)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"8b2b30569b1f3acbe1beaf525cff228ebb1f2435","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"74c9e53a_88cefb08","updated":"2025-07-17 09:33:43.000000000","message":"doesn\u0027t build","commit_id":"196ae729234570015c94386a885e4648368c2b4d"},{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"863327c46747a3bb094f24f408937310a316b224","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"8745362f_edd6e2cf","updated":"2025-08-05 12:26:47.000000000","message":"Before this can proceed anywhere, I need a clear description of the goals and timeline - \"is this for 2.7?  is this for some future thing?  corp support?\".","commit_id":"a768e1ae7690a3eefb1c118b1fe40d1b7a9f0354"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"df4dff61d6219b83285cee7f52de8682bb3e347f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"be050bd1_4a567d6b","updated":"2025-07-17 09:43:55.000000000","message":"I think there are still some things that need to be fixed. See comments","commit_id":"a768e1ae7690a3eefb1c118b1fe40d1b7a9f0354"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"8feeb0a79b04819a5f428abcc80fb35cd6e9aba0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"5e97a71b_d2df9c4c","in_reply_to":"0988c1c4_6a8f2cee","updated":"2025-12-02 17:05:11.000000000","message":"This is more 2.8 stuff but having this in 2.7 would not hurt and potientially have a bigger compatibility for the multipeer scenarios.","commit_id":"a768e1ae7690a3eefb1c118b1fe40d1b7a9f0354"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"99148851cafd2e9cada1aa78877ca477d6cc8a1d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"0988c1c4_6a8f2cee","in_reply_to":"8745362f_edd6e2cf","updated":"2025-12-02 17:03:54.000000000","message":"This is to potentially allow two openvpn p2mp instances like two server talk to each other directly","commit_id":"a768e1ae7690a3eefb1c118b1fe40d1b7a9f0354"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"334f152f34aa95ea6819e4a33b0196f499fa7dfa","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":4,"id":"26836bc6_0d294f6a","updated":"2025-10-07 15:50:10.000000000","message":"The part that picks the \"peer-id\" pushed and parsed options.c that sets peer-id on receiving peer-id\n\n    if (found \u0026 OPT_P_PEER_ID)\n    {\n        msg(D_PUSH_DEBUG, \"OPTIONS IMPORT: peer-id set\");\n        c-\u003ec2.tls_multi-\u003euse_peer_id \u003d true;\n        c-\u003ec2.tls_multi-\u003etx_peer_id \u003d c-\u003eoptions.peer_id;\n    }\n    \n\nshould probably also be adjusted to set both rx and tx as peer-id as pushed option should set both.","commit_id":"816b0f141c576aa0348d75ce5f23de29812c28de"},{"author":{"_account_id":1000034,"name":"its_Giaan","display_name":"Gianmarco De Gregori","email":"gianmarco@mandelbit.com","username":"its_Giaan"},"change_message_id":"2da8d2c9c39b513cbbc31f5cb192b313ae6ebdbb","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"432c272b_476c93f3","in_reply_to":"26836bc6_0d294f6a","updated":"2025-10-27 13:47:02.000000000","message":"Done","commit_id":"816b0f141c576aa0348d75ce5f23de29812c28de"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"d345a39c42b0d8c8adf7f54da85f6ddb7343a0d6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"23fe066a_1fb437de","updated":"2025-11-10 14:49:46.000000000","message":"So this seem to not work correctly in P2p mode.\n\npeer a: openvpn --port 1195 --tls-server --ifconfig 10.173.0.1 255.255.255.0 --topology subnet  --topology subnet --cert ~/nemesis.pem  --key ~/nemesis.pem   --dev tun --verb 4  --tun-mtu 1400 --config ~/fp   --disable-dco\n\npeer b: openvpn --verb 4  --dev tun  --remote nemesis.fritz.box 1195 --config ~/ovpn/confs/fp  --tls-client --cert ~/ovpn/confs/styx-ed25519.pem --key ~/ovpn/confs/styx-ed25519.pem --disable-dco --ifconfig  10.173.0.2 255.255.255.0 \n\n\nThe fp config just has the fingerpints in it.\n\nAnd the negotiated peer ids just don\u0027t make sense. It should be just the same ids with rx and tx swapped but this is is not really that. \n\n2025-11-10 15:48:41 us\u003d782130 Data Channel: cipher \u0027AES-256-GCM\u0027, rx_peer-id: 7762030, tx_peer-id: 5695615\n\n2025-11-10 14:48:41 us\u003d533055 Data Channel: cipher \u0027AES-256-GCM\u0027, rx_peer-id: 7762030, tx_peer-id: 14459670\n\nAlso it seems to *always* use 7762030 in my tests.","commit_id":"ec3d4eb241c1d10d775374f5f28a495ac7d6e748"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"f01c2d591676b9a0e20db598cb3e3887b3b2bfe5","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"d7e41d80_95aad17e","updated":"2025-12-09 14:05:11.000000000","message":"I accidentially pushed a rebased version to this PR.","commit_id":"f90a0d87a53759dad9c20e9731f3af5f237ece28"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"e9ef3d8f26b12089eb718f2757dfae13bf612ecc","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"28e597a2_d4f7f0af","updated":"2026-04-21 15:26:39.000000000","message":"See the maxpeer id check","commit_id":"d8f80ca6d924e0b5c8a9469aeee42dcd08b99af2"}],"src/openvpn/multi.c":[{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"df4dff61d6219b83285cee7f52de8682bb3e347f","unresolved":true,"context_lines":[{"line_number":1813,"context_line":"    {"},{"line_number":1814,"context_line":"        tls_multi-\u003euse_peer_id \u003d true;"},{"line_number":1815,"context_line":"        o-\u003euse_peer_id \u003d true;"},{"line_number":1816,"context_line":"        uint32_t peer_id \u003d extract_asymmetric_peer_id(peer_info);"},{"line_number":1817,"context_line":"        if (peer_id)"},{"line_number":1818,"context_line":"        {"},{"line_number":1819,"context_line":"            tls_multi-\u003etx_peer_id \u003d peer_id;"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"7be28da8_ce83b435","line":1816,"updated":"2025-07-17 09:43:55.000000000","message":"I am somehow missing the client side/p2p that does the same and also calls extract_asymmetric_peer_id to figure out what peer-id the server wants to use.","commit_id":"a768e1ae7690a3eefb1c118b1fe40d1b7a9f0354"},{"author":{"_account_id":1000034,"name":"its_Giaan","display_name":"Gianmarco De Gregori","email":"gianmarco@mandelbit.com","username":"its_Giaan"},"change_message_id":"fb2a91f5448bca36d7a956fd0c96c3bd455c7e57","unresolved":false,"context_lines":[{"line_number":1813,"context_line":"    {"},{"line_number":1814,"context_line":"        tls_multi-\u003euse_peer_id \u003d true;"},{"line_number":1815,"context_line":"        o-\u003euse_peer_id \u003d true;"},{"line_number":1816,"context_line":"        uint32_t peer_id \u003d extract_asymmetric_peer_id(peer_info);"},{"line_number":1817,"context_line":"        if (peer_id)"},{"line_number":1818,"context_line":"        {"},{"line_number":1819,"context_line":"            tls_multi-\u003etx_peer_id \u003d peer_id;"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"d20f4c46_6ddf1dff","line":1816,"in_reply_to":"7be28da8_ce83b435","updated":"2025-08-05 07:56:28.000000000","message":"Acknowledged","commit_id":"a768e1ae7690a3eefb1c118b1fe40d1b7a9f0354"}],"src/openvpn/push.c":[{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"df4dff61d6219b83285cee7f52de8682bb3e347f","unresolved":true,"context_lines":[{"line_number":654,"context_line":"    if (tls_multi-\u003euse_peer_id)"},{"line_number":655,"context_line":"    {"},{"line_number":656,"context_line":"        push_option_fmt(gc, push_list, M_USAGE, \"peer-id %d\","},{"line_number":657,"context_line":"                        tls_multi-\u003erx_peer_id);"},{"line_number":658,"context_line":"    }"},{"line_number":659,"context_line":"    /*"},{"line_number":660,"context_line":"     * If server uses --auth-gen-token and we have an auth token"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"ad29de27_05d54fe8","line":657,"updated":"2025-07-17 09:43:55.000000000","message":"This will instruct the client to use that peer-id on both send/receive. The idea was to *not* push peer-id in this scenario but rather have both sides see that if the other peer has ID\u003d in their peerinfo then they both switch to assymmetric peer-id","commit_id":"a768e1ae7690a3eefb1c118b1fe40d1b7a9f0354"},{"author":{"_account_id":1000034,"name":"its_Giaan","display_name":"Gianmarco De Gregori","email":"gianmarco@mandelbit.com","username":"its_Giaan"},"change_message_id":"2055e30e29b4776a5f310d0cf95344bba10d41f5","unresolved":false,"context_lines":[{"line_number":654,"context_line":"    if (tls_multi-\u003euse_peer_id)"},{"line_number":655,"context_line":"    {"},{"line_number":656,"context_line":"        push_option_fmt(gc, push_list, M_USAGE, \"peer-id %d\","},{"line_number":657,"context_line":"                        tls_multi-\u003erx_peer_id);"},{"line_number":658,"context_line":"    }"},{"line_number":659,"context_line":"    /*"},{"line_number":660,"context_line":"     * If server uses --auth-gen-token and we have an auth token"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"643315b6_ec74dded","line":657,"in_reply_to":"098ded6f_b8a7adfd","updated":"2025-09-29 09:37:04.000000000","message":"Done","commit_id":"a768e1ae7690a3eefb1c118b1fe40d1b7a9f0354"},{"author":{"_account_id":1000034,"name":"its_Giaan","display_name":"Gianmarco De Gregori","email":"gianmarco@mandelbit.com","username":"its_Giaan"},"change_message_id":"fb2a91f5448bca36d7a956fd0c96c3bd455c7e57","unresolved":true,"context_lines":[{"line_number":654,"context_line":"    if (tls_multi-\u003euse_peer_id)"},{"line_number":655,"context_line":"    {"},{"line_number":656,"context_line":"        push_option_fmt(gc, push_list, M_USAGE, \"peer-id %d\","},{"line_number":657,"context_line":"                        tls_multi-\u003erx_peer_id);"},{"line_number":658,"context_line":"    }"},{"line_number":659,"context_line":"    /*"},{"line_number":660,"context_line":"     * If server uses --auth-gen-token and we have an auth token"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"dfe60a3c_ec0e72ed","line":657,"in_reply_to":"ad29de27_05d54fe8","updated":"2025-08-05 07:56:28.000000000","message":"ok but what about the mapping? we\u0027re using the current peer-id assigned by the server as index to keep track of the instances, should we implement a different kind of mapping? Of curse on server side I will prepend to the buffer the tx_peer_id (if supported) along with the opcode but yeah the client will keep prepending the old one.","commit_id":"a768e1ae7690a3eefb1c118b1fe40d1b7a9f0354"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"8390654e74e78b1c6c5f074bf1b49d08a5521628","unresolved":true,"context_lines":[{"line_number":654,"context_line":"    if (tls_multi-\u003euse_peer_id)"},{"line_number":655,"context_line":"    {"},{"line_number":656,"context_line":"        push_option_fmt(gc, push_list, M_USAGE, \"peer-id %d\","},{"line_number":657,"context_line":"                        tls_multi-\u003erx_peer_id);"},{"line_number":658,"context_line":"    }"},{"line_number":659,"context_line":"    /*"},{"line_number":660,"context_line":"     * If server uses --auth-gen-token and we have an auth token"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"098ded6f_b8a7adfd","line":657,"in_reply_to":"dfe60a3c_ec0e72ed","updated":"2025-08-05 12:22:11.000000000","message":"Yes, but the idea of the protocol is:\n\n- server pushes peer-id: client uses *same* peer-id for send and receive.\n- server pushes nothing but has ID\u003d in its own peer-info, client reconigses that the peer is supporting assymetric peer-id and uses the peer\u0027s ID for sending packets and expecting the id the ID it send in peerinfo for incoming packets.","commit_id":"a768e1ae7690a3eefb1c118b1fe40d1b7a9f0354"}],"src/openvpn/ssl.c":[{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"df4dff61d6219b83285cee7f52de8682bb3e347f","unresolved":true,"context_lines":[{"line_number":2040,"context_line":"        iv_proto |\u003d IV_PROTO_DYN_TLS_CRYPT;"},{"line_number":2041,"context_line":""},{"line_number":2042,"context_line":"        buf_printf(\u0026out, \"IV_PROTO\u003d%d\\n\", iv_proto);"},{"line_number":2043,"context_line":"        buf_printf(\u0026out, \"ID\u003d%x\\n\", peer_id);"},{"line_number":2044,"context_line":""},{"line_number":2045,"context_line":"        if (session-\u003eopt-\u003epush_peer_info_detail \u003e 1)"},{"line_number":2046,"context_line":"        {"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"231475b7_833b9982","line":2043,"updated":"2025-07-17 09:43:55.000000000","message":"This need to be guarded by the actual DCO capability. We cannot announce this if the DCO module/implementation then cannot actually support assymetric ID support.","commit_id":"a768e1ae7690a3eefb1c118b1fe40d1b7a9f0354"},{"author":{"_account_id":1000034,"name":"its_Giaan","display_name":"Gianmarco De Gregori","email":"gianmarco@mandelbit.com","username":"its_Giaan"},"change_message_id":"fb2a91f5448bca36d7a956fd0c96c3bd455c7e57","unresolved":false,"context_lines":[{"line_number":2040,"context_line":"        iv_proto |\u003d IV_PROTO_DYN_TLS_CRYPT;"},{"line_number":2041,"context_line":""},{"line_number":2042,"context_line":"        buf_printf(\u0026out, \"IV_PROTO\u003d%d\\n\", iv_proto);"},{"line_number":2043,"context_line":"        buf_printf(\u0026out, \"ID\u003d%x\\n\", peer_id);"},{"line_number":2044,"context_line":""},{"line_number":2045,"context_line":"        if (session-\u003eopt-\u003epush_peer_info_detail \u003e 1)"},{"line_number":2046,"context_line":"        {"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"7a3b0954_5bc84265","line":2043,"in_reply_to":"231475b7_833b9982","updated":"2025-08-05 07:56:28.000000000","message":"Acknowledged","commit_id":"a768e1ae7690a3eefb1c118b1fe40d1b7a9f0354"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"334f152f34aa95ea6819e4a33b0196f499fa7dfa","unresolved":true,"context_lines":[{"line_number":1176,"context_line":"    ret-\u003eopt \u003d *tls_options;"},{"line_number":1177,"context_line":"    ret-\u003edco_peer_id \u003d -1;"},{"line_number":1178,"context_line":"    ret-\u003euse_asymmetric_peer_id \u003d false;"},{"line_number":1179,"context_line":"    ret-\u003erx_peer_id \u003d MAX_PEER_ID;"},{"line_number":1180,"context_line":"    ret-\u003etx_peer_id \u003d MAX_PEER_ID;"},{"line_number":1181,"context_line":""},{"line_number":1182,"context_line":"    return ret;"}],"source_content_type":"text/x-csrc","patch_set":4,"id":"7b89f526_1248648b","line":1179,"updated":"2025-10-07 15:50:10.000000000","message":"Add comment here that we also use the rx peer id to identify DCO clients as this has become now a important distinction.","commit_id":"816b0f141c576aa0348d75ce5f23de29812c28de"},{"author":{"_account_id":1000034,"name":"its_Giaan","display_name":"Gianmarco De Gregori","email":"gianmarco@mandelbit.com","username":"its_Giaan"},"change_message_id":"2da8d2c9c39b513cbbc31f5cb192b313ae6ebdbb","unresolved":false,"context_lines":[{"line_number":1176,"context_line":"    ret-\u003eopt \u003d *tls_options;"},{"line_number":1177,"context_line":"    ret-\u003edco_peer_id \u003d -1;"},{"line_number":1178,"context_line":"    ret-\u003euse_asymmetric_peer_id \u003d false;"},{"line_number":1179,"context_line":"    ret-\u003erx_peer_id \u003d MAX_PEER_ID;"},{"line_number":1180,"context_line":"    ret-\u003etx_peer_id \u003d MAX_PEER_ID;"},{"line_number":1181,"context_line":""},{"line_number":1182,"context_line":"    return ret;"}],"source_content_type":"text/x-csrc","patch_set":4,"id":"483a5681_27b0022b","line":1179,"in_reply_to":"7b89f526_1248648b","updated":"2025-10-27 13:47:02.000000000","message":"Done","commit_id":"816b0f141c576aa0348d75ce5f23de29812c28de"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"334f152f34aa95ea6819e4a33b0196f499fa7dfa","unresolved":true,"context_lines":[{"line_number":1979,"context_line":"        if (peer_id !\u003d MAX_PEER_ID)"},{"line_number":1980,"context_line":"        {"},{"line_number":1981,"context_line":"            buf_printf(\u0026out, \"ID\u003d%x\\n\", peer_id);"},{"line_number":1982,"context_line":"        }"},{"line_number":1983,"context_line":""},{"line_number":1984,"context_line":"        if (session-\u003eopt-\u003epush_peer_info_detail \u003e 1)"},{"line_number":1985,"context_line":"        {"}],"source_content_type":"text/x-csrc","patch_set":4,"id":"18e30fd6_0e66350f","line":1982,"updated":"2025-10-07 15:50:10.000000000","message":"This is still not guarded by DCO capability. With the current version we still always indicate to the peer that we are always asymmetric peer ID capable even if the underlying DCO module is not able to use a different peer ID for TX.","commit_id":"816b0f141c576aa0348d75ce5f23de29812c28de"},{"author":{"_account_id":1000034,"name":"its_Giaan","display_name":"Gianmarco De Gregori","email":"gianmarco@mandelbit.com","username":"its_Giaan"},"change_message_id":"2da8d2c9c39b513cbbc31f5cb192b313ae6ebdbb","unresolved":false,"context_lines":[{"line_number":1979,"context_line":"        if (peer_id !\u003d MAX_PEER_ID)"},{"line_number":1980,"context_line":"        {"},{"line_number":1981,"context_line":"            buf_printf(\u0026out, \"ID\u003d%x\\n\", peer_id);"},{"line_number":1982,"context_line":"        }"},{"line_number":1983,"context_line":""},{"line_number":1984,"context_line":"        if (session-\u003eopt-\u003epush_peer_info_detail \u003e 1)"},{"line_number":1985,"context_line":"        {"}],"source_content_type":"text/x-csrc","patch_set":4,"id":"d7cabc51_e6990ae0","line":1982,"in_reply_to":"18e30fd6_0e66350f","updated":"2025-10-27 13:47:02.000000000","message":"Done","commit_id":"816b0f141c576aa0348d75ce5f23de29812c28de"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"334f152f34aa95ea6819e4a33b0196f499fa7dfa","unresolved":true,"context_lines":[{"line_number":2162,"context_line":"    }"},{"line_number":2163,"context_line":""},{"line_number":2164,"context_line":"    /* Calculate the asymmetric peer-id */"},{"line_number":2165,"context_line":"    if (multi-\u003erx_peer_id \u003d\u003d MAX_PEER_ID \u0026\u0026 session-\u003eopt-\u003emode !\u003d MODE_SERVER)"},{"line_number":2166,"context_line":"    {"},{"line_number":2167,"context_line":"        uint8_t peerid[3];"},{"line_number":2168,"context_line":"        srand((unsigned)time(NULL));"}],"source_content_type":"text/x-csrc","patch_set":4,"id":"3fb67b50_b42dfeaf","line":2165,"updated":"2025-10-07 15:50:10.000000000","message":"This feel be a very hacky place to set the multi rx peer id. I think there is a better place to do that.","commit_id":"816b0f141c576aa0348d75ce5f23de29812c28de"},{"author":{"_account_id":1000034,"name":"its_Giaan","display_name":"Gianmarco De Gregori","email":"gianmarco@mandelbit.com","username":"its_Giaan"},"change_message_id":"2da8d2c9c39b513cbbc31f5cb192b313ae6ebdbb","unresolved":true,"context_lines":[{"line_number":2162,"context_line":"    }"},{"line_number":2163,"context_line":""},{"line_number":2164,"context_line":"    /* Calculate the asymmetric peer-id */"},{"line_number":2165,"context_line":"    if (multi-\u003erx_peer_id \u003d\u003d MAX_PEER_ID \u0026\u0026 session-\u003eopt-\u003emode !\u003d MODE_SERVER)"},{"line_number":2166,"context_line":"    {"},{"line_number":2167,"context_line":"        uint8_t peerid[3];"},{"line_number":2168,"context_line":"        srand((unsigned)time(NULL));"}],"source_content_type":"text/x-csrc","patch_set":4,"id":"c0fec251_e0eada21","line":2165,"in_reply_to":"3fb67b50_b42dfeaf","updated":"2025-10-27 13:47:02.000000000","message":"I moved this into tls_multi_init_finalize(), hope that\u0027s fine.","commit_id":"816b0f141c576aa0348d75ce5f23de29812c28de"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"aab5d3255c358df12fa9c2d8e882da827666dc14","unresolved":false,"context_lines":[{"line_number":2162,"context_line":"    }"},{"line_number":2163,"context_line":""},{"line_number":2164,"context_line":"    /* Calculate the asymmetric peer-id */"},{"line_number":2165,"context_line":"    if (multi-\u003erx_peer_id \u003d\u003d MAX_PEER_ID \u0026\u0026 session-\u003eopt-\u003emode !\u003d MODE_SERVER)"},{"line_number":2166,"context_line":"    {"},{"line_number":2167,"context_line":"        uint8_t peerid[3];"},{"line_number":2168,"context_line":"        srand((unsigned)time(NULL));"}],"source_content_type":"text/x-csrc","patch_set":4,"id":"826f4e99_d4eca514","line":2165,"in_reply_to":"c0fec251_e0eada21","updated":"2026-01-22 12:47:56.000000000","message":"Done","commit_id":"816b0f141c576aa0348d75ce5f23de29812c28de"}],"src/openvpn/ssl_ncp.c":[{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"df4dff61d6219b83285cee7f52de8682bb3e347f","unresolved":true,"context_lines":[{"line_number":428,"context_line":"        multi-\u003euse_peer_id \u003d true;"},{"line_number":429,"context_line":"        multi-\u003euse_asymmetric_peer_id \u003d true;"},{"line_number":430,"context_line":"        multi-\u003erx_peer_id \u003d 0x76706e; /* \u0027v\u0027 \u0027p\u0027 \u0027n\u0027 */"},{"line_number":431,"context_line":"        multi-\u003etx_peer_id \u003d  2033;"},{"line_number":432,"context_line":"    }"},{"line_number":433,"context_line":""},{"line_number":434,"context_line":"    if (iv_proto_peer \u0026 IV_PROTO_CC_EXIT_NOTIFY)"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"5800ddd8_05764f00","line":431,"updated":"2025-07-17 09:43:55.000000000","message":"Why the hardcoded 2033 here? Shouldn\u0027t be also  0x76706e; /* \u0027v\u0027 \u0027p\u0027 \u0027n\u0027 */ ?","commit_id":"a768e1ae7690a3eefb1c118b1fe40d1b7a9f0354"},{"author":{"_account_id":1000034,"name":"its_Giaan","display_name":"Gianmarco De Gregori","email":"gianmarco@mandelbit.com","username":"its_Giaan"},"change_message_id":"2055e30e29b4776a5f310d0cf95344bba10d41f5","unresolved":false,"context_lines":[{"line_number":428,"context_line":"        multi-\u003euse_peer_id \u003d true;"},{"line_number":429,"context_line":"        multi-\u003euse_asymmetric_peer_id \u003d true;"},{"line_number":430,"context_line":"        multi-\u003erx_peer_id \u003d 0x76706e; /* \u0027v\u0027 \u0027p\u0027 \u0027n\u0027 */"},{"line_number":431,"context_line":"        multi-\u003etx_peer_id \u003d  2033;"},{"line_number":432,"context_line":"    }"},{"line_number":433,"context_line":""},{"line_number":434,"context_line":"    if (iv_proto_peer \u0026 IV_PROTO_CC_EXIT_NOTIFY)"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"4e416967_34f098a3","line":431,"in_reply_to":"1f01bfff_92f0595e","updated":"2025-09-29 09:37:04.000000000","message":"Done","commit_id":"a768e1ae7690a3eefb1c118b1fe40d1b7a9f0354"},{"author":{"_account_id":1000034,"name":"its_Giaan","display_name":"Gianmarco De Gregori","email":"gianmarco@mandelbit.com","username":"its_Giaan"},"change_message_id":"fb2a91f5448bca36d7a956fd0c96c3bd455c7e57","unresolved":true,"context_lines":[{"line_number":428,"context_line":"        multi-\u003euse_peer_id \u003d true;"},{"line_number":429,"context_line":"        multi-\u003euse_asymmetric_peer_id \u003d true;"},{"line_number":430,"context_line":"        multi-\u003erx_peer_id \u003d 0x76706e; /* \u0027v\u0027 \u0027p\u0027 \u0027n\u0027 */"},{"line_number":431,"context_line":"        multi-\u003etx_peer_id \u003d  2033;"},{"line_number":432,"context_line":"    }"},{"line_number":433,"context_line":""},{"line_number":434,"context_line":"    if (iv_proto_peer \u0026 IV_PROTO_CC_EXIT_NOTIFY)"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"1f01bfff_92f0595e","line":431,"in_reply_to":"5800ddd8_05764f00","updated":"2025-08-05 07:56:28.000000000","message":"yeah that was just for testing purposes, will fix this.","commit_id":"a768e1ae7690a3eefb1c118b1fe40d1b7a9f0354"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"df4dff61d6219b83285cee7f52de8682bb3e347f","unresolved":true,"context_lines":[{"line_number":471,"context_line":"            }"},{"line_number":472,"context_line":"            else"},{"line_number":473,"context_line":"            {"},{"line_number":474,"context_line":"                multi-\u003erx_peer_id \u003d (peerid[0] \u003c\u003c 16) + (peerid[1] \u003c\u003c 8) + peerid[2];"},{"line_number":475,"context_line":"            }"},{"line_number":476,"context_line":""},{"line_number":477,"context_line":"        }"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"5a725408_1afd7517","line":474,"updated":"2025-07-17 09:43:55.000000000","message":"Shouldn\u0027t there be code here","commit_id":"a768e1ae7690a3eefb1c118b1fe40d1b7a9f0354"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"8390654e74e78b1c6c5f074bf1b49d08a5521628","unresolved":true,"context_lines":[{"line_number":471,"context_line":"            }"},{"line_number":472,"context_line":"            else"},{"line_number":473,"context_line":"            {"},{"line_number":474,"context_line":"                multi-\u003erx_peer_id \u003d (peerid[0] \u003c\u003c 16) + (peerid[1] \u003c\u003c 8) + peerid[2];"},{"line_number":475,"context_line":"            }"},{"line_number":476,"context_line":""},{"line_number":477,"context_line":"        }"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"d2c5201c_e34ffb2d","line":474,"in_reply_to":"32efaf15_5871df14","updated":"2025-08-05 12:22:11.000000000","message":"I missing the code that implements the asymmetric peer-id here completely is what I am saying. Either the code to parse the ID\u003dxyz of the peer is completely missing or I overlooked it.","commit_id":"a768e1ae7690a3eefb1c118b1fe40d1b7a9f0354"},{"author":{"_account_id":1000034,"name":"its_Giaan","display_name":"Gianmarco De Gregori","email":"gianmarco@mandelbit.com","username":"its_Giaan"},"change_message_id":"fb2a91f5448bca36d7a956fd0c96c3bd455c7e57","unresolved":true,"context_lines":[{"line_number":471,"context_line":"            }"},{"line_number":472,"context_line":"            else"},{"line_number":473,"context_line":"            {"},{"line_number":474,"context_line":"                multi-\u003erx_peer_id \u003d (peerid[0] \u003c\u003c 16) + (peerid[1] \u003c\u003c 8) + peerid[2];"},{"line_number":475,"context_line":"            }"},{"line_number":476,"context_line":""},{"line_number":477,"context_line":"        }"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"32efaf15_5871df14","line":474,"in_reply_to":"5a725408_1afd7517","updated":"2025-08-05 07:56:28.000000000","message":"So you\u0027re saying we should keep the peer_id field and also the rx_peer_id and tx_peer_id but use them only if supported?","commit_id":"a768e1ae7690a3eefb1c118b1fe40d1b7a9f0354"},{"author":{"_account_id":1000034,"name":"its_Giaan","display_name":"Gianmarco De Gregori","email":"gianmarco@mandelbit.com","username":"its_Giaan"},"change_message_id":"2055e30e29b4776a5f310d0cf95344bba10d41f5","unresolved":false,"context_lines":[{"line_number":471,"context_line":"            }"},{"line_number":472,"context_line":"            else"},{"line_number":473,"context_line":"            {"},{"line_number":474,"context_line":"                multi-\u003erx_peer_id \u003d (peerid[0] \u003c\u003c 16) + (peerid[1] \u003c\u003c 8) + peerid[2];"},{"line_number":475,"context_line":"            }"},{"line_number":476,"context_line":""},{"line_number":477,"context_line":"        }"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"110f46aa_7a264227","line":474,"in_reply_to":"d2c5201c_e34ffb2d","updated":"2025-09-29 09:37:04.000000000","message":"Done","commit_id":"a768e1ae7690a3eefb1c118b1fe40d1b7a9f0354"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"334f152f34aa95ea6819e4a33b0196f499fa7dfa","unresolved":true,"context_lines":[{"line_number":422,"context_line":"        multi-\u003etx_peer_id \u003d 0x76706e; /* \u0027v\u0027 \u0027p\u0027 \u0027n\u0027 */"},{"line_number":423,"context_line":"    }"},{"line_number":424,"context_line":""},{"line_number":425,"context_line":"    if (tx_peer_id)"},{"line_number":426,"context_line":"    {"},{"line_number":427,"context_line":"        multi-\u003etx_peer_id \u003d tx_peer_id;"},{"line_number":428,"context_line":"    }"}],"source_content_type":"text/x-csrc","patch_set":4,"id":"c5df3a60_53fab78f","line":425,"updated":"2025-10-07 15:50:10.000000000","message":"This also need to take DCO capability into account.","commit_id":"816b0f141c576aa0348d75ce5f23de29812c28de"},{"author":{"_account_id":1000034,"name":"its_Giaan","display_name":"Gianmarco De Gregori","email":"gianmarco@mandelbit.com","username":"its_Giaan"},"change_message_id":"2da8d2c9c39b513cbbc31f5cb192b313ae6ebdbb","unresolved":false,"context_lines":[{"line_number":422,"context_line":"        multi-\u003etx_peer_id \u003d 0x76706e; /* \u0027v\u0027 \u0027p\u0027 \u0027n\u0027 */"},{"line_number":423,"context_line":"    }"},{"line_number":424,"context_line":""},{"line_number":425,"context_line":"    if (tx_peer_id)"},{"line_number":426,"context_line":"    {"},{"line_number":427,"context_line":"        multi-\u003etx_peer_id \u003d tx_peer_id;"},{"line_number":428,"context_line":"    }"}],"source_content_type":"text/x-csrc","patch_set":4,"id":"74331eed_c592a014","line":425,"in_reply_to":"c5df3a60_53fab78f","updated":"2025-10-27 13:47:02.000000000","message":"Done","commit_id":"816b0f141c576aa0348d75ce5f23de29812c28de"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"334f152f34aa95ea6819e4a33b0196f499fa7dfa","unresolved":true,"context_lines":[{"line_number":447,"context_line":"    {"},{"line_number":448,"context_line":"        session-\u003eopt-\u003ecrypto_flags |\u003d CO_USE_TLS_KEY_MATERIAL_EXPORT;"},{"line_number":449,"context_line":""},{"line_number":450,"context_line":"        if (multi-\u003euse_peer_id)"},{"line_number":451,"context_line":"        {"},{"line_number":452,"context_line":"            /* Using a non hardcoded peer-id makes a tiny bit harder to"},{"line_number":453,"context_line":"             * fingerprint packets and also gives each connection a unique"}],"source_content_type":"text/x-csrc","patch_set":4,"id":"1a14b321_0b6cf1e1","line":450,"updated":"2025-10-07 15:50:10.000000000","message":"I think this parts needs to be skipped if we are using/negotiated asymmetric peer-id as it would overwrite both rx and tx ids with the EKM generated ones. Probably move the if (tx_peer_id) above and have this as else path with a comment that asymmetric peer id trumps EKM","commit_id":"816b0f141c576aa0348d75ce5f23de29812c28de"},{"author":{"_account_id":1000034,"name":"its_Giaan","display_name":"Gianmarco De Gregori","email":"gianmarco@mandelbit.com","username":"its_Giaan"},"change_message_id":"2da8d2c9c39b513cbbc31f5cb192b313ae6ebdbb","unresolved":false,"context_lines":[{"line_number":447,"context_line":"    {"},{"line_number":448,"context_line":"        session-\u003eopt-\u003ecrypto_flags |\u003d CO_USE_TLS_KEY_MATERIAL_EXPORT;"},{"line_number":449,"context_line":""},{"line_number":450,"context_line":"        if (multi-\u003euse_peer_id)"},{"line_number":451,"context_line":"        {"},{"line_number":452,"context_line":"            /* Using a non hardcoded peer-id makes a tiny bit harder to"},{"line_number":453,"context_line":"             * fingerprint packets and also gives each connection a unique"}],"source_content_type":"text/x-csrc","patch_set":4,"id":"c5e954b4_8a6a0a93","line":450,"in_reply_to":"1a14b321_0b6cf1e1","updated":"2025-10-27 13:47:02.000000000","message":"Done","commit_id":"816b0f141c576aa0348d75ce5f23de29812c28de"}],"src/openvpn/ssl_util.c":[{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"334f152f34aa95ea6819e4a33b0196f499fa7dfa","unresolved":true,"context_lines":[{"line_number":87,"context_line":"            }"},{"line_number":88,"context_line":"        }"},{"line_number":89,"context_line":"    }"},{"line_number":90,"context_line":"    return 0;"},{"line_number":91,"context_line":"}"},{"line_number":92,"context_line":""},{"line_number":93,"context_line":"const char *"}],"source_content_type":"text/x-csrc","patch_set":4,"id":"aa5446c4_405e7c5e","line":90,"updated":"2025-10-07 15:50:10.000000000","message":"0 is a valid peer id. So I would rather have -1 (and int32_t as return type) or MAX_PEER_ID, MAX_UINT value or similar as not defined.\n\nIn fact the first client that typically connects to a p2mp server is assigned value 0.","commit_id":"816b0f141c576aa0348d75ce5f23de29812c28de"},{"author":{"_account_id":1000034,"name":"its_Giaan","display_name":"Gianmarco De Gregori","email":"gianmarco@mandelbit.com","username":"its_Giaan"},"change_message_id":"2da8d2c9c39b513cbbc31f5cb192b313ae6ebdbb","unresolved":false,"context_lines":[{"line_number":87,"context_line":"            }"},{"line_number":88,"context_line":"        }"},{"line_number":89,"context_line":"    }"},{"line_number":90,"context_line":"    return 0;"},{"line_number":91,"context_line":"}"},{"line_number":92,"context_line":""},{"line_number":93,"context_line":"const char *"}],"source_content_type":"text/x-csrc","patch_set":4,"id":"c1989b67_8f07aa92","line":90,"in_reply_to":"aa5446c4_405e7c5e","updated":"2025-10-27 13:47:02.000000000","message":"Done","commit_id":"816b0f141c576aa0348d75ce5f23de29812c28de"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"88dc2d5c7f430179fa881c77f1cc8b20d01f0550","unresolved":true,"context_lines":[{"line_number":81,"context_line":"        uint32_t peer_id \u003d 0;"},{"line_number":82,"context_line":"        int r \u003d sscanf(optstr, \"ID\u003d%x\", \u0026peer_id);"},{"line_number":83,"context_line":"        {"},{"line_number":84,"context_line":"            if (r \u003d\u003d 1 \u0026\u0026 peer_id \u003c UINT32_MAX)"},{"line_number":85,"context_line":"            {"},{"line_number":86,"context_line":"                return peer_id;"},{"line_number":87,"context_line":"            }"}],"source_content_type":"text/x-csrc","patch_set":10,"id":"e69ce258_d1aeeb07","line":84,"updated":"2026-04-21 15:27:53.000000000","message":"This check should check \u003c MAX_PEER_ID instead of UINT32_MAX since we otherwise still end up with an invalid peer-id","commit_id":"d8f80ca6d924e0b5c8a9469aeee42dcd08b99af2"}],"src/openvpn/ssl_util.h":[{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"334f152f34aa95ea6819e4a33b0196f499fa7dfa","unresolved":true,"context_lines":[{"line_number":53,"context_line":" */"},{"line_number":54,"context_line":"unsigned int extract_iv_proto(const char *peer_info);"},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"uint32_t extract_asymmetric_peer_id(const char *peer_info);"},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"/**"},{"line_number":59,"context_line":" * Takes a locally produced OCC string for TLS server mode and modifies as"}],"source_content_type":"text/x-csrc","patch_set":4,"id":"17f8e5bb_aeb5d80c","line":56,"updated":"2025-10-07 15:50:10.000000000","message":"Add doxygen please","commit_id":"816b0f141c576aa0348d75ce5f23de29812c28de"},{"author":{"_account_id":1000034,"name":"its_Giaan","display_name":"Gianmarco De Gregori","email":"gianmarco@mandelbit.com","username":"its_Giaan"},"change_message_id":"2da8d2c9c39b513cbbc31f5cb192b313ae6ebdbb","unresolved":false,"context_lines":[{"line_number":53,"context_line":" */"},{"line_number":54,"context_line":"unsigned int extract_iv_proto(const char *peer_info);"},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"uint32_t extract_asymmetric_peer_id(const char *peer_info);"},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"/**"},{"line_number":59,"context_line":" * Takes a locally produced OCC string for TLS server mode and modifies as"}],"source_content_type":"text/x-csrc","patch_set":4,"id":"be89150e_3068de2f","line":56,"in_reply_to":"17f8e5bb_aeb5d80c","updated":"2025-10-27 13:47:02.000000000","message":"Done","commit_id":"816b0f141c576aa0348d75ce5f23de29812c28de"}]}