From patchwork Tue Dec 7 06:01:51 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2125 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director12.mail.ord1d.rsapps.net ([172.31.255.6]) by backend41.mail.ord1d.rsapps.net with LMTP id 6GJENMyTr2ENUwAAqwncew (envelope-from ) for ; Tue, 07 Dec 2021 12:03:08 -0500 Received: from proxy18.mail.iad3b.rsapps.net ([172.31.255.6]) by director12.mail.ord1d.rsapps.net with LMTP id kPg2J8yTr2GhVQAAIasKDg (envelope-from ) for ; Tue, 07 Dec 2021 12:03:08 -0500 Received: from smtp23.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy18.mail.iad3b.rsapps.net with LMTPS id 8A24Dc2Tr2F+aQAA3NpJmQ (envelope-from ) for ; Tue, 07 Dec 2021 12:03:09 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp23.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 8ccceb5a-577f-11ec-864c-525400aa5716-1-1 Received: from [216.105.38.7] ([216.105.38.7:60348] helo=lists.sourceforge.net) by smtp23.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 79/36-27394-CC39FA16; Tue, 07 Dec 2021 12:03:08 -0500 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1mudrC-0000tG-HW; Tue, 07 Dec 2021 17:02:22 +0000 Received: from [172.30.20.202] 
(helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1mudrA-0000sn-2C for openvpn-devel@lists.sourceforge.net; Tue, 07 Dec 2021 17:02:20 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=8vMA6hMfcqpYIOJrhu1psGvo1zRNeuWdLDl4bLvEE/8=; b=Xk8Ou/pemVZKxQoOFZFygDWalY tkePJw8loXaVLUN+7xTVCGPAeswwKfRFevEdMUZ5loBTar2M+h8qDnq6wloCLpPDhusjDJXjmOf5C mhlk/P7/Rh5FoHNHxpC7cswGBwQOtX5efCfcNRiXk3l85Thw7BX+gnuDicTRcTiKIOiw=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=8vMA6hMfcqpYIOJrhu1psGvo1zRNeuWdLDl4bLvEE/8=; b=exbds7pmlyvDrN66wfQcf4CyuB 8Gh57AV+5XZxt/M1SXo20Y52nzYo1Std6Bj3C7APq67YGqNrakvpfDEmq8ffJc741j7ATR3Yj0luZ Uu80kq0w/XgjsIvDYBKeIZWx+4TGwAyrh+nqUeidgegvfvGZ83bv88ftMea5ta/MT9wk=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1mudr8-007aK7-Ct for openvpn-devel@lists.sourceforge.net; Tue, 07 Dec 2021 17:02:19 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from ) id 1mudr1-000Idd-8e for openvpn-devel@lists.sourceforge.net; Tue, 07 Dec 2021 18:02:11 +0100 
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Dec 2021 18:01:51 +0100
Message-Id: <20211207170211.3275837-2-arne@rfc2549.org>
In-Reply-To: <20211207170211.3275837-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 01/21] Remove max_size from buffer_list_new

This argument is never used apart from a unit test. Remove this argument as a small cleanup.
Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/buffer.c | 7 +++---- src/openvpn/buffer.h | 4 +--- src/openvpn/manage.c | 4 ++-- src/openvpn/ssl.c | 2 +- tests/unit_tests/openvpn/test_buffer.c | 22 ++++------------------ 5 files changed, 11 insertions(+), 28 deletions(-) diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c index 486a77548..e9afb6d6a 100644 --- a/src/openvpn/buffer.c +++ b/src/openvpn/buffer.c @@ -1171,11 +1171,10 @@ valign4(const struct buffer *buf, const char *file, const int line) * struct buffer_list */ struct buffer_list * -buffer_list_new(const int max_size) +buffer_list_new() { struct buffer_list *ret; ALLOC_OBJ_CLEAR(ret, struct buffer_list); - ret->max_size = max_size; ret->size = 0; return ret; } @@ -1229,7 +1228,7 @@ struct buffer_entry * buffer_list_push_data(struct buffer_list *ol, const void *data, size_t size) { struct buffer_entry *e = NULL; - if (data && (!ol->max_size || ol->size < ol->max_size)) + if (data) { ALLOC_OBJ_CLEAR(e, struct buffer_entry); @@ -1359,7 +1358,7 @@ buffer_list_file(const char *fn, int max_line_len) char *line = (char *) malloc(max_line_len); if (line) { - bl = buffer_list_new(0); + bl = buffer_list_new(); while (fgets(line, max_line_len, fp) != NULL) { buffer_list_push(bl, line); diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h index 8cc03c08f..619c3a95d 100644 --- a/src/openvpn/buffer.h +++ b/src/openvpn/buffer.h @@ -1102,11 +1102,9 @@ struct buffer_list /** * Allocate an empty buffer list of capacity \c max_size. * - * @param max_size the capacity of the list to allocate - * * @return the new list */ -struct buffer_list *buffer_list_new(const int max_size); +struct buffer_list *buffer_list_new(); /** * Frees a buffer list and all the buffers in it. diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 28315b82a..1f408f0b5 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c 
@@ -878,7 +878,7 @@ in_extra_reset(struct man_connection *mc, const int mode) } if (mode == IER_NEW) { - mc->in_extra = buffer_list_new(0); + mc->in_extra = buffer_list_new(); } } } @@ -2507,7 +2507,7 @@ man_connection_init(struct management *man) * command output from/to the socket. */ man->connection.in = command_line_new(1024); - man->connection.out = buffer_list_new(0); + man->connection.out = buffer_list_new(); /* * Initialize event set for standalone usage, when we are diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 0d811f24e..05096ee0a 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -3989,7 +3989,7 @@ tls_send_payload(struct tls_multi *multi, { if (!ks->paybuf) { - ks->paybuf = buffer_list_new(0); + ks->paybuf = buffer_list_new(); } buffer_list_push_data(ks->paybuf, data, (size_t)size); ret = true; diff --git a/tests/unit_tests/openvpn/test_buffer.c b/tests/unit_tests/openvpn/test_buffer.c index 5e854c22e..ac701669f 100644 --- a/tests/unit_tests/openvpn/test_buffer.c +++ b/tests/unit_tests/openvpn/test_buffer.c @@ -67,18 +67,18 @@ static int test_buffer_list_setup(void **state) { struct test_buffer_list_aggregate_ctx *ctx = calloc(1, sizeof(*ctx)); - ctx->empty = buffer_list_new(0); + ctx->empty = buffer_list_new(); - ctx->one_two_three = buffer_list_new(3); + ctx->one_two_three = buffer_list_new(); buffer_list_push(ctx->one_two_three, teststr1); buffer_list_push(ctx->one_two_three, teststr2); buffer_list_push(ctx->one_two_three, teststr3); - ctx->zero_length_strings = buffer_list_new(2); + ctx->zero_length_strings = buffer_list_new(); buffer_list_push(ctx->zero_length_strings, ""); buffer_list_push(ctx->zero_length_strings, ""); - ctx->empty_buffers = buffer_list_new(2); + ctx->empty_buffers = buffer_list_new(); uint8_t data = 0; buffer_list_push_data(ctx->empty_buffers, &data, 0); buffer_list_push_data(ctx->empty_buffers, &data, 0); 
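Review bot: the buffer.h hunk leaves the doc comment reading "Allocate an empty buffer list of capacity \c max_size." while deleting the @param it refers to; drop the "of capacity \c max_size" clause so the comment matches the new signature. In the same hunk, and in the buffer.c definition, prefer `buffer_list_new(void)` over `buffer_list_new()`: before C23 an empty parameter list in a prototype declares a function with unspecified arguments, so a leftover `buffer_list_new(0)` caller would still compile. The buffer.c change to `buffer_list_push_data` also removes the only bound on list growth; since every non-test caller already passed 0 (unbounded), behaviour is unchanged, which is worth stating in the commit message.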
@@ -100,17 +100,6 @@ test_buffer_list_teardown(void **state) return 0; } -static void -test_buffer_list_full(void **state) -{ - struct test_buffer_list_aggregate_ctx *ctx = *state; - - /* list full */ - assert_int_equal(ctx->one_two_three->size, 3); - buffer_list_push(ctx->one_two_three, teststr4); - assert_int_equal(ctx->one_two_three->size, 3); -} - static void test_buffer_list_aggregate_separator_empty(void **state) { 
@@ -247,9 +236,6 @@ main(void) { const struct CMUnitTest tests[] = { cmocka_unit_test(test_buffer_strprefix), - cmocka_unit_test_setup_teardown(test_buffer_list_full, - test_buffer_list_setup, - test_buffer_list_teardown), cmocka_unit_test_setup_teardown(test_buffer_list_aggregate_separator_empty, test_buffer_list_setup, test_buffer_list_teardown), From patchwork Tue Dec 7 06:01:52 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2122 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director7.mail.ord1d.rsapps.net ([172.30.191.6]) by backend41.mail.ord1d.rsapps.net with LMTP id 6AgGLMmTr2HSUgAAqwncew (envelope-from ) for ; Tue, 07 Dec 2021 12:03:05 -0500 Received: from proxy3.mail.ord1d.rsapps.net ([172.30.191.6]) by director7.mail.ord1d.rsapps.net with LMTP id kAanDcqTr2G9SgAAovjBpQ (envelope-from ) for ; Tue, 07 Dec 2021 12:03:06 -0500 Received: from smtp25.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy3.mail.ord1d.rsapps.net with LMTPS id 6JR/DcqTr2FTCQAA7WKfLA (envelope-from ) for ; Tue, 07 Dec 2021 12:03:06 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp25.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 8aefb132-577f-11ec-8d6d-52540081550e-1-1 Received: from [216.105.38.7] ([216.105.38.7:50656] helo=lists.sourceforge.net) by smtp25.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Dec 2021 18:01:52 +0100
Message-Id: <20211207170211.3275837-3-arne@rfc2549.org>
In-Reply-To: <20211207170211.3275837-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 02/21] Deprecate link-mtu

This option might have been useful in the past, but nowadays it has very unclear semantics, so better remove/deprecate it.

Signed-off-by: Arne Schwabe
---
 doc/man-sections/link-options.rst | 7 ++++++-
 src/openvpn/options.c             | 4 +---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst
index 32e72a1b7..b1ae4e75a 100644
--- a/doc/man-sections/link-options.rst
+++ b/doc/man-sections/link-options.rst
@@ -82,10 +82,15 @@ the local and the remote host. ping-restart 60 # Argument: timeout --link-mtu n - Sets an upper bound on the size of UDP packets which are sent between + **DEPRECATED** Sets an upper bound on the size of UDP packets which are sent between OpenVPN peers. *It's best not to set this parameter unless you know what you're doing.* + Due to variable header size of IP header (20 bytes for IPv4 and 40 bytes + for IPv6) and dynamically negotiated data channel cipher, this option + is not reliable. It is recommended to set tun-mtu with enough headroom + instead. + --local host Local host name or IP address for bind. If specified, OpenVPN will bind to this address only. If unspecified, OpenVPN will bind to all diff --git a/src/openvpn/options.c b/src/openvpn/options.c index b840b767b..c1663b264 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
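Review bot: in the link-options.rst hunk, the new "**DEPRECATED** Sets an upper bound on the size of UDP packets which are sent between" line runs well past the wrap width of the surrounding paragraph; reflow it. The added paragraph also has grammar slips and refers to the alternative option without its dashes; suggest "Due to the variable size of the IP header (20 bytes for IPv4 and 40 bytes for IPv6) and the dynamically negotiated data channel cipher, this option is not reliable. It is recommended to set --tun-mtu with enough headroom instead." so the reference matches how --link-mtu and --local are written on this page.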
@@ -2111,9 +2111,7 @@ options_postprocess_verify_ce(const struct options *options, */ if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined) { - msg(M_USAGE, - "only one of --tun-mtu or --link-mtu may be defined (note that " - "--ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT); + msg(M_USAGE, "only one of --tun-mtu or --link-mtu may be defined"); } if (!proto_is_udp(ce->proto) && options->mtu_test) From patchwork Tue Dec 7 06:01:53 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2132 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.27.255.1]) by backend41.mail.ord1d.rsapps.net with LMTP id 4JCDH8+Tr2ELUwAAqwncew (envelope-from ) for ; Tue, 07 Dec 2021 12:03:11 -0500 Received: from proxy19.mail.iad3a.rsapps.net ([172.27.255.1]) by director11.mail.ord1d.rsapps.net with LMTP id 8GsgAdCTr2EidwAAvGGmqA (envelope-from ) for ; Tue, 07 Dec 2021 12:03:12 -0500 Received: from smtp23.gate.iad3a ([172.27.255.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy19.mail.iad3a.rsapps.net with LMTPS id mCCSGY+Sr2GTZAAAXy6Yeg (envelope-from ) for ; Tue, 07 Dec 2021 11:57:51 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp23.gate.iad3a.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 8e8a1ff8-577f-11ec-9dd0-52540033eb40-1-1 Received: from [216.105.38.7] ([216.105.38.7:36826] 
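Review bot: the options.c hunk only shortens the error text for the --tun-mtu/--link-mtu conflict; nothing in the patch emits a warning when --link-mtu is actually used, so the deprecation announced in the subject is visible only to readers of the man page. Consider adding a `msg(M_WARN, ...)` where --link-mtu is parsed so deployed configurations are notified. The removed parenthetical "(note that --ifconfig implies --link-mtu %d)" also explained why --ifconfig together with --tun-mtu hits this error; if --ifconfig still sets link_mtu_defined, keep some form of that hint.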
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Dec 2021 18:01:53 +0100
Message-Id: <20211207170211.3275837-4-arne@rfc2549.org>
In-Reply-To: <20211207170211.3275837-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 03/21] Remove align_adjust frame code

The align_adjust variable was only set to a non-zero value when no cipher was used for the data channel. Since we no longer want to optimise non-encrypted data channel traffic, remove this optimisation and simplify the code.
Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/crypto.c | 4 ++-- src/openvpn/forward.c | 2 +- src/openvpn/fragment.c | 2 +- src/openvpn/init.c | 13 ------------- src/openvpn/mtu.c | 9 ++------- src/openvpn/mtu.h | 38 ++++++++------------------------------ src/openvpn/socket.c | 3 +-- src/openvpn/win32.c | 2 +- 8 files changed, 16 insertions(+), 57 deletions(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 36f880433..cd791ab8a 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -370,7 +370,7 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work, ASSERT(ad_start >= buf->data && ad_start <= BPTR(buf)); - ASSERT(buf_init(&work, FRAME_HEADROOM_ADJ(frame, FRAME_HEADROOM_MARKER_DECRYPT))); + ASSERT(buf_init(&work, FRAME_HEADROOM(frame))); /* IV and Packet ID required for this mode */ ASSERT(packet_id_initialized(&opt->packet_id)); @@ -533,7 +533,7 @@ openvpn_decrypt_v1(struct buffer *buf, struct buffer work, int outlen; /* initialize work buffer with FRAME_HEADROOM bytes of prepend capacity */ - ASSERT(buf_init(&work, FRAME_HEADROOM_ADJ(frame, FRAME_HEADROOM_MARKER_DECRYPT))); + ASSERT(buf_init(&work, FRAME_HEADROOM(frame))); /* read the IV from the packet */ if (buf->len < iv_size) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 41ef12e30..29efcd3b9 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -803,7 +803,7 @@ read_incoming_link(struct context *c) perf_push(PERF_READ_IN_LINK); c->c2.buf = c->c2.buffers->read_link_buf; - ASSERT(buf_init(&c->c2.buf, FRAME_HEADROOM_ADJ(&c->c2.frame, FRAME_HEADROOM_MARKER_READ_LINK))); + ASSERT(buf_init(&c->c2.buf, FRAME_HEADROOM(&c->c2.frame))); status = link_socket_read(c->c2.link_socket, &c->c2.buf, diff --git a/src/openvpn/fragment.c b/src/openvpn/fragment.c index aba611fa0..6f8fb4476 100644 --- a/src/openvpn/fragment.c +++ b/src/openvpn/fragment.c 
@@ -214,7 +214,7 @@ fragment_incoming(struct fragment_master *f, struct buffer *buf, frag->defined = true; frag->max_frag_size = size; frag->map = 0; - ASSERT(buf_init(&frag->buf, FRAME_HEADROOM_ADJ(frame, FRAME_HEADROOM_MARKER_FRAGMENT))); + ASSERT(buf_init(&frag->buf, FRAME_HEADROOM(frame))); } /* copy the data to fragment buffer */ diff --git a/src/openvpn/init.c b/src/openvpn/init.c index f8a13fdfa..0009bcb72 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2461,19 +2461,6 @@ frame_finalize_options(struct context *c, const struct options *o) o = &c->options; } - /* - * Set adjustment factor for buffer alignment when no - * cipher is used. - */ - if (!cipher_defined(c->c1.ks.key_type.cipher)) - { - frame_align_to_extra_frame(&c->c2.frame); - frame_or_align_flags(&c->c2.frame, - FRAME_HEADROOM_MARKER_FRAGMENT - |FRAME_HEADROOM_MARKER_READ_LINK - |FRAME_HEADROOM_MARKER_READ_STREAM); - } - frame_add_to_extra_buffer(&c->c2.frame, PAYLOAD_ALIGN); frame_finalize(&c->c2.frame, o->ce.link_mtu_defined, diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index e4143e267..0ab716d7a 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c @@ -42,12 +42,11 @@ void alloc_buf_sock_tun(struct buffer *buf, const struct frame *frame, - const bool tuntap_buffer, - const unsigned int align_mask) + const bool tuntap_buffer) { /* allocate buffer for overlapped I/O */ *buf = alloc_buf(BUF_SIZE(frame)); - ASSERT(buf_init(buf, FRAME_HEADROOM_ADJ(frame, align_mask))); + ASSERT(buf_init(buf, FRAME_HEADROOM(frame))); buf->len = tuntap_buffer ? MAX_RW_SIZE_TUN(frame) : MAX_RW_SIZE_LINK(frame); ASSERT(buf_safe(buf, 0)); } 
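Review bot: the mtu.c alloc_buf_sock_tun hunk drops the align_mask parameter and the init.c hunk removes the only code path that set a non-zero align_adjust (the cipher-none branch in frame_finalize_options), so for every configuration with a data channel cipher FRAME_HEADROOM_ADJ(frame, mask) already evaluated to FRAME_HEADROOM(frame) and the buffer layout in crypto.c, forward.c and fragment.c is unchanged. Please say that explicitly in the commit message, since these hunks touch the decrypt work buffer and the link read buffer and a reader will otherwise have to re-derive that the headroom is identical.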
@@ -153,10 +152,6 @@ frame_print(const struct frame *frame, buf_printf(&out, " EB:%d", frame->extra_buffer); buf_printf(&out, " ET:%d", frame->extra_tun); buf_printf(&out, " EL:%d", frame->extra_link); - if (frame->align_flags && frame->align_adjust) - { - buf_printf(&out, " AF:%u/%d", frame->align_flags, frame->align_adjust); - } buf_printf(&out, " ]"); msg(level, "%s", out.data); diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index 7b18b3621..72a9e515b 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -121,17 +121,10 @@ struct frame { int extra_link; /**< Maximum number of bytes in excess of * external network interface's MTU that - * might be read from or written to it. */ - - /* - * Alignment control - */ -#define FRAME_HEADROOM_MARKER_DECRYPT (1<<0) -#define FRAME_HEADROOM_MARKER_FRAGMENT (1<<1) -#define FRAME_HEADROOM_MARKER_READ_LINK (1<<2) -#define FRAME_HEADROOM_MARKER_READ_STREAM (1<<3) - unsigned int align_flags; - int align_adjust; + * might be read from or written to it. + * + * Used by peer-id (3) and + * socks UDP (10) */ }; /* Forward declarations, to prevent includes */ @@ -184,8 +177,7 @@ struct options; * Control buffer headroom allocations to allow for efficient prepending. */ #define FRAME_HEADROOM_BASE(f) (TUN_LINK_DELTA(f) + (f)->extra_buffer + (f)->extra_link) -#define FRAME_HEADROOM(f) frame_headroom(f, 0) -#define FRAME_HEADROOM_ADJ(f, fm) frame_headroom(f, fm) +#define FRAME_HEADROOM(f) frame_headroom(f) /* * Max size of a buffer used to build a packet for output to @@ -227,8 +219,7 @@ void frame_set_mtu_dynamic(struct frame *frame, int mtu, unsigned int flags); */ void alloc_buf_sock_tun(struct buffer *buf, const struct frame *frame, - const bool tuntap_buffer, - const unsigned int align_mask); + const bool tuntap_buffer); /** Set the --mssfix option. */ void frame_init_mssfix(struct frame *frame, const struct options *options);
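Review bot: in the mtu.h hunk, `#define FRAME_HEADROOM(f) frame_headroom(f)` is now a one-to-one alias for the inline function; either keep it deliberately for source compatibility and say so in a comment, or convert the remaining FRAME_HEADROOM(...) call sites to frame_headroom(...) directly. The new comment on extra_link, "Used by peer-id (3) and socks UDP (10)", would be clearer as "Used by peer-id (3 bytes) and SOCKS UDP (10 bytes)". The frame_print hunk drops the " AF:%u/%d" field from the logged frame summary, which is a user-visible log format change and should be mentioned in the commit message.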
@@ -252,11 +243,10 @@ const char *format_extended_socket_error(int fd, int *mtu, struct gc_arena *gc); * headroom and alignment issues. */ static inline int -frame_headroom(const struct frame *f, const unsigned int flag_mask) +frame_headroom(const struct frame *f) { const int offset = FRAME_HEADROOM_BASE(f); - const int adjust = (flag_mask & f->align_flags) ? f->align_adjust : 0; - const int delta = ((PAYLOAD_ALIGN << 24) - (offset + adjust)) & (PAYLOAD_ALIGN - 1); + const int delta = ((PAYLOAD_ALIGN << 24) - offset) & (PAYLOAD_ALIGN - 1); return offset + delta; } @@ -300,18 +290,6 @@ frame_add_to_extra_buffer(struct frame *frame, const int increment) frame->extra_buffer += increment; } -static inline void -frame_align_to_extra_frame(struct frame *frame) -{ - frame->align_adjust = frame->extra_frame + frame->extra_link; -} - -static inline void -frame_or_align_flags(struct frame *frame, const unsigned int flag_mask) -{ - frame->align_flags |= flag_mask; -} - static inline bool frame_defined(const struct frame *frame) { diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 72062cd08..df7367469 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -1645,8 +1645,7 @@ socket_frame_init(const struct frame *frame, struct link_socket *sock) #else alloc_buf_sock_tun(&sock->stream_buf_data, frame, - false, - FRAME_HEADROOM_MARKER_READ_STREAM); + false); stream_buf_init(&sock->stream_buf, &sock->stream_buf_data, diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c index fd1246cde..1dc1c5e77 100644 --- a/src/openvpn/win32.c +++ b/src/openvpn/win32.c 
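Review bot: the frame_headroom hunk keeps the PAYLOAD_ALIGN rounding `((PAYLOAD_ALIGN << 24) - offset) & (PAYLOAD_ALIGN - 1)` and the comment above it, "headroom and alignment issues", remains accurate for that, but with align_adjust gone the cipher-none case no longer compensates for extra_frame + extra_link, so the payload of unencrypted packets is not guaranteed to land aligned after the removed header bytes. That is a performance-only consequence and consistent with the commit message, but worth one sentence there so nobody later reads it as a regression.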
@@ -186,7 +186,7 @@ overlapped_io_init(struct overlapped_io *o, } /* allocate buffer for overlapped I/O */ - alloc_buf_sock_tun(&o->buf_init, frame, tuntap_buffer, 0); + alloc_buf_sock_tun(&o->buf_init, frame, tuntap_buffer); } void From patchwork Tue Dec 7 06:01:54 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2130 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director14.mail.ord1d.rsapps.net ([172.30.191.6]) by backend41.mail.ord1d.rsapps.net with LMTP id osYUJM2Tr2EXUwAAqwncew (envelope-from ) for ; Tue, 07 Dec 2021 12:03:09 -0500 Received: from proxy11.mail.ord1d.rsapps.net ([172.30.191.6]) by director14.mail.ord1d.rsapps.net with LMTP id uN8SBc6Tr2EragAAeJ7fFg (envelope-from ) for ; Tue, 07 Dec 2021 12:03:10 -0500 Received: from smtp29.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy11.mail.ord1d.rsapps.net with LMTPS id gGn7ELuTr2H7BQAAgKDEHA (envelope-from ) for ; Tue, 07 Dec 2021 12:02:51 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp29.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 8d306f2c-577f-11ec-8ce6-525400f257a9-1-1 Received: from [216.105.38.7] ([216.105.38.7:50766] helo=lists.sourceforge.net) by smtp29.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id E0/96-16728-CC39FA16; Tue, 07 Dec 2021 12:03:08 
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Dec 2021 18:01:54 +0100
Message-Id: <20211207170211.3275837-5-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20211207170211.3275837-1-arne@rfc2549.org>
References: <20211207170211.3275837-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 04/21] Fix triggering assertion of ks->authenticated after tls_deauthenticate

When tls_deauthenticate is called (e.g. by management kicking a client) the key auth state is changed to KS_AUTH_FALSE while the key state is still in S_GENERATED_KEYS. This triggers the assertion. Remove the assertions and instead check that the auth state is KS_AUTH_TRUE.
Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/ssl.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 05096ee0a..8cbb129d2 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -3276,9 +3276,9 @@ handle_data_channel_packet(struct tls_multi *multi, * active side is the client which initiates connections). */ if (ks->state >= S_GENERATED_KEYS && key_id == ks->key_id + && ks->authenticated == KS_AUTH_TRUE && (floated || link_socket_actual_match(from, &ks->remote_addr))) { - ASSERT(ks->authenticated == KS_AUTH_TRUE); if (!ks->crypto_options.key_ctx_bi.initialized) { msg(D_MULTI_DROPPED, 
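Review bot: folding `ks->authenticated == KS_AUTH_TRUE` into the `if` is the right fix for the deauthenticated-but-still-S_GENERATED_KEYS case, but it turns a loud ASSERT into a silent non-match: a data packet whose `key_id` and remote address match a key state that management has just deauthenticated now fails this condition with no diagnostic at this point, whereas the neighbouring `!ks->crypto_options.key_ctx_bi.initialized` case still gets a `msg(D_MULTI_DROPPED, ...)`. Consider logging that case at D_MULTI_DROPPED as well (or a comment stating where such packets end up), so traffic that keeps arriving from a kicked client stays visible to operators.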
@@ -3861,9 +3861,8 @@ struct key_state *tls_select_encryption_key(struct tls_multi *multi) for (int i = 0; i < KEY_SCAN_SIZE; ++i) { struct key_state *ks = get_key_scan(multi, i); - if (ks->state >= S_GENERATED_KEYS) + if (ks->state >= S_GENERATED_KEYS && ks->authenticated == KS_AUTH_TRUE) { - ASSERT(ks->authenticated == KS_AUTH_TRUE); ASSERT(ks->crypto_options.key_ctx_bi.initialized); if (!ks_select) From patchwork Tue Dec 7 06:01:55 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2126 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director9.mail.ord1d.rsapps.net ([172.31.255.6]) by backend41.mail.ord1d.rsapps.net with LMTP id uM+AAc2Tr2EHUwAAqwncew (envelope-from ) for ; Tue, 07 Dec 2021 12:03:09 -0500 Received: from proxy12.mail.iad3b.rsapps.net ([172.31.255.6]) by director9.mail.ord1d.rsapps.net with LMTP id OL2bHs2Tr2HWYAAAalYnBA (envelope-from ) for ; Tue, 07 Dec 2021 12:03:09 -0500 Received: from smtp38.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy12.mail.iad3b.rsapps.net with LMTPS id EAC7Fs2Tr2FyWAAAEsW3lA (envelope-from ) for ; Tue, 07 Dec 2021 12:03:09 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp38.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 8ce46c08-577f-11ec-8d84-5254006f0979-1-1 Received: from [216.105.38.7] ([216.105.38.7:46990] helo=lists.sourceforge.net) by 
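Review bot: the predicate `ks->state >= S_GENERATED_KEYS && ks->authenticated == KS_AUTH_TRUE` now appears twice in ssl.c (here and in handle_data_channel_packet); a small static inline, say `ks_is_usable(ks)` (name only a suggestion), would keep the two "this key may carry data" checks from drifting apart, which matters because a later change to only one of them would again let a deauthenticated key be selected or accepted. Keeping `ASSERT(ks->crypto_options.key_ctx_bi.initialized)` inside the narrowed branch is fine.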
sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1mudrD-0006Mp-JF for openvpn-devel@lists.sourceforge.net; Tue, 07 Dec 2021 17:02:24 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from ) id 1mudr1-000Idq-Kp for openvpn-devel@lists.sourceforge.net; Tue, 07 Dec 2021 18:02:11 +0100 Received: (nullmailer pid 3275900 invoked by uid 10006); Tue, 07 Dec 2021 17:02:12 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Tue, 7 Dec 2021 18:01:55 +0100 Message-Id: <20211207170211.3275837-6-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211207170211.3275837-1-arne@rfc2549.org> References: <20211207170211.3275837-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Signed-off-by: Arne Schwabe --- src/openvpn/mtu.h | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index 72a9e515b..c1148c317 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h 
@@ -28,7 +28,7 @@ Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 SPF_NONE SPF: sender does not publish an SPF Record X-Headers-End: 1mudrD-0006Mp-JF Subject: [Openvpn-devel] [PATCH 05/21] Document frame related function and variables a bit more X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld --- src/openvpn/mtu.h | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index 72a9e515b..c1148c317 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -28,7 +28,7 @@ /* * - * Packet maninipulation routes such as encrypt, decrypt, compress, decompress + * Packet manipulation routes such as encrypt, decrypt, compress, decompress * are passed a frame buffer that looks like this: * * [extra_frame bytes] [mtu bytes] [extra_frame_bytes] [compression overflow bytes] @@ -117,7 +117,12 @@ struct frame { int extra_tun; /**< Maximum number of bytes in excess of * the tun/tap MTU that might be read * from or written to the virtual - * tun/tap network interface. */ + * tun/tap network interface. + * + * Only set with the option --tun-mtu-extra + * which defaults to 0 for tun and 32 + * (\c TAP_MTU_EXTRA_DEFAULT) for tap. + * */ int extra_link; /**< Maximum number of bytes in excess of * external network interface's MTU that 
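Review bot: in the extra_tun Doxygen block the closing line `+ * */` carries a stray leading asterisk; a plain ` */`, as the surrounding blocks use, is what was meant. Since the first hunk already touches the "Packet maninipulation routes" line, it could fix "routes" to "routines" in the same stroke.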
@@ -177,11 +182,22 @@ struct options; * Control buffer headroom allocations to allow for efficient prepending. */ #define FRAME_HEADROOM_BASE(f) (TUN_LINK_DELTA(f) + (f)->extra_buffer + (f)->extra_link) +/* Same as FRAME_HEADROOM_BASE but rounded up to next multiple of PAYLOAD_ALIGN */ #define FRAME_HEADROOM(f) frame_headroom(f) /* * Max size of a buffer used to build a packet for output to * the TCP/UDP port. + * + * the FRAME_HEADROOM_BASE(f) * 2 should not be necessary but it looks that at + * some point in the past we seem to have lost the information what parts of + * the extra space we need to have before the data and which we need after + * the data. So we ensure we have the FRAME_HEADROOM before and after the + * actual data. + * + * Most of our code only prepends headers but compression needs the extra bytes + * *after* the data as compressed data might end up larger than the original + * data (and max compression overhead is part of extra_buffer) */ #define BUF_SIZE(f) (TUN_MTU_SIZE(f) + FRAME_HEADROOM_BASE(f) * 2) 
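Review bot: the new comment above BUF_SIZE doubles its hedge ("it looks that at some point in the past we seem to have lost") and starts with a lowercase "the"; suggested wording: "The FRAME_HEADROOM_BASE(f) * 2 should not be necessary, but at some point in the past we lost track of which parts of the extra space are needed before the data and which after it, so we reserve FRAME_HEADROOM_BASE on both sides." The sentence that compression may grow the data and therefore needs the room *after* the payload is the one a future reader tempted to shrink this allocation must see; keep it.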
@@ -246,6 +262,8 @@ static inline int frame_headroom(const struct frame *f) { const int offset = FRAME_HEADROOM_BASE(f); + /* These two lines just pad offset to next multiple of PAYLOAD_ALIGN in + * a complicated and confusing way */ const int delta = ((PAYLOAD_ALIGN << 24) - offset) & (PAYLOAD_ALIGN - 1); return offset + delta; } From patchwork Tue Dec 7 06:01:56 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2124 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.31.255.6]) by backend41.mail.ord1d.rsapps.net with LMTP id InANOcuTr2EHUwAAqwncew (envelope-from ) for ; Tue, 07 Dec 2021 12:03:07 -0500 Received: from proxy11.mail.iad3b.rsapps.net ([172.31.255.6]) by director11.mail.ord1d.rsapps.net with LMTP id qC8TGsyTr2GydgAAvGGmqA (envelope-from ) for ; Tue, 07 Dec 2021 12:03:08 -0500 Received: from smtp33.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy11.mail.iad3b.rsapps.net with LMTPS id AKEFE8yTr2HPbwAARNREpw (envelope-from ) for ; Tue, 07 Dec 2021 12:03:08 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp33.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 8b99738e-577f-11ec-ab03-525400fb5834-1-1 Received: from [216.105.38.7] ([216.105.38.7:46948] helo=lists.sourceforge.net) by smtp33.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 
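Review bot: the added comment in frame_headroom says the two lines are "complicated and confusing" without saying what they compute, which leaves the next reader no better off. Spell it out: with PAYLOAD_ALIGN a power of two (which the `& (PAYLOAD_ALIGN - 1)` mask already requires), `((PAYLOAD_ALIGN << 24) - offset) & (PAYLOAD_ALIGN - 1)` equals `(-offset) & (PAYLOAD_ALIGN - 1)`, i.e. the number of bytes needed to round `offset` up to the next multiple of PAYLOAD_ALIGN; the `PAYLOAD_ALIGN << 24` term only keeps the subtraction non-negative for any realistic offset.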
(Exim 4.92.3) id 1mudr8-007aKB-N6 for openvpn-devel@lists.sourceforge.net; Tue, 07 Dec 2021 17:02:20 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from ) id 1mudr1-000Idt-OD for openvpn-devel@lists.sourceforge.net; Tue, 07 Dec 2021 18:02:11 +0100 Received: (nullmailer pid 3275903 invoked by uid 10006); Tue, 07 Dec 2021 17:02:12 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Tue, 7 Dec 2021 18:01:56 +0100 Message-Id: <20211207170211.3275837-7-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211207170211.3275837-1-arne@rfc2549.org> References: <20211207170211.3275837-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: This code is probably from a time when we could not set the MTU on the Windows tap6 driver. Nowadays we can set the MTU on this device, so this code is a noop now. 
Signed-off-by: Arne Schwabe --- src/openvpn/init.c | 10 src/openvpn/ssl.c | 2 +- src/openvpn/tun.c | 1 - src/openvpn/tun.h | 4 ---- 4 files changed, 1 insertion(+), 16 de [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 SPF_NONE SPF: sender does not publish an SPF Record X-Headers-End: 1mudr8-007aKB-N6 Subject: [Openvpn-devel] [PATCH 06/21] Remove post_open_mtu code X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox This code is probably from a time when we could not set the MTU on the Windows tap6 driver. Nowadays we can set the MTU on this device, so this code is a noop now. Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/init.c | 10 ---------- src/openvpn/ssl.c | 2 +- src/openvpn/tun.c | 1 - src/openvpn/tun.h | 4 ---- 4 files changed, 1 insertion(+), 16 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 0009bcb72..85d664ad6 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -1809,16 +1809,6 @@ do_open_tun(struct context *c) c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx); } - /* - * Did tun/tap driver give us an MTU? - */ - if (c->c1.tuntap->post_open_mtu) - { - frame_set_mtu_dynamic(&c->c2.frame, - c->c1.tuntap->post_open_mtu, - SET_MTU_TUN | SET_MTU_UPPER_BOUND); - } - ret = true; static_context = c; #ifndef TARGET_ANDROID diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 8cbb129d2..303e3fe8f 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c 
@@ -1897,7 +1897,7 @@ tls_session_update_crypto_params_do_work(struct tls_session *session, frame_print(frame, D_MTU_INFO, "Data Channel MTU parms"); /* - * mssfix uses data channel framing, which at this point contains + * mssfix uses data channel framing, which at this poipnt contains * actual overhead. Fragmentation logic uses frame_fragment, which * still contains worst case overhead. Replace it with actual overhead * to prevent unneeded fragmentation. diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 75d5eaf7b..12bdd2005 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -6071,7 +6071,6 @@ tuntap_get_mtu(struct tuntap *tt) &mtu, sizeof(mtu), &mtu, sizeof(mtu), &len, NULL)) { - tt->post_open_mtu = (int)mtu; msg(D_MTU_INFO, "TAP-Windows MTU=%d", (int)mtu); } } diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h index aa1e47b5a..d4657537c 100644 --- a/src/openvpn/tun.h +++ b/src/openvpn/tun.h 
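Review bot: the ssl.c hunk replaces the correct "at this point contains" with "at this poipnt contains", i.e. it introduces a typo into a comment, and the change is unrelated to the post_open_mtu removal this patch is about; drop the `-`/`+` pair below `frame_print(frame, D_MTU_INFO, "Data Channel MTU parms");` before merging.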
@@ -214,10 +214,6 @@ struct tuntap #endif /* used for printing status info only */ unsigned int rwflags_debug; - - /* Some TUN/TAP drivers like to be ioctled for mtu - * after open */ - int post_open_mtu; }; static inline bool From patchwork Tue Dec 7 06:01:57 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2136 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director10.mail.ord1d.rsapps.net ([172.31.255.6]) by backend41.mail.ord1d.rsapps.net with LMTP id CNhyDNOTr2FBUwAAqwncew (envelope-from ) for ; Tue, 07 Dec 2021 12:03:15 -0500 Received: from proxy18.mail.iad3b.rsapps.net ([172.31.255.6]) by director10.mail.ord1d.rsapps.net with LMTP id qDCeKdOTr2FVbAAApN4f7A (envelope-from ) for ; Tue, 07 Dec 2021 12:03:15 -0500 Received: from smtp29.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy18.mail.iad3b.rsapps.net with LMTPS id wB9iItOTr2FwaQAA3NpJmQ (envelope-from ) for ; Tue, 07 Dec 2021 12:03:15 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp29.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 90e4f8a4-577f-11ec-941d-525400534f55-1-1 Received: from [216.105.38.7] ([216.105.38.7:60516] helo=lists.sourceforge.net) by smtp29.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 6B/ED-08843-3D39FA16; Tue, 07 Dec 2021 12:03:15 -0500 
Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from ) id 1mudr1-000Idw-Qd for openvpn-devel@lists.sourceforge.net; Tue, 07 Dec 2021 18:02:11 +0100 Received: (nullmailer pid 3275906 invoked by uid 10006); Tue, 07 Dec 2021 17:02:12 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Tue, 7 Dec 2021 18:01:57 +0100 Message-Id: <20211207170211.3275837-8-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211207170211.3275837-1-arne@rfc2549.org> References: <20211207170211.3275837-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: These functions are intended to lay the groundwork to later replace the distributed frame calculations and centralise the calculation in one place. 
Signed-off-by: Arne Schwabe --- src/openvpn/crypto.c | 55 ++++++++++++++++++++++++++++++ src/openvpn/crypto.h | 18 ++++++++++ src/openvpn/mtu.c | 80 ++++++++++++++++++++++++++++++++ [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 SPF_NONE SPF: sender does not publish an SPF Record X-Headers-End: 1mudrD-0006Mq-H9 Subject: [Openvpn-devel] [PATCH 07/21] Add helper functions to calculate header/payload sizes X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox These functions are intended to lay the groundwork to later replace the distributed frame calculations and centralise the calculation in one place. Signed-off-by: Arne Schwabe --- src/openvpn/crypto.c | 55 ++++++++++++++++++++++++++++++ src/openvpn/crypto.h | 18 ++++++++++ src/openvpn/mtu.c | 80 ++++++++++++++++++++++++++++++++++++++++++++ src/openvpn/mtu.h | 54 ++++++++++++++++++++++++++++++ 4 files changed, 207 insertions(+) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index cd791ab8a..249c4212d 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c 
@@ -667,6 +667,61 @@ openvpn_decrypt(struct buffer *buf, struct buffer work, return ret; } +unsigned int +calculate_crypto_overhead(const struct key_type *kt, + bool packet_id, + bool packet_id_long_form, + unsigned int payload_size, + bool occ) +{ + unsigned int crypto_overhead = 0; + + /* No encryption */ + if (packet_id) + { + crypto_overhead += packet_id_size(packet_id_long_form); + } + + if (cipher_kt_mode_aead(kt->cipher)) + { + /* For AEAD ciphers, we basically use a stream cipher/CTR for + * the encryption, so no overhead apart from the extra bytes + * we add */ + crypto_overhead += cipher_kt_tag_size(kt->cipher); + + if (occ) + { + /* the frame calculation of old clients adds these to the link-mtu + * even though they are not part of the actual packet */ + crypto_overhead += cipher_kt_iv_size(kt->cipher); + crypto_overhead += cipher_kt_block_size(kt->cipher); + } + } + else + { + if (cipher_defined(kt->cipher)) + { + /* CBC, OFB or CFB mode */ + /* This is a worst case upper bound of needing to add + * a full extra block for padding when the payload + * is exactly a multiple of the block size */ + if (occ || (cipher_kt_mode_cbc(kt->cipher) && + (payload_size % cipher_kt_block_size(kt->cipher) == 0))) + { + crypto_overhead += cipher_kt_block_size(kt->cipher); + } + /* IV is always added (no-iv has been removed a while ago) */ + crypto_overhead += cipher_kt_iv_size(kt->cipher); + } + if (md_defined(kt->digest)) + { + crypto_overhead += md_kt_size(kt->digest); + } + } + + return crypto_overhead; +} + void crypto_adjust_frame_parameters(struct frame *frame, const struct key_type *kt, diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index ad3543c1c..5a67b7ac1 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h 
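Review bot: the CBC branch adds a padding block only when `payload_size % cipher_kt_block_size(kt->cipher) == 0`, but block padding adds `block - payload_size % block` bytes for every payload length (a full block exactly when it is already aligned), so for unaligned payloads the function returns an overhead that is too small by that amount; either compute `block - payload_size % block`, or, if this is meant as the "worst case upper bound" the comment announces, add the full block unconditionally for CBC. Also, the `/* No encryption */` comment sits above the `if (packet_id)` block, which is about the replay packet id, not about encryption being absent; move or reword it.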
@@ -415,6 +415,24 @@ void crypto_adjust_frame_parameters(struct frame *frame, bool packet_id, bool packet_id_long_form); +/** Calculate the maximum overhead that our encryption has + * on a packet. This does not include needed additional buffer size + * + * @param kt Struct with the crypto algorithm to use + * @param packet_id Whether packet_id is used + * @param packet_id_long_form Whether the packet id has the long form + * @param payload_size payload size, only used if occ is false + * @param occ if true calculates the overhead for crypto in the same + * incorrect way as all previous OpenVPN versions did, to + * end up with identical numbers for OCC compatibility + */ +unsigned int +calculate_crypto_overhead(const struct key_type *kt, + bool packet_id, + bool packet_id_long_form, + unsigned int payload_size, + bool occ); + /** Return the worst-case OpenVPN crypto overhead (in bytes) */ unsigned int crypto_max_overhead(void); diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index 0ab716d7a..25b943722 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c @@ -35,6 +35,7 @@ #include "integer.h" #include "mtu.h" #include "options.h" +#include "crypto.h" #include "memdbg.h" 
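Review bot: the new Doxygen block for calculate_crypto_overhead should state the unit of the return value (bytes) and, for `payload_size`, that it must be the length of what actually enters the cipher (the mtu.c caller's comment says "the real payload including all extra headers that also get encrypted"), since for CBC the result depends on that value's alignment; "only used if occ is false" alone does not tell a caller what to pass.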
@@ -51,6 +52,85 @@ alloc_buf_sock_tun(struct buffer *buf, ASSERT(buf_safe(buf, 0)); } +size_t +frame_calculate_protocol_header_size(const struct key_type *kt, + const struct options *options, + unsigned int payload_size, + bool occ) +{ + /* Sum of all the overhead that reduces the usable packet size */ + size_t header_size = 0; + + /* A socks proxy adds 10 byte of extra header to each packet */ + if (options->ce.socks_proxy_server && proto_is_udp(options->ce.proto)) + { + header_size += 10; + } + + /* TCP stream based packets have a 16 bit length field */ + if (proto_is_tcp(options->ce.proto)) + { + header_size += 2; + } + + /* Add the opcode and peerid */ + header_size += options->use_peer_id ? 4 : 1; + + /* Add the crypto overhead */ + bool packet_id = options->replay; + bool packet_id_long_form = !tlsmode || cipher_kt_mode_ofb_cfb(kt->cipher); + + /* For figuring out the crypto overhead, we need to use the real payload + * including all extra headers that also get encrypted */ + header_size += calculate_crypto_overhead(kt, packet_id, + packet_id_long_form, + payload_size, occ); + return header_size; +} + + +size_t +frame_calculate_payload_overhead(const struct frame *frame, + const struct options *options, + bool extra_tun) +{ + size_t overhead = 0; + + /* This is the overhead of tap device that is not included in the MTU itself + * i.e. Ethernet header that we still need to transmit as part of the + * payload*/ + if (extra_tun) + { + overhead += frame->extra_tun; + } + +#if defined(USE_COMP) + /* v1 Compression schemes add 1 byte header. V2 only adds a header when it + * does not increase the packet length. 
We ignore the unlikely escaping + * for tap here */ + if (options->comp.alg == COMP_ALG_LZ4 || options->comp.alg == COMP_ALG_STUB + || options->comp.alg == COMP_ALG_LZO) + { + overhead += 1; + } +#endif +#if defined(ENABLE_FRAGMENT) + if (options->ce.fragment) + { + overhead += 4; + } +#endif + return overhead; +} + +size_t +frame_calculate_payload_size(const struct frame *frame, const struct options *options) +{ + size_t payload_size = options->ce.tun_mtu; + payload_size += frame_calculate_payload_overhead(frame, options, true); + return payload_size; +} + void frame_finalize(struct frame *frame, bool link_mtu_defined, diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index c1148c317..5ad0931fd 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h 
@@ -221,6 +221,60 @@ void set_mtu_discover_type(socket_descriptor_t sd, int mtu_type, sa_family_t pro int translate_mtu_discover_type_name(const char *name); +/** + * Calculates the size of the payload according to tun-mtu and tap overhead. + * This also includes compression and fragmentation overhead if they are + * enabled. + * + * * [IP][UDP][OPENVPN PROTOCOL HEADER][ **PAYLOAD incl compression header** ] + * @param frame + * @param options + * @return + */ +size_t +frame_calculate_payload_size(const struct frame *frame, + const struct options *options); + +/** + * Calculates the size of the payload overhead according to tun-mtu and + * tap overhead. This all the overhead that is considered part of the payload + * itself. The compression and fragmentation header and extra header from tap + * are considered part of this overhead that increases the payload larger than + * tun-mtu. + * + * * [IP][UDP][OPENVPN PROTOCOL HEADER][ **PAYLOAD incl compression header** ] + * @param frame + * @param options + * @param extra_tun + * @return + */ +size_t +frame_calculate_payload_overhead(const struct frame *frame, + const struct options *options, + bool extra_tun); + +/* forward declaration of key_type */ +struct key_type; + +/** + * Calculates the size of the OpenVPN protocol header. 
This includes + * the crypto IV/tag/HMAC but does not include the IP encapsulation + * + * + * [IP][UDP][ **OPENVPN PROTOCOL HEADER**][PAYLOAD incl compression header] + * + * @param kt the key_type to use to calculate the crypto overhead + * @param options the options struct to be used to calculate + * @param payload_size the payload size, ignored if occ is true + * @param occ if the calculation should be done for occ compatibility + * @return size of the overhead in bytes + */ +size_t +frame_calculate_protocol_header_size(const struct key_type *kt, + const struct options *options, + unsigned int payload_size, + bool occ); + /* * frame_set_mtu_dynamic and flags */

From patchwork Tue Dec 7 06:01:58 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2123
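Review bot: `tlsmode` is used but never declared in the preceding patch's mtu.c hunk that adds frame_calculate_protocol_header_size (`bool packet_id_long_form = !tlsmode || cipher_kt_mode_ofb_cfb(kt->cipher);`), so that commit does not compile on its own; the declaration `bool tlsmode = options->tls_server || options->tls_client;` only arrives in PATCH 09/21 ("Rework occ link-mtu calculation"). Move the declaration into the patch that first uses it so every step of the series builds and stays bisectable. In the same function, the unconditional `header_size += options->use_peer_id ? 4 : 1;` counts an opcode byte in static-key mode as well, which has no opcode header; PATCH 09/21 wraps it in `if (tlsmode)`, and that guard belongs here too.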
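Review bot: the doxygen blocks for frame_calculate_payload_size and frame_calculate_payload_overhead in the mtu.h hunk carry empty `@param frame`, `@param options`, `@param extra_tun` and `@return` tags; either describe them, as the frame_calculate_protocol_header_size block right below does, or drop them, since empty tags only produce doxygen warnings. The second block also reads "This all the overhead that is considered part of the payload itself" (missing "is") and "increases the payload larger than tun-mtu" (suggest "makes the payload larger than tun-mtu").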
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Dec 2021 18:01:58 +0100
Message-Id: <20211207170211.3275837-9-arne@rfc2549.org>
In-Reply-To: <20211207170211.3275837-1-arne@rfc2549.org>
References: <20211207170211.3275837-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 08/21] Decouple MSS fix calculation from frame calculation

This consolidates the MSS fix calculation into a single function instead of having it distributed all over the code. It also calculates the real wire overhead without extra sizes for buffer etc.

Signed-off-by: Arne Schwabe
---
 src/openvpn/forward.c |  5 ++---
 src/openvpn/init.c    |  3 ++-
 src/openvpn/mss.c     | 40 ++++++++++++++++++++++++++++++++++++++++
 src/openvpn/mss.h     |  6 ++++++
 src/openvpn/mtu.c     |  9 ---------
 src/openvpn/mtu.h     | 10 ++++++----
 src/openvpn/proto.h   | 11 -----------
 src/openvpn/ssl.c     |  3 ++-
 8 files changed, 58 insertions(+), 29 deletions(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 29efcd3b9..f82386a1d 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1493,7 +1493,7 @@ process_ip_header(struct context *c, unsigned int flags, struct buffer *buf) /* possibly alter the TCP MSS */ if (flags & PIP_MSSFIX) { - mss_fixup_ipv4(&ipbuf, MTU_TO_MSS(TUN_MTU_SIZE_DYNAMIC(&c->c2.frame))); + mss_fixup_ipv4(&ipbuf, c->c2.frame.mss_fix); } /* possibly do NAT on packet */
@@ -1517,8 +1517,7 @@ process_ip_header(struct context *c, unsigned int flags, struct buffer *buf) /* possibly alter the TCP MSS */ if (flags & PIP_MSSFIX) { - mss_fixup_ipv6(&ipbuf, - MTU_TO_MSS(TUN_MTU_SIZE_DYNAMIC(&c->c2.frame))); + mss_fixup_ipv6(&ipbuf, c->c2.frame.mss_fix); } if (!(flags & PIP_OUTGOING) && (flags &(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER))) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 85d664ad6..b22ce60af 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -53,6 +53,7 @@ #include "tls_crypt.h" #include "forward.h" #include "auth_token.h" +#include "mss.h" #include "memdbg.h" @@ -4156,7 +4157,7 @@ init_instance(struct context *c, const struct env_set *env, const unsigned int f #endif /* initialize dynamic MTU variable */ - frame_init_mssfix(&c->c2.frame, &c->options); + frame_calculate_mssfix(&c->c2.frame, &c->c1.ks.key_type, &c->options); /* bind the TCP/UDP socket */ if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c index aa5b68ce9..56dea0292 100644 --- a/src/openvpn/mss.c +++ b/src/openvpn/mss.c @@ -30,6 +30,8 @@ #include "syshead.h" #include "error.h" #include "mss.h" +#include "crypto.h" +#include "ssl_common.h" #include "memdbg.h" /* 
@@ -204,3 +206,41 @@ mss_fixup_dowork(struct buffer *buf, uint16_t maxmss) } } } + +void +frame_calculate_mssfix(struct frame *frame, struct key_type *kt, + const struct options *options) +{ + if (options->ce.mssfix == 0) + { + return; + } + + unsigned int payload_size; + unsigned int overhead; + + + payload_size = frame_calculate_payload_size(frame, options); + + overhead = frame_calculate_protocol_header_size(kt, options, + payload_size, false); + + /* Calculate the number of bytes that the payload differs from the payload + * MTU. This are fragment/compression/ethernet headers */ + unsigned payload_overhead = frame_calculate_payload_overhead(frame, options, true); + + /* We are in a "liberal" position with respect to MSS, + * i.e. we assume that MSS can be calculated from MTU + * by subtracting out only the IP and TCP header sizes + * without options. + * + * (RFC 879, section 7). */ + + /* Add 20 bytes for the IPv4 header and TCP header of the payload, + * the mssfix routes will add 20 extra if payload is IPv6 */ + overhead += 20 + 20; + + /* Calculate the maximum MSS value from the max link layer size specified + * by ce.mssfix */ + frame->mss_fix = options->ce.mssfix - overhead - payload_overhead; +} \ No newline at end of file diff --git a/src/openvpn/mss.h b/src/openvpn/mss.h index 41254e2a6..856f4c4e3 100644 --- a/src/openvpn/mss.h +++ b/src/openvpn/mss.h @@ -26,6 +26,8 @@ #include "proto.h" #include "error.h" +#include "mtu.h" +#include "ssl_common.h" void mss_fixup_ipv4(struct buffer *buf, int maxmss); @@ -33,4 +35,8 @@ void mss_fixup_ipv6(struct buffer *buf, int maxmss); void mss_fixup_dowork(struct buffer *buf, uint16_t maxmss); +/** Set the --mssfix option. */ +void frame_calculate_mssfix(struct frame *frame, struct key_type *kt, + const struct options *options); + #endif diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index 25b943722..e7ff477cd 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c 
@@ -205,15 +205,6 @@ frame_subtract_extra(struct frame *frame, const struct frame *src) frame->extra_tun += src->extra_frame; } -void -frame_init_mssfix(struct frame *frame, const struct options *options) -{ - if (options->ce.mssfix) - { - frame_set_mtu_dynamic(frame, options->ce.mssfix, SET_MTU_UPPER_BOUND); - } -} - void frame_print(const struct frame *frame, int level, diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index 5ad0931fd..ae83d3e7a 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -94,6 +94,12 @@ struct frame { int link_mtu; /**< Maximum packet size to be sent over * the external network interface. */ + unsigned int mss_fix; /**< The actual MSS value that should be + * written to the payload packets. This + * is the value for IPv4 TCP packets. For + * IPv6 packets another 20 bytes must + * be subtracted */ + int link_mtu_dynamic; /**< Dynamic MTU value for the external * network interface. */ @@ -152,7 +158,6 @@ struct options; * This is the size to "ifconfig" the tun or tap device. */ #define TUN_MTU_SIZE(f) ((f)->link_mtu - TUN_LINK_DELTA(f)) -#define TUN_MTU_SIZE_DYNAMIC(f) ((f)->link_mtu_dynamic - TUN_LINK_DELTA(f)) /* * This is the maximum packet size that we need to be able to @@ -291,9 +296,6 @@ void alloc_buf_sock_tun(struct buffer *buf, const struct frame *frame, const bool tuntap_buffer); -/** Set the --mssfix option. */ -void frame_init_mssfix(struct frame *frame, const struct options *options); - /* * EXTENDED_SOCKET_ERROR_CAPABILITY functions -- print extra error info * on socket errors, such as PMTU size. As of 2003.05.11, only works diff --git a/src/openvpn/proto.h b/src/openvpn/proto.h index f73e50c07..94010a98f 100644 --- a/src/openvpn/proto.h +++ b/src/openvpn/proto.h 
@@ -247,17 +247,6 @@ struct ip_tcp_udp_hdr { acc -= (u32) >> 16; \ } -/* - * We are in a "liberal" position with respect to MSS, - * i.e. we assume that MSS can be calculated from MTU - * by subtracting out only the IP and TCP header sizes - * without options. - * - * (RFC 879, section 7). - */ -#define MTU_TO_MSS(mtu) (mtu - sizeof(struct openvpn_iphdr) \ - - sizeof(struct openvpn_tcphdr)) - /* * This returns an ip protocol version of packet inside tun * and offset of IP header (via parameter). diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 303e3fe8f..608b30110 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -62,6 +62,7 @@ #include "ssl_ncp.h" #include "ssl_util.h" #include "auth_token.h" +#include "mss.h" #include "memdbg.h" 
@@ -1893,7 +1894,7 @@ tls_session_update_crypto_params_do_work(struct tls_session *session, options->replay, packet_id_long_form); frame_finalize(frame, options->ce.link_mtu_defined, options->ce.link_mtu, options->ce.tun_mtu_defined, options->ce.tun_mtu); - frame_init_mssfix(frame, options); + frame_calculate_mssfix(frame, &session->opt->key_type, options); frame_print(frame, D_MTU_INFO, "Data Channel MTU parms"); /*

From patchwork Tue Dec 7 06:01:59 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2140
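Review bot: `frame->mss_fix = options->ce.mssfix - overhead - payload_overhead;` in the new mss.c frame_calculate_mssfix (PATCH 08/21) has no lower bound: mss_fix is `unsigned int`, so a --mssfix value smaller than the computed overhead wraps to a huge MSS instead of being rejected or clamped. Check `options->ce.mssfix > overhead + payload_overhead` (or clamp to a sane minimum) before assigning and log the rejected value. Smaller points in the same hunk: `struct key_type *kt` can be `const` since it is only handed to frame_calculate_protocol_header_size, "the mssfix routes will add 20 extra" should read "routines", and the file loses its trailing newline (`\ No newline at end of file`).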
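Review bot: the comment `/** Set the --mssfix option. */` added above frame_calculate_mssfix in the mss.h hunk of PATCH 08/21 was carried over from the removed frame_init_mssfix and no longer describes the function; say that it computes frame->mss_fix from --mssfix minus the protocol header and payload overhead. The new `#include "ssl_common.h"` in mss.h also pulls a large header into every includer just for `struct key_type`; a forward declaration `struct key_type;`, as mtu.h already does, is enough.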
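Review bot: the new `unsigned int mss_fix` field in struct frame (mtu.h hunk of PATCH 08/21) is passed to `mss_fixup_ipv4(struct buffer *buf, int maxmss)` and `mss_fixup_ipv6(struct buffer *buf, int maxmss)` in forward.c, so both call sites convert unsigned to signed implicitly, and mss_fixup_dowork then narrows again to `uint16_t maxmss`. Use one type along the whole path (uint16_t is what ends up on the wire) so an out-of-range value is caught where it is computed rather than truncated silently.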
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Dec 2021 18:01:59 +0100
Message-Id: <20211207170211.3275837-10-arne@rfc2549.org>
In-Reply-To: <20211207170211.3275837-1-arne@rfc2549.org>
References: <20211207170211.3275837-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 09/21] Rework occ link-mtu calculation

Use the functions that directly compute the link mtu instead of relying on the frame logic.

Signed-off-by: Arne Schwabe
---
 src/openvpn/mtu.c                      |  50 +++++++++-
 src/openvpn/mtu.h                      |  11 +++
 src/openvpn/options.c                  |  51 ----------
 tests/unit_tests/openvpn/Makefile.am   |   6 +-
 tests/unit_tests/openvpn/test_crypto.c | 128 ++++++++++++++++++++++++-
 tests/unit_tests/openvpn/test_misc.c   |   1 +
 6 files changed, 192 insertions(+), 55 deletions(-)

diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index e7ff477cd..c7f69bb2a 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c @@ -61,6 +61,8 @@ frame_calculate_protocol_header_size(const struct key_type *kt, /* Sum of all the overhead that reduces the usable packet size */ size_t header_size = 0; + bool tlsmode = options->tls_server || options->tls_client; + /* A socks proxy adds 10 byte of extra header to each packet */ if (options->ce.socks_proxy_server && proto_is_udp(options->ce.proto)) {
@@ -74,7 +76,10 @@ frame_calculate_protocol_header_size(const struct key_type *kt, } /* Add the opcode and peerid */ - header_size += options->use_peer_id ? 4 : 1; + if (tlsmode) + { + header_size += options->use_peer_id ? 4 : 1; + } /* Add the crypto overhead */ bool packet_id = options->replay; @@ -131,6 +136,49 @@ frame_calculate_payload_size(const struct frame *frame, const struct options *op return payload_size; } +size_t +calc_options_string_link_mtu(const struct options *o, const struct frame *frame) +{ + unsigned int payload = frame_calculate_payload_size(frame, o); + + /* neither --secret nor TLS mode */ + if (!o->tls_client && !o->tls_server && !o->shared_secret_file) + { + return payload; + } + + struct key_type occ_kt; + + /* o->ciphername might be BF-CBC even though the underlying SSL library + * does not support it. For this reason we workaround this corner case + * by pretending to have no encryption enabled and by manually adding + * the required packet overhead to the MTU computation. + */ + const char* ciphername = o->ciphername; + + unsigned int overhead = 0; + + if (strcmp(o->ciphername, "BF-CBC") == 0) + { + /* none has no overhead, so use this to later add only --auth + * overhead */ + + /* overhead of BF-CBC: 64 bit block size, 64 bit IV size */ + overhead += 64/8 + 64/8; + /* set ciphername to none, so its size does get added in the + * fake_kt and the cipher is not tried to be resolved */ + ciphername = "none"; + } + + /* We pass tlsmode always true here since as we do not need to check if + * the ciphers are actually valid for non tls in occ calucation */ + init_key_type(&occ_kt, ciphername, o->authname, true, false); + + overhead += frame_calculate_protocol_header_size(&occ_kt, o, 0, true); + + return payload + overhead; +} + void frame_finalize(struct frame *frame, bool link_mtu_defined, diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index ae83d3e7a..f60138607 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h 
@@ -280,6 +280,17 @@ frame_calculate_protocol_header_size(const struct key_type *kt, unsigned int payload_size, bool occ); +/** + * Calculate the link-mtu to advertise to our peer. The actual value is not + * relevant, because we will possibly perform data channel cipher negotiation + * after this, but older clients will log warnings if we do not supply them the + * value they expect. This assumes that the traditional cipher/auth directives + * in the config match the config of the peer. + */ +size_t +calc_options_string_link_mtu(const struct options *options, + const struct frame *frame); + /* * frame_set_mtu_dynamic and flags */ diff --git a/src/openvpn/options.c b/src/openvpn/options.c index c1663b264..441855c7d 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -3764,57 +3764,6 @@ pre_connect_restore(struct options *o, struct gc_arena *gc) o->data_channel_crypto_flags = 0; } -/** - * Calculate the link-mtu to advertise to our peer. The actual value is not - * relevant, because we will possibly perform data channel cipher negotiation - * after this, but older clients will log warnings if we do not supply them the - * value they expect. This assumes that the traditional cipher/auth directives - * in the config match the config of the peer. - */ -static size_t -calc_options_string_link_mtu(const struct options *o, const struct frame *frame) -{ - size_t link_mtu = EXPANDED_SIZE(frame); - - if (o->pull || o->mode == MODE_SERVER) - { - struct frame fake_frame = *frame; - struct key_type fake_kt; - - frame_remove_from_extra_frame(&fake_frame, crypto_max_overhead()); - - - /* o->ciphername might be BF-CBC even though the underlying SSL library - * does not support it. For this reason we workaround this corner case - * by pretending to have no encryption enabled and by manually adding - * the required packet overhead to the MTU computation. 
- */ - const char* ciphername = o->ciphername; - - if (strcmp(o->ciphername, "BF-CBC") == 0) - { - /* none has no overhead, so use this to later add only --auth - * overhead */ - - /* overhead of BF-CBC: 64 bit block size, 64 bit IV size */ - frame_add_to_extra_frame(&fake_frame, 64/8 + 64/8); - /* set ciphername to none, so its size does get added in the - * fake_kt and the cipher is not tried to be resolved */ - ciphername = "none"; - } - - init_key_type(&fake_kt, ciphername, o->authname, true, false); - - crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->replay, - cipher_kt_mode_ofb_cfb(fake_kt.cipher)); - frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu, - o->ce.tun_mtu_defined, o->ce.tun_mtu); - msg(D_MTU_DEBUG, "%s: link-mtu %u -> %d", __func__, (unsigned int) link_mtu, - EXPANDED_SIZE(&fake_frame)); - link_mtu = EXPANDED_SIZE(&fake_frame); - } - return link_mtu; -} /* * Build an options string to represent data channel encryption options. * This string must match exactly between peers. The keysize is checked diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index 44b77cc5d..f681b353c 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -46,7 +46,9 @@ crypto_testdriver_SOURCES = test_crypto.c mock_msg.c mock_msg.h \ $(openvpn_srcdir)/crypto_openssl.c \ $(openvpn_srcdir)/otime.c \ $(openvpn_srcdir)/packet_id.c \ - $(openvpn_srcdir)/platform.c + $(openvpn_srcdir)/platform.c \ + $(openvpn_srcdir)/mtu.c \ + $(openvpn_srcdir)/mss.c packet_id_testdriver_CFLAGS = @TEST_CFLAGS@ \ -I$(openvpn_includedir) -I$(compat_srcdir) -I$(openvpn_srcdir) @@ -137,4 +139,4 @@ misc_testdriver_SOURCES = test_misc.c mock_msg.c \ mock_get_random.c \ $(openvpn_srcdir)/buffer.c \ $(openvpn_srcdir)/ssl_util.c \ - $(openvpn_srcdir)/platform.c \ No newline at end of file + $(openvpn_srcdir)/platform.c 
diff --git a/tests/unit_tests/openvpn/test_crypto.c b/tests/unit_tests/openvpn/test_crypto.c index 51672f9b2..19ce174ea 100644 --- a/tests/unit_tests/openvpn/test_crypto.c +++ b/tests/unit_tests/openvpn/test_crypto.c @@ -37,6 +37,7 @@ #include #include "crypto.h" +#include "options.h" #include "ssl_backend.h" #include "mock_msg.h" 
@@ -234,6 +235,130 @@ test_des_encrypt(void **state) free(src2); } +/* This test is in test_crypto as it calls into the functions that calculate + * the crypto overhead */ +static void +test_occ_mtu_calculation(void **state) +{ + struct gc_arena gc = gc_new(); + + struct frame f = { 0 }; + struct options o = { 0 }; + size_t linkmtu; + + /* common defaults */ + o.ce.tun_mtu = 1400; + o.replay = true; + o.ce.proto = PROTO_UDP; + + /* No crypto at all */ + o.ciphername = "none"; + o.authname = "none"; + linkmtu = calc_options_string_link_mtu(&o, &f); + assert_int_equal(linkmtu, 1400); + + /* Static key OCC examples */ + o.shared_secret_file = "not null"; + + /* secret, auth none, cipher none */ + o.ciphername = "none"; + o.authname = "none"; + linkmtu = calc_options_string_link_mtu(&o, &f); + assert_int_equal(linkmtu, 1408); + + /* secret, cipher AES-128-CBC, auth none */ + o.ciphername = "AES-128-CBC"; + o.authname = "none"; + linkmtu = calc_options_string_link_mtu(&o, &f); + assert_int_equal(linkmtu, 1440); + + /* secret, cipher none, auth SHA256 */ + o.ciphername = "none"; + o.authname = "SHA256"; + linkmtu = calc_options_string_link_mtu(&o, &f); + assert_int_equal(linkmtu, 1440); + + /* --secret, cipher BF-CBC, auth SHA1 */ + o.ciphername = "BF-CBC"; + o.authname = "SHA1"; + linkmtu = calc_options_string_link_mtu(&o, &f); + assert_int_equal(linkmtu, 1444); + + /* --secret, cipher BF-CBC, auth SHA1, tcp-client */ + o.ce.proto = PROTO_TCP_CLIENT; + linkmtu = calc_options_string_link_mtu(&o, &f); + assert_int_equal(linkmtu, 1446); + + o.ce.proto = PROTO_UDP; + + /* --secret, comp-lzo yes, cipher BF-CBC, auth SHA1 */ + o.comp.alg = COMP_ALG_LZO; + linkmtu = calc_options_string_link_mtu(&o, &f); + assert_int_equal(linkmtu, 1445); + + /* --secret, comp-lzo yes, cipher BF-CBC, auth SHA1, fragment 1200 */ + o.ce.fragment = 1200; + linkmtu = calc_options_string_link_mtu(&o, &f); + assert_int_equal(linkmtu, 1449); + + o.comp.alg = COMP_ALG_UNDEF; + o.ce.fragment = 0; + + /* 
TLS mode */ + o.shared_secret_file = NULL; + o.tls_client = true; + o.pull = true; + + /* tls client, cipher AES-128-CBC, auth SHA1, tls-auth*/ + o.authname = "SHA1"; + o.ciphername = "AES-128-CBC"; + o.tls_auth_file = "dummy"; + + linkmtu = calc_options_string_link_mtu(&o, &f); + assert_int_equal(linkmtu, 1457); + + /* tls client, cipher AES-128-CBC, auth SHA1 */ + o.tls_auth_file = NULL; + + linkmtu = calc_options_string_link_mtu(&o, &f); + assert_int_equal(linkmtu, 1457); + + /* tls client, cipher none, auth none */ + o.authname = "none"; + o.ciphername = "none"; + + linkmtu = calc_options_string_link_mtu(&o, &f); + assert_int_equal(linkmtu, 1405); + + /* tls client, auth none, cipher none, no-replay */ + o.replay = false; + + linkmtu = calc_options_string_link_mtu(&o, &f); + assert_int_equal(linkmtu, 1401); + + + o.replay = true; + + /* tls client, auth SHA1, cipher AES-256-GCM */ + o.authname = "SHA1"; + o.ciphername = "AES-256-GCM"; + linkmtu = calc_options_string_link_mtu(&o, &f); + assert_int_equal(linkmtu, 1449); + + + /* tls client, auth SHA1, cipher AES-256-GCM, fragment, comp-lzo yes */ + o.comp.alg = COMP_ALG_LZO; + o.ce.fragment = 1200; + linkmtu = calc_options_string_link_mtu(&o, &f); + assert_int_equal(linkmtu, 1454); + + /* tls client, auth SHA1, cipher AES-256-GCM, fragment, comp-lzo yes, socks */ + o.ce.socks_proxy_server = "socks.example.com"; + linkmtu = calc_options_string_link_mtu(&o, &f); + assert_int_equal(linkmtu, 1464); + + gc_free(&gc); +} int main(void) @@ -243,7 +368,8 @@ main(void) cmocka_unit_test(crypto_translate_cipher_names), cmocka_unit_test(crypto_test_tls_prf), cmocka_unit_test(crypto_test_hmac), - cmocka_unit_test(test_des_encrypt) + cmocka_unit_test(test_des_encrypt), + cmocka_unit_test(test_occ_mtu_calculation) }; #if defined(ENABLE_CRYPTO_OPENSSL) diff --git a/tests/unit_tests/openvpn/test_misc.c b/tests/unit_tests/openvpn/test_misc.c index 70f726d0f..867fa1bb5 100644 --- a/tests/unit_tests/openvpn/test_misc.c 
+++ b/tests/unit_tests/openvpn/test_misc.c 
@@ -37,6 +37,7 @@ #include #include "ssl_util.h" +#include "options.h" static void test_compat_lzo_string(void **state)

From patchwork Tue Dec 7 06:02:00 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2129
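Review bot: `gc` is unused in the new test_occ_mtu_calculation hunk of test_crypto.c: `struct gc_arena gc = gc_new();` at the top and `gc_free(&gc);` at the bottom bracket a body that never passes `&gc` to anything, so both lines can go. The two consecutive `assert_int_equal(linkmtu, 1457);` checks (with `o.tls_auth_file = "dummy"` and then with `o.tls_auth_file = NULL`) also deserve a one-line comment stating that tls-auth is expected not to change the data-channel link-mtu in TLS mode; without it the identical expectation reads like a copy-paste slip.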
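Review bot: the test_misc.c hunk adds `#include "options.h"` but nothing in the visible context uses it; if a later test in this file depends on it, the commit message should say which one, otherwise the include is dead and should be dropped.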
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Dec 2021 18:02:00 +0100
Message-Id: <20211207170211.3275837-11-arne@rfc2549.org>
In-Reply-To: <20211207170211.3275837-1-arne@rfc2549.org>
References: <20211207170211.3275837-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 10/21] Change buffer allocation calculation and checks to be more static

Currently we use half dynamic buffer sizes where we have a fixed overhead for crypto (crypto_max_overhead) but use a dynamic overhead for the other small header sizes.

Signed-off-by: Arne Schwabe
---
 src/openvpn/comp-lz4.c | 4 +-
 src/openvpn/crypto.c | 4 +-
 src/openvpn/forward.c | 8 +--
 src/openvpn/init.c | 109 +++++++++++++++++++++++++++++++++++----
 src/openvpn/init.h | 2 +-
 src/openvpn/lzo.c | 2 +-
 src/openvpn/mss.c | 4 +-
 src/openvpn/mtu.c | 7 ++-
 src/openvpn/mtu.h | 74 +++++++++++++-------------
 src/openvpn/multi.c | 4 +-
 src/openvpn/multi.h | 2 +-
 src/openvpn/occ.c | 4 +-
 src/openvpn/options.c | 2 +-
 src/openvpn/ping.c | 2 +-
 src/openvpn/ssl.c | 35 ++++++++++---
 src/openvpn/ssl_common.h | 3 +-
 16 files changed, 191 insertions(+), 75 deletions(-)

diff --git a/src/openvpn/comp-lz4.c b/src/openvpn/comp-lz4.c index bceca5e2c..aa83ea80f 100644 --- a/src/openvpn/comp-lz4.c +++ b/src/openvpn/comp-lz4.c
@@ -213,7 +213,7 @@ lz4_decompress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { - size_t zlen_max = EXPANDED_SIZE(frame); + size_t zlen_max = frame->buf.payload_size; uint8_t c; /* flag indicating whether or not our peer compressed */ if (buf->len <= 0) @@ -250,7 +250,7 @@ lz4v2_decompress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { - size_t zlen_max = EXPANDED_SIZE(frame); + size_t zlen_max = frame->buf.payload_size; uint8_t c; /* flag indicating whether or not our peer compressed */ if (buf->len <= 0) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 249c4212d..b4b8ca54b 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -1070,7 +1070,7 @@ test_crypto(struct crypto_options *co, struct frame *frame) { int i, j; struct gc_arena gc = gc_new(); - struct buffer src = alloc_buf_gc(TUN_MTU_SIZE(frame), &gc); + struct buffer src = alloc_buf_gc(frame->buf.payload_size, &gc); struct buffer work = alloc_buf_gc(BUF_SIZE(frame), &gc); struct buffer encrypt_workspace = alloc_buf_gc(BUF_SIZE(frame), &gc); struct buffer decrypt_workspace = alloc_buf_gc(BUF_SIZE(frame), &gc); @@ -1101,7 +1101,7 @@ test_crypto(struct crypto_options *co, struct frame *frame) } msg(M_INFO, "Entering " PACKAGE_NAME " crypto self-test mode."); - for (i = 1; i <= TUN_MTU_SIZE(frame); ++i) + for (i = 1; i <= frame->buf.payload_size; ++i) { update_time(); diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index f82386a1d..c971c6bdb 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c 
@@ -1119,8 +1119,8 @@ read_incoming_tun(struct context *c) } #else /* ifdef _WIN32 */ ASSERT(buf_init(&c->c2.buf, FRAME_HEADROOM(&c->c2.frame))); - ASSERT(buf_safe(&c->c2.buf, MAX_RW_SIZE_TUN(&c->c2.frame))); - c->c2.buf.len = read_tun(c->c1.tuntap, BPTR(&c->c2.buf), MAX_RW_SIZE_TUN(&c->c2.frame)); + ASSERT(buf_safe(&c->c2.buf, c->c2.frame.buf.payload_size)); + c->c2.buf.len = read_tun(c->c1.tuntap, BPTR(&c->c2.buf), c->c2.frame.buf.payload_size); #endif /* ifdef _WIN32 */ #ifdef PACKET_TRUNCATION_CHECK @@ -1709,7 +1709,7 @@ process_outgoing_tun(struct context *c) PIP_MSSFIX | PIPV4_EXTRACT_DHCP_ROUTER | PIPV4_CLIENT_NAT | PIP_OUTGOING, &c->c2.to_tun); - if (c->c2.to_tun.len <= MAX_RW_SIZE_TUN(&c->c2.frame)) + if (c->c2.to_tun.len <= c->c2.frame.buf.payload_size) { /* * Write to TUN/TAP device. @@ -1769,7 +1769,7 @@ process_outgoing_tun(struct context *c) */ msg(D_LINK_ERRORS, "tun packet too large on write (tried=%d,max=%d)", c->c2.to_tun.len, - MAX_RW_SIZE_TUN(&c->c2.frame)); + c->c2.frame.buf.payload_size); } buf_reset(&c->c2.to_tun); diff --git a/src/openvpn/init.c b/src/openvpn/init.c index b22ce60af..2ce963663 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -740,7 +740,7 @@ init_port_share(struct context *c) { port_share = port_share_open(c->options.port_share_host, c->options.port_share_port, - MAX_RW_SIZE_LINK(&c->c2.frame), + c->c2.frame.buf.payload_size, c->options.port_share_journal_dir); if (port_share == NULL) { 
@@ -2441,6 +2441,35 @@ do_startup_pause(struct context *c) } } +static size_t +get_frame_mtu(struct context *c, const struct options *o) +{ + size_t mtu; + + if (o->ce.link_mtu_defined) + { + ASSERT(o->ce.link_mtu_defined); + /* if we have a link mtu defined we calculate what the old code + * would have come up with as tun-mtu */ + size_t overhead = frame_calculate_protocol_header_size(&c->c1.ks.key_type, + o, 0, true); + mtu = o->ce.link_mtu - overhead; + + } + else + { + ASSERT(o->ce.tun_mtu_defined); + mtu = o->ce.tun_mtu; + } + + if (mtu < TUN_MTU_MIN) + { + msg(M_WARN, "TUN MTU value (%lu) must be at least %d", mtu, TUN_MTU_MIN); + frame_print(&c->c2.frame, M_FATAL, "MTU is too small"); + } + return mtu; +} + /* * Finalize MTU parameters based on command line or config file options. */ 
@@ -2452,12 +2481,68 @@ frame_finalize_options(struct context *c, const struct options *o) o = &c->options; } - frame_add_to_extra_buffer(&c->c2.frame, PAYLOAD_ALIGN); - frame_finalize(&c->c2.frame, + struct frame *frame = &c->c2.frame; + + frame->tun_mtu = get_frame_mtu(c, o); + + /* We always allow at least 1500 MTU packets to be received in our buffer + * space */ + size_t payload_size = max_int(1500, frame->tun_mtu); + + /* The extra tun needs to be added to the payload size */ + if (o->ce.tun_mtu_defined) + { + payload_size += o->ce.tun_mtu_extra; + } + + /* Add 100 byte of extra space in the buffer to account for slightly + * mismatched MUTs between peers */ + payload_size += 100; + + + /* the space that is reserved before the payload to add extra headers to it + * we always reserve the space for the worst case */ + size_t headroom = 0; + + /* includes IV and packet ID */ + headroom += crypto_max_overhead(); + + /* peer id + opcode */ + headroom += 4; + + /* socks proxy header */ + headroom += 10; + + /* compression header and fragment header (part of the encrypted payload) */ + headroom += 1 + 1; + + /* Round up headroom to the next multiple of 4 to ensure alignment */ + headroom = (headroom + 3) & ~3; + + /* Add the headroom to the payloadsize as a received (IP) packet can have + * all the extra headers in it */ + payload_size += headroom; + + /* the space after the payload, this needs some extra buffer space for + * encryption so headroom is probably too much but we do not really care + * the few extra bytes */ + size_t tailroom = headroom; + +#ifdef USE_COMP + tailroom += COMP_EXTRA_BUFFER(frame->buf.payload_size); +#endif + + frame->buf.payload_size = payload_size; + frame->buf.headroom = headroom; + frame->buf.tailroom = tailroom; + + /* Kept to still update/calculate the other fields for now */ + frame_finalize(frame, o->ce.link_mtu_defined, o->ce.link_mtu, o->ce.tun_mtu_defined, o->ce.tun_mtu); + } /* 
@@ -3224,23 +3309,25 @@ do_init_frame_tls(struct context *c) } struct context_buffers * -init_context_buffers(const struct frame *frame) +init_context_buffers(struct frame *frame) { struct context_buffers *b; ALLOC_OBJ_CLEAR(b, struct context_buffers); - b->read_link_buf = alloc_buf(BUF_SIZE(frame)); - b->read_tun_buf = alloc_buf(BUF_SIZE(frame)); + size_t buf_size = BUF_SIZE(frame); + + b->read_link_buf = alloc_buf(buf_size); + b->read_tun_buf = alloc_buf(buf_size); - b->aux_buf = alloc_buf(BUF_SIZE(frame)); + b->aux_buf = alloc_buf(buf_size); - b->encrypt_buf = alloc_buf(BUF_SIZE(frame)); - b->decrypt_buf = alloc_buf(BUF_SIZE(frame)); + b->encrypt_buf = alloc_buf(buf_size); + b->decrypt_buf = alloc_buf(buf_size); #ifdef USE_COMP - b->compress_buf = alloc_buf(BUF_SIZE(frame)); - b->decompress_buf = alloc_buf(BUF_SIZE(frame)); + b->compress_buf = alloc_buf(buf_size); + b->decompress_buf = alloc_buf(buf_size); #endif return b; diff --git a/src/openvpn/init.h b/src/openvpn/init.h index 52581f8ae..cc80fefee 100644 --- a/src/openvpn/init.h +++ b/src/openvpn/init.h @@ -110,7 +110,7 @@ void inherit_context_top(struct context *dest, void close_context(struct context *c, int sig, unsigned int flags); -struct context_buffers *init_context_buffers(const struct frame *frame); +struct context_buffers *init_context_buffers(struct frame *frame); void free_context_buffers(struct context_buffers *b); diff --git a/src/openvpn/lzo.c b/src/openvpn/lzo.c index 8d572684a..e7e89655f 100644 --- a/src/openvpn/lzo.c +++ b/src/openvpn/lzo.c @@ -213,7 +213,7 @@ lzo_decompress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { - lzo_uint zlen = EXPANDED_SIZE(frame); + lzo_uint zlen = frame->buf.payload_size; int err; uint8_t c; /* flag indicating whether or not our peer compressed */ diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c index 56dea0292..e4311c42a 100644 --- a/src/openvpn/mss.c +++ b/src/openvpn/mss.c 
@@ -222,8 +222,8 @@ frame_calculate_mssfix(struct frame *frame, struct key_type *kt, payload_size = frame_calculate_payload_size(frame, options); - overhead = frame_calculate_protocol_header_size(kt, options, - payload_size, false); + overhead = frame_calculate_protocol_header_size(kt, options, payload_size, + false); /* Calculate the number of bytes that the payload differs from the payload * MTU. This are fragment/compression/ethernet headers */ diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index c7f69bb2a..88a42a0c5 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c @@ -48,7 +48,7 @@ alloc_buf_sock_tun(struct buffer *buf, /* allocate buffer for overlapped I/O */ *buf = alloc_buf(BUF_SIZE(frame)); ASSERT(buf_init(buf, FRAME_HEADROOM(frame))); - buf->len = tuntap_buffer ? MAX_RW_SIZE_TUN(frame) : MAX_RW_SIZE_LINK(frame); + buf->len = frame->buf.payload_size; ASSERT(buf_safe(buf, 0)); } @@ -265,6 +265,11 @@ frame_print(const struct frame *frame, buf_printf(&out, "%s ", prefix); } buf_printf(&out, "["); + buf_printf(&out, " mss_fix:%d", frame->mss_fix); + buf_printf(&out, " tun_mtu:%d", frame->tun_mtu); + buf_printf(&out, " headroom:%d", frame->buf.headroom); + buf_printf(&out, " payload:%d", frame->buf.payload_size); + buf_printf(&out, " tailroom:%d", frame->buf.tailroom); buf_printf(&out, " L:%d", frame->link_mtu); buf_printf(&out, " D:%d", frame->link_mtu_dynamic); buf_printf(&out, " EF:%d", frame->extra_frame); diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index f60138607..ace33a74a 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h 
@@ -91,6 +91,25 @@ * Packet geometry parameters. */ struct frame { + struct { + /* This struct holds all the information about the buffers that are + * allocated to match this frame */ + int payload_size; /**< the maximum size that a payload that our + * buffers can hold from either tun device + * or network link. + */ + + + int headroom; /**< the headroom in the buffer, this is choosen + * to allow all potential header to be added + * before the packet */ + + int tailroom; /**< the tailroom in the buffer. Chosen large + * enough to also accompany any extrea header + * or work space required by + * decryption/encryption or compression. */ + } buf; + int link_mtu; /**< Maximum packet size to be sent over * the external network interface. */ @@ -110,6 +129,17 @@ struct frame { * @endcode */ + int tun_mtu; /**< the (user) configured tun-mtu. This is used + * in configuring the tun interface or + * in calculations that use the desired size + * of the payload in the buffer. + * + * This variable is also used in control + * frame context to set the desired maximum + * control frame payload (although most of + * code ignores it) + */ + int extra_buffer; /**< Maximum number of bytes that * processing steps could expand the * internal work buffer. @@ -165,8 +195,8 @@ struct options; * a tap device ifconfiged to an MTU of 1200 might actually want * to return a packet size of 1214 on a read(). */ -#define PAYLOAD_SIZE(f) ((f)->link_mtu - (f)->extra_frame) #define PAYLOAD_SIZE_DYNAMIC(f) ((f)->link_mtu_dynamic - (f)->extra_frame) +#define PAYLOAD_SIZE(f) ((f)->buf.payload_size) /* * Max size of a payload packet after encryption, compression, etc. 
@@ -176,35 +206,23 @@ struct options; #define EXPANDED_SIZE_DYNAMIC(f) ((f)->link_mtu_dynamic) #define EXPANDED_SIZE_MIN(f) (TUN_MTU_MIN + TUN_LINK_DELTA(f)) -/* - * These values are used as maximum size constraints - * on read() or write() from TUN/TAP device or TCP/UDP port. - */ -#define MAX_RW_SIZE_TUN(f) (PAYLOAD_SIZE(f)) -#define MAX_RW_SIZE_LINK(f) (EXPANDED_SIZE(f) + (f)->extra_link) - /* * Control buffer headroom allocations to allow for efficient prepending. */ -#define FRAME_HEADROOM_BASE(f) (TUN_LINK_DELTA(f) + (f)->extra_buffer + (f)->extra_link) -/* Same as FRAME_HEADROOM_BASE but rounded up to next multiple of PAYLOAD_ALIGN */ -#define FRAME_HEADROOM(f) frame_headroom(f) /* * Max size of a buffer used to build a packet for output to - * the TCP/UDP port. - * - * the FRAME_HEADROOM_BASE(f) * 2 should not be necessary but it looks that at - * some point in the past we seem to have lost the information what parts of - * the extra space we need to have before the data and which we need after - * the data. So we ensure we have the FRAME_HEADROOM before and after the - * actual data. + * the TCP/UDP port or to read a packet from a tap/tun device. * * Most of our code only prepends headers but compression needs the extra bytes * *after* the data as compressed data might end up larger than the original - * data (and max compression overhead is part of extra_buffer) + * data (and max compression overhead is part of extra_buffer). Also crypto + * needs an extra block for encryption. Therefore tailroom is larger than the + * headroom. */ -#define BUF_SIZE(f) (TUN_MTU_SIZE(f) + FRAME_HEADROOM_BASE(f) * 2) +#define BUF_SIZE(f) ((f)->buf.headroom + (f)->buf.payload_size + (f)->buf.tailroom) + +#define FRAME_HEADROOM(f) ((f)->buf.headroom) /* * Function prototypes. 
@@ -321,20 +339,6 @@ const char *format_extended_socket_error(int fd, int *mtu, struct gc_arena *gc); #endif -/* - * Calculate a starting offset into a buffer object, dealing with - * headroom and alignment issues. - */ -static inline int -frame_headroom(const struct frame *f) -{ - const int offset = FRAME_HEADROOM_BASE(f); - /* These two lines just pad offset to next multiple of PAYLOAD_ALIGN in - * a complicated and confusing way */ - const int delta = ((PAYLOAD_ALIGN << 24) - offset) & (PAYLOAD_ALIGN - 1); - return offset + delta; -} - /* * frame member adjustment functions */ @@ -378,7 +382,7 @@ frame_add_to_extra_buffer(struct frame *frame, const int increment) static inline bool frame_defined(const struct frame *frame) { - return frame->link_mtu > 0; + return frame->buf.payload_size > 0; } #endif /* ifndef MTU_H */ diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 103e882e3..e5ffebff2 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -3495,7 +3495,7 @@ gremlin_flood_clients(struct multi_context *m) int i; ASSERT(buf_init(&buf, FRAME_HEADROOM(&m->top.c2.frame))); - parm.packet_size = min_int(parm.packet_size, MAX_RW_SIZE_TUN(&m->top.c2.frame)); + parm.packet_size = min_int(parm.packet_size, m->top.c2.frame.buf.payload_size); msg(D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d", parm.n_packets, @@ -3557,7 +3557,7 @@ multi_process_per_second_timers_dowork(struct multi_context *m) } void -multi_top_init(struct multi_context *m, const struct context *top) +multi_top_init(struct multi_context *m, struct context *top) { inherit_context_top(&m->top, top); m->top.c2.buffers = init_context_buffers(&top->c2.frame); diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 6e85c21c9..c2b085e32 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h 
@@ -257,7 +257,7 @@ void multi_init(struct multi_context *m, struct context *t, bool tcp_mode); void multi_uninit(struct multi_context *m); -void multi_top_init(struct multi_context *m, const struct context *top); +void multi_top_init(struct multi_context *m, struct context *top); void multi_top_free(struct multi_context *m); diff --git a/src/openvpn/occ.c b/src/openvpn/occ.c index 610c05f5f..c4e7c1be2 100644 --- a/src/openvpn/occ.c +++ b/src/openvpn/occ.c @@ -219,7 +219,7 @@ check_send_occ_msg_dowork(struct context *c) c->c2.buf = c->c2.buffers->aux_buf; ASSERT(buf_init(&c->c2.buf, FRAME_HEADROOM(&c->c2.frame))); - ASSERT(buf_safe(&c->c2.buf, MAX_RW_SIZE_TUN(&c->c2.frame))); + ASSERT(buf_safe(&c->c2.buf, c->c2.frame.buf.payload_size)); ASSERT(buf_write(&c->c2.buf, occ_magic, OCC_STRING_SIZE)); switch (c->c2.occ_op) @@ -319,7 +319,7 @@ check_send_occ_msg_dowork(struct context *c) OCC_STRING_SIZE, (int) sizeof(uint8_t), EXTRA_FRAME(&c->c2.frame), - MAX_RW_SIZE_TUN(&c->c2.frame), + c->c2.frame.buf.payload_size, BLEN(&c->c2.buf)); doit = true; } diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 441855c7d..6dd573adb 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3832,7 +3832,7 @@ options_string(const struct options *o, buf_printf(&out, ",link-mtu %u", (unsigned int) calc_options_string_link_mtu(o, frame)); - buf_printf(&out, ",tun-mtu %d", PAYLOAD_SIZE(frame)); + buf_printf(&out, ",tun-mtu %d", frame->tun_mtu); buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote)); bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o); diff --git a/src/openvpn/ping.c b/src/openvpn/ping.c index 67bbca14d..a28f347f8 100644 --- a/src/openvpn/ping.c +++ b/src/openvpn/ping.c 
@@ -80,7 +80,7 @@ check_ping_send_dowork(struct context *c) { c->c2.buf = c->c2.buffers->aux_buf; ASSERT(buf_init(&c->c2.buf, FRAME_HEADROOM(&c->c2.frame))); - ASSERT(buf_safe(&c->c2.buf, MAX_RW_SIZE_TUN(&c->c2.frame))); + ASSERT(buf_safe(&c->c2.buf, c->c2.frame.buf.payload_size)); ASSERT(buf_write(&c->c2.buf, ping_string, sizeof(ping_string))); /* diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 608b30110..41981d220 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -332,6 +332,32 @@ tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame /* set dynamic link MTU to cap control channel packets at 1250 bytes */ ASSERT(TUN_LINK_DELTA(frame) < min_int(frame->link_mtu, 1250)); frame->link_mtu_dynamic = min_int(frame->link_mtu, 1250) - TUN_LINK_DELTA(frame); + + /* calculate the maximum overhead that control channel frames may have */ + int overhead = 0; + + /* Socks */ + overhead += 10; + + /* tls-auth and tls-crypt */ + overhead += max_int(tls_crypt_buf_overhead(), + packet_id_size(true) + OPENVPN_MAX_HMAC_SIZE); + + /* TCP length field and opcode */ + overhead+= 3; + + /* Previous OpenVPN version calculated the maximum size and buffer of a + * control frame depending on the overhead of the data channel frame + * overhead and limited its maximum size to 1250. We always allocate the + * 1250 buffer size since a lot of code blindly assumes a large buffer + * (e.g. PUSH_BUNDLE_SIZE) and set frame->mtu_mtu as suggestion for the + * size */ + frame->buf.payload_size = 1250 + overhead; + + frame->buf.headroom = overhead; + frame->buf.tailroom = overhead; + + frame->tun_mtu = min_int(data_channel_frame->tun_mtu, 1250); } void 
@@ -1870,13 +1896,6 @@ tls_session_update_crypto_params_do_work(struct tls_session *session, msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'", options->ciphername); } - else - { - /* Very hacky workaround and quick fix for frame calculation - * different when adjusting frame size when the original and new cipher - * are identical to avoid a regression with client without NCP */ - return tls_session_generate_data_channel_keys(session); - } init_key_type(&session->opt->key_type, options->ciphername, options->authname, true, true); @@ -2959,7 +2978,7 @@ tls_process(struct tls_multi *multi, buf = reliable_get_buf_output_sequenced(ks->send_reliable); if (buf) { - int status = key_state_read_ciphertext(&ks->ks_ssl, buf, PAYLOAD_SIZE_DYNAMIC(&multi->opt.frame)); + int status = key_state_read_ciphertext(&ks->ks_ssl, buf, multi->opt.frame.tun_mtu); if (status == -1) { msg(D_TLS_ERRORS, diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index f851bd2b9..ada68b4b8 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h 
@@ -221,8 +221,9 @@ struct key_state struct reliable *rec_reliable; /* order incoming ciphertext packets before we pass to TLS */ struct reliable_ack *rec_ack; /* buffers all packet IDs we want to ACK back to sender */ + /** Holds outgoing message for the control channel until ks->state reaches + * S_ACTIVE */ struct buffer_list *paybuf; - counter_type n_bytes; /* how many bytes sent/recvd since last key exchange */ counter_type n_packets; /* how many packets sent/recvd since last key exchange */

From patchwork Tue Dec 7 06:02:01 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2128
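Review bot: in the comp-lz4.c and lzo.c hunks of PATCH 10/21 the decompression bound changes meaning, not just spelling: `EXPANDED_SIZE(frame)` was the link MTU, while `frame->buf.payload_size` is the buffer payload as computed in frame_finalize_options (at least 1500, plus headroom and the 100-byte slack), so `zlen_max` / `zlen` now admit larger decompressed output than before. If that relaxation is intended, the commit message should say so; if not, bound decompression by `frame->tun_mtu` and keep `payload_size` for buffer capacity only.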
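Review bot: in the forward.c process_outgoing_tun hunk the check `if (c->c2.to_tun.len <= c->c2.frame.buf.payload_size)` now tests buffer capacity rather than the configured tun-mtu (the old `MAX_RW_SIZE_TUN` was `link_mtu - extra_frame`), so a packet larger than tun-mtu but smaller than the buffer is written to the device instead of being rejected with "tun packet too large on write". Either state in the commit message that this is the intended behaviour, or compare against `c->c2.frame.tun_mtu` here and use `payload_size` only for the `buf_safe` capacity asserts in read_incoming_tun.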
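Review bot: in the init.c get_frame_mtu hunk, `mtu = o->ce.link_mtu - overhead;` mixes an `int` with `size_t overhead`, so a link-mtu smaller than the protocol overhead wraps to a huge unsigned value and passes the `if (mtu < TUN_MTU_MIN)` check instead of reaching the fatal frame_print; compute the difference in a signed type or reject `overhead >= o->ce.link_mtu` first. The `ASSERT(o->ce.link_mtu_defined);` directly inside `if (o->ce.link_mtu_defined)` is redundant and can go, and `msg(M_WARN, "TUN MTU value (%lu) ...", mtu, ...)` needs `%zu` for a `size_t` to be portable.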
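Review bot: in the init.c frame_finalize_options hunk, `tailroom += COMP_EXTRA_BUFFER(frame->buf.payload_size);` reads `frame->buf.payload_size` before the assignment `frame->buf.payload_size = payload_size;` a few lines further down, so under USE_COMP the compression tailroom is derived from the stale (initially zero) field; pass the local `payload_size` instead. Comment nits in the same hunk: "mismatched MUTs" should read "MTUs" and "100 byte of extra space" should read "100 bytes".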
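Review bot: the init.c init_context_buffers hunk drops `const` from its `struct frame *` parameter, and init.h, multi.c and multi.h follow suit for init_context_buffers and multi_top_init, yet nothing in the visible hunk writes to the frame: `size_t buf_size = BUF_SIZE(frame);` only reads `buf.headroom`, `buf.payload_size` and `buf.tailroom`. Unless a write is planned, keep the `const` and avoid the cascade of signature changes.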
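Review bot: the mss.c hunk only re-wraps the `frame_calculate_protocol_header_size(kt, options, payload_size, false)` call with no functional change; it is unrelated to the buffer-allocation rework and is better dropped from this patch or moved to a separate cleanup commit.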
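Review bot: in the mtu.c alloc_buf_sock_tun hunk `buf->len = frame->buf.payload_size;` no longer consults the `tuntap_buffer` argument that the removed line switched on; if that parameter now has no other use in the function, remove it from the signature and its callers rather than leaving a dead argument.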
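Review bot: in the mtu.h struct frame hunk, redefining `#define PAYLOAD_SIZE(f) ((f)->buf.payload_size)` changes the macro's meaning for every remaining caller: it used to be `link_mtu - extra_frame` (an MTU-sized payload) and is now the buffer capacity including the 100-byte slack and the headroom, while the neighbouring `PAYLOAD_SIZE_DYNAMIC(f)` keeps its link_mtu_dynamic-based definition. Either rename the macro or document in the `payload_size` comment that it is a capacity, not an MTU, so the two are not used as if comparable. Comment typos in the same hunk: "choosen" should read "chosen", "extrea" should read "extra", "accompany" should read "accommodate", and "all potential header" should read "all potential headers".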
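Review bot: in the mtu.h BUF_SIZE hunk the new comment says "Therefore tailroom is larger than the headroom", but frame_finalize_options sets `size_t tailroom = headroom;` and only adds `COMP_EXTRA_BUFFER` under USE_COMP, and tls_init_control_channel_frame_parameters sets both `buf.headroom` and `buf.tailroom` to `overhead`; either change the comment to "at least as large as" or reserve the extra crypto block in tailroom explicitly so the comment is true.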
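Review bot: in the ssl.c tls_init_control_channel_frame_parameters hunk the headroom tally covers the SOCKS header (10), tls-auth/tls-crypt and the TCP length field plus opcode (3), but the other headers prepended in front of control-channel ciphertext (session id, ack array, reliable packet id) do not appear in it; if they are still accounted for by the extra_frame additions earlier in this function, say so in the comment, because `frame->buf.headroom` is now exactly what `buf_init(FRAME_HEADROOM(frame))` reserves and a prepend beyond it asserts. Nits: `overhead+= 3;` needs a space before `+=`, and the comment's `frame->mtu_mtu` should read `frame->tun_mtu`.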
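Review bot: the ssl.c tls_session_update_crypto_params_do_work hunk deletes the early `return tls_session_generate_data_channel_keys(session);` that the removed comment described as a workaround for clients without NCP when old and new cipher are identical, but the commit message does not say why re-running init_key_type and the frame adjustment is now safe in that case; one sentence stating that the frame size no longer depends on the negotiated cipher would save the next reader a bisect.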
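Review bot: the ssl_common.h hunk removes the `n_bytes` counter from struct key_state, which is unrelated to the buffer-size rework described in the commit message; either note that it was unused or split the removal out. In the added doc comment, "Holds outgoing message" should read "Holds outgoing messages".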
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Dec 2021 18:02:01 +0100
Message-Id: <20211207170211.3275837-12-arne@rfc2549.org>
In-Reply-To: <20211207170211.3275837-1-arne@rfc2549.org>
References: <20211207170211.3275837-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 11/21] Remove pointless do_init_frame_tls function

This function is static and just calls another function.

Signed-off-by: Arne Schwabe
Acked-By: Frank Lichtenheld
---
 src/openvpn/init.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 2ce963663..0287dda35 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c

@@ -3045,7 +3045,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) } static void -do_init_finalize_tls_frame(struct context *c) +do_init_frame_tls(struct context *c) { if (c->c2.tls_multi) {
@@ -3302,12 +3302,6 @@ do_option_warnings(struct context *c) } } -static void -do_init_frame_tls(struct context *c) -{ - do_init_finalize_tls_frame(c); -} - struct context_buffers * init_context_buffers(struct frame *frame) { From patchwork Tue Dec 7 06:02:02 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2131 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.31.255.6]) by backend41.mail.ord1d.rsapps.net with LMTP id cNruB8+Tr2EHUwAAqwncew (envelope-from ) for ; Tue, 07 Dec 2021 12:03:11 -0500 Received: from proxy13.mail.iad3b.rsapps.net ([172.31.255.6]) by director11.mail.ord1d.rsapps.net with LMTP id aAcRJc+Tr2EedwAAvGGmqA (envelope-from ) for ; Tue, 07 Dec 2021 12:03:11 -0500 Received: from smtp27.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy13.mail.iad3b.rsapps.net with LMTPS id 0IGFHs+Tr2E0FwAAvUvv+w (envelope-from ) for ; Tue, 07 Dec 2021 12:03:11 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp27.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 8e4e7a20-577f-11ec-9ee9-5254006b1ac1-1-1 Received: from [216.105.38.7] ([216.105.38.7:60420] helo=lists.sourceforge.net) by smtp27.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id EA/37-06611-EC39FA16; Tue, 07 Dec 2021 12:03:10 -0500 
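Review bot: the first hunk of this patch renames do_init_finalize_tls_frame() to do_init_frame_tls() (the wrapper's name) rather than deleting the wrapper and keeping the implementation's name, and the diffstat (1 insertion, 7 deletions) shows no call site being touched; the patch therefore only compiles if the removed wrapper was the sole caller of do_init_finalize_tls_frame(), which the two hunks do not show. A sentence in the commit message stating that, or a grep result, would let a reviewer confirm it without checking out the tree.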
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Dec 2021 18:02:02 +0100
Message-Id: <20211207170211.3275837-13-arne@rfc2549.org>
In-Reply-To: <20211207170211.3275837-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 12/21] Fix datagram_overhead and assorted functions

This function is supposed to calculate the overhead of the protocol header (IP/IPv6 + TCP/UDP). But at some point the index that used to index the array proto_overhead and the associated PROTO_N went completely out of sync. This fixes the function and related caller to again calculate the overhead as intended.
Note that IPv6 mapped IPv4 addresses still have the wrong overhead calculated as they treated as IPv6 addresses (0:0:0:0:0:ffff::/96) Signed-off-by: Arne Schwabe Acked-By: Frank Lichtenheld --- src/openvpn/forward.c | 10 ++++++---- src/openvpn/socket.c | 16 +++------------- src/openvpn/socket.h | 17 ++++++----------- 3 files changed, 15 insertions(+), 28 deletions(-) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index c971c6bdb..6de6b4d49 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -480,10 +480,10 @@ check_fragment(struct context *c) struct link_socket_info *lsi = get_link_socket_info(c); /* OS MTU Hint? */ - if (lsi->mtu_changed) + if (lsi->mtu_changed && lsi->lsa) { frame_adjust_path_mtu(&c->c2.frame_fragment, c->c2.link_socket->mtu, - c->options.ce.proto); + lsi->lsa->actual.dest.addr.sa.sa_family, lsi->proto); lsi->mtu_changed = false; } @@ -1565,8 +1565,10 @@ process_outgoing_link(struct context *c) */ if (c->options.shaper) { - shaper_wrote_bytes(&c->c2.shaper, BLEN(&c->c2.to_link) - + datagram_overhead(c->options.ce.proto)); + int overhead = datagram_overhead(c->c2.to_link_addr->dest.addr.sa.sa_family, + c->options.ce.proto); + shaper_wrote_bytes(&c->c2.shaper, + BLEN(&c->c2.to_link) + overhead); } /* diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index df7367469..93d2e61ec 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -44,17 +44,6 @@ #include "memdbg.h" -const int proto_overhead[] = { /* indexed by PROTO_x */ - 0, - IPv4_UDP_HEADER_SIZE, /* IPv4 */ - IPv4_TCP_HEADER_SIZE, - IPv4_TCP_HEADER_SIZE, - IPv6_UDP_HEADER_SIZE, /* IPv6 */ - IPv6_TCP_HEADER_SIZE, - IPv6_TCP_HEADER_SIZE, - IPv6_TCP_HEADER_SIZE, -}; - /* * Convert sockflags/getaddr_flags into getaddr_flags */ 
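Review bot: in the process_outgoing_link() hunk, `c->c2.to_link_addr->dest.addr.sa.sa_family` is dereferenced unconditionally, whereas the check_fragment() hunk in the same file adds `&& lsi->lsa` before reading the address family. If to_link_addr can be unset when the shaper runs (for example before the peer address is known), this is a NULL dereference on the send path; either guard it the same way, or state in a comment why to_link_addr is always populated whenever options.shaper is set.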
@@ -1660,9 +1649,10 @@ socket_frame_init(const struct frame *frame, struct link_socket *sock) * to us by the OS. */ void -frame_adjust_path_mtu(struct frame *frame, int pmtu, int proto) +frame_adjust_path_mtu(struct frame *frame, int pmtu, sa_family_t af, int proto) { - frame_set_mtu_dynamic(frame, pmtu - datagram_overhead(proto), SET_MTU_UPPER_BOUND); + frame_set_mtu_dynamic(frame, pmtu - datagram_overhead(af, proto), + SET_MTU_UPPER_BOUND); } static void diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index cc1e0c366..936ef2623 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h @@ -300,7 +300,7 @@ void do_preresolve(struct context *c); void socket_adjust_frame_parameters(struct frame *frame, int proto); -void frame_adjust_path_mtu(struct frame *frame, int pmtu, int proto); +void frame_adjust_path_mtu(struct frame *frame, int pmtu, sa_family_t af, int proto); void link_socket_close(struct link_socket *sock); 
@@ -579,18 +579,13 @@ const char *addr_family_name(int af); /* * Overhead added to packets by various protocols. */ -#define IPv4_UDP_HEADER_SIZE 28 -#define IPv4_TCP_HEADER_SIZE 40 -#define IPv6_UDP_HEADER_SIZE 48 -#define IPv6_TCP_HEADER_SIZE 60 - -extern const int proto_overhead[]; - static inline int -datagram_overhead(int proto) +datagram_overhead(sa_family_t af, int proto) { - ASSERT(proto >= 0 && proto < PROTO_N); - return proto_overhead [proto]; + int overhead = 0; + overhead += (proto == PROTO_UDP) ? 8 : 20; + overhead += (af == AF_INET) ? 20 : 40; + return overhead; } /* From patchwork Tue Dec 7 06:02:03 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2135 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director14.mail.ord1d.rsapps.net ([172.31.255.6]) by backend41.mail.ord1d.rsapps.net with LMTP id OOhnItCTr2EZUwAAqwncew (envelope-from ) for ; Tue, 07 Dec 2021 12:03:12 -0500 Received: from proxy16.mail.iad3b.rsapps.net ([172.31.255.6]) by director14.mail.ord1d.rsapps.net with LMTP id 4IUYBNGTr2FiaQAAeJ7fFg (envelope-from ) for ; Tue, 07 Dec 2021 12:03:13 -0500 Received: from smtp34.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy16.mail.iad3b.rsapps.net with LMTPS id wGfMONCTr2HQQQAAPj+4aA (envelope-from ) for ; Tue, 07 Dec 2021 12:03:12 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp34.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) 
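Review bot: the new datagram_overhead() in the socket.h hunk drops the `ASSERT(proto >= 0 && proto < PROTO_N)` and charges every family other than AF_INET (including an unspecified one) the 40-byte IPv6 header and every proto other than PROTO_UDP the 20-byte TCP header. Overestimating is the safe direction for an MTU bound, but that is now an implicit property of the function and deserves a comment, since the old table-based version made each combination explicit. The commit message's IPv4-mapped limitation cannot be fixed at this signature because only the family is passed; taking the sockaddr and checking IN6_IS_ADDR_V4MAPPED would let the function charge such peers the 20-byte IPv4 header instead of 40.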
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Dec 2021 18:02:03 +0100
Message-Id: <20211207170211.3275837-14-arne@rfc2549.org>
In-Reply-To: <20211207170211.3275837-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 13/21] Implement optional mtu parameter for mssfix

The current mssfix parameter is a bit as it needs manual calculation of the allowable packet size and also the resulting MSS value does not take into account if IPv4 or IPv6 is used on the outer tunnel. The mtu parameter fixes both of these problems by dynamically including the real overhead. The syntax and naming of the parameter is chosen for compatibility with OpenVPN3.
Signed-off-by: Arne Schwabe --- Changes.rst | 6 ++++++ doc/man-sections/link-options.rst | 22 ++++++++++++++-------- src/openvpn/init.c | 7 ++++--- src/openvpn/mss.c | 29 ++++++++++++++++++++++++++++- src/openvpn/mss.h | 3 ++- src/openvpn/multi.c | 3 ++- src/openvpn/options.c | 13 +++++++++++-- src/openvpn/options.h | 5 ++++- src/openvpn/ssl.c | 11 +++++++---- src/openvpn/ssl.h | 5 ++++- 10 files changed, 82 insertions(+), 22 deletions(-) diff --git a/Changes.rst b/Changes.rst index b7d7f2054..cf6a2f86d 100644 --- a/Changes.rst +++ b/Changes.rst @@ -62,6 +62,12 @@ Optional ciphers in ``--data-ciphers`` Ciphers in ``--data-ciphers`` can now be prefixed with a ``?`` to mark those as optional and only use them if the SSL library supports them. + +Improved ``--mssfix`` calculation + The ``--mssfix`` option now allows an optional :code:`mtu` parameter to specify + that different overhead for IPv4/IPv6 should taken into account and the resulting + size is specified as the total size of the VPN packets including IP and UDP headers. + Deprecated features ------------------- ``inetd`` has been removed diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index b1ae4e75a..f41c0c4f1 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst 
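Review bot: the Changes.rst hunk reads "different overhead for IPv4/IPv6 should taken into account"; it should be "should be taken into account". The same sentence could also say explicitly that without the :code:`mtu` parameter the old interpretation is unchanged, so readers of the release notes know the default behaviour is not affected.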
@@ -110,19 +110,25 @@ the local and the remote host. (:code:`p2p`). OpenVPN 2.0 introduces a new mode (:code:`server`) which implements a multi-client server capability. ---mssfix max +--mssfix max [mtu] Announce to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them, the resulting UDP packet size that OpenVPN sends to its peer will not exceed ``max`` bytes. The default value is :code:`1450`. - The ``max`` parameter is interpreted in the same way as the - ``--link-mtu`` parameter, i.e. the UDP packet size after encapsulation - overhead has been added in, but not including the UDP header itself. - Resulting packet would be at most 28 bytes larger for IPv4 and 48 bytes - for IPv6 (20/40 bytes for IP header and 8 bytes for UDP header). Default - value of 1450 allows IPv4 packets to be transmitted over a link with MTU - 1473 or higher without IP level fragmentation. + If the :code:`mtu` parameter is specified the ``max`` value is interpreted + as the resulting packet size of VPN packets including the IP and UDP header. + Use :code:`0` as max to use the default of :code:1450. Support for the + :code:`mtu` parameter was added with OpenVPN version 2.6.0. + + If the :code:`mtu` parameter is not specified, the ``max`` parameter + is interpreted in the same way as the ``--link-mtu`` parameter, i.e. + the UDP packet size after encapsulation overhead has been added in, but + not including the UDP header itself. Resulting packet would be at most 28 + bytes larger for IPv4 and 48 bytes for IPv6 (20/40 bytes for IP header and + 8 bytes for UDP header). Default value of 1450 allows IPv4 packets to be + transmitted over a link with MTU 1473 or higher without IP level + fragmentation. The ``--mssfix`` option only makes sense when you are using the UDP protocol for OpenVPN peer-to-peer communication, i.e. ``--proto udp``. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 0287dda35..b3653971c 100644 
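Review bot: in the link-options.rst hunk, `:code:1450` is missing the backticks that the surrounding uses of the role have (`:code:`1450``), so it will not render as a literal. The sentence "Use :code:`0` as max to use the default" sits in the paragraph about the :code:`mtu` parameter, but the options.c hunk sets mssfix_default whenever the parsed value is 0 regardless of the second argument, so that sentence belongs with the general description of ``max``.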
--- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2207,7 +2207,7 @@ do_deferred_p2p_ncp(struct context *c) #endif if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame, - frame_fragment)) + frame_fragment, get_link_socket_info(c))) { msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher"); return false; @@ -2322,7 +2322,7 @@ do_deferred_options(struct context *c, const unsigned int found) struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame, - frame_fragment)) + frame_fragment, get_link_socket_info(c))) { msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options"); return false; @@ -4238,7 +4238,8 @@ init_instance(struct context *c, const struct env_set *env, const unsigned int f #endif /* initialize dynamic MTU variable */ - frame_calculate_mssfix(&c->c2.frame, &c->c1.ks.key_type, &c->options); + frame_calculate_mssfix(&c->c2.frame, &c->c1.ks.key_type, &c->options, + get_link_socket_info(c)); /* bind the TCP/UDP socket */ if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c index e4311c42a..b1f10d53e 100644 --- a/src/openvpn/mss.c +++ b/src/openvpn/mss.c 
@@ -207,9 +207,30 @@ mss_fixup_dowork(struct buffer *buf, uint16_t maxmss) } } +static unsigned int +get_ip_encap_overhead(const struct options *options, + const struct link_socket_info *lsi) +{ + /* Add the overhead of the encapsulating IP packets */ + sa_family_t af; + if (lsi->lsa) + { + af = lsi->lsa->actual.dest.addr.sa.sa_family; + } + else + { + /* In the early init before the connection is established or we + * are in listen mode we can only make an educated guess + * from the af of the connection entry */ + af = options->ce.af; + } + return datagram_overhead(af, lsi->proto); +} + void frame_calculate_mssfix(struct frame *frame, struct key_type *kt, - const struct options *options) + const struct options *options, + struct link_socket_info *lsi) { if (options->ce.mssfix == 0) { @@ -236,6 +257,12 @@ frame_calculate_mssfix(struct frame *frame, struct key_type *kt, * * (RFC 879, section 7). */ + if (options->ce.mssfix_encap) + { + /* Add the overhead of the encapsulating IP packets */ + overhead += get_ip_encap_overhead(options, lsi); + } + /* Add 20 bytes for the IPv4 header and TCP header of the payload, * the mssfix routes will add 20 extra if payload is IPv6 */ overhead += 20 + 20; diff --git a/src/openvpn/mss.h b/src/openvpn/mss.h index 856f4c4e3..eecc79948 100644 --- a/src/openvpn/mss.h +++ b/src/openvpn/mss.h @@ -37,6 +37,7 @@ void mss_fixup_dowork(struct buffer *buf, uint16_t maxmss); /** Set the --mssfix option. */ void frame_calculate_mssfix(struct frame *frame, struct key_type *kt, - const struct options *options); + const struct options *options, + struct link_socket_info *lsi); #endif diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index e5ffebff2..67b7114ad 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c 
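Review bot: get_ip_encap_overhead() in the mss.c hunk dereferences lsi without a NULL check, so every caller of frame_calculate_mssfix() must now pass a valid link_socket_info; the init.c and ssl.c hunks pass get_link_socket_info(c), which is fine only if that never returns NULL on those paths. In the fallback branch, when lsa is unset and options->ce.af has not been forced to a family, datagram_overhead() returns the IPv6 overhead, so the pre-connection MSS is computed as if the outer link were IPv6 even on an IPv4 connection; the "educated guess" comment should say that the guess errs toward the larger overhead. Minor: frame_calculate_mssfix() takes `struct link_socket_info *lsi` non-const while get_ip_encap_overhead() only needs a const pointer.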
@@ -2286,7 +2286,8 @@ multi_client_generate_tls_keys(struct context *c) #endif struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; if (!tls_session_update_crypto_params(session, &c->options, - &c->c2.frame, frame_fragment)) + &c->c2.frame, frame_fragment, + get_link_socket_info(c))) { msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed"); register_signal(c, SIGUSR1, "process-push-msg-failed"); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 6dd573adb..8997fa988 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -6771,18 +6771,27 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); script_security_set(atoi(p[1])); } - else if (streq(p[0], "mssfix") && !p[2]) + else if (streq(p[0], "mssfix") && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); if (p[1]) { options->ce.mssfix = positive_atoi(p[1]); } - else + + if (!p[1] || options->ce.mssfix == 0) { options->ce.mssfix_default = true; } + if (p[2] && streq(p[2], "mtu")) + { + options->ce.mssfix_encap = true; + } + else if (p[2]) + { + msg(msglevel, "Unknown parameter to --mssfix: %s", p[2]); + } } else if (streq(p[0], "disable-occ") && !p[1]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index d4f41cd71..557edab9b 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -126,7 +126,10 @@ struct connection_entry int fragment; /* internal fragmentation size */ int mssfix; /* Upper bound on TCP MSS */ - bool mssfix_default; /* true if --mssfix was supplied without a parameter */ + bool mssfix_default; /* true if --mssfix was supplied without a parameter + * or 0 was specified as MTU */ + bool mssfix_encap; /* true if --mssfix had the "mtu" parameter to include + * overhead from IP and TCP/UDP encapsulation */ int explicit_exit_notification; /* Explicitly tell peer when we are exiting via OCC_EXIT or [RESTART] message */ diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 41981d220..c5b085646 100644 
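Review bot: in the options.c hunk, an unrecognised second argument to --mssfix only emits msg(msglevel, "Unknown parameter to --mssfix: %s", p[2]) and parsing continues, so a misspelt `mtu` is accepted silently (apart from the log line) with the legacy interpretation of ``max``, which changes the effective MTU bound by the encapsulation overhead. Consider rejecting the option instead of continuing so that a typo cannot change the semantics. In the options.h hunk, the comment "or 0 was specified as MTU" should read "or 0 was specified as max", since 0 is the value of the first argument, not of the mtu keyword.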
--- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1883,7 +1883,8 @@ cleanup: bool tls_session_update_crypto_params_do_work(struct tls_session *session, struct options* options, struct frame *frame, - struct frame *frame_fragment) + struct frame *frame_fragment, + struct link_socket_info *lsi) { if (session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized) { @@ -1913,7 +1914,7 @@ tls_session_update_crypto_params_do_work(struct tls_session *session, options->replay, packet_id_long_form); frame_finalize(frame, options->ce.link_mtu_defined, options->ce.link_mtu, options->ce.tun_mtu_defined, options->ce.tun_mtu); - frame_calculate_mssfix(frame, &session->opt->key_type, options); + frame_calculate_mssfix(frame, &session->opt->key_type, options, lsi); frame_print(frame, D_MTU_INFO, "Data Channel MTU parms"); /* @@ -1938,7 +1939,8 @@ tls_session_update_crypto_params_do_work(struct tls_session *session, bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, - struct frame *frame_fragment) + struct frame *frame_fragment, + struct link_socket_info *lsi) { bool cipher_allowed_as_fallback = options->enable_ncp_fallback @@ -1957,7 +1959,8 @@ tls_session_update_crypto_params(struct tls_session *session, /* Import crypto settings that might be set by pull/push */ session->opt->crypto_flags |= options->data_channel_crypto_flags; - return tls_session_update_crypto_params_do_work(session, options, frame, frame_fragment); + return tls_session_update_crypto_params_do_work(session, options, frame, + frame_fragment, lsi); } diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index b14453fe2..e566acd81 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h 
@@ -508,13 +508,16 @@ void tls_update_remote_addr(struct tls_multi *multi, * @param frame The frame options for this session (frame overhead is * adjusted based on the selected cipher/auth). * @param frame_fragment The fragment frame options. + * @param lsi link socket info to adjust MTU related options + * depending on the current protocol * * @return true if updating succeeded or keys are already generated, false otherwise. */ bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, - struct frame *frame_fragment); + struct frame *frame_fragment, + struct link_socket_info *lsi); /* * inline functions From patchwork Tue Dec 7 06:02:04 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2142 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director7.mail.ord1d.rsapps.net ([172.31.255.6]) by backend41.mail.ord1d.rsapps.net with LMTP id UI2iJdeTr2FMUwAAqwncew (envelope-from ) for ; Tue, 07 Dec 2021 12:03:19 -0500 Received: from proxy15.mail.iad3b.rsapps.net ([172.31.255.6]) by director7.mail.ord1d.rsapps.net with LMTP id SJY4B9iTr2HDSwAAovjBpQ (envelope-from ) for ; Tue, 07 Dec 2021 12:03:20 -0500 Received: from smtp40.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy15.mail.iad3b.rsapps.net with LMTPS id QOK2OteTr2HaWgAAhyf7VQ (envelope-from ) for ; Tue, 07 Dec 2021 12:03:19 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp40.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature 
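The two patches above (12/21 fixing datagram_overhead() and 13/21 adding the mssfix mtu parameter) both hinge on charging the right outer IP/UDP header size. The following is an added example, not OpenVPN code: it reproduces the family-plus-protocol arithmetic from the socket.h hunk, then goes one step beyond the page by resolving the IPv4-mapped IPv6 case that the patch 12 commit message lists as still wrong, and finally derives the inner TCP MSS for a given outer packet size the way the mss.c hunk structures it. The PROTO_* values, the parse_peer_addr()/overhead_for_peer()/mss_for_mtu() helpers and the vpn_overhead argument (crypto and opcode overhead, which the real code derives from the negotiated cipher) are assumptions of this example; the sample addresses are constructed documentation-range values.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Stand-ins for OpenVPN's PROTO_x enumerators; the values are assumed, only
 * the UDP/non-UDP distinction matters for the calculation below. */
enum { PROTO_UDP = 1, PROTO_TCP_SERVER = 2, PROTO_TCP_CLIENT = 3 };

/* Encapsulation overhead as the patched datagram_overhead() computes it:
 * transport header (8 bytes UDP, 20 bytes TCP) plus IP header (20 bytes
 * IPv4, 40 bytes IPv6). Any family other than AF_INET, including an
 * unspecified one, is charged the larger IPv6 overhead. */
int datagram_overhead(sa_family_t af, int proto)
{
    int overhead = 0;
    overhead += (proto == PROTO_UDP) ? 8 : 20;
    overhead += (af == AF_INET) ? 20 : 40;
    return overhead;
}

/* Address-aware variant (assumed extension, not in the patch): an IPv4-mapped
 * IPv6 address (::ffff:a.b.c.d) on an AF_INET6 socket still travels inside a
 * 20-byte IPv4 header on the wire, so it must be charged as IPv4. */
int datagram_overhead_for_addr(const struct sockaddr *sa, int proto)
{
    sa_family_t af = sa->sa_family;
    if (af == AF_INET6) {
        const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
        if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
            af = AF_INET;
        }
    }
    return datagram_overhead(af, proto);
}

/* Parse a textual IPv4 or IPv6 address into a sockaddr_storage.
 * Returns 1 on success, 0 if the text is neither. */
int parse_peer_addr(const char *text, struct sockaddr_storage *ss)
{
    struct sockaddr_in *sin = (struct sockaddr_in *)ss;
    struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ss;

    memset(ss, 0, sizeof(*ss));
    if (inet_pton(AF_INET, text, &sin->sin_addr) == 1) {
        sin->sin_family = AF_INET;
        return 1;
    }
    if (inet_pton(AF_INET6, text, &sin6->sin6_addr) == 1) {
        sin6->sin6_family = AF_INET6;
        return 1;
    }
    return 0;
}

/* Outer IP+transport overhead for a peer given as text; -1 if it does not parse. */
int overhead_for_peer(const char *peer, int proto)
{
    struct sockaddr_storage ss;
    if (!parse_peer_addr(peer, &ss)) {
        return -1;
    }
    return datagram_overhead_for_addr((const struct sockaddr *)&ss, proto);
}

/* TCP MSS to announce inside the tunnel when "--mssfix max mtu" is used: max
 * is the size of the whole outer packet, so subtract the outer IP/UDP headers,
 * the VPN's own per-packet overhead (supplied by the caller here) and the
 * 20-byte IP + 20-byte TCP headers of the inner packet, following the order
 * of additions in the mss.c hunk. Returns -1 on a bad address or if nothing
 * would be left for payload. */
int mss_for_mtu(int max, const char *peer, int proto, int vpn_overhead)
{
    int encap = overhead_for_peer(peer, proto);
    if (encap < 0) {
        return -1;
    }
    int mss = max - encap - vpn_overhead - 20 - 20;
    return mss > 0 ? mss : -1;
}
```

Running it shows the point of both patches: an IPv4 UDP peer costs 28 bytes and an IPv6 UDP peer 48, so the same `--mssfix 1500 mtu` yields an inner MSS that differs by 20 bytes depending on the outer family, and a v4-mapped peer is correctly charged 28 rather than the 48 the family-only function would return.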
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Dec 2021 18:02:04 +0100
Message-Id: <20211207170211.3275837-15-arne@rfc2549.org>
In-Reply-To: <20211207170211.3275837-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 14/21] Add mtu parameter to --fragment and change fragment calculation

Instead of relying on the link_mtu_dynamic field and its calculation in the frame struct, add a new field max_fragment_size and add a calculation of it similar to mssfix.
Also whenever mssfix value is calculated, we also want to calculate the values for fragment as both options need to be calculated from the real overhead. Signed-off-by: Arne Schwabe --- Changes.rst | 9 +-- doc/man-sections/link-options.rst | 13 ++-- src/openvpn/forward.c | 3 +- src/openvpn/fragment.c | 4 +- src/openvpn/init.c | 23 +++---- src/openvpn/mss.c | 101 +++++++++++++++++++++++++++--- src/openvpn/mss.h | 13 +++- src/openvpn/mtu.c | 66 +------------------ src/openvpn/mtu.h | 22 +++---- src/openvpn/options.c | 12 +++- src/openvpn/options.h | 2 + src/openvpn/socket.c | 11 ---- src/openvpn/socket.h | 2 - src/openvpn/ssl.c | 20 ++---- 14 files changed, 157 insertions(+), 144 deletions(-) diff --git a/Changes.rst b/Changes.rst index cf6a2f86d..c673196fa 100644 --- a/Changes.rst +++ b/Changes.rst @@ -63,10 +63,11 @@ Optional ciphers in ``--data-ciphers`` those as optional and only use them if the SSL library supports them. -Improved ``--mssfix`` calculation - The ``--mssfix`` option now allows an optional :code:`mtu` parameter to specify - that different overhead for IPv4/IPv6 should taken into account and the resulting - size is specified as the total size of the VPN packets including IP and UDP headers. +Improved ``--mssfix`` and ``--fragement`` calculation + The ``--mssfix`` and ``--fragment`` options now allow an optional :code:`mtu` + parameter to specify that different overhead for IPv4/IPv6 should taken into + account and the resulting size is specified as the total size of the VPN packets + including IP and UDP headers. Deprecated features ------------------- diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index f41c0c4f1..b71656e0b 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst 
@@ -24,13 +24,18 @@ the local and the remote host. from any address, not only the address which was specified in the ``--remote`` option. ---fragment max +--fragment max [mtu] Enable internal datagram fragmentation so that no UDP datagrams are sent which are larger than ``max`` bytes. - The ``max`` parameter is interpreted in the same way as the - ``--link-mtu`` parameter, i.e. the UDP packet size after encapsulation - overhead has been added in, but not including the UDP header itself. + If the :code:`mtu` parameter is present the ``max`` parameter is + interpreted to include IP and UDP encapsulation overhead. The + :code:`mtu` parameter is introduced in OpenVPN version 2.6.0. + + If the :code:`mtu` parameter is absent, the ``max`` parameter is + interpreted in the same way as the ``--link-mtu`` parameter, i.e. + the UDP packet size after encapsulation overhead has been added in, + but not including the UDP header itself. The ``--fragment`` option only makes sense when you are using the UDP protocol (``--proto udp``). diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 6de6b4d49..3f362e95d 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -482,8 +482,7 @@ check_fragment(struct context *c) /* OS MTU Hint? */ if (lsi->mtu_changed && lsi->lsa) { - frame_adjust_path_mtu(&c->c2.frame_fragment, c->c2.link_socket->mtu, - lsi->lsa->actual.dest.addr.sa.sa_family, lsi->proto); + frame_adjust_path_mtu(c); lsi->mtu_changed = false; } diff --git a/src/openvpn/fragment.c b/src/openvpn/fragment.c index 6f8fb4476..ce8cd3489 100644 --- a/src/openvpn/fragment.c +++ b/src/openvpn/fragment.c 
@@ -335,12 +335,12 @@ fragment_outgoing(struct fragment_master *f, struct buffer *buf, msg(D_FRAG_ERRORS, "FRAG: outgoing buffer is not empty, len=[%d,%d]", buf->len, f->outgoing.len); } - if (buf->len > PAYLOAD_SIZE_DYNAMIC(frame)) /* should we fragment? */ + if (buf->len > frame->max_fragment_size) /* should we fragment? */ { /* * Send the datagram as a series of 2 or more fragments. */ - f->outgoing_frag_size = optimal_fragment_size(buf->len, PAYLOAD_SIZE_DYNAMIC(frame)); + f->outgoing_frag_size = optimal_fragment_size(buf->len, frame->max_fragment_size); if (buf->len > f->outgoing_frag_size * MAX_FRAGS) { FRAG_ERR("too many fragments would be required to send datagram"); diff --git a/src/openvpn/init.c b/src/openvpn/init.c index b3653971c..31ae250bc 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2535,14 +2535,6 @@ frame_finalize_options(struct context *c, const struct options *o) frame->buf.payload_size = payload_size; frame->buf.headroom = headroom; frame->buf.tailroom = tailroom; - - /* Kept to still update/calculate the other fields for now */ - frame_finalize(frame, - o->ce.link_mtu_defined, - o->ce.link_mtu, - o->ce.tun_mtu_defined, - o->ce.tun_mtu); - } /* @@ -3368,8 +3360,8 @@ static void do_init_fragment(struct context *c) { ASSERT(c->options.ce.fragment); - frame_set_mtu_dynamic(&c->c2.frame_fragment, - c->options.ce.fragment, SET_MTU_UPPER_BOUND); + frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type, + &c->options, get_link_socket_info(c)); fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment); } #endif 
@@ -4237,9 +4229,9 @@ init_instance(struct context *c, const struct env_set *env, const unsigned int f } #endif - /* initialize dynamic MTU variable */ - frame_calculate_mssfix(&c->c2.frame, &c->c1.ks.key_type, &c->options, - get_link_socket_info(c)); + /* initialize dynamic MTU based options (fragment/mssfix) */ + frame_calculate_dynamic(&c->c2.frame, &c->c1.ks.key_type, &c->options, + get_link_socket_info(c)); /* bind the TCP/UDP socket */ if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) @@ -4291,6 +4283,11 @@ init_instance(struct context *c, const struct env_set *env, const unsigned int f link_socket_init_phase2(c); } + /* Update dynamic frame calculation as exact transport socket information + * (IP vs IPv6) may be only available after socket phase2 has finished */ + frame_calculate_dynamic(&c->c2.frame, &c->c1.ks.key_type, &c->options, + get_link_socket_info(c)); + /* * Actually do UID/GID downgrade, and chroot, if requested. * May be delayed by --client, --pull, or --up-delay. diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c index b1f10d53e..5b18a8fa2 100644 --- a/src/openvpn/mss.c +++ b/src/openvpn/mss.c @@ -33,6 +33,7 @@ #include "crypto.h" #include "ssl_common.h" #include "memdbg.h" +#include "forward.h" /* * Lower MSS on TCP SYN packets to fix MTU 
@@ -227,16 +228,41 @@ get_ip_encap_overhead(const struct options *options, return datagram_overhead(af, lsi->proto); } -void -frame_calculate_mssfix(struct frame *frame, struct key_type *kt, - const struct options *options, - struct link_socket_info *lsi) +static void +frame_calculate_fragment(struct frame *frame, struct key_type *kt, + const struct options *options, + struct link_socket_info *lsi) { - if (options->ce.mssfix == 0) +#if defined(ENABLE_FRAGMENT) + unsigned int payload_size; + unsigned int overhead; + + payload_size = frame_calculate_payload_size(frame, options); + + overhead = frame_calculate_protocol_header_size(kt, options, payload_size, + false); + + /* The 4 bytes of header that fragment adds itself. The other extra payload + * bytes (Ethernet header/compression) are handled by the fragment code + * just as part of the payload and therefore automatically taken into + * account if the packet needs to fragmented */ + overhead += 4; + + if (options->ce.fragment_encap) { - return; + overhead += get_ip_encap_overhead(options, lsi); } + /* Calculate the maximum fragment size */ + frame->max_fragment_size = options->ce.fragment - overhead; +#endif +} + +static void +frame_calculate_mssfix(struct frame *frame, struct key_type *kt, + const struct options *options, + struct link_socket_info *lsi) +{ unsigned int payload_size; unsigned int overhead; 
@@ -270,4 +296,65 @@ frame_calculate_mssfix(struct frame *frame, struct key_type *kt, /* Calculate the maximum MSS value from the max link layer size specified * by ce.mssfix */ frame->mss_fix = options->ce.mssfix - overhead - payload_overhead; -} \ No newline at end of file +} + +void +frame_calculate_dynamic(struct frame *frame, struct key_type *kt, + const struct options *options, + struct link_socket_info *lsi) +{ + if (options->ce.fragment > 0) + { + frame_calculate_fragment(frame, kt, options, lsi); + } + + if (options->ce.mssfix > 0) + { + frame_calculate_mssfix(frame, kt, options, lsi); + } +} + +/* + * Adjust frame structure based on a Path MTU value given + * to us by the OS. + */ +void +frame_adjust_path_mtu(struct context *c) +{ + struct link_socket_info *lsi = get_link_socket_info(c); + struct options *o = &c->options; + + int pmtu = c->c2.link_socket->mtu; + sa_family_t af = lsi->lsa->actual.dest.addr.sa.sa_family; + int proto = lsi->proto; + + int encap_overhead = datagram_overhead(af, proto); + + /* check if mssfix and fragment need to be adjusted */ + if (pmtu < o->ce.mssfix + || (o->ce.mssfix_encap && pmtu < o->ce.mssfix + encap_overhead)) + { + const char* mtustr = o->ce.mssfix_encap ? " mtu" : ""; + msg(D_MTU_INFO, "Note adjusting 'mssfix %d %s' to 'mssfix %d mtu' " + "according to path MTU discovery", o->ce.mssfix, + mtustr, pmtu); + o->ce.mssfix = pmtu; + o->ce.mssfix_encap = true; + frame_calculate_dynamic(&c->c2.frame, &c->c1.ks.key_type, o, lsi); + } + +#if defined(ENABLE_FRAGMENT) + if (pmtu < o->ce.fragment || + (o->ce.fragment_encap && pmtu < o->ce.fragment + encap_overhead)) + { + const char* mtustr = o->ce.fragment_encap ? " mtu" : ""; + msg(D_MTU_INFO, "Note adjusting 'fragment %d %s' to 'fragment %d mtu' " + "according to path MTU discovery", o->ce.mssfix, + mtustr, pmtu); + o->ce.fragment = pmtu; + o->ce.fragment_encap = true; + frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type, + o, lsi); + } +#endif +} 
diff --git a/src/openvpn/mss.h b/src/openvpn/mss.h index eecc79948..82e0c58f6 100644 --- a/src/openvpn/mss.h +++ b/src/openvpn/mss.h @@ -36,8 +36,15 @@ void mss_fixup_ipv6(struct buffer *buf, int maxmss); void mss_fixup_dowork(struct buffer *buf, uint16_t maxmss); /** Set the --mssfix option. */ -void frame_calculate_mssfix(struct frame *frame, struct key_type *kt, - const struct options *options, - struct link_socket_info *lsi); +void frame_calculate_dynamic(struct frame *frame, struct key_type *kt, + const struct options *options, + struct link_socket_info *lsi); + +/** + * Checks and adjusts the fragment and mssfix value according to the + * discovered path mtu value + * @param c context to adjust + */ +void frame_adjust_path_mtu(struct context *c); #endif diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index 88a42a0c5..62a66c8fd 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c 
@@ -179,68 +179,6 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame) return payload + overhead; } -void -frame_finalize(struct frame *frame, - bool link_mtu_defined, - int link_mtu, - bool tun_mtu_defined, - int tun_mtu) -{ - /* Set link_mtu based on command line options */ - if (tun_mtu_defined) - { - ASSERT(!link_mtu_defined); - frame->link_mtu = tun_mtu + TUN_LINK_DELTA(frame); - } - else - { - ASSERT(link_mtu_defined); - frame->link_mtu = link_mtu; - } - - if (TUN_MTU_SIZE(frame) < TUN_MTU_MIN) - { - msg(M_WARN, "TUN MTU value (%d) must be at least %d", TUN_MTU_SIZE(frame), TUN_MTU_MIN); - frame_print(frame, M_FATAL, "MTU is too small"); - } - - frame->link_mtu_dynamic = frame->link_mtu; -} - -/* - * Set the tun MTU dynamically. - */ -void -frame_set_mtu_dynamic(struct frame *frame, int mtu, unsigned int flags) -{ - -#ifdef ENABLE_DEBUG - const int orig_mtu = mtu; - const int orig_link_mtu_dynamic = frame->link_mtu_dynamic; -#endif - - ASSERT(mtu >= 0); - - if (flags & SET_MTU_TUN) - { - mtu += TUN_LINK_DELTA(frame); - } - - if (!(flags & SET_MTU_UPPER_BOUND) || mtu < frame->link_mtu_dynamic) - { - frame->link_mtu_dynamic = constrain_int( - mtu, - EXPANDED_SIZE_MIN(frame), - EXPANDED_SIZE(frame)); - } - - dmsg(D_MTU_DEBUG, "MTU DYNAMIC mtu=%d, flags=%u, %d -> %d", - orig_mtu, - flags, - orig_link_mtu_dynamic, - frame->link_mtu_dynamic); -} - /* * Move extra_frame octets into extra_tun. Used by fragmenting code * to adjust frame relative to its position in the buffer processing 
@@ -266,12 +204,14 @@ frame_print(const struct frame *frame, } buf_printf(&out, "["); buf_printf(&out, " mss_fix:%d", frame->mss_fix); +#ifdef ENABLE_FRAGMENT + buf_printf(&out, " max_frag:%d", frame->max_fragment_size); +#endif buf_printf(&out, " tun_mtu:%d", frame->tun_mtu); buf_printf(&out, " headroom:%d", frame->buf.headroom); buf_printf(&out, " payload:%d", frame->buf.payload_size); buf_printf(&out, " tailroom:%d", frame->buf.tailroom); buf_printf(&out, " L:%d", frame->link_mtu); - buf_printf(&out, " D:%d", frame->link_mtu_dynamic); buf_printf(&out, " EF:%d", frame->extra_frame); buf_printf(&out, " EB:%d", frame->extra_buffer); buf_printf(&out, " ET:%d", frame->extra_tun); diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index ace33a74a..06a00b5bb 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -113,14 +113,18 @@ struct frame { int link_mtu; /**< Maximum packet size to be sent over * the external network interface. */ - unsigned int mss_fix; /**< The actual MSS value that should be + unsigned int mss_fix; /**< The actual MSS value that should be * written to the payload packets. This * is the value for IPv4 TCP packets. For * IPv6 packets another 20 bytes must * be subtracted */ - int link_mtu_dynamic; /**< Dynamic MTU value for the external - * network interface. */ + int max_fragment_size; /**< The maximum size of a fragment. + * Fragmentation is done on the unencrypted + * payload after (potential) compression. So + * this value specifies the maximum payload + * size that can be send in a single fragment + */ int extra_frame; /**< Maximum number of bytes that all * processing steps together could add. @@ -195,7 +199,6 @@ struct options; * a tap device ifconfiged to an MTU of 1200 might actually want * to return a packet size of 1214 on a read(). */ -#define PAYLOAD_SIZE_DYNAMIC(f) ((f)->link_mtu_dynamic - (f)->extra_frame) #define PAYLOAD_SIZE(f) ((f)->buf.payload_size) /* 
@@ -203,7 +206,6 @@ struct options; * overhead is added. */ #define EXPANDED_SIZE(f) ((f)->link_mtu) -#define EXPANDED_SIZE_DYNAMIC(f) ((f)->link_mtu_dynamic) #define EXPANDED_SIZE_MIN(f) (TUN_MTU_MIN + TUN_LINK_DELTA(f)) /* @@ -224,16 +226,6 @@ struct options; #define FRAME_HEADROOM(f) ((f)->buf.headroom) -/* - * Function prototypes. - */ - -void frame_finalize(struct frame *frame, - bool link_mtu_defined, - int link_mtu, - bool tun_mtu_defined, - int tun_mtu); - void frame_subtract_extra(struct frame *frame, const struct frame *src); void frame_print(const struct frame *frame, diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 8997fa988..e1792d510 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -6115,11 +6115,19 @@ add_option(struct options *options, msg(msglevel, "--mtu-dynamic has been replaced by --fragment"); goto err; } - else if (streq(p[0], "fragment") && p[1] && !p[2]) + else if (streq(p[0], "fragment") && p[1] && !p[3]) { -/* VERIFY_PERMISSION (OPT_P_MTU); */ VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); options->ce.fragment = positive_atoi(p[1]); + + if (p[2] && streq(p[2], "mtu")) + { + options->ce.fragment_encap = true; + } + else if (p[2]) + { + msg(msglevel, "Unknown parameter to --fragment: %s", p[2]); + } } #endif else if (streq(p[0], "mtu-disc") && p[1] && !p[2]) diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 557edab9b..256318291 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -125,6 +125,8 @@ struct connection_entry int mtu_discover_type; /* used if OS supports setting Path MTU discovery options on socket */ int fragment; /* internal fragmentation size */ + bool fragment_encap; /* true if --fragment had the "mtu" parameter to + * include overhead from IP and TCP/UDP encapsulation */ int mssfix; /* Upper bound on TCP MSS */ bool mssfix_default; /* true if --mssfix was supplied without a parameter * or 0 was specified as MTU */ 
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 93d2e61ec..fe1dfb315 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -1644,17 +1644,6 @@ socket_frame_init(const struct frame *frame, struct link_socket *sock) } } -/* - * Adjust frame structure based on a Path MTU value given - * to us by the OS. - */ -void -frame_adjust_path_mtu(struct frame *frame, int pmtu, sa_family_t af, int proto) -{ - frame_set_mtu_dynamic(frame, pmtu - datagram_overhead(af, proto), - SET_MTU_UPPER_BOUND); -} - static void resolve_bind_local(struct link_socket *sock, const sa_family_t af) { diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index 936ef2623..a43ed80b5 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h @@ -300,8 +300,6 @@ void do_preresolve(struct context *c); void socket_adjust_frame_parameters(struct frame *frame, int proto); -void frame_adjust_path_mtu(struct frame *frame, int pmtu, sa_family_t af, int proto); - void link_socket_close(struct link_socket *sock); void sd_close(socket_descriptor_t *sd); diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index c5b085646..79a5660bd 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -331,7 +331,6 @@ tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame /* set dynamic link MTU to cap control channel packets at 1250 bytes */ ASSERT(TUN_LINK_DELTA(frame) < min_int(frame->link_mtu, 1250)); - frame->link_mtu_dynamic = min_int(frame->link_mtu, 1250) - TUN_LINK_DELTA(frame); /* calculate the maximum overhead that control channel frames may have */ int overhead = 0; 
@@ -1912,9 +1911,8 @@ tls_session_update_crypto_params_do_work(struct tls_session *session, frame_remove_from_extra_frame(frame, crypto_max_overhead()); crypto_adjust_frame_parameters(frame, &session->opt->key_type, options->replay, packet_id_long_form); - frame_finalize(frame, options->ce.link_mtu_defined, options->ce.link_mtu, - options->ce.tun_mtu_defined, options->ce.tun_mtu); - frame_calculate_mssfix(frame, &session->opt->key_type, options, lsi); + frame_calculate_dynamic(frame, &session->opt->key_type, options, lsi); + frame_print(frame, D_MTU_INFO, "Data Channel MTU parms"); /* @@ -1929,7 +1927,7 @@ tls_session_update_crypto_params_do_work(struct tls_session *session, frame_remove_from_extra_frame(frame_fragment, crypto_max_overhead()); crypto_adjust_frame_parameters(frame_fragment, &session->opt->key_type, options->replay, packet_id_long_form); - frame_set_mtu_dynamic(frame_fragment, options->ce.fragment, SET_MTU_UPPER_BOUND); + frame_calculate_dynamic(frame_fragment, &session->opt->key_type, options, lsi); frame_print(frame_fragment, D_MTU_INFO, "Fragmentation MTU parms"); } @@ -2982,6 +2980,7 @@ tls_process(struct tls_multi *multi, if (buf) { int status = key_state_read_ciphertext(&ks->ks_ssl, buf, multi->opt.frame.tun_mtu); + if (status == -1) { msg(D_TLS_ERRORS, 
@@ -3827,17 +3826,6 @@ tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, goto error; } - if (buf->len > EXPANDED_SIZE_DYNAMIC(&tas->frame)) - { - dmsg(D_TLS_STATE_ERRORS, - "TLS State Error: Large packet (size %d) received from %s -- a packet no larger than %d bytes was expected", - buf->len, - print_link_socket_actual(from, &gc), - EXPANDED_SIZE_DYNAMIC(&tas->frame)); - goto error; - } - - struct buffer newbuf = clone_buf(buf); struct tls_wrap_ctx tls_wrap_tmp = tas->tls_wrap;

From patchwork Tue Dec 7 06:02:05 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2133
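Review bot: the new heading in the Changes.rst hunk misspells the option as ``--fragement``; it should be ``--fragment``. The sentence kept from the old text, "different overhead for IPv4/IPv6 should taken into account", is also missing "be" and can be fixed in the same edit since that paragraph is rewritten anyway.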
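Review bot: frame_adjust_path_mtu(c) now adjusts both mssfix and fragment, but after this patch its only caller is check_fragment() in forward.c (the socket.c variant is removed). If check_fragment() only runs when --fragment is configured, a --mssfix-only setup never receives the path-MTU hint at all; please confirm, or call frame_adjust_path_mtu() from the common path so the mssfix case is covered too.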
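Review bot: the mtu.c hunk deletes frame_finalize() together with its sanity check `if (TUN_MTU_SIZE(frame) < TUN_MTU_MIN)` that aborted with "MTU is too small", and nothing in this patch re-adds that check. Either keep the check in frame_finalize_options() or state in the commit message where the minimum tun MTU is still enforced.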
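Review bot: in frame_calculate_fragment() the result `frame->max_fragment_size = options->ce.fragment - overhead;` mixes an int with the unsigned `overhead` and stores it without any bound check; for a small --fragment value (or a large crypto plus encapsulation overhead) this wraps and ends up negative, after which `buf->len > frame->max_fragment_size` in fragment_outgoing() is true for every packet. The replaced frame_set_mtu_dynamic() clamped via constrain_int(); at minimum fail hard when overhead >= options->ce.fragment.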
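Review bot: in the fragment branch of frame_adjust_path_mtu() the msg() passes `o->ce.mssfix` as the old value, so the line reads "fragment <mssfix value>"; it should be `o->ce.fragment`. The trigger conditions also look inverted with respect to the *_encap flags: when mssfix_encap is false the configured value excludes the IP/UDP headers, so that is the case needing `pmtu < o->ce.mssfix + encap_overhead`, while with mssfix_encap true the plain `pmtu < o->ce.mssfix` already suffices (same for the fragment branch). The format "'mssfix %d %s'" with mtustr " mtu" also prints a double space; "%d%s" avoids it. Finally, the function now rewrites o->ce.mssfix/fragment and the _encap flags in place instead of only the frame, so a later reconnect keeps the lowered values; if that is intended, a comment saying so would help.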
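Review bot: the mss.h hunk leaves the doc comment "/** Set the --mssfix option. */" above frame_calculate_dynamic(), which now also computes max_fragment_size; update the comment to describe both calculations.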
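Review bot: in the options.c hunk an unrecognised second argument to --fragment is only reported with msg(msglevel, ...) and parsing continues with fragment_encap left false, so a typo like "mtuu" silently changes how the size is interpreted. The neighbouring --mtu-dynamic branch does `goto err` after its message; do the same here.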
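Review bot: in the tls_init_control_channel_frame_parameters() hunk the assignment to link_mtu_dynamic is removed but the comment "set dynamic link MTU to cap control channel packets at 1250 bytes" and the ASSERT below it stay, so the comment now describes code that no longer exists. Either drop both or replace the comment with a note on what still bounds control channel packets.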
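Review bot: the tls_process() hunk only inserts an empty line after key_state_read_ciphertext(); it is unrelated whitespace churn and should be dropped from this patch.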
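Review bot: the tls_pre_decrypt_lite() hunk removes the "Large packet" rejection together with EXPANDED_SIZE_DYNAMIC, so oversized packets from not-yet-authenticated peers are no longer refused at this point. If the receive buffer size already bounds buf->len the removal is fine, but the commit message should say so; otherwise keep the check against a static bound such as EXPANDED_SIZE(&tas->frame).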
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Dec 2021 18:02:05 +0100
Message-Id: <20211207170211.3275837-16-arne@rfc2549.org>
In-Reply-To: <20211207170211.3275837-1-arne@rfc2549.org>
References: <20211207170211.3275837-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 15/21] Update fragment and mssfix related warnings

The warning that fragment/mssfix needs also tun-mtu set to 1500 makes little sense. Remove it completely. Instead warn if there are inconsistencies between --fragment and mssfix.

Signed-off-by: Arne Schwabe
Acked-by: Frank Lichtenheld
---
src/openvpn/init.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 31ae250bc..4f08e560a 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c
@@ -3183,12 +3183,17 @@ do_init_frame(struct context *c) #endif #ifdef ENABLE_FRAGMENT - if ((c->options.ce.mssfix || c->options.ce.fragment) - && TUN_MTU_SIZE(&c->c2.frame_fragment) != ETHERNET_MTU) + if (c->options.ce.fragment > 0 && c->options.ce.mssfix > c->options.ce.fragment) { - msg(M_WARN, - "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)", - ETHERNET_MTU, TUN_MTU_SIZE(&c->c2.frame_fragment)); + msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should " + "set --fragment (%d) larger than --mssfix (%d)", + c->options.ce.fragment, c->options.ce.mssfix); + } + if (c->options.ce.fragment > 0 && c->options.ce.mssfix > 0 + && c->options.ce.fragment_encap != c->options.ce.mssfix_encap) + { + msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should " + "use the mtu for both or none."); } #endif }

From patchwork Tue Dec 7 06:02:06 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2143
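Review bot: the first check in the do_init_frame() hunk compares c->options.ce.mssfix > c->options.ce.fragment without regard to the fragment_encap/mssfix_encap flags, so when only one of the two options carries the mtu parameter it compares a total packet size with a pre-encapsulation size. Either bring both onto the same basis before comparing, or run the size comparison only when the flags agree (the second check already reports the mismatch). The second warning's text "use the mtu for both or none." would also read better as "use the mtu parameter for both or for neither."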
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Dec 2021 18:02:06 +0100
Message-Id: <20211207170211.3275837-17-arne@rfc2549.org>
In-Reply-To: <20211207170211.3275837-1-arne@rfc2549.org>
References: <20211207170211.3275837-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 16/21] Remove link_mtu parameter when running up/down scripts

The link mtu is no longer used and calculating a compatibility link MTU just for scripts makes little sense as well. Replace the parameter instead with a fixed parameter 0.

Signed-off-by: Arne Schwabe
---
Changes.rst | 2 ++
src/openvpn/init.c | 16 +++-------------
2 files changed, 5 insertions(+), 13 deletions(-)

diff --git a/Changes.rst b/Changes.rst index c673196fa..3ae994022 100644 --- a/Changes.rst +++ b/Changes.rst @@ -129,6 +129,8 @@ User-visible Changes - CHACHA20-POLY1305 is included in the default of ``--data-ciphers`` when available. - Option ``--prng`` is ignored as we rely on the SSL library random number generator. - Option ``--nobind`` is default when ``--client`` or ``--pull`` is used in the configuration +- :code:`link_mtu` parameter is removed from environment or replaced with 0 when scripts are + called with parameters. This parameter is unreliable and no longer internally calculated. Overview of changes in 2.5 ========================== diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 4f08e560a..72ffbfdfc 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c
@@ -113,7 +113,6 @@ run_up_down(const char *command, #endif const char *dev_type, int tun_mtu, - int link_mtu, const char *ifconfig_local, const char *ifconfig_remote, const char *context, @@ -129,7 +128,6 @@ run_up_down(const char *command, } setenv_str(es, "script_context", context); setenv_int(es, "tun_mtu", tun_mtu); - setenv_int(es, "link_mtu", link_mtu); setenv_str(es, "dev", arg); if (dev_type) { @@ -157,11 +155,8 @@ run_up_down(const char *command, struct argv argv = argv_new(); ASSERT(arg); argv_printf(&argv, - "%s %d %d %s %s %s", - arg, - tun_mtu, link_mtu, - ifconfig_local, ifconfig_remote, - context); + "%s %d 0 %s %s %s", + arg, tun_mtu, ifconfig_local, ifconfig_remote, context); if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS) { @@ -177,7 +172,7 @@ run_up_down(const char *command, ASSERT(arg); setenv_str(es, "script_type", script_type); argv_parse_cmd(&argv, command); - argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu, + argv_printf_cat(&argv, "%s %d 0 %s %s %s", arg, tun_mtu, ifconfig_local, ifconfig_remote, context); argv_msg(M_INFO, &argv); openvpn_run_script(&argv, es, S_FATAL, "--up/--down"); @@ -1784,7 +1779,6 @@ do_open_tun(struct context *c) #endif dev_type_string(c->options.dev, c->options.dev_type), TUN_MTU_SIZE(&c->c2.frame), - EXPANDED_SIZE(&c->c2.frame), print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init", @@ -1834,7 +1828,6 @@ else #endif dev_type_string(c->options.dev, c->options.dev_type), TUN_MTU_SIZE(&c->c2.frame), - EXPANDED_SIZE(&c->c2.frame), print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "restart", 
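Review bot: in the two `run_up_down` hunks `@@ -157,11 +155,8 @@` and `@@ -177,7 +172,7 @@` the format string `"%s %d 0 %s %s %s"` now carries a bare literal `0` with nothing in the code saying what it is; add a comment at the first occurrence stating that the second positional argument used to be link_mtu and is kept as a fixed 0 only so that existing scripts and plugins keep their argument positions. Note the failure mode this creates: a script that did anything with `$2` other than ignore it (for example passing it to an MTU setting) now silently receives 0 instead of failing loudly, and with `setenv_int(es, "link_mtu", link_mtu)` gone `$link_mtu` is simply unset; the Changes.rst entry should spell both of these out rather than only saying the parameter "is unreliable".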
@@ -1914,7 +1907,6 @@ do_close_tun(struct context *c, bool force) #endif NULL, TUN_MTU_SIZE(&c->c2.frame), - EXPANDED_SIZE(&c->c2.frame), print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init", @@ -1945,7 +1937,6 @@ do_close_tun(struct context *c, bool force) #endif NULL, TUN_MTU_SIZE(&c->c2.frame), - EXPANDED_SIZE(&c->c2.frame), print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init", 
@@ -1984,7 +1975,6 @@ do_close_tun(struct context *c, bool force) #endif NULL, TUN_MTU_SIZE(&c->c2.frame), - EXPANDED_SIZE(&c->c2.frame), print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "restart",

From patchwork Tue Dec 7 06:02:07 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2127
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Dec 2021 18:02:07 +0100
Message-Id: <20211207170211.3275837-18-arne@rfc2549.org>
In-Reply-To: <20211207170211.3275837-1-arne@rfc2549.org>
References: <20211207170211.3275837-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 17/21] Use new frame header methods to calculate OCC_MTU_LOAD payload size

Signed-off-by: Arne Schwabe
---
 src/openvpn/occ.c | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)

diff --git a/src/openvpn/occ.c b/src/openvpn/occ.c index c4e7c1be2..05e2d4b85 100644 --- a/src/openvpn/occ.c +++ b/src/openvpn/occ.c @@ -199,8 +199,12 @@ check_send_occ_load_test_dowork(struct context *c) if (entry->op >= 0) { c->c2.occ_op = entry->op; - c->c2.occ_mtu_load_size = - EXPANDED_SIZE(&c->c2.frame) + entry->delta; + size_t payload_size = frame_calculate_payload_size(&c->c2.frame, + &c->options); + size_t header_size = frame_calculate_protocol_header_size(&c->c1.ks.key_type, &c->options, + payload_size, false); + + c->c2.occ_mtu_load_size = payload_size + header_size; } else {
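Review bot: the `@@ -199,8 +199,12 @@ check_send_occ_load_test_dowork` hunk drops `entry->delta`. The removed line computed `EXPANDED_SIZE(&c->c2.frame) + entry->delta`; the new `c->c2.occ_mtu_load_size = payload_size + header_size;` adds nothing per entry, so every probe of the load test is sent at the same size and the ramp of sizes the empirical MTU test exists for is gone. Put `+ entry->delta` back. Two smaller points on the same lines: `payload_size` and `header_size` are `size_t` and are stored into `occ_mtu_load_size`, which the later `min_int(c->c2.occ_mtu_load_size, ...)` call shows is an `int`, so cast explicitly (the dmsg hunk further down does this with `(int)`); and the commit message is empty, so it should at least say that `EXPANDED_SIZE`/`EXTRA_FRAME` are being retired and what the two new helpers compute in their place.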
@@ -298,10 +302,21 @@ check_send_occ_msg_dowork(struct context *c) { break; } - need_to_add = min_int(c->c2.occ_mtu_load_size, EXPANDED_SIZE(&c->c2.frame)) + size_t proto_hdr, payload_hdr; + + /* OCC message have comp/fragment headers but not ethernet headers */ + payload_hdr = frame_calculate_payload_overhead(&c->c2.frame, &c->options, + false); + + /* Since we do not know the payload size we just pass 0 as size here */ + proto_hdr = frame_calculate_protocol_header_size(&c->c1.ks.key_type, + &c->options, 0, false); + + need_to_add = min_int(c->c2.occ_mtu_load_size, c->c2.frame.buf.payload_size) - OCC_STRING_SIZE - - sizeof(uint8_t) - - EXTRA_FRAME(&c->c2.frame); + - sizeof(uint8_t) /* occ opcode */ + - payload_hdr + - proto_hdr; while (need_to_add > 0) { 
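Review bot: in `@@ -298,10 +302,21 @@ check_send_occ_msg_dowork` the protocol overhead is estimated with a payload size of 0 (`frame_calculate_protocol_header_size(&c->c1.ks.key_type, &c->options, 0, false)`) and the comment only says the real size is unknown. If the helper's result depends on the payload length (it takes one, and block-cipher padding would make it matter), the estimate for 0 can be smaller than the overhead of the packet actually built, and `need_to_add` overshoots by the difference, which is the one thing an MTU probe must not do; either say in the comment why 0 is safe for an OCC_MTU_LOAD packet or derive the size from `c->c2.occ_mtu_load_size`, which is known here. Separately, `payload_hdr` and `proto_hdr` are `size_t`, so `- payload_hdr - proto_hdr` makes the whole expression unsigned before it is stored in `need_to_add`, whose `min_int()` origin and `while (need_to_add > 0)` guard show it is a signed `int`; the old code had the same wrinkle with `sizeof(uint8_t)` alone, but with three unsigned terms it deserves explicit `int` casts (or `int` declarations) so a negative result stays negative. The new comment should also read "OCC messages have", not "OCC message have".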
@@ -314,12 +329,13 @@ check_send_occ_msg_dowork(struct context *c) } --need_to_add; } - dmsg(D_PACKET_CONTENT, "SENT OCC_MTU_LOAD min_int(%d-%d-%d-%d,%d) size=%d", + dmsg(D_PACKET_CONTENT, "SENT OCC_MTU_LOAD min_int(%d,%d)-%d-%d-%d-%d) size=%d", c->c2.occ_mtu_load_size, + c->c2.frame.buf.payload_size, OCC_STRING_SIZE, (int) sizeof(uint8_t), - EXTRA_FRAME(&c->c2.frame), - c->c2.frame.buf.payload_size, + (int) payload_hdr, + (int) proto_hdr, BLEN(&c->c2.buf)); doit = true; }

From patchwork Tue Dec 7 06:02:08 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2138
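Review bot: the new format string in the last hunk of patch 17/21, `@@ -314,12 +329,13 @@`, reads `"SENT OCC_MTU_LOAD min_int(%d,%d)-%d-%d-%d-%d) size=%d"` and has a stray `)` after the last `%d`; the intended shape is `min_int(%d,%d)-%d-%d-%d-%d size=%d`. The seven conversions do line up with the seven arguments that follow, so this is cosmetic, but this log line is what ends up in bug reports, so fix it before it is committed.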
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Dec 2021 18:02:08 +0100
Message-Id: <20211207170211.3275837-19-arne@rfc2549.org>
In-Reply-To: <20211207170211.3275837-1-arne@rfc2549.org>
References: <20211207170211.3275837-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 18/21] Remove extra_link from frame

The previous commits removed any reads from this variable. So we can now safely remove it.

Signed-off-by: Arne Schwabe
---
 src/openvpn/init.c  | 19 -------------------
 src/openvpn/mtu.c   |  1 -
 src/openvpn/mtu.h   | 13 -------------
 src/openvpn/socks.c | 11 +----------
 src/openvpn/socks.h |  2 --
 src/openvpn/ssl.c   |  1 -
 6 files changed, 1 insertion(+), 46 deletions(-)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 72ffbfdfc..9d9dfe96a 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3099,14 +3099,6 @@ do_init_frame(struct context *c) } #endif /* USE_COMP */ - /* - * Adjust frame size for UDP Socks support. - */ - if (c->options.ce.socks_proxy_server) - { - socks_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto); - } - /* * Adjust frame size based on the --tun-mtu-extra parameter. */
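Review bot: `@@ -3099,14 +3099,6 @@ do_init_frame` deletes the only explicit reservation of the 10-byte SOCKS5 UDP header (`socks_adjust_frame_parameters`), and the following hunk deletes the 3-byte peer-id reservation together with the comment that explained why a server must be able to receive link_mtu+3 bytes on the socket. The commit message only says that reads of `extra_link` were removed by earlier patches; those reservations were writes, so the message should also name the buffer-size computation that now covers the 13 bytes, because a reader of this patch alone cannot see where that headroom went and an undersized receive buffer is a correctness problem, not a cleanup.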
@@ -3139,17 +3131,6 @@ do_init_frame(struct context *c) #endif #endif /* USE_COMP */ - /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client) - * and need link_mtu+3 bytes on socket reception (on server). - * - * accommodate receive path in f->extra_link, which has the side effect of - * also increasing send buffers (BUF_SIZE() macro), which need to be - * allocated big enough before receiving peer-id option from server. - * - * f->extra_frame is adjusted when peer-id option is push-received - */ - frame_add_to_extra_link(&c->c2.frame, 3); - #ifdef ENABLE_FRAGMENT /* * Set frame parameter for fragment code. This is necessary because diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index 62a66c8fd..9ca58c1f0 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c @@ -215,7 +215,6 @@ frame_print(const struct frame *frame, buf_printf(&out, " EF:%d", frame->extra_frame); buf_printf(&out, " EB:%d", frame->extra_buffer); buf_printf(&out, " ET:%d", frame->extra_tun); - buf_printf(&out, " EL:%d", frame->extra_link); buf_printf(&out, " ]"); msg(level, "%s", out.data); diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index 06a00b5bb..1c479c9f5 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -163,13 +163,6 @@ struct frame { * which defaults to 0 for tun and 32 * (\c TAP_MTU_EXTRA_DEFAULT) for tap. * */ - - int extra_link; /**< Maximum number of bytes in excess of - * external network interface's MTU that - * might be read from or written to it. - * - * Used by peer-id (3) and - * socks UDP (10) */ }; /* Forward declarations, to prevent includes */ @@ -359,12 +352,6 @@ frame_add_to_extra_tun(struct frame *frame, const int increment) frame->extra_tun += increment; } -static inline void -frame_add_to_extra_link(struct frame *frame, const int increment) -{ - frame->extra_link += increment; -} - static inline void frame_add_to_extra_buffer(struct frame *frame, const int increment) { 
diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c index 27a583313..6935e761a 100644 --- a/src/openvpn/socks.c +++ b/src/openvpn/socks.c @@ -49,15 +49,6 @@ #define UP_TYPE_SOCKS "SOCKS Proxy" -void -socks_adjust_frame_parameters(struct frame *frame, int proto) -{ - if (proto == PROTO_UDP) - { - frame_add_to_extra_link(frame, 10); - } -} - struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, @@ -610,7 +601,7 @@ socks_process_outgoing_udp(struct buffer *buf, /* * Get a 10 byte subset buffer prepended to buf -- * we expect these bytes will be here because - * we allocated frame space in socks_adjust_frame_parameters. + * we always allocate space for these bytes */ struct buffer head = buf_sub(buf, 10, true); diff --git a/src/openvpn/socks.h b/src/openvpn/socks.h index 9bda2e808..4ab30f55f 100644 --- a/src/openvpn/socks.h +++ b/src/openvpn/socks.h @@ -42,8 +42,6 @@ struct socks_proxy_info { char authfile[256]; }; -void socks_adjust_frame_parameters(struct frame *frame, int proto); - struct socks_proxy_info *socks_proxy_new(const char *server, const char *port, const char *authfile); diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 79a5660bd..d55ffcdd2 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c 
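Review bot: the comment rewrite in `@@ -610,7 +601,7 @@ socks_process_outgoing_udp` replaces a pointer to where the headroom came from (`we allocated frame space in socks_adjust_frame_parameters`) with the bare claim `we always allocate space for these bytes`, while the same patch removes that very reservation. A comment that asserts a guarantee should name the allocation that provides it (the helper or size macro `buf_sub(buf, 10, true)` now relies on); and if, as before, the headroom is enforced with an assertion rather than handled, a wrong claim here turns into a daemon crash on the first SOCKS UDP packet instead of a dropped packet, which is worth saying in the commit message.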
@@ -322,7 +322,6 @@ tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame /* inherit link MTU and extra_link from data channel */ frame->link_mtu = data_channel_frame->link_mtu; - frame->extra_link = data_channel_frame->extra_link; /* set extra_frame */ tls_adjust_frame_parameters(frame);

From patchwork Tue Dec 7 06:02:09 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2134
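Review bot: in the ssl.c hunk of patch 18/21, `@@ -322,7 +322,6 @@ tls_init_control_channel_frame_parameters`, the context line `/* inherit link MTU and extra_link from data channel */` is left in place while the `frame->extra_link = data_channel_frame->extra_link;` line below it is removed, so the comment now describes a field that no longer exists; change it to `/* inherit link MTU from data channel */` in this hunk.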
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Dec 2021 18:02:09 +0100
Message-Id: <20211207170211.3275837-20-arne@rfc2549.org>
In-Reply-To: <20211207170211.3275837-1-arne@rfc2549.org>
References: <20211207170211.3275837-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 19/21] Replace TUN_MTU_SIZE with frame->tun_mtu

This always uses the configured MTU size instead of relying on the calculated MTU size.

Signed-off-by: Arne Schwabe
---
 src/openvpn/forward.c |  2 +-
 src/openvpn/init.c    | 16 ++++++++--------
 src/openvpn/mtu.h     |  5 -----
 3 files changed, 9 insertions(+), 14 deletions(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 3f362e95d..5f8361d3e 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1379,7 +1379,7 @@ ipv6_send_icmp_unreachable(struct context *c, struct buffer *buf, bool client) * packet */ int max_payload_size = min_int(MAX_ICMPV6LEN, - TUN_MTU_SIZE(&c->c2.frame) - icmpheader_len); + c->c2.frame.tun_mtu - icmpheader_len); int payload_len = min_int(max_payload_size, BLEN(&inputipbuf)); pip6out.payload_len = htons(sizeof(struct openvpn_icmp6hdr) + payload_len);
diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 9d9dfe96a..a8717c92a 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c
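Review bot: the commit message says the configured MTU is now used instead of the calculated one, but `TUN_MTU_SIZE(f)` was `(f)->link_mtu - TUN_LINK_DELTA(f)` (see the mtu.h hunk at the end of this patch), which differs from `frame->tun_mtu` exactly when the user configured `--link-mtu` rather than `--tun-mtu`. The message should state what happens for that configuration: is `tun_mtu` now derived from `link_mtu` earlier so the two agree, or does the device MTU handed to `do_ifconfig` change for such users? The `@@ -1379,7 +1379,7 @@ ipv6_send_icmp_unreachable` hunk itself is a straight substitution and is fine either way.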
@@ -1735,7 +1735,7 @@ do_open_tun(struct context *c) c->options.dev_type, c->options.dev_node, &gc); - do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es, + do_ifconfig(c->c1.tuntap, guess, c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx); } @@ -1766,7 +1766,7 @@ do_open_tun(struct context *c) && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN) { do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name, - TUN_MTU_SIZE(&c->c2.frame), c->c2.es, &c->net_ctx); + c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx); } /* run the up script */ @@ -1778,7 +1778,7 @@ do_open_tun(struct context *c) c->c1.tuntap->adapter_index, #endif dev_type_string(c->options.dev, c->options.dev_type), - TUN_MTU_SIZE(&c->c2.frame), + c->c2.frame.tun_mtu, print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init", @@ -1827,7 +1827,7 @@ else c->c1.tuntap->adapter_index, #endif dev_type_string(c->options.dev, c->options.dev_type), - TUN_MTU_SIZE(&c->c2.frame), + c->c2.frame.tun_mtu, print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "restart", @@ -1906,7 +1906,7 @@ do_close_tun(struct context *c, bool force) adapter_index, #endif NULL, - TUN_MTU_SIZE(&c->c2.frame), + c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init", @@ -1936,7 +1936,7 @@ do_close_tun(struct context *c, bool force) adapter_index, #endif NULL, - TUN_MTU_SIZE(&c->c2.frame), + c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init", @@ -1974,7 +1974,7 @@ do_close_tun(struct context *c, bool force) adapter_index, #endif NULL, - TUN_MTU_SIZE(&c->c2.frame), + c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "restart", 
@@ -2154,7 +2154,7 @@ void adjust_mtu_peerid(struct context *c) { msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu" " fixed by config - reducing tun-mtu to %d, expect" - " MTU problems", TUN_MTU_SIZE(&c->c2.frame)); + " MTU problems", c->c2.frame.tun_mtu); } } diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index 1c479c9f5..b7c12b968 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h 
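Review bot: in `@@ -2154,7 +2154,7 @@ adjust_mtu_peerid` the warning still says `reducing tun-mtu to %d` but now prints `c->c2.frame.tun_mtu`. With the macro the printed value was computed from `link_mtu` minus the frame deltas at the moment of the call; with the field it is only correct if `frame.tun_mtu` has already been reduced by the time `msg()` runs. Please confirm the ordering, or print the value the function actually arrived at, because a warning that reports the old MTU while the effective one is smaller is worse than no warning.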
@@ -181,11 +181,6 @@ struct options; */ #define TUN_LINK_DELTA(f) ((f)->extra_frame + (f)->extra_tun) -/* - * This is the size to "ifconfig" the tun or tap device. - */ -#define TUN_MTU_SIZE(f) ((f)->link_mtu - TUN_LINK_DELTA(f)) - /* * This is the maximum packet size that we need to be able to * read from or write to a tun or tap device. For example,

From patchwork Tue Dec 7 06:02:10 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2141
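Review bot: the mtu.h hunk of patch 19/21, `@@ -181,11 +181,6 @@`, removes `TUN_MTU_SIZE` but leaves `#define TUN_LINK_DELTA(f) ((f)->extra_frame + (f)->extra_tun)` directly above it; if `TUN_MTU_SIZE` was its last user, remove it in the same patch rather than leaving a dead macro for the next series to find.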
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Dec 2021 18:02:10 +0100
Message-Id: <20211207170211.3275837-21-arne@rfc2549.org>
In-Reply-To: <20211207170211.3275837-1-arne@rfc2549.org>
References: <20211207170211.3275837-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 20/21] Remove frame->link_mtu

Signed-off-by: Arne Schwabe --- src/openvpn/comp.c | 8 -------- src/openvpn/comp.h | 2 -- src/openvpn/forward.c | 4 ++-- src/openvpn/init.c | 31 +++---------------------- src/openvpn/mtu.c | 1 - src/openvpn/mtu.h | 16 ---------------- src/openvpn/ssl.c | 9 --------- 7 files changed, 5 insertions(+), 66 deletions(-)
diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index ad49b00b9..2d89e944d 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c @@ -123,14 +123,6 @@ comp_add_to_extra_frame(struct frame *frame) frame_add_to_extra_frame(frame, COMP_PREFIX_LEN); } -void -comp_add_to_extra_buffer(struct frame *frame) -{ - /* Leave room for compression buffer to expand in worst case scenario - * where data is totally incompressible */ - frame_add_to_extra_buffer(frame, COMP_EXTRA_BUFFER(EXPANDED_SIZE(frame))); -} - void comp_print_stats(const struct compress_context *compctx, struct status_output *so) { diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h index 0d284e274..e42fc144f 100644 --- a/src/openvpn/comp.h +++ b/src/openvpn/comp.h
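Review bot: The comp.c hunk at -123 deletes comp_add_to_extra_buffer(), which was the one place that reserved COMP_EXTRA_BUFFER(EXPANDED_SIZE(frame)) bytes of slack for input that does not compress, yet the diffstat shows only a single deleted line in mtu.c, so the tailroom computation is not visibly updated in this patch. The commit message is only a Signed-off-by line; please add a sentence saying where the worst-case compression expansion is now reserved (and that EXPANDED_SIZE(f) is replaced by f->buf.payload_size throughout). Compressing incompressible data into a buffer without that slack writes past the payload, so this deserves an explicit pointer rather than being implied.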
@@ -178,8 +178,6 @@ void comp_uninit(struct compress_context *compctx); void comp_add_to_extra_frame(struct frame *frame); -void comp_add_to_extra_buffer(struct frame *frame); - void comp_print_stats(const struct compress_context *compctx, struct status_output *so); void comp_generate_peer_info_string(const struct compress_options *opt, struct buffer *out); diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 5f8361d3e..b6e9eabbb 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1544,7 +1544,7 @@ process_outgoing_link(struct context *c) perf_push(PERF_PROC_OUT_LINK); - if (c->c2.to_link.len > 0 && c->c2.to_link.len <= EXPANDED_SIZE(&c->c2.frame)) + if (c->c2.to_link.len > 0 && c->c2.to_link.len <= c->c2.frame.buf.payload_size) { /* * Setup for call to send/sendto which will send @@ -1672,7 +1672,7 @@ process_outgoing_link(struct context *c) msg(D_LINK_ERRORS, "TCP/UDP packet too large on write to %s (tried=%d,max=%d)", print_link_socket_actual(c->c2.to_link_addr, &gc), c->c2.to_link.len, - EXPANDED_SIZE(&c->c2.frame)); + c->c2.frame.buf.payload_size); } } diff --git a/src/openvpn/init.c b/src/openvpn/init.c index a8717c92a..abdf6aaf3 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2140,24 +2140,6 @@ pull_permission_mask(const struct context *c) return flags; } -static -void adjust_mtu_peerid(struct context *c) -{ - frame_add_to_extra_frame(&c->c2.frame, 3); /* peer-id overhead */ - if (!c->options.ce.link_mtu_defined) - { - frame_add_to_link_mtu(&c->c2.frame, 3); - msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d", - EXPANDED_SIZE(&c->c2.frame)); - } - else - { - msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu" - " fixed by config - reducing tun-mtu to %d, expect" - " MTU problems", c->c2.frame.tun_mtu); - } -} - static bool do_deferred_p2p_ncp(struct context *c) { 
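Review bot: Removing adjust_mtu_peerid() in the init.c hunk at -2140 also drops the M_WARN that told users a pushed peer-id combined with a config-fixed link-mtu reduces the effective tun-mtu, and the D_PUSH message reporting the adjusted link_mtu. With link_mtu gone the 3-byte peer-id overhead has to come out of buf.payload_size somewhere; either restore an equivalent warning at the new accounting point or say in the commit message where the peer-id bytes are now counted, so the behaviour change is deliberate rather than silent.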
@@ -2166,11 +2148,6 @@ do_deferred_p2p_ncp(struct context *c) return true; } - if (c->c2.tls_multi->use_peer_id) - { - adjust_mtu_peerid(c); - } - struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; const char *ncp_cipher = get_p2p_ncp_cipher(session, c->c2.tls_multi->peer_info, @@ -2292,7 +2269,6 @@ do_deferred_options(struct context *c, const unsigned int found) msg(D_PUSH, "OPTIONS IMPORT: peer-id set"); c->c2.tls_multi->use_peer_id = true; c->c2.tls_multi->peer_id = c->options.peer_id; - adjust_mtu_peerid(c); } /* process (potentially pushed) crypto options */ @@ -3032,8 +3008,8 @@ do_init_frame_tls(struct context *c) if (c->c2.tls_multi) { tls_multi_init_finalize(c->c2.tls_multi, &c->c2.frame); - ASSERT(EXPANDED_SIZE(&c->c2.tls_multi->opt.frame) <= - EXPANDED_SIZE(&c->c2.frame)); + ASSERT(c->c2.tls_multi->opt.frame.buf.payload_size <= + c->c2.frame.buf.payload_size); frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO, "Control Channel MTU parms"); } @@ -3125,9 +3101,8 @@ do_init_frame(struct context *c) * Modify frame parameters if compression is compiled in. * Should be called after frame_finalize_options. */ - comp_add_to_extra_buffer(&c->c2.frame); #ifdef ENABLE_FRAGMENT - comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */ + /*TODO:frame comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); omit compression frame delta from final frame_fragment */ #endif #endif /* USE_COMP */ diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index 9ca58c1f0..eb823165a 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c 
@@ -211,7 +211,6 @@ frame_print(const struct frame *frame, buf_printf(&out, " headroom:%d", frame->buf.headroom); buf_printf(&out, " payload:%d", frame->buf.payload_size); buf_printf(&out, " tailroom:%d", frame->buf.tailroom); - buf_printf(&out, " L:%d", frame->link_mtu); buf_printf(&out, " EF:%d", frame->extra_frame); buf_printf(&out, " EB:%d", frame->extra_buffer); buf_printf(&out, " ET:%d", frame->extra_tun); diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index b7c12b968..72cf80917 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -110,9 +110,6 @@ struct frame { * decryption/encryption or compression. */ } buf; - int link_mtu; /**< Maximum packet size to be sent over - * the external network interface. */ - unsigned int mss_fix; /**< The actual MSS value that should be * written to the payload packets. This * is the value for IPv4 TCP packets. For @@ -189,13 +186,6 @@ struct options; */ #define PAYLOAD_SIZE(f) ((f)->buf.payload_size) -/* - * Max size of a payload packet after encryption, compression, etc. - * overhead is added. - */ -#define EXPANDED_SIZE(f) ((f)->link_mtu) -#define EXPANDED_SIZE_MIN(f) (TUN_MTU_MIN + TUN_LINK_DELTA(f)) - /* * Control buffer headroom allocations to allow for efficient prepending. */ @@ -323,12 +313,6 @@ const char *format_extended_socket_error(int fd, int *mtu, struct gc_arena *gc); * frame member adjustment functions */ -static inline void -frame_add_to_link_mtu(struct frame *frame, const int increment) -{ - frame->link_mtu += increment; -} - static inline void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment) { diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index d55ffcdd2..bb1ff04cc 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c 
@@ -320,17 +320,11 @@ tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame * if --tls-auth is enabled. */ - /* inherit link MTU and extra_link from data channel */ - frame->link_mtu = data_channel_frame->link_mtu; - /* set extra_frame */ tls_adjust_frame_parameters(frame); reliable_ack_adjust_frame_parameters(frame, CONTROL_SEND_ACK_MAX); frame_add_to_extra_frame(frame, SID_SIZE + sizeof(packet_id_type)); - /* set dynamic link MTU to cap control channel packets at 1250 bytes */ - ASSERT(TUN_LINK_DELTA(frame) < min_int(frame->link_mtu, 1250)); - /* calculate the maximum overhead that control channel frames may have */ int overhead = 0; 
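Review bot: The ssl.c hunk at -320 deletes the ASSERT(TUN_LINK_DELTA(frame) < min_int(frame->link_mtu, 1250)) together with the comment describing the 1250-byte cap on control channel packets, but nothing in the hunk replaces that check. If the cap is now enforced by the `int overhead = 0;` calculation that follows in the trailing context, add a one-line comment there saying so; otherwise a control channel frame whose fixed overhead exceeds the cap is no longer caught at init time and will surface later as a send failure.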
@@ -1923,9 +1917,6 @@ tls_session_update_crypto_params_do_work(struct tls_session *session, if (frame_fragment) { - frame_remove_from_extra_frame(frame_fragment, crypto_max_overhead()); - crypto_adjust_frame_parameters(frame_fragment, &session->opt->key_type, - options->replay, packet_id_long_form); frame_calculate_dynamic(frame_fragment, &session->opt->key_type, options, lsi); frame_print(frame_fragment, D_MTU_INFO, "Fragmentation MTU parms"); }

From patchwork Tue Dec 7 06:02:11 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2137
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Dec 2021 18:02:11 +0100
Message-Id: <20211207170211.3275837-22-arne@rfc2549.org>
In-Reply-To: <20211207170211.3275837-1-arne@rfc2549.org>
References: <20211207170211.3275837-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 21/21] Remove frame.extra_frame and frame.extra_buffer

Signed-off-by: Arne Schwabe --- src/openvpn/comp.c | 7 ------ src/openvpn/comp.h | 2 -- src/openvpn/crypto.c | 37 --------------------------- src/openvpn/crypto.h | 7 ------ src/openvpn/fragment.c | 3 --- src/openvpn/init.c | 56 ----------------------------------------- src/openvpn/mtu.c | 14 ----------- src/openvpn/mtu.h | 42 ++----------------------------- src/openvpn/reliable.c | 7 ------ src/openvpn/reliable.h | 3 --- src/openvpn/socket.c | 10 -------- src/openvpn/socket.h | 2 -- src/openvpn/ssl.c | 21 ---------------- src/openvpn/ssl.h | 5 ---- src/openvpn/tls_crypt.c | 10 -------- src/openvpn/tls_crypt.h | 5 ---- 16 files changed, 2 insertions(+), 229 deletions(-)
diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index 2d89e944d..33bf21a7a 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c
@@ -116,13 +116,6 @@ comp_uninit(struct compress_context *compctx) } } -void -comp_add_to_extra_frame(struct frame *frame) -{ - /* Leave room for our one-byte compressed/didn't-compress prefix byte. */ - frame_add_to_extra_frame(frame, COMP_PREFIX_LEN); -} - void comp_print_stats(const struct compress_context *compctx, struct status_output *so) { diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h index e42fc144f..d059d6cd3 100644 --- a/src/openvpn/comp.h +++ b/src/openvpn/comp.h @@ -176,8 +176,6 @@ struct compress_context *comp_init(const struct compress_options *opt); void comp_uninit(struct compress_context *compctx); -void comp_add_to_extra_frame(struct frame *frame); - void comp_print_stats(const struct compress_context *compctx, struct status_output *so); void comp_generate_peer_info_string(const struct compress_options *opt, struct buffer *out); diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index b4b8ca54b..f4f23427b 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -722,43 +722,6 @@ calculate_crypto_overhead(const struct key_type *kt, return crypto_overhead; } -void -crypto_adjust_frame_parameters(struct frame *frame, - const struct key_type *kt, - bool packet_id, - bool packet_id_long_form) -{ - unsigned int crypto_overhead = 0; - - if (packet_id) - { - crypto_overhead += packet_id_size(packet_id_long_form); - } - - if (cipher_defined(kt->cipher)) - { - crypto_overhead += cipher_kt_iv_size(kt->cipher); - - if (cipher_kt_mode_aead(kt->cipher)) - { - crypto_overhead += cipher_kt_tag_size(kt->cipher); - } - - /* extra block required by cipher_ctx_update() */ - crypto_overhead += cipher_kt_block_size(kt->cipher); - } - - if (md_defined(kt->digest)) - { - crypto_overhead += md_kt_size(kt->digest); - } - - frame_add_to_extra_frame(frame, crypto_overhead); - - msg(D_MTU_DEBUG, "%s: Adjusting frame parameters for crypto by %u bytes", - __func__, crypto_overhead); -} - unsigned int crypto_max_overhead(void) { 
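Review bot: The crypto.c hunk at -722 removes crypto_adjust_frame_parameters(), which reserved the packet-id size, the cipher IV, the AEAD tag, the digest and the "extra block required by cipher_ctx_update()" in frame->extra_frame. The leading context shows calculate_crypto_overhead() surviving; please confirm in the commit message that it (or frame_calculate_dynamic(), which takes over in the ssl.c hunks of this patch) counts that extra cipher block as tailroom, because under-reserving it is exactly the off-by-one-block that becomes a buffer overrun in the encrypt path. The D_MTU_DEBUG line reporting the crypto overhead is also lost here; logging the computed value from the replacement keeps MTU problems diagnosable.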
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 5a67b7ac1..b039c3b6b 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -408,13 +408,6 @@ bool crypto_check_replay(struct crypto_options *opt, const struct packet_id_net *pin, const char *error_prefix, struct gc_arena *gc); - -/** Calculate crypto overhead and adjust frame to account for that */ -void crypto_adjust_frame_parameters(struct frame *frame, - const struct key_type *kt, - bool packet_id, - bool packet_id_long_form); - /** Calculate the maximum overhead that our encryption has * on a packet. This does not include needed additional buffer size * diff --git a/src/openvpn/fragment.c b/src/openvpn/fragment.c index ce8cd3489..eb90dcacb 100644 --- a/src/openvpn/fragment.c +++ b/src/openvpn/fragment.c @@ -96,9 +96,6 @@ fragment_init(struct frame *frame) * fragment_master assume an initial CLEAR */ ALLOC_OBJ_CLEAR(ret, struct fragment_master); - /* add in the size of our contribution to the expanded frame size */ - frame_add_to_extra_frame(frame, sizeof(fragment_header_type)); - /* * Outgoing sequence ID is randomized to reduce * the probability of sequence number collisions diff --git a/src/openvpn/init.c b/src/openvpn/init.c index abdf6aaf3..d157bb07e 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2594,10 +2594,6 @@ do_init_crypto_static(struct context *c, const unsigned int flags) /* Get key schedule */ c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key; - /* Compute MTU parameters */ - crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type, - options->replay, true); - /* Sanity check on sequence number, and cipher mode options */ check_replay_consistency(&c->c1.ks.key_type, options->replay); } 
@@ -2789,19 +2785,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */ packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher); - /* Compute MTU parameters (postpone if we push/pull options) */ - if (c->options.pull || c->options.mode == MODE_SERVER) - { - /* Account for worst-case crypto overhead before allocating buffers */ - frame_add_to_extra_frame(&c->c2.frame, crypto_max_overhead()); - } - else - { - crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type, - options->replay, packet_id_long_form); - } - tls_adjust_frame_parameters(&c->c2.frame); - /* Set all command-line TLS-related options */ CLEAR(to); @@ -2954,8 +2937,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key; to.tls_wrap.opt.pid_persist = &c->c1.pid_persist; to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM; - crypto_adjust_frame_parameters(&to.frame, &c->c1.ks.tls_auth_key_type, - true, true); } /* TLS handshake encryption (--tls-crypt) */ @@ -2966,7 +2947,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key; to.tls_wrap.opt.pid_persist = &c->c1.pid_persist; to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM; - tls_crypt_adjust_frame_parameters(&to.frame); if (options->ce.tls_crypt_v2_file) { @@ -2984,10 +2964,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) } } - /* If we are running over TCP, allow for - * length prefix */ - socket_adjust_frame_parameters(&to.frame, options->ce.proto); - /* * Initialize OpenVPN's master TLS-mode object. */ 
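Review bot: The init.c hunk at -2984 drops socket_adjust_frame_parameters(&to.frame, options->ce.proto), and the function itself is deleted in the socket.c hunk of this patch, so the sizeof(packet_size_type) length prefix that stream protocols prepend is no longer reserved on the control channel frame in this file. Please point to where the TCP prefix is now counted (frame_calculate_dynamic() receives lsi, so presumably there) and say so in the commit message; an unaccounted 2-byte prefix either shaves the usable payload or eats into the headroom, and the latter is the one that corrupts memory. The same question applies to the -2789 hunk, which removes the crypto_max_overhead() worst-case reservation taken before pushed options are known: buffers must now be sized only after the negotiated overhead is final.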
@@ -3061,20 +3037,6 @@ do_init_crypto(struct context *c, const unsigned int flags) static void do_init_frame(struct context *c) { -#ifdef USE_COMP - /* - * modify frame parameters if compression is enabled - */ - if (comp_enabled(&c->options.comp)) - { - comp_add_to_extra_frame(&c->c2.frame); - -#ifdef ENABLE_FRAGMENT - comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */ -#endif - } -#endif /* USE_COMP */ - /* * Adjust frame size based on the --tun-mtu-extra parameter. */ @@ -3083,29 +3045,12 @@ do_init_frame(struct context *c) frame_add_to_extra_tun(&c->c2.frame, c->options.ce.tun_mtu_extra); } - /* - * Adjust frame size based on link socket parameters. - * (Since TCP is a stream protocol, we need to insert - * a packet length uint16_t in the buffer.) - */ - socket_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto); - /* * Fill in the blanks in the frame parameters structure, * make sure values are rational, etc. */ frame_finalize_options(c, NULL); -#ifdef USE_COMP - /* - * Modify frame parameters if compression is compiled in. - * Should be called after frame_finalize_options. - */ -#ifdef ENABLE_FRAGMENT - /*TODO:frame comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); omit compression frame delta from final frame_fragment */ -#endif -#endif /* USE_COMP */ - #ifdef ENABLE_FRAGMENT /* * Set frame parameter for fragment code. This is necessary because @@ -3113,7 +3058,6 @@ do_init_frame(struct context *c) * passed through the compression code. */ c->c2.frame_fragment = c->c2.frame; - frame_subtract_extra(&c->c2.frame_fragment, &c->c2.frame_fragment_omit); c->c2.frame_fragment_initial = c->c2.frame_fragment; #endif diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index eb823165a..3783e5315 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c 
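Review bot: With frame_subtract_extra() gone in the init.c hunk at -3113, c->c2.frame_fragment becomes a plain copy of c->c2.frame and c->c2.frame_fragment_omit is no longer read in this function. The surrounding comment ("This is necessary because ... passed through the compression code") and the frame_fragment_omit member are therefore stale after this hunk and the -3083 hunk that removed the last USE_COMP reference to it; either drop them in the same patch or update the comment, otherwise the next reader will assume the compression delta is still being omitted from the fragment frame.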
@@ -179,18 +179,6 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame) return payload + overhead; } -/* - * Move extra_frame octets into extra_tun. Used by fragmenting code - * to adjust frame relative to its position in the buffer processing - * queue. - */ -void -frame_subtract_extra(struct frame *frame, const struct frame *src) -{ - frame->extra_frame -= src->extra_frame; - frame->extra_tun += src->extra_frame; -} - void frame_print(const struct frame *frame, int level, @@ -211,8 +199,6 @@ frame_print(const struct frame *frame, buf_printf(&out, " headroom:%d", frame->buf.headroom); buf_printf(&out, " payload:%d", frame->buf.payload_size); buf_printf(&out, " tailroom:%d", frame->buf.tailroom); - buf_printf(&out, " EF:%d", frame->extra_frame); - buf_printf(&out, " EB:%d", frame->extra_buffer); buf_printf(&out, " ET:%d", frame->extra_tun); buf_printf(&out, " ]"); diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index 72cf80917..d9a0752e6 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -123,13 +123,6 @@ struct frame { * size that can be send in a single fragment */ - int extra_frame; /**< Maximum number of bytes that all - * processing steps together could add. - * @code - * frame.link_mtu = "socket MTU" - extra_frame; - * @endcode - */ - int tun_mtu; /**< the (user) configured tun-mtu. This is used * in configuring the tun interface or * in calculations that use the desired size @@ -141,16 +134,6 @@ struct frame { * code ignores it) */ - int extra_buffer; /**< Maximum number of bytes that - * processing steps could expand the - * internal work buffer. - * - * This is used by the \link compression - * Data Channel Compression - * module\endlink to give enough working - * space for worst-case expansion of - * incompressible content. */ - int extra_tun; /**< Maximum number of bytes in excess of * the tun/tap MTU that might be read * from or written to the virtual 
@@ -196,16 +179,13 @@ struct options; * * Most of our code only prepends headers but compression needs the extra bytes * *after* the data as compressed data might end up larger than the original - * data (and max compression overhead is part of extra_buffer). Also crypto - * needs an extra block for encryption. Therefore tailroom is larger than the - * headroom. + * data. Also crypto needs an extra block for encryption. Therefore tailroom is + * larger than the headroom. */ #define BUF_SIZE(f) ((f)->buf.headroom + (f)->buf.payload_size + (f)->buf.tailroom) #define FRAME_HEADROOM(f) ((f)->buf.headroom) -void frame_subtract_extra(struct frame *frame, const struct frame *src); - void frame_print(const struct frame *frame, int level, const char *prefix); @@ -313,30 +293,12 @@ const char *format_extended_socket_error(int fd, int *mtu, struct gc_arena *gc); * frame member adjustment functions */ -static inline void -frame_add_to_extra_frame(struct frame *frame, const unsigned int increment) -{ - frame->extra_frame += increment; -} - -static inline void -frame_remove_from_extra_frame(struct frame *frame, const unsigned int decrement) -{ - frame->extra_frame -= decrement; -} - static inline void frame_add_to_extra_tun(struct frame *frame, const int increment) { frame->extra_tun += increment; } -static inline void -frame_add_to_extra_buffer(struct frame *frame, const int increment) -{ - frame->extra_buffer += increment; -} - static inline bool frame_defined(const struct frame *frame) { diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c index 08c9ab192..6f9971010 100644 --- a/src/openvpn/reliable.c +++ b/src/openvpn/reliable.c 
@@ -253,13 +253,6 @@ error: return false; } -/* add to extra_frame the maximum number of bytes we will need for reliable_ack_write */ -void -reliable_ack_adjust_frame_parameters(struct frame *frame, int max) -{ - frame_add_to_extra_frame(frame, ACK_SIZE(max)); -} - /* print a reliable ACK record coming off the wire */ const char * reliable_ack_print(struct buffer *buf, bool verbose, struct gc_arena *gc) diff --git a/src/openvpn/reliable.h b/src/openvpn/reliable.h index 693abb3c7..cbd9cc8f1 100644 --- a/src/openvpn/reliable.h +++ b/src/openvpn/reliable.h @@ -207,9 +207,6 @@ void reliable_init(struct reliable *rel, int buf_size, int offset, int array_siz */ void reliable_free(struct reliable *rel); -/* add to extra_frame the maximum number of bytes we will need for reliable_ack_write */ -void reliable_ack_adjust_frame_parameters(struct frame *frame, int max); - /** @} name Functions for initialization and cleanup */ diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index fe1dfb315..93b857f01 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -2285,16 +2285,6 @@ link_socket_close(struct link_socket *sock) } } -/* for stream protocols, allow for packet length prefix */ -void -socket_adjust_frame_parameters(struct frame *frame, int proto) -{ - if (link_socket_proto_connection_oriented(proto)) - { - frame_add_to_extra_frame(frame, sizeof(packet_size_type)); - } -} - void setenv_trusted(struct env_set *es, const struct link_socket_info *info) { diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index a43ed80b5..2ad0e1b33 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h @@ -298,8 +298,6 @@ void link_socket_init_phase2(struct context *c); void do_preresolve(struct context *c); -void socket_adjust_frame_parameters(struct frame *frame, int proto); - void link_socket_close(struct link_socket *sock); void sd_close(socket_descriptor_t *sd); diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index bb1ff04cc..4012ebf15 100644 
--- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -295,18 +295,6 @@ tls_limit_reneg_bytes(const char *ciphername, int *reneg_bytes) } } -/* - * Max number of bytes we will add - * for data structures common to both - * data and control channel packets. - * (opcode only). - */ -void -tls_adjust_frame_parameters(struct frame *frame) -{ - frame_add_to_extra_frame(frame, 1); /* space for opcode */ -} - /* * Max number of bytes we will add * to control channel packet. @@ -320,11 +308,6 @@ tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame * if --tls-auth is enabled. */ - /* set extra_frame */ - tls_adjust_frame_parameters(frame); - reliable_ack_adjust_frame_parameters(frame, CONTROL_SEND_ACK_MAX); - frame_add_to_extra_frame(frame, SID_SIZE + sizeof(packet_id_type)); - /* calculate the maximum overhead that control channel frames may have */ int overhead = 0; @@ -1900,10 +1883,6 @@ tls_session_update_crypto_params_do_work(struct tls_session *session, session->opt->crypto_flags |= CO_PACKET_ID_LONG_FORM; } - /* Update frame parameters: undo worst-case overhead, add actual overhead */ - frame_remove_from_extra_frame(frame, crypto_max_overhead()); - crypto_adjust_frame_parameters(frame, &session->opt->key_type, - options->replay, packet_id_long_form); frame_calculate_dynamic(frame, &session->opt->key_type, options, lsi); frame_print(frame, D_MTU_INFO, "Data Channel MTU parms"); diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index e566acd81..5e1c7a2a2 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -471,11 +471,6 @@ void ssl_put_auth_challenge(const char *cr_str); #endif -/* - * Reserve any extra space required on frames. - */ -void tls_adjust_frame_parameters(struct frame *frame); - /* * Send a payload over the TLS control channel */ diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 543e2afd0..26f8b8ddf 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c 
@@ -89,16 +89,6 @@ tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, "Control Channel Encryption", "tls-crypt"); } -void -tls_crypt_adjust_frame_parameters(struct frame *frame) -{ - frame_add_to_extra_frame(frame, tls_crypt_buf_overhead()); - - msg(D_MTU_DEBUG, "%s: Adjusting frame parameters for tls-crypt by %i bytes", - __func__, tls_crypt_buf_overhead()); -} - - bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt) diff --git a/src/openvpn/tls_crypt.h b/src/openvpn/tls_crypt.h index 81d0a10ee..928ff5475 100644 --- a/src/openvpn/tls_crypt.h +++ b/src/openvpn/tls_crypt.h @@ -123,11 +123,6 @@ void tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, */ int tls_crypt_buf_overhead(void); -/** - * Adjust frame parameters for --tls-crypt overhead. - */ -void tls_crypt_adjust_frame_parameters(struct frame *frame); - /** * Wrap a control channel packet (both authenticates and encrypts the data). *
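Review bot: The tls_crypt.c hunk at -89 removes the only D_MTU_DEBUG message reporting tls_crypt_buf_overhead(), matching the loss of the crypto overhead message earlier in the patch, while the mtu.c hunk at -211 reduces frame_print() to headroom, payload, tailroom and ET. After this series there is no log line showing the per-component overhead, which is the first thing needed when diagnosing MTU-related drops after a control-channel wrapping change; consider keeping one debug line at the point where frame_calculate_dynamic() derives the totals. Also note the hunk leaves one blank line where two were removed, which is fine, but the header comment for tls_crypt_buf_overhead() in tls_crypt.h now describes a function whose only consumer is outside this file and could say so.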