)]}'
{"id":"openvpn~1478","triplet_id":"openvpn~master~I704c560fa23c03237d0f8adc30908a617265a5a1","project":"openvpn","branch":"master","attention_set":{"1000041":{"account":{"_account_id":1000041,"name":"ralf_lici","display_name":"Ralf Lici","email":"ralf@mandelbit.com","username":"ralf_lici"},"last_update":"2026-03-02 15:06:28.000000000","reason":"\u003cGERRIT_ACCOUNT_1000003\u003e replied on the change","reason_account":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"}}},"removed_from_attention_set":{"1000003":{"account":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"last_update":"2026-03-02 15:06:28.000000000","reason":"\u003cGERRIT_ACCOUNT_1000003\u003e replied on the change","reason_account":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"}}},"hashtags":["mailsubmitted"],"change_id":"I704c560fa23c03237d0f8adc30908a617265a5a1","subject":"tls: reject incoming reneg request if primary key is not fully valid","status":"NEW","created":"2026-01-19 18:40:03.000000000","updated":"2026-03-09 13:33:48.000000000","submit_type":"CHERRY_PICK","submittable":false,"total_comment_count":4,"unresolved_comment_count":0,"has_review_started":true,"meta_rev_id":"b433451096a456128eacca8bae3d101b93ee41d9","_number":1478,"virtual_id_number":1478,"owner":{"_account_id":1000041,"name":"ralf_lici","display_name":"Ralf Lici","email":"ralf@mandelbit.com","username":"ralf_lici"},"actions":{},"labels":{"Code-Review":{"approved":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"all":[{"value":2,"date":"2026-03-02 15:06:28.000000000","permitted_voting_range":{"min":-2,"max":2},"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"}],"values":{"-2":"This shall not be submitted","-1":"I would prefer this is not submitted as is"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me, approved"},"default_value":0}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"}],"CC":[{"_account_id":1000026,"name":"openvpn-devel","email":"openvpn-devel@lists.sourceforge.net","username":"openvpn-devel"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2026-01-19 18:40:04.000000000","updated_by":{"_account_id":1000041,"name":"ralf_lici","display_name":"Ralf Lici","email":"ralf@mandelbit.com","username":"ralf_lici"},"reviewer":{"_account_id":1000026,"name":"openvpn-devel","email":"openvpn-devel@lists.sourceforge.net","username":"openvpn-devel"},"state":"CC"},{"updated":"2026-01-19 18:40:04.000000000","updated_by":{"_account_id":1000041,"name":"ralf_lici","display_name":"Ralf Lici","email":"ralf@mandelbit.com","username":"ralf_lici"},"reviewer":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"state":"REVIEWER"}],"messages":[{"id":"9ca01e92491ba9a7952f853d3833ff9e6b9ec5e0","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000041,"name":"ralf_lici","display_name":"Ralf Lici","email":"ralf@mandelbit.com","username":"ralf_lici"},"date":"2026-01-19 18:40:03.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"669aecf67481645b4c62a581012d7736cf13e49a","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000041,"name":"ralf_lici","display_name":"Ralf Lici","email":"ralf@mandelbit.com","username":"ralf_lici"},"date":"2026-02-16 08:41:46.000000000","message":"Uploaded patch set 2.","accounts_in_message":[],"_revision_number":2},{"id":"f897d3a5284e7b9dffb8b81d00b64820efbc2aab","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2026-02-16 14:32:19.000000000","message":"Patch Set 2: Code-Review+2\n\n(2 comments)","accounts_in_message":[],"_revision_number":2},{"id":"d215c0c848653c6ad37aa66be6630a2508369892","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000041,"name":"ralf_lici","display_name":"Ralf Lici","email":"ralf@mandelbit.com","username":"ralf_lici"},"date":"2026-02-17 08:10:25.000000000","message":"Uploaded patch set 3.\n\nOutdated Votes:\n* Code-Review+2 (copy condition: \"changekind:NO_CHANGE OR changekind:TRIVIAL_REBASE OR is:MIN\")\n","accounts_in_message":[],"_revision_number":3},{"id":"c8820a5b3cb6984be08bd80f58f0ec24e9e210ed","author":{"_account_id":1000041,"name":"ralf_lici","display_name":"Ralf Lici","email":"ralf@mandelbit.com","username":"ralf_lici"},"date":"2026-02-17 08:10:55.000000000","message":"Patch Set 3:\n\n(2 comments)","accounts_in_message":[],"_revision_number":3},{"id":"abcb5152be1fad99da9517bd930a9e2184d66a63","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2026-03-02 15:06:28.000000000","message":"Patch Set 3: Code-Review+2","accounts_in_message":[],"_revision_number":3},{"id":"b433451096a456128eacca8bae3d101b93ee41d9","tag":"autogenerated:gerrit:setHashtag","author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"date":"2026-03-09 13:33:48.000000000","message":"Hashtag added: mailsubmitted","accounts_in_message":[],"_revision_number":3}],"current_revision_number":3,"current_revision":"e3676dbba60cf1e453dae83018200bf362eb604f","revisions":{"1f2912ab74d78d347dc4e89e4bf31872f63ea0fb":{"kind":"REWORK","_number":1,"created":"2026-01-19 18:40:03.000000000","uploader":{"_account_id":1000041,"name":"ralf_lici","display_name":"Ralf Lici","email":"ralf@mandelbit.com","username":"ralf_lici"},"ref":"refs/changes/78/1478/1","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/78/1478/1","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/78/1478/1 \u0026\u0026 git checkout -b change-1478 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/78/1478/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/78/1478/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/78/1478/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/78/1478/1","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/78/1478/1 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"2cc00e80bca26c1c7129fa45e48714ca68b56b28","subject":"socket: Avoid conversion warning in get_addr_generic"}],"author":{"name":"Ralf Lici","email":"ralf@mandelbit.com","date":"2026-01-19 18:16:42.000000000","tz":60},"committer":{"name":"Ralf Lici","email":"ralf@mandelbit.com","date":"2026-01-19 18:39:48.000000000","tz":60},"subject":"tls_multi_process: promote lame duck key to primary after reneg","message":"tls_multi_process: promote lame duck key to primary after reneg\n\nWhen a key is negotiated, the transition window logic imposes a delay\nbefore fully adopting the new key. The auth_deferred_expire field\nindicates the interval we must wait before considering the key fully\nusable (see tls_select_encryption_key). However, in an unfortunate\nscenario where the remote peer uses a reneg-sec interval lower than our\nhandshake window or lower than half of our reneg-sec interval, we end up\ninitializing every key with an auth_deferred_expire value that never\nexpires. This leads to selecting the wrong key when invoking\ntls_select_encryption_key.\n\nTo ensure we always have a fully valid key, whenever a renegotiation\nhappens, promote the old key even if its auth_deferred_expire has not\nyet expired.\n\nChange-Id: I704c560fa23c03237d0f8adc30908a617265a5a1\n"},"branch":"refs/heads/master"},"4993426e50a4a0f2a29cc5dc901927518029a30b":{"kind":"REWORK","_number":2,"created":"2026-02-16 08:41:46.000000000","uploader":{"_account_id":1000041,"name":"ralf_lici","display_name":"Ralf Lici","email":"ralf@mandelbit.com","username":"ralf_lici"},"ref":"refs/changes/78/1478/2","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/78/1478/2","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/78/1478/2 \u0026\u0026 git checkout -b change-1478 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/78/1478/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/78/1478/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/78/1478/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/78/1478/2","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/78/1478/2 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"6f9ab9647cf0a3bc53e42e609437f892ce009e7a","subject":"port-share: log incoming connections at verb 3 only"}],"author":{"name":"Ralf Lici","email":"ralf@mandelbit.com","date":"2026-01-19 18:16:42.000000000","tz":60},"committer":{"name":"Ralf Lici","email":"ralf@mandelbit.com","date":"2026-02-16 08:11:11.000000000","tz":60},"subject":"tls: reject incoming reneg request if primary key is not fully valid","message":"tls: reject incoming reneg request if primary key is not fully valid\n\nAn incoming P_CONTROL_SOFT_RESET_V1 can arrive while the primary key is\nalready in S_GENERATED_KEYS but no longer fully authorized. This can\nhappen when deferred auth later expires/fails, or when mid-session auth\nchecks deauthenticate the key without demoting its TLS state.\n\nThis patch keeps read_control_auth as the first gate, then rejects the\nincoming renegotiation request unless the primary key is KS_AUTH_TRUE\nand its auth_deferred_expire gate has passed.\n\nChange-Id: I704c560fa23c03237d0f8adc30908a617265a5a1\nSigned-off-by: Ralf Lici \u003cralf@mandelbit.com\u003e\n"},"branch":"refs/heads/master"},"e3676dbba60cf1e453dae83018200bf362eb604f":{"kind":"REWORK","_number":3,"created":"2026-02-17 08:10:25.000000000","uploader":{"_account_id":1000041,"name":"ralf_lici","display_name":"Ralf Lici","email":"ralf@mandelbit.com","username":"ralf_lici"},"ref":"refs/changes/78/1478/3","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/78/1478/3","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/78/1478/3 \u0026\u0026 git checkout -b change-1478 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/78/1478/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/78/1478/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/78/1478/3 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/78/1478/3","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/78/1478/3 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"6f9ab9647cf0a3bc53e42e609437f892ce009e7a","subject":"port-share: log incoming connections at verb 3 only"}],"author":{"name":"Ralf Lici","email":"ralf@mandelbit.com","date":"2026-01-19 18:16:42.000000000","tz":60},"committer":{"name":"Ralf Lici","email":"ralf@mandelbit.com","date":"2026-02-17 08:09:49.000000000","tz":60},"subject":"tls: reject incoming reneg request if primary key is not fully valid","message":"tls: reject incoming reneg request if primary key is not fully valid\n\nIncoming P_CONTROL_SOFT_RESET_V1 can arrive while the active key is not\nyet fully valid for renegotiation. This includes the window where we are\nstill waiting for auth_deferred_expire (derived from handshake/reneg\ntiming), as well as cases where deferred or mid-session auth later\nleaves the key non-authenticated even though state is S_GENERATED_KEYS.\n\nThis patch keeps read_control_auth as the first gate, then rejects the\nincoming renegotiation requests unless the primary key is KS_AUTH_TRUE\nand auth_deferred_expire has passed.\n\nChange-Id: I704c560fa23c03237d0f8adc30908a617265a5a1\nSigned-off-by: Ralf Lici \u003cralf@mandelbit.com\u003e\n"},"branch":"refs/heads/master"}},"requirements":[{"status":"NOT_READY","fallback_text":"All required checks must pass","type":"checks_pass"}],"submit_records":[{"rule_name":"gerrit~DefaultSubmitRule","status":"OK","labels":[{"label":"Code-Review","status":"OK","applied_by":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"}}]},{"rule_name":"checks~ChecksSubmitRule","status":"NOT_READY","requirements":[{"status":"NOT_READY","fallback_text":"All required checks must pass","type":"checks_pass"}]}],"submit_requirements":[{"name":"Code-Review","status":"SATISFIED","is_legacy":true,"submittability_expression_result":{"expression":"label:Code-Review\u003dMAX -label:Code-Review\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Code-Review\u003dMAX","-label:Code-Review\u003dMIN"],"failing_atoms":[]}},{"name":"checks~ChecksSubmitRule","status":"UNSATISFIED","is_legacy":true,"submittability_expression_result":{"expression":"rule:checks~ChecksSubmitRule","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["checks~ChecksSubmitRule"]}}]}