)]}'
{"id":"openvpn~1622","triplet_id":"openvpn~master~I055c64ca8b23066e70eea7d7deddfb14f5354c5f","project":"openvpn","branch":"master","attention_set":{"1000003":{"account":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"last_update":"2026-04-09 01:10:30.000000000","reason":"\u003cGERRIT_ACCOUNT_1000050\u003e replied on the change","reason_account":{"_account_id":1000050,"name":"Bluca","email":"luca.boccassi@gmail.com","username":"Bluca"}},"1000009":{"account":{"_account_id":1000009,"name":"selvanair","display_name":"Selva Nair","email":"selva.nair@gmail.com","username":"selvanair"},"last_update":"2026-04-06 11:44:47.000000000","reason":"\u003cGERRIT_ACCOUNT_1000050\u003e replied on the change","reason_account":{"_account_id":1000050,"name":"Bluca","email":"luca.boccassi@gmail.com","username":"Bluca"}}},"removed_from_attention_set":{"1000050":{"account":{"_account_id":1000050,"name":"Bluca","email":"luca.boccassi@gmail.com","username":"Bluca"},"last_update":"2026-04-09 01:10:30.000000000","reason":"\u003cGERRIT_ACCOUNT_1000050\u003e replied on the change","reason_account":{"_account_id":1000050,"name":"Bluca","email":"luca.boccassi@gmail.com","username":"Bluca"}}},"hashtags":[],"change_id":"I055c64ca8b23066e70eea7d7deddfb14f5354c5f","subject":"ssl: use TLS record-sized buffers for key method 2 exchange","status":"NEW","created":"2026-04-06 11:44:06.000000000","updated":"2026-04-09 01:10:57.000000000","submit_type":"CHERRY_PICK","submittable":false,"total_comment_count":22,"unresolved_comment_count":3,"has_review_started":true,"meta_rev_id":"b791faf0fdb645f1493ef611f02a58ea579ba6c8","_number":1622,"virtual_id_number":1622,"owner":{"_account_id":1000050,"name":"Bluca","email":"luca.boccassi@gmail.com","username":"Bluca"},"actions":{},"labels":{"Code-Review":{"all":[{"value":0,"permitted_voting_range":{"min":-2,"max":2},"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},{"value":0,"permitted_voting_range":{"min":-2,"max":2},"_account_id":1000009,"name":"selvanair","display_name":"Selva Nair","email":"selva.nair@gmail.com","username":"selvanair"}],"values":{"-2":"This shall not be submitted","-1":"I would prefer this is not submitted as is"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me, approved"},"default_value":0}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},{"_account_id":1000009,"name":"selvanair","display_name":"Selva Nair","email":"selva.nair@gmail.com","username":"selvanair"}],"CC":[{"_account_id":1000026,"name":"openvpn-devel","email":"openvpn-devel@lists.sourceforge.net","username":"openvpn-devel"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2026-04-06 11:44:06.000000000","updated_by":{"_account_id":1000050,"name":"Bluca","email":"luca.boccassi@gmail.com","username":"Bluca"},"reviewer":{"_account_id":1000026,"name":"openvpn-devel","email":"openvpn-devel@lists.sourceforge.net","username":"openvpn-devel"},"state":"CC"},{"updated":"2026-04-06 11:44:06.000000000","updated_by":{"_account_id":1000050,"name":"Bluca","email":"luca.boccassi@gmail.com","username":"Bluca"},"reviewer":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"state":"REVIEWER"},{"updated":"2026-04-06 11:44:47.000000000","updated_by":{"_account_id":1000050,"name":"Bluca","email":"luca.boccassi@gmail.com","username":"Bluca"},"reviewer":{"_account_id":1000009,"name":"selvanair","display_name":"Selva Nair","email":"selva.nair@gmail.com","username":"selvanair"},"state":"REVIEWER"}],"messages":[{"id":"0395f674d955d3c00630c496a9ab9b9d51efc9b1","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000050,"name":"Bluca","email":"luca.boccassi@gmail.com","username":"Bluca"},"date":"2026-04-06 11:44:06.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"d47344cd3ebbc31a3e2cc4bc34d03353125c7195","author":{"_account_id":1000050,"name":"Bluca","email":"luca.boccassi@gmail.com","username":"Bluca"},"date":"2026-04-06 11:50:19.000000000","message":"Patch Set 1:\n\n(1 comment)","accounts_in_message":[],"_revision_number":1},{"id":"8d92bcb209a45678c70671878f35c1553181e786","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2026-04-07 00:48:54.000000000","message":"Patch Set 1: Code-Review-1\n\n(1 comment)","accounts_in_message":[],"_revision_number":1},{"id":"cafb98103ab7761b04898f30b906b085d73e9ffe","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2026-04-07 01:00:30.000000000","message":"Patch Set 1:\n\n(1 comment)","accounts_in_message":[],"_revision_number":1},{"id":"22dfd69e04189f57f9adb5bafb94154fcd65b86f","author":{"_account_id":1000050,"name":"Bluca","email":"luca.boccassi@gmail.com","username":"Bluca"},"date":"2026-04-07 10:26:12.000000000","message":"Patch Set 1:\n\n(2 comments)","accounts_in_message":[],"_revision_number":1},{"id":"8acdcd7315dadb2805fa98f03cc2cb91df3ca554","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2026-04-07 11:54:13.000000000","message":"Patch Set 1:\n\n(2 comments)","accounts_in_message":[],"_revision_number":1},{"id":"ec863163a91e4e7a8f420809e857c8c44d5b70e7","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000050,"name":"Bluca","email":"luca.boccassi@gmail.com","username":"Bluca"},"date":"2026-04-08 00:49:15.000000000","message":"Uploaded patch set 2.\n\nOutdated Votes:\n* Code-Review-1 (copy condition: \"changekind:NO_CHANGE OR changekind:TRIVIAL_REBASE OR is:MIN\")\n","accounts_in_message":[],"_revision_number":2},{"id":"3b98c9bf5489fa5eb86a3cbcc498c722ac2020ee","author":{"_account_id":1000050,"name":"Bluca","email":"luca.boccassi@gmail.com","username":"Bluca"},"date":"2026-04-08 00:54:40.000000000","message":"Patch Set 2:\n\n(2 comments)","accounts_in_message":[],"_revision_number":2},{"id":"06ea93871da9ac7d02c6800e67ecfca95fe7f4bc","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2026-04-08 01:42:01.000000000","message":"Patch Set 2:\n\n(2 comments)","accounts_in_message":[],"_revision_number":2},{"id":"672d2ede8a4c03e93da1d35092fca59877616499","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2026-04-08 02:07:43.000000000","message":"Patch Set 2: Code-Review-1\n\n(5 comments)","accounts_in_message":[],"_revision_number":2},{"id":"15f9c2c4b8e808b4c27c4445aebeb0facc44219f","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000050,"name":"Bluca","email":"luca.boccassi@gmail.com","username":"Bluca"},"date":"2026-04-09 01:08:10.000000000","message":"Uploaded patch set 3.\n\nOutdated Votes:\n* Code-Review-1 (copy condition: \"changekind:NO_CHANGE OR changekind:TRIVIAL_REBASE OR is:MIN\")\n","accounts_in_message":[],"_revision_number":3},{"id":"e8bca8de00f5f868a4f27ef5d33936bcfe753c05","author":{"_account_id":1000050,"name":"Bluca","email":"luca.boccassi@gmail.com","username":"Bluca"},"date":"2026-04-09 01:10:30.000000000","message":"Patch Set 2:\n\n(5 comments)","accounts_in_message":[],"_revision_number":2},{"id":"b791faf0fdb645f1493ef611f02a58ea579ba6c8","author":{"_account_id":1000050,"name":"Bluca","email":"luca.boccassi@gmail.com","username":"Bluca"},"date":"2026-04-09 01:10:57.000000000","message":"Patch Set 3:\n\n(1 comment)","accounts_in_message":[],"_revision_number":3}],"current_revision_number":3,"current_revision":"445a2f7726e49f062aa307f80c743935f40613a4","revisions":{"175292110206fbf3dec35b4a8a6450e2a8f2cf7f":{"kind":"REWORK","_number":1,"created":"2026-04-06 11:44:06.000000000","uploader":{"_account_id":1000050,"name":"Bluca","email":"luca.boccassi@gmail.com","username":"Bluca"},"ref":"refs/changes/22/1622/1","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/22/1622/1","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/22/1622/1 \u0026\u0026 git checkout -b change-1622 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/22/1622/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/22/1622/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/22/1622/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/22/1622/1","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/22/1622/1 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"49ff16dd54c5656eedf26194a9879ad90548a7a5","subject":"management: add base64 multi-line input for passwords"}],"author":{"name":"Luca Boccassi","email":"luca.boccassi@gmail.com","date":"2026-03-22 14:39:47.000000000","tz":0},"committer":{"name":"Luca Boccassi","email":"luca.boccassi@gmail.com","date":"2026-04-06 11:40:32.000000000","tz":60},"subject":"Add new helpers to handle key exchange (S_SENT_KEY/S_START) with large passwords","message":"Add new helpers to handle key exchange (S_SENT_KEY/S_START) with large passwords\n\nThe current key exchange uses an intermediate buffer hardcoded\nat 2048 bytes, that cannot handle anything longer, as it gets\nsilently truncated.\n\nThis breaks using JIT use-once tokens for authentications, that\nare becoming common in enterprise devices to reduce attack\nsurfaces, as the tokens are typically long JWT encoded strings.\n\nAdd new helpers that, instead of doing a single 2048 bytes\nread/write from/to the TLS layer, reads/writes all the available\ndata when doing the key method 2 exchange.\nOther stages of the protocol are unaffected. Note that this is\nan intermediary buffer, the TLS layer is already handling\nfragmented/reassembled frames appropriately, so there is no\non-the-wire difference, aside from letting the client send more\ndata.\n\nOlder servers will simply continue to truncate passwords longer\nthan the existing limit, as they are doing currently, so no\nincompatible changes, behaviour stays the same and current valid\npasswords are still valid when the new client uses them.\nWhen an old client talks to a new server, likewise there are no\nchanges, as the previous clients have the embedded limit, so all\nexisting passwords will continue to work.\n\nTested combinations:\n\nold client \u003c--\u003e new server\nnew client \u003c--\u003e old server\nnew client \u003c--\u003e new server\n\nWith the last combination, a large password can be used successfully.\nWith either an old server or old client, existing limits apply and\na clear error is shown in case one tries a password longer than the\nexisting limits.\n\nChange-Id: I055c64ca8b23066e70eea7d7deddfb14f5354c5f\nSigned-off-by: Luca Boccassi \u003cluca.boccassi@gmail.com\u003e\n"},"branch":"refs/heads/master"},"74d3e3d845b9be1f703a20f4b70e82cacae77682":{"kind":"REWORK","_number":2,"created":"2026-04-08 00:49:15.000000000","uploader":{"_account_id":1000050,"name":"Bluca","email":"luca.boccassi@gmail.com","username":"Bluca"},"ref":"refs/changes/22/1622/2","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/22/1622/2","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/22/1622/2 \u0026\u0026 git checkout -b change-1622 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/22/1622/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/22/1622/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/22/1622/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/22/1622/2","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/22/1622/2 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"798884d6df200c95b2c22de31860f3e35be617f7","subject":"test_buffer: Add test for buf_null_terminate"}],"author":{"name":"Luca Boccassi","email":"luca.boccassi@gmail.com","date":"2026-03-22 14:39:47.000000000","tz":0},"committer":{"name":"Luca Boccassi","email":"luca.boccassi@gmail.com","date":"2026-04-08 00:48:26.000000000","tz":60},"subject":"Add new helpers to handle key exchange (S_SENT_KEY/S_START) with large passwords","message":"Add new helpers to handle key exchange (S_SENT_KEY/S_START) with large passwords\n\nThe current key exchange uses an intermediate buffer hardcoded\nat 2048 bytes, that cannot handle anything longer, as it gets\nsilently truncated.\n\nThis breaks using JIT use-once tokens for authentications, that\nare becoming common in enterprise devices to reduce attack\nsurfaces, as the tokens are typically long JWT encoded strings.\n\nAdd new helpers that, instead of doing a single 2048 bytes\nread/write from/to the TLS layer, reads/writes all the available\ndata when doing the key method 2 exchange.\nOther stages of the protocol are unaffected. Note that this is\nan intermediary buffer, the TLS layer is already handling\nfragmented/reassembled frames appropriately, so there is no\non-the-wire difference, aside from letting the client send more\ndata.\n\nOlder servers will simply continue to truncate passwords longer\nthan the existing limit, as they are doing currently, so no\nincompatible changes, behaviour stays the same and current valid\npasswords are still valid when the new client uses them.\nWhen an old client talks to a new server, likewise there are no\nchanges, as the previous clients have the embedded limit, so all\nexisting passwords will continue to work.\n\nTested combinations:\n\nold client \u003c--\u003e new server\nnew client \u003c--\u003e old server\nnew client \u003c--\u003e new server\n\nWith the last combination, a large password can be used successfully.\nWith either an old server or old client, existing limits apply and\na clear error is shown in case one tries a password longer than the\nexisting limits.\n\nServers after a7f80d402f send a useful and clear error message.\nWith older servers the client will instead print a helpful error\nfor the user, to ensure a good UX in either case.\n\nChange-Id: I055c64ca8b23066e70eea7d7deddfb14f5354c5f\nSigned-off-by: Luca Boccassi \u003cluca.boccassi@gmail.com\u003e\n"},"branch":"refs/heads/master"},"445a2f7726e49f062aa307f80c743935f40613a4":{"kind":"REWORK","_number":3,"created":"2026-04-09 01:08:10.000000000","uploader":{"_account_id":1000050,"name":"Bluca","email":"luca.boccassi@gmail.com","username":"Bluca"},"ref":"refs/changes/22/1622/3","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/22/1622/3","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/22/1622/3 \u0026\u0026 git checkout -b change-1622 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/22/1622/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/22/1622/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/22/1622/3 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/22/1622/3","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/22/1622/3 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"1491fc8e05b01e65aba8b50499407d9af0424d69","subject":"Clarify operator precedence in a \u0026 b ? c : d"}],"author":{"name":"Luca Boccassi","email":"luca.boccassi@gmail.com","date":"2026-03-22 14:39:47.000000000","tz":0},"committer":{"name":"Luca Boccassi","email":"luca.boccassi@gmail.com","date":"2026-04-09 00:53:08.000000000","tz":60},"subject":"ssl: use TLS record-sized buffers for key method 2 exchange","message":"ssl: use TLS record-sized buffers for key method 2 exchange\n\nThe current key exchange uses plaintext_read_buf/plaintext_write_buf\n(sized at TLS_CHANNEL_BUF_SIZE, 2048 bytes) as intermediary buffers\nfor the key method 2 exchange. Passwords or tokens longer than\n~1900 bytes (after accounting for key material, options and peer\ninfo overhead) get silently truncated.\n\nThis breaks using JIT use-once tokens for authentication, which are\nbecoming common in enterprise setups. These tokens are typically\nlong JWT-encoded strings that exceed the 2048-byte buffer.\n\nInstead of increasing TLS_CHANNEL_BUF_SIZE (which would change the\ncontrol channel framing and require both endpoints to be updated),\nintroduce separate key_method_send_buf and key_method_recv_buf\nbuffers in key_state, sized at TLS_RECORD_MAX_SIZE (16384 bytes,\nthe maximum plaintext payload of a single TLS record).\n\nOn the write side, key_method_2_write() assembles the full payload\ninto the 16 KB buffer, which is then passed to the TLS library via\na single key_state_write_plaintext() call. The TLS library creates\none TLS record, and the existing write_outgoing_tls_ciphertext()\nalready splits the resulting ciphertext into properly-sized reliable\ntransport packets.\n\nOn the read side, a single key_state_read_plaintext() call reads\ninto the 16 KB buffer. Since SSL_read/BIO_read returns one TLS\nrecord worth of data per call, this preserves the one-read-per-\nmessage framing assumption used throughout OpenVPN.\n\nAll other control channel messages (push, CR_RESPONSE, etc.)\ncontinue to use the original 2048-byte plaintext_read/write_buf.\n\nWhen the key exchange payload exceeds TLS_CHANNEL_BUF_SIZE and the\nconnection subsequently fails (state never reaches S_ACTIVE), a\ndiagnostic message is printed at key_state teardown to help the\nuser identify that the server may not support large payloads.\n\nProtocol compatibility:\n- old client \u003c-\u003e new server: no change, old limits apply\n- new client \u003c-\u003e old server: large passwords will cause the old\n  server to truncate/fail; a clear error message is shown\n- new client \u003c-\u003e new server: large passwords work\n\nChange-Id: I055c64ca8b23066e70eea7d7deddfb14f5354c5f\nSigned-off-by: Luca Boccassi \u003cluca.boccassi@gmail.com\u003e\n"},"branch":"refs/heads/master"}},"requirements":[{"status":"NOT_READY","fallback_text":"All required checks must pass","type":"checks_pass"}],"submit_records":[{"rule_name":"gerrit~DefaultSubmitRule","status":"NOT_READY","labels":[{"label":"Code-Review","status":"NEED"}]},{"rule_name":"checks~ChecksSubmitRule","status":"NOT_READY","requirements":[{"status":"NOT_READY","fallback_text":"All required checks must pass","type":"checks_pass"}]}],"submit_requirements":[{"name":"Code-Review","status":"UNSATISFIED","is_legacy":true,"submittability_expression_result":{"expression":"label:Code-Review\u003dMAX -label:Code-Review\u003dMIN","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["label:Code-Review\u003dMAX","-label:Code-Review\u003dMIN"]}},{"name":"checks~ChecksSubmitRule","status":"UNSATISFIED","is_legacy":true,"submittability_expression_result":{"expression":"rule:checks~ChecksSubmitRule","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["checks~ChecksSubmitRule"]}}]}