Hi, I totally want to have this, and overall the changes all make sense (so ACK for the refactoring part, needs a few windows held side by side in addition to tkdiff... :-) ), but something puzzles me...
On Tue, Nov 22, 2016 at 08:57:11PM +0100, Steffan Karger wrote: [..] > @@ -2320,6 +2318,26 @@ key_method_2_read (struct buffer *buf, struct context > *c, struct tls_session *se > /* Peer does not support NCP */ > session->opt->ncp_enabled = false; > } > + > + /* "Poor man's NCP": Use peer cipher if it is an allowed (NCP) cipher. > + * Allows non-NCP client to upgrade their cipher individually. */ > + char *remote_cipher = options_string_extract_option (options, "cipher", > &gc); > + if (c->options.ncp_enabled && !session->opt->ncp_enabled && remote_cipher > && > + 0 != strcmp(c->options.ciphername, remote_cipher)) > + { This looks totally logical and all, until I try to compile it - and then the compiler ruins the day for me... ../../../openvpn/src/openvpn/ssl.c: In function 'key_method_2_read': ../../../openvpn/src/openvpn/ssl.c:2313:7: error: 'c' undeclared (first use in this function) if (c->options.ncp_enabled && !session->opt->ncp_enabled && remote_cipher && ^ ... and I can not seriously argue with it here... - there is no "c". (David pointed out that *his* patch brings in the "c" here, but that one didn't receive enough love yet, so is not in *my* tree...) So - this needs to be sorted out. There is another catch here - options_string_extract_option() is wrapped in an #ifdef ENABLE_OCC, which is turned off if you configure --enable-small (so linking breaks). That second catch can be easily fixed by wrapping this whole code new code block in #ifdef ENABLE_OCC as well (if the data is just not enable in this case) or by moving the "extract" function after the corresponding #endif... Finally, moving over tls_limit_reneg_bytes() broke the whitespace in weird ways - it got mangled to tls_limit_reneg_bytes (session->opt->key_type.cipher, &session->opt->renegotiate_bytes); while it was tls_limit_reneg_bytes (session->opt->key_type.cipher, &session->opt->renegotiate_bytes); (I could fix that on the fly, and also the #ifdef ENABLE_OCC, but not the "c" one) "Can I have a v5, please...?" gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany g...@greenie.muc.de fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
signature.asc
Description: PGP signature
------------------------------------------------------------------------------
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel