From 72327ec5d19983ddad646cc1e227579be1a8fdb3 Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan@karger.me>
Date: Sun, 7 May 2017 17:19:37 +0200
Subject: [PATCH] XXX Restore pre-NCP frame parameters for new sessions
---
src/openvpn/forward.c | 7 +++++++
src/openvpn/init.c | 2 ++
src/openvpn/openvpn.h | 3 ++-
src/openvpn/ssl.c | 9 +--------
src/openvpn/ssl.h | 8 ++++++++
5 files changed, 20 insertions(+), 9 deletions(-)
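--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -866,9 +866,16 @@ process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, boo
 * will load crypto_options with the correct encryption key
 * and return false.
 */
+uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;
 if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co,
 floated, &ad_start))
 {
+/* Restore pre-NCP frame parameters */
+if (is_hard_reset(opcode, c->options.key_method))
+{
+c->c2.frame = c->c2.frame_initial;
+}
+
 interval_action(&c->c2.tmp_int);
 
 /* reset packet received timer if TLS packet */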
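Review bot: The restore fires on every accepted packet whose opcode is a hard reset, not only when tls_pre_decrypt() actually opened a new session, so a retransmitted hard reset — or, on a setup without tls-auth/tls-crypt, an unauthenticated one — that still makes tls_pre_decrypt() return true would copy frame_initial over c->c2.frame while a session with NCP-negotiated parameters is in use; I cannot tell from the hunk whether tls_pre_decrypt() returns true in those cases, so that is worth confirming before merging. The opcode is also read from c->c2.buf before tls_pre_decrypt() has looked at the packet; unless process_incoming_link_part1() (whose start is outside the hunk) already guarantees buf.len > 0 at this point, the dereference needs a length guard. The new comment states what but not why; I would expand it to `/* A hard reset starts a new session: undo any frame changes a previous NCP negotiation made. */`.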
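--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -4069,6 +4069,8 @@ init_instance(struct context *c, const struct env_set *env, const unsigned int f
 c->c2.did_open_tun = do_open_tun(c);
 }
 
+c->c2.frame_initial = c->c2.frame;
+
 /* print MTU info */
 do_print_data_channel_mtu_parms(c);
 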
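Review bot: The snapshot `c->c2.frame_initial = c->c2.frame;` is taken immediately after do_open_tun(), and nothing in the hunk documents why this is the last point at which the frame is still "pre-NCP"; if any later step of init_instance() (its body continues outside the hunk) or the fragment/mssfix setup still adjusts c->c2.frame, the value restored in forward.c would be stale. I would add a comment pinning the invariant, e.g. `/* Snapshot the frame before NCP can change it; restored on hard reset in process_incoming_link_part1() */`. The assignment copies struct frame by value, which is only safe if the struct owns no pointers — the hunk does not show its definition, so please confirm.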
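--- a/src/openvpn/openvpn.h
+++ b/src/openvpn/openvpn.h
@@ -263,7 +263,8 @@ struct context_2
 struct link_socket_actual from; /* address of incoming datagram */
 
 /* MTU frame parameters */
-struct frame frame;
+struct frame frame; /* Active frame parameters */
+struct frame frame_initial; /* Restored on new session */
 
 #ifdef ENABLE_FRAGMENT
 /* Object to handle advanced MTU negotiation and datagram fragmentation */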
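Review bot: The comment on the new field, `/* Restored on new session */`, says when the field is used but not what it holds or where it is set, and a reader of openvpn.h cannot see init.c or forward.c. I would make it self-contained, e.g. `/* Frame as set up in init_instance(), before NCP; copied back to frame when a hard reset starts a new session (forward.c) */`.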
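--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -832,14 +832,7 @@ print_key_id(struct tls_multi *multi, struct gc_arena *gc)
 return BSTR(&out);
 }
 
-/*
-* Given a key_method, return true if op
-* represents the required form of hard_reset.
-*
-* If key_method = 0, return true if any
-* form of hard reset is used.
-*/
-static bool
+bool
 is_hard_reset(int op, int key_method)
 {
 if (!key_method || key_method == 1)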
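Review bot: Dropping `static` exports `is_hard_reset` into the global namespace under a bare name, while the neighbouring API exported from ssl.h uses a module prefix (tls_pre_decrypt, show_tls_performance_stats); consider `bool tls_is_hard_reset(int op, int key_method)` or keeping the function static behind a prefixed wrapper. The body of is_hard_reset() continues outside the hunk. The same rename would apply to the declaration added in ssl.h and the caller in forward.c.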
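--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -591,6 +591,14 @@ void show_tls_performance_stats(void);
 /*#define EXTRACT_X509_FIELD_TEST*/
 void extract_x509_field_test(void);
 
+/**
+* Given a key_method, return true if opcode represents the required form of
+* hard_reset.
+*
+* If key_method == 0, return true if any form of hard reset is used.
+*/
+bool is_hard_reset(int op, int key_method);
+
 #endif /* ENABLE_CRYPTO */
 
 #endif /* ifndef OPENVPN_SSL_H */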
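Review bot: The new Doxygen block refers to the argument as "opcode" while the prototype names it `op`, and it carries no @param/@return tags like a `/** */` comment is expected to. Either rename the parameter to `opcode` or add `@param op         Packet opcode, already shifted right by P_OPCODE_SHIFT`, `@param key_method Key method to check against; 0 accepts any hard reset form`, and `@return true if op is a hard reset acceptable for key_method`.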