Re: [Openvpn-devel] [PATCH v2] Add client-only support for peer-id.

2014-11-23 Thread Steffan Karger
ACK. Code is similar to the full-blown patch for master, and float works
nicely.

-Steffan

On 23-11-14 20:17, Gert Doering wrote:
> This is a reduced version of the peer-id patch from Lev Stipakov
> implementing only the client side bits - send IV_PROTO=2, accept
> "peer-id " as pushed option, support P_DATA_V2 packets.
> 
> v2: remove addition of "struct tls_multi;" to options.h, not needed
> 
> Signed-off-by: Gert Doering 
> ---
>  src/openvpn/init.c   | 12 +++-
>  src/openvpn/options.c|  6 ++
>  src/openvpn/options.h|  4 
>  src/openvpn/ssl.c| 40 +++-
>  src/openvpn/ssl.h|  3 ++-
>  src/openvpn/ssl_common.h |  4 
>  6 files changed, 62 insertions(+), 7 deletions(-)
> 
> diff --git a/src/openvpn/init.c b/src/openvpn/init.c
> index 18f506c..4cfa132 100644
> --- a/src/openvpn/init.c
> +++ b/src/openvpn/init.c
> @@ -1711,7 +1711,8 @@ pull_permission_mask (const struct context *c)
>  | OPT_P_MESSAGES
>  | OPT_P_EXPLICIT_NOTIFY
>  | OPT_P_ECHO
> -| OPT_P_PULL_MODE;
> +| OPT_P_PULL_MODE
> +| OPT_P_PEER_ID;
>  
>if (!c->options.route_nopull)
>  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
> @@ -1790,6 +1791,15 @@ do_deferred_options (struct context *c, const unsigned 
> int found)
>  msg (D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options 
> modified");
>if (found & OPT_P_SETENV)
>  msg (D_PUSH, "OPTIONS IMPORT: environment modified");
> +
> +#ifdef ENABLE_SSL
> +  if (found & OPT_P_PEER_ID)
> +{
> +  msg (D_PUSH, "OPTIONS IMPORT: peer-id set");
> +  c->c2.tls_multi->use_peer_id = true;
> +  c->c2.tls_multi->peer_id = c->options.peer_id;
> +}
> +#endif
>  }
>  
>  /*
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index d91bb63..5bddca4 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -6996,6 +6996,12 @@ add_option (struct options *options,
>options->persist_mode = 1;
>  }
>  #endif
> +  else if (streq (p[0], "peer-id"))
> +{
> +  VERIFY_PERMISSION (OPT_P_PEER_ID);
> +  options->use_peer_id = true;
> +  options->peer_id = atoi(p[1]);
> +}
>else
>  {
>int i;
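Review bot: `options->peer_id = atoi(p[1]);` is reached without checking that an argument was pushed at all: the `else if` tests only `p[0]`, so a bare `peer-id` from the server leaves `p[1]` NULL and hands it to atoi, which is undefined behaviour. The value also comes from the remote side, yet atoi reports no parse errors and a negative or oversized number is silently stored into the `uint32_t` field, while the receive path in the ssl.c hunk skips exactly three bytes for the peer-id, i.e. the field is 24 bits wide. Suggested: `else if (streq (p[0], "peer-id") && p[1])`, then parse with strtoul (or the file's positive-integer helper, if it has one) and reject values above 0xFFFFFF through add_option's usual error path. The same hunk appears again in the unquoted copy of this patch further down the page and needs the same treatment.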
> diff --git a/src/openvpn/options.h b/src/openvpn/options.h
> index 2c18838..af9a47f 100644
> --- a/src/openvpn/options.h
> +++ b/src/openvpn/options.h
> @@ -594,6 +594,9 @@ struct options
>bool show_net_up;
>int route_method;
>  #endif
> +
> +  bool use_peer_id;
> +  uint32_t peer_id;
>  };
>  
>  #define streq(x, y) (!strcmp((x), (y)))
> @@ -629,6 +632,7 @@ struct options
>  #define OPT_P_SOCKBUF (1<<25)
>  #define OPT_P_SOCKFLAGS   (1<<26)
>  #define OPT_P_CONNECTION  (1<<27)
> +#define OPT_P_PEER_ID (1<<28)
>  
>  #define OPT_P_DEFAULT   (~(OPT_P_INSTANCE|OPT_P_PULL_MODE))
>  
> diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
> index 281176e..2373582 100644
> --- a/src/openvpn/ssl.c
> +++ b/src/openvpn/ssl.c
> @@ -627,6 +627,8 @@ packet_opcode_name (int op)
>return "P_ACK_V1";
>  case P_DATA_V1:
>return "P_DATA_V1";
> +case P_DATA_V2:
> +  return "P_DATA_V2";
>  default:
>return "P_???";
>  }
> @@ -1053,6 +1055,9 @@ tls_multi_init (struct tls_options *tls_options)
>ret->key_scan[1] = >session[TM_ACTIVE].key[KS_LAME_DUCK];
>ret->key_scan[2] = >session[TM_LAME_DUCK].key[KS_LAME_DUCK];
>  
> +  /* By default not use P_DATA_V2 */
> +  ret->use_peer_id = false;
> +
>return ret;
>  }
>  
> @@ -1828,6 +1833,8 @@ push_peer_info(struct buffer *buf, struct tls_session 
> *session)
>  #ifdef ENABLE_LZO_STUB
>buf_printf (, "IV_LZO_STUB=1\n");
>  #endif
> +  /* support for P_DATA_V2 */
> +  buf_printf(, "IV_PROTO=2\n");
>  
>if (session->opt->push_peer_info_detail >= 2)
>  {
> @@ -2777,8 +2784,9 @@ tls_pre_decrypt (struct tls_multi *multi,
>   key_id = c & P_KEY_ID_MASK;
>}
>  
> -  if (op == P_DATA_V1)
> - {   /* data channel packet */
> +  if ((op == P_DATA_V1) || (op == P_DATA_V2))
> + {
> +   /* data channel packet */
> for (i = 0; i < KEY_SCAN_SIZE; ++i)
>   {
> struct key_state *ks = multi->key_scan[i];
> @@ -2810,7 +2818,19 @@ tls_pre_decrypt (struct tls_multi *multi,
> opt->pid_persist = NULL;
> opt->flags &= multi->opt.crypto_flags_and;
> opt->flags |= multi->opt.crypto_flags_or;
> +
> ASSERT (buf_advance (buf, 1));
> +   if (op == P_DATA_V2)
> + {
> +   if (buf->len < 4)
> + {
> +   msg (D_TLS_ERRORS, "Protocol error: received 
> P_DATA_V2 from %s but length is < 4",
> + print_link_socket_actual (from, ));
> +   goto error;
> + }
> +   ASSERT (buf_advance (buf, 3));
> 

Re: [Openvpn-devel] [PATCH] configure.ac: fix default behavior

2014-11-23 Thread Yegor Yefremov
On Sat, Nov 22, 2014 at 12:57 PM, Gert Doering  wrote:
> Hiya,
>
> On Sat, Nov 22, 2014 at 11:47:05AM +0100, Arne Schwabe wrote:
>> Almost anybody always turns this feature on, at least all distributions
>> have it on.
>
> Which is indeed a strong argument for removing the conditional... maybe
> quickly discuss this ("anyone strongly opposed?") at the next meeting?

Btw another mismatch:

AC_ARG_ENABLE(
[small],
[AS_HELP_STRING([--enable-small], [enable smaller executable
size (disable OCC, usage message, and verb 4 parm list)
@<:@default=yes@:>@])],
,
[enable_small="no"]
)

Yegor



[Openvpn-devel] [PATCH v2] Add client-only support for peer-id.

2014-11-23 Thread Gert Doering
This is a reduced version of the peer-id patch from Lev Stipakov
implementing only the client side bits - send IV_PROTO=2, accept
"peer-id " as pushed option, support P_DATA_V2 packets.

v2: remove addition of "struct tls_multi;" to options.h, not needed

Signed-off-by: Gert Doering 
---
 src/openvpn/init.c   | 12 +++-
 src/openvpn/options.c|  6 ++
 src/openvpn/options.h|  4 
 src/openvpn/ssl.c| 40 +++-
 src/openvpn/ssl.h|  3 ++-
 src/openvpn/ssl_common.h |  4 
 6 files changed, 62 insertions(+), 7 deletions(-)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 18f506c..4cfa132 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1711,7 +1711,8 @@ pull_permission_mask (const struct context *c)
 | OPT_P_MESSAGES
 | OPT_P_EXPLICIT_NOTIFY
 | OPT_P_ECHO
-| OPT_P_PULL_MODE;
+| OPT_P_PULL_MODE
+| OPT_P_PEER_ID;

   if (!c->options.route_nopull)
 flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
@@ -1790,6 +1791,15 @@ do_deferred_options (struct context *c, const unsigned 
int found)
 msg (D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options 
modified");
   if (found & OPT_P_SETENV)
 msg (D_PUSH, "OPTIONS IMPORT: environment modified");
+
+#ifdef ENABLE_SSL
+  if (found & OPT_P_PEER_ID)
+{
+  msg (D_PUSH, "OPTIONS IMPORT: peer-id set");
+  c->c2.tls_multi->use_peer_id = true;
+  c->c2.tls_multi->peer_id = c->options.peer_id;
+}
+#endif
 }

 /*
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index d91bb63..5bddca4 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -6996,6 +6996,12 @@ add_option (struct options *options,
   options->persist_mode = 1;
 }
 #endif
+  else if (streq (p[0], "peer-id"))
+{
+  VERIFY_PERMISSION (OPT_P_PEER_ID);
+  options->use_peer_id = true;
+  options->peer_id = atoi(p[1]);
+}
   else
 {
   int i;
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 2c18838..af9a47f 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -594,6 +594,9 @@ struct options
   bool show_net_up;
   int route_method;
 #endif
+
+  bool use_peer_id;
+  uint32_t peer_id;
 };

 #define streq(x, y) (!strcmp((x), (y)))
@@ -629,6 +632,7 @@ struct options
 #define OPT_P_SOCKBUF (1<<25)
 #define OPT_P_SOCKFLAGS   (1<<26)
 #define OPT_P_CONNECTION  (1<<27)
+#define OPT_P_PEER_ID (1<<28)

 #define OPT_P_DEFAULT   (~(OPT_P_INSTANCE|OPT_P_PULL_MODE))

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 281176e..2373582 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -627,6 +627,8 @@ packet_opcode_name (int op)
   return "P_ACK_V1";
 case P_DATA_V1:
   return "P_DATA_V1";
+case P_DATA_V2:
+  return "P_DATA_V2";
 default:
   return "P_???";
 }
@@ -1053,6 +1055,9 @@ tls_multi_init (struct tls_options *tls_options)
   ret->key_scan[1] = >session[TM_ACTIVE].key[KS_LAME_DUCK];
   ret->key_scan[2] = >session[TM_LAME_DUCK].key[KS_LAME_DUCK];

+  /* By default not use P_DATA_V2 */
+  ret->use_peer_id = false;
+
   return ret;
 }

@@ -1828,6 +1833,8 @@ push_peer_info(struct buffer *buf, struct tls_session 
*session)
 #ifdef ENABLE_LZO_STUB
   buf_printf (, "IV_LZO_STUB=1\n");
 #endif
+  /* support for P_DATA_V2 */
+  buf_printf(, "IV_PROTO=2\n");

   if (session->opt->push_peer_info_detail >= 2)
 {
@@ -2777,8 +2784,9 @@ tls_pre_decrypt (struct tls_multi *multi,
key_id = c & P_KEY_ID_MASK;
   }

-  if (op == P_DATA_V1)
-   {   /* data channel packet */
+  if ((op == P_DATA_V1) || (op == P_DATA_V2))
+   {
+ /* data channel packet */
  for (i = 0; i < KEY_SCAN_SIZE; ++i)
{
  struct key_state *ks = multi->key_scan[i];
@@ -2810,7 +2818,19 @@ tls_pre_decrypt (struct tls_multi *multi,
  opt->pid_persist = NULL;
  opt->flags &= multi->opt.crypto_flags_and;
  opt->flags |= multi->opt.crypto_flags_or;
+
  ASSERT (buf_advance (buf, 1));
+ if (op == P_DATA_V2)
+   {
+ if (buf->len < 4)
+   {
+ msg (D_TLS_ERRORS, "Protocol error: received 
P_DATA_V2 from %s but length is < 4",
+   print_link_socket_actual (from, ));
+ goto error;
+   }
+ ASSERT (buf_advance (buf, 3));
+   }
+
  ++ks->n_packets;
  ks->n_bytes += buf->len;
  dmsg (D_TLS_KEYSELECT,
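Review bot: The P_DATA_V2 handling hard-codes the header geometry as bare `4` and `3`: the `buf->len < 4` check and `buf_advance (buf, 3)` only make sense together (one opcode byte already consumed, three peer-id bytes, at least one byte of payload left) and nothing in the code says so. A named constant for the peer-id size plus a comment such as `/* P_DATA_V2: a 3-byte peer-id follows the opcode byte; require at least 1 payload byte after it */` would make the next change to this format safer. Note also that P_DATA_V2 is accepted whether or not `multi->use_peer_id` was ever set by a pushed peer-id, and the three peer-id bytes are skipped rather than compared with `multi->peer_id`; that is presumably intentional for a client (the payload is still checked by the decrypt step that follows), but it deserves a one-line comment so it is not later mistaken for an oversight. tls_pre_decrypt starts and ends outside this hunk.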
@@ -3375,14 +3395,24 @@ tls_post_encrypt (struct tls_multi *multi, struct 
buffer *buf)
 {
   struct key_state *ks;
   uint8_t *op;
+  uint32_t peer;

   ks = multi->save_ks;
   multi->save_ks = NULL;
   if (buf->len > 0)
 {
   ASSERT (ks);
-  

[Openvpn-devel] [PATCH applied] Re: Modernize sample keys and sample configs

2014-11-23 Thread Gert Doering
ACK, thanks.

Your patch has been applied to the release/2.3 branch.

commit b77c27a1d945d740c7e7f6b64b1227d5d9077aa5 (release/2.3)

Author: Steffan Karger
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Thu Oct 23 00:14:29 2014 +0200

 Modernize sample keys and sample configs

 Signed-off-by: Steffan Karger 
 Acked-by: Gert Doering 
 Message-Id: <54721611.4020...@karger.me>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/9271
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




Re: [Openvpn-devel] [PATCH] Peer-id patch v7

2014-11-23 Thread Steffan Karger
On 23-11-14 16:17, Lev Stipakov wrote:
> Added new packet format P_DATA_V2, which includes peer-id. If server
> supports, client sends all data packets in the new format. When data
> packet arrives, server identifies peer by peer-id. If peer's ip/port has
> changed, server assumes that client has floated, verifies HMAC and
> updates ip/port in internal structs.

ACK

During the hackathon, the group decided that this indeed is a nice way
to support floating clients. I did a code review, but no real testing
(just 'make check', including t_client). Lev, Gert and Arne have however
performed real-life tests with multiple iterations of this patch.

A remaining issue is that the memory usage of a client increases for
each 'float', because generate_prefix(mi) allocates memory on each call,
which will only be free'd when the client disconnects. However, we
agreed to fix that in a separate patch.

-Steffan



Re: [Openvpn-devel] [PATCH applied] Modernize sample keys and sample configs

2014-11-23 Thread Steffan Karger
Attached the same patch, just cherry-picked to release/2.3, and resolved
the merge conflict in the readme file. Since today the old certs
expired, which will cause 'make check' to fail, this probably just got a
bit more priority.

-Steffan

On 15-11-14 17:56, Gert Doering wrote:
> Your patch has been applied to the master branch.
> 
> commit 335bbe615a03dad9087d754c9dea330e801ee3c3
> Author: Steffan Karger
> Date:   Thu Oct 23 00:14:29 2014 +0200
> 
>  Modernize sample keys and sample configs
> 
>  Signed-off-by: Steffan Karger 
>  Acked-by: Samuli Seppänen 
>  Message-Id: 
> 
>  URL: http://article.gmane.org/gmane.network.openvpn.devel/9226
>  Signed-off-by: Gert Doering 
> 
> 
> --
> kind regards,
> 
> Gert Doering
> 
>From 4b9e8da831755496c9e555e483d278d70171cf7a Mon Sep 17 00:00:00 2001
From: Steffan Karger 
List-Post: openvpn-devel@lists.sourceforge.net
Date: Thu, 23 Oct 2014 00:14:29 +0200
Subject: [PATCH] Modernize sample keys and sample configs

I kept most of the certificate properties equal to the old
certs, since some people's test scripts might rely on them (and
it does not require any creativity on my part).

Changes:
 * Add script to generate fresh test/sample keys
   (but keep sample keys in git for simple testing)
 * Switch from 1024 to 4096 bits RSA CA
 * Switch from 1024 to 2048 bits client/server RSA keys
 * Switch from 1024 to 2048 bits Diffie-Hellman parameters
 * Generate EC client and server cert, but sign with RSA CA
   (lets us test EC <-> RSA interoperability)
 * Remove 3DES cipher from 'sample' config
 * Add 'remote-cert-tls server' to client config
 * Update config files to deprecate nsCertType in favour of the
   keyUsage and extendedKeyUsage extensions.
 * Make naming more consistent

Signed-off-by: Steffan Karger 
---
 sample/sample-config-files/client.conf |  17 ++--
 sample/sample-config-files/loopback-client |   2 +-
 sample/sample-config-files/loopback-server |   3 +-
 sample/sample-config-files/server.conf |   6 +-
 sample/sample-config-files/tls-office.conf |   2 +-
 sample/sample-keys/.gitignore  |   1 +
 sample/sample-keys/README  |  21 +++--
 sample/sample-keys/ca.crt  |  48 ++
 sample/sample-keys/ca.key  |  67 ++
 sample/sample-keys/client-ec.crt   |  85 ++
 sample/sample-keys/client-ec.key   |   5 ++
 sample/sample-keys/client-pass.key |  30 +++
 sample/sample-keys/client.crt  | 126 +-
 sample/sample-keys/client.key  |  43 +
 sample/sample-keys/client.p12  | Bin 0 -> 4533 bytes
 sample/sample-keys/dh1024.pem  |   5 --
 sample/sample-keys/dh2048.pem  |   8 ++
 sample/sample-keys/gen-sample-keys.sh  |  75 
 sample/sample-keys/openssl.cnf | 139 +
 sample/sample-keys/pass.crt|  65 --
 sample/sample-keys/pass.key|  18 
 sample/sample-keys/pkcs12.p12  | Bin 2685 -> 0 bytes
 sample/sample-keys/server-ec.crt   |  96 
 sample/sample-keys/server-ec.key   |   5 ++
 sample/sample-keys/server.crt  | 130 ++-
 sample/sample-keys/server.key  |  43 +
 26 files changed, 781 insertions(+), 259 deletions(-)
 create mode 100644 sample/sample-keys/.gitignore
 create mode 100644 sample/sample-keys/client-ec.crt
 create mode 100644 sample/sample-keys/client-ec.key
 create mode 100644 sample/sample-keys/client-pass.key
 create mode 100644 sample/sample-keys/client.p12
 delete mode 100644 sample/sample-keys/dh1024.pem
 create mode 100644 sample/sample-keys/dh2048.pem
 create mode 100755 sample/sample-keys/gen-sample-keys.sh
 create mode 100644 sample/sample-keys/openssl.cnf
 delete mode 100644 sample/sample-keys/pass.crt
 delete mode 100644 sample/sample-keys/pass.key
 delete mode 100644 sample/sample-keys/pkcs12.p12
 create mode 100644 sample/sample-keys/server-ec.crt
 create mode 100644 sample/sample-keys/server-ec.key

diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf
index 58b2038..050ef60 100644
--- a/sample/sample-config-files/client.conf
+++ b/sample/sample-config-files/client.conf
@@ -89,18 +89,19 @@ ca ca.crt
 cert client.crt
 key client.key

-# Verify server certificate by checking
-# that the certicate has the nsCertType
-# field set to "server".  This is an
-# important precaution to protect against
+# Verify server certificate by checking that the
+# certicate has the correct key usage set.
+# This is an important precaution to protect against
 # a potential attack discussed here:
 #  

[Openvpn-devel] [PATCH] Peer-id patch v7

2014-11-23 Thread Lev Stipakov
Added new packet format P_DATA_V2, which includes peer-id. If server
supports, client sends all data packets in the new format. When data
packet arrives, server identifies peer by peer-id. If peer's ip/port has
changed, server assumes that client has floated, verifies HMAC and
updates ip/port in internal structs.

Changes in v7:
A few nitpicks.

Changes in v6:
Fixed: Make sure float won't happen if hmac check failed (regression).
Fixed: Access outside of bounds of array, which has caused memory corruption 
and crash.
Various review fixes.

Changes in v5:
Protection against replay attacks by committing float changes only after
the existing packet processing flow has completed.

If peer floats to an address which is already taken by another active
session, drop float packet, otherwise disconnect existing session.

Changes in v4:
Handles correctly float to an address which is used by another peer.
This also has fixed crash on assert in multi_client_disconnect.

Changes in v3:
Bugfix: If float happens after TLS renegotiation and there are no
data packets between reneg and float, server will not recognize floated client.
---
 src/openvpn/forward.c| 50 -
 src/openvpn/forward.h| 30 ---
 src/openvpn/init.c   | 12 +-
 src/openvpn/mudp.c   | 57 +---
 src/openvpn/mudp.h   |  2 +-
 src/openvpn/multi.c  | 97 ++--
 src/openvpn/multi.h  | 19 ++
 src/openvpn/options.c|  6 +++
 src/openvpn/options.h|  4 ++
 src/openvpn/push.c   | 13 +++
 src/openvpn/ssl.c| 74 
 src/openvpn/ssl.h| 15 +++-
 src/openvpn/ssl_common.h |  4 ++
 13 files changed, 332 insertions(+), 51 deletions(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 27b775f..b772d9a 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -722,20 +722,11 @@ read_incoming_link (struct context *c)
   perf_pop ();
 }

-/*
- * Input:  c->c2.buf
- * Output: c->c2.to_tun
- */
-
-void
-process_incoming_link (struct context *c)
+bool
+process_incoming_link_part1 (struct context *c, struct link_socket_info *lsi, 
bool floated)
 {
   struct gc_arena gc = gc_new ();
-  bool decrypt_status;
-  struct link_socket_info *lsi = get_link_socket_info (c);
-  const uint8_t *orig_buf = c->c2.buf.data;
-
-  perf_push (PERF_PROC_IN_LINK);
+  bool decrypt_status = false;

   if (c->c2.buf.len > 0)
 {
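Review bot: The `Input: c->c2.buf / Output: c->c2.to_tun` comment is deleted here and nothing replaces it, while the function it documented is split into `process_incoming_link_part1`, which now takes `lsi` and a `floated` flag and returns a bool, and `process_incoming_link_part2`. A short comment on each new definition would carry the contract over, e.g. for part1 `/* Verify and decrypt c->c2.buf in place; returns true if the packet passed the decrypt step. 'floated' is passed through to tls_pre_decrypt. */` — what `floated` means is only inferable from the tls_pre_decrypt call in the next hunk, so confirm the wording against that function. The visible forward.h hunk reworks the comment on process_incoming_link only; the prototypes of the two new functions should get the same treatment if they do not already. The body of part1 continues past this hunk.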
@@ -805,7 +796,7 @@ process_incoming_link (struct context *c)
   * will load crypto_options with the correct encryption key
   * and return false.
   */
- if (tls_pre_decrypt (c->c2.tls_multi, >c2.from, >c2.buf, 
>c2.crypto_options))
+ if (tls_pre_decrypt (c->c2.tls_multi, >c2.from, >c2.buf, 
>c2.crypto_options, floated))
{
  interval_action (>c2.tmp_int);

@@ -832,11 +823,25 @@ process_incoming_link (struct context *c)
  /* decryption errors are fatal in TCP mode */
  register_signal (c, SIGUSR1, "decryption-error"); /* SOFT-SIGUSR1 -- 
decryption error in TCP mode */
  msg (D_STREAM_ERRORS, "Fatal decryption error 
(process_incoming_link), restarting");
- goto done;
}
-
+#else /* ENABLE_CRYPTO */
+  decrypt_status = true;
 #endif /* ENABLE_CRYPTO */
+}
+  else
+{
+  buf_reset (>c2.to_tun);
+}
+  gc_free ();

+  return decrypt_status;
+}
+
+void
+process_incoming_link_part2 (struct context *c, struct link_socket_info *lsi, 
const uint8_t *orig_buf)
+{
+  if (c->c2.buf.len > 0)
+{
 #ifdef ENABLE_FRAGMENT
   if (c->c2.fragment)
fragment_incoming (c->c2.fragment, >c2.buf, >c2.frame_fragment);
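Review bot: Dropping `goto done` changes what happens after a fatal decryption error in TCP mode: control used to leave the function right after `register_signal`, skipping fragment and compression handling and the `to_tun` reset, whereas now `process_incoming_link_part1` returns false and the caller proceeds into `process_incoming_link_part2`, whose only guard is `c->c2.buf.len > 0`. That is correct only if a failed decrypt leaves `c->c2.buf.len` at 0 — presumably openvpn_decrypt does that, but it is not visible here, so it is worth stating next to the `register_signal` call, e.g. `/* buf.len is 0 after a failed decrypt, so part2 skips the packet */`. The new `#else` branch setting `decrypt_status = true` for builds without ENABLE_CRYPTO appears consistent with the return value only gating the float decision in the caller. Both new functions extend beyond this hunk.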
@@ -903,9 +908,20 @@ process_incoming_link (struct context *c)
 {
   buf_reset (>c2.to_tun);
 }
- done:
+}
+
+void
+process_incoming_link (struct context *c)
+{
+  perf_push (PERF_PROC_IN_LINK);
+
+  struct link_socket_info *lsi = get_link_socket_info (c);
+  const uint8_t *orig_buf = c->c2.buf.data;
+
+  process_incoming_link_part1(c, lsi, false);   
+  process_incoming_link_part2(c, lsi, orig_buf);
+
   perf_pop ();
-  gc_free ();
 }

 /*
diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h
index 1830a00..eccbf36 100644
--- a/src/openvpn/forward.h
+++ b/src/openvpn/forward.h
@@ -127,12 +127,11 @@ void encrypt_sign (struct context *c, bool comp_frag);
  */
 void read_incoming_link (struct context *c);

-
 /**
- * Process a packet read from the external network interface.
+ * Starts processing a packet read from the external network interface.
  * @ingroup external_multiplexer
  *
- * This function controls the processing of a data channel packet which
+ * This function starts the processing of a data channel packet which
  * has come out of a VPN tunnel.  It's high-level structure is as follows:
  * - Verify that a nonzero length packet has been received from a valid
  *   source address for the given context \a 

[Openvpn-devel] [PATCH applied] Re: polarssl: fix unreachable code

2014-11-23 Thread Gert Doering
Your patch has been applied to the master branch.

commit 98c5de769d6bcd4822b2fd81ae4f4b05edff5c0e
Author: Yegor Yefremov
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Sun Nov 23 13:21:43 2014 +0100

 polarssl: fix unreachable code

 Signed-off-by: Yegor Yefremov 
 Acked-by: Steffan Karger 
 Message-Id: <1416745303-23641-1-git-send-email-yegorsli...@googlemail.com>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/9266
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




Re: [Openvpn-devel] [PATCH] polarssl: fix unreachable code

2014-11-23 Thread Steffan Karger
ACK. Harmless, but definitely an oversight.

-Steffan

On 23-11-14 13:21, Yegor Yefremov wrote:
> Found via cppcheck and compile-tested.
> 
> Signed-off-by: Yegor Yefremov 
> ---
>  src/openvpn/ssl_polarssl.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c
> index b026a17..2036885 100644
> --- a/src/openvpn/ssl_polarssl.c
> +++ b/src/openvpn/ssl_polarssl.c
> @@ -846,8 +846,8 @@ key_state_write_plaintext (struct key_state_ssl *ks, 
> struct buffer *buf)
>  
>if (0 == buf->len)
>  {
> -  return 0;
>perf_pop ();
> +  return 0;
>  }
>  
>retval = ssl_write(ks->ctx, BPTR(buf), buf->len);
> 



[Openvpn-devel] [PATCH applied] Re: socket: remove duplicate expression

2014-11-23 Thread Gert Doering
ACK (obviously correct, Arne just beat me to it).

Your patch has been applied to the master branch.

commit d0ce829fbc2b3656c433e14f2c1c1b3db3b069c7 (master)

Author: Yegor Yefremov
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Sat Nov 22 21:13:35 2014 +0100

 socket: remove duplicate expression

 Signed-off-by: Yegor Yefremov 
 Acked-by: Arne Schwabe 
 Acked-by: Gert Doering 
 Message-Id: <1416687215-26904-1-git-send-email-yegorsli...@googlemail.com>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/9263
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering