The diff between v7 and v8 is minimal (printing protocol-options and
initializing key2.n=2 in tls_crypt_v2_init_client_key()), so taking
Heiko's ACK on v7.
I have not really looked hard at the code, relying on Heiko's tests
and compatibility work with OpenVPN 3. Basic stare-at-code for stuff
like memory sanity etc. looks good. Also, it has a unit test :-)
What I have done is subject this to the client/server torture testbed,
with a master+v8 client and master+v8 server (= using dynamic tls-crypt,
and not crashing) and both sides also talking to 2.3/2.4/2.5 peers, with
tls-auth, tls-crypt, tls-crypt-v2 (where supported) - since this all
works now, I'm not worried about breaking compatibility.
In addition, I've tried the auth-token renegotiation / reconnect setup
that excercises renegotiations heavily, and that also succeeds
(reneg-sec 90, token expiry at 300, so quite a bit of successful/failing
renegotiations, having to fall back to reconnect)
In Changes.rst I have adjusted "2.6.0+" to "2.6.1+" (master) and have
moved this to a new "changes in 2.6.1" section (release/2.6).
Your patch has been applied to the master and release/2.6 branch.
commit 6a05768a71ede7a8654fc6f3104f7449509efee0 (master)
commit 202a934fc32673ef865b5cbcb23ad6057ceb2e0b (release/2.6)
Author: Arne Schwabe
Date: Tue Mar 7 16:02:33 2023 +0100
Dynamic tls-crypt for secure soft_reset/session renegotiation
Signed-off-by: Arne Schwabe <a...@rfc2549.org>
Acked-by: Heiko Hund <he...@ist.eigentlich.net>
Message-Id: <20230307150233.3551436-1-a...@rfc2549.org>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26341.html
Signed-off-by: Gert Doering <g...@greenie.muc.de>
--
kind regards,
Gert Doering
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
