Hi,
On 12/11/17 00:03, Steffan Karger wrote:
> P_DATA_V2 introduced the peer-id. This allows clients to float, but as a
> side-effect 32-bit aligns the encrypted data. That alignment improves
> performance particularly on cheaper/older CPUs. So although servers don't
> actually have a peer-id, still use the V2 packet format (with a zero-id)
> for server->client traffic too.
>
> Signed-off-by: Steffan Karger
> ---
> src/openvpn/forward.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
> index 1b7455bb..20e89d34 100644
> --- a/src/openvpn/forward.c
> +++ b/src/openvpn/forward.c
> @@ -496,7 +496,7 @@ encrypt_sign(struct context *c, bool comp_frag)
> /* If using P_DATA_V2, prepend the 1-byte opcode and 3-byte peer-id
> to the
> * packet before openvpn_encrypt(), so we can authenticate the
> opcode too.
> */
> -if (c->c2.buf.len > 0 && !c->c2.tls_multi->opt.server &&
> c->c2.tls_multi->use_peer_id)
> +if (c->c2.buf.len > 0 && c->c2.tls_multi->use_peer_id)
> {
> tls_prepend_opcode_v2(c->c2.tls_multi, >encrypt_buf);
> }
NAK.
Although the patch looks good and easy, it is actually missing an
important part: c->c2.tls_multi->use_peer_id is never set to true on the
server.
This should probably happen after parsing "IV_PROTO=" in
prepare_push_reply().
Cheers,
--
Antonio Quartulli
signature.asc
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel