In addition to the thorough review from Steffan, I have tortured
this patch on the client and server side (read: patched client
talking to an old server, old clients talking to a patched server,
patched client talking to patched server, with/without NCP) and
everything succeeded/failed as expected.
I have actually seen the handshake happen between openssl client
and server, and mbedtls 2.24.0 (gentoo) client / openssl server
(I have not checked if the handshake had any actual *effect*, just
if I could see it in the PUSH_REPLY message, and that ping worked
afterwards).
"PUSH_REPLY ... cipher none,key-derivation tls-ekm" looks weird :-)
Your patch has been applied to the master branch.
commit 6dc09d0d4520483716530e12a444b156720cdfcc
Author: Arne Schwabe
Date: Fri Oct 9 13:54:53 2020 +0200
Implement generating data channel keys via EKM/RFC 5705
Signed-off-by: Arne Schwabe <[email protected]>
Acked-by: Steffan Karger <[email protected]>
Message-Id: <[email protected]>
URL:
https://www.mail-archive.com/[email protected]/msg21187.html
Signed-off-by: Gert Doering <[email protected]>
--
kind regards,
Gert Doering
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
