From patchwork Fri Nov 24 02:58:23 2017
X-Patchwork-Submitter: Steffan Karger
X-Patchwork-Id: 93
From: Steffan Karger
Date: Fri, 24 Nov 2017 14:58:23 +0100
Message-ID: <1511531903-19349-1-git-send-email-steffan.karger@fox-it.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <20171124130640.GK631@greenie.muc.de>
References: <20171124130640.GK631@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v3] Use P_DATA_V2 for server->client packets too

From: Steffan Karger

P_DATA_V2 introduced the peer-id. This allows clients to float, but as a
side-effect 32-bit aligns the encrypted data. That alignment improves
performance, particularly on cheaper/older CPUs. So although servers don't
actually have a peer-id, still use the V2 packet format (with a zero-id)
for server->client traffic too.

Signed-off-by: Steffan Karger
---
v2: actually enable P_DATA_V2...
    Now tested with: 2.4<>2.4 (V2), 2.4-srv<>2.3-clt (V2), 2.3-srv<>2.4-clt (V1),
    2.4-srv<>2.2-clt (V1)
v3: move "use_peer_id = true" inside "if IV_PROTO >= 2" (thanks Gert)

 src/openvpn/forward.c | 4 ++--
 src/openvpn/push.c    | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 1b7455b..a868a8f 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -496,7 +496,7 @@ encrypt_sign(struct context *c, bool comp_frag) /* If using P_DATA_V2, prepend the 1-byte opcode and 3-byte peer-id to the * packet before openvpn_encrypt(), so we can authenticate the opcode too. */ - if (c->c2.buf.len > 0 && !c->c2.tls_multi->opt.server && c->c2.tls_multi->use_peer_id) + if (c->c2.buf.len > 0 && c->c2.tls_multi->use_peer_id) { tls_prepend_opcode_v2(c->c2.tls_multi, &b->encrypt_buf); } @@ -512,7 +512,7 @@ encrypt_sign(struct context *c, bool comp_frag) /* Do packet administration */ if (c->c2.tls_multi) { - if (c->c2.buf.len > 0 && (c->c2.tls_multi->opt.server || !c->c2.tls_multi->use_peer_id)) + if (c->c2.buf.len > 0 && !c->c2.tls_multi->use_peer_id) { tls_prepend_opcode_v1(c->c2.tls_multi, &c->c2.buf); } diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 5947a31..e7aecbb 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -365,6 +365,7 @@ prepare_push_reply(struct context *c, struct gc_arena *gc, { push_option_fmt(gc, push_list, M_USAGE, "peer-id %d", tls_multi->peer_id); + tls_multi->use_peer_id = true; } }
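Review bot: in the first forward.c hunk (the `tls_prepend_opcode_v2` condition at -496), dropping `!c->c2.tls_multi->opt.server` means the server now emits the 3-byte peer-id field from its own `tls_multi`, and the push.c hunk shows that on the server `tls_multi->peer_id` holds the client's assigned id (it is the value formatted into `peer-id %d`). If `tls_prepend_opcode_v2()` writes `multi->peer_id` into the header, server->client packets will carry the client's id rather than the "zero-id" the commit message describes. Either correct the commit message, or extend the comment above the condition ("prepend the 1-byte opcode and 3-byte peer-id") to say which value the server sends in that field and what the client is expected to do with it.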
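Review bot: the second forward.c hunk (the `tls_prepend_opcode_v1` condition at -512) is now the exact complement of the V2 condition in the previous hunk, both keyed only on `c->c2.tls_multi->use_peer_id`, so each packet gets exactly one opcode header only as long as nobody edits one condition without the other. A one-line comment here pointing at the V2 site, or a single `if (use_peer_id) ... else ...` around both prepend calls, would stop the two sites from drifting apart. Note also that this branch sits under `if (c->c2.tls_multi)` while the V2 condition dereferences `c->c2.tls_multi` with no guard visible in the hunk; that asymmetry predates this patch (the removed `opt.server` test dereferenced it too), but if the V2 site is not under an equivalent guard it is worth a look.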
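Review bot: in the push.c hunk, `tls_multi->use_peer_id = true;` is set when the push reply is prepared, which per the v3 changelog is inside the `IV_PROTO >= 2` branch, so the server may start sending P_DATA_V2 before the client has processed the PUSH_REPLY that carries its peer-id. That is safe only if a client that advertised IV_PROTO >= 2 accepts V2 data packets regardless of whether it has a peer-id yet; please state that assumption in a comment next to the assignment, because on the server the flag's name now means "this peer accepts P_DATA_V2" rather than "we have a peer-id", and nothing in forward.c explains that.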
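The patch turns on the 4-byte P_DATA_V2 header for server->client packets so that the ciphertext starts 32-bit aligned instead of one byte in. The following is an added example, not OpenVPN's code, that builds and parses both the one-byte P_DATA_V1 header and the four-byte P_DATA_V2 header (opcode and key_id in the top byte, 24-bit peer-id below it) and reports the resulting payload misalignment. The opcode numbers and bit layout (P_DATA_V1 = 6, P_DATA_V2 = 9, opcode in the top 5 bits, key_id in the low 3) are assumed from OpenVPN's ssl.h; they are not stated on this page.

```c
/* Added example (not OpenVPN's own code): P_DATA_V1 vs P_DATA_V2 data-channel
 * headers and the alignment effect the patch above relies on.
 * Constants below are assumed from OpenVPN's ssl.h, not from this page. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define P_DATA_V1       6       /* assumed: 1-byte data header */
#define P_DATA_V2       9       /* assumed: 4-byte data header with peer-id */
#define P_OPCODE_SHIFT  3       /* assumed: opcode above a 3-bit key_id */
#define P_KEY_ID_MASK   0x07
#define PEER_ID_MASK    0xFFFFFFu

struct data_hdr {
    int      opcode;   /* P_DATA_V1 or P_DATA_V2 */
    int      key_id;   /* 0..7 */
    uint32_t peer_id;  /* 24-bit; only present in V2 */
    size_t   len;      /* header length: 1 or 4 bytes */
};

/* V1: a single byte, (opcode << 3) | key_id. Payload starts at offset 1. */
static size_t write_v1(uint8_t *out, int key_id)
{
    out[0] = (uint8_t)((P_DATA_V1 << P_OPCODE_SHIFT) | (key_id & P_KEY_ID_MASK));
    return 1;
}

/* V2: same first byte, then the 24-bit peer-id big-endian. Payload starts at
 * offset 4, i.e. 32-bit aligned when the packet buffer itself is aligned. */
static size_t write_v2(uint8_t *out, int key_id, uint32_t peer_id)
{
    uint32_t w = ((uint32_t)((P_DATA_V2 << P_OPCODE_SHIFT) | (key_id & P_KEY_ID_MASK)) << 24)
               | (peer_id & PEER_ID_MASK);
    out[0] = (uint8_t)(w >> 24);
    out[1] = (uint8_t)(w >> 16);
    out[2] = (uint8_t)(w >> 8);
    out[3] = (uint8_t)(w);
    return 4;
}

/* Parse whichever data header is at the front of a received packet.
 * Returns 0 on success, -1 on a truncated header or a non-data opcode. */
static int parse_hdr(const uint8_t *pkt, size_t len, struct data_hdr *h)
{
    if (len < 1) {
        return -1;
    }
    h->opcode = pkt[0] >> P_OPCODE_SHIFT;
    h->key_id = pkt[0] & P_KEY_ID_MASK;
    if (h->opcode == P_DATA_V1) {
        h->peer_id = 0;
        h->len = 1;
        return 0;
    }
    if (h->opcode == P_DATA_V2) {
        if (len < 4) {
            return -1;   /* V2 promised 4 bytes; refuse a short header */
        }
        h->peer_id = ((uint32_t)pkt[1] << 16) | ((uint32_t)pkt[2] << 8) | pkt[3];
        h->len = 4;
        return 0;
    }
    return -1;
}

/* Bytes by which the encrypted payload is off a 4-byte boundary, assuming
 * the packet buffer starts aligned: 1 for V1, 0 for V2. */
static size_t payload_misalignment(const uint8_t *pkt, size_t len)
{
    struct data_hdr h;
    if (parse_hdr(pkt, len, &h) != 0) {
        return (size_t)-1;
    }
    return h.len % 4;
}

int main(void)
{
    uint8_t pkt[8];
    struct data_hdr h;

    size_t n = write_v2(pkt, 1, 0);  /* a server->client packet with a zero peer-id */
    parse_hdr(pkt, n, &h);
    printf("V2: opcode=%d key_id=%d peer_id=%u hdr=%zu misalign=%zu\n",
           h.opcode, h.key_id, h.peer_id, h.len, payload_misalignment(pkt, n));

    n = write_v1(pkt, 1);
    parse_hdr(pkt, n, &h);
    printf("V1: opcode=%d key_id=%d hdr=%zu misalign=%zu\n",
           h.opcode, h.key_id, h.len, payload_misalignment(pkt, n));
    return 0;
}
```

The parser refuses a V2 header shorter than four bytes rather than reading past the buffer; the real receive path has to make the same check, since the opcode byte alone is what announces the longer header.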