)]}'
{"id":"openvpn~1315","triplet_id":"openvpn~master~Icfcbf8ee20c1c0016eb98b570f24b9325b157c5c","project":"openvpn","branch":"master","attention_set":{},"removed_from_attention_set":{"1000003":{"account":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"last_update":"2025-10-31 10:05:53.000000000","reason":"\u003cGERRIT_ACCOUNT_1000003\u003e replied on the change","reason_account":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"}},"1000002":{"account":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"last_update":"2025-10-31 11:19:20.000000000","reason":"Change was submitted"},"1000001":{"account":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"last_update":"2025-10-31 11:19:20.000000000","reason":"Change was submitted"},"1000030":{"account":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"last_update":"2025-10-31 11:19:20.000000000","reason":"Change was submitted"}},"hashtags":[],"change_id":"Icfcbf8ee20c1c0016eb98b570f24b9325b157c5c","subject":"Zeroize tls-crypt-v2 client keys","status":"MERGED","created":"2025-10-27 15:56:28.000000000","updated":"2025-10-31 11:19:20.000000000","submitted":"2025-10-31 11:19:20.000000000","submitter":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"total_comment_count":0,"unresolved_comment_count":0,"has_review_started":true,"submission_id":"1315","meta_rev_id":"56e6cbc34744b2efe990b08c006724a4275183b6","_number":1315,"virtual_id_number":1315,"owner":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"actions":{},"labels":{"Code-Review":{"all":[{"value":0,"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},{"value":0,"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"}],"values":{"-2":"This shall not be submitted","-1":"I would prefer this is not submitted as is"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me, approved"},"description":"","default_value":0}},"removable_reviewers":[{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."}],"reviewers":{"REVIEWER":[{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"}],"CC":[{"_account_id":1000026,"name":"openvpn-devel","email":"openvpn-devel@lists.sourceforge.net","username":"openvpn-devel"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2025-10-27 15:56:28.000000000","updated_by":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"reviewer":{"_account_id":1000026,"name":"openvpn-devel","email":"openvpn-devel@lists.sourceforge.net","username":"openvpn-devel"},"state":"CC"},{"updated":"2025-10-27 15:56:28.000000000","updated_by":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"reviewer":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"state":"REVIEWER"},{"updated":"2025-10-27 15:56:28.000000000","updated_by":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"reviewer":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"state":"REVIEWER"}],"messages":[{"id":"f9df393b792a7f3be79fd8a3cb40c0845b8fdf94","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"date":"2025-10-27 15:56:28.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"54c94a36eb30c6fe3d793578156f6490e99acd64","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2025-10-28 11:55:43.000000000","message":"Patch Set 2: Commit message was updated.","accounts_in_message":[],"_revision_number":2},{"id":"812b98fff95a51ff97e058562b7f30f4f51c2ca6","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-10-31 10:05:53.000000000","message":"Patch Set 2: Code-Review+2","accounts_in_message":[],"_revision_number":2},{"id":"56e6cbc34744b2efe990b08c006724a4275183b6","tag":"autogenerated:gerrit:merged","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2025-10-31 11:19:20.000000000","message":"Change has been successfully pushed.","accounts_in_message":[],"_revision_number":3}],"current_revision_number":3,"current_revision":"9f71f906ea95331fd9b269502e92c42d1812dd9e","revisions":{"96be5aa418495671ff0f8eb46ac021cb138f144f":{"kind":"REWORK","_number":1,"created":"2025-10-27 15:56:28.000000000","uploader":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"ref":"refs/changes/15/1315/1","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/15/1315/1","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/15/1315/1 \u0026\u0026 git checkout -b change-1315 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/15/1315/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/15/1315/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/15/1315/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/15/1315/1","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/15/1315/1 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"a69d9b66502f13354750d8146cd038cc7a26a0bd","subject":"Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0"}],"author":{"name":"Max Fillinger","email":"max@max-fillinger.net","date":"2025-10-27 15:44:00.000000000","tz":60},"committer":{"name":"Max Fillinger","email":"max@max-fillinger.net","date":"2025-10-27 15:44:00.000000000","tz":60},"subject":"Zeroize tls-crypt-v2 client keys","message":"Zeroize tls-crypt-v2 client keys\n\nJoshua Rogers sent in a bug report generated with ZeroPath that the\ntls-crypt-v2 client key is loaded before running the verify script. If\nthe verify script fails, the key is not zeroized.\n\nWhile investigating this report, I found that free_tls_pre_decrypt_state\nnever zeroizes tls_wrap_tmp.original_wrap_keydata. So also when the\ncheck is successful, key data will remain in memory when it is no longer\nneeded.\n\nThis commit moves the tls-crypt-v2-verify check before loading the key.\nIf it fails, original_wrap_keydata is zeroized. Also, in\nfree_tls_pre_decrypt_state, if a key has been loaded,\noriginal_wrap_keydata is zeroized.\n\nChange-Id: Icfcbf8ee20c1c0016eb98b570f24b9325b157c5c\nSigned-off-by: Max Fillinger \u003cmax@max-fillinger.net\u003e\n"},"branch":"refs/heads/master"},"73cf6fc7ea0641b9934fb4ef1d18988a4f133a59":{"kind":"NO_CODE_CHANGE","_number":2,"created":"2025-10-28 11:55:43.000000000","uploader":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"ref":"refs/changes/15/1315/2","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/15/1315/2","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/15/1315/2 \u0026\u0026 git checkout -b change-1315 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/15/1315/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/15/1315/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/15/1315/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/15/1315/2","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/15/1315/2 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"a69d9b66502f13354750d8146cd038cc7a26a0bd","subject":"Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0"}],"author":{"name":"Max Fillinger","email":"max@max-fillinger.net","date":"2025-10-27 15:44:00.000000000","tz":60},"committer":{"name":"cron2","email":"gert@greenie.muc.de","date":"2025-10-28 11:55:43.000000000","tz":0},"subject":"Zeroize tls-crypt-v2 client keys","message":"Zeroize tls-crypt-v2 client keys\n\nJoshua Rogers sent in a bug report generated with ZeroPath that the\ntls-crypt-v2 client key is loaded before running the verify script. If\nthe verify script fails, the key is not zeroized.\n\nWhile investigating this report, I found that free_tls_pre_decrypt_state\nnever zeroizes tls_wrap_tmp.original_wrap_keydata. So also when the\ncheck is successful, key data will remain in memory when it is no longer\nneeded.\n\nThis commit moves the tls-crypt-v2-verify check before loading the key.\nIf it fails, original_wrap_keydata is zeroized. Also, in\nfree_tls_pre_decrypt_state, if a key has been loaded,\noriginal_wrap_keydata is zeroized.\n\nReported-By: Joshua Rogers \u003ccontact@joshua.hu\u003e\nFound-By: Zeropath\n\nChange-Id: Icfcbf8ee20c1c0016eb98b570f24b9325b157c5c\nSigned-off-by: Max Fillinger \u003cmax@max-fillinger.net\u003e\n"},"branch":"refs/heads/master","description":"Edit commit message"},"9f71f906ea95331fd9b269502e92c42d1812dd9e":{"kind":"TRIVIAL_REBASE_WITH_MESSAGE_UPDATE","_number":3,"created":"2025-10-31 11:19:20.000000000","uploader":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"ref":"refs/changes/15/1315/3","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/15/1315/3","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/15/1315/3 \u0026\u0026 git checkout -b change-1315 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/15/1315/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/15/1315/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/15/1315/3 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/15/1315/3","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/15/1315/3 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"6b0208e962aadf285ecc7ab47cc973a9018e3f24","subject":"PUSH_UPDATE server: invalid read bug-fix and unit-tests improvements"}],"author":{"name":"Max Fillinger","email":"max@max-fillinger.net","date":"2025-10-31 10:08:04.000000000","tz":60},"committer":{"name":"Gert Doering","email":"gert@greenie.muc.de","date":"2025-10-31 10:22:13.000000000","tz":60},"subject":"Zeroize tls-crypt-v2 client keys","message":"Zeroize tls-crypt-v2 client keys\n\nJoshua Rogers sent in a bug report generated with ZeroPath that the\ntls-crypt-v2 client key is loaded before running the verify script. If\nthe verify script fails, the key is not zeroized.\n\nWhile investigating this report, I found that free_tls_pre_decrypt_state\nnever zeroizes tls_wrap_tmp.original_wrap_keydata. So also when the\ncheck is successful, key data will remain in memory when it is no longer\nneeded.\n\nThis commit moves the tls-crypt-v2-verify check before loading the key.\nIf it fails, original_wrap_keydata is zeroized. Also, in\nfree_tls_pre_decrypt_state, if a key has been loaded,\noriginal_wrap_keydata is zeroized.\n\nReported-By: Joshua Rogers \u003ccontact@joshua.hu\u003e\nFound-by: ZeroPath (https://zeropath.com/)\n\nChange-Id: Icfcbf8ee20c1c0016eb98b570f24b9325b157c5c\nSigned-off-by: Max Fillinger \u003cmax@max-fillinger.net\u003e\nAcked-by: Arne Schwabe \u003carne-openvpn@rfc2549.org\u003e\nGerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1315\nMessage-Id: \u003c20251031100819.24855-1-gert@greenie.muc.de\u003e\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34103.html\nSigned-off-by: Gert Doering \u003cgert@greenie.muc.de\u003e\n"},"branch":"refs/heads/master"}},"requirements":[],"submit_records":[],"submit_requirements":[]}