)]}'
{"id":"openvpn~1067","triplet_id":"openvpn~master~I6752dcd5aff3e5cea2b439366479e86751a1c403","project":"openvpn","branch":"master","attention_set":{},"removed_from_attention_set":{"1000003":{"account":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"last_update":"2025-08-23 16:01:55.000000000","reason":"Change was submitted"},"1000001":{"account":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"last_update":"2025-08-23 16:01:55.000000000","reason":"Change was submitted"}},"hashtags":[],"change_id":"I6752dcd5aff3e5cea2b439366479e86751a1c403","subject":"Check message id/acked ids too when doing sessionid cookie checks","status":"MERGED","created":"2025-06-25 12:38:07.000000000","updated":"2025-08-26 11:59:57.000000000","submitted":"2025-08-23 16:01:55.000000000","submitter":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"total_comment_count":8,"unresolved_comment_count":0,"has_review_started":true,"submission_id":"1067","meta_rev_id":"99c8e0da13b34693834e0784c665907f009b87aa","_number":1067,"virtual_id_number":1067,"owner":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"actions":{},"labels":{"Code-Review":{"all":[{"value":0,"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},{"value":0,"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},{"value":0,"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"}],"values":{"-2":"This shall not be submitted","-1":"I would prefer this is not submitted as is"," 0":"No 
score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me, approved"},"description":"","default_value":0}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"}],"CC":[{"_account_id":1000026,"name":"openvpn-devel","email":"openvpn-devel@lists.sourceforge.net","username":"openvpn-devel"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2025-06-25 12:38:08.000000000","updated_by":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"reviewer":{"_account_id":1000026,"name":"openvpn-devel","email":"openvpn-devel@lists.sourceforge.net","username":"openvpn-devel"},"state":"CC"},{"updated":"2025-06-25 12:38:08.000000000","updated_by":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"reviewer":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"state":"REVIEWER"},{"updated":"2025-08-13 14:01:34.000000000","updated_by":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"reviewer":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"state":"CC"},{"updated":"2025-08-19 
13:59:56.000000000","updated_by":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"reviewer":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"state":"REVIEWER"}],"messages":[{"id":"43e027a55ec1e21bd2b5b7cd3e635b7118b4dcc7","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-06-25 12:38:07.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"9bd42fc2ea8ac1e1e0419eb0511c9c3e2942abbe","tag":"autogenerated:gerrit:setWorkInProgress","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-06-25 12:38:20.000000000","message":"Set Work In Progress","accounts_in_message":[],"_revision_number":1},{"id":"8dc6ac12f4fc804bd94d83348fc6f6f7b4b62283","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-06-26 08:11:26.000000000","message":"Uploaded patch set 2.","accounts_in_message":[],"_revision_number":2},{"id":"10e4feae2c5efe551fb367d6b00fd022555262c9","tag":"autogenerated:gerrit:setReadyForReview","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-06-26 08:11:35.000000000","message":"Set Ready For Review","accounts_in_message":[],"_revision_number":2},{"id":"0ce8cd0299fe59653b623aa0f39ebf25341ff1eb","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-06-26 08:14:23.000000000","message":"Uploaded patch set 
3.","accounts_in_message":[],"_revision_number":3},{"id":"f53b9687a1206d30d65e328d2963ff504d2966df","author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"date":"2025-07-22 14:59:07.000000000","message":"Patch Set 3: Code-Review-1\n\n(1 comment)","accounts_in_message":[],"_revision_number":3},{"id":"c339de3f211cd6799ecfdc1e91881763685d1cdd","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-07-28 11:51:23.000000000","message":"Uploaded patch set 4.\n\nOutdated Votes:\n* Code-Review-1 (copy condition: \"changekind:NO_CHANGE OR changekind:TRIVIAL_REBASE OR is:MIN\")\n","accounts_in_message":[],"_revision_number":4},{"id":"e03c78662b465d9c6ae4f8f45c49e3ff644e5332","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-08-06 12:23:17.000000000","message":"Uploaded patch set 5.","accounts_in_message":[],"_revision_number":5},{"id":"ae8260a326e471a54007156c75b5babe226013a9","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-08-06 12:25:58.000000000","message":"Patch Set 5:\n\n(1 comment)","accounts_in_message":[],"_revision_number":5},{"id":"f79bc885c6d314dc115040ea42dbd9c504f14284","author":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"date":"2025-08-13 14:01:34.000000000","message":"Patch Set 5:\n\n(3 comments)","accounts_in_message":[],"_revision_number":5},{"id":"c95289a671abcb944e2e9471eefe530d64ea0655","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne 
Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-08-15 13:58:49.000000000","message":"Uploaded patch set 6.","accounts_in_message":[],"_revision_number":6},{"id":"c08c780b1cb577b794cbc387c206d52ba3cc7266","author":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"date":"2025-08-19 13:59:56.000000000","message":"Patch Set 6: Code-Review+2\n\n(2 comments)","accounts_in_message":[],"_revision_number":6},{"id":"5c374002a1dfb9b99a32f5715d21121d05d7912a","tag":"autogenerated:gerrit:merged","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2025-08-23 16:01:55.000000000","message":"Change has been successfully pushed.","accounts_in_message":[],"_revision_number":7},{"id":"99c8e0da13b34693834e0784c665907f009b87aa","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-08-26 11:59:57.000000000","message":"Patch Set 7:\n\n(1 comment)","accounts_in_message":[],"_revision_number":7}],"current_revision_number":7,"current_revision":"518e122b42739b0dbb54e7169a8a3aadb4773125","revisions":{"b3371d956878e5e401bf70fdf317e260d8c0ba5b":{"kind":"REWORK","_number":1,"created":"2025-06-25 12:38:07.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/67/1067/1","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/67/1067/1","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/1 \u0026\u0026 git checkout -b change-1067 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/1 \u0026\u0026 git cherry-pick 
FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/67/1067/1","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/1 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"1d3c2b67a73a0aa011c13e62f876d24e49d41df0","subject":"dco linux: avoid redefining ovpn enums"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-06-25 12:37:27.000000000","tz":120},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-06-25 12:37:27.000000000","tz":120},"subject":"Check message-id too when doing sessionid cookie","message":"Check message-id too when doing sessionid cookie\n\nThis fixes that control packets on a floating client can trigger\ncreating a new session in rare instances.\n\nChange-Id: I6752dcd5aff3e5cea2b439366479e86751a1c403\n"},"branch":"refs/heads/master"},"b9acea31fd5932bf01cc1a3d9aee861951b0d799":{"kind":"REWORK","_number":2,"created":"2025-06-26 08:11:26.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/67/1067/2","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/67/1067/2","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/2 \u0026\u0026 git checkout -b change-1067 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn 
refs/changes/67/1067/2","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/2 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"1d3c2b67a73a0aa011c13e62f876d24e49d41df0","subject":"dco linux: avoid redefining ovpn enums"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-06-25 12:37:27.000000000","tz":120},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-06-26 08:11:12.000000000","tz":120},"subject":"Check message id/acked ids too when doing sessionid cookie checks","message":"Check message id/acked ids too when doing sessionid cookie checks\n\nThis fixes that control packets on a floating client can trigger\ncreating a new session in special circumstances:\n\nTo trigger this circumstance a connection needs to\n\n- starts on IP A\n- successfully floats to IP B by data packet\n- then has a control packet from IP A before any\n  data packet can trigger the float back to IP A\n\nand all of this needs to happen in the 60s time\nthat hmac cookie is valid in the default\nconfiguration.\n\nIn this scenario we would trigger a new connection as the HMAC\nsession id would be valid.\n\nThis patch adds checking also of the message-id and acked ids to\ndiscern packet from the initial three-way handshake where these\nids 0 or 1 from any later packet.\n\nThis will now trigger (at verb 4 or higher) a messaged like:\n\n   Packet (P_ACK_V1) with invalid or missing SID\n\ninstead.\n\nReported-By: Walter Doekes \u003cwalter.openvpn@wjd.nu\u003e\nTested-By: Walter Doekes \u003cwalter.openvpn@wjd.nu\u003e\n\nChange-Id: I6752dcd5aff3e5cea2b439366479e86751a1c403\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"},"06edba3fe8fa91db5804432aec8a4e698956a65c":{"kind":"REWORK","_number":3,"created":"2025-06-26 08:14:23.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne 
Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/67/1067/3","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/67/1067/3","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/3 \u0026\u0026 git checkout -b change-1067 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/3 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/67/1067/3","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/3 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"1d3c2b67a73a0aa011c13e62f876d24e49d41df0","subject":"dco linux: avoid redefining ovpn enums"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-06-25 12:37:27.000000000","tz":120},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-06-26 08:14:09.000000000","tz":120},"subject":"Check message id/acked ids too when doing sessionid cookie checks","message":"Check message id/acked ids too when doing sessionid cookie checks\n\nThis fixes that control packets on a floating client can trigger\ncreating a new session in special circumstances:\n\nTo trigger this circumstance a connection needs to\n\n- starts on IP A\n- successfully floats to IP B by data packet\n- then has a control packet from IP A before any\n  data packet can trigger the float back to IP A\n\nand all of this needs to happen in the 60s time\nthat hmac cookie is valid in the default\nconfiguration.\n\nIn this scenario we would trigger a new connection as the HMAC\nsession id would be valid.\n\nThis patch adds checking also of the 
message-id and acked ids to\ndiscern packet from the initial three-way handshake where these\nids 0 or 1 from any later packet.\n\nThis will now trigger (at verb 4 or higher) a messaged like:\n\n   Packet (P_ACK_V1) with invalid or missing SID\n\ninstead.\n\nReported-By: Walter Doekes \u003cwalter.openvpn@wjd.nu\u003e\nTested-By: Walter Doekes \u003cwalter.openvpn@wjd.nu\u003e\n\nChange-Id: I6752dcd5aff3e5cea2b439366479e86751a1c403\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"},"6851210a2a35cdf1c2d95eb6c0886591ea93588c":{"kind":"REWORK","_number":4,"created":"2025-07-28 11:51:23.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/67/1067/4","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/67/1067/4","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/4 \u0026\u0026 git checkout -b change-1067 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/4 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/4 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/4 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/67/1067/4","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/4 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"1d3c2b67a73a0aa011c13e62f876d24e49d41df0","subject":"dco linux: avoid redefining ovpn enums"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-06-25 12:37:27.000000000","tz":120},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-07-28 11:50:58.000000000","tz":120},"subject":"Check 
message id/acked ids too when doing sessionid cookie checks","message":"Check message id/acked ids too when doing sessionid cookie checks\n\nThis fixes that control packets on a floating client can trigger\ncreating a new session in special circumstances:\n\nTo trigger this circumstance a connection needs to\n\n- starts on IP A\n- successfully floats to IP B by data packet\n- then has a control packet from IP A before any\n  data packet can trigger the float back to IP A\n\nand all of this needs to happen in the 60s time\nthat hmac cookie is valid in the default\nconfiguration.\n\nIn this scenario we would trigger a new connection as the HMAC\nsession id would be valid.\n\nThis patch adds checking also of the message-id and acked ids to\ndiscern packet from the initial three-way handshake where these\nids 0 or 1 from any later packet.\n\nThis will now trigger (at verb 4 or higher) a messaged like:\n\n   Packet (P_ACK_V1) with invalid or missing SID\n\ninstead.\n\nAlso remove a few duplicated free_tls_pre_decrypt_state in test_ssl.\n\nReported-By: Walter Doekes \u003cwalter.openvpn@wjd.nu\u003e\nTested-By: Walter Doekes \u003cwalter.openvpn@wjd.nu\u003e\n\nChange-Id: I6752dcd5aff3e5cea2b439366479e86751a1c403\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"},"436c36d98717d0c1183d87c56591da41b1d3e8d0":{"kind":"REWORK","_number":5,"created":"2025-08-06 12:23:17.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/67/1067/5","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/67/1067/5","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/5 \u0026\u0026 git checkout -b change-1067 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/5 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch 
http://gerrit.openvpn.net/openvpn refs/changes/67/1067/5 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/5 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/67/1067/5","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/5 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"75f9bd37ae94ad2e126f68276cee52fc8af3079f","subject":"Remove uncrustify config and reformat-all.sh"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-06-25 12:37:27.000000000","tz":120},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-08-06 12:22:53.000000000","tz":120},"subject":"Check message id/acked ids too when doing sessionid cookie checks","message":"Check message id/acked ids too when doing sessionid cookie checks\n\nThis fixes that control packets on a floating client can trigger\ncreating a new session in special circumstances:\n\nTo trigger this circumstance a connection needs to\n\n- starts on IP A\n- successfully floats to IP B by data packet\n- then has a control packet from IP A before any\n  data packet can trigger the float back to IP A\n\nand all of this needs to happen in the 60s time\nthat hmac cookie is valid in the default\nconfiguration.\n\nIn this scenario we would trigger a new connection as the HMAC\nsession id would be valid.\n\nThis patch adds checking also of the message-id and acked ids to\ndiscern packet from the initial three-way handshake where these\nids 0 or 1 from any later packet.\n\nThis will now trigger (at verb 4 or higher) a messaged like:\n\n   Packet (P_ACK_V1) with invalid or missing SID\n\ninstead.\n\nAlso remove a few duplicated free_tls_pre_decrypt_state in test_ssl.\n\nReported-By: Walter Doekes \u003cwalter.openvpn@wjd.nu\u003e\nTested-By: Walter Doekes \u003cwalter.openvpn@wjd.nu\u003e\n\nChange-Id: 
I6752dcd5aff3e5cea2b439366479e86751a1c403\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"},"947af07e5f0f9e5fff602868d68d9526783b7475":{"kind":"REWORK","_number":6,"created":"2025-08-15 13:58:49.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/67/1067/6","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/67/1067/6","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/6 \u0026\u0026 git checkout -b change-1067 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/6 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/6 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/6 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/67/1067/6","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/6 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"c4f4f26d48babdf4f15a6cde837317c7216abbba","subject":"GHA: limit \u0027Deploy Doxygen documentation\u0027 to main repo only"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-06-25 12:37:27.000000000","tz":120},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-08-15 13:58:38.000000000","tz":120},"subject":"Check message id/acked ids too when doing sessionid cookie checks","message":"Check message id/acked ids too when doing sessionid cookie checks\n\nThis fixes that control packets on a floating client can trigger\ncreating a new session in special circumstances:\n\nTo trigger this circumstance a connection needs to\n\n- starts on IP A\n- successfully floats to IP B by 
data packet\n- then has a control packet from IP A before any\n  data packet can trigger the float back to IP A\n\nand all of this needs to happen in the 60s time\nthat hmac cookie is valid in the default\nconfiguration.\n\nIn this scenario we would trigger a new connection as the HMAC\nsession id would be valid.\n\nThis patch adds checking also of the message-id and acked ids to\ndiscern packet from the initial three-way handshake where these\nids 0 or 1 from any later packet.\n\nThis will now trigger (at verb 4 or higher) a messaged like:\n\n   Packet (P_ACK_V1) with invalid or missing SID\n\ninstead.\n\nAlso remove a few duplicated free_tls_pre_decrypt_state in test_ssl.\n\nReported-By: Walter Doekes \u003cwalter.openvpn@wjd.nu\u003e\nTested-By: Walter Doekes \u003cwalter.openvpn@wjd.nu\u003e\n\nChange-Id: I6752dcd5aff3e5cea2b439366479e86751a1c403\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"},"518e122b42739b0dbb54e7169a8a3aadb4773125":{"kind":"TRIVIAL_REBASE_WITH_MESSAGE_UPDATE","_number":7,"created":"2025-08-23 16:01:55.000000000","uploader":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"ref":"refs/changes/67/1067/7","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/67/1067/7","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/7 \u0026\u0026 git checkout -b change-1067 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/7 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/7 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/67/1067/7 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/67/1067/7","Reset To":"git fetch 
http://gerrit.openvpn.net/openvpn refs/changes/67/1067/7 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"5c4744f28e2adb3fc8f6fb3b3c8ffe22636eb0a0","subject":"Clean up documentation for --tun-mtu-max"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-08-19 21:22:09.000000000","tz":120},"committer":{"name":"Gert Doering","email":"gert@greenie.muc.de","date":"2025-08-23 15:53:52.000000000","tz":120},"subject":"Check message id/acked ids too when doing sessionid cookie checks","message":"Check message id/acked ids too when doing sessionid cookie checks\n\nThis fixes that control packets on a floating client can trigger\ncreating a new session in special circumstances:\n\nTo trigger this circumstance a connection needs to\n\n- starts on IP A\n- successfully floats to IP B by data packet\n- then has a control packet from IP A before any\n  data packet can trigger the float back to IP A\n\nand all of this needs to happen in the 60s time\nthat hmac cookie is valid in the default\nconfiguration.\n\nIn this scenario we would trigger a new connection as the HMAC\nsession id would be valid.\n\nThis patch adds checking also of the message-id and acked ids to\ndiscern packets from the initial three-way handshake where these\nids are 0 or 1 from any later packet.\n\nThis will now trigger (at verb 4 or higher) a message like:\n\n   Packet (P_ACK_V1) with invalid or missing SID\n\ninstead.\n\nAlso remove a few duplicated free_tls_pre_decrypt_state in test_ssl.\n\nReported-By: Walter Doekes \u003cwalter.openvpn@wjd.nu\u003e\nTested-By: Walter Doekes \u003cwalter.openvpn@wjd.nu\u003e\n\nChange-Id: I6752dcd5aff3e5cea2b439366479e86751a1c403\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\nAcked-by: MaxF \u003cmax@max-fillinger.net\u003e\nMessage-Id: \u003c20250819212214.16218-1-gert@greenie.muc.de\u003e\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32626.html\nSigned-off-by: Gert Doering 
\u003cgert@greenie.muc.de\u003e\n"},"branch":"refs/heads/master"}},"requirements":[],"submit_records":[],"submit_requirements":[]}
