Hi,

On 09-05-17 12:46, David Sommerseth wrote:
> On 08/05/17 23:44, Steffan Karger wrote:
>> As reported in trac #879, as of the introduction of NCP we always adjust
>> the frame parameters on session negotiations, but do not reset the frame
>> state for a new session on an existing state instance.  That caused the
>> frame parameters to be reduced for each reconnect, resulting in smaller
>> and smaller packet size limits until no traffic could go through the
>> tunnel at all.  This patch resolves that omission.
> 
> 
> Only glared at the code changes, and it makes sense to me.  I'll try to
> run a few tests to see if I can reproduce this issue.  If others can
> help test this patch, that will also help tremendously - and I'll try to
> remember to add a Tested-by: tag in the commit log too for all those
> confirming this fix.

The two reporters on trac confirm this fix works for them.

> A little nit-pick below though.
> 
> 
>> Trac: #879
>> Signed-off-by: Steffan Karger <stef...@karger.me>
>> ---
>>  src/openvpn/forward.c | 7 +++++++
>>  src/openvpn/init.c    | 2 ++
>>  src/openvpn/openvpn.h | 3 ++-
>>  src/openvpn/ssl.c     | 9 +--------
>>  src/openvpn/ssl.h     | 8 ++++++++
>>  5 files changed, 20 insertions(+), 9 deletions(-)
>>
>> diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
>> index 8102e94..2f3f3c5 100644
>> --- a/src/openvpn/forward.c
>> +++ b/src/openvpn/forward.c
>> @@ -866,9 +866,16 @@ process_incoming_link_part1(struct context *c, struct 
>> link_socket_info *lsi, boo
>>               * will load crypto_options with the correct encryption key
>>               * and return false.
>>               */
>> +            uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;
>>              if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, 
>> &co,
>>                                  floated, &ad_start))
>>              {
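Review bot: the new opcode read above the tls_pre_decrypt() call dereferences *BPTR(&c->c2.buf) with no length check in the visible context, so please confirm the enclosing block guarantees the buffer holds at least one byte, or guard the read. Because the value is taken from the same buffer that is then passed to tls_pre_decrypt(), a one-line comment stating that the opcode must be captured before that call would keep a later cleanup from moving the declaration inside the if block.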
> 
> Wouldn't it make more sense to move the opcode declaration to inside the
> if (tls_pre_decrypt(...)) block?  I can do that on-the-fly though.
> 

That won't work, because tls_pre_decrypt() alters buf.

-Steffan

