From patchwork Tue Dec 7 06:01:58 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2123
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Dec 2021 18:01:58 +0100
Message-Id: <20211207170211.3275837-9-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20211207170211.3275837-1-arne@rfc2549.org>
References: <20211207170211.3275837-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 08/21] Decouple MSS fix calculation from frame calculation

This consolidates the MSS fix calculation into a single function instead of having it distributed all over the code. It also calculates the real wire overhead without extra sizes for buffer etc.

Signed-off-by: Arne Schwabe
---
 src/openvpn/forward.c | 5 ++---
 src/openvpn/init.c | 3 ++-
 src/openvpn/mss.c | 40 ++++++++++++++++++++++++++++++++++++++++
 src/openvpn/mss.h | 6 ++++++
 src/openvpn/mtu.c | 9 ---------
 src/openvpn/mtu.h | 10 ++++++----
 src/openvpn/proto.h | 11 -----------
 src/openvpn/ssl.c | 3 ++-
 8 files changed, 58 insertions(+), 29 deletions(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 29efcd3b9..f82386a1d 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1493,7 +1493,7 @@ process_ip_header(struct context *c, unsigned int flags, struct buffer *buf) /* possibly alter the TCP MSS */ if (flags & PIP_MSSFIX) { - mss_fixup_ipv4(&ipbuf, MTU_TO_MSS(TUN_MTU_SIZE_DYNAMIC(&c->c2.frame))); + mss_fixup_ipv4(&ipbuf, c->c2.frame.mss_fix); } /* possibly do NAT on packet */
@@ -1517,8 +1517,7 @@ process_ip_header(struct context *c, unsigned int flags, struct buffer *buf) /* possibly alter the TCP MSS */ if (flags & PIP_MSSFIX) { - mss_fixup_ipv6(&ipbuf, - MTU_TO_MSS(TUN_MTU_SIZE_DYNAMIC(&c->c2.frame))); + mss_fixup_ipv6(&ipbuf, c->c2.frame.mss_fix); } if (!(flags & PIP_OUTGOING) && (flags &(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER))) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 85d664ad6..b22ce60af 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -53,6 +53,7 @@ #include "tls_crypt.h" #include "forward.h" #include "auth_token.h" +#include "mss.h" #include "memdbg.h" @@ -4156,7 +4157,7 @@ init_instance(struct context *c, const struct env_set *env, const unsigned int f #endif /* initialize dynamic MTU variable */ - frame_init_mssfix(&c->c2.frame, &c->options); + frame_calculate_mssfix(&c->c2.frame, &c->c1.ks.key_type, &c->options); /* bind the TCP/UDP socket */ if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c index aa5b68ce9..56dea0292 100644 --- a/src/openvpn/mss.c +++ b/src/openvpn/mss.c @@ -30,6 +30,8 @@ #include "syshead.h" #include "error.h" #include "mss.h" +#include "crypto.h" +#include "ssl_common.h" #include "memdbg.h" /* 
@@ -204,3 +206,41 @@ mss_fixup_dowork(struct buffer *buf, uint16_t maxmss) } } } + +void +frame_calculate_mssfix(struct frame *frame, struct key_type *kt, + const struct options *options) +{ + if (options->ce.mssfix == 0) + { + return; + } + + unsigned int payload_size; + unsigned int overhead; + + + payload_size = frame_calculate_payload_size(frame, options); + + overhead = frame_calculate_protocol_header_size(kt, options, + payload_size, false); + + /* Calculate the number of bytes that the payload differs from the payload + * MTU. This are fragment/compression/ethernet headers */ + unsigned payload_overhead = frame_calculate_payload_overhead(frame, options, true); + + /* We are in a "liberal" position with respect to MSS, + * i.e. we assume that MSS can be calculated from MTU + * by subtracting out only the IP and TCP header sizes + * without options. + * + * (RFC 879, section 7). */ + + /* Add 20 bytes for the IPv4 header and TCP header of the payload, + * the mssfix routes will add 20 extra if payload is IPv6 */ + overhead += 20 + 20; + + /* Calculate the maximum MSS value from the max link layer size specified + * by ce.mssfix */ + frame->mss_fix = options->ce.mssfix - overhead - payload_overhead; +} \ No newline at end of file diff --git a/src/openvpn/mss.h b/src/openvpn/mss.h index 41254e2a6..856f4c4e3 100644 --- a/src/openvpn/mss.h +++ b/src/openvpn/mss.h @@ -26,6 +26,8 @@ #include "proto.h" #include "error.h" +#include "mtu.h" +#include "ssl_common.h" void mss_fixup_ipv4(struct buffer *buf, int maxmss); @@ -33,4 +35,8 @@ void mss_fixup_ipv6(struct buffer *buf, int maxmss); void mss_fixup_dowork(struct buffer *buf, uint16_t maxmss); +/** Set the --mssfix option. */ +void frame_calculate_mssfix(struct frame *frame, struct key_type *kt, + const struct options *options); + #endif diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index 25b943722..e7ff477cd 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c 
@@ -205,15 +205,6 @@ frame_subtract_extra(struct frame *frame, const struct frame *src) frame->extra_tun += src->extra_frame; } -void -frame_init_mssfix(struct frame *frame, const struct options *options) -{ - if (options->ce.mssfix) - { - frame_set_mtu_dynamic(frame, options->ce.mssfix, SET_MTU_UPPER_BOUND); - } -} - void frame_print(const struct frame *frame, int level, diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index 5ad0931fd..ae83d3e7a 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -94,6 +94,12 @@ struct frame { int link_mtu; /**< Maximum packet size to be sent over * the external network interface. */ + unsigned int mss_fix; /**< The actual MSS value that should be + * written to the payload packets. This + * is the value for IPv4 TCP packets. For + * IPv6 packets another 20 bytes must + * be subtracted */ + int link_mtu_dynamic; /**< Dynamic MTU value for the external * network interface. */ @@ -152,7 +158,6 @@ struct options; * This is the size to "ifconfig" the tun or tap device. */ #define TUN_MTU_SIZE(f) ((f)->link_mtu - TUN_LINK_DELTA(f)) -#define TUN_MTU_SIZE_DYNAMIC(f) ((f)->link_mtu_dynamic - TUN_LINK_DELTA(f)) /* * This is the maximum packet size that we need to be able to @@ -291,9 +296,6 @@ void alloc_buf_sock_tun(struct buffer *buf, const struct frame *frame, const bool tuntap_buffer); -/** Set the --mssfix option. */ -void frame_init_mssfix(struct frame *frame, const struct options *options); - /* * EXTENDED_SOCKET_ERROR_CAPABILITY functions -- print extra error info * on socket errors, such as PMTU size. As of 2003.05.11, only works diff --git a/src/openvpn/proto.h b/src/openvpn/proto.h index f73e50c07..94010a98f 100644 --- a/src/openvpn/proto.h +++ b/src/openvpn/proto.h 
@@ -247,17 +247,6 @@ struct ip_tcp_udp_hdr { acc -= (u32) >> 16; \ } -/* - * We are in a "liberal" position with respect to MSS, - * i.e. we assume that MSS can be calculated from MTU - * by subtracting out only the IP and TCP header sizes - * without options. - * - * (RFC 879, section 7). - */ -#define MTU_TO_MSS(mtu) (mtu - sizeof(struct openvpn_iphdr) \ - - sizeof(struct openvpn_tcphdr)) - /* * This returns an ip protocol version of packet inside tun * and offset of IP header (via parameter). diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 303e3fe8f..608b30110 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -62,6 +62,7 @@ #include "ssl_ncp.h" #include "ssl_util.h" #include "auth_token.h" +#include "mss.h" #include "memdbg.h" @@ -1893,7 +1894,7 @@ tls_session_update_crypto_params_do_work(struct tls_session *session, options->replay, packet_id_long_form); frame_finalize(frame, options->ce.link_mtu_defined, options->ce.link_mtu, options->ce.tun_mtu_defined, options->ce.tun_mtu); - frame_init_mssfix(frame, options); + frame_calculate_mssfix(frame, &session->opt->key_type, options); frame_print(frame, D_MTU_INFO, "Data Channel MTU parms"); /*
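Review bot: In the forward.c hunk at line 1493, the new argument `c->c2.frame.mss_fix` is an `unsigned int` (per the mtu.h hunk) while `mss_fixup_ipv4()` takes `int maxmss` and `mss_fixup_dowork()` takes `uint16_t maxmss` (both visible in the mss.h context), so any value above 65535 is silently truncated to a wrong MSS instead of being rejected. Either declare `mss_fix` with the narrower type the fixup routines actually accept, or clamp it to the 1..65535 range where it is computed so these call sites never see an out-of-range value.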
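Review bot: In the forward.c hunk at line 1517, `mss_fixup_ipv6()` receives the same `c->c2.frame.mss_fix` as the IPv4 path, yet the new field's documentation in the mtu.h hunk says "For IPv6 packets another 20 bytes must be subtracted" and the mss.c comment says "the mssfix routes will add 20 extra if payload is IPv6". The subtraction is not visible in this patch; please confirm `mss_fixup_ipv6()` already does it, or pass `c->c2.frame.mss_fix - 20` here so the IPv6 MSS is not 20 bytes too large.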
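Review bot: In the init.c hunk at line 4156, the retained comment `/* initialize dynamic MTU variable */` is now stale: `frame_calculate_mssfix()` only fills in `frame->mss_fix` and no longer calls `frame_set_mtu_dynamic()`. Suggest `/* calculate the initial MSS fix value */` and a mention that the ssl.c hunk recomputes it in `tls_session_update_crypto_params_do_work()` once the data-channel key type is final, since `&c->c1.ks.key_type` passed here is the pre-negotiation value.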
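Review bot: In the mss.c hunk adding `frame_calculate_mssfix()`, the final line `frame->mss_fix = options->ce.mssfix - overhead - payload_overhead;` has no lower-bound check: all three operands are unsigned, so a small `--mssfix` (or a large protocol overhead) wraps to a value near UINT_MAX rather than failing. Add something like `if (options->ce.mssfix <= overhead + payload_overhead) { msg(M_WARN, ...); frame->mss_fix = <sane minimum>; return; }` before the assignment. Smaller points in the same hunk: `overhead += 20 + 20;` replaces the `sizeof(struct openvpn_iphdr)` / `sizeof(struct openvpn_tcphdr)` expressions deleted from proto.h with magic numbers, and the RFC 879 comment now floats between two statements, so put the sizeofs back and attach the comment to that line; `kt` is only passed through and can be `const struct key_type *`; the comment typos "This are fragment/compression/ethernet headers" (These are) and "the mssfix routes" (routines); the double blank line after `unsigned int overhead;`; and the `\ No newline at end of file` marker.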
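Review bot: In the mss.h hunk at line 26, pulling `#include "ssl_common.h"` into a header that previously only needed proto.h and error.h widens the include graph of every file that includes mss.h and risks an include cycle (mss.c also includes ssl_common.h directly). The new prototype only takes pointers, so forward declarations `struct frame; struct key_type; struct options;` are sufficient here and the full includes can stay in mss.c.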
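Review bot: In the mss.h hunk at line 33, the doc comment `/** Set the --mssfix option. */` is copied verbatim from the `frame_init_mssfix()` declaration removed in the mtu.h hunk and no longer describes what the function does. Suggest documenting the actual behaviour, e.g. "Calculate frame->mss_fix from the --mssfix value by subtracting the protocol, payload and IPv4/TCP header overhead; does nothing when --mssfix is 0", including the note that `mss_fix` is left untouched in that case.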
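Review bot: In the mtu.h hunk at line 152, `TUN_MTU_SIZE_DYNAMIC(f)` is deleted while `link_mtu_dynamic` (the only field it read) stays in `struct frame`. The two users removed in forward.c are the only ones this patch touches; please confirm no other translation unit still references the macro, and state in the commit message whether `link_mtu_dynamic` is still needed or is left for a later patch in the series.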