)]}'
{"id":"openvpn~1750","triplet_id":"openvpn~master~I1f9d7b5a5ec19bf77c0c212795f583c5ba4c03ac","project":"openvpn","branch":"master","attention_set":{"1000003":{"account":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"last_update":"2026-06-29 07:58:39.000000000","reason":"Reviewer was added"}},"removed_from_attention_set":{},"hashtags":[],"change_id":"I1f9d7b5a5ec19bf77c0c212795f583c5ba4c03ac","subject":"oob: Wrap the client SERVER_PROBE with tls-auth/tls-crypt","status":"NEW","created":"2026-06-29 07:58:31.000000000","updated":"2026-07-02 12:30:33.000000000","submit_type":"CHERRY_PICK","submittable":false,"total_comment_count":0,"unresolved_comment_count":0,"has_review_started":true,"meta_rev_id":"7b85766775d16e75af8e5df4f517dce9614463d2","_number":1750,"virtual_id_number":1750,"owner":{"_account_id":1000008,"name":"stipa","display_name":"Lev Stipakov","email":"lstipakov@gmail.com","username":"stipa"},"actions":{},"labels":{"Code-Review":{"all":[{"value":0,"permitted_voting_range":{"min":-2,"max":2},"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"}],"values":{"-2":"This shall not be submitted","-1":"I would prefer this is not submitted as is"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me, approved"},"description":"","default_value":0}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"}],"CC":[{"_account_id":1000026,"name":"openvpn-devel","email":"openvpn-devel@lists.sourceforge.net","username":"openvpn-devel"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2026-06-29 07:58:39.000000000","updated_by":{"_account_id":1000008,"name":"stipa","display_name":"Lev Stipakov","email":"lstipakov@gmail.com","username":"stipa"},"reviewer":{"_account_id":1000026,"name":"openvpn-devel","email":"openvpn-devel@lists.sourceforge.net","username":"openvpn-devel"},"state":"CC"},{"updated":"2026-06-29 07:58:39.000000000","updated_by":{"_account_id":1000008,"name":"stipa","display_name":"Lev Stipakov","email":"lstipakov@gmail.com","username":"stipa"},"reviewer":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"state":"REVIEWER"}],"messages":[{"id":"f0cbb925b82d77515db2a8dc4a0db6446b316f02","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000008,"name":"stipa","display_name":"Lev Stipakov","email":"lstipakov@gmail.com","username":"stipa"},"date":"2026-06-29 07:58:31.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"196d00bd9daa6ae329bf115eca7b351ecda18678","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000008,"name":"stipa","display_name":"Lev Stipakov","email":"lstipakov@gmail.com","username":"stipa"},"date":"2026-06-29 12:08:26.000000000","message":"Uploaded patch set 2: Patch Set 1 was rebased.","accounts_in_message":[],"_revision_number":2},{"id":"318055cd80c32475d5d1d3c7cf4a152086d3c5cd","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000008,"name":"stipa","display_name":"Lev Stipakov","email":"lstipakov@gmail.com","username":"stipa"},"date":"2026-06-29 12:37:47.000000000","message":"Uploaded patch set 3: Patch Set 2 was rebased.","accounts_in_message":[],"_revision_number":3},{"id":"7b85766775d16e75af8e5df4f517dce9614463d2","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000008,"name":"stipa","display_name":"Lev Stipakov","email":"lstipakov@gmail.com","username":"stipa"},"date":"2026-07-02 12:30:33.000000000","message":"Uploaded patch set 4: Patch Set 3 was rebased.","accounts_in_message":[],"_revision_number":4}],"current_revision_number":4,"current_revision":"35d1eb7016e383b3926210b997e27bd4753eed21","revisions":{"12f4da05d164693c6888eafa9b272cfdd329b77e":{"kind":"REWORK","_number":1,"created":"2026-06-29 07:58:31.000000000","uploader":{"_account_id":1000008,"name":"stipa","display_name":"Lev Stipakov","email":"lstipakov@gmail.com","username":"stipa"},"ref":"refs/changes/50/1750/1","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/50/1750/1","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/50/1750/1 \u0026\u0026 git checkout -b change-1750 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/50/1750/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/50/1750/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/50/1750/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/50/1750/1","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/50/1750/1 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"3c9d06f404680f612acaf7e9bc1f71b34fca7179","subject":"oob: Extract init_tls_wrap_ctx() control-channel wrap helper"}],"author":{"name":"Lev Stipakov","email":"lev@openvpn.net","date":"2026-06-23 07:16:15.000000000","tz":180},"committer":{"name":"Lev Stipakov","email":"lev@openvpn.net","date":"2026-06-29 07:58:03.000000000","tz":180},"subject":"oob: Wrap the client SERVER_PROBE with tls-auth/tls-crypt","message":"oob: Wrap the client SERVER_PROBE with tls-auth/tls-crypt\n\nThe client --server-probe previously sent a plaintext SERVER_PROBE and\nparsed replies by hand, so it only worked against a server with no\ncontrol-channel wrapping. Build a standalone wrapping context for the\nprobe (mirroring the server\u0027s tls_auth_standalone) and route both the\noutgoing probe and the incoming replies through the same control-channel\npath the rest of the code uses:\n\n  - tls_wrap_oob_standalone() wraps the probe payload, applying the\n    tls-auth HMAC or tls-crypt encryption (or nothing, when neither is\n    configured).\n  - read_control_auth() unwraps each reply, verifying the HMAC /\n    decrypting and stripping the opcode + session id, on a per-packet\n    copy of the wrapping context (as tls_pre_decrypt_lite() does).\n\nWith neither tls-auth nor tls-crypt configured the context stays in\nTLS_WRAP_NONE and the on-wire probe is byte-for-byte identical to before,\nso the plaintext case is unchanged.\n\ntls-crypt-v2 is not supported yet: the server only learns the client key\nfrom the WKc carried in the TLS handshake, which an out-of-band probe\ncannot provide. Such configurations skip probing and keep the configured\nremote order.\n\nChange-Id: I1f9d7b5a5ec19bf77c0c212795f583c5ba4c03ac\nSigned-off-by: Lev Stipakov \u003clev@openvpn.net\u003e\n"},"branch":"refs/heads/master"},"6a3bf7c29972a35367a7d971181e56750a3d7b9d":{"kind":"TRIVIAL_REBASE","_number":2,"created":"2026-06-29 12:08:26.000000000","uploader":{"_account_id":1000008,"name":"stipa","display_name":"Lev Stipakov","email":"lstipakov@gmail.com","username":"stipa"},"ref":"refs/changes/50/1750/2","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/50/1750/2","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/50/1750/2 \u0026\u0026 git checkout -b change-1750 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/50/1750/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/50/1750/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/50/1750/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/50/1750/2","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/50/1750/2 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"9760ca98da2c9413eab663f46ace226e6057b1ff","subject":"oob: Extract init_tls_wrap_ctx() control-channel wrap helper"}],"author":{"name":"Lev Stipakov","email":"lev@openvpn.net","date":"2026-06-23 07:16:15.000000000","tz":180},"committer":{"name":"Lev Stipakov","email":"lev@openvpn.net","date":"2026-06-29 11:45:13.000000000","tz":180},"subject":"oob: Wrap the client SERVER_PROBE with tls-auth/tls-crypt","message":"oob: Wrap the client SERVER_PROBE with tls-auth/tls-crypt\n\nThe client --server-probe previously sent a plaintext SERVER_PROBE and\nparsed replies by hand, so it only worked against a server with no\ncontrol-channel wrapping. Build a standalone wrapping context for the\nprobe (mirroring the server\u0027s tls_auth_standalone) and route both the\noutgoing probe and the incoming replies through the same control-channel\npath the rest of the code uses:\n\n  - tls_wrap_oob_standalone() wraps the probe payload, applying the\n    tls-auth HMAC or tls-crypt encryption (or nothing, when neither is\n    configured).\n  - read_control_auth() unwraps each reply, verifying the HMAC /\n    decrypting and stripping the opcode + session id, on a per-packet\n    copy of the wrapping context (as tls_pre_decrypt_lite() does).\n\nWith neither tls-auth nor tls-crypt configured the context stays in\nTLS_WRAP_NONE and the on-wire probe is byte-for-byte identical to before,\nso the plaintext case is unchanged.\n\ntls-crypt-v2 is not supported yet: the server only learns the client key\nfrom the WKc carried in the TLS handshake, which an out-of-band probe\ncannot provide. Such configurations skip probing and keep the configured\nremote order.\n\nChange-Id: I1f9d7b5a5ec19bf77c0c212795f583c5ba4c03ac\nSigned-off-by: Lev Stipakov \u003clev@openvpn.net\u003e\n"},"branch":"refs/heads/master"},"6a79f04723e88b7018a6496c2fe83b87e498e3ed":{"kind":"TRIVIAL_REBASE","_number":3,"created":"2026-06-29 12:37:47.000000000","uploader":{"_account_id":1000008,"name":"stipa","display_name":"Lev Stipakov","email":"lstipakov@gmail.com","username":"stipa"},"ref":"refs/changes/50/1750/3","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/50/1750/3","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/50/1750/3 \u0026\u0026 git checkout -b change-1750 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/50/1750/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/50/1750/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/50/1750/3 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/50/1750/3","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/50/1750/3 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"637774cfce1046c89940e0cbab8cebe2c82af9f9","subject":"oob: Extract init_tls_wrap_ctx() control-channel wrap helper"}],"author":{"name":"Lev Stipakov","email":"lev@openvpn.net","date":"2026-06-23 07:16:15.000000000","tz":180},"committer":{"name":"Lev Stipakov","email":"lev@openvpn.net","date":"2026-06-29 12:32:06.000000000","tz":180},"subject":"oob: Wrap the client SERVER_PROBE with tls-auth/tls-crypt","message":"oob: Wrap the client SERVER_PROBE with tls-auth/tls-crypt\n\nThe client --server-probe previously sent a plaintext SERVER_PROBE and\nparsed replies by hand, so it only worked against a server with no\ncontrol-channel wrapping. Build a standalone wrapping context for the\nprobe (mirroring the server\u0027s tls_auth_standalone) and route both the\noutgoing probe and the incoming replies through the same control-channel\npath the rest of the code uses:\n\n  - tls_wrap_oob_standalone() wraps the probe payload, applying the\n    tls-auth HMAC or tls-crypt encryption (or nothing, when neither is\n    configured).\n  - read_control_auth() unwraps each reply, verifying the HMAC /\n    decrypting and stripping the opcode + session id, on a per-packet\n    copy of the wrapping context (as tls_pre_decrypt_lite() does).\n\nWith neither tls-auth nor tls-crypt configured the context stays in\nTLS_WRAP_NONE and the on-wire probe is byte-for-byte identical to before,\nso the plaintext case is unchanged.\n\ntls-crypt-v2 is not supported yet: the server only learns the client key\nfrom the WKc carried in the TLS handshake, which an out-of-band probe\ncannot provide. Such configurations skip probing and keep the configured\nremote order.\n\nChange-Id: I1f9d7b5a5ec19bf77c0c212795f583c5ba4c03ac\nSigned-off-by: Lev Stipakov \u003clev@openvpn.net\u003e\n"},"branch":"refs/heads/master"},"35d1eb7016e383b3926210b997e27bd4753eed21":{"kind":"TRIVIAL_REBASE","_number":4,"created":"2026-07-02 12:30:33.000000000","uploader":{"_account_id":1000008,"name":"stipa","display_name":"Lev Stipakov","email":"lstipakov@gmail.com","username":"stipa"},"ref":"refs/changes/50/1750/4","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/50/1750/4","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/50/1750/4 \u0026\u0026 git checkout -b change-1750 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/50/1750/4 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/50/1750/4 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/50/1750/4 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/50/1750/4","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/50/1750/4 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"d98910685128fd6f92b5bd95e180082a92b4e84f","subject":"oob: Extract init_tls_wrap_ctx() control-channel wrap helper"}],"author":{"name":"Lev Stipakov","email":"lev@openvpn.net","date":"2026-06-23 07:16:15.000000000","tz":180},"committer":{"name":"Lev Stipakov","email":"lev@openvpn.net","date":"2026-07-02 12:11:49.000000000","tz":180},"subject":"oob: Wrap the client SERVER_PROBE with tls-auth/tls-crypt","message":"oob: Wrap the client SERVER_PROBE with tls-auth/tls-crypt\n\nThe client --server-probe previously sent a plaintext SERVER_PROBE and\nparsed replies by hand, so it only worked against a server with no\ncontrol-channel wrapping. Build a standalone wrapping context for the\nprobe (mirroring the server\u0027s tls_auth_standalone) and route both the\noutgoing probe and the incoming replies through the same control-channel\npath the rest of the code uses:\n\n  - tls_wrap_oob_standalone() wraps the probe payload, applying the\n    tls-auth HMAC or tls-crypt encryption (or nothing, when neither is\n    configured).\n  - read_control_auth() unwraps each reply, verifying the HMAC /\n    decrypting and stripping the opcode + session id, on a per-packet\n    copy of the wrapping context (as tls_pre_decrypt_lite() does).\n\nWith neither tls-auth nor tls-crypt configured the context stays in\nTLS_WRAP_NONE and the on-wire probe is byte-for-byte identical to before,\nso the plaintext case is unchanged.\n\ntls-crypt-v2 is not supported yet: the server only learns the client key\nfrom the WKc carried in the TLS handshake, which an out-of-band probe\ncannot provide. Such configurations skip probing and keep the configured\nremote order.\n\nChange-Id: I1f9d7b5a5ec19bf77c0c212795f583c5ba4c03ac\nSigned-off-by: Lev Stipakov \u003clev@openvpn.net\u003e\n"},"branch":"refs/heads/master"}},"requirements":[{"status":"NOT_READY","fallback_text":"All required checks must pass","type":"checks_pass"}],"submit_records":[{"rule_name":"gerrit~DefaultSubmitRule","status":"NOT_READY","labels":[{"label":"Code-Review","status":"NEED"}]},{"rule_name":"checks~ChecksSubmitRule","status":"NOT_READY","requirements":[{"status":"NOT_READY","fallback_text":"All required checks must pass","type":"checks_pass"}]}],"submit_requirements":[{"name":"Code-Review","status":"UNSATISFIED","is_legacy":true,"submittability_expression_result":{"expression":"label:Code-Review\u003dMAX -label:Code-Review\u003dMIN","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["label:Code-Review\u003dMAX","-label:Code-Review\u003dMIN"]}},{"name":"checks~ChecksSubmitRule","status":"UNSATISFIED","is_legacy":true,"submittability_expression_result":{"expression":"rule:checks~ChecksSubmitRule","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["checks~ChecksSubmitRule"]}}]}
