From: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com> Date: Tue, 29 Jun 2021 09:50:16 +0000 (+0200) Subject: Reorganize #include X-Git-Tag: v8.20~112^2 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=fe795bf5b373c036a32bd73ab9f6eadf6466fafe;p=users%2Fdwmw2%2Fopenconnect.git Reorganize #include - Reorder header files as suggested here: https://stackoverflow.com/questions/2762568/c-c-include-header-file-order https://softwareengineering.stackexchange.com/questions/325549/c-header-file-order - Remove duplicates - Remove unused headers files - Change "config.h" to - Include before openconnect.h, which is not entirely self-contained. Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com> --- diff --git a/COPYING.LGPL b/COPYING.LGPL index 602bfc94..551cb4ac 100644 --- a/COPYING.LGPL +++ b/COPYING.LGPL @@ -500,5 +500,3 @@ necessary. Here is a sample; alter the names: Ty Coon, President of Vice That's all there is to it! - - diff --git a/array.c b/array.c index 195de40b..e6f7bf71 100644 --- a/array.c +++ b/array.c @@ -17,25 +17,19 @@ #include +#include "openconnect-internal.h" + +#include "json.h" + #include #include -#include -#include -#include -#include -#include -#include #include -#include -#include - #ifdef _WIN32 #include "win32-ipicmp.h" #else /* The BSDs require the first two headers before netinet/ip.h * (Linux and macOS already #include them within netinet/ip.h) */ -#include #include #include #include @@ -44,9 +38,13 @@ #include #endif -#include "json.h" - -#include "openconnect-internal.h" +#include +#include +#include +#include +#include +#include +#include static struct oc_auth_form *plain_auth_form(void) { @@ -1309,4 +1307,3 @@ int array_bye(struct openconnect_info *vpninfo, const char *reason) free(res_buf); return ret; } - diff --git a/auth-common.c b/auth-common.c index 8d7ea39d..40ce666b 100644 --- a/auth-common.c +++ b/auth-common.c 
@@ -17,19 +17,20 @@ #include +#include "openconnect-internal.h" + #include #include +#include + #include #include #include #include #include #include -#include #include -#include "openconnect-internal.h" - int xmlnode_is_named(xmlNode *xml_node, const char *name) { return !strcmp((char *)xml_node->name, name); diff --git a/auth-globalprotect.c b/auth-globalprotect.c index 6e8f9c44..6282f96f 100644 --- a/auth-globalprotect.c +++ b/auth-globalprotect.c @@ -17,13 +17,13 @@ #include -#include -#include +#include "openconnect-internal.h" #include #include -#include "openconnect-internal.h" +#include +#include struct login_context { char *username; /* Username that has already succeeded in some form */ diff --git a/auth-html.c b/auth-html.c index 9bf268e0..eecfd74a 100644 --- a/auth-html.c +++ b/auth-html.c @@ -17,12 +17,12 @@ #include -#include +#include "openconnect-internal.h" #include #include -#include "openconnect-internal.h" +#include xmlNodePtr htmlnode_next(xmlNodePtr top, xmlNodePtr node) { diff --git a/auth-juniper.c b/auth-juniper.c index a5356045..b8be3d2b 100644 --- a/auth-juniper.c +++ b/auth-juniper.c @@ -22,25 +22,25 @@ #include +#include "openconnect-internal.h" + +#include +#include + #include #include +#include +#ifndef _WIN32 +#include +#endif + #include #include #include #include #include #include -#include #include -#include -#ifndef _WIN32 -#include -#endif - -#include -#include - -#include "openconnect-internal.h" /* XX: This is actually a lot of duplication with the CSTP version. */ void oncp_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf) diff --git a/auth.c b/auth.c index 49947d76..a77e0979 100644 --- a/auth.c +++ b/auth.c @@ -18,13 +18,13 @@ #include -#include +#include "openconnect-internal.h" + +#include +#include + #include #include -#include -#include -#include -#include #include #include #ifndef _WIN32 
@@ -33,10 +33,11 @@ #include #endif -#include -#include - -#include "openconnect-internal.h" +#include +#include +#include +#include +#include static int xmlpost_append_form_opts(struct openconnect_info *vpninfo, struct oc_auth_form *form, struct oc_text_buf *body); diff --git a/compat.c b/compat.c index c0d1a4dc..5ddb97e9 100644 --- a/compat.c +++ b/compat.c @@ -17,6 +17,8 @@ #include +#include "openconnect-internal.h" + #include #include #include @@ -41,8 +43,6 @@ errno_t _putenv_s( #endif #endif -#include "openconnect-internal.h" - #ifdef HAVE_SUNOS_BROKEN_TIME /* * On SunOS, time() goes backwards. Thankfully, gethrtime() doesn't. diff --git a/cstp.c b/cstp.c index d9ac12de..2c85d4e2 100644 --- a/cstp.c +++ b/cstp.c @@ -18,16 +18,8 @@ #include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include +#include "openconnect-internal.h" + #ifdef HAVE_LZ4 #include #ifndef HAVE_LZ4_COMPRESS_DEFAULT @@ -35,12 +27,21 @@ #endif #endif +#include +#include +#include #if defined(__linux__) /* For TCP_INFO */ # include #endif -#include "openconnect-internal.h" +#include +#include +#include +#include +#include +#include +#include /* * Data packets are encapsulated in the SSL stream as follows: diff --git a/digest.c b/digest.c index a860ab87..c91fc2a1 100644 --- a/digest.c +++ b/digest.c @@ -17,12 +17,12 @@ #include +#include "openconnect-internal.h" + #include #include #include -#include "openconnect-internal.h" - #define ALGO_MD5 0 #define ALGO_MD5_SESS 1 diff --git a/dtls.c b/dtls.c index 6fd1d19c..894a9687 100644 --- a/dtls.c +++ b/dtls.c @@ -17,19 +17,20 @@ #include -#include -#include +#include "openconnect-internal.h" + #include +#include #include -#include -#include -#include #ifndef _WIN32 #include #include #endif -#include "openconnect-internal.h" +#include +#include +#include +#include /* * The master-secret is generated randomly by the client. The server 
diff --git a/esp-seqno.c b/esp-seqno.c index d366bc2c..3ba2bf33 100644 --- a/esp-seqno.c +++ b/esp-seqno.c @@ -17,13 +17,13 @@ #include -#include +#include "openconnect-internal.h" + #include +#include #include #include -#include "openconnect-internal.h" - #define DTLS_EMPTY_BITMAP (0xFFFFFFFFFFFFFFFFULL) /* Eventually we're going to have to have more than one incoming ESP @@ -139,4 +139,3 @@ int verify_packet_seqno(struct openconnect_info *vpninfo, } } } - diff --git a/esp.c b/esp.c index 87d87264..56190b17 100644 --- a/esp.c +++ b/esp.c @@ -17,16 +17,18 @@ #include +#include "openconnect-internal.h" + +#include "lzo.h" + +#include + #include #include -#include #include #include #include -#include "openconnect-internal.h" -#include "lzo.h" - int print_esp_keys(struct openconnect_info *vpninfo, const char *name, struct esp *esp) { int i; diff --git a/f5.c b/f5.c index 6daae59b..dc094ab3 100644 --- a/f5.c +++ b/f5.c @@ -17,23 +17,24 @@ #include +#include "openconnect-internal.h" + +#include "ppp.h" + +#include +#include + #include #include +#include + #include #include #include #include #include #include -#include #include -#include - -#include -#include - -#include "openconnect-internal.h" -#include "ppp.h" #define XCAST(x) ((const xmlChar *)(x)) diff --git a/fortinet.c b/fortinet.c index 31895bc3..fa9fc798 100644 --- a/fortinet.c +++ b/fortinet.c @@ -17,23 +17,24 @@ #include +#include "openconnect-internal.h" + +#include "ppp.h" + +#include +#include + #include #include +#include + #include #include #include #include #include #include -#include #include -#include - -#include -#include - -#include "openconnect-internal.h" -#include "ppp.h" /* clthello/svrhello strings for Fortinet DTLS initialization. * NB: C string literals implicitly add a final \0 (which is correct for these). diff --git a/gnutls-dtls.c b/gnutls-dtls.c index 67d97a23..57e2fc9f 100644 --- a/gnutls-dtls.c +++ b/gnutls-dtls.c 
@@ -18,21 +18,22 @@ #include -#include -#include +#include "gnutls.h" + +#include + #include #include -#include -#include -#include +#include #ifndef _WIN32 #include #include #endif - -#include -#include "gnutls.h" +#include +#include +#include +#include #if GNUTLS_VERSION_NUMBER < 0x030400 # define GNUTLS_CIPHER_CHACHA20_POLY1305 23 diff --git a/gnutls-esp.c b/gnutls-esp.c index ce2c8456..e350ff79 100644 --- a/gnutls-esp.c +++ b/gnutls-esp.c @@ -17,15 +17,16 @@ #include -#include -#include -#include -#include +#include "openconnect-internal.h" #include #include -#include "openconnect-internal.h" +#include + +#include +#include +#include void destroy_esp_ciphers(struct esp *esp) { diff --git a/gnutls.c b/gnutls.c index 488dabdc..afa5d917 100644 --- a/gnutls.c +++ b/gnutls.c @@ -17,15 +17,9 @@ #include -#include -#include -#include -#include -#include -#include -#include -#include -#include +#include "openconnect-internal.h" + +#include "gnutls.h" #include #include @@ -39,15 +33,23 @@ #include #endif +#include +#include +#include + +#include +#include +#include +#include +#include +#include + #if defined(HAVE_P11KIT) || defined(HAVE_GNUTLS_SYSTEM_KEYS) static int gnutls_pin_callback(void *priv, int attempt, const char *uri, const char *token_label, unsigned int flags, char *pin, size_t pin_max); #endif /* HAVE_P11KIT || HAVE_GNUTLS_SYSTEM_KEYS */ -#include "gnutls.h" -#include "openconnect-internal.h" - /* GnuTLS 2.x lacked this. But GNUTLS_E_UNEXPECTED_PACKET_LENGTH basically * does the same thing. * https://lists.infradead.org/pipermail/openconnect-devel/2014-March/001726.html diff --git a/gnutls.h b/gnutls.h index 3ce7f877..94262cfa 100644 --- a/gnutls.h +++ b/gnutls.h 
@@ -18,12 +18,12 @@ #ifndef __OPENCONNECT_GNUTLS_H__ #define __OPENCONNECT_GNUTLS_H__ +#include "openconnect-internal.h" + #include #include #include -#include "openconnect-internal.h" - int load_tpm1_key(struct openconnect_info *vpninfo, struct cert_info *certinfo, gnutls_datum_t *fdata, gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig); void release_tpm1_ctx(struct openconnect_info *info, struct cert_info *certinfo); diff --git a/gnutls_tpm.c b/gnutls_tpm.c index 9eaf9327..605bb752 100644 --- a/gnutls_tpm.c +++ b/gnutls_tpm.c @@ -22,14 +22,15 @@ #include -#include -#include - -#include #include "openconnect-internal.h" #include "gnutls.h" +#include + +#include +#include + #ifdef HAVE_TROUSERS #include #include diff --git a/gnutls_tpm2.c b/gnutls_tpm2.c index 1f0f0946..5e1d7b4c 100644 --- a/gnutls_tpm2.c +++ b/gnutls_tpm2.c @@ -17,13 +17,15 @@ #include -#include -#include - -#include #include "openconnect-internal.h" + #include "gnutls.h" +#include + +#include +#include + #ifdef HAVE_TSS2 #include diff --git a/gnutls_tpm2_esys.c b/gnutls_tpm2_esys.c index 3adcb544..203c5c15 100644 --- a/gnutls_tpm2_esys.c +++ b/gnutls_tpm2_esys.c @@ -48,19 +48,20 @@ * THE POSSIBILITY OF SUCH DAMAGE. ******************************************************************************/ -#include "config.h" +#include #include "openconnect-internal.h" -#include "gnutls.h" -#include -#include -#include +#include "gnutls.h" #include #include #include +#include +#include +#include + struct oc_tpm2_ctx { TSS2_TCTI_CONTEXT *tcti_ctx; TPM2B_PUBLIC pub; diff --git a/gnutls_tpm2_ibm.c b/gnutls_tpm2_ibm.c index 7ff6670c..f5186c7b 100644 --- a/gnutls_tpm2_ibm.c +++ b/gnutls_tpm2_ibm.c @@ -17,9 +17,10 @@ * Lesser General Public License for more details. */ -#include "config.h" +#include #include "openconnect-internal.h" + #include "gnutls.h" #include diff --git a/gpst.c b/gpst.c index 0bdaf85f..a8d4c2fe 100644 --- a/gpst.c +++ b/gpst.c 
@@ -17,30 +17,22 @@ #include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#ifndef _WIN32 -#include -#endif -#include +#include "openconnect-internal.h" + #ifdef HAVE_LZ4 #include #endif +#include +#include +#include #ifdef _WIN32 #include "win32-ipicmp.h" #else +#include /* The BSDs require the first two headers before netinet/ip.h * (Linux and macOS already #include them within netinet/ip.h) */ -#include #include #include #include @@ -54,7 +46,13 @@ # include #endif -#include "openconnect-internal.h" +#include +#include +#include +#include +#include +#include +#include /* * Data packets are encapsulated in the SSL stream as follows: diff --git a/gssapi.c b/gssapi.c index 6f917149..cf5df1e3 100644 --- a/gssapi.c +++ b/gssapi.c @@ -17,11 +17,11 @@ #include +#include "openconnect-internal.h" + #include #include -#include "openconnect-internal.h" - static void print_gss_err(struct openconnect_info *vpninfo, const char *where, gss_OID mech, OM_uint32 err_maj, OM_uint32 err_min) { diff --git a/http-auth.c b/http-auth.c index fe142000..cf263f5b 100644 --- a/http-auth.c +++ b/http-auth.c @@ -17,8 +17,11 @@ #include +#include "openconnect-internal.h" + #include #include + #include #include #include @@ -27,8 +30,6 @@ #include #include -#include "openconnect-internal.h" - static int basic_authorization(struct openconnect_info *vpninfo, int proxy, struct http_auth_state *auth_state, struct oc_text_buf *hdrbuf) diff --git a/http.c b/http.c index aef75f04..d4994347 100644 --- a/http.c +++ b/http.c @@ -18,8 +18,13 @@ #include +#include "openconnect-internal.h" + +#include + #include #include + #include #include #include @@ -28,10 +33,6 @@ #include #include -#include - -#include "openconnect-internal.h" - static int proxy_write(struct openconnect_info *vpninfo, char *buf, size_t len); static int proxy_read(struct openconnect_info *vpninfo, char *buf, size_t len); diff --git a/iconv.c b/iconv.c index 30208300..f9b6deb2 100644 
--- a/iconv.c +++ b/iconv.c @@ -17,12 +17,13 @@ #include +#include "openconnect-internal.h" + #include + #include #include -#include "openconnect-internal.h" - static char *convert_str(struct openconnect_info *vpninfo, iconv_t ic, char *instr) diff --git a/jni.c b/jni.c index 4bf9fac1..549247f9 100644 --- a/jni.c +++ b/jni.c @@ -15,17 +15,19 @@ #include +#include "openconnect.h" + +#include + +#include +#include + #include #include #include #include #include #include -#include -#include - -#include -#include "openconnect.h" struct libctx { JNIEnv *jenv; diff --git a/jsondump.c b/jsondump.c index f2dfd235..e0e7c713 100644 --- a/jsondump.c +++ b/jsondump.c @@ -17,13 +17,13 @@ #include -#include -#include -#include +#include "openconnect-internal.h" #include "json.h" -#include "openconnect-internal.h" +#include +#include +#include /* * Copyright (C) 2015 Mirko Pasqualetti All rights reserved. @@ -150,4 +150,3 @@ void dump_json(struct openconnect_info *vpninfo, int lvl, json_value *value) dump_json_value(vpninfo, lvl, buf, value, 0); buf_free(buf); } - diff --git a/library.c b/library.c index dbd37637..8900944d 100644 --- a/library.c +++ b/library.c @@ -18,12 +18,11 @@ #include -#include -#include -#include -#include -#include -#include +#include "openconnect-internal.h" + +#if defined(OPENCONNECT_GNUTLS) +#include "gnutls.h" +#endif #ifdef HAVE_LIBSTOKEN #include @@ -32,16 +31,18 @@ #include #include -#include "openconnect-internal.h" - -#if defined(OPENCONNECT_GNUTLS) -#include "gnutls.h" -#endif - #if defined(OPENCONNECT_OPENSSL) #include #endif +#include +#include + +#include +#include +#include +#include + struct openconnect_info *openconnect_vpninfo_new(const char *useragent, openconnect_validate_peer_cert_vfn validate_peer_cert, openconnect_write_new_config_vfn write_new_config, diff --git a/lzo.c b/lzo.c index c3c2d067..8fbd6b7e 100644 --- a/lzo.c +++ b/lzo.c 
@@ -19,15 +19,15 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ -#include -#include - //#include "avutil.h" //#include "avassert.h" //#include "common.h" //#include "intreadwrite.h" #include "lzo.h" +#include +#include + /// Define if we may write up to 12 bytes beyond the output buffer. #define OUTBUF_PADDED 1 /// Define if we may read up to 8 bytes beyond the input buffer. diff --git a/lzs.c b/lzs.c index 4967b74c..05409fa7 100644 --- a/lzs.c +++ b/lzs.c @@ -17,12 +17,12 @@ #include +#include "openconnect-internal.h" + #include #include #include -#include "openconnect-internal.h" - #define GET_BITS(bits) \ do { \ /* Strictly speaking, this check ought to be on \ diff --git a/main.c b/main.c index ba0d44ab..1a4455a8 100644 --- a/main.c +++ b/main.c @@ -19,34 +19,28 @@ #include +#include "openconnect-internal.h" + #ifdef HAVE_GETLINE /* Various BSD systems require this for getline() to be visible */ #define _WITH_GETLINE #endif -#include -#include -#include -#include -#include -#ifdef HAVE_STRINGS_H -#include -#endif -#include +#include + #include #include #include #include -#include -#include #include +#ifdef HAVE_STRINGS_H +#include +#endif #ifdef LIBPROXY_HDR #include LIBPROXY_HDR #endif -#include "openconnect-internal.h" - #ifdef _WIN32 #include #include @@ -57,6 +51,14 @@ #include #endif +#include +#include +#include +#include +#include +#include +#include + #ifdef HAVE_NL_LANGINFO #include diff --git a/mainloop.c b/mainloop.c index 9205587d..0d57db26 100644 --- a/mainloop.c +++ b/mainloop.c @@ -17,18 +17,19 @@ #include -#include -#include -#include +#include "openconnect-internal.h" + #include -#include #ifndef _WIN32 /* for setgroups() */ # include # include #endif -#include "openconnect-internal.h" +#include +#include +#include +#include int queue_new_packet(struct openconnect_info *vpninfo, struct pkt_q *q, void *buf, int len) diff --git a/mtucalc.c b/mtucalc.c index 7da9ebff..0b96be05 100644 --- a/mtucalc.c 
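Review bot: In the first main.c hunk, `#include "openconnect-internal.h"` now precedes the `#ifdef HAVE_GETLINE` / `#define _WITH_GETLINE` block, so the macro is defined after whatever system headers the internal header pulls in. The existing comment says some BSDs need the macro for getline() to be visible, which only works if it is set before the stdio header is first included. The openconnect-internal.h sections of this commit show that header including a run of system headers (their names are not visible in this rendering), so getline() may end up undeclared on those platforms. That would mean a build failure, or an implicit declaration that truncates its ssize_t result. Keep the `_WITH_GETLINE` block directly after the config header and move `#include "openconnect-internal.h"` below it.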
+++ b/mtucalc.c @@ -16,6 +16,7 @@ */ #include + #include "openconnect-internal.h" #if defined(__linux__) diff --git a/ntlm.c b/ntlm.c index d7e249c4..01f0aff8 100644 --- a/ntlm.c +++ b/ntlm.c @@ -17,17 +17,12 @@ #include +#include "openconnect-internal.h" + #include #include -#include -#include #include #include -#include -#include -#include -#include -#include #ifdef HAVE_ALLOCA_H #include #endif @@ -35,7 +30,13 @@ #include #endif -#include "openconnect-internal.h" +#include +#include +#include +#include +#include +#include +#include #define NTLM_SSO_REQ 2 /* SSO type1 packet sent */ #define NTLM_MANUAL 3 /* SSO challenge/response sent or skipped; manual next */ diff --git a/nullppp.c b/nullppp.c index ca13d1ba..3e5cac6f 100644 --- a/nullppp.c +++ b/nullppp.c @@ -17,20 +17,20 @@ #include +#include "openconnect-internal.h" +#include "ppp.h" + #include #include +#include + #include #include #include #include #include #include -#include #include -#include - -#include "openconnect-internal.h" -#include "ppp.h" int nullppp_obtain_cookie(struct openconnect_info *vpninfo) { diff --git a/oath.c b/oath.c index de553f75..8730f64b 100644 --- a/oath.c +++ b/oath.c @@ -18,13 +18,13 @@ #include +#include "openconnect-internal.h" + #include #include #include #include -#include "openconnect-internal.h" - static int b32_char(char in) { if (in >= 'A' && in <= 'Z') diff --git a/oidc.c b/oidc.c index 11559325..555c35a6 100644 --- a/oidc.c +++ b/oidc.c @@ -17,13 +17,13 @@ #include +#include "openconnect-internal.h" + #include #include #include #include -#include "openconnect-internal.h" - int set_oidc_token(struct openconnect_info *vpninfo, const char *token_str) { int ret; @@ -52,5 +52,3 @@ int set_oidc_token(struct openconnect_info *vpninfo, const char *token_str) vpninfo->token_mode = OC_TOKEN_MODE_OIDC; return 0; } - - diff --git a/oncp.c b/oncp.c index 92bf9ccd..206134eb 100644 --- a/oncp.c +++ b/oncp.c 
@@ -22,19 +22,19 @@ #include +#include "openconnect-internal.h" + #include #include +#include + #include #include #include #include #include #include -#include #include -#include - -#include "openconnect-internal.h" static void buf_append_tlv(struct oc_text_buf *buf, uint16_t val, uint32_t len, void *data) { diff --git a/openconnect-internal.h b/openconnect-internal.h index e03b2ee9..cb67bf6b 100644 --- a/openconnect-internal.h +++ b/openconnect-internal.h @@ -22,41 +22,18 @@ #define __OPENCONNECT_PRIVATE__ +/* + * We need to include or before openconnect.h. + * Indeed openconnect.h is specifically intended not to be self-sufficient, + * so that end-users can choose between and . + */ #ifdef _WIN32 #include -#include -#ifndef SECURITY_WIN32 -#define SECURITY_WIN32 1 -#endif -#include - -#ifndef _Out_cap_c_ -#define _Out_cap_c_(sz) -#endif -#ifndef _Ret_bytecount_ -#define _Ret_bytecount_(sz) -#endif -#include "wintun.h" -#else -#include -#include -#include -#include -#include -#include -#include #endif #include "openconnect.h" -/* Equivalent of "/dev/null" on Windows. - * See https://stackoverflow.com/a/44163934 - */ -#ifdef _WIN32 -#define DEVNULL "NUL:" -#else -#define DEVNULL "/dev/null" -#endif +#include "json.h" #if defined(OPENCONNECT_OPENSSL) #include @@ -67,7 +44,7 @@ #else #define method_const #endif -#endif /* OPENSSL */ +#endif #if defined(OPENCONNECT_GNUTLS) #include @@ -81,14 +58,6 @@ #include #endif -#include -#include -#include -#include -#include -#include -#include - #ifdef LIBPROXY_HDR #include LIBPROXY_HDR #endif 
@@ -122,8 +91,47 @@ #define N_(s) s #include +#include -#include +#ifdef _WIN32 +#ifndef _Out_cap_c_ +#define _Out_cap_c_(sz) +#endif +#ifndef _Ret_bytecount_ +#define _Ret_bytecount_(sz) +#endif +#include "wintun.h" + +#include +#ifndef SECURITY_WIN32 +#define SECURITY_WIN32 1 +#endif +#include +#else +#include +#include +#include +#include +#include +#include +#endif + +#include +#include +#include + +#include +#include +#include + +/* Equivalent of "/dev/null" on Windows. + * See https://stackoverflow.com/a/44163934 + */ +#ifdef _WIN32 +#define DEVNULL "NUL:" +#else +#define DEVNULL "/dev/null" +#endif #define SHA512_SIZE 64 #define SHA384_SIZE 48 
@@ -314,86 +322,6 @@ struct http_auth_state { }; }; -struct vpn_proto { - const char *name; - const char *pretty_name; - const char *description; - const char *secure_cookie; - const char *udp_protocol; - int proto; - unsigned int flags; - int (*vpn_close_session)(struct openconnect_info *vpninfo, const char *reason); - - /* This does the full authentication, calling back as appropriate */ - int (*obtain_cookie)(struct openconnect_info *vpninfo); - - /* Establish the TCP connection (and obtain configuration) */ - int (*tcp_connect)(struct openconnect_info *vpninfo); - - int (*tcp_mainloop)(struct openconnect_info *vpninfo, int *timeout, int readable); - - /* Add headers common to each HTTP request */ - void (*add_http_headers)(struct openconnect_info *vpninfo, struct oc_text_buf *buf); - - /* Set up the UDP (DTLS) connection. Doesn't actually *start* it. */ - int (*udp_setup)(struct openconnect_info *vpninfo); - - /* This will actually complete the UDP connection setup/handshake on the wire, - as well as transporting packets */ - int (*udp_mainloop)(struct openconnect_info *vpninfo, int *timeout, int readable); - - /* Close the connection but leave the session setup so it restarts */ - void (*udp_close)(struct openconnect_info *vpninfo); - - /* Close and destroy the (UDP) session */ - void (*udp_shutdown)(struct openconnect_info *vpninfo); - - /* Send probe packets to start or maintain the (UDP) session */ - int (*udp_send_probes)(struct openconnect_info *vpninfo); - - /* Catch probe packet confirming the (UDP) session */ - int (*udp_catch_probe)(struct openconnect_info *vpninfo, struct pkt *p); -}; - -struct pkt_q { - struct pkt *head; - struct pkt **tail; - int count; -}; - -static inline struct pkt *dequeue_packet(struct pkt_q *q) -{ - struct pkt *ret = q->head; - - if (ret) { - q->head = ret->next; - if (!--q->count) - q->tail = &q->head; - } - return ret; -} - -static inline void requeue_packet(struct pkt_q *q, struct pkt *p) -{ - p->next = q->head; - q->head 
= p; - if (!q->count++) - q->tail = &p->next; -} - -static inline int queue_packet(struct pkt_q *q, struct pkt *p) -{ - *(q->tail) = p; - p->next = NULL; - q->tail = &p->next; - return ++q->count; -} - -static inline void init_pkt_queue(struct pkt_q *q) -{ - q->tail = &q->head; -} - #define TLS_OVERHEAD 5 /* packet + header */ #define DTLS_OVERHEAD (1 /* packet + header */ + 13 /* DTLS header */ + \ 20 /* biggest supported MAC (SHA1) */ + 32 /* biggest supported IV (AES-256) */ + \ @@ -419,6 +347,8 @@ struct oc_pcsc_ctx; struct oc_tpm1_ctx; struct oc_tpm2_ctx; +struct openconnect_info; + struct cert_info { struct openconnect_info *vpninfo; char *cert; @@ -432,6 +362,14 @@ struct cert_info { #endif }; +struct pkt_q { + struct pkt *head; + struct pkt **tail; + int count; +}; + +struct vpn_proto; + struct openconnect_info { const struct vpn_proto *proto; 
@@ -799,6 +737,79 @@ struct openconnect_info { int (*ssl_write)(struct openconnect_info *vpninfo, char *buf, size_t len); }; +struct vpn_proto { + const char *name; + const char *pretty_name; + const char *description; + const char *secure_cookie; + const char *udp_protocol; + int proto; + unsigned int flags; + int (*vpn_close_session)(struct openconnect_info *vpninfo, const char *reason); + + /* This does the full authentication, calling back as appropriate */ + int (*obtain_cookie)(struct openconnect_info *vpninfo); + + /* Establish the TCP connection (and obtain configuration) */ + int (*tcp_connect)(struct openconnect_info *vpninfo); + + int (*tcp_mainloop)(struct openconnect_info *vpninfo, int *timeout, int readable); + + /* Add headers common to each HTTP request */ + void (*add_http_headers)(struct openconnect_info *vpninfo, struct oc_text_buf *buf); + + /* Set up the UDP (DTLS) connection. Doesn't actually *start* it. */ + int (*udp_setup)(struct openconnect_info *vpninfo); + + /* This will actually complete the UDP connection setup/handshake on the wire, + as well as transporting packets */ + int (*udp_mainloop)(struct openconnect_info *vpninfo, int *timeout, int readable); + + /* Close the connection but leave the session setup so it restarts */ + void (*udp_close)(struct openconnect_info *vpninfo); + + /* Close and destroy the (UDP) session */ + void (*udp_shutdown)(struct openconnect_info *vpninfo); + + /* Send probe packets to start or maintain the (UDP) session */ + int (*udp_send_probes)(struct openconnect_info *vpninfo); + + /* Catch probe packet confirming the (UDP) session */ + int (*udp_catch_probe)(struct openconnect_info *vpninfo, struct pkt *p); +}; + +static inline struct pkt *dequeue_packet(struct pkt_q *q) +{ + struct pkt *ret = q->head; + + if (ret) { + q->head = ret->next; + if (!--q->count) + q->tail = &q->head; + } + return ret; +} + +static inline void requeue_packet(struct pkt_q *q, struct pkt *p) +{ + p->next = q->head; + q->head = 
p; + if (!q->count++) + q->tail = &p->next; +} + +static inline int queue_packet(struct pkt_q *q, struct pkt *p) +{ + *(q->tail) = p; + p->next = NULL; + q->tail = &p->next; + return ++q->count; +} + +static inline void init_pkt_queue(struct pkt_q *q) +{ + q->tail = &q->head; +} static inline struct pkt *alloc_pkt(struct openconnect_info *vpninfo, int len) { diff --git a/openconnect.h b/openconnect.h index 35c3de73..210481de 100644 --- a/openconnect.h +++ b/openconnect.h @@ -20,9 +20,9 @@ #ifndef __OPENCONNECT_H__ #define __OPENCONNECT_H__ -#include #include -#include + +#include #ifdef __cplusplus extern "C" { diff --git a/openconnect.rc b/openconnect.rc index c4165a0d..9a7d7f1a 100644 --- a/openconnect.rc +++ b/openconnect.rc @@ -1,3 +1,2 @@ // application icon IDI_ICON1 ICON DISCARDABLE "openconnect.ico" - diff --git a/openssl-dtls.c b/openssl-dtls.c index 04d13246..76bcd2f1 100644 --- a/openssl-dtls.c +++ b/openssl-dtls.c @@ -17,19 +17,20 @@ #include -#include -#include +#include "openconnect-internal.h" + #include +#include #include -#include -#include -#include #ifndef _WIN32 #include #include #endif -#include "openconnect-internal.h" +#include +#include +#include +#include /* In the very early days there were cases where this wasn't found in * the header files but it did still work somehow. I forget the details diff --git a/openssl-esp.c b/openssl-esp.c index 0cb65444..459e8c09 100644 --- a/openssl-esp.c +++ b/openssl-esp.c @@ -17,16 +17,16 @@ #include -#include -#include -#include -#include - #include "openconnect-internal.h" #include #include +#include +#include +#include +#include + #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) #define EVP_CIPHER_CTX_free(c) do { \ diff --git a/openssl-pkcs11.c b/openssl-pkcs11.c index b6ef792b..f7eb3adc 100644 --- a/openssl-pkcs11.c +++ b/openssl-pkcs11.c 
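Review bot: `init_pkt_queue()` in the block moved here sets only `q->tail`, so it depends on `head` and `count` already being zero, and nothing near the helpers says so. `dequeue_packet()` reads `q->head` and `queue_packet()` returns `++q->count`, so a queue in storage that was not zeroed would hand back a stray pointer or a wrong count. Since the helpers are being relocated anyway, add a comment above `init_pkt_queue()` such as `/* Caller must zero the queue first; an empty queue has head == NULL, count == 0 and tail == &head. */`. Whether every caller allocates zeroed storage is not visible in this hunk.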
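Review bot: openconnect.h ends up with one include fewer (two `-#include` lines against one `+#include` in this hunk). The comment this commit adds to openconnect-internal.h describes the header as used by end-users, so the change reaches every application that relied on the dropped header arriving transitively. The header names are not visible in this rendering, so which declarations go missing cannot be checked here. Confirm that every type used in the public prototypes is still declared by the includes that remain. If the removal is intentional, a changelog line telling API users which header to include themselves would spare them a build break.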
@@ -17,14 +17,16 @@ #include +#include "openconnect-internal.h" + +#include + +#include + #include #include -#include #include -#include "openconnect-internal.h" -#include - #ifdef HAVE_LIBP11 /* And p11-kit */ #include diff --git a/openssl.c b/openssl.c index 0c3936d0..095e29f3 100644 --- a/openssl.c +++ b/openssl.c @@ -17,11 +17,6 @@ #include -#include -#include -#include -#include - #include "openconnect-internal.h" #include @@ -37,6 +32,12 @@ #include #include +#include + +#include +#include +#include + #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) #define X509_up_ref(x) CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_X509) #define X509_get0_notAfter(x) X509_get_notAfter(x) diff --git a/ppp.c b/ppp.c index 21f33eed..721431ae 100644 --- a/ppp.c +++ b/ppp.c @@ -17,11 +17,11 @@ #include -#include - #include "openconnect-internal.h" #include "ppp.h" +#include + static const uint16_t fcstab[256] = { 0x0000, 0x1189, 0x2312, 0x329b, 0x4624, 0x57ad, 0x6536, 0x74bf, 0x8c48, 0x9dc1, 0xaf5a, 0xbed3, 0xca6c, 0xdbe5, 0xe97e, 0xf8f7, diff --git a/pulse.c b/pulse.c index b3dd8e4f..d2d818ab 100644 --- a/pulse.c +++ b/pulse.c @@ -17,19 +17,19 @@ #include +#include "openconnect-internal.h" + #include #include +#include + #include #include #include #include #include #include -#include #include -#include - -#include "openconnect-internal.h" #define VENDOR_JUNIPER 0xa4c #define VENDOR_JUNIPER2 0x583 diff --git a/script.c b/script.c index 6d1ec72f..7d1864d4 100644 --- a/script.c +++ b/script.c @@ -17,21 +17,22 @@ #include +#include "openconnect-internal.h" + +#include #include #include -#include #include -#include #ifndef _WIN32 #include #endif + #include #include +#include #include #include -#include "openconnect-internal.h" - int script_setenv(struct openconnect_info *vpninfo, const char *opt, const char *val, int trunc, int append) { diff --git a/ssl.c b/ssl.c index 1f60d5c0..fa9e1061 100644 --- a/ssl.c +++ b/ssl.c 
@@ -17,17 +17,13 @@ #include +#include "openconnect-internal.h" + +#include #include #include -#include #include #include -#include -#include -#include -#include -#include -#include #if defined(__linux__) || defined(__ANDROID__) #include #elif defined(__FreeBSD__) || defined(__FreeBSD_kernel__) || defined(__OpenBSD__) || defined(__APPLE__) @@ -45,12 +41,17 @@ #include #endif -#include "openconnect-internal.h" - #ifdef ANDROID_KEYSTORE #include #endif +#include +#include +#include +#include +#include +#include + /* OSX < 1.6 doesn't have AI_NUMERICSERV */ #ifndef AI_NUMERICSERV #define AI_NUMERICSERV 0 diff --git a/sspi.c b/sspi.c index f0edbb0f..adc44360 100644 --- a/sspi.c +++ b/sspi.c @@ -17,11 +17,10 @@ #include -#include -#include - #include "openconnect-internal.h" +#include +#include static int sspi_setup(struct openconnect_info *vpninfo, struct http_auth_state *auth_state, const char *service, int proxy) { diff --git a/stoken.c b/stoken.c index d01dedd0..00a67625 100644 --- a/stoken.c +++ b/stoken.c @@ -18,15 +18,15 @@ #include +#include "openconnect-internal.h" + +#include + #include #include #include #include -#include - -#include "openconnect-internal.h" - #ifndef STOKEN_CHECK_VER #define STOKEN_CHECK_VER(x,y) 0 #endif @@ -333,4 +333,3 @@ int do_gen_stoken_code(struct openconnect_info *vpninfo, return -ENOMEM; return 0; } - diff --git a/textbuf.c b/textbuf.c index 05d0bcc2..760d3602 100644 --- a/textbuf.c +++ b/textbuf.c @@ -18,6 +18,8 @@ #include +#include "openconnect-internal.h" + #include #include #include @@ -28,8 +30,6 @@ #include #include -#include "openconnect-internal.h" - #define BUF_CHUNK_SIZE 4096 #define OC_BUF_MAX ((unsigned)(16*1024*1024)) diff --git a/tun-win32.c b/tun-win32.c index a9191d0f..1d27bb7f 100644 --- a/tun-win32.c +++ b/tun-win32.c @@ -17,6 +17,8 @@ #include +#include "openconnect-internal.h" + #define WIN32_LEAN_AND_MEAN #include #include 
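Review bot: In the first tun-win32.c hunk, `#define WIN32_LEAN_AND_MEAN` now sits after `#include "openconnect-internal.h"`, and the first wintun.c hunk introduces the same ordering. The openconnect-internal.h section of this commit shows that header including a system header under `#ifdef _WIN32` before anything else. By the time the macro is defined, the Windows headers have presumably already been processed, so the define no longer trims anything. Either move the define above the internal header include in both files, or drop it and leave a comment such as `/* Windows headers already come in via openconnect-internal.h */` so the dead macro does not mislead. The rest of both files lies outside these hunks.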
@@ -25,8 +27,6 @@ #include #include -#include "openconnect-internal.h" - /* * TAP-Windows support inspired by http://i3.cs.berkeley.edu/ (v0.2) with * permission. diff --git a/tun.c b/tun.c index 43a2a518..e5b8a49d 100644 --- a/tun.c +++ b/tun.c @@ -17,12 +17,12 @@ #include +#include "openconnect-internal.h" + +#include #include #include -#include #include -#include -#include #include #include #include @@ -31,17 +31,17 @@ #include #include #include -#include -#include -#include -#include #if defined(__APPLE__) && defined(HAVE_NET_UTUN_H) #include #include #include #endif - -#include "openconnect-internal.h" +#include +#include +#include +#include +#include +#include /* * If an if_tun.h include file was found anywhere (by the Makefile), it's diff --git a/win32-ipicmp.h b/win32-ipicmp.h index b31daa28..5c8ebfca 100644 --- a/win32-ipicmp.h +++ b/win32-ipicmp.h @@ -16,8 +16,8 @@ #ifndef __OPENCONNECT_WIN32_IPICMP_H__ #define __OPENCONNECT_WIN32_IPICMP_H__ -#include #include +#include /* IPv4 header and flags used in gpst.c */ diff --git a/wintun.c b/wintun.c index b4738a58..42648102 100644 --- a/wintun.c +++ b/wintun.c @@ -17,6 +17,8 @@ #include +#include "openconnect-internal.h" + #define WIN32_LEAN_AND_MEAN #include #include @@ -28,8 +30,6 @@ #include #include -#include "openconnect-internal.h" - static WINTUN_CREATE_ADAPTER_FUNC WintunCreateAdapter; static WINTUN_DELETE_ADAPTER_FUNC WintunDeleteAdapter; static WINTUN_DELETE_POOL_DRIVER_FUNC WintunDeletePoolDriver; diff --git a/xml.c b/xml.c index 46219426..bfb87627 100644 --- a/xml.c +++ b/xml.c @@ -18,18 +18,20 @@ #include -#include -#include +#include "openconnect-internal.h" + +#include +#include + #include #include #include -#include -#include + #include #include #include - -#include "openconnect-internal.h" +#include +#include static char *fetch_and_trim(xmlNode *node) { diff --git a/yubikey.c b/yubikey.c index 9d63e03a..024bb749 100644 --- a/yubikey.c +++ b/yubikey.c 
@@ -17,13 +17,13 @@ #include +#include "openconnect-internal.h" + #include #include #include #include -#include "openconnect-internal.h" - #define NAME_TAG 0x71 #define NAME_LIST_TAG 0x72 #define KEY_TAG 0x73