Re: [Openvpn-devel] [PATCH] Use P_DATA_V2 for server->client packets too

2017-11-12 Thread Antonio Quartulli 
Hi,

On 12/11/17 00:03, Steffan Karger wrote:
> P_DATA_V2 introduced the peer-id.  This allows clients to float, but as a
> side-effect 32-bit aligns the encrypted data.  That alignment improves
> performance particularly on cheaper/older CPUs.  So although servers don't
> actually have a peer-id, still use the V2 packet format (with a zero-id)
> for server->client traffic too.
> 
> Signed-off-by: Steffan Karger 
> ---
>  src/openvpn/forward.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
> index 1b7455bb..20e89d34 100644
> --- a/src/openvpn/forward.c
> +++ b/src/openvpn/forward.c
> @@ -496,7 +496,7 @@ encrypt_sign(struct context *c, bool comp_frag)
>  /* If using P_DATA_V2, prepend the 1-byte opcode and 3-byte peer-id 
> to the
>   * packet before openvpn_encrypt(), so we can authenticate the 
> opcode too.
>   */
> -if (c->c2.buf.len > 0 && !c->c2.tls_multi->opt.server && 
> c->c2.tls_multi->use_peer_id)
> +if (c->c2.buf.len > 0 && c->c2.tls_multi->use_peer_id)
>  {
>  tls_prepend_opcode_v2(c->c2.tls_multi, >encrypt_buf);
>  }

NAK.
Although the patch looks good and easy, it is actually missing an
important part: c->c2.tls_multi->use_peer_id is never set to true on the
server.

This should probably happen after parsing "IV_PROTO=" in
prepare_push_reply().


Cheers,

-- 
Antonio Quartulli



signature.asc
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH] Use P_DATA_V2 for server->client packets too

2017-11-11 Thread Steffan Karger 
P_DATA_V2 introduced the peer-id.  This allows clients to float, but as a
side-effect 32-bit aligns the encrypted data.  That alignment improves
performance particularly on cheaper/older CPUs.  So although servers don't
actually have a peer-id, still use the V2 packet format (with a zero-id)
for server->client traffic too.

Signed-off-by: Steffan Karger 
---
 src/openvpn/forward.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 1b7455bb..20e89d34 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -496,7 +496,7 @@ encrypt_sign(struct context *c, bool comp_frag)
 /* If using P_DATA_V2, prepend the 1-byte opcode and 3-byte peer-id to 
the
  * packet before openvpn_encrypt(), so we can authenticate the opcode 
too.
  */
-if (c->c2.buf.len > 0 && !c->c2.tls_multi->opt.server && 
c->c2.tls_multi->use_peer_id)
+if (c->c2.buf.len > 0 && c->c2.tls_multi->use_peer_id)
 {
 tls_prepend_opcode_v2(c->c2.tls_multi, >encrypt_buf);
 }
-- 
2.14.1


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel