From patchwork Sun Nov 12 06:22:37 2017
X-Patchwork-Submitter: Steffan Karger
X-Patchwork-Id: 78
From: Steffan Karger
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 12 Nov 2017 18:22:37 +0100
Message-Id: <20171112172237.8285-1-steffan@karger.me>
X-Mailer: git-send-email 2.14.1
Subject: [Openvpn-devel] [PATCH v2] Use P_DATA_V2 for server->client packets too

P_DATA_V2 introduced the peer-id. This allows clients to float, but as a
side-effect 32-bit aligns the encrypted data. That alignment improves
performance particularly on cheaper/older CPUs. So although servers don't
actually have a peer-id, still use the V2 packet format (with a zero-id)
for server->client traffic too.

Signed-off-by: Steffan Karger
Acked-by: Antonio Quartulli
---
v2: actually enable P_DATA_V2... Now tested with: 2.4<>2.4 (V2),
2.4-srv<>2.3-clt (V2), 2.3-srv<>2.4-clt (V1), 2.4-srv<>2.2-clt (V1)

 src/openvpn/forward.c | 4 ++--
 src/openvpn/push.c    | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 1b7455bb..a868a8ff 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -496,7 +496,7 @@ encrypt_sign(struct context *c, bool comp_frag) /* If using P_DATA_V2, prepend the 1-byte opcode and 3-byte peer-id to the * packet before openvpn_encrypt(), so we can authenticate the opcode too. */ - if (c->c2.buf.len > 0 && !c->c2.tls_multi->opt.server && c->c2.tls_multi->use_peer_id) + if (c->c2.buf.len > 0 && c->c2.tls_multi->use_peer_id) { tls_prepend_opcode_v2(c->c2.tls_multi, &b->encrypt_buf); } @@ -512,7 +512,7 @@ encrypt_sign(struct context *c, bool comp_frag) /* Do packet administration */ if (c->c2.tls_multi) { - if (c->c2.buf.len > 0 && (c->c2.tls_multi->opt.server || !c->c2.tls_multi->use_peer_id)) + if (c->c2.buf.len > 0 && !c->c2.tls_multi->use_peer_id) { tls_prepend_opcode_v1(c->c2.tls_multi, &c->c2.buf); } diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 5947a31f..16a4101f 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -366,6 +366,7 @@ prepare_push_reply(struct context *c, struct gc_arena *gc, push_option_fmt(gc, push_list, M_USAGE, "peer-id %d", tls_multi->peer_id); } + tls_multi->use_peer_id = true; } /* Push cipher if client supports Negotiable Crypto Parameters */
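Review bot: with `!c->c2.tls_multi->opt.server` dropped from the condition in the `@@ -496` hunk of forward.c, a server now prepends the V2 opcode for every client whose tls_multi has `use_peer_id` set, so correctness rests entirely on that flag being set only for clients that were actually pushed a `peer-id`; a client that never received one would get P_DATA_V2 packets it has no reason to expect. Since `use_peer_id` was until now only meaningful on the client side, please extend the comment above the check (or the commit message) to state what the flag means on a server-side tls_multi. The commit message also says the server uses a "zero-id", but the hunk simply calls `tls_prepend_opcode_v2(c->c2.tls_multi, &b->encrypt_buf)` for both roles, so please confirm that is what actually goes on the wire for a server multi and word the message to match.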
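Review bot: the V1 condition in the `@@ -512` hunk of forward.c is now the exact complement of the V2 one (`use_peer_id` versus `!use_peer_id`, both gated on `c->c2.buf.len > 0`), and that complementarity is what guarantees each data packet gets exactly one opcode prepended. With `opt.server` gone from both sites the invariant is easy to break by editing one site and not the other; a one-line comment here saying this must mirror the check before `openvpn_encrypt()`, or a single small helper that decides which opcode to use and is called from both places, would make that explicit.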
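Review bot: in the push.c hunk the added `tls_multi->use_peer_id = true;` sits after one closing brace and before another, so from the visible context it lands outside the innermost block that calls `push_option_fmt(gc, push_list, M_USAGE, "peer-id %d", tls_multi->peer_id);`. If that inner block is the one deciding whether the client is pushed a peer-id at all, the flag is set whenever the enclosing block is entered, and the server would then send P_DATA_V2 to a client that was never told its peer-id. Either move the assignment directly after the `push_option_fmt()` call, inside the same braces, or state in the commit message why setting it one level up is intended.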