In addition to the thorough review from Steffan, I have tortured this patch on the client and server side (read: patched client talking to an old server, old clients talking to a patched server, patched client talking to patched server, with/without NCP) and everything succeeded/failed as expected.
I have actually seen the handshake happen between openssl client and server, and mbedtls 2.24.0 (gentoo) client / openssl server (I have not checked if the handshake had any actual *effect*, just if I could see it in the PUSH_REPLY message, and that ping worked afterwards). "PUSH_REPLY ... cipher none,key-derivation tls-ekm" looks weird :-) Your patch has been applied to the master branch. commit 6dc09d0d4520483716530e12a444b156720cdfcc Author: Arne Schwabe Date: Fri Oct 9 13:54:53 2020 +0200 Implement generating data channel keys via EKM/RFC 5705 Signed-off-by: Arne Schwabe <a...@rfc2549.org> Acked-by: Steffan Karger <steffan.kar...@foxcrypto.com> Message-Id: <20201009115453.4279-1-a...@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21187.html Signed-off-by: Gert Doering <g...@greenie.muc.de> -- kind regards, Gert Doering _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel