
Use P_DATA_V2 for server->client packets too

P_DATA_V2 introduced the peer-id. This allows clients to float, but as a
side-effect 32-bit aligns the encrypted data. That alignment improves
performance particularly on cheaper/older CPUs. So although servers don't
actually have a peer-id, still use the V2 packet format (with a zero-id)
for server->client traffic too.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1511531903-19349-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/search?l=mid&q=1511531903-19349-1-git-send-email-steffan.karger@fox-it.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Steffan Karger authored on 2017/11/24 22:58:23
Showing 2 changed files
... ...
@@ -496,7 +496,7 @@ encrypt_sign(struct context *c, bool comp_frag)
496 496
         /* If using P_DATA_V2, prepend the 1-byte opcode and 3-byte peer-id to the
497 497
          * packet before openvpn_encrypt(), so we can authenticate the opcode too.
498 498
          */
499
-        if (c->c2.buf.len > 0 && !c->c2.tls_multi->opt.server && c->c2.tls_multi->use_peer_id)
499
+        if (c->c2.buf.len > 0 && c->c2.tls_multi->use_peer_id)
500 500
         {
501 501
             tls_prepend_opcode_v2(c->c2.tls_multi, &b->encrypt_buf);
502 502
         }
... ...
@@ -512,7 +512,7 @@ encrypt_sign(struct context *c, bool comp_frag)
512 512
     /* Do packet administration */
513 513
     if (c->c2.tls_multi)
514 514
     {
515
-        if (c->c2.buf.len > 0 && (c->c2.tls_multi->opt.server || !c->c2.tls_multi->use_peer_id))
515
+        if (c->c2.buf.len > 0 && !c->c2.tls_multi->use_peer_id)
516 516
         {
517 517
             tls_prepend_opcode_v1(c->c2.tls_multi, &c->c2.buf);
518 518
         }
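Review bot: The comment above the changed test at new line 499 still speaks of a "3-byte peer-id", but this branch now also runs on the server, where the commit description says a zero id is sent, and nothing in the hunk shows where that zero would come from. `tls_prepend_opcode_v2()` is handed `c->c2.tls_multi`, and the push code in this commit reads `tls_multi->peer_id` to send to the client. If those are the same object and the helper writes that field, server packets would carry the client's id rather than zero, so this is worth confirming and then stating in the comment, for example `* Servers use this format too once use_peer_id is set.` plus one line naming the id value actually written. The V1 test at new line 515 is now the exact complement of this one, so reading the flag once, `const bool use_v2 = c->c2.tls_multi->use_peer_id;`, and testing `use_v2` / `!use_v2` would keep the two branches from drifting apart. encrypt_sign's body begins and ends outside both hunks.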
... ...
@@ -365,6 +365,7 @@ prepare_push_reply(struct context *c, struct gc_arena *gc,
365 365
         {
366 366
             push_option_fmt(gc, push_list, M_USAGE, "peer-id %d",
367 367
                             tls_multi->peer_id);
368
+            tls_multi->use_peer_id = true;
368 369
         }
369 370
     }
370 371
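Review bot: The assignment `tls_multi->use_peer_id = true;` at new line 368 now decides the wire format of every later server->client data packet, so the condition guarding this block, which lies outside the hunk, becomes the only check that the client can parse P_DATA_V2. That deserves a comment at the assignment, for example `/* peer-id pushed: data packets to this client use P_DATA_V2 from now on */`. The hunk also does not show whether the flag is cleared or re-derived when the same tls_multi later serves a session where peer-id is not pushed; if it is not, a stale `true` would select V2 for a peer that never negotiated it. prepare_push_reply's body continues outside the hunk.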