Hi,

On Mon, Aug 22, 2022 at 11:56:47AM +0300, Lev Stipakov wrote:
> From: Antonio Quartulli <[email protected]>
>
> With this change it is possible to use ovpn-dco-win when running OpenVPN
> in client or P2P mode.
>
> Signed-off-by: Arne Schwabe <[email protected]>
> Signed-off-by: Lev Stipakov <[email protected]>
> Signed-off-by: Antonio Quartulli <[email protected]>
> ---
> Changes from v102:
> * use "windows-driver ovpn-dco" without trailing "-win", since
>   "windows" is already implied by option name.

I have received sufficient test reports to be happy about it. The change
for v102 makes sense.

Alas, there is one change in v101 that I initiated which I'm now no
longer happy about:

> @@ -3434,6 +3436,10 @@ options_postprocess_setdefault_ncpciphers(struct
> options *o)
> /* custom --data-ciphers set, keep list */
> return;
> }
> + else if (dco_enabled(o))
> + {
> + o->ncp_ciphers = dco_get_supported_ciphers();
> + }
> else if (cipher_valid("CHACHA20-POLY1305"))
> {
> o->ncp_ciphers = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305";
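
Review bot: the new else-if branch on dco_enabled(o) stores the return value of dco_get_supported_ciphers() directly in o->ncp_ciphers, and nothing in the hunk states how long that string must stay valid. A short comment saying that every DCO backend has to return a string that lives as long as the options do (or copying the value into storage owned by the options) would make that contract explicit.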

This change does the right thing for DCO-enabled *Windows* builds, but
it does bad things for DCO-enabled FreeBSD, because of

    const char *
    dco_get_supported_ciphers()
    {
        return "none:AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305";
    }

in dco_freebsd.c - so with the above change, we'd advertise "NONE!" as
a cipher we're willing to accept. Which is a hard no for the *default*
setting...

I still think using dco_get_supported_ciphers() to set the default
on Windows is a good idea (because "no none" there) - so I'd suggest
to do this:

> +#ifdef _WIN32
> + /* CHACHA-POLY availability on DCO for Windows depends on system wide
> + * availability -> query DCO layer for default --data-ciphers set
> + */
> + else if (dco_enabled(o))
> + {
> + o->ncp_ciphers = dco_get_supported_ciphers();
> + }
> +#endif
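
Review bot: the #ifdef _WIN32 guard around the dco_enabled(o) branch keeps "none" out of the default by platform, not by content, so the assignment to o->ncp_ciphers still trusts whatever dco_get_supported_ciphers() returns on Windows. Consider extending the comment to state that the returned list must never contain "none", or dropping that entry before the assignment, so the default stays safe if the backend list changes later.
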
sorry for adding more complications.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
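
The concern in the mail above is that a default taken from a DCO backend's supported-cipher list can carry "none". As an added example (not part of the original mail and not OpenVPN code), the hypothetical helper default_ciphers_without_none() filters such a colon-separated list before it is used as a default; the function name, the caller-supplied buffer and the case-insensitive match are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* True if the token tok[0..len) is "none", ignoring case (assumption:
 * match case-insensitively to stay on the safe side). */
static bool token_is_none(const char *tok, size_t len)
{
    static const char none[] = "none";
    if (len != sizeof(none) - 1) {
        return false;
    }
    for (size_t i = 0; i < len; i++) {
        if (tolower((unsigned char)tok[i]) != none[i]) {
            return false;
        }
    }
    return true;
}

/* Hypothetical helper, not an OpenVPN function: copy the colon-separated
 * list `supported` into `out`, dropping "none" and empty entries.
 * Returns false if `out` is too small or no cipher is left, so the caller
 * can keep its built-in default rather than advertise an empty list. */
bool default_ciphers_without_none(const char *supported, char *out, size_t outlen)
{
    size_t used = 0;
    for (const char *p = supported; *p != '\0'; p += (*p == ':')) {
        size_t len = strcspn(p, ":");
        if (len > 0 && !token_is_none(p, len)) {
            size_t sep = (used > 0) ? 1 : 0;
            if (used + sep + len + 1 > outlen) {
                return false;
            }
            if (sep) {
                out[used++] = ':';
            }
            memcpy(out + used, p, len);
            used += len;
        }
        p += len;
    }
    if (used == 0) {
        return false;
    }
    out[used] = '\0';
    return true;
}
```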
