_NONFATAL | M_ERRNO, "%s: reading \"%ls\" registry value failed", __FUNCTION__, szName);
+ SetLastError(
+ dwResult); /* MSDN does not mention RegQueryValueEx() to set GetLastError(). But
+ we do have an error code. Set last error manually. */
+ msg(M_NONFATAL | M_ERRNO, "%s: reading \"%ls\" registry value failed", __FUNCTION__,
+ szName);
free(szValue);
return dwResult;
}
@@ -459,12 +427,12 @@
{
/* Expand the environment strings. */
DWORD
- dwSizeExp = dwSize * 2,
- dwCountExp =
+ dwSizeExp = dwSize * 2, dwCountExp =
#ifdef UNICODE
- dwSizeExp / sizeof(WCHAR);
+ dwSizeExp / sizeof(WCHAR);
#else
- dwSizeExp / sizeof(WCHAR) - 1; /* Note: ANSI version requires one extra char. */
+ dwSizeExp / sizeof(WCHAR)
+ - 1; /* Note: ANSI version requires one extra char. */
#endif
LPWSTR szValueExp = (LPWSTR)malloc(dwSizeExp);
if (szValueExp == NULL)
@@ -474,13 +442,11 @@
return ERROR_OUTOFMEMORY;
}
- DWORD dwCountExpResult = ExpandEnvironmentStrings(
- szValue,
- szValueExp, dwCountExp
- );
+ DWORD dwCountExpResult = ExpandEnvironmentStrings(szValue, szValueExp, dwCountExp);
if (dwCountExpResult == 0)
{
- msg(M_NONFATAL | M_ERRNO, "%s: expanding \"%ls\" registry value failed", __FUNCTION__, szName);
+ msg(M_NONFATAL | M_ERRNO, "%s: expanding \"%ls\" registry value failed",
+ __FUNCTION__, szName);
free(szValueExp);
free(szValue);
return dwResult;
@@ -511,9 +477,7 @@
return ERROR_OUTOFMEMORY;
}
- dwCountExpResult = ExpandEnvironmentStrings(
- szValue,
- szValueExp, dwCountExp);
+ dwCountExpResult = ExpandEnvironmentStrings(szValue, szValueExp, dwCountExp);
free(szValue);
*pszValue = szValueExp;
return ERROR_SUCCESS;
@@ -527,7 +491,8 @@
}
default:
- msg(M_NONFATAL, "%s: \"%ls\" registry value is not string (type %u)", __FUNCTION__, dwValueType);
+ msg(M_NONFATAL, "%s: \"%ls\" registry value is not string (type %u)", __FUNCTION__,
+ dwValueType);
return ERROR_UNSUPPORTED_TYPE;
}
}
@@ -552,11 +517,8 @@
* @return ERROR_SUCCESS on success; Win32 error code otherwise
**/
static DWORD
-get_net_adapter_guid(
- _In_ HDEVINFO hDeviceInfoSet,
- _In_ PSP_DEVINFO_DATA pDeviceInfoData,
- _In_ int iNumAttempts,
- _Out_ LPGUID pguidAdapter)
+get_net_adapter_guid(_In_ HDEVINFO hDeviceInfoSet, _In_ PSP_DEVINFO_DATA pDeviceInfoData,
+ _In_ int iNumAttempts, _Out_ LPGUID pguidAdapter)
{
DWORD dwResult = ERROR_BAD_ARGUMENTS;
@@ -566,13 +528,8 @@
}
/* Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\<class>\<id> registry key. */
- HKEY hKey = SetupDiOpenDevRegKey(
- hDeviceInfoSet,
- pDeviceInfoData,
- DICS_FLAG_GLOBAL,
- 0,
- DIREG_DRV,
- KEY_READ);
+ HKEY hKey = SetupDiOpenDevRegKey(hDeviceInfoSet, pDeviceInfoData, DICS_FLAG_GLOBAL, 0,
+ DIREG_DRV, KEY_READ);
if (hKey == INVALID_HANDLE_VALUE)
{
dwResult = GetLastError();
@@ -582,7 +539,8 @@
while (iNumAttempts > 0)
{
- /* Query the NetCfgInstanceId value. Using get_reg_string() right on might clutter the output with error messages while the registry is still being populated. */
+ /* Query the NetCfgInstanceId value. Using get_reg_string() right on might clutter the
+ * output with error messages while the registry is still being populated. */
LPWSTR szCfgGuidString = NULL;
dwResult = RegQueryValueEx(hKey, L"NetCfgInstanceId", NULL, NULL, NULL, NULL);
if (dwResult != ERROR_SUCCESS)
@@ -594,22 +552,24 @@
continue;
}
- SetLastError(dwResult); /* MSDN does not mention RegQueryValueEx() to set GetLastError(). But we do have an error code. Set last error manually. */
- msg(M_NONFATAL | M_ERRNO, "%s: querying \"NetCfgInstanceId\" registry value failed", __FUNCTION__);
+ SetLastError(
+ dwResult); /* MSDN does not mention RegQueryValueEx() to set GetLastError(). But we
+ do have an error code. Set last error manually. */
+ msg(M_NONFATAL | M_ERRNO, "%s: querying \"NetCfgInstanceId\" registry value failed",
+ __FUNCTION__);
break;
}
/* Read the NetCfgInstanceId value now. */
- dwResult = get_reg_string(
- hKey,
- L"NetCfgInstanceId",
- &szCfgGuidString);
+ dwResult = get_reg_string(hKey, L"NetCfgInstanceId", &szCfgGuidString);
if (dwResult != ERROR_SUCCESS)
{
break;
}
- dwResult = SUCCEEDED(CLSIDFromString(szCfgGuidString, (LPCLSID)pguidAdapter)) ? ERROR_SUCCESS : ERROR_INVALID_DATA;
+ dwResult = SUCCEEDED(CLSIDFromString(szCfgGuidString, (LPCLSID)pguidAdapter))
+ ? ERROR_SUCCESS
+ : ERROR_INVALID_DATA;
free(szCfgGuidString);
break;
}
@@ -641,12 +601,9 @@
* @return ERROR_SUCCESS on success; Win32 error code otherwise
**/
static DWORD
-get_device_reg_property(
- _In_ HDEVINFO hDeviceInfoSet,
- _In_ PSP_DEVINFO_DATA pDeviceInfoData,
- _In_ DWORD dwProperty,
- _Out_opt_ LPDWORD pdwPropertyRegDataType,
- _Out_ LPVOID *ppData)
+get_device_reg_property(_In_ HDEVINFO hDeviceInfoSet, _In_ PSP_DEVINFO_DATA pDeviceInfoData,
+ _In_ DWORD dwProperty, _Out_opt_ LPDWORD pdwPropertyRegDataType,
+ _Out_ LPVOID *ppData)
{
DWORD dwResult = ERROR_BAD_ARGUMENTS;
@@ -658,14 +615,9 @@
/* Try with stack buffer first. */
BYTE bBufStack[128];
DWORD dwRequiredSize = 0;
- if (SetupDiGetDeviceRegistryProperty(
- hDeviceInfoSet,
- pDeviceInfoData,
- dwProperty,
- pdwPropertyRegDataType,
- bBufStack,
- sizeof(bBufStack),
- &dwRequiredSize))
+ if (SetupDiGetDeviceRegistryProperty(hDeviceInfoSet, pDeviceInfoData, dwProperty,
+ pdwPropertyRegDataType, bBufStack, sizeof(bBufStack),
+ &dwRequiredSize))
{
/* Copy from stack. */
*ppData = malloc(dwRequiredSize);
@@ -691,27 +643,24 @@
return ERROR_OUTOFMEMORY;
}
- if (SetupDiGetDeviceRegistryProperty(
- hDeviceInfoSet,
- pDeviceInfoData,
- dwProperty,
- pdwPropertyRegDataType,
- *ppData,
- dwRequiredSize,
- &dwRequiredSize))
+ if (SetupDiGetDeviceRegistryProperty(hDeviceInfoSet, pDeviceInfoData, dwProperty,
+ pdwPropertyRegDataType, *ppData, dwRequiredSize,
+ &dwRequiredSize))
{
return ERROR_SUCCESS;
}
else
{
dwResult = GetLastError();
- msg(M_NONFATAL | M_ERRNO, "%s: SetupDiGetDeviceRegistryProperty(%u) failed", __FUNCTION__, dwProperty);
+ msg(M_NONFATAL | M_ERRNO, "%s: SetupDiGetDeviceRegistryProperty(%u) failed",
+ __FUNCTION__, dwProperty);
return dwResult;
}
}
else
{
- msg(M_NONFATAL | M_ERRNO, "%s: SetupDiGetDeviceRegistryProperty(%u) failed", __FUNCTION__, dwProperty);
+ msg(M_NONFATAL | M_ERRNO, "%s: SetupDiGetDeviceRegistryProperty(%u) failed",
+ __FUNCTION__, dwProperty);
return dwResult;
}
}
@@ -719,19 +668,13 @@
DWORD
-tap_create_adapter(
- _In_opt_ HWND hwndParent,
- _In_opt_ LPCWSTR szDeviceDescription,
- _In_ LPCWSTR szHwId,
- _Inout_ LPBOOL pbRebootRequired,
- _Out_ LPGUID pguidAdapter)
+tap_create_adapter(_In_opt_ HWND hwndParent, _In_opt_ LPCWSTR szDeviceDescription,
+ _In_ LPCWSTR szHwId, _Inout_ LPBOOL pbRebootRequired, _Out_ LPGUID pguidAdapter)
{
DWORD dwResult;
HMODULE libnewdev = NULL;
- if (szHwId == NULL
- || pbRebootRequired == NULL
- || pguidAdapter == NULL)
+ if (szHwId == NULL || pbRebootRequired == NULL || pguidAdapter == NULL)
{
return ERROR_BAD_ARGUMENTS;
}
@@ -747,11 +690,7 @@
/* Get the device class name from GUID. */
WCHAR szClassName[MAX_CLASS_NAME_LEN];
- if (!SetupDiClassNameFromGuid(
- &GUID_DEVCLASS_NET,
- szClassName,
- _countof(szClassName),
- NULL))
+ if (!SetupDiClassNameFromGuid(&GUID_DEVCLASS_NET, szClassName, _countof(szClassName), NULL))
{
dwResult = GetLastError();
msg(M_NONFATAL, "%s: SetupDiClassNameFromGuid failed", __FUNCTION__);
@@ -760,14 +699,8 @@
/* Create a new device info element and add it to the device info set. */
SP_DEVINFO_DATA devinfo_data = { .cbSize = sizeof(SP_DEVINFO_DATA) };
- if (!SetupDiCreateDeviceInfo(
- hDevInfoList,
- szClassName,
- &GUID_DEVCLASS_NET,
- szDeviceDescription,
- hwndParent,
- DICD_GENERATE_ID,
- &devinfo_data))
+ if (!SetupDiCreateDeviceInfo(hDevInfoList, szClassName, &GUID_DEVCLASS_NET, szDeviceDescription,
+ hwndParent, DICD_GENERATE_ID, &devinfo_data))
{
dwResult = GetLastError();
msg(M_NONFATAL, "%s: SetupDiCreateDeviceInfo failed", __FUNCTION__);
@@ -775,9 +708,7 @@
}
/* Set a device information element as the selected member of a device information set. */
- if (!SetupDiSetSelectedDevice(
- hDevInfoList,
- &devinfo_data))
+ if (!SetupDiSetSelectedDevice(hDevInfoList, &devinfo_data))
{
dwResult = GetLastError();
msg(M_NONFATAL, "%s: SetupDiSetSelectedDevice failed", __FUNCTION__);
@@ -785,11 +716,9 @@
}
/* Set Plug&Play device hardware ID property. */
- if (!SetupDiSetDeviceRegistryProperty(
- hDevInfoList,
- &devinfo_data,
- SPDRP_HARDWAREID,
- (const BYTE *)szHwId, (DWORD)((wcslen(szHwId) + 1) * sizeof(WCHAR))))
+ if (!SetupDiSetDeviceRegistryProperty(hDevInfoList, &devinfo_data, SPDRP_HARDWAREID,
+ (const BYTE *)szHwId,
+ (DWORD)((wcslen(szHwId) + 1) * sizeof(WCHAR))))
{
dwResult = GetLastError();
msg(M_NONFATAL, "%s: SetupDiSetDeviceRegistryProperty failed", __FUNCTION__);
@@ -797,10 +726,7 @@
}
/* Register the device instance with the PnP Manager */
- if (!SetupDiCallClassInstaller(
- DIF_REGISTERDEVICE,
- hDevInfoList,
- &devinfo_data))
+ if (!SetupDiCallClassInstaller(DIF_REGISTERDEVICE, hDevInfoList, &devinfo_data))
{
dwResult = GetLastError();
msg(M_NONFATAL, "%s: SetupDiCallClassInstaller(DIF_REGISTERDEVICE) failed", __FUNCTION__);
@@ -816,10 +742,9 @@
if (!DiInstallDevice(hwndParent, hDevInfoList, &devinfo_data, NULL, 0, pbRebootRequired))
#else
/* mingw does not resolve DiInstallDevice, so load it at run time. */
- typedef BOOL (WINAPI *DiInstallDeviceFn)(HWND, HDEVINFO, SP_DEVINFO_DATA *,
- SP_DRVINFO_DATA *, DWORD, BOOL *);
- DiInstallDeviceFn installfn
- = find_function(L"newdev.dll", "DiInstallDevice", &libnewdev);
+ typedef BOOL(WINAPI * DiInstallDeviceFn)(HWND, HDEVINFO, SP_DEVINFO_DATA *, SP_DRVINFO_DATA *,
+ DWORD, BOOL *);
+ DiInstallDeviceFn installfn = find_function(L"newdev.dll", "DiInstallDevice", &libnewdev);
if (!installfn)
{
@@ -855,24 +780,20 @@
};
/* Set class installer parameters for DIF_REMOVE. */
- if (SetupDiSetClassInstallParams(
- hDevInfoList,
- &devinfo_data,
- &removedevice_params.ClassInstallHeader,
- sizeof(SP_REMOVEDEVICE_PARAMS)))
+ if (SetupDiSetClassInstallParams(hDevInfoList, &devinfo_data,
+ &removedevice_params.ClassInstallHeader,
+ sizeof(SP_REMOVEDEVICE_PARAMS)))
{
/* Call appropriate class installer. */
- if (SetupDiCallClassInstaller(
- DIF_REMOVE,
- hDevInfoList,
- &devinfo_data))
+ if (SetupDiCallClassInstaller(DIF_REMOVE, hDevInfoList, &devinfo_data))
{
/* Check if a system reboot is required. */
check_reboot(hDevInfoList, &devinfo_data, pbRebootRequired);
}
else
{
- msg(M_NONFATAL | M_ERRNO, "%s: SetupDiCallClassInstaller(DIF_REMOVE) failed", __FUNCTION__);
+ msg(M_NONFATAL | M_ERRNO, "%s: SetupDiCallClassInstaller(DIF_REMOVE) failed",
+ __FUNCTION__);
}
}
else
@@ -912,11 +833,8 @@
* @return ERROR_SUCCESS on success; Win32 error code otherwise
**/
static DWORD
-execute_on_first_adapter(
- _In_opt_ HWND hwndParent,
- _In_ LPCGUID pguidAdapter,
- _In_ devop_func_t funcOperation,
- _Inout_ LPBOOL pbRebootRequired)
+execute_on_first_adapter(_In_opt_ HWND hwndParent, _In_ LPCGUID pguidAdapter,
+ _In_ devop_func_t funcOperation, _Inout_ LPBOOL pbRebootRequired)
{
DWORD dwResult;
@@ -926,14 +844,8 @@
}
/* Create a list of network devices. */
- HDEVINFO hDevInfoList = SetupDiGetClassDevsEx(
- &GUID_DEVCLASS_NET,
- NULL,
- hwndParent,
- DIGCF_PRESENT,
- NULL,
- NULL,
- NULL);
+ HDEVINFO hDevInfoList = SetupDiGetClassDevsEx(&GUID_DEVCLASS_NET, NULL, hwndParent,
+ DIGCF_PRESENT, NULL, NULL, NULL);
if (hDevInfoList == INVALID_HANDLE_VALUE)
{
dwResult = GetLastError();
@@ -942,7 +854,8 @@
}
/* Retrieve information associated with a device information set. */
- SP_DEVINFO_LIST_DETAIL_DATA devinfo_list_detail_data = { .cbSize = sizeof(SP_DEVINFO_LIST_DETAIL_DATA) };
+ SP_DEVINFO_LIST_DETAIL_DATA devinfo_list_detail_data = { .cbSize = sizeof(
+ SP_DEVINFO_LIST_DETAIL_DATA) };
if (!SetupDiGetDeviceInfoListDetail(hDevInfoList, &devinfo_list_detail_data))
{
dwResult = GetLastError();
@@ -955,10 +868,7 @@
{
/* Get the device from the list. */
SP_DEVINFO_DATA devinfo_data = { .cbSize = sizeof(SP_DEVINFO_DATA) };
- if (!SetupDiEnumDeviceInfo(
- hDevInfoList,
- dwIndex,
- &devinfo_data))
+ if (!SetupDiEnumDeviceInfo(hDevInfoList, dwIndex, &devinfo_data))
{
if (GetLastError() == ERROR_NO_MORE_ITEMS)
{
@@ -972,7 +882,8 @@
else
{
/* Something is wrong with this device. Skip it. */
- msg(M_WARN | M_ERRNO, "%s: SetupDiEnumDeviceInfo(%u) failed", __FUNCTION__, dwIndex);
+ msg(M_WARN | M_ERRNO, "%s: SetupDiEnumDeviceInfo(%u) failed", __FUNCTION__,
+ dwIndex);
continue;
}
}
@@ -1001,23 +912,19 @@
DWORD
-tap_delete_adapter(
- _In_opt_ HWND hwndParent,
- _In_ LPCGUID pguidAdapter,
- _Inout_ LPBOOL pbRebootRequired)
+tap_delete_adapter(_In_opt_ HWND hwndParent, _In_ LPCGUID pguidAdapter,
+ _Inout_ LPBOOL pbRebootRequired)
{
return execute_on_first_adapter(hwndParent, pguidAdapter, delete_device, pbRebootRequired);
}
DWORD
-tap_enable_adapter(
- _In_opt_ HWND hwndParent,
- _In_ LPCGUID pguidAdapter,
- _In_ BOOL bEnable,
- _Inout_ LPBOOL pbRebootRequired)
+tap_enable_adapter(_In_opt_ HWND hwndParent, _In_ LPCGUID pguidAdapter, _In_ BOOL bEnable,
+ _Inout_ LPBOOL pbRebootRequired)
{
- return execute_on_first_adapter(hwndParent, pguidAdapter, bEnable ? enable_device : disable_device, pbRebootRequired);
+ return execute_on_first_adapter(hwndParent, pguidAdapter,
+ bEnable ? enable_device : disable_device, pbRebootRequired);
}
/* stripped version of ExecCommand in interactive.c */
@@ -1037,8 +944,8 @@
/* CreateProcess needs a modifiable cmdline: make a copy */
cmdline_dup = _wcsdup(cmdline);
- if (cmdline_dup && CreateProcessW(NULL, cmdline_dup, NULL, NULL, FALSE,
- proc_flags, NULL, NULL, &si, &pi))
+ if (cmdline_dup
+ && CreateProcessW(NULL, cmdline_dup, NULL, NULL, FALSE, proc_flags, NULL, NULL, &si, &pi))
{
WaitForSingleObject(pi.hProcess, INFINITE);
if (!GetExitCodeProcess(pi.hProcess, &exit_code))
@@ -1059,10 +966,7 @@
}
DWORD
-tap_set_adapter_name(
- _In_ LPCGUID pguidAdapter,
- _In_ LPCWSTR szName,
- _In_ BOOL bSilent)
+tap_set_adapter_name(_In_ LPCGUID pguidAdapter, _In_ LPCWSTR szName, _In_ BOOL bSilent)
{
DWORD dwResult;
int msg_flag = bSilent ? M_WARN : M_NONFATAL;
@@ -1083,23 +987,16 @@
/* Render registry key path. */
WCHAR szRegKey[ADAPTER_REGKEY_PATH_MAX];
- swprintf_s(
- szRegKey, _countof(szRegKey),
- szAdapterRegKeyPathTemplate,
- szDevClassNetId,
- szAdapterId);
+ swprintf_s(szRegKey, _countof(szRegKey), szAdapterRegKeyPathTemplate, szDevClassNetId,
+ szAdapterId);
/* Open network adapter registry key. */
HKEY hKey = NULL;
- dwResult = RegOpenKeyEx(
- HKEY_LOCAL_MACHINE,
- szRegKey,
- 0,
- KEY_QUERY_VALUE,
- &hKey);
+ dwResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, szRegKey, 0, KEY_QUERY_VALUE, &hKey);
if (dwResult != ERROR_SUCCESS)
{
- SetLastError(dwResult); /* MSDN does not mention RegOpenKeyEx() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(dwResult); /* MSDN does not mention RegOpenKeyEx() to set GetLastError(). But
+ we do have an error code. Set last error manually. */
msg(msg_flag, "%s: RegOpenKeyEx(HKLM, \"%ls\") failed", __FUNCTION__, szRegKey);
goto cleanup_szAdapterId;
}
@@ -1142,10 +1039,8 @@
DWORD
-tap_list_adapters(
- _In_opt_ HWND hwndParent,
- _In_opt_ LPCWSTR szzHwIDs,
- _Out_ struct tap_adapter_node **ppAdapter)
+tap_list_adapters(_In_opt_ HWND hwndParent, _In_opt_ LPCWSTR szzHwIDs,
+ _Out_ struct tap_adapter_node **ppAdapter)
{
DWORD dwResult;
@@ -1155,14 +1050,8 @@
}
/* Create a list of network devices. */
- HDEVINFO hDevInfoList = SetupDiGetClassDevsEx(
- &GUID_DEVCLASS_NET,
- NULL,
- hwndParent,
- DIGCF_PRESENT,
- NULL,
- NULL,
- NULL);
+ HDEVINFO hDevInfoList = SetupDiGetClassDevsEx(&GUID_DEVCLASS_NET, NULL, hwndParent,
+ DIGCF_PRESENT, NULL, NULL, NULL);
if (hDevInfoList == INVALID_HANDLE_VALUE)
{
dwResult = GetLastError();
@@ -1171,7 +1060,8 @@
}
/* Retrieve information associated with a device information set. */
- SP_DEVINFO_LIST_DETAIL_DATA devinfo_list_detail_data = { .cbSize = sizeof(SP_DEVINFO_LIST_DETAIL_DATA) };
+ SP_DEVINFO_LIST_DETAIL_DATA devinfo_list_detail_data = { .cbSize = sizeof(
+ SP_DEVINFO_LIST_DETAIL_DATA) };
if (!SetupDiGetDeviceInfoListDetail(hDevInfoList, &devinfo_list_detail_data))
{
dwResult = GetLastError();
@@ -1190,10 +1080,7 @@
{
/* Get the device from the list. */
SP_DEVINFO_DATA devinfo_data = { .cbSize = sizeof(SP_DEVINFO_DATA) };
- if (!SetupDiEnumDeviceInfo(
- hDevInfoList,
- dwIndex,
- &devinfo_data))
+ if (!SetupDiEnumDeviceInfo(hDevInfoList, dwIndex, &devinfo_data))
{
if (GetLastError() == ERROR_NO_MORE_ITEMS)
{
@@ -1202,7 +1089,8 @@
else
{
/* Something is wrong with this device. Skip it. */
- msg(M_WARN | M_ERRNO, "%s: SetupDiEnumDeviceInfo(%u) failed", __FUNCTION__, dwIndex);
+ msg(M_WARN | M_ERRNO, "%s: SetupDiEnumDeviceInfo(%u) failed", __FUNCTION__,
+ dwIndex);
continue;
}
}
@@ -1210,12 +1098,8 @@
/* Get device hardware ID(s). */
DWORD dwDataType = REG_NONE;
LPWSTR szzDeviceHardwareIDs = NULL;
- dwResult = get_device_reg_property(
- hDevInfoList,
- &devinfo_data,
- SPDRP_HARDWAREID,
- &dwDataType,
- (LPVOID)&szzDeviceHardwareIDs);
+ dwResult = get_device_reg_property(hDevInfoList, &devinfo_data, SPDRP_HARDWAREID,
+ &dwDataType, (LPVOID)&szzDeviceHardwareIDs);
if (dwResult != ERROR_SUCCESS)
{
/* Something is wrong with this device. Skip it. */
@@ -1271,48 +1155,42 @@
/* Render registry key path. */
WCHAR szRegKey[ADAPTER_REGKEY_PATH_MAX];
- swprintf_s(
- szRegKey, _countof(szRegKey),
- szAdapterRegKeyPathTemplate,
- szDevClassNetId,
- szAdapterId);
+ swprintf_s(szRegKey, _countof(szRegKey), szAdapterRegKeyPathTemplate, szDevClassNetId,
+ szAdapterId);
/* Open network adapter registry key. */
HKEY hKey = NULL;
- dwResult = RegOpenKeyEx(
- HKEY_LOCAL_MACHINE,
- szRegKey,
- 0,
- KEY_READ,
- &hKey);
+ dwResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, szRegKey, 0, KEY_READ, &hKey);
if (dwResult != ERROR_SUCCESS)
{
- SetLastError(dwResult); /* MSDN does not mention RegOpenKeyEx() to set GetLastError(). But we do have an error code. Set last error manually. */
+ SetLastError(dwResult); /* MSDN does not mention RegOpenKeyEx() to set GetLastError().
+ But we do have an error code. Set last error manually. */
msg(M_WARN | M_ERRNO, "%s: RegOpenKeyEx(HKLM, \"%ls\") failed", __FUNCTION__, szRegKey);
goto cleanup_szAdapterId;
}
/* Read adapter name. */
LPWSTR szName = NULL;
- dwResult = get_reg_string(
- hKey,
- L"Name",
- &szName);
+ dwResult = get_reg_string(hKey, L"Name", &szName);
if (dwResult != ERROR_SUCCESS)
{
SetLastError(dwResult);
- msg(M_WARN | M_ERRNO, "%s: Cannot determine %ls adapter name", __FUNCTION__, szAdapterId);
+ msg(M_WARN | M_ERRNO, "%s: Cannot determine %ls adapter name", __FUNCTION__,
+ szAdapterId);
goto cleanup_hKey;
}
/* Append to the list. */
size_t hwid_size = (wcszlen(szzDeviceHardwareIDs) + 1) * sizeof(WCHAR);
size_t name_size = (wcslen(szName) + 1) * sizeof(WCHAR);
- struct tap_adapter_node *node = (struct tap_adapter_node *)malloc(sizeof(struct tap_adapter_node) + hwid_size + name_size);
+ struct tap_adapter_node *node = (struct tap_adapter_node *)malloc(
+ sizeof(struct tap_adapter_node) + hwid_size + name_size);
if (node == NULL)
{
- msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__, sizeof(struct tap_adapter_node) + hwid_size + name_size);
- dwResult = ERROR_OUTOFMEMORY; goto cleanup_szName;
+ msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__,
+ sizeof(struct tap_adapter_node) + hwid_size + name_size);
+ dwResult = ERROR_OUTOFMEMORY;
+ goto cleanup_szName;
}
memcpy(&node->guid, &guidAdapter, sizeof(GUID));
@@ -1351,8 +1229,7 @@
void
-tap_free_adapter_list(
- _In_ struct tap_adapter_node *pAdapterList)
+tap_free_adapter_list(_In_ struct tap_adapter_node *pAdapterList)
{
/* Iterate over all nodes of the list. */
while (pAdapterList)
@@ -49,12 +49,8 @@
* @return ERROR_SUCCESS on success; Win32 error code otherwise
**/
DWORD
-tap_create_adapter(
- _In_opt_ HWND hwndParent,
- _In_opt_ LPCWSTR szDeviceDescription,
- _In_ LPCWSTR szHwId,
- _Inout_ LPBOOL pbRebootRequired,
- _Out_ LPGUID pguidAdapter);
+tap_create_adapter(_In_opt_ HWND hwndParent, _In_opt_ LPCWSTR szDeviceDescription,
+ _In_ LPCWSTR szHwId, _Inout_ LPBOOL pbRebootRequired, _Out_ LPGUID pguidAdapter);
/**
@@ -76,10 +72,8 @@
* @return ERROR_SUCCESS on success; Win32 error code otherwise
**/
DWORD
-tap_delete_adapter(
- _In_opt_ HWND hwndParent,
- _In_ LPCGUID pguidAdapter,
- _Inout_ LPBOOL pbRebootRequired);
+tap_delete_adapter(_In_opt_ HWND hwndParent, _In_ LPCGUID pguidAdapter,
+ _Inout_ LPBOOL pbRebootRequired);
/**
@@ -103,11 +97,8 @@
* @return ERROR_SUCCESS on success; Win32 error code otherwise
**/
DWORD
-tap_enable_adapter(
- _In_opt_ HWND hwndParent,
- _In_ LPCGUID pguidAdapter,
- _In_ BOOL bEnable,
- _Inout_ LPBOOL pbRebootRequired);
+tap_enable_adapter(_In_opt_ HWND hwndParent, _In_ LPCGUID pguidAdapter, _In_ BOOL bEnable,
+ _Inout_ LPBOOL pbRebootRequired);
/**
@@ -123,10 +114,7 @@
* @return ERROR_SUCCESS on success; Win32 error code otherwise
**/
DWORD
-tap_set_adapter_name(
- _In_ LPCGUID pguidAdapter,
- _In_ LPCWSTR szName,
- _In_ BOOL bSilent);
+tap_set_adapter_name(_In_ LPCGUID pguidAdapter, _In_ LPCWSTR szName, _In_ BOOL bSilent);
/**
@@ -134,9 +122,9 @@
*/
struct tap_adapter_node
{
- GUID guid; /**< Adapter GUID */
- LPWSTR szzHardwareIDs; /**< Device hardware ID(s) */
- LPWSTR szName; /**< Adapter name */
+ GUID guid; /**< Adapter GUID */
+ LPWSTR szzHardwareIDs; /**< Device hardware ID(s) */
+ LPWSTR szName; /**< Adapter name */
struct tap_adapter_node *pNext; /**< Pointer to next adapter */
};
@@ -162,10 +150,8 @@
* @return ERROR_SUCCESS on success; Win32 error code otherwise
*/
DWORD
-tap_list_adapters(
- _In_opt_ HWND hwndParent,
- _In_opt_ LPCWSTR szzHwIDs,
- _Out_ struct tap_adapter_node **ppAdapterList);
+tap_list_adapters(_In_opt_ HWND hwndParent, _In_opt_ LPCWSTR szzHwIDs,
+ _Out_ struct tap_adapter_node **ppAdapterList);
/**
@@ -173,8 +159,6 @@
*
* @param pAdapterList A pointer to the first adapter in the list to free.
*/
-void
-tap_free_adapter_list(
- _In_ struct tap_adapter_node *pAdapterList);
+void tap_free_adapter_list(_In_ struct tap_adapter_node *pAdapterList);
#endif /* ifndef TAP_H */
@@ -49,7 +49,7 @@
crypto_unload_provider("legacy", legacy);
crypto_unload_provider("default", def);
#endif
-#else /* ifdef NTLM */
+#else /* ifdef NTLM */
msg(M_FATAL, "NTLM support not compiled in");
#endif
}
@@ -10,7 +10,7 @@
static int
setup(void **state)
{
- int *answer = malloc(sizeof(int));
+ int *answer = malloc(sizeof(int));
*answer = 42;
*state = answer;
@@ -29,7 +29,7 @@
static void
null_test_success(void **state)
{
- (void) state;
+ (void)state;
}
static void
@@ -39,8 +39,7 @@
assert_int_equal(*answer, 42);
}
-__attribute__((unused))
-static void
+__attribute__((unused)) static void
failing_test(void **state)
{
/* This tests fails to test that make check fails */
@@ -53,7 +52,7 @@
const struct CMUnitTest tests[] = {
cmocka_unit_test(null_test_success),
cmocka_unit_test_setup_teardown(int_test_success, setup, teardown),
-/* cmocka_unit_test(failing_test), */
+ /* cmocka_unit_test(failing_test), */
};
return cmocka_run_group_tests_name("success_test", tests, NULL, NULL);
@@ -11,7 +11,7 @@
static void
test_true(void **state)
{
- (void) state;
+ (void)state;
}
@@ -52,12 +52,11 @@
"srXMaPe0lAea4etMSZsjIRPwGRMXBrwbRmb6iN2Cq40867HdaJoAryYig7IiDwSX\n"
"htCbOA6sX+60+FEOYDEx5cmkogl633Pw7LJ3ICkyzIrUSEt6BOT1Gsc1eQ==\n"
"-----END CERTIFICATE-----\n";
-static const char *const key1 =
- "-----BEGIN PRIVATE KEY-----\n"
- "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg5Xpw/lLvBrWjAWDq\n"
- "L6dm/4a1or6AQ6O3yXYgw78B23ihRANCAAR4SRvnSuGdJmPitKbqcFbcgyzsMBlh\n"
- "4wWOrty4I0ZlIXxY2qEnyb3YKz4OdMGzpK7FLfQZehHg6LGblcLs4EW7\n"
- "-----END PRIVATE KEY-----\n";
+static const char *const key1 = "-----BEGIN PRIVATE KEY-----\n"
+ "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg5Xpw/lLvBrWjAWDq\n"
+ "L6dm/4a1or6AQ6O3yXYgw78B23ihRANCAAR4SRvnSuGdJmPitKbqcFbcgyzsMBlh\n"
+ "4wWOrty4I0ZlIXxY2qEnyb3YKz4OdMGzpK7FLfQZehHg6LGblcLs4EW7\n"
+ "-----END PRIVATE KEY-----\n";
static const char *const hash1 = "A4B74F1D68AF50691F62CBD675E24C8655369567";
static const char *const cname1 = "ovpn-test-ec1";
@@ -104,35 +103,34 @@
"F6MgVGSxl6eylJgDYckvJiAbmcp2PD/LRQQOxQA0yqeAMg2cbdvclETuYD6zoFfu\n"
"Y8aO7dvDlw==\n"
"-----END CERTIFICATE-----\n";
-static const char *const key3 =
- "-----BEGIN PRIVATE KEY-----\n"
- "MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC7xFoR6fmoyfsJ\n"
- "IQDKKgbYgFw0MzVuDAmpRx6KTEihgTchkQx9fHddWbKiOUbcEnQi3LNux7P4QVl/\n"
- "4dRR3skisBug6Vd5LXeBGZqmpu5XZiF4DgLz1lX21G0aOogFWkie2qGEcso40159\n"
- "x9FBDl5A3sLP18ubeex0pd/BzDFv6SLOTyVWO/GCNc8IX/i0uN4mLvoVU00SeqwT\n"
- "PnS+CRXrSq4JjGDJLsXl0/PlxkjsgU0yOOA0Z2d8Fzk3wClwP6Hc49BOMWKstUIh\n"
- "LbG2DcIv8l29EuEj2w3ju/7gkewol96XQ2twpPvpoVAaiVh/m7hQUcQORQCD6eJc\n"
- "DjOZVCArAgMBAAECggEACqkuWAAJ3cyCBVWrXs8eDmLTWV9i9DmYvtS75ixIn2rf\n"
- "v3cl12YevN0f6FgKLuqZT3Vqdqq+DCVhuIIQ9QkKMH8BQpSdE9NCCsFyZ23o8Gtr\n"
- "EQ7ymfecb+RFwYx7NpqWrvZI32VJGArgPZH/zorLTTGYrAZbmBtHEqRsXOuEDw97\n"
- "slwwcWaa9ztaYC8/N/7fgsnydaCFSaOByRlWuyvSmHvn6ZwLv8ANOshY6fstC0Jb\n"
- "BW0GpSe9eZPjpl71VT2RtpghqLV5+iAoFDHoT+eZvBospcUGtfcZSU7RrBjKB8+a\n"
- "U1d6hwKhduVs2peIQzl+FiOSdWriLcsZv79q4sBhsQKBgQDUDVTf5BGJ8apOs/17\n"
- "YVk+Ad8Ey8sXvsfk49psmlCRa8Z4g0LVXfrP94qzhtl8U5kE9hs3nEF4j/kX1ZWG\n"
- "k11tdsNTZN5x5bbAgEgPA6Ap6J/uto0HS8G0vSv0lyBymdKA3p/i5Dx+8Nc9cGns\n"
- "LGI9MvviLX7pQFIkvbaCkdKwYwKBgQDirowjWZnm7BgVhF0G1m3DY9nQTYYU185W\n"
- "UESaO5/nVzwUrA+FypJamD+AvmlSuY8rJeQAGAS6nQr9G8/617r+GwJnzRtxC6Vl\n"
- "4OF5BJRsD70oX4CFOOlycMoJ8tzcYVH7NI8KVocjxb+QW82hqSvEwSsvnwwn3eOW\n"
- "nr5u5vIHmQKBgCuc3lL6Dl1ntdZgEIdau0cUjXDoFUo589TwxBDIID/4gaZxoMJP\n"
- "hPFXAVDxMDPw4azyjSB/47tPKTUsuYcnMfT8kynIujOEwnSPLcLgxQU5kgM/ynuw\n"
- "qhNpQOwaVRMc7f2RTCMXPBYDpNE/GJn5eu8JWGLpZovEreBeoHX0VffvAoGAVrWn\n"
- "+3mxykhzaf+oyg3KDNysG+cbq+tlDVVE+K5oG0kePVYX1fjIBQmJ+QhdJ3y9jCbB\n"
- "UVveqzeZVXqHEw/kgoD4aZZmsdZfnVnpRa5/y9o1ZDUr50n+2nzUe/u/ijlb77iK\n"
- "Is04gnGJNoI3ZWhdyrSNfXjcYH+bKClu9OM4n7kCgYAorc3PAX7M0bsQrrqYxUS8\n"
- "56UU0YdhAgYitjM7Fm/0iIm0vDpSevxL9js4HnnsSMVR77spCBAGOCCZrTcI3Ejg\n"
- "xKDYzh1xlfMRjJBuBu5Pd55ZAv9NXFGpsX5SO8fDZQJMwpcbQH36+UdqRRFDpjJ0\n"
- "ZbX6nKcJ7jciJVKJds59Jg==\n"
- "-----END PRIVATE KEY-----\n";
+static const char *const key3 = "-----BEGIN PRIVATE KEY-----\n"
+ "MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC7xFoR6fmoyfsJ\n"
+ "IQDKKgbYgFw0MzVuDAmpRx6KTEihgTchkQx9fHddWbKiOUbcEnQi3LNux7P4QVl/\n"
+ "4dRR3skisBug6Vd5LXeBGZqmpu5XZiF4DgLz1lX21G0aOogFWkie2qGEcso40159\n"
+ "x9FBDl5A3sLP18ubeex0pd/BzDFv6SLOTyVWO/GCNc8IX/i0uN4mLvoVU00SeqwT\n"
+ "PnS+CRXrSq4JjGDJLsXl0/PlxkjsgU0yOOA0Z2d8Fzk3wClwP6Hc49BOMWKstUIh\n"
+ "LbG2DcIv8l29EuEj2w3ju/7gkewol96XQ2twpPvpoVAaiVh/m7hQUcQORQCD6eJc\n"
+ "DjOZVCArAgMBAAECggEACqkuWAAJ3cyCBVWrXs8eDmLTWV9i9DmYvtS75ixIn2rf\n"
+ "v3cl12YevN0f6FgKLuqZT3Vqdqq+DCVhuIIQ9QkKMH8BQpSdE9NCCsFyZ23o8Gtr\n"
+ "EQ7ymfecb+RFwYx7NpqWrvZI32VJGArgPZH/zorLTTGYrAZbmBtHEqRsXOuEDw97\n"
+ "slwwcWaa9ztaYC8/N/7fgsnydaCFSaOByRlWuyvSmHvn6ZwLv8ANOshY6fstC0Jb\n"
+ "BW0GpSe9eZPjpl71VT2RtpghqLV5+iAoFDHoT+eZvBospcUGtfcZSU7RrBjKB8+a\n"
+ "U1d6hwKhduVs2peIQzl+FiOSdWriLcsZv79q4sBhsQKBgQDUDVTf5BGJ8apOs/17\n"
+ "YVk+Ad8Ey8sXvsfk49psmlCRa8Z4g0LVXfrP94qzhtl8U5kE9hs3nEF4j/kX1ZWG\n"
+ "k11tdsNTZN5x5bbAgEgPA6Ap6J/uto0HS8G0vSv0lyBymdKA3p/i5Dx+8Nc9cGns\n"
+ "LGI9MvviLX7pQFIkvbaCkdKwYwKBgQDirowjWZnm7BgVhF0G1m3DY9nQTYYU185W\n"
+ "UESaO5/nVzwUrA+FypJamD+AvmlSuY8rJeQAGAS6nQr9G8/617r+GwJnzRtxC6Vl\n"
+ "4OF5BJRsD70oX4CFOOlycMoJ8tzcYVH7NI8KVocjxb+QW82hqSvEwSsvnwwn3eOW\n"
+ "nr5u5vIHmQKBgCuc3lL6Dl1ntdZgEIdau0cUjXDoFUo589TwxBDIID/4gaZxoMJP\n"
+ "hPFXAVDxMDPw4azyjSB/47tPKTUsuYcnMfT8kynIujOEwnSPLcLgxQU5kgM/ynuw\n"
+ "qhNpQOwaVRMc7f2RTCMXPBYDpNE/GJn5eu8JWGLpZovEreBeoHX0VffvAoGAVrWn\n"
+ "+3mxykhzaf+oyg3KDNysG+cbq+tlDVVE+K5oG0kePVYX1fjIBQmJ+QhdJ3y9jCbB\n"
+ "UVveqzeZVXqHEw/kgoD4aZZmsdZfnVnpRa5/y9o1ZDUr50n+2nzUe/u/ijlb77iK\n"
+ "Is04gnGJNoI3ZWhdyrSNfXjcYH+bKClu9OM4n7kCgYAorc3PAX7M0bsQrrqYxUS8\n"
+ "56UU0YdhAgYitjM7Fm/0iIm0vDpSevxL9js4HnnsSMVR77spCBAGOCCZrTcI3Ejg\n"
+ "xKDYzh1xlfMRjJBuBu5Pd55ZAv9NXFGpsX5SO8fDZQJMwpcbQH36+UdqRRFDpjJ0\n"
+ "ZbX6nKcJ7jciJVKJds59Jg==\n"
+ "-----END PRIVATE KEY-----\n";
static const char *const hash3 = "2463628674E362578113F508BA05F29EF142E979";
static const char *const cname3 = "ovpn-test-rsa1";
@@ -162,4 +160,4 @@
static const char *const hash4 = "E1401D4497C944783E3D62CDBD2A1F69F5E5071E";
#define cname4 cname3 /* same CN as that of cert3 */
-#endif /* CERT_DATA_H */
+#endif /* CERT_DATA_H */
@@ -42,8 +42,7 @@
}
char *
-management_query_pk_sig(struct management *man, const char *b64_data,
- const char *algorithm)
+management_query_pk_sig(struct management *man, const char *b64_data, const char *algorithm)
{
return NULL;
}
@@ -71,8 +71,7 @@
}
void
-x_msg_va(const unsigned int flags, const char *format,
- va_list arglist)
+x_msg_va(const unsigned int flags, const char *format, va_list arglist)
{
if (flags & M_FATAL)
{
@@ -107,7 +106,7 @@
/* Keep compiler happy. Should not happen, mock_assert() does not return */
exit(1);
}
-#else /* ifndef NO_CMOCKA */
+#else /* ifndef NO_CMOCKA */
void
assert_failed(const char *filename, int line, const char *condition)
{
@@ -35,13 +35,10 @@
extern bool fatal_error_triggered;
extern char mock_msg_buf[MOCK_MSG_BUF];
-void
-mock_set_debug_level(int level);
+void mock_set_debug_level(int level);
-int
-mock_get_debug_level(void);
+int mock_get_debug_level(void);
-void
-mock_set_print_debug_level(int level);
+void mock_set_print_debug_level(int level);
#endif /* MOCK_MSG */
@@ -37,8 +37,8 @@
#include "ssl_verify.h"
int
-parse_line(const char *line, char **p, const int n, const char *file,
- const int line_num, int msglevel, struct gc_arena *gc)
+parse_line(const char *line, char **p, const int n, const char *file, const int line_num,
+ int msglevel, struct gc_arena *gc)
{
/* Dummy function to get the linker happy, should never be called */
assert_true(false);
@@ -56,14 +56,14 @@
size_t siglen = 0;
int ret = 0;
- OSSL_PARAM params[2] = {OSSL_PARAM_END};
+ OSSL_PARAM params[2] = { OSSL_PARAM_END };
const char *mdname = "SHA256";
if (EVP_PKEY_get_id(privkey) == EVP_PKEY_RSA)
{
const char *padmode = "pss"; /* RSA_PSS: for all other params, use defaults */
- params[0] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE,
- (char *)padmode, 0);
+ params[0] =
+ OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, (char *)padmode, 0);
params[1] = OSSL_PARAM_construct_end();
}
else if (EVP_PKEY_get_id(privkey) == EVP_PKEY_EC)
@@ -79,8 +79,7 @@
EVP_PKEY_CTX *pctx = NULL;
EVP_MD_CTX *mctx = EVP_MD_CTX_new();
- if (!mctx
- || EVP_DigestSignInit_ex(mctx, &pctx, mdname, tls_libctx, NULL, privkey, params) <= 0)
+ if (!mctx || EVP_DigestSignInit_ex(mctx, &pctx, mdname, tls_libctx, NULL, privkey, params) <= 0)
{
/* cmocka assert output for these kinds of failures is hardly explanatory,
* print a message and assert in caller. */
@@ -115,7 +114,7 @@
mctx = EVP_MD_CTX_new();
pctx = NULL;
if (!mctx
- || EVP_DigestVerifyInit_ex(mctx, &pctx, mdname, tls_libctx, NULL, pubkey, params) <= 0)
+ || EVP_DigestVerifyInit_ex(mctx, &pctx, mdname, tls_libctx, NULL, pubkey, params) <= 0)
{
print_error("Failed to initialize EVP_DigestVerifyInit_ex()");
goto done;
@@ -15,15 +15,15 @@
#include "test_common.h"
/* Defines for use in the tests and the mock parse_line() */
-#define PATH1 "/s p a c e"
-#define PATH2 "/foo bar/baz"
-#define PARAM1 "param1"
-#define PARAM2 "param two"
-#define SCRIPT_CMD "\"" PATH1 PATH2 "\"" PARAM1 "\"" PARAM2 "\""
+#define PATH1 "/s p a c e"
+#define PATH2 "/foo bar/baz"
+#define PARAM1 "param1"
+#define PARAM2 "param two"
+#define SCRIPT_CMD "\"" PATH1 PATH2 "\"" PARAM1 "\"" PARAM2 "\""
int
-__wrap_parse_line(const char *line, char **p, const int n, const char *file,
- const int line_num, int msglevel, struct gc_arena *gc)
+__wrap_parse_line(const char *line, char **p, const int n, const char *file, const int line_num,
+ int msglevel, struct gc_arena *gc)
{
p[0] = PATH1 PATH2;
p[1] = PARAM1;
@@ -201,10 +201,10 @@
argv_printf_cat(&a, "%s", PARAM2);
argv_printf_cat(&a, "%d", -1);
argv_printf_cat(&a, "%u", -1);
- argv_printf_cat(&a, "%lu", 1L );
+ argv_printf_cat(&a, "%lu", 1L);
output = argv_str(&a, &gc, PA_BRACKET);
assert_string_equal(output, "[" PATH1 PATH2 "] [" PARAM1 "] [" PARAM2 "]"
- " [-1] [4294967295] [1]");
+ " [-1] [4294967295] [1]");
argv_free(&a);
gc_free(&gc);
@@ -36,7 +36,8 @@
#include "auth_token.c"
#include "test_common.h"
-struct test_context {
+struct test_context
+{
struct tls_multi multi;
struct key_type kt;
struct user_pass up;
@@ -52,10 +53,10 @@
void
auth_set_client_reason(struct tls_multi *multi, const char *reason)
{
-
}
-static const char *now0key0 = "SESS_ID_AT_0123456789abcdefAAAAAAAAAAAAAAAAAAAAAE5JsQJOVfo8jnI3RL3tBaR5NkE4yPfcylFUHmHSc5Bu";
+static const char *now0key0 =
+ "SESS_ID_AT_0123456789abcdefAAAAAAAAAAAAAAAAAAAAAE5JsQJOVfo8jnI3RL3tBaR5NkE4yPfcylFUHmHSc5Bu";
static const char *zeroinline = "-----BEGIN OpenVPN auth-token server key-----\n"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
@@ -63,21 +64,24 @@
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n"
"-----END OpenVPN auth-token server key-----";
-static const char *allx01inline = "-----BEGIN OpenVPN auth-token server key-----\n"
- "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB\n"
- "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB\n"
- "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=\n"
- "-----END OpenVPN auth-token server key-----";
+static const char *allx01inline =
+ "-----BEGIN OpenVPN auth-token server key-----\n"
+ "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB\n"
+ "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB\n"
+ "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=\n"
+ "-----END OpenVPN auth-token server key-----";
-static const char *random_key = "-----BEGIN OpenVPN auth-token server key-----\n"
- "+mmmf7IQ5cymtMVjKYTWk8IOcYanRlpQmV9Tb3EjkHYxueBVDg3yqRgzeBlVGzNLD//rAPiOVhau\n"
- "3NDBjNOQB8951bfs7Cc2mYfay92Bh2gRJ5XEM/DMfzCWN+7uU6NWoTTHr4FuojnIQtjtqVAj/JS9\n"
- "w+dTSp/vYHl+c7uHd19uVRu/qLqV85+rm4tUGIjO7FfYuwyPqwmhuIsi3hs9QkSimh888FmBpoKY\n"
- "/tbKVTJZmSERKti9KEwtV2eVAR0znN5KW7lCB3mHVAhN7bUpcoDjfCzYIFARxwswTFu9gFkwqUMY\n"
- "I1KUOgIsVNs4llACioeXplYekWETR+YkJwDc/A==\n"
- "-----END OpenVPN auth-token server key-----";
+static const char *random_key =
+ "-----BEGIN OpenVPN auth-token server key-----\n"
+ "+mmmf7IQ5cymtMVjKYTWk8IOcYanRlpQmV9Tb3EjkHYxueBVDg3yqRgzeBlVGzNLD//rAPiOVhau\n"
+ "3NDBjNOQB8951bfs7Cc2mYfay92Bh2gRJ5XEM/DMfzCWN+7uU6NWoTTHr4FuojnIQtjtqVAj/JS9\n"
+ "w+dTSp/vYHl+c7uHd19uVRu/qLqV85+rm4tUGIjO7FfYuwyPqwmhuIsi3hs9QkSimh888FmBpoKY\n"
+ "/tbKVTJZmSERKti9KEwtV2eVAR0znN5KW7lCB3mHVAhN7bUpcoDjfCzYIFARxwswTFu9gFkwqUMY\n"
+ "I1KUOgIsVNs4llACioeXplYekWETR+YkJwDc/A==\n"
+ "-----END OpenVPN auth-token server key-----";
-static const char *random_token = "SESS_ID_AT_ThhRItzOKNKrh3dfAAAAAFwzHpwAAAAAXDMenDdrq0RoH3dkA1f7O3wO+7kZcx2DusVZrRmFlWQM9HOb";
+static const char *random_token =
+ "SESS_ID_AT_ThhRItzOKNKrh3dfAAAAAFwzHpwAAAAAXDMenDdrq0RoH3dkA1f7O3wO+7kZcx2DusVZrRmFlWQM9HOb";
static int
@@ -87,7 +91,7 @@
*state = ctx;
struct key_parameters key = { 0 };
- key.hmac_size = MAX_HMAC_KEY_LENGTH; /* 64 byte of 0 */
+ key.hmac_size = MAX_HMAC_KEY_LENGTH; /* 64 byte of 0 */
ctx->kt = auth_token_kt();
if (!ctx->kt.digest)
@@ -115,7 +119,7 @@
static int
teardown(void **state)
{
- struct test_context *ctx = (struct test_context *) *state;
+ struct test_context *ctx = (struct test_context *)*state;
free_key_ctx(&ctx->multi.opt.auth_token_key);
wipe_auth_token(&ctx->multi);
@@ -129,23 +133,21 @@
static void
auth_token_basic_test(void **state)
{
- struct test_context *ctx = (struct test_context *) *state;
+ struct test_context *ctx = (struct test_context *)*state;
generate_auth_token(&ctx->up, &ctx->multi);
strcpy(ctx->up.password, ctx->multi.auth_token);
- assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK);
+ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
}
static void
auth_token_fail_invalid_key(void **state)
{
- struct test_context *ctx = (struct test_context *) *state;
+ struct test_context *ctx = (struct test_context *)*state;
generate_auth_token(&ctx->up, &ctx->multi);
strcpy(ctx->up.password, ctx->multi.auth_token);
- assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK);
+ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
/* Change auth-token key */
struct key_parameters key;
@@ -161,15 +163,13 @@
memset(&key.hmac, 0, sizeof(key.hmac));
free_key_ctx(&ctx->multi.opt.auth_token_key);
init_key_ctx(&ctx->multi.opt.auth_token_key, &key, &ctx->kt, false, "TEST");
- assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK);
-
+ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
}
static void
auth_token_test_timeout(void **state)
{
- struct test_context *ctx = (struct test_context *) *state;
+ struct test_context *ctx = (struct test_context *)*state;
now = 100000;
generate_auth_token(&ctx->up, &ctx->multi);
@@ -179,33 +179,31 @@
ctx->multi.auth_token_initial = NULL;
/* No time has passed */
- assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK);
+ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
/* Token before validity, should be rejected */
now = 100000 - 100;
assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED);
+ AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_EXPIRED);
/* Token no valid for renegotiate_seconds but still for renewal_time */
- now = 100000 + 2*ctx->session->opt->renegotiate_seconds - 20;
+ now = 100000 + 2 * ctx->session->opt->renegotiate_seconds - 20;
assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED);
+ AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_EXPIRED);
- now = 100000 + 2*ctx->session->opt->auth_token_renewal - 20;
- assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK);
+ now = 100000 + 2 * ctx->session->opt->auth_token_renewal - 20;
+ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
/* Token past validity, should be rejected */
- now = 100000 + 2*ctx->session->opt->renegotiate_seconds + 20;
+ now = 100000 + 2 * ctx->session->opt->renegotiate_seconds + 20;
assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED);
+ AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_EXPIRED);
/* But not when we reached our timeout */
now = 100000 + ctx->session->opt->auth_token_lifetime + 1;
assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED);
+ AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_EXPIRED);
free(ctx->multi.auth_token_initial);
ctx->multi.auth_token_initial = NULL;
@@ -223,26 +221,25 @@
assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED);
+ AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_EXPIRED);
ctx->multi.opt.auth_token_lifetime = 0;
/* Non expiring token should be fine */
- assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK);
+ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
}
static void
zerohmac(char *token)
{
- char *hmacstart = token + AUTH_TOKEN_SESSION_ID_LEN
- + strlen(SESSION_ID_PREFIX) + 2*sizeof(uint64_t);
+ char *hmacstart =
+ token + AUTH_TOKEN_SESSION_ID_LEN + strlen(SESSION_ID_PREFIX) + 2 * sizeof(uint64_t);
memset(hmacstart, 0x8d, strlen(hmacstart));
}
static void
auth_token_test_known_keys(void **state)
{
- struct test_context *ctx = (struct test_context *) *state;
+ struct test_context *ctx = (struct test_context *)*state;
now = 0;
/* Preload the session id so the same session id is used here */
@@ -257,8 +254,7 @@
assert_string_equal(now0key0, ctx->multi.auth_token);
strcpy(ctx->up.password, ctx->multi.auth_token);
- assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK);
+ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
}
static const char *lastsesion_statevalue;
@@ -274,13 +270,12 @@
void
auth_token_test_session_mismatch(void **state)
{
- struct test_context *ctx = (struct test_context *) *state;
+ struct test_context *ctx = (struct test_context *)*state;
/* Generate first auth token and check it is correct */
generate_auth_token(&ctx->up, &ctx->multi);
strcpy(ctx->up.password, ctx->multi.auth_token);
- assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK);
+ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
char *token_sessiona = strdup(ctx->multi.auth_token);
@@ -289,8 +284,7 @@
generate_auth_token(&ctx->up, &ctx->multi);
strcpy(ctx->up.password, ctx->multi.auth_token);
- assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK);
+ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
assert_int_not_equal(0, memcmp(ctx->multi.auth_token_initial + strlen(SESSION_ID_PREFIX),
token_sessiona + strlen(SESSION_ID_PREFIX),
@@ -306,39 +300,37 @@
static void
auth_token_test_empty_user(void **state)
{
- struct test_context *ctx = (struct test_context *) *state;
+ struct test_context *ctx = (struct test_context *)*state;
CLEAR(ctx->up.username);
now = 0;
generate_auth_token(&ctx->up, &ctx->multi);
strcpy(ctx->up.password, ctx->multi.auth_token);
- assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK);
+ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
now = 100000;
assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED);
+ AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_EXPIRED);
strcpy(ctx->up.username, "test user name");
now = 0;
assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_VALID_EMPTYUSER);
+ AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_VALID_EMPTYUSER);
strcpy(ctx->up.username, "test user name");
now = 100000;
assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED|AUTH_TOKEN_VALID_EMPTYUSER);
+ AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_EXPIRED | AUTH_TOKEN_VALID_EMPTYUSER);
zerohmac(ctx->up.password);
- assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
- 0);
+ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), 0);
}
static void
auth_token_test_env(void **state)
{
- struct test_context *ctx = (struct test_context *) *state;
+ struct test_context *ctx = (struct test_context *)*state;
struct key_state *ks = &ctx->multi.session[TM_ACTIVE].key[KS_PRIMARY];
@@ -356,15 +348,16 @@
add_session_token_env(ctx->session, &ctx->multi, &ctx->up);
assert_string_equal(lastsesion_statevalue, "Authenticated");
- ks->auth_token_state_flags = AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED;
+ ks->auth_token_state_flags = AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_EXPIRED;
add_session_token_env(ctx->session, &ctx->multi, &ctx->up);
assert_string_equal(lastsesion_statevalue, "Expired");
- ks->auth_token_state_flags = AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_VALID_EMPTYUSER;
+ ks->auth_token_state_flags = AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_VALID_EMPTYUSER;
add_session_token_env(ctx->session, &ctx->multi, &ctx->up);
assert_string_equal(lastsesion_statevalue, "AuthenticatedEmptyUser");
- ks->auth_token_state_flags = AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED|AUTH_TOKEN_VALID_EMPTYUSER;
+ ks->auth_token_state_flags =
+ AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_EXPIRED | AUTH_TOKEN_VALID_EMPTYUSER;
add_session_token_env(ctx->session, &ctx->multi, &ctx->up);
assert_string_equal(lastsesion_statevalue, "ExpiredEmptyUser");
}
@@ -372,7 +365,7 @@
static void
auth_token_test_random_keys(void **state)
{
- struct test_context *ctx = (struct test_context *) *state;
+ struct test_context *ctx = (struct test_context *)*state;
now = 0x5c331e9c;
/* Preload the session id so the same session id is used here */
@@ -397,7 +390,7 @@
static void
auth_token_test_key_load(void **state)
{
- struct test_context *ctx = (struct test_context *) *state;
+ struct test_context *ctx = (struct test_context *)*state;
free_key_ctx(&ctx->multi.opt.auth_token_key);
auth_token_init_secret(&ctx->multi.opt.auth_token_key, zeroinline, true);
@@ -43,13 +43,13 @@
assert_false(strprefix("12", "123"));
}
-#define testsep ","
+#define testsep ","
#define testnosep ""
-#define teststr1 "one"
-#define teststr2 "two"
-#define teststr3 "three"
+#define teststr1 "one"
+#define teststr2 "two"
+#define teststr3 "three"
-#define assert_buf_equals_str(buf, str) \
+#define assert_buf_equals_str(buf, str) \
assert_int_equal(BLEN(buf), strlen(str)); \
assert_memory_equal(BPTR(buf), str, BLEN(buf));
@@ -82,9 +82,7 @@
test_buffer_format_hex_ex(void **state)
{
const int input_size = 10;
- const uint8_t input[] = {
- 0x01, 0x00, 0xff, 0x10, 0xff, 0x00, 0xf0, 0x0f, 0x09, 0x0a
- };
+ const uint8_t input[] = { 0x01, 0x00, 0xff, 0x10, 0xff, 0x00, 0xf0, 0x0f, 0x09, 0x0a };
char *output;
struct gc_arena gc = gc_new();
@@ -113,7 +111,8 @@
gc_free(&gc);
}
-struct test_buffer_list_aggregate_ctx {
+struct test_buffer_list_aggregate_ctx
+{
struct buffer_list *empty;
struct buffer_list *one_two_three;
struct buffer_list *zero_length_strings;
@@ -123,7 +122,7 @@
static int
test_buffer_list_setup(void **state)
{
- struct test_buffer_list_aggregate_ctx *ctx = calloc(1, sizeof(*ctx));
+ struct test_buffer_list_aggregate_ctx *ctx = calloc(1, sizeof(*ctx));
ctx->empty = buffer_list_new();
ctx->one_two_three = buffer_list_new();
@@ -188,8 +187,7 @@
/* Aggregate the first two elements
* (add 1 to max_len to test if "three" is not sneaked in too)
*/
- buffer_list_aggregate_separator(ctx->one_two_three, strlen(expected) + 1,
- testsep);
+ buffer_list_aggregate_separator(ctx->one_two_three, strlen(expected) + 1, testsep);
assert_int_equal(ctx->one_two_three->size, 2);
struct buffer *buf = buffer_list_peek(ctx->one_two_three);
assert_buf_equals_str(buf, expected);
@@ -201,11 +199,10 @@
struct test_buffer_list_aggregate_ctx *ctx = *state;
/* Aggregate all */
- buffer_list_aggregate_separator(ctx->one_two_three, 1<<16, testsep);
+ buffer_list_aggregate_separator(ctx->one_two_three, 1 << 16, testsep);
assert_int_equal(ctx->one_two_three->size, 1);
struct buffer *buf = buffer_list_peek(ctx->one_two_three);
- assert_buf_equals_str(buf,
- teststr1 testsep teststr2 testsep teststr3 testsep);
+ assert_buf_equals_str(buf, teststr1 testsep teststr2 testsep teststr3 testsep);
}
static void
@@ -214,7 +211,7 @@
struct test_buffer_list_aggregate_ctx *ctx = *state;
/* Aggregate all */
- buffer_list_aggregate_separator(ctx->one_two_three, 1<<16, testnosep);
+ buffer_list_aggregate_separator(ctx->one_two_three, 1 << 16, testnosep);
assert_int_equal(ctx->one_two_three->size, 1);
struct buffer *buf = buffer_list_peek(ctx->one_two_three);
assert_buf_equals_str(buf, teststr1 teststr2 teststr3);
@@ -227,7 +224,7 @@
struct buffer_list *bl_zerolen = ctx->zero_length_strings;
/* Aggregate all */
- buffer_list_aggregate_separator(bl_zerolen, 1<<16, testnosep);
+ buffer_list_aggregate_separator(bl_zerolen, 1 << 16, testnosep);
assert_int_equal(bl_zerolen->size, 1);
struct buffer *buf = buffer_list_peek(bl_zerolen);
assert_buf_equals_str(buf, "");
@@ -240,7 +237,7 @@
struct buffer_list *bl_emptybuffers = ctx->empty_buffers;
/* Aggregate all */
- buffer_list_aggregate_separator(bl_emptybuffers, 1<<16, testnosep);
+ buffer_list_aggregate_separator(bl_emptybuffers, 1 << 16, testnosep);
assert_int_equal(bl_emptybuffers->size, 1);
struct buffer *buf = buffer_list_peek(bl_emptybuffers);
assert_int_equal(BLEN(buf), 0);
@@ -344,11 +341,12 @@
assert_string_equal(buf, "There.is...a.nice......year.old.tr..ee.");
strcpy(buf, "There is \x01 a 'nice' \"1234\"\n year old \ntr\x7f ee!");
- assert_false(string_mod(buf, CC_ALPHA|CC_DIGIT|CC_NEWLINE|CC_SINGLE_QUOTE, CC_DOUBLE_QUOTE|CC_BLANK, '.'));
+ assert_false(string_mod(buf, CC_ALPHA | CC_DIGIT | CC_NEWLINE | CC_SINGLE_QUOTE,
+ CC_DOUBLE_QUOTE | CC_BLANK, '.'));
assert_string_equal(buf, "There.is...a.'nice'..1234.\n.year.old.\ntr..ee.");
strcpy(buf, "There is a \\'nice\\' \"1234\" [*] year old \ntree!");
- assert_false(string_mod(buf, CC_PRINT, CC_BACKSLASH|CC_ASTERISK, '.'));
+ assert_false(string_mod(buf, CC_PRINT, CC_BACKSLASH | CC_ASTERISK, '.'));
assert_string_equal(buf, "There is a .'nice.' \"1234\" [.] year old .tree!");
}
@@ -360,7 +358,7 @@
struct buffer buf = alloc_buf_gc(1024, &gc);
- const char test1[] = "There is a nice 1234\x00 year old tree!";
+ const char test1[] = "There is a nice 1234\x00 year old tree!";
buf_write(&buf, test1, sizeof(test1));
/* allow the null bytes and string but not the ! */
@@ -432,7 +430,7 @@
struct gc_arena gc = gc_new();
struct buffer buf = alloc_buf_gc(1024, &gc);
- const char test1[] = "There is a nice 1234 year old tree!\n\r";
+ const char test1[] = "There is a nice 1234 year old tree!\n\r";
buf_write(&buf, test1, sizeof(test1));
buf_chomp(&buf);
/* Check that our own method agrees */
@@ -440,7 +438,7 @@
assert_string_equal(BSTR(&buf), "There is a nice 1234 year old tree!");
struct buffer buf2 = alloc_buf_gc(1024, &gc);
- const char test2[] = "CR_RESPONSE,MTIx\x0a\x00";
+ const char test2[] = "CR_RESPONSE,MTIx\x0a\x00";
buf_write(&buf2, test2, sizeof(test2));
buf_chomp(&buf2);
@@ -461,26 +459,19 @@
cmocka_unit_test(test_buffer_printf_catrunc),
cmocka_unit_test(test_buffer_format_hex_ex),
cmocka_unit_test_setup_teardown(test_buffer_list_aggregate_separator_empty,
- test_buffer_list_setup,
- test_buffer_list_teardown),
+ test_buffer_list_setup, test_buffer_list_teardown),
cmocka_unit_test_setup_teardown(test_buffer_list_aggregate_separator_noop,
- test_buffer_list_setup,
- test_buffer_list_teardown),
+ test_buffer_list_setup, test_buffer_list_teardown),
cmocka_unit_test_setup_teardown(test_buffer_list_aggregate_separator_two,
- test_buffer_list_setup,
- test_buffer_list_teardown),
+ test_buffer_list_setup, test_buffer_list_teardown),
cmocka_unit_test_setup_teardown(test_buffer_list_aggregate_separator_all,
- test_buffer_list_setup,
- test_buffer_list_teardown),
+ test_buffer_list_setup, test_buffer_list_teardown),
cmocka_unit_test_setup_teardown(test_buffer_list_aggregate_separator_nosep,
- test_buffer_list_setup,
- test_buffer_list_teardown),
+ test_buffer_list_setup, test_buffer_list_teardown),
cmocka_unit_test_setup_teardown(test_buffer_list_aggregate_separator_zerolen,
- test_buffer_list_setup,
- test_buffer_list_teardown),
+ test_buffer_list_setup, test_buffer_list_teardown),
cmocka_unit_test_setup_teardown(test_buffer_list_aggregate_separator_emptybuffers,
- test_buffer_list_setup,
- test_buffer_list_teardown),
+ test_buffer_list_setup, test_buffer_list_teardown),
cmocka_unit_test(test_buffer_free_gc_one),
cmocka_unit_test(test_buffer_free_gc_two),
cmocka_unit_test(test_buffer_gc_realloc),
@@ -156,7 +156,7 @@
const size_t seed_len = strlen(seedstr);
- const unsigned char *secret = (const unsigned char *) ipsumlorem;
+ const unsigned char *secret = (const unsigned char *)ipsumlorem;
size_t secret_len = strlen((const char *)secret);
@@ -168,18 +168,16 @@
assert_false(ret);
#else
assert_true(ret);
- uint8_t good_prf[32] = {0xd9, 0x8c, 0x85, 0x18, 0xc8, 0x5e, 0x94, 0x69,
- 0x27, 0x91, 0x6a, 0xcf, 0xc2, 0xd5, 0x92, 0xfb,
- 0xb1, 0x56, 0x7e, 0x4b, 0x4b, 0x14, 0x59, 0xe6,
- 0xa9, 0x04, 0xac, 0x2d, 0xda, 0xb7, 0x2d, 0x67};
+ uint8_t good_prf[32] = { 0xd9, 0x8c, 0x85, 0x18, 0xc8, 0x5e, 0x94, 0x69, 0x27, 0x91, 0x6a,
+ 0xcf, 0xc2, 0xd5, 0x92, 0xfb, 0xb1, 0x56, 0x7e, 0x4b, 0x4b, 0x14,
+ 0x59, 0xe6, 0xa9, 0x04, 0xac, 0x2d, 0xda, 0xb7, 0x2d, 0x67 };
assert_memory_equal(good_prf, out, sizeof(out));
#endif
}
-static uint8_t testkey[20] = {0x0b, 0x00};
-static uint8_t goodhash[20] = {0x58, 0xea, 0x5a, 0xf0, 0x42, 0x94, 0xe9, 0x17,
- 0xed, 0x84, 0xb9, 0xf0, 0x83, 0x30, 0x23, 0xae,
- 0x8b, 0xa7, 0x7e, 0xb8};
+static uint8_t testkey[20] = { 0x0b, 0x00 };
+static uint8_t goodhash[20] = { 0x58, 0xea, 0x5a, 0xf0, 0x42, 0x94, 0xe9, 0x17, 0xed, 0x84,
+ 0xb9, 0xf0, 0x83, 0x30, 0x23, 0xae, 0x8b, 0xa7, 0x7e, 0xb8 };
static void
crypto_test_hmac(void **state)
@@ -192,8 +190,8 @@
memcpy(key, testkey, sizeof(key));
hmac_ctx_init(hmac, key, "SHA1");
- hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
- hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
+ hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int)strlen(ipsumlorem));
+ hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int)strlen(ipsumlorem));
uint8_t hash[20];
hmac_ctx_final(hmac, hash);
@@ -203,8 +201,8 @@
/* try again */
hmac_ctx_reset(hmac);
- hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
- hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
+ hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int)strlen(ipsumlorem));
+ hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int)strlen(ipsumlorem));
hmac_ctx_final(hmac, hash);
assert_memory_equal(hash, goodhash, sizeof(hash));
@@ -213,8 +211,8 @@
memset(key, 0x55, sizeof(key));
hmac_ctx_reset(hmac);
- hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
- hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
+ hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int)strlen(ipsumlorem));
+ hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int)strlen(ipsumlorem));
hmac_ctx_final(hmac, hash);
assert_memory_equal(hash, goodhash, sizeof(hash));
@@ -481,22 +479,16 @@
crypto_test_hkdf_expand_testa1(void **state)
{
/* RFC 5889 A.1 Test Case 1 */
- uint8_t prk[32] =
- {0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf,
- 0x0d, 0xdc, 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63,
- 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, 0x9c, 0x31,
- 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5};
+ uint8_t prk[32] = { 0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf, 0x0d, 0xdc, 0x3f,
+ 0x0d, 0xc4, 0x7b, 0xba, 0x63, 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f,
+ 0x9c, 0x31, 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5 };
- uint8_t info[10] = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5,
- 0xf6, 0xf7, 0xf8, 0xf9};
+ uint8_t info[10] = { 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9 };
- uint8_t okm[42] =
- {0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a,
- 0x90, 0x43, 0x4f, 0x64, 0xd0, 0x36, 0x2f, 0x2a,
- 0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c,
- 0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf,
- 0x34, 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18,
- 0x58, 0x65};
+ uint8_t okm[42] = { 0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a, 0x90, 0x43, 0x4f,
+ 0x64, 0xd0, 0x36, 0x2f, 0x2a, 0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a,
+ 0x5a, 0x4c, 0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf, 0x34,
+ 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18, 0x58, 0x65 };
uint8_t out[42];
ovpn_hkdf_expand(prk, info, sizeof(info), out, sizeof(out));
@@ -508,39 +500,28 @@
crypto_test_hkdf_expand_testa2(void **state)
{
/* RFC 5889 A.2 Test Case 2 */
- uint8_t prk[32] =
- {0x06, 0xa6, 0xb8, 0x8c, 0x58, 0x53, 0x36, 0x1a,
- 0x06, 0x10, 0x4c, 0x9c, 0xeb, 0x35, 0xb4, 0x5c,
- 0xef, 0x76, 0x00, 0x14, 0x90, 0x46, 0x71, 0x01,
- 0x4a, 0x19, 0x3f, 0x40, 0xc1, 0x5f, 0xc2, 0x44};
+ uint8_t prk[32] = { 0x06, 0xa6, 0xb8, 0x8c, 0x58, 0x53, 0x36, 0x1a, 0x06, 0x10, 0x4c,
+ 0x9c, 0xeb, 0x35, 0xb4, 0x5c, 0xef, 0x76, 0x00, 0x14, 0x90, 0x46,
+ 0x71, 0x01, 0x4a, 0x19, 0x3f, 0x40, 0xc1, 0x5f, 0xc2, 0x44 };
- uint8_t info[80] =
- {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
- 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
- 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
- 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
- 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
- 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
- 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
- 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
- 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
- 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff};
+ uint8_t info[80] = { 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb,
+ 0xbc, 0xbd, 0xbe, 0xbf, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
+ 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3,
+ 0xd4, 0xd5, 0xd6, 0xd7, 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
+ 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9, 0xea, 0xeb,
+ 0xec, 0xed, 0xee, 0xef, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
+ 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff };
const int L = 82;
- uint8_t okm[82] =
- {0xb1, 0x1e, 0x39, 0x8d, 0xc8, 0x03, 0x27, 0xa1,
- 0xc8, 0xe7, 0xf7, 0x8c, 0x59, 0x6a, 0x49, 0x34,
- 0x4f, 0x01, 0x2e, 0xda, 0x2d, 0x4e, 0xfa, 0xd8,
- 0xa0, 0x50, 0xcc, 0x4c, 0x19, 0xaf, 0xa9, 0x7c,
- 0x59, 0x04, 0x5a, 0x99, 0xca, 0xc7, 0x82, 0x72,
- 0x71, 0xcb, 0x41, 0xc6, 0x5e, 0x59, 0x0e, 0x09,
- 0xda, 0x32, 0x75, 0x60, 0x0c, 0x2f, 0x09, 0xb8,
- 0x36, 0x77, 0x93, 0xa9, 0xac, 0xa3, 0xdb, 0x71,
- 0xcc, 0x30, 0xc5, 0x81, 0x79, 0xec, 0x3e, 0x87,
- 0xc1, 0x4c, 0x01, 0xd5, 0xc1, 0xf3, 0x43, 0x4f,
- 0x1d, 0x87};
+ uint8_t okm[82] = { 0xb1, 0x1e, 0x39, 0x8d, 0xc8, 0x03, 0x27, 0xa1, 0xc8, 0xe7, 0xf7, 0x8c,
+ 0x59, 0x6a, 0x49, 0x34, 0x4f, 0x01, 0x2e, 0xda, 0x2d, 0x4e, 0xfa, 0xd8,
+ 0xa0, 0x50, 0xcc, 0x4c, 0x19, 0xaf, 0xa9, 0x7c, 0x59, 0x04, 0x5a, 0x99,
+ 0xca, 0xc7, 0x82, 0x72, 0x71, 0xcb, 0x41, 0xc6, 0x5e, 0x59, 0x0e, 0x09,
+ 0xda, 0x32, 0x75, 0x60, 0x0c, 0x2f, 0x09, 0xb8, 0x36, 0x77, 0x93, 0xa9,
+ 0xac, 0xa3, 0xdb, 0x71, 0xcc, 0x30, 0xc5, 0x81, 0x79, 0xec, 0x3e, 0x87,
+ 0xc1, 0x4c, 0x01, 0xd5, 0xc1, 0xf3, 0x43, 0x4f, 0x1d, 0x87 };
- uint8_t out[82] = {0xaa};
+ uint8_t out[82] = { 0xaa };
ovpn_hkdf_expand(prk, info, sizeof(info), out, L);
assert_memory_equal(out, okm, L);
@@ -550,22 +531,17 @@
crypto_test_hkdf_expand_testa3(void **state)
{
/* RFC 5889 A.3 Test Case 3 */
- uint8_t prk[32] =
- {0x19, 0xef, 0x24, 0xa3, 0x2c, 0x71, 0x7b, 0x16,
- 0x7f, 0x33, 0xa9, 0x1d, 0x6f, 0x64, 0x8b, 0xdf,
- 0x96, 0x59, 0x67, 0x76, 0xaf, 0xdb, 0x63, 0x77,
- 0xac, 0x43, 0x4c, 0x1c, 0x29, 0x3c, 0xcb, 0x04};
+ uint8_t prk[32] = { 0x19, 0xef, 0x24, 0xa3, 0x2c, 0x71, 0x7b, 0x16, 0x7f, 0x33, 0xa9,
+ 0x1d, 0x6f, 0x64, 0x8b, 0xdf, 0x96, 0x59, 0x67, 0x76, 0xaf, 0xdb,
+ 0x63, 0x77, 0xac, 0x43, 0x4c, 0x1c, 0x29, 0x3c, 0xcb, 0x04 };
uint8_t info[] = {};
int L = 42;
- uint8_t okm[42] =
- {0x8d, 0xa4, 0xe7, 0x75, 0xa5, 0x63, 0xc1, 0x8f,
- 0x71, 0x5f, 0x80, 0x2a, 0x06, 0x3c, 0x5a, 0x31,
- 0xb8, 0xa1, 0x1f, 0x5c, 0x5e, 0xe1, 0x87, 0x9e,
- 0xc3, 0x45, 0x4e, 0x5f, 0x3c, 0x73, 0x8d, 0x2d,
- 0x9d, 0x20, 0x13, 0x95, 0xfa, 0xa4, 0xb6, 0x1a,
- 0x96, 0xc8};
+ uint8_t okm[42] = { 0x8d, 0xa4, 0xe7, 0x75, 0xa5, 0x63, 0xc1, 0x8f, 0x71, 0x5f, 0x80,
+ 0x2a, 0x06, 0x3c, 0x5a, 0x31, 0xb8, 0xa1, 0x1f, 0x5c, 0x5e, 0xe1,
+ 0x87, 0x9e, 0xc3, 0x45, 0x4e, 0x5f, 0x3c, 0x73, 0x8d, 0x2d, 0x9d,
+ 0x20, 0x13, 0x95, 0xfa, 0xa4, 0xb6, 0x1a, 0x96, 0xc8 };
uint8_t out[42];
ovpn_hkdf_expand(prk, info, 0, out, L);
@@ -579,23 +555,17 @@
/* tests the HDKF with a label/okm that OpenVPN itself uses in OpenSSL 3
* HDKF unit test*/
- uint8_t prk[32] =
- {0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf,
- 0x0d, 0xdc, 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63,
- 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, 0x9c, 0x31,
- 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5};
+ uint8_t prk[32] = { 0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf, 0x0d, 0xdc, 0x3f,
+ 0x0d, 0xc4, 0x7b, 0xba, 0x63, 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f,
+ 0x9c, 0x31, 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5 };
- uint8_t info[18] =
- {0x00, 0x1b, 0x0e, 0x6f, 0x76, 0x70, 0x6e, 0x20,
- 0x75, 0x6e, 0x69, 0x74, 0x20, 0x74, 0x65, 0x73,
- 0x74, 0x00};
+ uint8_t info[18] = { 0x00, 0x1b, 0x0e, 0x6f, 0x76, 0x70, 0x6e, 0x20, 0x75,
+ 0x6e, 0x69, 0x74, 0x20, 0x74, 0x65, 0x73, 0x74, 0x00 };
int L = 27;
- uint8_t okm[27] =
- {0x87, 0x5a, 0x8e, 0xec, 0x18, 0x55, 0x63, 0x80,
- 0xb8, 0xd9, 0x33, 0xed, 0x32, 0x3c, 0x2d, 0xf8,
- 0xe8, 0xec, 0xcf, 0x49, 0x72, 0xe6, 0x83, 0xf0,
- 0x6a, 0x83, 0xac };
+ uint8_t okm[27] = { 0x87, 0x5a, 0x8e, 0xec, 0x18, 0x55, 0x63, 0x80, 0xb8,
+ 0xd9, 0x33, 0xed, 0x32, 0x3c, 0x2d, 0xf8, 0xe8, 0xec,
+ 0xcf, 0x49, 0x72, 0xe6, 0x83, 0xf0, 0x6a, 0x83, 0xac };
uint8_t out[27];
ovpn_hkdf_expand(prk, info, sizeof(info), out, L);
@@ -606,19 +576,16 @@
void
crypto_test_ovpn_label_expand(void **state)
{
- uint8_t secret[32] =
- {0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf,
- 0x0d, 0xdc, 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63,
- 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, 0x9c, 0x31,
- 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5};
+ uint8_t secret[32] = { 0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf, 0x0d, 0xdc, 0x3f,
+ 0x0d, 0xc4, 0x7b, 0xba, 0x63, 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f,
+ 0x9c, 0x31, 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5 };
- const uint8_t *label = (const uint8_t *) ("unit test");
+ const uint8_t *label = (const uint8_t *)("unit test");
uint8_t out[16];
ovpn_expand_label(secret, sizeof(secret), label, 9, NULL, 0, out, sizeof(out));
- uint8_t out_expected[16] =
- {0x18, 0x5e, 0xaa, 0x1c, 0x7f, 0x22, 0x8a, 0xb8,
- 0xeb, 0x29, 0x77, 0x32, 0x14, 0xd9, 0x20, 0x46};
+ uint8_t out_expected[16] = { 0x18, 0x5e, 0xaa, 0x1c, 0x7f, 0x22, 0x8a, 0xb8,
+ 0xeb, 0x29, 0x77, 0x32, 0x14, 0xd9, 0x20, 0x46 };
assert_memory_equal(out, out_expected, 16);
}
@@ -630,15 +597,13 @@
* openvpn_PRF ifdef maze */
bool
-ossl_expand_label(const uint8_t *secret, size_t secret_len,
- const uint8_t *label, size_t label_len,
- const uint8_t *context, size_t context_len,
- uint8_t *out, uint16_t out_len)
+ossl_expand_label(const uint8_t *secret, size_t secret_len, const uint8_t *label, size_t label_len,
+ const uint8_t *context, size_t context_len, uint8_t *out, uint16_t out_len)
{
OSSL_LIB_CTX *libctx = NULL;
const char *properties = NULL;
- const uint8_t *label_prefix = (const uint8_t *) ("ovpn ");
+ const uint8_t *label_prefix = (const uint8_t *)("ovpn ");
const size_t label_prefix_len = 5;
EVP_KDF *kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_TLS1_3_KDF, properties);
@@ -657,15 +622,12 @@
int mode = EVP_PKEY_HKDEF_MODE_EXPAND_ONLY;
*p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &mode);
- *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
- (char *) mdname, 0);
- *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
- (unsigned char *) secret, hashlen);
- *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX,
- (unsigned char *) label_prefix,
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, (char *)mdname, 0);
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, (unsigned char *)secret, hashlen);
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX, (unsigned char *)label_prefix,
label_prefix_len);
- *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_LABEL,
- (unsigned char *) label, label_len);
+ *p++ =
+ OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_LABEL, (unsigned char *)label, label_len);
*p++ = OSSL_PARAM_construct_end();
@@ -680,13 +642,11 @@
void
crypto_test_ovpn_expand_openssl3(void **state)
{
- uint8_t secret[32] =
- {0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf,
- 0x0d, 0xdc, 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63,
- 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, 0x9c, 0x31,
- 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5};
+ uint8_t secret[32] = { 0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf, 0x0d, 0xdc, 0x3f,
+ 0x0d, 0xc4, 0x7b, 0xba, 0x63, 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f,
+ 0x9c, 0x31, 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5 };
- const uint8_t *label = (const uint8_t *) ("unit test");
+ const uint8_t *label = (const uint8_t *)("unit test");
const size_t labellen = 9;
uint8_t out[27];
@@ -725,11 +685,10 @@
init_key_type(&data->kt, "AES-128-GCM", "none", true, false);
/* have an epoch key that uses 0x23 for the key for all bytes */
- struct epoch_key epoch1send = { .epoch = 1, .epoch_key = {0x23} };
- struct epoch_key epoch1recv = { .epoch = 1, .epoch_key = {0x27} };
+ struct epoch_key epoch1send = { .epoch = 1, .epoch_key = { 0x23 } };
+ struct epoch_key epoch1recv = { .epoch = 1, .epoch_key = { 0x27 } };
- epoch_init_key_ctx(&data->co, &data->kt, &epoch1send,
- &epoch1recv, *num_future_keys);
+ epoch_init_key_ctx(&data->co, &data->kt, &epoch1send, &epoch1recv, *num_future_keys);
*state = data;
return 0;
@@ -913,7 +872,7 @@
void
epoch_test_derive_data_key(void **state)
{
- struct epoch_key e17 = { .epoch = 17, .epoch_key = { 19, 12 }};
+ struct epoch_key e17 = { .epoch = 17, .epoch_key = { 19, 12 } };
struct key_type kt = { 0 };
struct key_parameters key_parameters = { 0 };
init_key_type(&kt, "AES-192-GCM", "none", true, false);
@@ -924,13 +883,12 @@
assert_int_equal(key_parameters.cipher_size, 24);
assert_int_equal(key_parameters.hmac_size, 12);
- uint8_t exp_cipherkey[24] =
- {0xed, 0x85, 0x33, 0xdb, 0x1c, 0x28, 0xac, 0xe4,
- 0x18, 0xe9, 0x00, 0x6a, 0xb2, 0x9c, 0x17, 0x41,
- 0x7d, 0x60, 0xeb, 0xe6, 0xcd, 0x90, 0xbf, 0x0a};
+ uint8_t exp_cipherkey[24] = { 0xed, 0x85, 0x33, 0xdb, 0x1c, 0x28, 0xac, 0xe4,
+ 0x18, 0xe9, 0x00, 0x6a, 0xb2, 0x9c, 0x17, 0x41,
+ 0x7d, 0x60, 0xeb, 0xe6, 0xcd, 0x90, 0xbf, 0x0a };
- uint8_t exp_impl_iv[12] =
- {0x86, 0x89, 0x0a, 0xab, 0xf0, 0x32, 0xcb, 0x59, 0xf4, 0xcf, 0xa3, 0x4e};
+ uint8_t exp_impl_iv[12] = { 0x86, 0x89, 0x0a, 0xab, 0xf0, 0x32,
+ 0xcb, 0x59, 0xf4, 0xcf, 0xa3, 0x4e };
assert_memory_equal(key_parameters.cipher, exp_cipherkey, sizeof(exp_cipherkey));
assert_memory_equal(key_parameters.hmac, exp_impl_iv, sizeof(exp_impl_iv));
@@ -960,20 +918,16 @@
cmocka_unit_test(crypto_test_ovpn_expand_openssl3),
cmocka_unit_test_prestate_setup_teardown(crypto_test_epoch_key_generation,
crypto_test_epoch_setup,
- crypto_test_epoch_teardown,
- &prestate_num16),
+ crypto_test_epoch_teardown, &prestate_num16),
cmocka_unit_test_prestate_setup_teardown(crypto_test_epoch_key_rotation,
crypto_test_epoch_setup,
- crypto_test_epoch_teardown,
- &prestate_num13),
+ crypto_test_epoch_teardown, &prestate_num13),
cmocka_unit_test_prestate_setup_teardown(crypto_test_epoch_key_receive_lookup,
crypto_test_epoch_setup,
- crypto_test_epoch_teardown,
- &prestate_num13),
+ crypto_test_epoch_teardown, &prestate_num13),
cmocka_unit_test_prestate_setup_teardown(crypto_test_epoch_key_overflow,
crypto_test_epoch_setup,
- crypto_test_epoch_teardown,
- &prestate_num32),
+ crypto_test_epoch_teardown, &prestate_num32),
cmocka_unit_test(epoch_test_derive_data_key)
};
@@ -31,7 +31,7 @@
#include "xkey_common.h"
#include "cert_data.h"
-#if defined(HAVE_XKEY_PROVIDER) && defined (ENABLE_CRYPTOAPI)
+#if defined(HAVE_XKEY_PROVIDER) && defined(ENABLE_CRYPTOAPI)
#include <setjmp.h>
#include <cmocka.h>
#include <openssl/bio.h>
@@ -42,19 +42,18 @@
#include "test_common.h"
#include <cryptoapi.h>
-#include <cryptoapi.c> /* pull-in the whole file to test static functions */
+#include <cryptoapi.c> /* pull-in the whole file to test static functions */
struct management *management; /* global */
static OSSL_PROVIDER *prov[2];
/* mock a management function that xkey_provider needs */
char *
-management_query_pk_sig(struct management *man, const char *b64_data,
- const char *algorithm)
+management_query_pk_sig(struct management *man, const char *b64_data, const char *algorithm)
{
- (void) man;
- (void) b64_data;
- (void) algorithm;
+ (void)man;
+ (void)b64_data;
+ (void)algorithm;
return NULL;
}
@@ -73,14 +72,12 @@
OSSL_LIB_CTX *tls_libctx;
#ifndef _countof
-#define _countof(x) sizeof((x))/sizeof(*(x))
+#define _countof(x) sizeof((x)) / sizeof(*(x))
#endif
/* test data */
-static const uint8_t test_hash[] = {
- 0x77, 0x38, 0x65, 0x00, 0x1e, 0x96, 0x48, 0xc6, 0x57, 0x0b, 0xae,
- 0xc0, 0xb7, 0x96, 0xf9, 0x66, 0x4d, 0x5f, 0xd0, 0xb7
-};
+static const uint8_t test_hash[] = { 0x77, 0x38, 0x65, 0x00, 0x1e, 0x96, 0x48, 0xc6, 0x57, 0x0b,
+ 0xae, 0xc0, 0xb7, 0x96, 0xf9, 0x66, 0x4d, 0x5f, 0xd0, 0xb7 };
/* valid test strings to test with and without embedded and trailing spaces */
static const char *valid_str[] = {
@@ -101,13 +98,13 @@
*/
static struct test_cert
{
- const char *const cert; /* certificate as PEM */
- const char *const key; /* key as unencrypted PEM */
- const char *const cname; /* common-name */
- const char *const issuer; /* issuer common-name */
- const char *const friendly_name; /* identifies certs loaded to the store -- keep unique */
- const char *hash; /* SHA1 fingerprint */
- int valid; /* nonzero if certificate has not expired */
+ const char *const cert; /* certificate as PEM */
+ const char *const key; /* key as unencrypted PEM */
+ const char *const cname; /* common-name */
+ const char *const issuer; /* issuer common-name */
+ const char *const friendly_name; /* identifies certs loaded to the store -- keep unique */
+ const char *hash; /* SHA1 fingerprint */
+ int valid; /* nonzero if certificate has not expired */
} certs[5];
static bool certs_loaded;
@@ -118,11 +115,11 @@
init_cert_data(void)
{
struct test_cert certs_local[] = {
- {cert1, key1, cname1, "OVPN TEST CA1", "OVPN Test Cert 1", hash1, 1},
- {cert2, key2, cname2, "OVPN TEST CA2", "OVPN Test Cert 2", hash2, 1},
- {cert3, key3, cname3, "OVPN TEST CA1", "OVPN Test Cert 3", hash3, 1},
- {cert4, key4, cname4, "OVPN TEST CA2", "OVPN Test Cert 4", hash4, 0},
- {0}
+ { cert1, key1, cname1, "OVPN TEST CA1", "OVPN Test Cert 1", hash1, 1 },
+ { cert2, key2, cname2, "OVPN TEST CA2", "OVPN Test Cert 2", hash2, 1 },
+ { cert3, key3, cname3, "OVPN TEST CA1", "OVPN Test Cert 3", hash3, 1 },
+ { cert4, key4, cname4, "OVPN TEST CA2", "OVPN Test Cert 4", hash4, 0 },
+ { 0 }
};
assert(sizeof(certs_local) == sizeof(certs));
memcpy(certs, certs_local, sizeof(certs_local));
@@ -144,20 +141,21 @@
static void
import_certs(void **state)
{
- (void) state;
+ (void)state;
if (certs_loaded)
{
return;
}
init_cert_data();
- user_store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_CURRENT_USER
- |CERT_STORE_OPEN_EXISTING_FLAG, L"MY");
+ user_store =
+ CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0,
+ CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_OPEN_EXISTING_FLAG, L"MY");
assert_non_null(user_store);
for (struct test_cert *c = certs; c->cert; c++)
{
/* Convert PEM cert & key to pkcs12 and import */
- const char *pass = "opensesame"; /* some password */
- const wchar_t *wpass = L"opensesame"; /* same as a wide string */
+ const char *pass = "opensesame"; /* some password */
+ const wchar_t *wpass = L"opensesame"; /* same as a wide string */
X509 *x509 = NULL;
EVP_PKEY *pkey = NULL;
@@ -191,7 +189,7 @@
return;
}
- CRYPT_DATA_BLOB blob = {.cbData = 0, .pbData = NULL};
+ CRYPT_DATA_BLOB blob = { .cbData = 0, .pbData = NULL };
int len = i2d_PKCS12(p12, &blob.pbData); /* pbData will be allocated by OpenSSL */
if (len <= 0)
{
@@ -200,7 +198,7 @@
}
blob.cbData = len;
- DWORD flags = PKCS12_ALLOW_OVERWRITE_KEY|PKCS12_ALWAYS_CNG_KSP;
+ DWORD flags = PKCS12_ALLOW_OVERWRITE_KEY | PKCS12_ALWAYS_CNG_KSP;
HCERTSTORE tmp_store = PFXImportCertStore(&blob, wpass, flags);
PKCS12_free(p12);
OPENSSL_free(blob.pbData);
@@ -228,7 +226,7 @@
static int
cleanup(void **state)
{
- (void) state;
+ (void)state;
struct gc_arena gc = gc_new();
if (user_store) /* delete all certs we imported */
{
@@ -260,7 +258,7 @@
static void
test_find_cert_bythumb(void **state)
{
- (void) state;
+ (void)state;
char select_string[64];
struct gc_arena gc = gc_new();
const CERT_CONTEXT *ctx;
@@ -293,7 +291,7 @@
static void
test_find_cert_byname(void **state)
{
- (void) state;
+ (void)state;
char select_string[64];
struct gc_arena gc = gc_new();
const CERT_CONTEXT *ctx;
@@ -326,7 +324,7 @@
static void
test_find_cert_byissuer(void **state)
{
- (void) state;
+ (void)state;
char select_string[64];
struct gc_arena gc = gc_new();
const CERT_CONTEXT *ctx;
@@ -359,7 +357,7 @@
static int
setup_xkey_provider(void **state)
{
- (void) state;
+ (void)state;
/* Initialize providers in a way matching what OpenVPN core does */
tls_libctx = OSSL_LIB_CTX_new();
prov[0] = OSSL_PROVIDER_load(tls_libctx, "default");
@@ -374,7 +372,7 @@
static int
teardown_xkey_provider(void **state)
{
- (void) state;
+ (void)state;
for (size_t i = 0; i < _countof(prov); i++)
{
if (prov[i])
@@ -396,7 +394,7 @@
void
test_cryptoapi_sign(void **state)
{
- (void) state;
+ (void)state;
char select_string[64];
X509 *x509 = NULL;
EVP_PKEY *privkey = NULL;
@@ -430,7 +428,7 @@
void
test_ssl_ctx_use_cryptoapicert(void **state)
{
- (void) state;
+ (void)state;
char select_string[64];
import_certs(state); /* a no-op if already imported */
@@ -454,7 +452,8 @@
/* Use OpenSSL to check that the cert and private key in ssl_ctx "match" */
if (!SSL_CTX_check_private_key(ssl_ctx))
{
- fail_msg("Certificate and private key in ssl_ctx do not match for <%s>", c->friendly_name);
+ fail_msg("Certificate and private key in ssl_ctx do not match for <%s>",
+ c->friendly_name);
return;
}
@@ -466,7 +465,7 @@
test_parse_hexstring(void **state)
{
unsigned char hash[255];
- (void) state;
+ (void)state;
for (int i = 0; i < _countof(valid_str); i++)
{
@@ -512,4 +511,4 @@
return 0;
}
-#endif /* ifdef HAVE_XKEY_PROVIDER */
+#endif /* ifdef HAVE_XKEY_PROVIDER */
@@ -44,14 +44,18 @@
{
struct gc_arena gc = gc_new();
- const char *input = "V4,dev-type tun,link-mtu 1457,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server";
+ const char *input =
+ "V4,dev-type tun,link-mtu 1457,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server";
const char *output = options_string_compat_lzo(input, &gc);
- assert_string_equal(output, "V4,dev-type tun,link-mtu 1458,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server,comp-lzo");
+ assert_string_equal(
+ output,
+ "V4,dev-type tun,link-mtu 1458,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server,comp-lzo");
/* This string is has a much too small link-mtu so we should fail on it" */
- input = "V4,dev-type tun,link-mtu 2,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server";
+ input =
+ "V4,dev-type tun,link-mtu 2,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server";
output = options_string_compat_lzo(input, &gc);
@@ -64,11 +68,14 @@
assert_string_equal(input, output);
- input = "V4,dev-type tun,link-mtu 999,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server";
+ input =
+ "V4,dev-type tun,link-mtu 999,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server";
output = options_string_compat_lzo(input, &gc);
/* 999 -> 1000, 3 to 4 chars */
- assert_string_equal(output, "V4,dev-type tun,link-mtu 1000,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server,comp-lzo");
+ assert_string_equal(
+ output,
+ "V4,dev-type tun,link-mtu 1000,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server,comp-lzo");
gc_free(&gc);
}
@@ -110,7 +117,6 @@
}
-
struct word
{
const char *word;
@@ -121,7 +127,7 @@
static uint32_t
word_hash_function(const void *key, uint32_t iv)
{
- const char *str = (const char *) key;
+ const char *str = (const char *)key;
const int len = strlen(str);
return hash_func((const uint8_t *)str, len, iv);
}
@@ -161,11 +167,10 @@
static void
test_list(void **state)
{
-
-/*
- * Test the hash code by implementing a simple
- * word frequency algorithm.
- */
+ /*
+ * Test the hash code by implementing a simple
+ * word frequency algorithm.
+ */
struct gc_arena gc = gc_new();
struct hash *hash = hash_init(10000, get_random(), word_hash_function, word_compare_function);
@@ -174,7 +179,7 @@
printf("hash_init n_buckets=%d mask=0x%08x\n", hash->n_buckets, hash->mask);
char wordfile[PATH_MAX] = { 0 };
- openvpn_test_get_srcdir_dir(wordfile, PATH_MAX, "/../../../COPYRIGHT.GPL" );
+ openvpn_test_get_srcdir_dir(wordfile, PATH_MAX, "/../../../COPYRIGHT.GPL");
FILE *words = fopen(wordfile, "r");
assert_non_null(words);
@@ -200,7 +205,7 @@
c = buf[bi++];
if (isalnum(c) || c == '_')
{
- assert_true(wbi < (int) sizeof(wordbuf));
+ assert_true(wbi < (int)sizeof(wordbuf));
wordbuf[wbi++] = c;
}
else
@@ -209,13 +214,13 @@
{
wordcount++;
- ASSERT(wbi < (int) sizeof(wordbuf));
+ ASSERT(wbi < (int)sizeof(wordbuf));
wordbuf[wbi++] = '\0';
/* word is parsed from stdin */
/* does it already exist in table? */
- struct word *w = (struct word *) hash_lookup(hash, wordbuf);
+ struct word *w = (struct word *)hash_lookup(hash, wordbuf);
if (w)
{
@@ -230,13 +235,13 @@
w->word = string_alloc(wordbuf, &gc);
w->n = 1;
assert_true(hash_add(hash, w->word, w, false));
- assert_true(hash_add(nhash, w->word, (void *) ((ptr_type )(random() & 0x0F) + 1), false));
+ assert_true(hash_add(nhash, w->word,
+ (void *)((ptr_type)(random() & 0x0F) + 1), false));
}
}
wbi = 0;
}
- }
- while (c);
+ } while (c);
}
assert_int_equal(wordcount, 2971);
@@ -261,7 +266,7 @@
while ((he = hash_iterator_next(&hi)))
{
- struct word *w = (struct word *) he->value;
+ struct word *w = (struct word *)he->value;
/*printf("%6d '%s'\n", w->n, w->word); */
++count;
/* check a few words to match prior results */
@@ -269,19 +274,19 @@
{
assert_int_equal(w->n, 49);
}
- else if (!strcmp(w->word, "redistribute"))
+ else if (!strcmp(w->word, "redistribute"))
{
assert_int_equal(w->n, 5);
}
- else if (!strcmp(w->word, "circumstances"))
+ else if (!strcmp(w->word, "circumstances"))
{
assert_int_equal(w->n, 1);
}
- else if (!strcmp(w->word, "so"))
+ else if (!strcmp(w->word, "so"))
{
assert_int_equal(w->n, 8);
}
- else if (!strcmp(w->word, "BECAUSE"))
+ else if (!strcmp(w->word, "BECAUSE"))
{
assert_int_equal(w->n, 1);
}
@@ -296,12 +301,12 @@
{
for (ptr_type i = 1; i <= 16; ++i)
{
- struct hash_element *item = hash_lookup_by_value(nhash, (void *) i);
- hash_remove_by_value(nhash, (void *) i);
+ struct hash_element *item = hash_lookup_by_value(nhash, (void *)i);
+ hash_remove_by_value(nhash, (void *)i);
/* check item got removed if it was present before */
if (item)
{
- assert_null(hash_lookup_by_value(nhash, (void *) i));
+ assert_null(hash_lookup_by_value(nhash, (void *)i));
}
}
}
@@ -378,14 +383,12 @@
mock_set_debug_level(saved_log_level);
}
-const struct CMUnitTest misc_tests[] = {
- cmocka_unit_test(test_compat_lzo_string),
- cmocka_unit_test(test_auth_fail_temp_no_flags),
- cmocka_unit_test(test_auth_fail_temp_flags),
- cmocka_unit_test(test_auth_fail_temp_flags_msg),
- cmocka_unit_test(test_list),
- cmocka_unit_test(test_atoi_variants)
-};
+const struct CMUnitTest misc_tests[] = { cmocka_unit_test(test_compat_lzo_string),
+ cmocka_unit_test(test_auth_fail_temp_no_flags),
+ cmocka_unit_test(test_auth_fail_temp_flags),
+ cmocka_unit_test(test_auth_fail_temp_flags_msg),
+ cmocka_unit_test(test_list),
+ cmocka_unit_test(test_atoi_variants) };
int
main(void)
@@ -46,8 +46,7 @@
/* Define this function here as dummy since including the ssl_*.c files
* leads to having to include even more unrelated code */
bool
-key_state_export_keying_material(struct tls_session *session,
- const char *label, size_t label_size,
+key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size,
void *ekm, size_t ekm_size)
{
ASSERT(0);
@@ -72,8 +71,7 @@
bool have_blowfish = cipher_valid("BF-CBC");
assert_string_equal(mutate_ncp_cipher_list("none", &gc), "none");
- assert_string_equal(mutate_ncp_cipher_list("AES-256-GCM:none", &gc),
- "AES-256-GCM:none");
+ assert_string_equal(mutate_ncp_cipher_list("AES-256-GCM:none", &gc), "AES-256-GCM:none");
assert_string_equal(mutate_ncp_cipher_list(aes_ciphers, &gc), aes_ciphers);
@@ -85,8 +83,7 @@
if (have_chacha && have_blowfish)
{
assert_string_equal(mutate_ncp_cipher_list(bf_chacha, &gc), bf_chacha);
- assert_string_equal(mutate_ncp_cipher_list("BF-CBC:CHACHA20-POLY1305", &gc),
- bf_chacha);
+ assert_string_equal(mutate_ncp_cipher_list("BF-CBC:CHACHA20-POLY1305", &gc), bf_chacha);
}
else
{
@@ -98,14 +95,14 @@
aes_ciphers);
/* Check that optional ciphers work */
- assert_string_equal(mutate_ncp_cipher_list("?AES-256-GCM:?AES-128-GCM", &gc),
- aes_ciphers);
+ assert_string_equal(mutate_ncp_cipher_list("?AES-256-GCM:?AES-128-GCM", &gc), aes_ciphers);
/* All unsupported should still yield an empty list */
assert_ptr_equal(mutate_ncp_cipher_list("?kugelfisch:?grasshopper", &gc), NULL);
/* If the last is optional, previous invalid ciphers should be ignored */
- assert_ptr_equal(mutate_ncp_cipher_list("Vollbit:Littlebit:AES-256-CBC:BF-CBC:?nixbit", &gc), NULL);
+ assert_ptr_equal(mutate_ncp_cipher_list("Vollbit:Littlebit:AES-256-CBC:BF-CBC:?nixbit", &gc),
+ NULL);
/* We do not support CCM ciphers */
assert_ptr_equal(mutate_ncp_cipher_list("AES-256-GCM:AES-128-CCM", &gc), NULL);
@@ -126,19 +123,19 @@
assert_ptr_equal(mutate_ncp_cipher_list("AES-256-GCM:vollbit", &gc), NULL);
assert_ptr_equal(mutate_ncp_cipher_list("", &gc), NULL);
- assert_ptr_equal(mutate_ncp_cipher_list(
- "ChaCha20-Poly1305:ChaCha20-Poly1305:ChaCha20-Poly1305:"
- "ChaCha20-Poly1305:ChaCha20-Poly1305:ChaCha20-Poly1305:"
- "ChaCha20-Poly1305", &gc), NULL);
+ assert_ptr_equal(mutate_ncp_cipher_list("ChaCha20-Poly1305:ChaCha20-Poly1305:ChaCha20-Poly1305:"
+ "ChaCha20-Poly1305:ChaCha20-Poly1305:ChaCha20-Poly1305:"
+ "ChaCha20-Poly1305",
+ &gc),
+ NULL);
#ifdef ENABLE_CRYPTO_OPENSSL
- assert_string_equal(mutate_ncp_cipher_list("id-aes128-GCM:id-aes256-GCM",
- &gc), "AES-128-GCM:AES-256-GCM");
+ assert_string_equal(mutate_ncp_cipher_list("id-aes128-GCM:id-aes256-GCM", &gc),
+ "AES-128-GCM:AES-256-GCM");
#else
if (have_blowfish)
{
- assert_string_equal(mutate_ncp_cipher_list("BLOWFISH-CBC",
- &gc), "BF-CBC");
+ assert_string_equal(mutate_ncp_cipher_list("BLOWFISH-CBC", &gc), "BF-CBC");
}
#endif
gc_free(&gc);
@@ -192,37 +189,28 @@
const char *serverlist = "CHACHA20_POLY1305:AES-128-GCM";
const char *serverlistbfcbc = "CHACHA20_POLY1305:AES-128-GCM:BF-CBC:none";
- best_cipher = ncp_get_best_cipher(serverlist,
- "IV_YOLO=NO\nIV_BAR=7",
- "BF-CBC", &gc);
+ best_cipher = ncp_get_best_cipher(serverlist, "IV_YOLO=NO\nIV_BAR=7", "BF-CBC", &gc);
assert_ptr_equal(best_cipher, NULL);
- best_cipher = ncp_get_best_cipher(serverlistbfcbc,
- "IV_YOLO=NO\nIV_BAR=7",
- "BF-CBC", &gc);
+ best_cipher = ncp_get_best_cipher(serverlistbfcbc, "IV_YOLO=NO\nIV_BAR=7", "BF-CBC", &gc);
assert_string_equal(best_cipher, "BF-CBC");
- best_cipher = ncp_get_best_cipher(serverlist,
- "IV_NCP=1\nIV_BAR=7",
- "AES-128-GCM", &gc);
+ best_cipher = ncp_get_best_cipher(serverlist, "IV_NCP=1\nIV_BAR=7", "AES-128-GCM", &gc);
assert_string_equal(best_cipher, "AES-128-GCM");
- best_cipher = ncp_get_best_cipher(serverlist, NULL,
- "AES-128-GCM", &gc);
+ best_cipher = ncp_get_best_cipher(serverlist, NULL, "AES-128-GCM", &gc);
assert_string_equal(best_cipher, "AES-128-GCM");
- best_cipher = ncp_get_best_cipher(serverlist, NULL,
- "none", &gc);
+ best_cipher = ncp_get_best_cipher(serverlist, NULL, "none", &gc);
assert_ptr_equal(best_cipher, NULL);
- best_cipher = ncp_get_best_cipher(serverlistbfcbc, NULL,
- "none", &gc);
+ best_cipher = ncp_get_best_cipher(serverlistbfcbc, NULL, "none", &gc);
assert_string_equal(best_cipher, "none");
best_cipher = ncp_get_best_cipher(serverlist, NULL, NULL, &gc);
@@ -240,28 +228,23 @@
const char *serverlist = "CHACHA20_POLY1305:AES-128-GCM:AES-256-GCM";
- best_cipher = ncp_get_best_cipher(serverlist,
- "IV_YOLO=NO\nIV_NCP=2\nIV_BAR=7",
- "BF-CBC", &gc);
+ best_cipher = ncp_get_best_cipher(serverlist, "IV_YOLO=NO\nIV_NCP=2\nIV_BAR=7", "BF-CBC", &gc);
assert_string_equal(best_cipher, "AES-128-GCM");
/* Best cipher is in --cipher of client */
- best_cipher = ncp_get_best_cipher(serverlist, "IV_NCP=2\nIV_BAR=7",
- "CHACHA20_POLY1305", &gc);
+ best_cipher = ncp_get_best_cipher(serverlist, "IV_NCP=2\nIV_BAR=7", "CHACHA20_POLY1305", &gc);
assert_string_equal(best_cipher, "CHACHA20_POLY1305");
/* Best cipher is in --cipher of client */
- best_cipher = ncp_get_best_cipher(serverlist, "IV_CIPHERS=AES-128-GCM",
- "AES-256-CBC", &gc);
+ best_cipher = ncp_get_best_cipher(serverlist, "IV_CIPHERS=AES-128-GCM", "AES-256-CBC", &gc);
assert_string_equal(best_cipher, "AES-128-GCM");
/* IV_NCP=2 should be ignored if IV_CIPHERS is sent */
- best_cipher = ncp_get_best_cipher(serverlist,
- "IV_FOO=7\nIV_CIPHERS=AES-256-GCM\nIV_NCP=2",
+ best_cipher = ncp_get_best_cipher(serverlist, "IV_FOO=7\nIV_CIPHERS=AES-256-GCM\nIV_NCP=2",
"AES-256-CBC", &gc);
assert_string_equal(best_cipher, "AES-256-GCM");
@@ -312,11 +295,14 @@
if (have_chacha)
{
- assert_string_equal(o.ncp_ciphers, "BF-CBC:AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC:AES-256-CBC");
+ assert_string_equal(
+ o.ncp_ciphers,
+ "BF-CBC:AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC:AES-256-CBC");
}
else
{
- assert_string_equal(o.ncp_ciphers, "BF-CBC:AES-256-GCM:AES-128-GCM:AES-128-CBC:AES-256-CBC");
+ assert_string_equal(o.ncp_ciphers,
+ "BF-CBC:AES-256-GCM:AES-128-GCM:AES-128-CBC:AES-256-CBC");
}
assert_string_equal(o.ncp_ciphers_conf, "BF-CBC:DEFAULT:AES-128-CBC:AES-256-CBC");
@@ -326,7 +312,8 @@
if (have_chacha)
{
- assert_string_equal(o.ncp_ciphers, "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC:AES-192-CBC");
+ assert_string_equal(o.ncp_ciphers,
+ "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC:AES-192-CBC");
}
else
{
@@ -340,7 +327,8 @@
if (have_chacha)
{
- assert_string_equal(o.ncp_ciphers, "AES-192-GCM:AES-128-CBC:AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305");
+ assert_string_equal(o.ncp_ciphers,
+ "AES-192-GCM:AES-128-CBC:AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305");
}
else
{
@@ -355,7 +343,7 @@
test_ncp_expand(void **state)
{
bool have_chacha = cipher_valid("CHACHA20-POLY1305");
- struct options o = {0};
+ struct options o = { 0 };
o.gc = gc_new();
struct gc_arena gc = gc_new();
@@ -110,12 +110,10 @@
printf("\n");
return net_route_v4_add(NULL, &dst, prefixlen, NULL, iface, 0, metric);
-
}
static int
-net__route_v4_add_gw(const char *dst_str, int prefixlen, const char *gw_str,
- int metric)
+net__route_v4_add_gw(const char *dst_str, int prefixlen, const char *gw_str, int metric)
{
in_addr_t dst, gw;
int ret;
@@ -140,8 +138,7 @@
dst = ntohl(dst);
gw = ntohl(gw);
- printf("CMD: ip route add %s/%d dev %s via %s", dst_str, prefixlen, iface,
- gw_str);
+ printf("CMD: ip route add %s/%d dev %s via %s", dst_str, prefixlen, iface, gw_str);
if (metric > 0)
{
printf(" metric %d", metric);
@@ -176,12 +173,10 @@
printf("\n");
return net_route_v6_add(NULL, &dst, prefixlen, NULL, iface, 0, metric);
-
}
static int
-net__route_v6_add_gw(const char *dst_str, int prefixlen, const char *gw_str,
- int metric)
+net__route_v6_add_gw(const char *dst_str, int prefixlen, const char *gw_str, int metric)
{
struct in6_addr dst, gw;
int ret;
@@ -203,8 +198,7 @@
return -1;
}
- printf("CMD: ip -6 route add %s/%d dev %s via %s", dst_str, prefixlen,
- iface, gw_str);
+ printf("CMD: ip -6 route add %s/%d dev %s via %s", dst_str, prefixlen, iface, gw_str);
if (metric > 0)
{
printf(" metric %d", metric);
@@ -36,8 +36,10 @@
#include "reliable.h"
#include "test_common.h"
-struct test_packet_id_write_data {
- struct {
+struct test_packet_id_write_data
+{
+ struct
+ {
uint32_t buf_id;
uint32_t buf_time;
} test_buf_data;
@@ -49,15 +51,14 @@
static int
test_packet_id_write_setup(void **state)
{
- struct test_packet_id_write_data *data =
- calloc(1, sizeof(struct test_packet_id_write_data));
+ struct test_packet_id_write_data *data = calloc(1, sizeof(struct test_packet_id_write_data));
if (!data)
{
return -1;
}
- data->test_buf.data = (void *) &data->test_buf_data;
+ data->test_buf.data = (void *)&data->test_buf_data;
data->test_buf.capacity = sizeof(data->test_buf_data);
data->gc = gc_new();
@@ -162,7 +163,6 @@
static void
test_get_num_output_sequenced_available(void **state)
{
-
struct reliable *rel = malloc(sizeof(struct reliable));
reliable_init(rel, 100, 50, 8, false);
@@ -180,14 +180,14 @@
/* test ids close to int/unsigned int barrier */
rel->array[5].active = true;
- rel->array[5].packet_id = (0x80000000u -3);
+ rel->array[5].packet_id = (0x80000000u - 3);
rel->array[6].active = false;
- rel->packet_id = (0x80000000u -1);
+ rel->packet_id = (0x80000000u - 1);
assert_int_equal(6, reliable_get_num_output_sequenced_available(rel));
rel->array[5].active = true;
- rel->array[5].packet_id = (0x80000000u -3);
+ rel->array[5].packet_id = (0x80000000u - 3);
rel->packet_id = 0x80000001u;
assert_int_equal(4, reliable_get_num_output_sequenced_available(rel));
@@ -195,7 +195,7 @@
/* test wrapping */
rel->array[5].active = true;
- rel->array[5].packet_id = (0xffffffffu -3);
+ rel->array[5].packet_id = (0xffffffffu - 3);
rel->array[6].active = false;
rel->packet_id = (0xffffffffu - 1);
@@ -223,7 +223,7 @@
assert_true(packet_id_write_epoch(&data->pis, 0x23, &buf));
assert_int_equal(buf.len, 8);
- uint8_t expected_header[8] = { 0x00, 0x23, 0, 0, 0, 0, 0, 1};
+ uint8_t expected_header[8] = { 0x00, 0x23, 0, 0, 0, 0, 0, 1 };
assert_memory_equal(BPTR(&buf), expected_header, 8);
/* too small buffer should error out */
@@ -234,7 +234,7 @@
data->pis.id = 0xfa079ab9d2e8;
struct buffer buf_48 = alloc_buf_gc(128, &data->gc);
assert_true(packet_id_write_epoch(&data->pis, 0xfffe, &buf_48));
- uint8_t expected_header_48[8] = { 0xff, 0xfe, 0xfa, 0x07, 0x9a, 0xb9, 0xd2, 0xe9};
+ uint8_t expected_header_48[8] = { 0xff, 0xfe, 0xfa, 0x07, 0x9a, 0xb9, 0xd2, 0xe9 };
assert_memory_equal(BPTR(&buf_48), expected_header_48, 8);
/* test writing/checking the 48 bit per epoch packet counter
@@ -242,7 +242,7 @@
data->pis.id = 0xfffffffffffe;
struct buffer buf_of = alloc_buf_gc(128, &data->gc);
assert_true(packet_id_write_epoch(&data->pis, 0xf00f, &buf_of));
- uint8_t expected_header_of[8] = { 0xf0, 0x0f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
+ uint8_t expected_header_of[8] = { 0xf0, 0x0f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
assert_memory_equal(BPTR(&buf_of), expected_header_of, 8);
/* This is go over 2^48 - 1 and should error out. */
@@ -264,9 +264,9 @@
static void
test_copy_acks_to_lru(void **state)
{
- struct reliable_ack ack = { .len = 4, .packet_id = {2, 1, 3, 2} };
+ struct reliable_ack ack = { .len = 4, .packet_id = { 2, 1, 3, 2 } };
- struct reliable_ack mru_ack = {0 };
+ struct reliable_ack mru_ack = { 0 };
/* Test copying to empty ack structure */
copy_acks_to_mru(&ack, &mru_ack, 4);
@@ -292,7 +292,7 @@
/* Adding just two packets shoudl ignore the 42 in array and
* reorder the order in the MRU */
- struct reliable_ack ack2 = { .len = 3, .packet_id = {3, 2, 42} };
+ struct reliable_ack ack2 = { .len = 3, .packet_id = { 3, 2, 42 } };
copy_acks_to_mru(&ack2, &mru_ack2, 2);
assert_int_equal(mru_ack2.packet_id[0], 3);
assert_int_equal(mru_ack2.packet_id[1], 2);
@@ -313,12 +313,12 @@
assert_int_equal(mru_ack.packet_id[1], 1);
assert_int_equal(mru_ack.packet_id[2], 3);
- struct reliable_ack ack3 = { .len = 7, .packet_id = {5, 6, 7, 8, 9, 10, 11}};
+ struct reliable_ack ack3 = { .len = 7, .packet_id = { 5, 6, 7, 8, 9, 10, 11 } };
/* Adding multiple acks tests if the a full array is handled correctly */
copy_acks_to_mru(&ack3, &mru_ack, 7);
- struct reliable_ack expected_ack = { .len = 8, .packet_id = {5, 6, 7, 8, 9, 10, 11, 2}};
+ struct reliable_ack expected_ack = { .len = 8, .packet_id = { 5, 6, 7, 8, 9, 10, 11, 2 } };
assert_int_equal(mru_ack.len, expected_ack.len);
assert_memory_equal(mru_ack.packet_id, expected_ack.packet_id, sizeof(expected_ack.packet_id));
@@ -329,26 +329,19 @@
{
openvpn_unit_test_setup();
const struct CMUnitTest tests[] = {
- cmocka_unit_test_setup_teardown(test_packet_id_write_short,
- test_packet_id_write_setup,
+ cmocka_unit_test_setup_teardown(test_packet_id_write_short, test_packet_id_write_setup,
test_packet_id_write_teardown),
- cmocka_unit_test_setup_teardown(test_packet_id_write_long,
- test_packet_id_write_setup,
+ cmocka_unit_test_setup_teardown(test_packet_id_write_long, test_packet_id_write_setup,
test_packet_id_write_teardown),
cmocka_unit_test_setup_teardown(test_packet_id_write_short_prepend,
- test_packet_id_write_setup,
- test_packet_id_write_teardown),
+ test_packet_id_write_setup, test_packet_id_write_teardown),
cmocka_unit_test_setup_teardown(test_packet_id_write_long_prepend,
- test_packet_id_write_setup,
+ test_packet_id_write_setup, test_packet_id_write_teardown),
+ cmocka_unit_test_setup_teardown(test_packet_id_write_short_wrap, test_packet_id_write_setup,
test_packet_id_write_teardown),
- cmocka_unit_test_setup_teardown(test_packet_id_write_short_wrap,
- test_packet_id_write_setup,
+ cmocka_unit_test_setup_teardown(test_packet_id_write_long_wrap, test_packet_id_write_setup,
test_packet_id_write_teardown),
- cmocka_unit_test_setup_teardown(test_packet_id_write_long_wrap,
- test_packet_id_write_setup,
- test_packet_id_write_teardown),
- cmocka_unit_test_setup_teardown(test_packet_id_write_epoch,
- test_packet_id_write_setup,
+ cmocka_unit_test_setup_teardown(test_packet_id_write_epoch, test_packet_id_write_setup,
test_packet_id_write_teardown),
cmocka_unit_test(test_get_num_output_sequenced_available),
@@ -39,8 +39,8 @@
#include "test_common.h"
#define token_name "Test Token"
-#define PIN "12345"
-#define HASHSIZE 20
+#define PIN "12345"
+#define HASHSIZE 20
struct management *management; /* global */
@@ -58,8 +58,8 @@
/* stubs for some unused functions instead of pulling in too many dependencies */
int
-parse_line(const char *line, char **p, const int n, const char *file,
- const int line_num, int msglevel, struct gc_arena *gc)
+parse_line(const char *line, char **p, const int n, const char *file, const int line_num,
+ int msglevel, struct gc_arena *gc)
{
assert_true(0);
return 0;
@@ -91,45 +91,43 @@
void
query_user_add(char *prompt, size_t prompt_len, char *resp, size_t resp_len, bool echo)
{
- (void) prompt;
- (void) prompt_len;
- (void) resp;
- (void) resp_len;
- (void) echo;
+ (void)prompt;
+ (void)prompt_len;
+ (void)resp;
+ (void)resp_len;
+ (void)echo;
assert_true(0);
}
void
purge_user_pass(struct user_pass *up, const bool force)
{
- (void) force;
+ (void)force;
secure_memzero(up, sizeof(*up));
}
char *
-management_query_pk_sig(struct management *man, const char *b64_data,
- const char *algorithm)
+management_query_pk_sig(struct management *man, const char *b64_data, const char *algorithm)
{
- (void) man;
- (void) b64_data;
- (void) algorithm;
+ (void)man;
+ (void)b64_data;
+ (void)algorithm;
return NULL;
}
-int
-digest_sign_verify(EVP_PKEY *privkey, EVP_PKEY *pubkey);
+int digest_sign_verify(EVP_PKEY *privkey, EVP_PKEY *pubkey);
/* Test certificate database: data for cert1, cert2 .. key1, key2 etc.
* are defined in cert_data.h
*/
static struct test_cert
{
- const char *const cert; /* certificate as PEM */
- const char *const key; /* key as unencrypted PEM */
- const char *const cname; /* common-name */
- const char *const issuer; /* issuer common-name */
- const char *const friendly_name; /* identifies certs loaded to the store -- keep unique */
- uint8_t hash[HASHSIZE]; /* SHA1 fingerprint: computed and filled in later */
- char *p11_id; /* PKCS#11 id -- filled in later */
+ const char *const cert; /* certificate as PEM */
+ const char *const key; /* key as unencrypted PEM */
+ const char *const cname; /* common-name */
+ const char *const issuer; /* issuer common-name */
+ const char *const friendly_name; /* identifies certs loaded to the store -- keep unique */
+ uint8_t hash[HASHSIZE]; /* SHA1 fingerprint: computed and filled in later */
+ char *p11_id; /* PKCS#11 id -- filled in later */
} certs[5];
static bool pkcs11_id_management;
@@ -144,11 +142,11 @@
init_cert_data(void)
{
struct test_cert certs_local[] = {
- {cert1, key1, cname1, "OVPN TEST CA1", "OVPN Test Cert 1", {0}, NULL},
- {cert2, key2, cname2, "OVPN TEST CA2", "OVPN Test Cert 2", {0}, NULL},
- {cert3, key3, cname3, "OVPN TEST CA1", "OVPN Test Cert 3", {0}, NULL},
- {cert4, key4, cname4, "OVPN TEST CA2", "OVPN Test Cert 4", {0}, NULL},
- {0}
+ { cert1, key1, cname1, "OVPN TEST CA1", "OVPN Test Cert 1", { 0 }, NULL },
+ { cert2, key2, cname2, "OVPN TEST CA2", "OVPN Test Cert 2", { 0 }, NULL },
+ { cert3, key3, cname3, "OVPN TEST CA1", "OVPN Test Cert 3", { 0 }, NULL },
+ { cert4, key4, cname4, "OVPN TEST CA2", "OVPN Test Cert 4", { 0 }, NULL },
+ { 0 }
};
assert(sizeof(certs_local) == sizeof(certs));
memcpy(certs, certs_local, sizeof(certs_local));
@@ -159,9 +157,9 @@
get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix,
const unsigned int flags, const char *unused)
{
- (void) unused;
+ (void)unused;
bool ret = true;
- if (!strcmp(prefix, "pkcs11-id-request") && flags&GET_USER_PASS_NEED_STR)
+ if (!strcmp(prefix, "pkcs11-id-request") && flags & GET_USER_PASS_NEED_STR)
{
assert_true(pkcs11_id_management);
strncpynt(up->password, pkcs11_id_current, sizeof(up->password));
@@ -195,15 +193,16 @@
static int
init(void **state)
{
- (void) state;
+ (void)state;
- umask(0077); /* ensure all files and directories we create get user only access */
+ umask(0077); /* ensure all files and directories we create get user only access */
char config[256];
init_cert_data();
if (!mkdtemp(softhsm2_tokens_path))
{
- fail_msg("make tmpdir using template <%s> failed (error = %d)", softhsm2_tokens_path, errno);
+ fail_msg("make tmpdir using template <%s> failed (error = %d)", softhsm2_tokens_path,
+ errno);
}
int fd = mkstemp(softhsm2_conf_path);
@@ -211,8 +210,7 @@
{
fail_msg("make tmpfile using template <%s> failed (error = %d)", softhsm2_conf_path, errno);
}
- snprintf(config, sizeof(config), "directories.tokendir=%s/",
- softhsm2_tokens_path);
+ snprintf(config, sizeof(config), "directories.tokendir=%s/", softhsm2_tokens_path);
assert_int_equal(write(fd, config, strlen(config)), strlen(config));
close(fd);
@@ -260,14 +258,16 @@
argv_free(&a);
a = argv_new();
/* Use numcerts+1 as a unique id of the object -- same id for matching cert and key */
- argv_printf(&a, "%s --provider %s --load-certificate %s --label \"%s\" --id %08x --login --write",
- P11TOOL_PATH, SOFTHSM2_MODULE_PATH, cert, c->friendly_name, num_certs+1);
+ argv_printf(
+ &a, "%s --provider %s --load-certificate %s --label \"%s\" --id %08x --login --write",
+ P11TOOL_PATH, SOFTHSM2_MODULE_PATH, cert, c->friendly_name, num_certs + 1);
assert_true(openvpn_execve_check(&a, es, 0, "Failed to upload certificate into token"));
argv_free(&a);
a = argv_new();
- argv_printf(&a, "%s --provider %s --load-privkey %s --label \"%s\" --id %08x --login --write",
- P11TOOL_PATH, SOFTHSM2_MODULE_PATH, key, c->friendly_name, num_certs+1);
+ argv_printf(&a,
+ "%s --provider %s --load-privkey %s --label \"%s\" --id %08x --login --write",
+ P11TOOL_PATH, SOFTHSM2_MODULE_PATH, key, c->friendly_name, num_certs + 1);
assert_true(openvpn_execve_check(&a, es, 0, "Failed to upload key into token"));
assert_int_equal(ftruncate(cert_fd, 0), 0);
@@ -288,7 +288,7 @@
static int
cleanup(void **state)
{
- (void) state;
+ (void)state;
struct argv a = argv_new();
argv_printf(&a, "%s --delete-token --token \"%s\"", SOFTHSM2_UTIL_PATH, token_name);
@@ -410,7 +410,7 @@
static void
test_tls_ctx_use_pkcs11(void **state)
{
- (void) state;
+ (void)state;
struct tls_root_ctx tls_ctx = {};
uint8_t sha1[HASHSIZE];
for (struct test_cert *c = certs; c->cert; c++)
@@ -451,7 +451,8 @@
#else
if (!SSL_CTX_check_private_key(tls_ctx.ctx))
{
- fail_msg("Certificate and private key in ssl_ctx do not match for <%s>", c->friendly_name);
+ fail_msg("Certificate and private key in ssl_ctx do not match for <%s>",
+ c->friendly_name);
return;
}
#endif
@@ -472,10 +473,8 @@
{
openvpn_unit_test_setup();
const struct CMUnitTest tests[] = {
- cmocka_unit_test_setup_teardown(test_pkcs11_ids, setup_pkcs11,
- teardown_pkcs11),
- cmocka_unit_test_setup_teardown(test_tls_ctx_use_pkcs11, setup_pkcs11,
- teardown_pkcs11),
+ cmocka_unit_test_setup_teardown(test_pkcs11_ids, setup_pkcs11, teardown_pkcs11),
+ cmocka_unit_test_setup_teardown(test_tls_ctx_use_pkcs11, setup_pkcs11, teardown_pkcs11),
cmocka_unit_test_setup_teardown(test_tls_ctx_use_pkcs11__management, setup_pkcs11,
teardown_pkcs11),
};
@@ -44,8 +44,8 @@
#include "reliable.h"
int
-parse_line(const char *line, char **p, const int n, const char *file,
- const int line_num, int msglevel, struct gc_arena *gc)
+parse_line(const char *line, char **p, const int n, const char *file, const int line_num,
+ int msglevel, struct gc_arena *gc)
{
/* Dummy function to get the linker happy, should never be called */
assert_true(false);
@@ -55,8 +55,7 @@
/* Define this function here as dummy since including the ssl_*.c files
* leads to having to include even more unrelated code */
bool
-key_state_export_keying_material(struct tls_session *session,
- const char *label, size_t label_size,
+key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size,
void *ekm, size_t ekm_size)
{
ASSERT(0);
@@ -89,104 +88,73 @@
"-----END OpenVPN Static key V1-----\n"
"</tls-auth>\n";
-const uint8_t client_reset_v2_none[] =
-{ 0x38, 0x68, 0x91, 0x92, 0x3f, 0xa3, 0x10, 0x34,
- 0x37, 0x00, 0x00, 0x00, 0x00, 0x00 };
+const uint8_t client_reset_v2_none[] = { 0x38, 0x68, 0x91, 0x92, 0x3f, 0xa3, 0x10,
+ 0x34, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00 };
-const uint8_t client_reset_v2_tls_auth[] =
-{ 0x38, 0xde, 0x69, 0x4c, 0x5c, 0x7b, 0xfb, 0xa2,
- 0x74, 0x93, 0x53, 0x7c, 0x1d, 0xed, 0x4e, 0x78,
- 0x15, 0x29, 0xae, 0x7c, 0xfe, 0x4b, 0x8c, 0x6d,
- 0x6b, 0x2b, 0x51, 0xf0, 0x5a, 0x00, 0x00, 0x00,
- 0x01, 0x61, 0xd3, 0xbf, 0x6c, 0x00, 0x00, 0x00,
- 0x00, 0x00};
+const uint8_t client_reset_v2_tls_auth[] = { 0x38, 0xde, 0x69, 0x4c, 0x5c, 0x7b, 0xfb, 0xa2, 0x74,
+ 0x93, 0x53, 0x7c, 0x1d, 0xed, 0x4e, 0x78, 0x15, 0x29,
+ 0xae, 0x7c, 0xfe, 0x4b, 0x8c, 0x6d, 0x6b, 0x2b, 0x51,
+ 0xf0, 0x5a, 0x00, 0x00, 0x00, 0x01, 0x61, 0xd3, 0xbf,
+ 0x6c, 0x00, 0x00, 0x00, 0x00, 0x00 };
-const uint8_t client_reset_v2_tls_crypt[] =
-{0x38, 0xf4, 0x19, 0xcb, 0x12, 0xd1, 0xf9, 0xe4,
- 0x8f, 0x00, 0x00, 0x00, 0x01, 0x61, 0xd3, 0xf8,
- 0xe1, 0x33, 0x02, 0x06, 0xf5, 0x68, 0x02, 0xbe,
- 0x44, 0xfb, 0xed, 0x90, 0x50, 0x64, 0xe3, 0xdb,
- 0x43, 0x41, 0x6b, 0xec, 0x5e, 0x52, 0x67, 0x19,
- 0x46, 0x2b, 0x7e, 0xb9, 0x0c, 0x96, 0xde, 0xfc,
- 0x9b, 0x05, 0xc4, 0x48, 0x79, 0xf7};
+const uint8_t client_reset_v2_tls_crypt[] = {
+ 0x38, 0xf4, 0x19, 0xcb, 0x12, 0xd1, 0xf9, 0xe4, 0x8f, 0x00, 0x00, 0x00, 0x01, 0x61,
+ 0xd3, 0xf8, 0xe1, 0x33, 0x02, 0x06, 0xf5, 0x68, 0x02, 0xbe, 0x44, 0xfb, 0xed, 0x90,
+ 0x50, 0x64, 0xe3, 0xdb, 0x43, 0x41, 0x6b, 0xec, 0x5e, 0x52, 0x67, 0x19, 0x46, 0x2b,
+ 0x7e, 0xb9, 0x0c, 0x96, 0xde, 0xfc, 0x9b, 0x05, 0xc4, 0x48, 0x79, 0xf7
+};
/* Valid tls-auth client CONTROL_V1 packet with random server id */
const uint8_t client_ack_tls_auth_randomid[] = {
- 0x20, 0x14, 0x01, 0x4e, 0xbc, 0x80, 0xc6, 0x14,
- 0x2b, 0x7b, 0xc8, 0x76, 0xfb, 0xc5, 0x2e, 0x27,
- 0xb1, 0xc5, 0x07, 0x35, 0x5b, 0xb6, 0x00, 0x6b,
- 0xae, 0x71, 0xba, 0x4e, 0x38, 0x00, 0x00, 0x00,
- 0x03, 0x61, 0xd3, 0xff, 0x53, 0x00, 0x00, 0x00,
- 0x00, 0x01, 0x16, 0x03, 0x01, 0x01, 0x0c, 0x01,
- 0x00, 0x01, 0x08, 0x03, 0x03, 0x8c, 0xaa, 0xac,
- 0x3a, 0x1a, 0x07, 0xbd, 0xe7, 0xb7, 0x50, 0x06,
- 0x9b, 0x94, 0x0c, 0x34, 0x4b, 0x5a, 0x35, 0xca,
- 0xc4, 0x79, 0xbd, 0xc9, 0x09, 0xb0, 0x7b, 0xd9,
- 0xee, 0xbb, 0x7d, 0xe7, 0x25, 0x20, 0x39, 0x38,
- 0xe2, 0x18, 0x33, 0x36, 0x14, 0x9f, 0x34, 0xf0,
- 0x44, 0x59, 0x96, 0x8d, 0x0e, 0xd2, 0x47, 0x76,
- 0x64, 0x88, 0x59, 0xe9, 0x38, 0x03, 0x97, 0x96,
- 0x98, 0x45, 0xfb, 0xf5, 0xff, 0x23, 0x00, 0x32,
- 0x13, 0x02, 0x13, 0x03, 0x13, 0x01, 0xc0, 0x2c,
- 0xc0, 0x30, 0x00, 0x9f, 0xcc, 0xa9, 0xcc, 0xa8,
- 0xcc, 0xaa, 0xc0, 0x2b, 0xc0, 0x2f, 0x00, 0x9e,
- 0xc0, 0x24, 0xc0, 0x28, 0x00, 0x6b, 0xc0, 0x23,
- 0xc0, 0x27, 0x00, 0x67, 0xc0, 0x0a, 0xc0, 0x14,
- 0x00, 0x39, 0xc0, 0x09, 0xc0, 0x13, 0x00, 0x33,
- 0x00, 0xff, 0x01, 0x00, 0x00, 0x8d, 0x00, 0x0b,
- 0x00, 0x04, 0x03, 0x00, 0x01, 0x02, 0x00, 0x0a,
- 0x00, 0x0c, 0x00, 0x0a, 0x00, 0x1d, 0x00, 0x17,
- 0x00, 0x1e, 0x00, 0x19, 0x00, 0x18, 0x00, 0x16,
- 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x0d,
- 0x00, 0x30, 0x00, 0x2e, 0x04, 0x03, 0x05, 0x03,
- 0x06, 0x03, 0x08, 0x07, 0x08, 0x08, 0x08, 0x09,
- 0x08, 0x0a, 0x08, 0x0b, 0x08, 0x04, 0x08, 0x05,
- 0x08, 0x06, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01,
- 0x03, 0x03, 0x02, 0x03, 0x03, 0x01, 0x02, 0x01,
- 0x03, 0x02, 0x02, 0x02, 0x04, 0x02, 0x05, 0x02,
- 0x06, 0x02, 0x00, 0x2b, 0x00, 0x05, 0x04, 0x03,
- 0x04, 0x03, 0x03, 0x00, 0x2d, 0x00, 0x02, 0x01,
- 0x01, 0x00, 0x33, 0x00, 0x26, 0x00, 0x24, 0x00,
- 0x1d, 0x00, 0x20, 0x0e, 0xc9, 0x7a, 0xff, 0x58,
- 0xdb, 0x56, 0xf6, 0x40, 0xd1, 0xed, 0xdb, 0x91,
- 0x81, 0xd6, 0xef, 0x83, 0x86, 0x8a, 0xb2, 0x3d,
- 0x88, 0x92, 0x3f, 0xd8, 0x51, 0x9c, 0xd6, 0x26,
- 0x56, 0x33, 0x6b
+ 0x20, 0x14, 0x01, 0x4e, 0xbc, 0x80, 0xc6, 0x14, 0x2b, 0x7b, 0xc8, 0x76, 0xfb, 0xc5, 0x2e, 0x27,
+ 0xb1, 0xc5, 0x07, 0x35, 0x5b, 0xb6, 0x00, 0x6b, 0xae, 0x71, 0xba, 0x4e, 0x38, 0x00, 0x00, 0x00,
+ 0x03, 0x61, 0xd3, 0xff, 0x53, 0x00, 0x00, 0x00, 0x00, 0x01, 0x16, 0x03, 0x01, 0x01, 0x0c, 0x01,
+ 0x00, 0x01, 0x08, 0x03, 0x03, 0x8c, 0xaa, 0xac, 0x3a, 0x1a, 0x07, 0xbd, 0xe7, 0xb7, 0x50, 0x06,
+ 0x9b, 0x94, 0x0c, 0x34, 0x4b, 0x5a, 0x35, 0xca, 0xc4, 0x79, 0xbd, 0xc9, 0x09, 0xb0, 0x7b, 0xd9,
+ 0xee, 0xbb, 0x7d, 0xe7, 0x25, 0x20, 0x39, 0x38, 0xe2, 0x18, 0x33, 0x36, 0x14, 0x9f, 0x34, 0xf0,
+ 0x44, 0x59, 0x96, 0x8d, 0x0e, 0xd2, 0x47, 0x76, 0x64, 0x88, 0x59, 0xe9, 0x38, 0x03, 0x97, 0x96,
+ 0x98, 0x45, 0xfb, 0xf5, 0xff, 0x23, 0x00, 0x32, 0x13, 0x02, 0x13, 0x03, 0x13, 0x01, 0xc0, 0x2c,
+ 0xc0, 0x30, 0x00, 0x9f, 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xc0, 0x2b, 0xc0, 0x2f, 0x00, 0x9e,
+ 0xc0, 0x24, 0xc0, 0x28, 0x00, 0x6b, 0xc0, 0x23, 0xc0, 0x27, 0x00, 0x67, 0xc0, 0x0a, 0xc0, 0x14,
+ 0x00, 0x39, 0xc0, 0x09, 0xc0, 0x13, 0x00, 0x33, 0x00, 0xff, 0x01, 0x00, 0x00, 0x8d, 0x00, 0x0b,
+ 0x00, 0x04, 0x03, 0x00, 0x01, 0x02, 0x00, 0x0a, 0x00, 0x0c, 0x00, 0x0a, 0x00, 0x1d, 0x00, 0x17,
+ 0x00, 0x1e, 0x00, 0x19, 0x00, 0x18, 0x00, 0x16, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x0d,
+ 0x00, 0x30, 0x00, 0x2e, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x08, 0x07, 0x08, 0x08, 0x08, 0x09,
+ 0x08, 0x0a, 0x08, 0x0b, 0x08, 0x04, 0x08, 0x05, 0x08, 0x06, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01,
+ 0x03, 0x03, 0x02, 0x03, 0x03, 0x01, 0x02, 0x01, 0x03, 0x02, 0x02, 0x02, 0x04, 0x02, 0x05, 0x02,
+ 0x06, 0x02, 0x00, 0x2b, 0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03, 0x00, 0x2d, 0x00, 0x02, 0x01,
+ 0x01, 0x00, 0x33, 0x00, 0x26, 0x00, 0x24, 0x00, 0x1d, 0x00, 0x20, 0x0e, 0xc9, 0x7a, 0xff, 0x58,
+ 0xdb, 0x56, 0xf6, 0x40, 0xd1, 0xed, 0xdb, 0x91, 0x81, 0xd6, 0xef, 0x83, 0x86, 0x8a, 0xb2, 0x3d,
+ 0x88, 0x92, 0x3f, 0xd8, 0x51, 0x9c, 0xd6, 0x26, 0x56, 0x33, 0x6b
};
/* This is a truncated packet as we do not care for the TLS payload in the
* unit test */
-const uint8_t client_control_with_ack[] = {
- 0x20, 0x78, 0x19, 0xbf, 0x2e, 0xbc, 0xd1, 0x9a,
- 0x45, 0x01, 0x00, 0x00, 0x00, 0x00, 0xea,
- 0xfe, 0xbf, 0xa4, 0x41, 0x8a, 0xe3, 0x1b,
- 0x00, 0x00, 0x00, 0x01, 0x16, 0x03, 0x01
-};
+const uint8_t client_control_with_ack[] = { 0x20, 0x78, 0x19, 0xbf, 0x2e, 0xbc, 0xd1, 0x9a,
+ 0x45, 0x01, 0x00, 0x00, 0x00, 0x00, 0xea, 0xfe,
+ 0xbf, 0xa4, 0x41, 0x8a, 0xe3, 0x1b, 0x00, 0x00,
+ 0x00, 0x01, 0x16, 0x03, 0x01 };
-const uint8_t client_ack_none_random_id[] = {
- 0x28, 0xae, 0xb9, 0xaf, 0xe1, 0xf0, 0x1d, 0x79,
- 0xc8, 0x01, 0x00, 0x00, 0x00, 0x00, 0xdd,
- 0x85, 0xdb, 0x53, 0x56, 0x23, 0xb0, 0x2e
-};
+const uint8_t client_ack_none_random_id[] = { 0x28, 0xae, 0xb9, 0xaf, 0xe1, 0xf0, 0x1d, 0x79,
+ 0xc8, 0x01, 0x00, 0x00, 0x00, 0x00, 0xdd, 0x85,
+ 0xdb, 0x53, 0x56, 0x23, 0xb0, 0x2e };
struct tls_auth_standalone
init_tas_auth(int key_direction)
{
struct tls_auth_standalone tas = { 0 };
- struct frame frame = { {.headroom = 200, .payload_size = 1400}, 0};
+ struct frame frame = { { .headroom = 200, .payload_size = 1400 }, 0 };
tas.frame = frame;
tas.tls_wrap.mode = TLS_WRAP_AUTH;
/* we ignore packet ids on for the first packet check */
- tas.tls_wrap.opt.flags |= (CO_IGNORE_PACKET_ID|CO_PACKET_ID_LONG_FORM);
+ tas.tls_wrap.opt.flags |= (CO_IGNORE_PACKET_ID | CO_PACKET_ID_LONG_FORM);
struct key_type tls_crypt_kt;
init_key_type(&tls_crypt_kt, "none", "SHA1", true, false);
- crypto_read_openvpn_key(&tls_crypt_kt, &tas.tls_wrap.opt.key_ctx_bi,
- static_key, true, key_direction,
- "Control Channel Authentication", "tls-auth",
- NULL);
+ crypto_read_openvpn_key(&tls_crypt_kt, &tas.tls_wrap.opt.key_ctx_bi, static_key, true,
+ key_direction, "Control Channel Authentication", "tls-auth", NULL);
tas.workbuf = alloc_buf(1600);
return tas;
@@ -197,11 +165,10 @@
{
struct tls_auth_standalone tas = { 0 };
tas.tls_wrap.mode = TLS_WRAP_CRYPT;
- tas.tls_wrap.opt.flags |= (CO_IGNORE_PACKET_ID|CO_PACKET_ID_LONG_FORM);
+ tas.tls_wrap.opt.flags |= (CO_IGNORE_PACKET_ID | CO_PACKET_ID_LONG_FORM);
- tls_crypt_init_key(&tas.tls_wrap.opt.key_ctx_bi,
- &tas.tls_wrap.original_wrap_keydata, static_key,
- true, server);
+ tls_crypt_init_key(&tas.tls_wrap.opt.key_ctx_bi, &tas.tls_wrap.original_wrap_keydata,
+ static_key, true, server);
tas.workbuf = alloc_buf(1600);
tas.tls_wrap.work = alloc_buf(1600);
@@ -248,7 +215,7 @@
free_tls_pre_decrypt_state(&state);
/* flip a byte in various places */
- for (int i = 0; i<sizeof(client_reset_v2_tls_crypt); i++)
+ for (int i = 0; i < sizeof(client_reset_v2_tls_crypt); i++)
{
buf_reset_len(&buf);
buf_write(&buf, client_reset_v2_tls_crypt, sizeof(client_reset_v2_tls_crypt));
@@ -391,7 +358,7 @@
assert_int_equal(ack.len, 1);
assert_int_equal(ack.packet_id[0], 0);
- struct session_id expected_id = { .id = {0xea, 0xfe, 0xbf, 0xa4, 0x41, 0x8a, 0xe3, 0x1b }};
+ struct session_id expected_id = { .id = { 0xea, 0xfe, 0xbf, 0xa4, 0x41, 0x8a, 0xe3, 0x1b } };
assert_memory_equal(&sid, &expected_id, SID_SIZE);
buf_reset_len(&buf);
@@ -405,7 +372,7 @@
assert_int_equal(ack.len, 1);
assert_int_equal(ack.packet_id[0], 0);
- struct session_id expected_id2 = { .id = {0xdd, 0x85, 0xdb, 0x53, 0x56, 0x23, 0xb0, 0x2e }};
+ struct session_id expected_id2 = { .id = { 0xdd, 0x85, 0xdb, 0x53, 0x56, 0x23, 0xb0, 0x2e } };
assert_memory_equal(&sid, &expected_id2, SID_SIZE);
buf_reset_len(&buf);
@@ -484,7 +451,7 @@
ASSERT(md_valid("SHA256"));
hmac_ctx_t *hmac_ctx = hmac_ctx_new();
- uint8_t key[SHA256_DIGEST_LENGTH] = {1, 2, 3, 0};
+ uint8_t key[SHA256_DIGEST_LENGTH] = { 1, 2, 3, 0 };
hmac_ctx_init(hmac_ctx, key, "SHA256");
return hmac_ctx;
@@ -502,28 +469,30 @@
addr.addr.in4.sin_addr.s_addr = ntohl(0xff000ff);
addr.addr.in4.sin_port = ntohs(1195);
- struct session_id client_id = { {0, 1, 2, 3, 4, 5, 6, 7}};
+ struct session_id client_id = { { 0, 1, 2, 3, 4, 5, 6, 7 } };
now = 1005;
struct session_id server_id = calculate_session_id_hmac(client_id, &addr, hmac, handwindow, 0);
- struct session_id expected_server_id = {{0x84, 0x73, 0x52, 0x2b, 0x5b, 0xa9, 0x2a, 0x70}};
+ struct session_id expected_server_id = { { 0x84, 0x73, 0x52, 0x2b, 0x5b, 0xa9, 0x2a, 0x70 } };
/* We have to deal with different structs here annoyingly */
/* Linux has an unsigned short int as family_t and this is field is always
* stored in host endianness even though the rest of the struct isn't...,
* so Linux little endian differs from all BSD and Linux big endian */
- if (sizeof(addr.addr.in4.sin_family) == sizeof(unsigned short int)
- && ntohs(AF_INET) != AF_INET)
+ if (sizeof(addr.addr.in4.sin_family) == sizeof(unsigned short int) && ntohs(AF_INET) != AF_INET)
{
- struct session_id linuxle = {{0x8b, 0xeb, 0x3d, 0x20, 0x14, 0x53, 0xbe, 0x0a }};
+ struct session_id linuxle = { { 0x8b, 0xeb, 0x3d, 0x20, 0x14, 0x53, 0xbe, 0x0a } };
expected_server_id = linuxle;
}
assert_memory_equal(expected_server_id.id, server_id.id, SID_SIZE);
- struct session_id server_id_m1 = calculate_session_id_hmac(client_id, &addr, hmac, handwindow, -1);
- struct session_id server_id_p1 = calculate_session_id_hmac(client_id, &addr, hmac, handwindow, 1);
- struct session_id server_id_p2 = calculate_session_id_hmac(client_id, &addr, hmac, handwindow, 2);
+ struct session_id server_id_m1 =
+ calculate_session_id_hmac(client_id, &addr, hmac, handwindow, -1);
+ struct session_id server_id_p1 =
+ calculate_session_id_hmac(client_id, &addr, hmac, handwindow, 1);
+ struct session_id server_id_p2 =
+ calculate_session_id_hmac(client_id, &addr, hmac, handwindow, 2);
assert_memory_not_equal(expected_server_id.id, server_id_m1.id, SID_SIZE);
assert_memory_not_equal(expected_server_id.id, server_id_p1.id, SID_SIZE);
@@ -532,10 +501,13 @@
* and shifts the ids by one */
now = 1062;
- struct session_id server_id2_m2 = calculate_session_id_hmac(client_id, &addr, hmac, handwindow, -2);
- struct session_id server_id2_m1 = calculate_session_id_hmac(client_id, &addr, hmac, handwindow, -1);
+ struct session_id server_id2_m2 =
+ calculate_session_id_hmac(client_id, &addr, hmac, handwindow, -2);
+ struct session_id server_id2_m1 =
+ calculate_session_id_hmac(client_id, &addr, hmac, handwindow, -1);
struct session_id server_id2 = calculate_session_id_hmac(client_id, &addr, hmac, handwindow, 0);
- struct session_id server_id2_p1 = calculate_session_id_hmac(client_id, &addr, hmac, handwindow, 1);
+ struct session_id server_id2_p1 =
+ calculate_session_id_hmac(client_id, &addr, hmac, handwindow, 1);
assert_memory_equal(server_id2_m2.id, server_id_m1.id, SID_SIZE);
assert_memory_equal(server_id2_m1.id, expected_server_id.id, SID_SIZE);
@@ -553,19 +525,20 @@
struct tls_auth_standalone tas = { 0 };
struct tls_pre_decrypt_state state = { 0 };
- struct session_id client_id = {{0, 1, 2, 3, 4, 5, 6, 7}};
- struct session_id server_id = {{8, 9, 0, 9, 8, 7, 6, 2}};
+ struct session_id client_id = { { 0, 1, 2, 3, 4, 5, 6, 7 } };
+ struct session_id server_id = { { 8, 9, 0, 9, 8, 7, 6, 2 } };
enum first_packet_verdict verdict;
tas.tls_wrap.mode = TLS_WRAP_NONE;
- struct frame frame = { {.headroom = 200, .payload_size = 1400}, 0};
+ struct frame frame = { { .headroom = 200, .payload_size = 1400 }, 0 };
tas.frame = frame;
tas.workbuf = alloc_buf(1600);
uint8_t header = 0 | (P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT);
- struct buffer buf = tls_reset_standalone(&tas.tls_wrap, &tas, &client_id, &server_id, header, false);
+ struct buffer buf =
+ tls_reset_standalone(&tas.tls_wrap, &tas, &client_id, &server_id, header, false);
verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
@@ -573,7 +546,8 @@
/* Assure repeated generation of reset is deterministic/stateless*/
assert_memory_equal(state.peer_session_id.id, client_id.id, SID_SIZE);
- struct buffer buf2 = tls_reset_standalone(&tas.tls_wrap, &tas, &client_id, &server_id, header, false);
+ struct buffer buf2 =
+ tls_reset_standalone(&tas.tls_wrap, &tas, &client_id, &server_id, header, false);
assert_int_equal(BLEN(&buf), BLEN(&buf2));
assert_memory_equal(BPTR(&buf), BPTR(&buf2), BLEN(&buf));
@@ -592,14 +566,15 @@
packet_id_init(&tas_client.tls_wrap.opt.packet_id, 5, 5, "UNITTEST", 0);
- struct session_id client_id = {{0xab, 1, 2, 3, 4, 5, 6, 0xcd}};
- struct session_id server_id = {{8, 9, 0xa, 0xc, 8, 7, 6, 2}};
+ struct session_id client_id = { { 0xab, 1, 2, 3, 4, 5, 6, 0xcd } };
+ struct session_id server_id = { { 8, 9, 0xa, 0xc, 8, 7, 6, 2 } };
uint8_t header = 0 | (P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT);
now = 0x22446688;
reset_packet_id_send(&tas_client.tls_wrap.opt.packet_id.send);
- struct buffer buf = tls_reset_standalone(&tas_client.tls_wrap, &tas_client, &client_id, &server_id, header, false);
+ struct buffer buf = tls_reset_standalone(&tas_client.tls_wrap, &tas_client, &client_id,
+ &server_id, header, false);
enum first_packet_verdict verdict = tls_pre_decrypt_lite(&tas_server, &state, &from, &buf);
assert_int_equal(verdict, VERDICT_VALID_RESET_V2);
@@ -608,7 +583,8 @@
/* Assure repeated generation of reset is deterministic/stateless*/
reset_packet_id_send(&tas_client.tls_wrap.opt.packet_id.send);
- struct buffer buf2 = tls_reset_standalone(&tas_client.tls_wrap, &tas_client, &client_id, &server_id, header, false);
+ struct buffer buf2 = tls_reset_standalone(&tas_client.tls_wrap, &tas_client, &client_id,
+ &server_id, header, false);
assert_int_equal(BLEN(&buf), BLEN(&buf2));
assert_memory_equal(BPTR(&buf), BPTR(&buf2), BLEN(&buf));
@@ -644,7 +620,7 @@
assert_string_equal(BSTR(&cmd4), "valid one again");
assert_int_equal(cmd5.len, 0);
- const uint8_t nonull[6] = { 'n', 'o', ' ', 'N', 'U', 'L'};
+ const uint8_t nonull[6] = { 'n', 'o', ' ', 'N', 'U', 'L' };
struct buffer nonull_buf = alloc_buf_gc(1024, &gc);
buf_write(&nonull_buf, nonull, sizeof(nonull));
@@ -658,18 +634,16 @@
main(void)
{
openvpn_unit_test_setup();
- const struct CMUnitTest tests[] = {
- cmocka_unit_test(test_tls_decrypt_lite_none),
- cmocka_unit_test(test_tls_decrypt_lite_auth),
- cmocka_unit_test(test_tls_decrypt_lite_crypt),
- cmocka_unit_test(test_parse_ack),
- cmocka_unit_test(test_calc_session_id_hmac_static),
- cmocka_unit_test(test_verify_hmac_none),
- cmocka_unit_test(test_verify_hmac_tls_auth),
- cmocka_unit_test(test_generate_reset_packet_plain),
- cmocka_unit_test(test_generate_reset_packet_tls_auth),
- cmocka_unit_test(test_extract_control_message)
- };
+ const struct CMUnitTest tests[] = { cmocka_unit_test(test_tls_decrypt_lite_none),
+ cmocka_unit_test(test_tls_decrypt_lite_auth),
+ cmocka_unit_test(test_tls_decrypt_lite_crypt),
+ cmocka_unit_test(test_parse_ack),
+ cmocka_unit_test(test_calc_session_id_hmac_static),
+ cmocka_unit_test(test_verify_hmac_none),
+ cmocka_unit_test(test_verify_hmac_tls_auth),
+ cmocka_unit_test(test_generate_reset_packet_plain),
+ cmocka_unit_test(test_generate_reset_packet_tls_auth),
+ cmocka_unit_test(test_extract_control_message) };
#if defined(ENABLE_CRYPTO_OPENSSL)
OpenSSL_add_all_algorithms();
@@ -45,7 +45,7 @@
static int mgmt_callback_called;
#ifndef _countof
-#define _countof(x) sizeof((x))/sizeof(*(x))
+#define _countof(x) sizeof((x)) / sizeof(*(x))
#endif
static OSSL_PROVIDER *prov[2];
@@ -70,7 +70,7 @@
"MCowBQYDK2VwAyEA+q5xjF5hGyyqYZidJdz/0saEQabL3N4wIZJBxNGbgJE=\n"
"-----END PUBLIC KEY-----";
-static const char *pubkeys[] = {pubkey1, pubkey2, pubkey3};
+static const char *pubkeys[] = { pubkey1, pubkey2, pubkey3 };
static const char *prov_name = "ovpn.xkey";
@@ -84,11 +84,10 @@
"bG9yZSBtYWduYSBhbGlxdWEu";
/* Sha256 digest of test_msg excluding NUL terminator */
-static const uint8_t test_digest[] = {
- 0x77, 0x38, 0x65, 0x00, 0x1e, 0x96, 0x48, 0xc6, 0x57, 0x0b, 0xae,
- 0xc0, 0xb7, 0x96, 0xf9, 0x66, 0x4d, 0x5f, 0xd0, 0xb7, 0xdb, 0xf3,
- 0x3a, 0xbf, 0x02, 0xcc, 0x78, 0x61, 0x83, 0x20, 0x20, 0xee
-};
+static const uint8_t test_digest[] = { 0x77, 0x38, 0x65, 0x00, 0x1e, 0x96, 0x48, 0xc6,
+ 0x57, 0x0b, 0xae, 0xc0, 0xb7, 0x96, 0xf9, 0x66,
+ 0x4d, 0x5f, 0xd0, 0xb7, 0xdb, 0xf3, 0x3a, 0xbf,
+ 0x02, 0xcc, 0x78, 0x61, 0x83, 0x20, 0x20, 0xee };
static const char *test_digest_b64 = "dzhlAB6WSMZXC67At5b5Zk1f0Lfb8zq/Asx4YYMgIO4=";
@@ -97,10 +96,9 @@
* --- the smallest size of the actual signature with the above
* keys.
*/
-static const uint8_t good_sig[] = {
- 0xd8, 0xa7, 0xd9, 0x81, 0xd8, 0xaa, 0xd8, 0xad, 0x20, 0xd9, 0x8a, 0xd8,
- 0xa7, 0x20, 0xd8, 0xb3, 0xd9, 0x85, 0xd8, 0xb3, 0xd9, 0x85, 0x0
-};
+static const uint8_t good_sig[] = { 0xd8, 0xa7, 0xd9, 0x81, 0xd8, 0xaa, 0xd8, 0xad,
+ 0x20, 0xd9, 0x8a, 0xd8, 0xa7, 0x20, 0xd8, 0xb3,
+ 0xd9, 0x85, 0xd8, 0xb3, 0xd9, 0x85, 0x0 };
static const char *good_sig_b64 = "2KfZgdiq2K0g2YrYpyDYs9mF2LPZhQA=";
@@ -153,8 +151,7 @@
* the management client.
*/
char *
-management_query_pk_sig(struct management *man, const char *b64_data,
- const char *algorithm)
+management_query_pk_sig(struct management *man, const char *b64_data, const char *algorithm)
{
char *out = NULL;
@@ -195,7 +192,7 @@
{
assert_true(OSSL_PROVIDER_available(NULL, prov_name));
- const char *algs[] = {"RSA", "ECDSA"};
+ const char *algs[] = { "RSA", "ECDSA" };
for (size_t i = 0; i < _countof(algs); i++)
{
@@ -206,7 +203,7 @@
EVP_SIGNATURE_free(sig);
}
- const char *names[] = {"RSA", "EC"};
+ const char *names[] = { "RSA", "EC" };
for (size_t i = 0; i < _countof(names); i++)
{
@@ -225,7 +222,7 @@
uint8_t *sig = NULL;
size_t siglen = 0;
- OSSL_PARAM params[6] = {OSSL_PARAM_END};
+ OSSL_PARAM params[6] = { OSSL_PARAM_END };
const char *mdname = "SHA256";
const char *padmode = "pss";
@@ -233,11 +230,15 @@
if (EVP_PKEY_get_id(pkey) == EVP_PKEY_RSA)
{
- params[0] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, (char *)mdname, 0);
- params[1] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, (char *)padmode, 0);
- params[2] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, (char *)saltlen, 0);
+ params[0] =
+ OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, (char *)mdname, 0);
+ params[1] =
+ OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, (char *)padmode, 0);
+ params[2] =
+ OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, (char *)saltlen, 0);
/* same digest for mgf1 */
- params[3] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, (char *)saltlen, 0);
+ params[3] =
+ OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, (char *)saltlen, 0);
params[4] = OSSL_PARAM_construct_end();
}
else if (EVP_PKEY_get_id(pkey) == EVP_PKEY_ED25519)
@@ -250,8 +251,7 @@
EVP_PKEY_CTX *pctx = NULL;
EVP_MD_CTX *mctx = EVP_MD_CTX_new();
- if (!mctx
- || EVP_DigestSignInit_ex(mctx, &pctx, mdname, NULL, NULL, pkey, params) <= 0)
+ if (!mctx || EVP_DigestSignInit_ex(mctx, &pctx, mdname, NULL, NULL, pkey, params) <= 0)
{
fail_msg("Failed to initialize EVP_DigestSignInit_ex()");
goto done;
@@ -291,7 +291,7 @@
EVP_PKEY *privkey = xkey_load_management_key(NULL, pubkey);
assert_true(privkey != NULL);
- management->settings.flags = MF_EXTERNAL_KEY|MF_EXTERNAL_KEY_PSSPAD;
+ management->settings.flags = MF_EXTERNAL_KEY | MF_EXTERNAL_KEY_PSSPAD;
/* first without digest support in management client */
again:
@@ -328,8 +328,8 @@
}
static int
-xkey_sign(void *handle, unsigned char *sig, size_t *siglen,
- const unsigned char *tbs, size_t tbslen, XKEY_SIGALG s)
+xkey_sign(void *handle, unsigned char *sig, size_t *siglen, const unsigned char *tbs, size_t tbslen,
+ XKEY_SIGALG s)
{
if (!sig)
{
@@ -386,7 +386,8 @@
pubkey = load_pubkey(pubkeys[i]);
assert_true(pubkey != NULL);
- EVP_PKEY *privkey = xkey_load_generic_key(NULL, (void *)dummy, pubkey, xkey_sign, xkey_free);
+ EVP_PKEY *privkey =
+ xkey_load_generic_key(NULL, (void *)dummy, pubkey, xkey_sign, xkey_free);
assert_true(privkey != NULL);
xkey_sign_called = 0;
@@ -14,36 +14,17 @@
unsigned int
pull_permission_mask(const struct context *c)
{
- unsigned int flags =
- OPT_P_UP
- | OPT_P_ROUTE_EXTRAS
- | OPT_P_SOCKBUF
- | OPT_P_SOCKFLAGS
- | OPT_P_SETENV
- | OPT_P_SHAPER
- | OPT_P_TIMER
- | OPT_P_COMP
- | OPT_P_PERSIST
- | OPT_P_MESSAGES
- | OPT_P_EXPLICIT_NOTIFY
- | OPT_P_ECHO
- | OPT_P_PULL_MODE
- | OPT_P_PEER_ID
- | OPT_P_NCP
- | OPT_P_PUSH_MTU
- | OPT_P_ROUTE
- | OPT_P_DHCPDNS;
+ unsigned int flags = OPT_P_UP | OPT_P_ROUTE_EXTRAS | OPT_P_SOCKBUF | OPT_P_SOCKFLAGS
+ | OPT_P_SETENV | OPT_P_SHAPER | OPT_P_TIMER | OPT_P_COMP | OPT_P_PERSIST
+ | OPT_P_MESSAGES | OPT_P_EXPLICIT_NOTIFY | OPT_P_ECHO | OPT_P_PULL_MODE
+ | OPT_P_PEER_ID | OPT_P_NCP | OPT_P_PUSH_MTU | OPT_P_ROUTE | OPT_P_DHCPDNS;
return flags;
}
bool
-apply_push_options(struct context *c,
- struct options *options,
- struct buffer *buf,
- unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es,
- bool is_update)
+apply_push_options(struct context *c, struct options *options, struct buffer *buf,
+ unsigned int permission_mask, unsigned int *option_types_found,
+ struct env_set *es, bool is_update)
{
char line[OPTION_PARM_SIZE];
@@ -80,10 +61,8 @@
}
int
-process_incoming_push_msg(struct context *c,
- const struct buffer *buffer,
- bool honor_received_options,
- unsigned int permission_mask,
+process_incoming_push_msg(struct context *c, const struct buffer *buffer,
+ bool honor_received_options, unsigned int permission_mask,
unsigned int *option_types_found)
{
struct buffer buf = *buffer;
@@ -92,16 +71,13 @@
{
return PUSH_MSG_REQUEST;
}
- else if (honor_received_options
- && buf_string_compare_advance(&buf, push_reply_cmd))
+ else if (honor_received_options && buf_string_compare_advance(&buf, push_reply_cmd))
{
return PUSH_MSG_REPLY;
}
- else if (honor_received_options
- && buf_string_compare_advance(&buf, push_update_cmd))
+ else if (honor_received_options && buf_string_compare_advance(&buf, push_update_cmd))
{
- return process_incoming_push_update(c, permission_mask,
- option_types_found, &buf);
+ return process_incoming_push_update(c, permission_mask, option_types_found, &buf);
}
else
{
@@ -116,11 +92,14 @@
{
struct context *c = *state;
struct buffer buf = alloc_buf(256);
- const char *update_msg = "PUSH_UPDATE,dhcp-option DNS 8.8.8.8, route 0.0.0.0 0.0.0.0 10.10.10.1";
+ const char *update_msg =
+ "PUSH_UPDATE,dhcp-option DNS 8.8.8.8, route 0.0.0.0 0.0.0.0 10.10.10.1";
buf_write(&buf, update_msg, strlen(update_msg));
unsigned int option_types_found = 0;
- assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), &option_types_found), PUSH_MSG_UPDATE);
+ assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c),
+ &option_types_found),
+ PUSH_MSG_UPDATE);
free_buf(&buf);
}
@@ -134,7 +113,9 @@
buf_write(&buf, update_msg, strlen(update_msg));
unsigned int option_types_found = 0;
- assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), &option_types_found), PUSH_MSG_ERROR);
+ assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c),
+ &option_types_found),
+ PUSH_MSG_ERROR);
free_buf(&buf);
}
@@ -149,7 +130,9 @@
buf_write(&buf, update_msg, strlen(update_msg));
unsigned int option_types_found = 0;
- assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), &option_types_found), PUSH_MSG_ERROR);
+ assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c),
+ &option_types_found),
+ PUSH_MSG_ERROR);
free_buf(&buf);
}
@@ -163,7 +146,9 @@
buf_write(&buf, update_msg, strlen(update_msg));
unsigned int option_types_found = 0;
- assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), &option_types_found), PUSH_MSG_UPDATE);
+ assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c),
+ &option_types_found),
+ PUSH_MSG_UPDATE);
free_buf(&buf);
}
@@ -177,7 +162,9 @@
buf_write(&buf, update_msg, strlen(update_msg));
unsigned int option_types_found = 0;
- assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), &option_types_found), PUSH_MSG_ERROR);
+ assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c),
+ &option_types_found),
+ PUSH_MSG_ERROR);
free_buf(&buf);
}
@@ -191,7 +178,9 @@
buf_write(&buf, update_msg, strlen(update_msg));
unsigned int option_types_found = 0;
- assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), &option_types_found), PUSH_MSG_ERROR);
+ assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c),
+ &option_types_found),
+ PUSH_MSG_ERROR);
free_buf(&buf);
}
@@ -201,11 +190,14 @@
{
struct context *c = *state;
struct buffer buf = alloc_buf(256);
- const char *update_msg = "PUSH_UPDATE,-dhcp-option, route 10.10.10.0, dhcp-option DNS 1.1.1.1, route 10.11.12.0, dhcp-option DOMAIN corp.local, keepalive 10 60";
+ const char *update_msg =
+ "PUSH_UPDATE,-dhcp-option, route 10.10.10.0, dhcp-option DNS 1.1.1.1, route 10.11.12.0, dhcp-option DOMAIN corp.local, keepalive 10 60";
buf_write(&buf, update_msg, strlen(update_msg));
unsigned int option_types_found = 0;
- assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), &option_types_found), PUSH_MSG_UPDATE);
+ assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c),
+ &option_types_found),
+ PUSH_MSG_UPDATE);
free_buf(&buf);
}
@@ -215,11 +207,14 @@
{
struct context *c = *state;
struct buffer buf = alloc_buf(256);
- const char *update_msg = "PUSH_UPDATE,-dhcp-option,dhcp-option DNS 8.8.8.8,redirect-gateway local,route 192.168.1.0 255.255.255.0";
+ const char *update_msg =
+ "PUSH_UPDATE,-dhcp-option,dhcp-option DNS 8.8.8.8,redirect-gateway local,route 192.168.1.0 255.255.255.0";
buf_write(&buf, update_msg, strlen(update_msg));
unsigned int option_types_found = 0;
- assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c), &option_types_found), PUSH_MSG_UPDATE);
+ assert_int_equal(process_incoming_push_msg(c, &buf, c->options.pull, pull_permission_mask(c),
+ &option_types_found),
+ PUSH_MSG_UPDATE);
free_buf(&buf);
}
@@ -249,7 +244,8 @@
cmocka_unit_test_setup_teardown(test_incoming_push_message_basic, setup, teardown),
cmocka_unit_test_setup_teardown(test_incoming_push_message_error1, setup, teardown),
cmocka_unit_test_setup_teardown(test_incoming_push_message_error2, setup, teardown),
- cmocka_unit_test_setup_teardown(test_incoming_push_message_not_updatable_option, setup, teardown),
+ cmocka_unit_test_setup_teardown(test_incoming_push_message_not_updatable_option, setup,
+ teardown),
cmocka_unit_test_setup_teardown(test_incoming_push_message_1, setup, teardown),
cmocka_unit_test_setup_teardown(test_incoming_push_message_bad_format, setup, teardown),
cmocka_unit_test_setup_teardown(test_incoming_push_message_mix, setup, teardown),
@@ -159,7 +159,7 @@
static int
init(void **state)
{
- (void) state;
+ (void)state;
global_state.gc = gc_new();
global_state.certfile = platform_create_temp_file(get_tmp_dir(), "cert", &global_state.gc);
global_state.keyfile = platform_create_temp_file(get_tmp_dir(), "key", &global_state.gc);
@@ -180,7 +180,7 @@
static int
cleanup(void **state)
{
- (void) state;
+ (void)state;
unlink(global_state.certfile);
unlink(global_state.keyfile);
gc_free(&global_state.gc);
@@ -220,7 +220,7 @@
static void
test_load_certificate_and_key(void **state)
{
- (void) state;
+ (void)state;
struct tls_root_ctx ctx = { 0 };
/* test loading of inlined cert and key.
@@ -242,11 +242,11 @@
static void
test_load_certificate_and_key_uri(void **state)
{
- (void) state;
+ (void)state;
#if !defined(HAVE_OPENSSL_STORE)
skip();
-#else /* HAVE_OPENSSL_STORE */
+#else /* HAVE_OPENSSL_STORE */
struct tls_root_ctx ctx = { 0 };
const char *certfile = global_state.certfile;
@@ -306,7 +306,6 @@
frame->buf.tailroom = overhead;
frame->tun_mtu = tls_mtu;
-
}
static void
@@ -333,7 +332,6 @@
/* Test encryption, decryption for all packet sizes */
for (int i = 1; i <= frame.buf.payload_size; ++i)
{
-
/* msg(M_INFO, "TESTING ENCRYPT/DECRYPT of packet length=%d", i); */
/*
@@ -413,7 +411,6 @@
static void
check_aead_limits(struct crypto_options *co, bool chachapoly)
{
-
/* Check that we correctly react when we have a nearing AEAD limits */
/* manually increase the send counter to be past
@@ -445,9 +442,8 @@
{
/* Check always against the GCM usage limit here to see if that
* check works */
- assert_true(aead_usage_limit_reached((1ull << 36),
- &co->key_ctx_bi.encrypt,
- co->packet_id.send.id));
+ assert_true(
+ aead_usage_limit_reached((1ull << 36), &co->key_ctx_bi.encrypt, co->packet_id.send.id));
return;
}
@@ -464,10 +460,9 @@
static struct crypto_options
-init_crypto_options(const char *cipher, const char *auth, bool epoch,
- struct key2 *statickey)
+init_crypto_options(const char *cipher, const char *auth, bool epoch, struct key2 *statickey)
{
- struct key2 key2 = { .n = 2};
+ struct key2 key2 = { .n = 2 };
if (statickey)
{
@@ -488,7 +483,7 @@
if (epoch)
{
- struct epoch_key e1 = { .epoch = 1, .epoch_key = { 0 }};
+ struct epoch_key e1 = { .epoch = 1, .epoch_key = { 0 } };
memcpy(e1.epoch_key, key2.keys[0].cipher, sizeof(e1.epoch_key));
co.flags |= CO_EPOCH_DATA_KEY_FORMAT;
epoch_init_key_ctx(&co, &kt, &e1, &e1, 5);
@@ -633,11 +628,11 @@
static struct key2
create_key(void)
{
- struct key2 key2 = {.n = 2};
+ struct key2 key2 = { .n = 2 };
- const uint8_t key[] =
- {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', '0', '1', '2', '3', '4', '5', '6', '7', 'A', 'B', 'C', 'D', 'E', 'F',
- 'G', 'H', 'j', 'k', 'u', 'c', 'h', 'e', 'n', 'l'};
+ const uint8_t key[] = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', '0', '1', '2',
+ '3', '4', '5', '6', '7', 'A', 'B', 'C', 'D', 'E', 'F',
+ 'G', 'H', 'j', 'k', 'u', 'c', 'h', 'e', 'n', 'l' };
static_assert(sizeof(key) == 32, "Size of key should be 32 bytes");
@@ -647,7 +642,7 @@
for (int i = 0; i < sizeof(key2.keys); i++)
{
- keydata[i] = (uint8_t) (key[i % sizeof(key)] ^ i);
+ keydata[i] = (uint8_t)(key[i % sizeof(key)] ^ i);
}
ASSERT(memcpy(key2.keys[0].cipher, keydata, sizeof(key2.keys[0].cipher)));
@@ -663,8 +658,7 @@
{
struct key2 key2 = create_key();
- struct crypto_options co = init_crypto_options("AES-256-GCM", "none", epoch,
- &key2);
+ struct crypto_options co = init_crypto_options("AES-256-GCM", "none", epoch, &key2);
struct gc_arena gc = gc_new();
@@ -716,41 +710,40 @@
if (epoch)
{
- uint8_t packetid1[8] = {0, 0x04, 0, 0, 0, 0, 0, 1};
+ uint8_t packetid1[8] = { 0, 0x04, 0, 0, 0, 0, 0, 1 };
assert_memory_equal(BPTR(&buf), packetid1, 8);
}
else
{
- uint8_t packetid1[4] = {0, 0, 0, 1};
+ uint8_t packetid1[4] = { 0, 0, 0, 1 };
assert_memory_equal(BPTR(&buf), packetid1, 4);
}
if (epoch)
{
uint8_t *tag_location = BEND(&buf) - OPENVPN_AEAD_TAG_LENGTH;
- const uint8_t exp_tag_epoch[16] =
- {0x0f, 0xff, 0xf5, 0x91, 0x3d, 0x39, 0xd7, 0x5b,
- 0x18, 0x57, 0x3b, 0x57, 0x48, 0x58, 0x9a, 0x7d};
+ const uint8_t exp_tag_epoch[16] = { 0x0f, 0xff, 0xf5, 0x91, 0x3d, 0x39, 0xd7, 0x5b,
+ 0x18, 0x57, 0x3b, 0x57, 0x48, 0x58, 0x9a, 0x7d };
assert_memory_equal(tag_location, exp_tag_epoch, OPENVPN_AEAD_TAG_LENGTH);
}
else
{
uint8_t *tag_location = BPTR(&buf) + 4;
- const uint8_t exp_tag_noepoch[16] =
- {0x1f, 0xdd, 0x90, 0x8f, 0x0e, 0x9d, 0xc2, 0x5e, 0x79, 0xd8, 0x32, 0x02, 0x0d, 0x58, 0xe7, 0x3f};
+ const uint8_t exp_tag_noepoch[16] = { 0x1f, 0xdd, 0x90, 0x8f, 0x0e, 0x9d, 0xc2, 0x5e,
+ 0x79, 0xd8, 0x32, 0x02, 0x0d, 0x58, 0xe7, 0x3f };
assert_memory_equal(tag_location, exp_tag_noepoch, OPENVPN_AEAD_TAG_LENGTH);
}
/* Check some bytes at the beginning of the encrypted part */
if (epoch)
{
- const uint8_t bytesat14[6] = {0x36, 0xaa, 0xb4, 0xd4, 0x9c, 0xe6};
+ const uint8_t bytesat14[6] = { 0x36, 0xaa, 0xb4, 0xd4, 0x9c, 0xe6 };
assert_memory_equal(BPTR(&buf) + 14, bytesat14, sizeof(bytesat14));
}
else
{
- const uint8_t bytesat30[6] = {0xa8, 0x2e, 0x6b, 0x17, 0x06, 0xd9};
+ const uint8_t bytesat30[6] = { 0xa8, 0x2e, 0x6b, 0x17, 0x06, 0xd9 };
assert_memory_equal(BPTR(&buf) + 30, bytesat30, sizeof(bytesat30));
}
@@ -39,8 +39,7 @@
/* Define this function here as dummy since including the ssl_*.c files
* leads to having to include even more unrelated code */
bool
-key_state_export_keying_material(struct tls_session *session,
- const char *label, size_t label_size,
+key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size,
void *ekm, size_t ekm_size)
{
memset(ekm, 0xba, ekm_size);
@@ -48,22 +47,22 @@
}
-#define TESTBUF_SIZE 128
+#define TESTBUF_SIZE 128
/* Defines for use in the tests and the mock parse_line() */
-#define PATH1 "/s p a c e"
-#define PATH2 "/foo bar/baz"
-#define PARAM1 "param1"
-#define PARAM2 "param two"
+#define PATH1 "/s p a c e"
+#define PATH2 "/foo bar/baz"
+#define PARAM1 "param1"
+#define PARAM2 "param two"
-static const char *test_server_key = \
+static const char *test_server_key =
"-----BEGIN OpenVPN tls-crypt-v2 server key-----\n"
"AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4v\n"
"MDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5f\n"
"YGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn8=\n"
"-----END OpenVPN tls-crypt-v2 server key-----\n";
-static const char *test_client_key = \
+static const char *test_client_key =
"-----BEGIN OpenVPN tls-crypt-v2 client key-----\n"
"AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4v\n"
"MDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5f\n"
@@ -81,7 +80,7 @@
/* Has custom metadata of AABBCCDD (base64) */
-static const char *test_client_key_metadata = \
+static const char *test_client_key_metadata =
"-----BEGIN OpenVPN tls-crypt-v2 client key-----\n"
"AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4v\n"
"MDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5f\n"
@@ -98,8 +97,8 @@
"-----END OpenVPN tls-crypt-v2 client key-----\n";
int
-__wrap_parse_line(const char *line, char **p, const int n, const char *file,
- const int line_num, int msglevel, struct gc_arena *gc)
+__wrap_parse_line(const char *line, char **p, const int n, const char *file, const int line_num,
+ int msglevel, struct gc_arena *gc)
{
p[0] = PATH1 PATH2;
p[1] = PARAM1;
@@ -141,7 +140,8 @@
return true;
}
-struct test_tls_crypt_context {
+struct test_tls_crypt_context
+{
struct crypto_options co;
struct key_type kt;
struct buffer source;
@@ -156,8 +156,10 @@
struct test_tls_crypt_context *ctx = calloc(1, sizeof(*ctx));
*state = ctx;
- struct key_parameters key = { .cipher = { 0 }, .hmac = { 0 },
- .hmac_size = MAX_HMAC_KEY_LENGTH, .cipher_size = MAX_CIPHER_KEY_LENGTH };
+ struct key_parameters key = { .cipher = { 0 },
+ .hmac = { 0 },
+ .hmac_size = MAX_HMAC_KEY_LENGTH,
+ .cipher_size = MAX_CIPHER_KEY_LENGTH };
ctx->kt = tls_crypt_kt();
if (!ctx->kt.cipher || !ctx->kt.digest)
@@ -187,8 +189,7 @@
static int
test_tls_crypt_teardown(void **state)
{
- struct test_tls_crypt_context *ctx =
- (struct test_tls_crypt_context *)*state;
+ struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *)*state;
free_buf(&ctx->source);
free_buf(&ctx->ciphertext);
@@ -216,7 +217,7 @@
static void
tls_crypt_loopback(void **state)
{
- struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state;
+ struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *)*state;
skip_if_tls_crypt_not_supported(ctx);
@@ -224,8 +225,7 @@
assert_true(BLEN(&ctx->source) < BLEN(&ctx->ciphertext));
assert_true(tls_crypt_unwrap(&ctx->ciphertext, &ctx->unwrapped, &ctx->co));
assert_int_equal(BLEN(&ctx->source), BLEN(&ctx->unwrapped));
- assert_memory_equal(BPTR(&ctx->source), BPTR(&ctx->unwrapped),
- BLEN(&ctx->source));
+ assert_memory_equal(BPTR(&ctx->source), BPTR(&ctx->unwrapped), BLEN(&ctx->source));
}
@@ -235,8 +235,7 @@
static void
test_tls_crypt_secure_reneg_key(void **state)
{
- struct test_tls_crypt_context *ctx =
- (struct test_tls_crypt_context *)*state;
+ struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *)*state;
struct gc_arena gc = gc_new();
@@ -255,19 +254,19 @@
tls_crypt_wrap(&ctx->source, &rctx->work, &rctx->opt);
assert_int_equal(buf_len(&ctx->source) + 40, buf_len(&rctx->work));
- uint8_t expected_ciphertext[] = {
- 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xe3, 0x19, 0x27, 0x7f, 0x1c, 0x8d, 0x6e, 0x6a,
- 0x77, 0x96, 0xa8, 0x55, 0x33, 0x7b, 0x9c, 0xfb, 0x56, 0xe1, 0xf1, 0x3a, 0x87, 0x0e, 0x66, 0x47,
- 0xdf, 0xa1, 0x95, 0xc9, 0x2c, 0x17, 0xa0, 0x15, 0xba, 0x49, 0x67, 0xa1, 0x1d, 0x55, 0xea, 0x1a,
- 0x06, 0xa7
- };
+ uint8_t expected_ciphertext[] = { 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xe3, 0x19,
+ 0x27, 0x7f, 0x1c, 0x8d, 0x6e, 0x6a, 0x77, 0x96, 0xa8, 0x55,
+ 0x33, 0x7b, 0x9c, 0xfb, 0x56, 0xe1, 0xf1, 0x3a, 0x87, 0x0e,
+ 0x66, 0x47, 0xdf, 0xa1, 0x95, 0xc9, 0x2c, 0x17, 0xa0, 0x15,
+ 0xba, 0x49, 0x67, 0xa1, 0x1d, 0x55, 0xea, 0x1a, 0x06, 0xa7 };
assert_memory_equal(BPTR(&rctx->work), expected_ciphertext, buf_len(&rctx->work));
tls_wrap_free(&session.tls_wrap_reneg);
/* Use previous tls-crypt key as 0x00, with xor we should have the same key
* and expect the same result */
session.tls_wrap.mode = TLS_WRAP_CRYPT;
- memset(&session.tls_wrap.original_wrap_keydata.keys, 0x00, sizeof(session.tls_wrap.original_wrap_keydata.keys));
+ memset(&session.tls_wrap.original_wrap_keydata.keys, 0x00,
+ sizeof(session.tls_wrap.original_wrap_keydata.keys));
session.tls_wrap.original_wrap_keydata.n = 2;
tls_session_generate_dynamic_tls_crypt_key(&session);
@@ -278,7 +277,8 @@
tls_wrap_free(&session.tls_wrap_reneg);
/* XOR should not force a different key */
- memset(&session.tls_wrap.original_wrap_keydata.keys, 0x42, sizeof(session.tls_wrap.original_wrap_keydata.keys));
+ memset(&session.tls_wrap.original_wrap_keydata.keys, 0x42,
+ sizeof(session.tls_wrap.original_wrap_keydata.keys));
tls_session_generate_dynamic_tls_crypt_key(&session);
tls_crypt_wrap(&ctx->source, &rctx->work, &rctx->opt);
@@ -302,7 +302,7 @@
static void
tls_crypt_loopback_zero_len(void **state)
{
- struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state;
+ struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *)*state;
skip_if_tls_crypt_not_supported(ctx);
@@ -312,8 +312,7 @@
assert_true(BLEN(&ctx->source) < BLEN(&ctx->ciphertext));
assert_true(tls_crypt_unwrap(&ctx->ciphertext, &ctx->unwrapped, &ctx->co));
assert_int_equal(BLEN(&ctx->source), BLEN(&ctx->unwrapped));
- assert_memory_equal(BPTR(&ctx->source), BPTR(&ctx->unwrapped),
- BLEN(&ctx->source));
+ assert_memory_equal(BPTR(&ctx->source), BPTR(&ctx->unwrapped), BLEN(&ctx->source));
}
/**
@@ -322,20 +321,19 @@
static void
tls_crypt_loopback_max_len(void **state)
{
- struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state;
+ struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *)*state;
skip_if_tls_crypt_not_supported(ctx);
buf_clear(&ctx->source);
- assert_non_null(buf_write_alloc(&ctx->source,
- TESTBUF_SIZE - BLEN(&ctx->ciphertext) - tls_crypt_buf_overhead()));
+ assert_non_null(buf_write_alloc(&ctx->source, TESTBUF_SIZE - BLEN(&ctx->ciphertext)
+ - tls_crypt_buf_overhead()));
assert_true(tls_crypt_wrap(&ctx->source, &ctx->ciphertext, &ctx->co));
assert_true(BLEN(&ctx->source) < BLEN(&ctx->ciphertext));
assert_true(tls_crypt_unwrap(&ctx->ciphertext, &ctx->unwrapped, &ctx->co));
assert_int_equal(BLEN(&ctx->source), BLEN(&ctx->unwrapped));
- assert_memory_equal(BPTR(&ctx->source), BPTR(&ctx->unwrapped),
- BLEN(&ctx->source));
+ assert_memory_equal(BPTR(&ctx->source), BPTR(&ctx->unwrapped), BLEN(&ctx->source));
}
/**
@@ -344,13 +342,13 @@
static void
tls_crypt_fail_msg_too_long(void **state)
{
- struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state;
+ struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *)*state;
skip_if_tls_crypt_not_supported(ctx);
buf_clear(&ctx->source);
- assert_non_null(buf_write_alloc(&ctx->source,
- TESTBUF_SIZE - BLEN(&ctx->ciphertext) - tls_crypt_buf_overhead() + 1));
+ assert_non_null(buf_write_alloc(&ctx->source, TESTBUF_SIZE - BLEN(&ctx->ciphertext)
+ - tls_crypt_buf_overhead() + 1));
assert_false(tls_crypt_wrap(&ctx->source, &ctx->ciphertext, &ctx->co));
}
@@ -361,13 +359,15 @@
static void
tls_crypt_fail_invalid_key(void **state)
{
- struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state;
+ struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *)*state;
skip_if_tls_crypt_not_supported(ctx);
/* Change decrypt key */
- struct key_parameters key = { .cipher = { 1 }, .hmac = { 1 },
- .cipher_size = MAX_CIPHER_KEY_LENGTH, .hmac_size = MAX_HMAC_KEY_LENGTH };
+ struct key_parameters key = { .cipher = { 1 },
+ .hmac = { 1 },
+ .cipher_size = MAX_CIPHER_KEY_LENGTH,
+ .hmac_size = MAX_HMAC_KEY_LENGTH };
free_key_ctx(&ctx->co.key_ctx_bi.decrypt);
init_key_ctx(&ctx->co.key_ctx_bi.decrypt, &key, &ctx->kt, false, "TEST");
@@ -382,7 +382,7 @@
static void
tls_crypt_fail_replay(void **state)
{
- struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state;
+ struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *)*state;
skip_if_tls_crypt_not_supported(ctx);
@@ -402,7 +402,7 @@
static void
tls_crypt_ignore_replay(void **state)
{
- struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state;
+ struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *)*state;
skip_if_tls_crypt_not_supported(ctx);
@@ -416,7 +416,8 @@
assert_true(tls_crypt_unwrap(&ctx->ciphertext, &ctx->unwrapped, &ctx->co));
}
-struct test_tls_crypt_v2_context {
+struct test_tls_crypt_v2_context
+{
struct gc_arena gc;
struct key2 server_key2;
struct key_ctx_bi server_keys;
@@ -436,17 +437,15 @@
ctx->gc = gc_new();
/* Slightly longer buffers to be able to test too-long data */
- ctx->metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN+16, &ctx->gc);
- ctx->unwrapped_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN+16,
- &ctx->gc);
- ctx->wkc = alloc_buf_gc(TLS_CRYPT_V2_MAX_WKC_LEN+16, &ctx->gc);
+ ctx->metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN + 16, &ctx->gc);
+ ctx->unwrapped_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN + 16, &ctx->gc);
+ ctx->wkc = alloc_buf_gc(TLS_CRYPT_V2_MAX_WKC_LEN + 16, &ctx->gc);
/* Generate server key */
rand_bytes((void *)ctx->server_key2.keys, sizeof(ctx->server_key2.keys));
ctx->server_key2.n = 2;
struct key_type kt = tls_crypt_kt();
- init_key_ctx_bi(&ctx->server_keys, &ctx->server_key2,
- KEY_DIRECTION_BIDIRECTIONAL, &kt,
+ init_key_ctx_bi(&ctx->server_keys, &ctx->server_key2, KEY_DIRECTION_BIDIRECTIONAL, &kt,
"tls-crypt-v2 server key");
/* Generate client key */
@@ -459,8 +458,7 @@
static int
test_tls_crypt_v2_teardown(void **state)
{
- struct test_tls_crypt_v2_context *ctx =
- (struct test_tls_crypt_v2_context *) *state;
+ struct test_tls_crypt_v2_context *ctx = (struct test_tls_crypt_v2_context *)*state;
free_key_ctx_bi(&ctx->server_keys);
free_key_ctx_bi(&ctx->client_key);
@@ -478,27 +476,20 @@
static void
tls_crypt_v2_wrap_unwrap_no_metadata(void **state)
{
- struct test_tls_crypt_v2_context *ctx =
- (struct test_tls_crypt_v2_context *) *state;
+ struct test_tls_crypt_v2_context *ctx = (struct test_tls_crypt_v2_context *)*state;
- struct buffer wrapped_client_key = alloc_buf_gc(TLS_CRYPT_V2_MAX_WKC_LEN,
- &ctx->gc);
- assert_true(tls_crypt_v2_wrap_client_key(&wrapped_client_key,
- &ctx->client_key2,
- &ctx->metadata,
- &ctx->server_keys.encrypt,
- &ctx->gc));
+ struct buffer wrapped_client_key = alloc_buf_gc(TLS_CRYPT_V2_MAX_WKC_LEN, &ctx->gc);
+ assert_true(tls_crypt_v2_wrap_client_key(&wrapped_client_key, &ctx->client_key2, &ctx->metadata,
+ &ctx->server_keys.encrypt, &ctx->gc));
- struct buffer unwrap_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN,
- &ctx->gc);
+ struct buffer unwrap_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN, &ctx->gc);
struct key2 unwrapped_client_key2 = { 0 };
- assert_true(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2,
- &unwrap_metadata,
- wrapped_client_key,
- &ctx->server_keys.decrypt));
+ assert_true(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2, &unwrap_metadata,
+ wrapped_client_key, &ctx->server_keys.decrypt));
- assert_true(0 == memcmp(ctx->client_key2.keys, unwrapped_client_key2.keys,
- sizeof(ctx->client_key2.keys)));
+ assert_true(0
+ == memcmp(ctx->client_key2.keys, unwrapped_client_key2.keys,
+ sizeof(ctx->client_key2.keys)));
}
/**
@@ -508,26 +499,21 @@
static void
tls_crypt_v2_wrap_unwrap_max_metadata(void **state)
{
- struct test_tls_crypt_v2_context *ctx =
- (struct test_tls_crypt_v2_context *) *state;
+ struct test_tls_crypt_v2_context *ctx = (struct test_tls_crypt_v2_context *)*state;
- uint8_t *metadata =
- buf_write_alloc(&ctx->metadata, TLS_CRYPT_V2_MAX_METADATA_LEN);
+ uint8_t *metadata = buf_write_alloc(&ctx->metadata, TLS_CRYPT_V2_MAX_METADATA_LEN);
assert_true(rand_bytes(metadata, TLS_CRYPT_V2_MAX_METADATA_LEN));
- assert_true(tls_crypt_v2_wrap_client_key(&ctx->wkc, &ctx->client_key2,
- &ctx->metadata,
- &ctx->server_keys.encrypt,
- &ctx->gc));
+ assert_true(tls_crypt_v2_wrap_client_key(&ctx->wkc, &ctx->client_key2, &ctx->metadata,
+ &ctx->server_keys.encrypt, &ctx->gc));
- struct buffer unwrap_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN,
- &ctx->gc);
+ struct buffer unwrap_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN, &ctx->gc);
struct key2 unwrapped_client_key2 = { 0 };
- assert_true(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2,
- &unwrap_metadata, ctx->wkc,
+ assert_true(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2, &unwrap_metadata, ctx->wkc,
&ctx->server_keys.decrypt));
- assert_true(0 == memcmp(ctx->client_key2.keys, unwrapped_client_key2.keys,
- sizeof(ctx->client_key2.keys)));
+ assert_true(0
+ == memcmp(ctx->client_key2.keys, unwrapped_client_key2.keys,
+ sizeof(ctx->client_key2.keys)));
assert_true(buf_equal(&ctx->metadata, &unwrap_metadata));
struct tls_wrap_ctx wrap_ctx = {
@@ -545,14 +531,11 @@
static void
tls_crypt_v2_wrap_too_long_metadata(void **state)
{
- struct test_tls_crypt_v2_context *ctx =
- (struct test_tls_crypt_v2_context *) *state;
+ struct test_tls_crypt_v2_context *ctx = (struct test_tls_crypt_v2_context *)*state;
- assert_true(buf_inc_len(&ctx->metadata, TLS_CRYPT_V2_MAX_METADATA_LEN+1));
- assert_false(tls_crypt_v2_wrap_client_key(&ctx->wkc, &ctx->client_key2,
- &ctx->metadata,
- &ctx->server_keys.encrypt,
- &ctx->gc));
+ assert_true(buf_inc_len(&ctx->metadata, TLS_CRYPT_V2_MAX_METADATA_LEN + 1));
+ assert_false(tls_crypt_v2_wrap_client_key(&ctx->wkc, &ctx->client_key2, &ctx->metadata,
+ &ctx->server_keys.encrypt, &ctx->gc));
}
/**
@@ -562,28 +545,22 @@
static void
tls_crypt_v2_wrap_unwrap_wrong_key(void **state)
{
- struct test_tls_crypt_v2_context *ctx =
- (struct test_tls_crypt_v2_context *) *state;
+ struct test_tls_crypt_v2_context *ctx = (struct test_tls_crypt_v2_context *)*state;
- assert_true(tls_crypt_v2_wrap_client_key(&ctx->wkc, &ctx->client_key2,
- &ctx->metadata,
- &ctx->server_keys.encrypt,
- &ctx->gc));
+ assert_true(tls_crypt_v2_wrap_client_key(&ctx->wkc, &ctx->client_key2, &ctx->metadata,
+ &ctx->server_keys.encrypt, &ctx->gc));
/* Change server key */
struct key_type kt = tls_crypt_kt();
free_key_ctx_bi(&ctx->server_keys);
memset(&ctx->server_key2.keys, 0, sizeof(ctx->server_key2.keys));
- init_key_ctx_bi(&ctx->server_keys, &ctx->server_key2,
- KEY_DIRECTION_BIDIRECTIONAL, &kt,
+ init_key_ctx_bi(&ctx->server_keys, &ctx->server_key2, KEY_DIRECTION_BIDIRECTIONAL, &kt,
"wrong tls-crypt-v2 server key");
struct key2 unwrapped_client_key2 = { 0 };
- assert_false(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2,
- &ctx->unwrapped_metadata,
- ctx->wkc,
- &ctx->server_keys.decrypt));
+ assert_false(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2, &ctx->unwrapped_metadata,
+ ctx->wkc, &ctx->server_keys.decrypt));
const struct key2 zero = { 0 };
assert_true(0 == memcmp(&unwrapped_client_key2, &zero, sizeof(zero)));
@@ -597,23 +574,17 @@
static void
tls_crypt_v2_wrap_unwrap_dst_too_small(void **state)
{
- struct test_tls_crypt_v2_context *ctx =
- (struct test_tls_crypt_v2_context *) *state;
+ struct test_tls_crypt_v2_context *ctx = (struct test_tls_crypt_v2_context *)*state;
- uint8_t *metadata =
- buf_write_alloc(&ctx->metadata, TLS_CRYPT_V2_MAX_METADATA_LEN);
+ uint8_t *metadata = buf_write_alloc(&ctx->metadata, TLS_CRYPT_V2_MAX_METADATA_LEN);
assert_true(rand_bytes(metadata, TLS_CRYPT_V2_MAX_METADATA_LEN));
- assert_true(tls_crypt_v2_wrap_client_key(&ctx->wkc, &ctx->client_key2,
- &ctx->metadata,
- &ctx->server_keys.encrypt,
- &ctx->gc));
+ assert_true(tls_crypt_v2_wrap_client_key(&ctx->wkc, &ctx->client_key2, &ctx->metadata,
+ &ctx->server_keys.encrypt, &ctx->gc));
struct key2 unwrapped_client_key2 = { 0 };
- struct buffer unwrapped_metadata =
- alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN-1, &ctx->gc);
- assert_false(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2,
- &unwrapped_metadata, ctx->wkc,
- &ctx->server_keys.decrypt));
+ struct buffer unwrapped_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN - 1, &ctx->gc);
+ assert_false(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2, &unwrapped_metadata,
+ ctx->wkc, &ctx->server_keys.decrypt));
const struct key2 zero = { 0 };
assert_true(0 == memcmp(&unwrapped_client_key2, &zero, sizeof(zero)));
@@ -626,8 +597,7 @@
const char *filename = "testfilename.key";
expect_string(__wrap_buffer_write_file, filename, filename);
- expect_memory(__wrap_buffer_write_file, pem, test_server_key,
- strlen(test_server_key));
+ expect_memory(__wrap_buffer_write_file, pem, test_server_key, strlen(test_server_key));
will_return(__wrap_buffer_write_file, true);
tls_crypt_v2_write_server_key_file(filename);
@@ -640,8 +610,7 @@
/* Test writing the client key */
expect_string(__wrap_buffer_write_file, filename, filename);
- expect_memory(__wrap_buffer_write_file, pem, test_client_key,
- strlen(test_client_key));
+ expect_memory(__wrap_buffer_write_file, pem, test_client_key, strlen(test_client_key));
will_return(__wrap_buffer_write_file, true);
/* Key generation re-reads the created file as a sanity check */
@@ -667,8 +636,7 @@
expect_string(__wrap_buffer_read_from_file, filename, filename);
will_return(__wrap_buffer_read_from_file, test_client_key_metadata);
- tls_crypt_v2_write_client_key_file(filename, b64metadata, test_server_key,
- true);
+ tls_crypt_v2_write_client_key_file(filename, b64metadata, test_server_key, true);
}
int
@@ -676,44 +644,31 @@
{
openvpn_unit_test_setup();
const struct CMUnitTest tests[] = {
- cmocka_unit_test_setup_teardown(tls_crypt_loopback,
- test_tls_crypt_setup,
+ cmocka_unit_test_setup_teardown(tls_crypt_loopback, test_tls_crypt_setup,
test_tls_crypt_teardown),
- cmocka_unit_test_setup_teardown(tls_crypt_loopback_zero_len,
- test_tls_crypt_setup,
+ cmocka_unit_test_setup_teardown(tls_crypt_loopback_zero_len, test_tls_crypt_setup,
test_tls_crypt_teardown),
- cmocka_unit_test_setup_teardown(tls_crypt_loopback_max_len,
- test_tls_crypt_setup,
+ cmocka_unit_test_setup_teardown(tls_crypt_loopback_max_len, test_tls_crypt_setup,
test_tls_crypt_teardown),
- cmocka_unit_test_setup_teardown(tls_crypt_fail_msg_too_long,
- test_tls_crypt_setup,
+ cmocka_unit_test_setup_teardown(tls_crypt_fail_msg_too_long, test_tls_crypt_setup,
test_tls_crypt_teardown),
- cmocka_unit_test_setup_teardown(tls_crypt_fail_invalid_key,
- test_tls_crypt_setup,
+ cmocka_unit_test_setup_teardown(tls_crypt_fail_invalid_key, test_tls_crypt_setup,
test_tls_crypt_teardown),
- cmocka_unit_test_setup_teardown(tls_crypt_fail_replay,
- test_tls_crypt_setup,
+ cmocka_unit_test_setup_teardown(tls_crypt_fail_replay, test_tls_crypt_setup,
test_tls_crypt_teardown),
- cmocka_unit_test_setup_teardown(tls_crypt_ignore_replay,
- test_tls_crypt_setup,
+ cmocka_unit_test_setup_teardown(tls_crypt_ignore_replay, test_tls_crypt_setup,
test_tls_crypt_teardown),
cmocka_unit_test_setup_teardown(tls_crypt_v2_wrap_unwrap_no_metadata,
- test_tls_crypt_v2_setup,
- test_tls_crypt_v2_teardown),
+ test_tls_crypt_v2_setup, test_tls_crypt_v2_teardown),
cmocka_unit_test_setup_teardown(tls_crypt_v2_wrap_unwrap_max_metadata,
- test_tls_crypt_v2_setup,
- test_tls_crypt_v2_teardown),
+ test_tls_crypt_v2_setup, test_tls_crypt_v2_teardown),
cmocka_unit_test_setup_teardown(tls_crypt_v2_wrap_too_long_metadata,
- test_tls_crypt_v2_setup,
- test_tls_crypt_v2_teardown),
- cmocka_unit_test_setup_teardown(tls_crypt_v2_wrap_unwrap_wrong_key,
- test_tls_crypt_v2_setup,
+ test_tls_crypt_v2_setup, test_tls_crypt_v2_teardown),
+ cmocka_unit_test_setup_teardown(tls_crypt_v2_wrap_unwrap_wrong_key, test_tls_crypt_v2_setup,
test_tls_crypt_v2_teardown),
cmocka_unit_test_setup_teardown(tls_crypt_v2_wrap_unwrap_dst_too_small,
- test_tls_crypt_v2_setup,
- test_tls_crypt_v2_teardown),
- cmocka_unit_test_setup_teardown(test_tls_crypt_secure_reneg_key,
- test_tls_crypt_setup,
+ test_tls_crypt_v2_setup, test_tls_crypt_v2_teardown),
+ cmocka_unit_test_setup_teardown(test_tls_crypt_secure_reneg_key, test_tls_crypt_setup,
test_tls_crypt_teardown),
cmocka_unit_test(test_tls_crypt_v2_write_server_key_file),
cmocka_unit_test(test_tls_crypt_v2_write_client_key_file),
@@ -64,19 +64,16 @@
assert_true(0);
}
bool
-management_query_user_pass(struct management *man,
- struct user_pass *up,
- const char *type,
- const unsigned int flags,
- const char *static_challenge)
+management_query_user_pass(struct management *man, struct user_pass *up, const char *type,
+ const unsigned int flags, const char *static_challenge)
{
assert_true(0);
return false;
}
/* stubs for some unused functions instead of pulling in too many dependencies */
int
-parse_line(const char *line, char **p, const int n, const char *file,
- const int line_num, int msglevel, struct gc_arena *gc)
+parse_line(const char *line, char **p, const int n, const char *file, const int line_num,
+ int msglevel, struct gc_arena *gc)
{
assert_true(0);
return 0;
@@ -162,7 +159,9 @@
/*FIXME: query_user_exec() called even though nothing queued */
will_return(query_user_exec_builtin, true);
/* FIXME? content after first two lines just ignored */
- assert_true(get_user_pass_cr(&up, "#iuser and 커뮤니티\n//ipasswörd!\nsome other content\nnot relevant", "UT", flags, NULL));
+ assert_true(
+ get_user_pass_cr(&up, "#iuser and 커뮤니티\n//ipasswörd!\nsome other content\nnot relevant",
+ "UT", flags, NULL));
assert_true(up.defined);
assert_string_equal(up.username, "#iuser and 커뮤니티");
assert_string_equal(up.password, "//ipasswörd!");
@@ -250,7 +249,7 @@
unsigned int flags = 0;
char authfile[PATH_MAX] = { 0 };
- openvpn_test_get_srcdir_dir(authfile, PATH_MAX, "input/user_pass.txt" );
+ openvpn_test_get_srcdir_dir(authfile, PATH_MAX, "input/user_pass.txt");
/*FIXME: query_user_exec() called even though nothing queued */
will_return(query_user_exec_builtin, true);
@@ -292,7 +291,8 @@
const char *challenge = "CRV1:R,E:Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l:Y3Ix:Please enter token PIN";
unsigned int flags = GET_USER_PASS_DYNAMIC_CHALLENGE;
- expect_string(query_user_exec_builtin, query_user[i].prompt, "CHALLENGE: Please enter token PIN");
+ expect_string(query_user_exec_builtin, query_user[i].prompt,
+ "CHALLENGE: Please enter token PIN");
will_return(query_user_exec_builtin, "challenge_response");
will_return(query_user_exec_builtin, true);
assert_true(get_user_pass_cr(&up, NULL, "UT", flags, challenge));
@@ -314,7 +314,8 @@
expect_string(query_user_exec_builtin, query_user[i].prompt, "Enter UT Password:");
will_return(query_user_exec_builtin, "cpassword");
will_return(query_user_exec_builtin, true);
- expect_string(query_user_exec_builtin, query_user[i].prompt, "CHALLENGE: Please enter token PIN");
+ expect_string(query_user_exec_builtin, query_user[i].prompt,
+ "CHALLENGE: Please enter token PIN");
will_return(query_user_exec_builtin, "challenge_response");
will_return(query_user_exec_builtin, true);
assert_true(get_user_pass_cr(&up, NULL, "UT", flags, challenge));
@@ -332,7 +333,8 @@
expect_string(query_user_exec_builtin, query_user[i].prompt, "Enter UT Password:");
will_return(query_user_exec_builtin, "c1password");
will_return(query_user_exec_builtin, true);
- expect_string(query_user_exec_builtin, query_user[i].prompt, "CHALLENGE: Please enter token PIN");
+ expect_string(query_user_exec_builtin, query_user[i].prompt,
+ "CHALLENGE: Please enter token PIN");
will_return(query_user_exec_builtin, "0123456");
will_return(query_user_exec_builtin, true);
assert_true(get_user_pass_cr(&up, NULL, "UT", flags, challenge));
@@ -343,11 +345,12 @@
reset_user_pass(&up);
- flags = GET_USER_PASS_STATIC_CHALLENGE|GET_USER_PASS_INLINE_CREDS;
+ flags = GET_USER_PASS_STATIC_CHALLENGE | GET_USER_PASS_INLINE_CREDS;
/*FIXME: query_user_exec() called even though nothing queued */
will_return(query_user_exec_builtin, true);
- expect_string(query_user_exec_builtin, query_user[i].prompt, "CHALLENGE: Please enter token PIN");
+ expect_string(query_user_exec_builtin, query_user[i].prompt,
+ "CHALLENGE: Please enter token PIN");
will_return(query_user_exec_builtin, "challenge_response");
will_return(query_user_exec_builtin, true);
assert_true(get_user_pass_cr(&up, "iuser\nipassword", "UT", flags, challenge));
@@ -12,7 +12,6 @@
static void
pass_any_null_param__returns_null(void **state)
{
-
char DUMMY[] = "DUMMY";
assert_null(searchandreplace(NULL, DUMMY, DUMMY));
@@ -23,7 +22,6 @@
static void
pass_any_empty_string__returns_null(void **state)
{
-
char DUMMY[] = "DUMMY";
char EMPTY[] = "";