From patchwork Sat Jan 1 05:25:19 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2194
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 1 Jan 2022 17:25:19 +0100
Message-Id: <20220101162532.2251835-2-arne@rfc2549.org>
In-Reply-To: <20220101162532.2251835-1-arne@rfc2549.org>
References: <20220101162532.2251835-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 01/14] Deprecate link-mtu

This option might have been useful in the past but nowadays it has very unclear semantics, so better remove/deprecate it.
Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- doc/man-sections/link-options.rst | 7 ++++++- src/openvpn/options.c | 4 +--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index 32e72a1b..b1ae4e75 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -82,10 +82,15 @@ the local and the remote host. ping-restart 60 # Argument: timeout --link-mtu n - Sets an upper bound on the size of UDP packets which are sent between + **DEPRECATED** Sets an upper bound on the size of UDP packets which are sent between OpenVPN peers. *It's best not to set this parameter unless you know what you're doing.* + Due to variable header size of IP header (20 bytes for IPv4 and 40 bytes + for IPv6) and dynamically negotiated data channel cipher, this option + is not reliable. It is recommended to set tun-mtu with enough headroom + instead. + --local host Local host name or IP address for bind. If specified, OpenVPN will bind to this address only. If unspecified, OpenVPN will bind to all diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 0529c141..2ca24685 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
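Review bot: the rationale paragraph added in the link-options.rst hunk reads "Due to variable header size of IP header" and names the replacement as bare "tun-mtu"; suggest "Due to the variable size of the IP header (20 bytes for IPv4 and 40 bytes for IPv6) and the dynamically negotiated data channel cipher, this option is not reliable. It is recommended to set ``--tun-mtu`` with enough headroom instead." so the option gets the same markup the rest of this file uses. Putting **DEPRECATED** on its own line would also keep the first description line within the wrapping width of the surrounding text instead of the long line this hunk produces.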
@@ -2111,9 +2111,7 @@ options_postprocess_verify_ce(const struct options *options, */ if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined) { - msg(M_USAGE, - "only one of --tun-mtu or --link-mtu may be defined (note that " - "--ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT); + msg(M_USAGE, "only one of --tun-mtu or --link-mtu may be defined"); } if (!proto_is_udp(ce->proto) && options->mtu_test)
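Review bot: dropping the "--ifconfig implies --link-mtu %d" part of the usage message removes the only use of LINK_MTU_DEFAULT visible in this hunk; check whether the macro has other users and remove the definition in the same patch if it does not. Since the option is now documented as deprecated, a msg(M_WARN, ...) when options->ce.link_mtu_defined is set would surface the deprecation at runtime as well, not only in the manpage.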
From patchwork Sat Jan 1 05:25:20 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2204
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 1 Jan 2022 17:25:20 +0100
Message-Id: <20220101162532.2251835-3-arne@rfc2549.org>
In-Reply-To: <20220101162532.2251835-1-arne@rfc2549.org>
References: <20220101162532.2251835-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 02/14] Fix mssfix and frame calculation in CBC mode

This commit fixes the MSS calculation in CBC mode.
This fix has two parts:
- Added rounding to a multiple of block size during calculation of overhead
- In CBC mode the packet ID is part of the plaintext (or payload) rather than part of the header (like for AEAD), adjust the functions to correctly reflect this.

OCC link calculation is not affected since it ignores rounding of CBC block size completely.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/crypto.c | 18 ++----
 src/openvpn/crypto.h | 14 ++---
 src/openvpn/integer.h | 9 +++
 src/openvpn/mss.c | 40 +++++++++---
 src/openvpn/mtu.c | 59 +++++++++++++-----
 src/openvpn/mtu.h | 39 +++++++-----
 tests/unit_tests/openvpn/test_crypto.c | 86 +++++++++++++++++++++++++-
 7 files changed, 203 insertions(+), 62 deletions(-)

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 5626e2b6..05a2c6be 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -209,7 +209,7 @@ openvpn_encrypt_v1(struct buffer *buf, struct buffer work, ASSERT(0); } - /* set the IV pseudo-randomly */ + /* write the pseudo-randomly IV (CBC)/packet ID (OFB/CFB) */ ASSERT(buf_write(&work, iv_buf, iv_size)); dmsg(D_PACKET_CONTENT, "ENCRYPT IV: %s", format_hex(iv_buf, iv_size, 0, &gc)); @@ -669,17 +669,15 @@ openvpn_decrypt(struct buffer *buf, struct buffer work, unsigned int calculate_crypto_overhead(const struct key_type *kt, - bool packet_id, - bool packet_id_long_form, - unsigned int payload_size, + unsigned int pkt_id_size, bool occ) { unsigned int crypto_overhead = 0; - /* We always have a packet id, no matter if encrypted or unencrypted */ - if (packet_id) + if (!cipher_kt_mode_cbc(kt->cipher)) { - crypto_overhead += packet_id_size(packet_id_long_form); + /* In CBC mode, the packet id is part of the payload size/overhead */ + crypto_overhead += pkt_id_size; } if (cipher_kt_mode_aead(kt->cipher))
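Review bot: in the @@ -209 hunk the replacement comment "write the pseudo-randomly IV (CBC)/packet ID (OFB/CFB)" should read "write the pseudo-random IV (CBC) / packet ID (OFB/CFB)".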
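Review bot: in the @@ -669 hunk the new comment "/* In CBC mode, the packet id is part of the payload size/overhead */" sits inside the `if (!cipher_kt_mode_cbc(kt->cipher))` branch, which is the path taken for every mode other than CBC, so it describes the case that was just excluded; move it above the `if` or reword it as "Outside CBC mode the packet id is part of the protocol header; in CBC mode it is counted in the payload overhead instead". The removed comment "We always have a packet id, no matter if encrypted or unencrypted" also deserves a successor saying that pkt_id_size is 0 with --no-replay, as the crypto.h documentation in this patch states.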
@@ -702,11 +700,7 @@ calculate_crypto_overhead(const struct key_type *kt, if (cipher_defined(kt->cipher)) { /* CBC, OFB or CFB mode */ - /* This is a worst case upper bound of needing to add - * a full extra block for padding when the payload - * is exactly a multiple of the block size */ - if (occ || (cipher_kt_mode_cbc(kt->cipher) && - (payload_size % cipher_kt_block_size(kt->cipher) == 0))) + if (occ) { crypto_overhead += cipher_kt_block_size(kt->cipher); } diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 5a67b7ac..43241b86 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -418,20 +418,20 @@ void crypto_adjust_frame_parameters(struct frame *frame, /** Calculate the maximum overhead that our encryption has * on a packet. This does not include needed additional buffer size * + * This does NOT include the padding and rounding of CBC size + * as the users (mssfix/fragment) of this function need to adjust for + * this and add it themselves. + * * @param kt Struct with the crypto algorithm to use - * @param packet_id Whether packet_id is used - * @param packet_id_long_form Whether the packet id has the long form - * @param payload_size payload size, only used if occ is false + * @param packet_id_size Size of the packet id, can be 0 if no-replay is used * @param occ if true calculates the overhead for crypto in the same * incorrect way as all previous OpenVPN versions did, to * end up with identical numbers for OCC compatibility */ unsigned int calculate_crypto_overhead(const struct key_type *kt, - bool packet_id, - bool packet_id_long_form, - unsigned int payload_size, - bool occ); + unsigned int pkt_id_size, + bool occ); /** Return the worst-case OpenVPN crypto overhead (in bytes) */ unsigned int crypto_max_overhead(void); diff --git a/src/openvpn/integer.h b/src/openvpn/integer.h index 8b041f22..8770f701 100644 --- a/src/openvpn/integer.h +++ b/src/openvpn/integer.h 
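Review bot: the doxygen block in the crypto.h hunk documents "@param packet_id_size" while the prototype names the parameter "pkt_id_size"; rename one so the two agree, otherwise doxygen warns about an undocumented parameter. The new header text makes the callers ("mssfix/fragment") responsible for the CBC padding that the @@ -702 hunk removes from calculate_crypto_overhead(), but only the mssfix side is changed in this patch; confirm the fragment path does its own block rounding or note it as a follow-up, since after this hunk the worst-case block is no longer added for it.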
@@ -185,4 +185,13 @@ index_verify(int index, int size, const char *file, int line) return index; } +/** + * Rounds down num to the nearest multiple of multiple + */ +static inline unsigned int +round_down_uint(unsigned int num, unsigned int multiple) +{ + return (num / multiple) * multiple; +} + #endif /* ifndef INTEGER_H */ diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c index 852ef541..3007cc52 100644 --- a/src/openvpn/mss.c +++ b/src/openvpn/mss.c @@ -207,6 +207,26 @@ mss_fixup_dowork(struct buffer *buf, uint16_t maxmss) } } +static inline unsigned int +adjust_payload_max_cbc(const struct key_type *kt, unsigned int target) +{ + if (!cipher_kt_mode_cbc(kt->cipher)) + { + /* With stream ciphers (or block cipher in stream modes like CFB, AEAD) + * we can just subtract use the target as is */ + return target; + } + else + { + /* With CBC we need at least one extra byte for padding and then need + * to ensure that the resulting CBC ciphertext length, which is always + * a multiple of the block size, is not larger than the target value */ + unsigned int block_size = cipher_kt_block_size(kt->cipher); + target = round_down_uint(target, block_size); + return target - 1; + } +} + void frame_calculate_mssfix(struct frame *frame, struct key_type *kt, const struct options *options) 
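Review bot: round_down_uint() in the integer.h hunk divides by `multiple` without a guard, so a zero block size reaching this path is a divide-by-zero; either ASSERT(multiple) or state in the doxygen comment that callers must pass a non-zero multiple.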
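Review bot: adjust_payload_max_cbc() in the @@ -207 mss.c hunk computes round_down_uint(target, block_size) - 1 in unsigned arithmetic; when target is smaller than one block the rounded value is 0 and the subtraction wraps to UINT_MAX, which then flows into frame->mss_fix. A lower bound on target (or returning 0 so the caller can skip mssfix with a warning) would close that. The comment "we can just subtract use the target as is" also has a leftover word; "we can use the target as is" reads correctly.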
@@ -216,18 +236,13 @@ frame_calculate_mssfix(struct frame *frame, struct key_type *kt, return; } - unsigned int payload_size; - unsigned int overhead; - - - payload_size = frame_calculate_payload_size(frame, options); + unsigned int overhead, payload_overhead; - overhead = frame_calculate_protocol_header_size(kt, options, - payload_size, false); + overhead = frame_calculate_protocol_header_size(kt, options, false); /* Calculate the number of bytes that the payload differs from the payload * MTU. This are fragment/compression/ethernet headers */ - unsigned payload_overhead = frame_calculate_payload_overhead(frame, options, true); + payload_overhead = frame_calculate_payload_overhead(frame, options, kt, true); /* We are in a "liberal" position with respect to MSS, * i.e. we assume that MSS can be calculated from MTU @@ -238,9 +253,14 @@ frame_calculate_mssfix(struct frame *frame, struct key_type *kt, /* Add 20 bytes for the IPv4 header and 20 byte for the TCP header of the * payload, the mssfix method will add 20 extra if payload is IPv6 */ - overhead += 20 + 20; + payload_overhead += 20 + 20; /* Calculate the maximum MSS value from the max link layer size specified * by ce.mssfix */ - frame->mss_fix = options->ce.mssfix - overhead - payload_overhead; + + /* This is the target value our payload needs to be smaller */ + unsigned int target = options->ce.mssfix - overhead; + frame->mss_fix = adjust_payload_max_cbc(kt, target) - payload_overhead; + + } diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index dac0c1de..cc7c95e4 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c 
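Review bot: in the @@ -238 hunk the comment "This is the target value our payload needs to be smaller" is missing its ending ("smaller than" or "must not exceed"), and the two bare "+" lines before the closing brace add trailing blank lines that uncrustify will flag. The assignment frame->mss_fix = adjust_payload_max_cbc(kt, target) - payload_overhead is unsigned arithmetic with no check that payload_overhead is not larger than the adjusted target; with a small --mssfix plus tap or fragment overhead this wraps silently, so a sanity check before the assignment is worth adding.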
@@ -52,10 +52,31 @@ alloc_buf_sock_tun(struct buffer *buf, ASSERT(buf_safe(buf, 0)); } + +/** + * Return the size of the packet ID size that is currently in use by cipher and + * options for the data channel. + */ +static unsigned int +calc_packet_id_size_dc(const struct options *options, const struct key_type *kt) +{ + /* Unless no-replay is enabled, we have a packet id, no matter if + * encryption is used or not */ + if (!options->replay) + { + return 0; + } + + bool tlsmode = options->tls_server || options->tls_client; + + bool packet_id_long_form = !tlsmode || cipher_kt_mode_ofb_cfb(kt->cipher); + + return packet_id_size(packet_id_long_form); +} + size_t frame_calculate_protocol_header_size(const struct key_type *kt, const struct options *options, - unsigned int payload_size, bool occ) { /* Sum of all the overhead that reduces the usable packet size */ @@ -82,15 +103,11 @@ frame_calculate_protocol_header_size(const struct key_type *kt, header_size += options->use_peer_id ? 4 : 1; } - /* Add the crypto overhead */ - bool packet_id = options->replay; - bool packet_id_long_form = !tlsmode || cipher_kt_mode_ofb_cfb(kt->cipher); + unsigned int pkt_id_size = calc_packet_id_size_dc(options, kt); /* For figuring out the crypto overhead, we need the size of the payload * including all headers that also get encrypted as part of the payload */ - header_size += calculate_crypto_overhead(kt, packet_id, - packet_id_long_form, - payload_size, occ); + header_size += calculate_crypto_overhead(kt, pkt_id_size, occ); return header_size; } 
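Review bot: the comment kept above the call in the @@ -82 hunk, "For figuring out the crypto overhead, we need the size of the payload including all headers that also get encrypted as part of the payload", describes the payload_size argument this very hunk removes and is now stale; replace it with a note that only the packet id size is passed and that, for CBC, the packet id is counted on the payload side. Nit in the @@ -52 hunk: the doxygen line "Return the size of the packet ID size" should be "Return the size of the packet ID".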
@@ -98,13 +115,14 @@ frame_calculate_protocol_header_size(const struct key_type *kt, size_t frame_calculate_payload_overhead(const struct frame *frame, const struct options *options, + const struct key_type *kt, bool extra_tun) { size_t overhead = 0; /* This is the overhead of tap device that is not included in the MTU itself * i.e. Ethernet header that we still need to transmit as part of the - * payload*/ + * payload */ if (extra_tun) { overhead += frame->extra_tun; @@ -127,30 +145,40 @@ frame_calculate_payload_overhead(const struct frame *frame, overhead += 4; } #endif + + if (cipher_kt_mode_cbc(kt->cipher)) + { + /* The packet id is part of the plain text payload instead of the + * cleartext protocol header and needs to be included in the payload + * overhead instead of the protocol header */ + overhead += calc_packet_id_size_dc(options, kt); + } + return overhead; } size_t -frame_calculate_payload_size(const struct frame *frame, const struct options *options) +frame_calculate_payload_size(const struct frame *frame, + const struct options *options, + const struct key_type *kt) { size_t payload_size = options->ce.tun_mtu; - payload_size += frame_calculate_payload_overhead(frame, options, true); + payload_size += frame_calculate_payload_overhead(frame, options, kt, true); return payload_size; } size_t calc_options_string_link_mtu(const struct options *o, const struct frame *frame) { - unsigned int payload = frame_calculate_payload_size(frame, o); + struct key_type occ_kt; /* neither --secret nor TLS mode */ if (!o->tls_client && !o->tls_server && !o->shared_secret_file) { - return payload; + init_key_type(&occ_kt, "none", "none", false, false); + return frame_calculate_payload_size(frame, o, &occ_kt); } - struct key_type occ_kt; - /* o->ciphername might be BF-CBC even though the underlying SSL library * does not support it. For this reason we workaround this corner case * by pretending to have no encryption enabled and by manually adding 
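Review bot: frame_calculate_payload_overhead() in the @@ -127 hunk dereferences kt->cipher unconditionally, so every caller must now pass a valid key_type; the callers converted in this patch do, but an ASSERT(kt) at the top would make a NULL from an unconverted caller fail with a clear message rather than crash inside cipher_kt_mode_cbc(). In calc_options_string_link_mtu() the new init_key_type(&occ_kt, "none", "none", false, false) for the neither-secret-nor-TLS case is a reasonable way to obtain a cipher-less key_type for the same code path; a one-line comment saying that is the intent would help the next reader.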
@@ -176,7 +204,8 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame) * the ciphers are actually valid for non tls in occ calucation */ init_key_type(&occ_kt, ciphername, o->authname, true, false); - overhead += frame_calculate_protocol_header_size(&occ_kt, o, 0, true); + unsigned int payload = frame_calculate_payload_size(frame, o, &occ_kt); + overhead += frame_calculate_protocol_header_size(&occ_kt, o, true); return payload + overhead; } diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index f6013860..c83d8816 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -226,19 +226,22 @@ void set_mtu_discover_type(socket_descriptor_t sd, int mtu_type, sa_family_t pro int translate_mtu_discover_type_name(const char *name); +/* forward declaration of key_type */ +struct key_type; + /** - * Calculates the size of the payload according to tun-mtu and tap overhead. - * This also includes compression and fragmentation overhead if they are - * enabled. + * Calculates the size of the payload according to tun-mtu and tap overhead. In + * this context payload is identical to the size of the plaintext. + * This also includes compression, fragmentation overhead, and packet id in CBC + * mode if these options are used. + * * * * [IP][UDP][OPENVPN PROTOCOL HEADER][ **PAYLOAD incl compression header** ] - * @param frame - * @param options - * @return */ size_t frame_calculate_payload_size(const struct frame *frame, - const struct options *options); + const struct options *options, + const struct key_type *kt); /** * Calculates the size of the payload overhead according to tun-mtu and 
@@ -247,37 +250,39 @@ frame_calculate_payload_size(const struct frame *frame, * are considered part of this overhead that increases the payload larger than * tun-mtu. * + * In CBC mode, the IV is part of the payload instead of part of the OpenVPN + * protocol header and is included in the returned value. + * + * In this context payload is identical to the size of the plaintext and this + * method can be also understand as number of bytes that are added to the + * plaintext before encryption. + * * * [IP][UDP][OPENVPN PROTOCOL HEADER][ **PAYLOAD incl compression header** ] - * @param frame - * @param options - * @param extra_tun - * @return */ size_t frame_calculate_payload_overhead(const struct frame *frame, const struct options *options, + const struct key_type *kt, bool extra_tun); -/* forward declaration of key_type */ -struct key_type; - /** * Calculates the size of the OpenVPN protocol header. This includes * the crypto IV/tag/HMAC but does not include the IP encapsulation * + * This does NOT include the padding and rounding of CBC size + * as the users (mssfix/fragment) of this function need to adjust for + * this and add it themselves. * * [IP][UDP][ **OPENVPN PROTOCOL HEADER**][PAYLOAD incl compression header] * * @param kt the key_type to use to calculate the crypto overhead * @param options the options struct to be used to calculate - * @param payload_size the payload size, ignored if occ is true - * @param occ if the calculation should be done for occ compatibility + * @param occ Use the calculation for the OCC link-mtu * @return size of the overhead in bytes */ size_t frame_calculate_protocol_header_size(const struct key_type *kt, const struct options *options, - unsigned int payload_size, bool occ); /** diff --git a/tests/unit_tests/openvpn/test_crypto.c b/tests/unit_tests/openvpn/test_crypto.c index 19ce174e..4a094baa 100644 --- a/tests/unit_tests/openvpn/test_crypto.c +++ b/tests/unit_tests/openvpn/test_crypto.c 
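Review bot: the new doc text in the @@ -247 hunk says "In CBC mode, the IV is part of the payload instead of part of the OpenVPN protocol header", but the code in frame_calculate_payload_overhead() adds calc_packet_id_size_dc() and its comment says it is the packet id that is in the plaintext; in CBC mode the IV stays in the cleartext header and the packet id is what moves into the payload, so this sentence should say "packet id". In the same paragraph "can be also understand as" should read "can also be understood as".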
@@ -41,6 +41,7 @@ #include "ssl_backend.h" #include "mock_msg.h" +#include "mss.h" static const char testtext[] = "Dummy text to test PEM encoding"; 
@@ -360,6 +361,88 @@ test_occ_mtu_calculation(void **state) gc_free(&gc); } +static void +test_mssfix_mtu_calculation(void **state) +{ + struct gc_arena gc = gc_new(); + + struct frame f = { 0 }; + struct options o = { 0 }; + + /* common defaults */ + o.ce.tun_mtu = 1400; + o.ce.mssfix = 1000; + o.replay = true; + o.ce.proto = PROTO_UDP; + + /* No crypto at all */ + o.ciphername = "none"; + o.authname = "none"; + struct key_type kt; + init_key_type(&kt, o.ciphername, o.authname, false, false); + + /* No encryption, just packet id (8) + TCP payload(20) + IP payload(20) */ + frame_calculate_mssfix(&f, &kt, &o); + assert_int_equal(f.mss_fix, 952); + + /* Static key OCC examples */ + o.shared_secret_file = "not null"; + + /* secret, auth none, cipher none */ + o.ciphername = "none"; + o.authname = "none"; + init_key_type(&kt, o.ciphername, o.authname, false, false); + frame_calculate_mssfix(&f, &kt, &o); + assert_int_equal(f.mss_fix, 952); + + /* secret, cipher AES-128-CBC, auth none */ + o.ciphername = "AES-128-CBC"; + o.authname = "none"; + init_key_type(&kt, o.ciphername, o.authname, false, false); + + for (int i = 990;i <= 1010;i++) + { + /* 992 - 1008 should end up with the same mssfix value all they + * all result in the same CBC block size/padding and <= 991 and >=1008 + * should be one block less and more respectively */ + o.ce.mssfix = i; + frame_calculate_mssfix(&f, &kt, &o); + if (i <= 991) + { + assert_int_equal(f.mss_fix, 911); + } + else if (i >= 1008) + { + assert_int_equal(f.mss_fix, 943); + } + else + { + assert_int_equal(f.mss_fix, 927); + } + } + + /* tls client, auth SHA1, cipher AES-256-GCM */ + o.authname = "SHA1"; + o.ciphername = "AES-256-GCM"; + o.tls_client = true; + o.peer_id = 77; + o.use_peer_id = true; + init_key_type(&kt, o.ciphername, o.authname, true, false); + + for (int i=900;i <= 1200;i++) + { + /* For stream ciphers, the value should not be influenced by block + * sizes or similar but always have the same difference */ + o.ce.mssfix 
= i; + frame_calculate_mssfix(&f, &kt, &o); + + /* 4 byte opcode/peerid, 4 byte pkt ID, 16 byte tag, 40 TCP+IP */ + assert_int_equal(f.mss_fix, i - 4 - 4 - 16 - 40); + } + + gc_free(&gc); +} + int main(void) { 
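Review bot: the comment in the AES-128-CBC loop of test_mssfix_mtu_calculation() says "992 - 1008 should end up with the same mssfix value" and "<= 991 and >=1008", but the assertions put 1008 in the upper band (943), so the middle band is 992 - 1007; the code is right, the comment is off by one. The expected values themselves check out: with a static key the 16-byte IV is the only protocol header, the 8-byte packet id plus 40 bytes of IP/TCP header is payload overhead, so mssfix 991 gives round_down(975, 16) - 1 - 48 = 911. Style: "for (int i = 990;i <= 1010;i++)" and "for (int i=900;i <= 1200;i++)" use two different spacings; uncrustify will want "for (int i = 990; i <= 1010; i++)". The gc arena is created and freed but never used in this test.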
@@ -369,7 +452,8 @@ main(void) cmocka_unit_test(crypto_test_tls_prf), cmocka_unit_test(crypto_test_hmac), cmocka_unit_test(test_des_encrypt), - cmocka_unit_test(test_occ_mtu_calculation) + cmocka_unit_test(test_occ_mtu_calculation), + cmocka_unit_test(test_mssfix_mtu_calculation) }; #if defined(ENABLE_CRYPTO_OPENSSL)
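Worked example of the calculation this patch describes, added here and not part of the OpenVPN code: a small model of frame_calculate_mssfix() before and after the change, plus the on-the-wire CBC length the result must stay under, checked across a range of --mssfix values. The struct dc_params, wire_size() and mssfix_is_tight() helpers are assumptions of this model; the three parameter sets mirror the scenarios in the patch's unit test.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed model of the data-channel parameters that feed the calculation. Simplified:
 * no --fragment/compression/tap, IPv4 inner packets, long packet id for static key mode. */
struct dc_params {
    bool cbc;                 /* block cipher in CBC mode */
    unsigned int block_size;  /* CBC block size, 0 otherwise */
    unsigned int iv_size;     /* explicit IV in the protocol header (CBC) */
    unsigned int tag_size;    /* AEAD tag */
    unsigned int hmac_size;   /* HMAC size, 0 for "none" or AEAD */
    bool tls;                 /* TLS mode: opcode byte present */
    bool use_peer_id;         /* P_DATA_V2: 4-byte opcode + peer id */
    bool replay;              /* false with --no-replay: no packet id at all */
};

/* Short (4 byte) packet id in TLS mode, long (8 byte) form with a static key. */
static unsigned int packet_id_size_dc(const struct dc_params *p)
{
    return p->replay ? (p->tls ? 4 : 8) : 0;
}

/* Cleartext OpenVPN protocol header: opcode/peer-id, packet id (except in CBC
 * mode, where it is encrypted with the payload), IV, tag and HMAC. */
static unsigned int protocol_header_size(const struct dc_params *p)
{
    unsigned int h = p->iv_size + p->tag_size + p->hmac_size;
    if (p->tls) h += p->use_peer_id ? 4 : 1;
    return p->cbc ? h : h + packet_id_size_dc(p);
}

/* Bytes added to the plaintext before encryption (here only the CBC packet id). */
static unsigned int payload_overhead(const struct dc_params *p)
{
    return p->cbc ? packet_id_size_dc(p) : 0;
}

/* The patch's adjust_payload_max_cbc(): round_down_uint(target, block) - 1 is the largest
 * plaintext whose padded CBC ciphertext still fits (PKCS#7 padding adds >= 1 byte). */
static unsigned int adjust_payload_max_cbc(const struct dc_params *p, unsigned int target)
{
    return p->cbc ? (target / p->block_size) * p->block_size - 1 : target;
}

/* mssfix after the patch: CBC packet id counted on the payload side and the
 * target rounded down to a block boundary before IPv4 + TCP are subtracted. */
static unsigned int calc_mssfix(const struct dc_params *p, unsigned int mssfix)
{
    unsigned int overhead = protocol_header_size(p);
    unsigned int po = payload_overhead(p) + 20 + 20;
    if (mssfix < overhead + po + p->block_size + 1) return 0; /* model-only wrap-around guard */
    return adjust_payload_max_cbc(p, mssfix - overhead) - po;
}

/* Model of the pre-patch calculation as visible in the removed lines: the packet id always
 * sits in the header, and a padding block is added only if the tun-mtu based payload size
 * happens to be a multiple of the block size. */
static unsigned int calc_mssfix_before_patch(const struct dc_params *p,
                                             unsigned int mssfix, unsigned int tun_mtu)
{
    unsigned int overhead = protocol_header_size(p) + payload_overhead(p);
    if (p->cbc && tun_mtu % p->block_size == 0) overhead += p->block_size;
    return mssfix - overhead - 20 - 20;
}

/* Bytes a full-size segment carrying mss bytes of TCP payload occupies on the
 * link, excluding the outer UDP/IP encapsulation (as --mssfix itself does). */
static unsigned int wire_size(const struct dc_params *p, unsigned int mss)
{
    unsigned int plaintext = payload_overhead(p) + 20 + 20 + mss;
    unsigned int ciphertext = p->cbc ? (plaintext / p->block_size + 1) * p->block_size : plaintext;
    return protocol_header_size(p) + ciphertext;
}

/* True when for every mssfix in [lo, hi] the computed MSS fits and is tight,
 * i.e. one more byte of TCP payload would exceed mssfix. */
static bool mssfix_is_tight(const struct dc_params *p, unsigned int lo, unsigned int hi)
{
    for (unsigned int m = lo; m <= hi; m++) {
        unsigned int mss = calc_mssfix(p, m);
        if (wire_size(p, mss) > m || wire_size(p, mss + 1) <= m) return false;
    }
    return true;
}

/* Parameter sets mirroring the scenarios in the patch's unit test. */
static const struct dc_params CBC_STATIC = { true, 16, 16, 0, 0, false, false, true };
static const struct dc_params NONE_STATIC = { false, 0, 0, 0, 0, false, false, true };
static const struct dc_params GCM_TLS = { false, 0, 0, 16, 0, true, true, true };
int main(void)
{
    for (unsigned int m = 990; m <= 1010; m += 2) {
        unsigned int new_mss = calc_mssfix(&CBC_STATIC, m);
        unsigned int old_mss = calc_mssfix_before_patch(&CBC_STATIC, m, 1400);
        printf("mssfix %u: new mss %u (wire %u), pre-patch mss %u (wire %u)\n", m, new_mss,
               wire_size(&CBC_STATIC, new_mss), old_mss, wire_size(&CBC_STATIC, old_mss));
    }
    return 0;
}
```

For AES-128-CBC with a static key and --mssfix 1000 the pre-patch model yields an MSS of 936 whose padded packet is 1008 bytes on the link, while the patched calculation yields 927 and exactly 992 bytes, one block below the limit.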
From patchwork Sat Jan 1 05:25:21 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2205
From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Sat, 1 Jan 2022 17:25:21 +0100 Message-Id: <20220101162532.2251835-4-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220101162532.2251835-1-arne@rfc2549.org> References: <20220101162532.2251835-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 03/14] Change buffer allocation calculation and checks to be more static

Currently we use half dynamic buffer sizes where we have a fixed overhead for crypto (crypto_max_overhead) but use a dynamic overhead for the other small header sizes.

Signed-off-by: Arne Schwabe
---
src/openvpn/comp-lz4.c | 4 +-
src/openvpn/crypto.c | 4 +-
src/openvpn/forward.c | 8 +--
src/openvpn/init.c | 107 +++++++++++++++++++++++++++++++++++----
src/openvpn/lzo.c | 2 +-
src/openvpn/mtu.c | 7 ++-
src/openvpn/mtu.h | 74 ++++++++++++++-------------
src/openvpn/multi.c | 4 +-
src/openvpn/multi.h | 2 +-
src/openvpn/occ.c | 4 +-
src/openvpn/options.c | 2 +-
src/openvpn/ping.c | 2 +-
src/openvpn/ssl.c | 35 ++++++++++---
src/openvpn/ssl_common.h | 3 +-
14 files changed, 187 insertions(+), 71 deletions(-)

diff --git a/src/openvpn/comp-lz4.c b/src/openvpn/comp-lz4.c index bceca5e2..aa83ea80 100644 --- a/src/openvpn/comp-lz4.c +++ b/src/openvpn/comp-lz4.c
@@ -213,7 +213,7 @@ lz4_decompress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { - size_t zlen_max = EXPANDED_SIZE(frame); + size_t zlen_max = frame->buf.payload_size; uint8_t c; /* flag indicating whether or not our peer compressed */ if (buf->len <= 0) @@ -250,7 +250,7 @@ lz4v2_decompress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { - size_t zlen_max = EXPANDED_SIZE(frame); + size_t zlen_max = frame->buf.payload_size; uint8_t c; /* flag indicating whether or not our peer compressed */ if (buf->len <= 0) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 05a2c6be..18a6c99c 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -1064,7 +1064,7 @@ test_crypto(struct crypto_options *co, struct frame *frame) { int i, j; struct gc_arena gc = gc_new(); - struct buffer src = alloc_buf_gc(TUN_MTU_SIZE(frame), &gc); + struct buffer src = alloc_buf_gc(frame->buf.payload_size, &gc); struct buffer work = alloc_buf_gc(BUF_SIZE(frame), &gc); struct buffer encrypt_workspace = alloc_buf_gc(BUF_SIZE(frame), &gc); struct buffer decrypt_workspace = alloc_buf_gc(BUF_SIZE(frame), &gc); @@ -1095,7 +1095,7 @@ test_crypto(struct crypto_options *co, struct frame *frame) } msg(M_INFO, "Entering " PACKAGE_NAME " crypto self-test mode."); - for (i = 1; i <= TUN_MTU_SIZE(frame); ++i) + for (i = 1; i <= frame->buf.payload_size; ++i) { update_time(); diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index f82386a1..c971c6bd 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c 
@@ -1119,8 +1119,8 @@ read_incoming_tun(struct context *c) } #else /* ifdef _WIN32 */ ASSERT(buf_init(&c->c2.buf, FRAME_HEADROOM(&c->c2.frame))); - ASSERT(buf_safe(&c->c2.buf, MAX_RW_SIZE_TUN(&c->c2.frame))); - c->c2.buf.len = read_tun(c->c1.tuntap, BPTR(&c->c2.buf), MAX_RW_SIZE_TUN(&c->c2.frame)); + ASSERT(buf_safe(&c->c2.buf, c->c2.frame.buf.payload_size)); + c->c2.buf.len = read_tun(c->c1.tuntap, BPTR(&c->c2.buf), c->c2.frame.buf.payload_size); #endif /* ifdef _WIN32 */ #ifdef PACKET_TRUNCATION_CHECK @@ -1709,7 +1709,7 @@ process_outgoing_tun(struct context *c) PIP_MSSFIX | PIPV4_EXTRACT_DHCP_ROUTER | PIPV4_CLIENT_NAT | PIP_OUTGOING, &c->c2.to_tun); - if (c->c2.to_tun.len <= MAX_RW_SIZE_TUN(&c->c2.frame)) + if (c->c2.to_tun.len <= c->c2.frame.buf.payload_size) { /* * Write to TUN/TAP device. @@ -1769,7 +1769,7 @@ process_outgoing_tun(struct context *c) */ msg(D_LINK_ERRORS, "tun packet too large on write (tried=%d,max=%d)", c->c2.to_tun.len, - MAX_RW_SIZE_TUN(&c->c2.frame)); + c->c2.frame.buf.payload_size); } buf_reset(&c->c2.to_tun); diff --git a/src/openvpn/init.c b/src/openvpn/init.c index e8723714..c4770c21 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -740,7 +740,7 @@ init_port_share(struct context *c) { port_share = port_share_open(c->options.port_share_host, c->options.port_share_port, - MAX_RW_SIZE_LINK(&c->c2.frame), + c->c2.frame.buf.payload_size, c->options.port_share_journal_dir); if (port_share == NULL) { 
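Review bot: read_incoming_tun now reads up to c->c2.frame.buf.payload_size instead of MAX_RW_SIZE_TUN, and per the frame_finalize_options hunk payload_size is max(1500, tun_mtu) plus tun_mtu_extra, 100 bytes of slack and the headroom, so tun reads (and the size check in process_outgoing_tun) are no longer bounded by the configured tun-mtu. If forwarding packets larger than tun-mtu instead of truncating them is the intent, state that in the commit message; otherwise keep a tun_mtu-based limit (frame->tun_mtu plus tun_mtu_extra) as the read length and use payload_size only as the buffer bound.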
@@ -2505,6 +2505,35 @@ do_startup_pause(struct context *c) } } +static size_t +get_frame_mtu(struct context *c, const struct options *o) +{ + size_t mtu; + + if (o->ce.link_mtu_defined) + { + ASSERT(o->ce.link_mtu_defined); + /* if we have a link mtu defined we calculate what the old code + * would have come up with as tun-mtu */ + size_t overhead = frame_calculate_protocol_header_size(&c->c1.ks.key_type, + o, true); + mtu = o->ce.link_mtu - overhead; + + } + else + { + ASSERT(o->ce.tun_mtu_defined); + mtu = o->ce.tun_mtu; + } + + if (mtu < TUN_MTU_MIN) + { + msg(M_WARN, "TUN MTU value (%lu) must be at least %d", mtu, TUN_MTU_MIN); + frame_print(&c->c2.frame, M_FATAL, "MTU is too small"); + } + return mtu; +} + /* * Finalize MTU parameters based on command line or config file options. */ 
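Review bot: in get_frame_mtu the subtraction `mtu = o->ce.link_mtu - overhead;` is done in size_t, so a link-mtu smaller than the computed protocol overhead wraps to a huge value that passes the `mtu < TUN_MTU_MIN` check instead of reaching the fatal frame_print; do the arithmetic in int or check `o->ce.link_mtu <= overhead` before the comparison. Two smaller points in the same hunk: `ASSERT(o->ce.link_mtu_defined)` inside `if (o->ce.link_mtu_defined)` is redundant, and `%lu` with a size_t argument is wrong on LLP64 targets such as 64-bit Windows, so use `%zu` or cast.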
@@ -2516,12 +2545,68 @@ frame_finalize_options(struct context *c, const struct options *o) o = &c->options; } - frame_add_to_extra_buffer(&c->c2.frame, PAYLOAD_ALIGN); - frame_finalize(&c->c2.frame, + struct frame *frame = &c->c2.frame; + + frame->tun_mtu = get_frame_mtu(c, o); + + /* We always allow at least 1500 MTU packets to be received in our buffer + * space */ + size_t payload_size = max_int(1500, frame->tun_mtu); + + /* The extra tun needs to be added to the payload size */ + if (o->ce.tun_mtu_defined) + { + payload_size += o->ce.tun_mtu_extra; + } + + /* Add 100 byte of extra space in the buffer to account for slightly + * mismatched MUTs between peers */ + payload_size += 100; + + + /* the space that is reserved before the payload to add extra headers to it + * we always reserve the space for the worst case */ + size_t headroom = 0; + + /* includes IV and packet ID */ + headroom += crypto_max_overhead(); + + /* peer id + opcode */ + headroom += 4; + + /* socks proxy header */ + headroom += 10; + + /* compression header and fragment header (part of the encrypted payload) */ + headroom += 1 + 1; + + /* Round up headroom to the next multiple of 4 to ensure alignment */ + headroom = (headroom + 3) & ~3; + + /* Add the headroom to the payloadsize as a received (IP) packet can have + * all the extra headers in it */ + payload_size += headroom; + + /* the space after the payload, this needs some extra buffer space for + * encryption so headroom is probably too much but we do not really care + * the few extra bytes */ + size_t tailroom = headroom; + +#ifdef USE_COMP + tailroom += COMP_EXTRA_BUFFER(frame->buf.payload_size); +#endif + + frame->buf.payload_size = payload_size; + frame->buf.headroom = headroom; + frame->buf.tailroom = tailroom; + + /* Kept to still update/calculate the other fields for now */ + frame_finalize(frame, o->ce.link_mtu_defined, o->ce.link_mtu, o->ce.tun_mtu_defined, o->ce.tun_mtu); + } /* 
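Review bot: `tailroom += COMP_EXTRA_BUFFER(frame->buf.payload_size);` reads frame->buf.payload_size before the new value is stored two statements later by `frame->buf.payload_size = payload_size;`, so the compression allowance is computed from whatever the field held before (zero on a freshly initialised frame); use the local `payload_size` instead. While here: the new comments have typos ("100 byte of extra space", "mismatched MUTs"), and the alignment step `headroom = (headroom + 3) & ~3;` hard-codes 4 although this hunk removes the `frame_add_to_extra_buffer(&c->c2.frame, PAYLOAD_ALIGN)` call that used the named constant; either reuse PAYLOAD_ALIGN or say why a literal is fine.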
@@ -3288,17 +3373,19 @@ init_context_buffers(const struct frame *frame) ALLOC_OBJ_CLEAR(b, struct context_buffers); - b->read_link_buf = alloc_buf(BUF_SIZE(frame)); - b->read_tun_buf = alloc_buf(BUF_SIZE(frame)); + size_t buf_size = BUF_SIZE(frame); + + b->read_link_buf = alloc_buf(buf_size); + b->read_tun_buf = alloc_buf(buf_size); - b->aux_buf = alloc_buf(BUF_SIZE(frame)); + b->aux_buf = alloc_buf(buf_size); - b->encrypt_buf = alloc_buf(BUF_SIZE(frame)); - b->decrypt_buf = alloc_buf(BUF_SIZE(frame)); + b->encrypt_buf = alloc_buf(buf_size); + b->decrypt_buf = alloc_buf(buf_size); #ifdef USE_COMP - b->compress_buf = alloc_buf(BUF_SIZE(frame)); - b->decompress_buf = alloc_buf(BUF_SIZE(frame)); + b->compress_buf = alloc_buf(buf_size); + b->decompress_buf = alloc_buf(buf_size); #endif return b; diff --git a/src/openvpn/lzo.c b/src/openvpn/lzo.c index 8d572684..e7e89655 100644 --- a/src/openvpn/lzo.c +++ b/src/openvpn/lzo.c @@ -213,7 +213,7 @@ lzo_decompress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { - lzo_uint zlen = EXPANDED_SIZE(frame); + lzo_uint zlen = frame->buf.payload_size; int err; uint8_t c; /* flag indicating whether or not our peer compressed */ diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index cc7c95e4..1648c8fe 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c @@ -48,7 +48,7 @@ alloc_buf_sock_tun(struct buffer *buf, /* allocate buffer for overlapped I/O */ *buf = alloc_buf(BUF_SIZE(frame)); ASSERT(buf_init(buf, FRAME_HEADROOM(frame))); - buf->len = tuntap_buffer ? MAX_RW_SIZE_TUN(frame) : MAX_RW_SIZE_LINK(frame); + buf->len = frame->buf.payload_size; ASSERT(buf_safe(buf, 0)); } 
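Review bot: in alloc_buf_sock_tun the line `buf->len = frame->buf.payload_size;` no longer distinguishes tun from link buffers, and as far as this hunk shows that was the only use of the `tuntap_buffer` parameter, which now goes unused (and warns under -Wunused-parameter); drop it from the signature and its callers, or keep it and document why. A one-line mention in the commit message that tun and link read sizes are now the same value would also help reviewers of the later patches.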
@@ -296,6 +296,11 @@ frame_print(const struct frame *frame, buf_printf(&out, "%s ", prefix); } buf_printf(&out, "["); + buf_printf(&out, " mss_fix:%d", frame->mss_fix); + buf_printf(&out, " tun_mtu:%d", frame->tun_mtu); + buf_printf(&out, " headroom:%d", frame->buf.headroom); + buf_printf(&out, " payload:%d", frame->buf.payload_size); + buf_printf(&out, " tailroom:%d", frame->buf.tailroom); buf_printf(&out, " L:%d", frame->link_mtu); buf_printf(&out, " D:%d", frame->link_mtu_dynamic); buf_printf(&out, " EF:%d", frame->extra_frame); diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index c83d8816..930c4b73 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -91,6 +91,25 @@ * Packet geometry parameters. */ struct frame { + struct { + /* This struct holds all the information about the buffers that are + * allocated to match this frame */ + int payload_size; /**< the maximum size that a payload that our + * buffers can hold from either tun device + * or network link. + */ + + + int headroom; /**< the headroom in the buffer, this is choosen + * to allow all potential header to be added + * before the packet */ + + int tailroom; /**< the tailroom in the buffer. Chosen large + * enough to also accompany any extrea header + * or work space required by + * decryption/encryption or compression. */ + } buf; + int link_mtu; /**< Maximum packet size to be sent over * the external network interface. */ @@ -110,6 +129,17 @@ struct frame { * @endcode */ + int tun_mtu; /**< the (user) configured tun-mtu. This is used + * in configuring the tun interface or + * in calculations that use the desired size + * of the payload in the buffer. + * + * This variable is also used in control + * frame context to set the desired maximum + * control frame payload (although most of + * code ignores it) + */ + int extra_buffer; /**< Maximum number of bytes that * processing steps could expand the * internal work buffer. 
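Review bot: the new struct frame doc comments need a pass for typos ("choosen", "extrea", "accompany" should be "accommodate", "all potential header" should be plural), and the three buf fields are declared int while frame_finalize_options computes headroom, payload_size and tailroom as size_t and assigns them with an implicit narrowing conversion; pick one type (int matches the rest of struct frame and the %d formats used in frame_print) and cast at the assignment, or make the locals int.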
@@ -165,8 +195,8 @@ struct options; * a tap device ifconfiged to an MTU of 1200 might actually want * to return a packet size of 1214 on a read(). */ -#define PAYLOAD_SIZE(f) ((f)->link_mtu - (f)->extra_frame) #define PAYLOAD_SIZE_DYNAMIC(f) ((f)->link_mtu_dynamic - (f)->extra_frame) +#define PAYLOAD_SIZE(f) ((f)->buf.payload_size) /* * Max size of a payload packet after encryption, compression, etc. 
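Review bot: PAYLOAD_SIZE(f) keeps its name but changes meaning, from the largest payload the link can carry (link_mtu - extra_frame) to the buffer capacity buf.payload_size, which by construction in frame_finalize_options is larger than tun-mtu, while PAYLOAD_SIZE_DYNAMIC directly above keeps the old semantics; any remaining caller that uses PAYLOAD_SIZE as a send-size limit now gets a looser bound. Either rename the macro so such callers fail to compile and can be audited, or list the audited callers in the commit message.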
@@ -176,35 +206,23 @@ struct options; #define EXPANDED_SIZE_DYNAMIC(f) ((f)->link_mtu_dynamic) #define EXPANDED_SIZE_MIN(f) (TUN_MTU_MIN + TUN_LINK_DELTA(f)) -/* - * These values are used as maximum size constraints - * on read() or write() from TUN/TAP device or TCP/UDP port. - */ -#define MAX_RW_SIZE_TUN(f) (PAYLOAD_SIZE(f)) -#define MAX_RW_SIZE_LINK(f) (EXPANDED_SIZE(f) + (f)->extra_link) - /* * Control buffer headroom allocations to allow for efficient prepending. */ -#define FRAME_HEADROOM_BASE(f) (TUN_LINK_DELTA(f) + (f)->extra_buffer + (f)->extra_link) -/* Same as FRAME_HEADROOM_BASE but rounded up to next multiple of PAYLOAD_ALIGN */ -#define FRAME_HEADROOM(f) frame_headroom(f) /* * Max size of a buffer used to build a packet for output to - * the TCP/UDP port. - * - * the FRAME_HEADROOM_BASE(f) * 2 should not be necessary but it looks that at - * some point in the past we seem to have lost the information what parts of - * the extra space we need to have before the data and which we need after - * the data. So we ensure we have the FRAME_HEADROOM before and after the - * actual data. + * the TCP/UDP port or to read a packet from a tap/tun device. * * Most of our code only prepends headers but compression needs the extra bytes * *after* the data as compressed data might end up larger than the original - * data (and max compression overhead is part of extra_buffer) + * data (and max compression overhead is part of extra_buffer). Also crypto + * needs an extra block for encryption. Therefore tailroom is larger than the + * headroom. */ -#define BUF_SIZE(f) (TUN_MTU_SIZE(f) + FRAME_HEADROOM_BASE(f) * 2) +#define BUF_SIZE(f) ((f)->buf.headroom + (f)->buf.payload_size + (f)->buf.tailroom) + +#define FRAME_HEADROOM(f) ((f)->buf.headroom) /* * Function prototypes. 
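Review bot: the rewritten BUF_SIZE comment says crypto needs an extra block after the data and "Therefore tailroom is larger than the headroom", but the frame_finalize_options hunk sets `size_t tailroom = headroom;` and only adds COMP_EXTRA_BUFFER under USE_COMP, so in a build without compression tailroom equals headroom and the only encryption allowance is the crypto_max_overhead() copied over from headroom. Either reserve the cipher block explicitly in tailroom or reword the comment to describe what is actually reserved.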
@@ -326,20 +344,6 @@ const char *format_extended_socket_error(int fd, int *mtu, struct gc_arena *gc); #endif -/* - * Calculate a starting offset into a buffer object, dealing with - * headroom and alignment issues. - */ -static inline int -frame_headroom(const struct frame *f) -{ - const int offset = FRAME_HEADROOM_BASE(f); - /* These two lines just pad offset to next multiple of PAYLOAD_ALIGN in - * a complicated and confusing way */ - const int delta = ((PAYLOAD_ALIGN << 24) - offset) & (PAYLOAD_ALIGN - 1); - return offset + delta; -} - /* * frame member adjustment functions */ @@ -383,7 +387,7 @@ frame_add_to_extra_buffer(struct frame *frame, const int increment) static inline bool frame_defined(const struct frame *frame) { - return frame->link_mtu > 0; + return frame->buf.payload_size > 0; } #endif /* ifndef MTU_H */ diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 103e882e..e5ffebff 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -3495,7 +3495,7 @@ gremlin_flood_clients(struct multi_context *m) int i; ASSERT(buf_init(&buf, FRAME_HEADROOM(&m->top.c2.frame))); - parm.packet_size = min_int(parm.packet_size, MAX_RW_SIZE_TUN(&m->top.c2.frame)); + parm.packet_size = min_int(parm.packet_size, m->top.c2.frame.buf.payload_size); msg(D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d", parm.n_packets, @@ -3557,7 +3557,7 @@ multi_process_per_second_timers_dowork(struct multi_context *m) } void -multi_top_init(struct multi_context *m, const struct context *top) +multi_top_init(struct multi_context *m, struct context *top) { inherit_context_top(&m->top, top); m->top.c2.buffers = init_context_buffers(&top->c2.frame); diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 6e85c21c..c2b085e3 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h 
@@ -257,7 +257,7 @@ void multi_init(struct multi_context *m, struct context *t, bool tcp_mode); void multi_uninit(struct multi_context *m); -void multi_top_init(struct multi_context *m, const struct context *top); +void multi_top_init(struct multi_context *m, struct context *top); void multi_top_free(struct multi_context *m); diff --git a/src/openvpn/occ.c b/src/openvpn/occ.c index 610c05f5..c4e7c1be 100644 --- a/src/openvpn/occ.c +++ b/src/openvpn/occ.c @@ -219,7 +219,7 @@ check_send_occ_msg_dowork(struct context *c) c->c2.buf = c->c2.buffers->aux_buf; ASSERT(buf_init(&c->c2.buf, FRAME_HEADROOM(&c->c2.frame))); - ASSERT(buf_safe(&c->c2.buf, MAX_RW_SIZE_TUN(&c->c2.frame))); + ASSERT(buf_safe(&c->c2.buf, c->c2.frame.buf.payload_size)); ASSERT(buf_write(&c->c2.buf, occ_magic, OCC_STRING_SIZE)); switch (c->c2.occ_op) @@ -319,7 +319,7 @@ check_send_occ_msg_dowork(struct context *c) OCC_STRING_SIZE, (int) sizeof(uint8_t), EXTRA_FRAME(&c->c2.frame), - MAX_RW_SIZE_TUN(&c->c2.frame), + c->c2.frame.buf.payload_size, BLEN(&c->c2.buf)); doit = true; } diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 2ca24685..6e3dccb1 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3832,7 +3832,7 @@ options_string(const struct options *o, buf_printf(&out, ",link-mtu %u", (unsigned int) calc_options_string_link_mtu(o, frame)); - buf_printf(&out, ",tun-mtu %d", PAYLOAD_SIZE(frame)); + buf_printf(&out, ",tun-mtu %d", frame->tun_mtu); buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote)); bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o); diff --git a/src/openvpn/ping.c b/src/openvpn/ping.c index 67bbca14..a28f347f 100644 --- a/src/openvpn/ping.c +++ b/src/openvpn/ping.c 
@@ -80,7 +80,7 @@ check_ping_send_dowork(struct context *c) { c->c2.buf = c->c2.buffers->aux_buf; ASSERT(buf_init(&c->c2.buf, FRAME_HEADROOM(&c->c2.frame))); - ASSERT(buf_safe(&c->c2.buf, MAX_RW_SIZE_TUN(&c->c2.frame))); + ASSERT(buf_safe(&c->c2.buf, c->c2.frame.buf.payload_size)); ASSERT(buf_write(&c->c2.buf, ping_string, sizeof(ping_string))); /* diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 96c78199..b815cdfc 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -332,6 +332,32 @@ tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame /* set dynamic link MTU to cap control channel packets at 1250 bytes */ ASSERT(TUN_LINK_DELTA(frame) < min_int(frame->link_mtu, 1250)); frame->link_mtu_dynamic = min_int(frame->link_mtu, 1250) - TUN_LINK_DELTA(frame); + + /* calculate the maximum overhead that control channel frames may have */ + int overhead = 0; + + /* Socks */ + overhead += 10; + + /* tls-auth and tls-crypt */ + overhead += max_int(tls_crypt_buf_overhead(), + packet_id_size(true) + OPENVPN_MAX_HMAC_SIZE); + + /* TCP length field and opcode */ + overhead+= 3; + + /* Previous OpenVPN version calculated the maximum size and buffer of a + * control frame depending on the overhead of the data channel frame + * overhead and limited its maximum size to 1250. We always allocate the + * 1250 buffer size since a lot of code blindly assumes a large buffer + * (e.g. PUSH_BUNDLE_SIZE) and set frame->mtu_mtu as suggestion for the + * size */ + frame->buf.payload_size = 1250 + overhead; + + frame->buf.headroom = overhead; + frame->buf.tailroom = overhead; + + frame->tun_mtu = min_int(data_channel_frame->tun_mtu, 1250); } void 
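Review bot: tls_init_control_channel_frame_parameters sets `frame->tun_mtu = min_int(data_channel_frame->tun_mtu, 1250)` and the tls_process hunk below uses that value as the limit for key_state_read_ciphertext, whereas the old limit PAYLOAD_SIZE_DYNAMIC subtracted TUN_LINK_DELTA; the `overhead` computed just above (socks, tls-auth/tls-crypt, TCP length field and opcode) is only added to the buffer geometry, never subtracted from tun_mtu, so a control packet can now carry up to 1250 bytes of TLS ciphertext plus headers, above the 1250-byte cap the existing comment describes. Unless the reliable layer accounts for that elsewhere, use `min_int(data_channel_frame->tun_mtu, 1250) - overhead`, or explain in the commit message why the larger packets are acceptable. Also, the comment's "set frame->mtu_mtu" should read tun_mtu, and `overhead+= 3` is missing a space.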
@@ -1870,13 +1896,6 @@ tls_session_update_crypto_params_do_work(struct tls_session *session, msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'", options->ciphername); } - else - { - /* Very hacky workaround and quick fix for frame calculation - * different when adjusting frame size when the original and new cipher - * are identical to avoid a regression with client without NCP */ - return tls_session_generate_data_channel_keys(session); - } init_key_type(&session->opt->key_type, options->ciphername, options->authname, true, true); @@ -2959,7 +2978,7 @@ tls_process(struct tls_multi *multi, buf = reliable_get_buf_output_sequenced(ks->send_reliable); if (buf) { - int status = key_state_read_ciphertext(&ks->ks_ssl, buf, PAYLOAD_SIZE_DYNAMIC(&multi->opt.frame)); + int status = key_state_read_ciphertext(&ks->ks_ssl, buf, multi->opt.frame.tun_mtu); if (status == -1) { msg(D_TLS_ERRORS, diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index f851bd2b..ada68b4b 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h 
@@ -221,8 +221,9 @@ struct key_state struct reliable *rec_reliable; /* order incoming ciphertext packets before we pass to TLS */ struct reliable_ack *rec_ack; /* buffers all packet IDs we want to ACK back to sender */ + /** Holds outgoing message for the control channel until ks->state reaches + * S_ACTIVE */ struct buffer_list *paybuf; - counter_type n_bytes; /* how many bytes sent/recvd since last key exchange */ counter_type n_packets; /* how many packets sent/recvd since last key exchange */

From patchwork Sat Jan 1 05:25:22 2022 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2201
From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Sat, 1 Jan 2022 17:25:22 +0100 Message-Id: <20220101162532.2251835-5-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220101162532.2251835-1-arne@rfc2549.org> References: <20220101162532.2251835-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 04/14] Fix datagram_overhead and assorted functions

This function is supposed to calculate the overhead of the protocol header (IP/IPv6 + TCP/UDP). But at some point the index that used to index the array proto_overhead and the associated PROTO_N went completely out of sync. This fixed the function and related caller to again calculate the overhead as intended.
Note that IPv6 mapped IPv4 addresses still have the wrong overhead calculated as they treated as IPv6 addresses (0:0:0:0:0:ffff::/96) Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/forward.c | 10 ++++++---- src/openvpn/socket.c | 16 +++------------- src/openvpn/socket.h | 17 ++++++----------- 3 files changed, 15 insertions(+), 28 deletions(-) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index c971c6bd..6de6b4d4 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -480,10 +480,10 @@ check_fragment(struct context *c) struct link_socket_info *lsi = get_link_socket_info(c); /* OS MTU Hint? */ - if (lsi->mtu_changed) + if (lsi->mtu_changed && lsi->lsa) { frame_adjust_path_mtu(&c->c2.frame_fragment, c->c2.link_socket->mtu, - c->options.ce.proto); + lsi->lsa->actual.dest.addr.sa.sa_family, lsi->proto); lsi->mtu_changed = false; } @@ -1565,8 +1565,10 @@ process_outgoing_link(struct context *c) */ if (c->options.shaper) { - shaper_wrote_bytes(&c->c2.shaper, BLEN(&c->c2.to_link) - + datagram_overhead(c->options.ce.proto)); + int overhead = datagram_overhead(c->c2.to_link_addr->dest.addr.sa.sa_family, + c->options.ce.proto); + shaper_wrote_bytes(&c->c2.shaper, + BLEN(&c->c2.to_link) + overhead); } /* diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index df736746..93d2e61e 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -44,17 +44,6 @@ #include "memdbg.h" -const int proto_overhead[] = { /* indexed by PROTO_x */ - 0, - IPv4_UDP_HEADER_SIZE, /* IPv4 */ - IPv4_TCP_HEADER_SIZE, - IPv4_TCP_HEADER_SIZE, - IPv6_UDP_HEADER_SIZE, /* IPv6 */ - IPv6_TCP_HEADER_SIZE, - IPv6_TCP_HEADER_SIZE, - IPv6_TCP_HEADER_SIZE, -}; - /* * Convert sockflags/getaddr_flags into getaddr_flags */ 
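Review bot: the new shaper code in process_outgoing_link dereferences `c->c2.to_link_addr->dest.addr.sa.sa_family` with no NULL check, while the check_fragment hunk in the same file adds `&& lsi->lsa` to guard the equivalent access; if to_link_addr is guaranteed non-NULL at this point, a short comment saying so would help, otherwise guard it the same way. Also, as the commit message notes, the family passed in both call sites is the socket address family, so an IPv4 peer seen through a v4-mapped IPv6 socket address is charged the 40-byte IPv6 header; a small helper that maps ::ffff:0:0/96 addresses to AF_INET before calling datagram_overhead would close that gap for both callers.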
@@ -1660,9 +1649,10 @@ socket_frame_init(const struct frame *frame, struct link_socket *sock) * to us by the OS. */ void -frame_adjust_path_mtu(struct frame *frame, int pmtu, int proto) +frame_adjust_path_mtu(struct frame *frame, int pmtu, sa_family_t af, int proto) { - frame_set_mtu_dynamic(frame, pmtu - datagram_overhead(proto), SET_MTU_UPPER_BOUND); + frame_set_mtu_dynamic(frame, pmtu - datagram_overhead(af, proto), + SET_MTU_UPPER_BOUND); } static void diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index cc1e0c36..936ef262 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h @@ -300,7 +300,7 @@ void do_preresolve(struct context *c); void socket_adjust_frame_parameters(struct frame *frame, int proto); -void frame_adjust_path_mtu(struct frame *frame, int pmtu, int proto); +void frame_adjust_path_mtu(struct frame *frame, int pmtu, sa_family_t af, int proto); void link_socket_close(struct link_socket *sock); 
@@ -579,18 +579,13 @@ const char *addr_family_name(int af); /* * Overhead added to packets by various protocols. */ -#define IPv4_UDP_HEADER_SIZE 28 -#define IPv4_TCP_HEADER_SIZE 40 -#define IPv6_UDP_HEADER_SIZE 48 -#define IPv6_TCP_HEADER_SIZE 60 - -extern const int proto_overhead[]; - static inline int -datagram_overhead(int proto) +datagram_overhead(sa_family_t af, int proto) { - ASSERT(proto >= 0 && proto < PROTO_N); - return proto_overhead [proto]; + int overhead = 0; + overhead += (proto == PROTO_UDP) ? 8 : 20; + overhead += (af == AF_INET) ? 20 : 40; + return overhead; } /*

From patchwork Sat Jan 1 05:25:23 2022 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2203
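Review bot: the rewritten datagram_overhead drops the `ASSERT(proto >= 0 && proto < PROTO_N)` range check and treats every non-UDP value, including an unset or invalid proto, as TCP with a bare 20-byte header; keep an explicit check (or at least a comment) on the accepted PROTO_* values, and document that 20 is the minimum TCP header, since options such as timestamps commonly add 12 bytes and frame_adjust_path_mtu uses this value to size packets against the path MTU. The removed IPv4_*/IPv6_* constants encoded the same 28/40/48/60 totals, so the numbers themselves are unchanged; that is worth a line in the commit message.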
From patchwork Sat Jan 1 05:25:23 2022 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2203
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 1 Jan 2022 17:25:23 +0100
Message-Id: <20220101162532.2251835-6-arne@rfc2549.org>
In-Reply-To: <20220101162532.2251835-1-arne@rfc2549.org>
References: <20220101162532.2251835-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 05/14] Implement optional mtu parameter for mssfix

The current mssfix parameter is a bit as it needs manual calculation of the allowable packet size and also the resulting MSS value does not take into account if IPv4 or IPv6 is used on the outer tunnel. The mtu parameter fixes both of these problems by dynamically including the real overhead. The syntax and naming of the parameter is chosen for compatibility with OpenVPN3.
Patch V2: document mssfix 0 disabling mssfix, fix rst syntax Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- Changes.rst | 6 ++++ doc/man-sections/link-options.rst | 38 +++++++++++++++++++------- src/openvpn/init.c | 7 +++-- src/openvpn/mss.c | 29 +++++++++++++++++++- src/openvpn/mss.h | 3 +- src/openvpn/multi.c | 3 +- src/openvpn/options.c | 13 +++++++-- src/openvpn/options.h | 2 ++ src/openvpn/ssl.c | 11 +++++--- src/openvpn/ssl.h | 5 +++- tests/unit_tests/openvpn/test_crypto.c | 8 +++--- 11 files changed, 98 insertions(+), 27 deletions(-) diff --git a/Changes.rst b/Changes.rst index b7d7f205..cf6a2f86 100644 --- a/Changes.rst +++ b/Changes.rst @@ -62,6 +62,12 @@ Optional ciphers in ``--data-ciphers`` Ciphers in ``--data-ciphers`` can now be prefixed with a ``?`` to mark those as optional and only use them if the SSL library supports them. + +Improved ``--mssfix`` calculation + The ``--mssfix`` option now allows an optional :code:`mtu` parameter to specify + that different overhead for IPv4/IPv6 should taken into account and the resulting + size is specified as the total size of the VPN packets including IP and UDP headers. + Deprecated features ------------------- ``inetd`` has been removed diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index b1ae4e75..01bc910f 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst 
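Review bot: the Changes.rst entry is missing a word: "different overhead for IPv4/IPv6 should taken into account" should read "should be taken into account". It would also help readers of the changelog to state the practical consequence in one sentence, namely that with the :code:`mtu` parameter the same ``max`` now yields packets of that total size on both udp4 and udp6, which is the point of the change.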
@@ -110,19 +110,37 @@ the local and the remote host. (:code:`p2p`). OpenVPN 2.0 introduces a new mode (:code:`server`) which implements a multi-client server capability. ---mssfix max +--mssfix args + + Valid syntax: + :: + + mssfix max [mtu] + + mssfix + Announce to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them, the resulting UDP packet size that OpenVPN sends to its peer will not - exceed ``max`` bytes. The default value is :code:`1450`. - - The ``max`` parameter is interpreted in the same way as the - ``--link-mtu`` parameter, i.e. the UDP packet size after encapsulation - overhead has been added in, but not including the UDP header itself. - Resulting packet would be at most 28 bytes larger for IPv4 and 48 bytes - for IPv6 (20/40 bytes for IP header and 8 bytes for UDP header). Default - value of 1450 allows IPv4 packets to be transmitted over a link with MTU - 1473 or higher without IP level fragmentation. + exceed ``max`` bytes. The default value is :code:`1450`. Use :code:`0` + as max to disable mssfix. + + If the :code:`mtu` parameter is specified the ``max`` value is interpreted + as the resulting packet size of VPN packets including the IP and UDP header. + Support for the :code:`mtu` parameter was added with OpenVPN version 2.6.0. + + If the :code:`mtu` parameter is not specified, the ``max`` parameter + is interpreted in the same way as the ``--link-mtu`` parameter, i.e. + the UDP packet size after encapsulation overhead has been added in, but + not including the UDP header itself. Resulting packet would be at most 28 + bytes larger for IPv4 and 48 bytes for IPv6 (20/40 bytes for IP header and + 8 bytes for UDP header). Default value of 1450 allows IPv4 packets to be + transmitted over a link with MTU 1473 or higher without IP level + fragmentation. 
+ + if ``--mssfix`` is specified is specified without any parameter it + inherits the parameters of ``--fragment`` if specified or uses the + default for ``--mssfix`` otherwise. The ``--mssfix`` option only makes sense when you are using the UDP protocol for OpenVPN peer-to-peer communication, i.e. ``--proto udp``. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index c4770c21..642460c1 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2271,7 +2271,7 @@ do_deferred_p2p_ncp(struct context *c) #endif if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame, - frame_fragment)) + frame_fragment, get_link_socket_info(c))) { msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher"); return false; @@ -2386,7 +2386,7 @@ do_deferred_options(struct context *c, const unsigned int found) struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame, - frame_fragment)) + frame_fragment, get_link_socket_info(c))) { msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options"); return false; @@ -4302,7 +4302,8 @@ init_instance(struct context *c, const struct env_set *env, const unsigned int f #endif /* initialize dynamic MTU variable */ - frame_calculate_mssfix(&c->c2.frame, &c->c1.ks.key_type, &c->options); + frame_calculate_mssfix(&c->c2.frame, &c->c1.ks.key_type, &c->options, + get_link_socket_info(c)); /* bind the TCP/UDP socket */ if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c index 3007cc52..ed64e1e2 100644 --- a/src/openvpn/mss.c +++ b/src/openvpn/mss.c 
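Review bot: the new closing paragraph of the ``--mssfix`` section in link-options.rst has a duplicated phrase, "if ``--mssfix`` is specified is specified without any parameter", and starts a sentence with a lowercase "if". Two substantive points in the same hunk: the sentence "the ``max`` value is interpreted as the resulting packet size of VPN packets including the IP and UDP header" does not match the code, which calls datagram_overhead(af, lsi->proto) and therefore adds the 20-byte TCP header when ``--proto tcp`` is in use, so say "IP and UDP/TCP header"; and the unchanged sentence "Default value of 1450 allows IPv4 packets to be transmitted over a link with MTU 1473 or higher" becomes stale once 07/14 in this series changes the default to 1492 with mtu, so the default should be updated in the documentation within the same series.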
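Review bot: in the init_instance() hunk, frame_calculate_mssfix() now receives get_link_socket_info(c) before the socket is bound (the "bind the TCP/UDP socket" comment follows immediately), so lsi->lsa is presumably still NULL at that point and the new mss.c helper falls back to options->ce.af; please confirm that lsi->proto is already valid there, because get_ip_encap_overhead() reads it unconditionally. A short comment at this call site saying that an early, address-family-guessed value is intended and is recomputed by the tls_session_update_crypto_params() calls in do_deferred_options()/do_deferred_p2p_ncp() would save the next reader the same investigation.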
@@ -227,9 +227,30 @@ adjust_payload_max_cbc(const struct key_type *kt, unsigned int target) } } +static unsigned int +get_ip_encap_overhead(const struct options *options, + const struct link_socket_info *lsi) +{ + /* Add the overhead of the encapsulating IP packets */ + sa_family_t af; + if (lsi->lsa) + { + af = lsi->lsa->actual.dest.addr.sa.sa_family; + } + else + { + /* In the early init before the connection is established or we + * are in listen mode we can only make an educated guess + * from the af of the connection entry */ + af = options->ce.af; + } + return datagram_overhead(af, lsi->proto); +} + void frame_calculate_mssfix(struct frame *frame, struct key_type *kt, - const struct options *options) + const struct options *options, + struct link_socket_info *lsi) { if (options->ce.mssfix == 0) { @@ -251,6 +272,12 @@ frame_calculate_mssfix(struct frame *frame, struct key_type *kt, * * (RFC 879, section 7). */ + if (options->ce.mssfix_encap) + { + /* Add the overhead of the encapsulating IP packets */ + overhead += get_ip_encap_overhead(options, lsi); + } + /* Add 20 bytes for the IPv4 header and 20 byte for the TCP header of the * payload, the mssfix method will add 20 extra if payload is IPv6 */ payload_overhead += 20 + 20; diff --git a/src/openvpn/mss.h b/src/openvpn/mss.h index 856f4c4e..eecc7994 100644 --- a/src/openvpn/mss.h +++ b/src/openvpn/mss.h @@ -37,6 +37,7 @@ void mss_fixup_dowork(struct buffer *buf, uint16_t maxmss); /** Set the --mssfix option. */ void frame_calculate_mssfix(struct frame *frame, struct key_type *kt, - const struct options *options); + const struct options *options, + struct link_socket_info *lsi); #endif diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index e5ffebff..67b7114a 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c 
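Review bot: get_ip_encap_overhead() dereferences lsi without a NULL check, and frame_calculate_mssfix() is called with lsi == NULL from the unit tests in this same patch; that is only safe because those tests leave mssfix_encap false, so either ASSERT(lsi) inside the mssfix_encap branch or treat a NULL lsi like the "no lsa yet" case and fall back to options->ce.af. In that fallback path options->ce.af may still be AF_UNSPEC when no udp4/udp6 suffix was given, which datagram_overhead() from 04/14 counts as IPv6 (40 bytes); that is the conservative choice for an MSS clamp, but the comment should say so explicitly rather than only "educated guess". Minor: the comment "Add the overhead of the encapsulating IP packets" appears twice, and lsi could be const struct link_socket_info * both in the helper and in the frame_calculate_mssfix() prototype in mss.h.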
@@ -2286,7 +2286,8 @@ multi_client_generate_tls_keys(struct context *c) #endif struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; if (!tls_session_update_crypto_params(session, &c->options, - &c->c2.frame, frame_fragment)) + &c->c2.frame, frame_fragment, + get_link_socket_info(c))) { msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed"); register_signal(c, SIGUSR1, "process-push-msg-failed"); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 6e3dccb1..efe3b2fb 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -6771,18 +6771,27 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); script_security_set(atoi(p[1])); } - else if (streq(p[0], "mssfix") && !p[2]) + else if (streq(p[0], "mssfix") && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); if (p[1]) { options->ce.mssfix = positive_atoi(p[1]); } - else + + if (!p[1]) { options->ce.mssfix_default = true; } + if (p[2] && streq(p[2], "mtu")) + { + options->ce.mssfix_encap = true; + } + else if (p[2]) + { + msg(msglevel, "Unknown parameter to --mssfix: %s", p[2]); + } } else if (streq(p[0], "disable-occ") && !p[1]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index d4f41cd7..c8bccf3e 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -127,6 +127,8 @@ struct connection_entry int fragment; /* internal fragmentation size */ int mssfix; /* Upper bound on TCP MSS */ bool mssfix_default; /* true if --mssfix was supplied without a parameter */ + bool mssfix_encap; /* true if --mssfix had the "mtu" parameter to include + * overhead from IP and TCP/UDP encapsulation */ int explicit_exit_notification; /* Explicitly tell peer when we are exiting via OCC_EXIT or [RESTART] message */ diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index b815cdfc..d6b91efc 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c 
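Review bot: in the add_option() hunk an unrecognised second argument is only logged ("Unknown parameter to --mssfix: %s") and the option is then accepted as if the argument were absent, so a typo such as "--mssfix 1400 mut" silently loses the encapsulation semantics the user asked for; it should be rejected like any other malformed option. Also, "--mssfix mtu" without a max is parsed with p[1] == "mtu", and if positive_atoi() yields 0 for a non-numeric string this disables mssfix entirely instead of either erroring out or applying the default with encapsulation; add a numeric check on p[1] or document that :code:`mtu` requires an explicit ``max``.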
@@ -1883,7 +1883,8 @@ cleanup: bool tls_session_update_crypto_params_do_work(struct tls_session *session, struct options* options, struct frame *frame, - struct frame *frame_fragment) + struct frame *frame_fragment, + struct link_socket_info *lsi) { if (session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized) { @@ -1913,7 +1914,7 @@ tls_session_update_crypto_params_do_work(struct tls_session *session, options->replay, packet_id_long_form); frame_finalize(frame, options->ce.link_mtu_defined, options->ce.link_mtu, options->ce.tun_mtu_defined, options->ce.tun_mtu); - frame_calculate_mssfix(frame, &session->opt->key_type, options); + frame_calculate_mssfix(frame, &session->opt->key_type, options, lsi); frame_print(frame, D_MTU_INFO, "Data Channel MTU parms"); /* @@ -1938,7 +1939,8 @@ tls_session_update_crypto_params_do_work(struct tls_session *session, bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, - struct frame *frame_fragment) + struct frame *frame_fragment, + struct link_socket_info *lsi) { bool cipher_allowed_as_fallback = options->enable_ncp_fallback @@ -1957,7 +1959,8 @@ tls_session_update_crypto_params(struct tls_session *session, /* Import crypto settings that might be set by pull/push */ session->opt->crypto_flags |= options->data_channel_crypto_flags; - return tls_session_update_crypto_params_do_work(session, options, frame, frame_fragment); + return tls_session_update_crypto_params_do_work(session, options, frame, + frame_fragment, lsi); } diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index b14453fe..e566acd8 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h 
@@ -508,13 +508,16 @@ void tls_update_remote_addr(struct tls_multi *multi, * @param frame The frame options for this session (frame overhead is * adjusted based on the selected cipher/auth). * @param frame_fragment The fragment frame options. + * @param lsi link socket info to adjust MTU related options + * depending on the current protocol * * @return true if updating succeeded or keys are already generated, false otherwise. */ bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, - struct frame *frame_fragment); + struct frame *frame_fragment, + struct link_socket_info *lsi); /* * inline functions diff --git a/tests/unit_tests/openvpn/test_crypto.c b/tests/unit_tests/openvpn/test_crypto.c index 4a094baa..8a31174b 100644 --- a/tests/unit_tests/openvpn/test_crypto.c +++ b/tests/unit_tests/openvpn/test_crypto.c @@ -382,7 +382,7 @@ test_mssfix_mtu_calculation(void **state) init_key_type(&kt, o.ciphername, o.authname, false, false); /* No encryption, just packet id (8) + TCP payload(20) + IP payload(20) */ - frame_calculate_mssfix(&f, &kt, &o); + frame_calculate_mssfix(&f, &kt, &o, NULL); assert_int_equal(f.mss_fix, 952); /* Static key OCC examples */ @@ -392,7 +392,7 @@ test_mssfix_mtu_calculation(void **state) o.ciphername = "none"; o.authname = "none"; init_key_type(&kt, o.ciphername, o.authname, false, false); - frame_calculate_mssfix(&f, &kt, &o); + frame_calculate_mssfix(&f, &kt, &o, NULL); assert_int_equal(f.mss_fix, 952); /* secret, cipher AES-128-CBC, auth none */ @@ -406,7 +406,7 @@ test_mssfix_mtu_calculation(void **state) * all result in the same CBC block size/padding and <= 991 and >=1008 * should be one block less and more respectively */ o.ce.mssfix = i; - frame_calculate_mssfix(&f, &kt, &o); + frame_calculate_mssfix(&f, &kt, &o, NULL); if (i <= 991) { assert_int_equal(f.mss_fix, 911); 
@@ -434,7 +434,7 @@ test_mssfix_mtu_calculation(void **state) /* For stream ciphers, the value should not be influenced by block * sizes or similar but always have the same difference */ o.ce.mssfix = i; - frame_calculate_mssfix(&f, &kt, &o); + frame_calculate_mssfix(&f, &kt, &o, NULL); /* 4 byte opcode/peerid, 4 byte pkt ID, 16 byte tag, 40 TCP+IP */ assert_int_equal(f.mss_fix, i - 4 - 4 - 16 - 40);
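Review bot: all four updated call sites in test_crypto.c pass NULL for lsi, so the new mssfix_encap path in frame_calculate_mssfix() has no test coverage. Add a case that sets o.ce.mssfix_encap = true with a constructed struct link_socket_info (proto PROTO_UDP, lsa == NULL, o.ce.af set to AF_INET and then AF_INET6) and asserts that mss_fix drops by a further 28 and 48 bytes respectively relative to the existing expectations, which is exactly the IPv4/IPv6 UDP overhead that datagram_overhead() from 04/14 returns.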
From patchwork Sat Jan 1 05:25:24 2022 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2193
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 1 Jan 2022 17:25:24 +0100
Message-Id: <20220101162532.2251835-7-arne@rfc2549.org>
In-Reply-To: <20220101162532.2251835-1-arne@rfc2549.org>
References: <20220101162532.2251835-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 06/14] Update fragment and mssfix related warnings

The warning that fragment/mssfix needs also tun-mtu set to 1500 makes little sense. Remove it completely. Instead warn if there are inconsistencies between --fragment and mssfix.

Patch v2: clarify the mssfix and fragment mtu warning message
Signed-off-by: Arne Schwabe --- src/openvpn/init.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 642460c1..f3b0776c 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -3255,12 +3255,17 @@ do_init_frame(struct context *c) #endif #ifdef ENABLE_FRAGMENT - if ((c->options.ce.mssfix || c->options.ce.fragment) - && TUN_MTU_SIZE(&c->c2.frame_fragment) != ETHERNET_MTU) + if (c->options.ce.fragment > 0 && c->options.ce.mssfix > c->options.ce.fragment) { - msg(M_WARN, - "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)", - ETHERNET_MTU, TUN_MTU_SIZE(&c->c2.frame_fragment)); + msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should " + "set --fragment (%d) larger or equal than --mssfix (%d)", + c->options.ce.fragment, c->options.ce.mssfix); + } + if (c->options.ce.fragment > 0 && c->options.ce.mssfix > 0 + && c->options.ce.fragment_encap != c->options.ce.mssfix_encap) + { + msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should " + "use the \"mtu\" flag for both or none of of them."); } #endif }
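Review bot: the two new warning strings need wording fixes: "larger or equal than" should be "larger than or equal to", and "both or none of of them" has a doubled "of". Logically, the first check compares ce.mssfix with ce.fragment as raw numbers even when the two use different encapsulation semantics (one given with the "mtu" flag, one without), so in that case the user gets a misleading size comparison and the flag-mismatch warning at the same time; consider testing fragment_encap == mssfix_encap first and only comparing the values when they are actually comparable. fragment_encap is not introduced by any patch shown here; if it comes from an earlier patch in the series that is fine, but please confirm every intermediate commit still compiles.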
From patchwork Sat Jan 1 05:25:25 2022 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2196
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 1 Jan 2022 17:25:25 +0100
Message-Id: <20220101162532.2251835-8-arne@rfc2549.org>
In-Reply-To: <20220101162532.2251835-1-arne@rfc2549.org>
References: <20220101162532.2251835-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 07/14] Change the default for mssfix to mssfix 1492 mtu

The current default is 1450, which translates to 1478 byte packets for udp4 and 1498 byte packets for udp6. This commit changes the mssfix default to take the outer IP overhead into account as well and changes the target to 1492. 1492 was picked in our community meeting for being a very common encapsulation upper bound.
The change also disables an mssfix default if tun-mtu is set to a value different than 1500. Signed-off-by: Arne Schwabe --- src/openvpn/mtu.h | 2 +- src/openvpn/options.c | 60 +++++++++++++++++++++++++++++-------------- src/openvpn/options.h | 2 +- 3 files changed, 43 insertions(+), 21 deletions(-) diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index 930c4b73..41ba970c 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -77,7 +77,7 @@ /* * Default MSSFIX value, used for reducing TCP MTU size */ -#define MSSFIX_DEFAULT 1450 +#define MSSFIX_DEFAULT 1492 /* * Alignment of payload data such as IP packet or diff --git a/src/openvpn/options.c b/src/openvpn/options.c index efe3b2fb..3ba183d0 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -802,7 +802,9 @@ init_options(struct options *o, const bool init_gc) o->ce.tun_mtu = TUN_MTU_DEFAULT; o->ce.link_mtu = LINK_MTU_DEFAULT; o->ce.mtu_discover_type = -1; - o->ce.mssfix = MSSFIX_DEFAULT; + o->ce.mssfix = 0; + o->ce.mssfix_default = true; + o->ce.mssfix_encap = true; o->route_delay_window = 30; o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; o->resolve_in_advance = false; @@ -1509,6 +1511,7 @@ show_connection_entry(const struct connection_entry *o) SHOW_INT(fragment); #endif SHOW_INT(mssfix); + SHOW_BOOL(mssfix_encap); SHOW_INT(explicit_exit_notification); @@ -2884,22 +2887,6 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) ce->flags |= CE_DISABLED; } - /* - * If --mssfix is supplied without a parameter, default - * it to --fragment value, if --fragment is specified. - */ - if (o->ce.mssfix_default) - { -#ifdef ENABLE_FRAGMENT - if (ce->fragment) - { - ce->mssfix = ce->fragment; - } -#else - msg(M_USAGE, "--mssfix must specify a parameter"); -#endif - } - /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not) * so fall back to IPv4-only (trac #1221) */ 
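Review bot: the removed block in options_postprocess_mutate_ce() also carried an #else branch that failed with M_USAGE "--mssfix must specify a parameter" when ENABLE_FRAGMENT is not defined; the re-added block later in this patch drops that error, which is reasonable now that a parameterless --mssfix has a meaning of its own, but the commit message should mention this behaviour change. In the mtu.h hunk the comment above MSSFIX_DEFAULT ("Default MSSFIX value, used for reducing TCP MTU size") should say that since init_options() now sets mssfix_encap = true, this value is the total packet size including the outer IP and UDP/TCP headers, otherwise 1492 reads like the old link-level number.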
@@ -2933,6 +2920,36 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) } } + /* + * If --mssfix is supplied without a parameter or not specified at all, + * default it to --fragment value, if --fragment is specified and otherwise + * to the default if tun-mtu is 1500 + */ + if (o->ce.mssfix_default) + { +#ifdef ENABLE_FRAGMENT + if (ce->fragment) + { + ce->mssfix = ce->fragment; + } + else +#endif + if (ce->tun_mtu_defined && o->ce.tun_mtu == TUN_MTU_DEFAULT) + { + /* We want to only set mssfix default value if we use a default + * MTU Size, otherwise the different size of tun should either + * already solve the problem or mssfix might artifically make the + * payload packets smaller without mssfix 0 */ + ce->mssfix = MSSFIX_DEFAULT; + ce->mssfix_encap = true; + } + else + { + msg(D_MTU_INFO, "Note: not enabling mssfix for non-default value " + "of --tun-mtu"); + } + } + /* * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined. * @@ -6776,12 +6793,17 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); if (p[1]) { + /* value specified, assume encapsulation is not + * included unles "mtu" follows later */ options->ce.mssfix = positive_atoi(p[1]); + options->ce.mssfix_encap = false; + options->ce.mssfix_default = false; } - - if (!p[1]) + else { + /* Set MTU to default values */ options->ce.mssfix_default = true; + options->ce.mssfix_encap = true; } if (p[2] && streq(p[2], "mtu")) diff --git a/src/openvpn/options.h b/src/openvpn/options.h index c8bccf3e..d754efa1 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h 
@@ -126,7 +126,7 @@ struct connection_entry int fragment; /* internal fragmentation size */ int mssfix; /* Upper bound on TCP MSS */ - bool mssfix_default; /* true if --mssfix was supplied without a parameter */ + bool mssfix_default; /* true if --mssfix should use the default parameters */ bool mssfix_encap; /* true if --mssfix had the "mtu" parameter to include * overhead from IP and TCP/UDP encapsulation */
From patchwork Sat Jan 1 05:25:26 2022 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2198
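Review bot: the comment above MSSFIX_DEFAULT in the mtu.h hunk ("Default MSSFIX value, used for reducing TCP MTU size") no longer describes the value: 1492 is applied together with mssfix_encap = true (see the init_options hunk), so it is a total packet size including the outer IP and UDP headers, whereas the old 1450 was not. Please say so next to the define; otherwise a reader comparing 1492 with 1450 will conclude the default got larger, when the commit message shows the opposite (1450 meant 1478 or 1498 byte packets on the wire).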
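Review bot: the show_connection_entry hunk adds SHOW_BOOL(mssfix_encap), but mssfix_default now also decides what the effective value will be; add SHOW_BOOL(mssfix_default) beside it so a debug dump explains why mssfix is still 0 at this point (it is only resolved later in options_postprocess_mutate_ce).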
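Review bot: dropping the #else branch with msg(M_USAGE, "--mssfix must specify a parameter") in the first options_postprocess_mutate_ce hunk is a user-visible change for builds without ENABLE_FRAGMENT: a bare --mssfix now silently selects the default instead of aborting. That is consistent with the new default logic, but the commit message only mentions the 1492 value and the tun-mtu condition; please add a sentence for it.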
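Review bot: the new default block in the second options_postprocess_mutate_ce hunk mixes the per-connection entry with the global one: it tests ce->tun_mtu_defined but compares o->ce.tun_mtu (and keeps testing o->ce.mssfix_default, carried over from the removed block), while writing ce->mssfix and ce->mssfix_encap. For a <connection> block that sets its own --tun-mtu, o->ce.tun_mtu is still the default while ce->tun_mtu is not, so the default would be enabled exactly where the commit message says it should be disabled; use ce->tun_mtu and ce->mssfix_default throughout. Two smaller points in the same hunk: if tun_mtu_defined is also false when --link-mtu is configured instead, the "non-default value of --tun-mtu" note is misleading for that case and should mention --link-mtu too; and the comment has "artifically" and the phrase "without mssfix 0", which does not parse, something like "unless the user explicitly set mssfix 0" reads better.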
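Review bot: in the add_option hunk the else-branch comment "Set MTU to default values" describes mssfix, not the MTU; "use the mssfix default with encapsulation semantics" matches the two assignments below it. The comment above the if-branch also has "unles" for "unless". Since that branch sets mssfix_encap = false before the separate `if (p[2] && streq(p[2], "mtu"))` check, please add a short comment there that the later check is what flips it back to true, so the two-step state is obvious to the next reader.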
From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Sat, 1 Jan 2022 17:25:26 +0100 Message-Id: <20220101162532.2251835-9-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220101162532.2251835-1-arne@rfc2549.org> References: <20220101162532.2251835-1-arne@rfc2549.org> MIME-Version: 1.0
Subject: [Openvpn-devel] [PATCH v3 08/14] Remove link_mtu parameter when running up/down scripts
The link mtu is no longer used and calculating a compatibility link MTU just for scripts makes little sense as well. Replace the parameter instead with a fixed parameter 0. Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- Changes.rst | 2 ++ src/openvpn/init.c | 16 +++------------- 2 files changed, 5 insertions(+), 13 deletions(-) diff --git a/Changes.rst b/Changes.rst index cf6a2f86..7d6fb7f7 100644 --- a/Changes.rst +++ b/Changes.rst @@ -128,6 +128,8 @@ User-visible Changes - CHACHA20-POLY1305 is included in the default of ``--data-ciphers`` when available. - Option ``--prng`` is ignored as we rely on the SSL library random number generator. - Option ``--nobind`` is default when ``--client`` or ``--pull`` is used in the configuration +- :code:`link_mtu` parameter is removed from environment or replaced with 0 when scripts are + called with parameters. This parameter is unreliable and no longer internally calculated. Overview of changes in 2.5 ========================== diff --git a/src/openvpn/init.c b/src/openvpn/init.c index f3b0776c..1c5d03a8 100644 --- a/src/openvpn/init.c
+++ b/src/openvpn/init.c @@ -113,7 +113,6 @@ run_up_down(const char *command, #endif const char *dev_type, int tun_mtu, - int link_mtu, const char *ifconfig_local, const char *ifconfig_remote, const char *context, @@ -129,7 +128,6 @@ run_up_down(const char *command, } setenv_str(es, "script_context", context); setenv_int(es, "tun_mtu", tun_mtu); - setenv_int(es, "link_mtu", link_mtu); setenv_str(es, "dev", arg); if (dev_type) { @@ -157,11 +155,8 @@ run_up_down(const char *command, struct argv argv = argv_new(); ASSERT(arg); argv_printf(&argv, - "%s %d %d %s %s %s", - arg, - tun_mtu, link_mtu, - ifconfig_local, ifconfig_remote, - context); + "%s %d 0 %s %s %s", + arg, tun_mtu, ifconfig_local, ifconfig_remote, context); if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS) { @@ -177,7 +172,7 @@ run_up_down(const char *command, ASSERT(arg); setenv_str(es, "script_type", script_type); argv_parse_cmd(&argv, command); - argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu, + argv_printf_cat(&argv, "%s %d 0 %s %s %s", arg, tun_mtu, ifconfig_local, ifconfig_remote, context); argv_msg(M_INFO, &argv); openvpn_run_script(&argv, es, S_FATAL, "--up/--down"); @@ -1848,7 +1843,6 @@ do_open_tun(struct context *c) #endif dev_type_string(c->options.dev, c->options.dev_type), TUN_MTU_SIZE(&c->c2.frame), - EXPANDED_SIZE(&c->c2.frame), print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init", @@ -1898,7 +1892,6 @@ else #endif dev_type_string(c->options.dev, c->options.dev_type), TUN_MTU_SIZE(&c->c2.frame), - EXPANDED_SIZE(&c->c2.frame), print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "restart", 
@@ -1978,7 +1971,6 @@ do_close_tun(struct context *c, bool force) #endif NULL, TUN_MTU_SIZE(&c->c2.frame), - EXPANDED_SIZE(&c->c2.frame), print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init", @@ -2009,7 +2001,6 @@ do_close_tun(struct context *c, bool force) #endif NULL, TUN_MTU_SIZE(&c->c2.frame), - EXPANDED_SIZE(&c->c2.frame), print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init", 
@@ -2048,7 +2039,6 @@ do_close_tun(struct context *c, bool force) #endif NULL, TUN_MTU_SIZE(&c->c2.frame), - EXPANDED_SIZE(&c->c2.frame), print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "restart",
From patchwork Sat Jan 1 05:25:27 2022 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2202
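Review bot: the Changes.rst entry "is removed from environment or replaced with 0 when scripts are called with parameters" is ambiguous about which of the two happens where; state it as the code does it: the link_mtu environment variable is no longer set at all, and the link_mtu positional argument passed to --up/--down scripts and plugins is always 0.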
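Review bot: the run_up_down hunks keep the positional argument as a literal 0 (good, argument positions of existing scripts are preserved) but delete setenv_int(es, "link_mtu", ...) outright, so the environment and the argv form now disagree. Consider keeping setenv_int(es, "link_mtu", 0) for one release for scripts that test the variable for presence, or at least document the asymmetry. Independently, the diffstat shows only Changes.rst and init.c touched: the man page text describing the --up/--down argument list (tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip ...) and the plugin-facing description of the same arguments still name link_mtu and should be updated in this commit.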
From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Sat, 1 Jan 2022 17:25:27 +0100 Message-Id: <20220101162532.2251835-10-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220101162532.2251835-1-arne@rfc2549.org> References: <20220101162532.2251835-1-arne@rfc2549.org> MIME-Version: 1.0 Subject: [Openvpn-devel] [PATCH v3 09/14] Add mtu parameter to --fragment and change fragment calculation
Instead of relying on the link_mtu_dynamic field and its calculation in the frame struct, add a new field max_fragment_size and add a calculation of it similar to mssfix.
Also whenever mssfix value is calculated, we also want to calculate the values for fragment as both options need to be calculated from the real overhead. Patch v2: Fix syntax in rst man page Signed-off-by: Arne Schwabe --- Changes.rst | 9 ++- doc/man-sections/link-options.rst | 20 ++++- src/openvpn/forward.c | 3 +- src/openvpn/fragment.c | 4 +- src/openvpn/init.c | 15 ++-- src/openvpn/mss.c | 100 +++++++++++++++++++++++-- src/openvpn/mss.h | 13 +++- src/openvpn/mtu.c | 48 +----------- src/openvpn/mtu.h | 21 ++++-- src/openvpn/options.c | 12 ++- src/openvpn/options.h | 2 + src/openvpn/socket.c | 11 --- src/openvpn/socket.h | 2 - src/openvpn/ssl.c | 20 +---- tests/unit_tests/openvpn/test_crypto.c | 8 +- 15 files changed, 178 insertions(+), 110 deletions(-) diff --git a/Changes.rst b/Changes.rst index 7d6fb7f7..ceb0b268 100644 --- a/Changes.rst +++ b/Changes.rst @@ -63,10 +63,11 @@ Optional ciphers in ``--data-ciphers`` those as optional and only use them if the SSL library supports them. -Improved ``--mssfix`` calculation - The ``--mssfix`` option now allows an optional :code:`mtu` parameter to specify - that different overhead for IPv4/IPv6 should taken into account and the resulting - size is specified as the total size of the VPN packets including IP and UDP headers. +Improved ``--mssfix`` and ``--fragment`` calculation + The ``--mssfix`` and ``--fragment`` options now allow an optional :code:`mtu` + parameter to specify that different overhead for IPv4/IPv6 should taken into + account and the resulting size is specified as the total size of the VPN packets + including IP and UDP headers. Deprecated features ------------------- diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index 01bc910f..94453de0 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst 
@@ -24,13 +24,25 @@ the local and the remote host. from any address, not only the address which was specified in the ``--remote`` option. ---fragment max +--fragment args + + Valid syntax: + :: + + fragment max + fragment max mtu + Enable internal datagram fragmentation so that no UDP datagrams are sent which are larger than ``max`` bytes. - The ``max`` parameter is interpreted in the same way as the - ``--link-mtu`` parameter, i.e. the UDP packet size after encapsulation - overhead has been added in, but not including the UDP header itself. + If the :code:`mtu` parameter is present the ``max`` parameter is + interpreted to include IP and UDP encapsulation overhead. The + :code:`mtu` parameter is introduced in OpenVPN version 2.6.0. + + If the :code:`mtu` parameter is absent, the ``max`` parameter is + interpreted in the same way as the ``--link-mtu`` parameter, i.e. + the UDP packet size after encapsulation overhead has been added in, + but not including the UDP header itself. The ``--fragment`` option only makes sense when you are using the UDP protocol (``--proto udp``). diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 6de6b4d4..3f362e95 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -482,8 +482,7 @@ check_fragment(struct context *c) /* OS MTU Hint? */ if (lsi->mtu_changed && lsi->lsa) { - frame_adjust_path_mtu(&c->c2.frame_fragment, c->c2.link_socket->mtu, - lsi->lsa->actual.dest.addr.sa.sa_family, lsi->proto); + frame_adjust_path_mtu(c); lsi->mtu_changed = false; } diff --git a/src/openvpn/fragment.c b/src/openvpn/fragment.c index 6f8fb447..ce8cd348 100644 --- a/src/openvpn/fragment.c +++ b/src/openvpn/fragment.c 
@@ -335,12 +335,12 @@ fragment_outgoing(struct fragment_master *f, struct buffer *buf, msg(D_FRAG_ERRORS, "FRAG: outgoing buffer is not empty, len=[%d,%d]", buf->len, f->outgoing.len); } - if (buf->len > PAYLOAD_SIZE_DYNAMIC(frame)) /* should we fragment? */ + if (buf->len > frame->max_fragment_size) /* should we fragment? */ { /* * Send the datagram as a series of 2 or more fragments. */ - f->outgoing_frag_size = optimal_fragment_size(buf->len, PAYLOAD_SIZE_DYNAMIC(frame)); + f->outgoing_frag_size = optimal_fragment_size(buf->len, frame->max_fragment_size); if (buf->len > f->outgoing_frag_size * MAX_FRAGS) { FRAG_ERR("too many fragments would be required to send datagram"); diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 1c5d03a8..dfc44e9d 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3427,8 +3427,8 @@ static void do_init_fragment(struct context *c) { ASSERT(c->options.ce.fragment); - frame_set_mtu_dynamic(&c->c2.frame_fragment, - c->options.ce.fragment, SET_MTU_UPPER_BOUND); + frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type, + &c->options, get_link_socket_info(c)); fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment); } #endif @@ -4296,9 +4296,9 @@ init_instance(struct context *c, const struct env_set *env, const unsigned int f } #endif - /* initialize dynamic MTU variable */ - frame_calculate_mssfix(&c->c2.frame, &c->c1.ks.key_type, &c->options, - get_link_socket_info(c)); + /* initialize dynamic MTU based options (fragment/mssfix) */ + frame_calculate_dynamic(&c->c2.frame, &c->c1.ks.key_type, &c->options, + get_link_socket_info(c)); /* bind the TCP/UDP socket */ if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) 
@@ -4350,6 +4350,11 @@ init_instance(struct context *c, const struct env_set *env, const unsigned int f link_socket_init_phase2(c); } + /* Update dynamic frame calculation as exact transport socket information + * (IP vs IPv6) may be only available after socket phase2 has finished */ + frame_calculate_dynamic(&c->c2.frame, &c->c1.ks.key_type, &c->options, + get_link_socket_info(c)); + /* * Actually do UID/GID downgrade, and chroot, if requested. * May be delayed by --client, --pull, or --up-delay. diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c index ed64e1e2..f71127c0 100644 --- a/src/openvpn/mss.c +++ b/src/openvpn/mss.c @@ -33,6 +33,7 @@ #include "crypto.h" #include "ssl_common.h" #include "memdbg.h" +#include "forward.h" /* * Lower MSS on TCP SYN packets to fix MTU 
@@ -247,16 +248,42 @@ get_ip_encap_overhead(const struct options *options, return datagram_overhead(af, lsi->proto); } -void -frame_calculate_mssfix(struct frame *frame, struct key_type *kt, - const struct options *options, - struct link_socket_info *lsi) +static void +frame_calculate_fragment(struct frame *frame, struct key_type *kt, + const struct options *options, + struct link_socket_info *lsi) { - if (options->ce.mssfix == 0) +#if defined(ENABLE_FRAGMENT) + unsigned int overhead; + + overhead = frame_calculate_protocol_header_size(kt, options, false); + + if (options->ce.fragment_encap) { - return; + overhead += get_ip_encap_overhead(options, lsi); + } + + unsigned int target = options->ce.fragment - overhead; + /* The 4 bytes of header that fragment adds itself. The other extra payload + * bytes (Ethernet header/compression) are handled by the fragment code + * just as part of the payload and therefore automatically taken into + * account if the packet needs to fragmented */ + frame->max_fragment_size = adjust_payload_max_cbc(kt, target) - 4; + + if (cipher_kt_mode_cbc(kt->cipher)) + { + /* The packet id gets added to *each* fragment in CBC mode, so we need + * to account for it */ + frame->max_fragment_size -= calc_packet_id_size_dc(options, kt); } +#endif +} +static void +frame_calculate_mssfix(struct frame *frame, struct key_type *kt, + const struct options *options, + struct link_socket_info *lsi) +{ unsigned int overhead, payload_overhead; overhead = frame_calculate_protocol_header_size(kt, options, false); 
@@ -291,3 +318,64 @@ frame_calculate_mssfix(struct frame *frame, struct key_type *kt, } + +void +frame_calculate_dynamic(struct frame *frame, struct key_type *kt, + const struct options *options, + struct link_socket_info *lsi) +{ + if (options->ce.fragment > 0) + { + frame_calculate_fragment(frame, kt, options, lsi); + } + + if (options->ce.mssfix > 0) + { + frame_calculate_mssfix(frame, kt, options, lsi); + } +} + +/* + * Adjust frame structure based on a Path MTU value given + * to us by the OS. + */ +void +frame_adjust_path_mtu(struct context *c) +{ + struct link_socket_info *lsi = get_link_socket_info(c); + struct options *o = &c->options; + + int pmtu = c->c2.link_socket->mtu; + sa_family_t af = lsi->lsa->actual.dest.addr.sa.sa_family; + int proto = lsi->proto; + + int encap_overhead = datagram_overhead(af, proto); + + /* check if mssfix and fragment need to be adjusted */ + if (pmtu < o->ce.mssfix + || (o->ce.mssfix_encap && pmtu < o->ce.mssfix + encap_overhead)) + { + const char* mtustr = o->ce.mssfix_encap ? " mtu" : ""; + msg(D_MTU_INFO, "Note adjusting 'mssfix %d %s' to 'mssfix %d mtu' " + "according to path MTU discovery", o->ce.mssfix, + mtustr, pmtu); + o->ce.mssfix = pmtu; + o->ce.mssfix_encap = true; + frame_calculate_dynamic(&c->c2.frame, &c->c1.ks.key_type, o, lsi); + } + +#if defined(ENABLE_FRAGMENT) + if (pmtu < o->ce.fragment || + (o->ce.fragment_encap && pmtu < o->ce.fragment + encap_overhead)) + { + const char* mtustr = o->ce.fragment_encap ? " mtu" : ""; + msg(D_MTU_INFO, "Note adjusting 'fragment %d %s' to 'fragment %d mtu' " + "according to path MTU discovery", o->ce.mssfix, + mtustr, pmtu); + o->ce.fragment = pmtu; + o->ce.fragment_encap = true; + frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type, + o, lsi); + } +#endif +} diff --git a/src/openvpn/mss.h b/src/openvpn/mss.h index eecc7994..82e0c58f 100644 --- a/src/openvpn/mss.h +++ b/src/openvpn/mss.h 
@@ -36,8 +36,15 @@ void mss_fixup_ipv6(struct buffer *buf, int maxmss); void mss_fixup_dowork(struct buffer *buf, uint16_t maxmss); /** Set the --mssfix option. */ -void frame_calculate_mssfix(struct frame *frame, struct key_type *kt, - const struct options *options, - struct link_socket_info *lsi); +void frame_calculate_dynamic(struct frame *frame, struct key_type *kt, + const struct options *options, + struct link_socket_info *lsi); + +/** + * Checks and adjusts the fragment and mssfix value according to the + * discovered path mtu value + * @param c context to adjust + */ +void frame_adjust_path_mtu(struct context *c); #endif diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index 1648c8fe..ab088466 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c @@ -52,12 +52,7 @@ alloc_buf_sock_tun(struct buffer *buf, ASSERT(buf_safe(buf, 0)); } - -/** - * Return the size of the packet ID size that is currently in use by cipher and - * options for the data channel. - */ -static unsigned int +unsigned int calc_packet_id_size_dc(const struct options *options, const struct key_type *kt) { /* Unless no-replay is enabled, we have a packet id, no matter if 
@@ -234,44 +229,7 @@ frame_finalize(struct frame *frame, msg(M_WARN, "TUN MTU value (%d) must be at least %d", TUN_MTU_SIZE(frame), TUN_MTU_MIN); frame_print(frame, M_FATAL, "MTU is too small"); } - - frame->link_mtu_dynamic = frame->link_mtu; } - -/* - * Set the tun MTU dynamically. - */ -void -frame_set_mtu_dynamic(struct frame *frame, int mtu, unsigned int flags) -{ - -#ifdef ENABLE_DEBUG - const int orig_mtu = mtu; - const int orig_link_mtu_dynamic = frame->link_mtu_dynamic; -#endif - - ASSERT(mtu >= 0); - - if (flags & SET_MTU_TUN) - { - mtu += TUN_LINK_DELTA(frame); - } - - if (!(flags & SET_MTU_UPPER_BOUND) || mtu < frame->link_mtu_dynamic) - { - frame->link_mtu_dynamic = constrain_int( - mtu, - EXPANDED_SIZE_MIN(frame), - EXPANDED_SIZE(frame)); - } - - dmsg(D_MTU_DEBUG, "MTU DYNAMIC mtu=%d, flags=%u, %d -> %d", - orig_mtu, - flags, - orig_link_mtu_dynamic, - frame->link_mtu_dynamic); -} - /* * Move extra_frame octets into extra_tun. Used by fragmenting code * to adjust frame relative to its position in the buffer processing @@ -297,12 +255,14 @@ frame_print(const struct frame *frame, } buf_printf(&out, "["); buf_printf(&out, " mss_fix:%d", frame->mss_fix); +#ifdef ENABLE_FRAGMENT + buf_printf(&out, " max_frag:%d", frame->max_fragment_size); +#endif buf_printf(&out, " tun_mtu:%d", frame->tun_mtu); buf_printf(&out, " headroom:%d", frame->buf.headroom); buf_printf(&out, " payload:%d", frame->buf.payload_size); buf_printf(&out, " tailroom:%d", frame->buf.tailroom); buf_printf(&out, " L:%d", frame->link_mtu); - buf_printf(&out, " D:%d", frame->link_mtu_dynamic); buf_printf(&out, " EF:%d", frame->extra_frame); buf_printf(&out, " EB:%d", frame->extra_buffer); buf_printf(&out, " ET:%d", frame->extra_tun); diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index 41ba970c..288cfad6 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h 
@@ -113,14 +113,18 @@ struct frame { int link_mtu; /**< Maximum packet size to be sent over * the external network interface. */ - unsigned int mss_fix; /**< The actual MSS value that should be + unsigned int mss_fix; /**< The actual MSS value that should be * written to the payload packets. This * is the value for IPv4 TCP packets. For * IPv6 packets another 20 bytes must * be subtracted */ - int link_mtu_dynamic; /**< Dynamic MTU value for the external - * network interface. */ + int max_fragment_size; /**< The maximum size of a fragment. + * Fragmentation is done on the unencrypted + * payload after (potential) compression. So + * this value specifies the maximum payload + * size that can be send in a single fragment + */ int extra_frame; /**< Maximum number of bytes that all * processing steps together could add. @@ -195,7 +199,6 @@ struct options; * a tap device ifconfiged to an MTU of 1200 might actually want * to return a packet size of 1214 on a read(). */ -#define PAYLOAD_SIZE_DYNAMIC(f) ((f)->link_mtu_dynamic - (f)->extra_frame) #define PAYLOAD_SIZE(f) ((f)->buf.payload_size) /* @@ -203,7 +206,6 @@ struct options; * overhead is added. */ #define EXPANDED_SIZE(f) ((f)->link_mtu) -#define EXPANDED_SIZE_DYNAMIC(f) ((f)->link_mtu_dynamic) #define EXPANDED_SIZE_MIN(f) (TUN_MTU_MIN + TUN_LINK_DELTA(f)) /* @@ -314,6 +316,15 @@ size_t calc_options_string_link_mtu(const struct options *options, const struct frame *frame); +/** + * Return the size of the packet ID size that is currently in use by cipher and + * options for the data channel. + */ +unsigned int +calc_packet_id_size_dc(const struct options *options, + const struct key_type *kt); + + /* * frame_set_mtu_dynamic and flags */ diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 3ba183d0..5908b8a9 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -6132,11 +6132,19 @@ add_option(struct options *options, msg(msglevel, "--mtu-dynamic has been replaced by --fragment"); goto err; } - else if (streq(p[0], "fragment") && p[1] && !p[2]) + else if (streq(p[0], "fragment") && p[1] && !p[3]) { -/* VERIFY_PERMISSION (OPT_P_MTU); */ VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); options->ce.fragment = positive_atoi(p[1]); + + if (p[2] && streq(p[2], "mtu")) + { + options->ce.fragment_encap = true; + } + else if (p[2]) + { + msg(msglevel, "Unknown parameter to --fragment: %s", p[2]); + } } #endif else if (streq(p[0], "mtu-disc") && p[1] && !p[2]) diff --git a/src/openvpn/options.h b/src/openvpn/options.h index d754efa1..0eeb4920 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -125,6 +125,8 @@ struct connection_entry int mtu_discover_type; /* used if OS supports setting Path MTU discovery options on socket */ int fragment; /* internal fragmentation size */ + bool fragment_encap; /* true if --fragment had the "mtu" parameter to + * include overhead from IP and TCP/UDP encapsulation */ int mssfix; /* Upper bound on TCP MSS */ bool mssfix_default; /* true if --mssfix should use the default parameters */ bool mssfix_encap; /* true if --mssfix had the "mtu" parameter to include diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 93d2e61e..fe1dfb31 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -1644,17 +1644,6 @@ socket_frame_init(const struct frame *frame, struct link_socket *sock) } } -/* - * Adjust frame structure based on a Path MTU value given - * to us by the OS. - */ -void -frame_adjust_path_mtu(struct frame *frame, int pmtu, sa_family_t af, int proto) -{ - frame_set_mtu_dynamic(frame, pmtu - datagram_overhead(af, proto), - SET_MTU_UPPER_BOUND); -} - static void resolve_bind_local(struct link_socket *sock, const sa_family_t af) { diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index 936ef262..a43ed80b 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h 
@@ -300,8 +300,6 @@ void do_preresolve(struct context *c); void socket_adjust_frame_parameters(struct frame *frame, int proto); -void frame_adjust_path_mtu(struct frame *frame, int pmtu, sa_family_t af, int proto); - void link_socket_close(struct link_socket *sock); void sd_close(socket_descriptor_t *sd); diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index d6b91efc..78983545 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -331,7 +331,6 @@ tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame /* set dynamic link MTU to cap control channel packets at 1250 bytes */ ASSERT(TUN_LINK_DELTA(frame) < min_int(frame->link_mtu, 1250)); - frame->link_mtu_dynamic = min_int(frame->link_mtu, 1250) - TUN_LINK_DELTA(frame); /* calculate the maximum overhead that control channel frames may have */ int overhead = 0; @@ -1912,9 +1911,8 @@ tls_session_update_crypto_params_do_work(struct tls_session *session, frame_remove_from_extra_frame(frame, crypto_max_overhead()); crypto_adjust_frame_parameters(frame, &session->opt->key_type, options->replay, packet_id_long_form); - frame_finalize(frame, options->ce.link_mtu_defined, options->ce.link_mtu, - options->ce.tun_mtu_defined, options->ce.tun_mtu); - frame_calculate_mssfix(frame, &session->opt->key_type, options, lsi); + frame_calculate_dynamic(frame, &session->opt->key_type, options, lsi); + frame_print(frame, D_MTU_INFO, "Data Channel MTU parms"); /* @@ -1929,7 +1927,7 @@ tls_session_update_crypto_params_do_work(struct tls_session *session, frame_remove_from_extra_frame(frame_fragment, crypto_max_overhead()); crypto_adjust_frame_parameters(frame_fragment, &session->opt->key_type, options->replay, packet_id_long_form); - frame_set_mtu_dynamic(frame_fragment, options->ce.fragment, SET_MTU_UPPER_BOUND); + frame_calculate_dynamic(frame_fragment, &session->opt->key_type, options, lsi); frame_print(frame_fragment, D_MTU_INFO, "Fragmentation MTU parms"); } 
@@ -2982,6 +2980,7 @@ tls_process(struct tls_multi *multi, if (buf) { int status = key_state_read_ciphertext(&ks->ks_ssl, buf, multi->opt.frame.tun_mtu); + if (status == -1) { msg(D_TLS_ERRORS, @@ -3827,17 +3826,6 @@ tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, goto error; } - if (buf->len > EXPANDED_SIZE_DYNAMIC(&tas->frame)) - { - dmsg(D_TLS_STATE_ERRORS, - "TLS State Error: Large packet (size %d) received from %s -- a packet no larger than %d bytes was expected", - buf->len, - print_link_socket_actual(from, &gc), - EXPANDED_SIZE_DYNAMIC(&tas->frame)); - goto error; - } - - struct buffer newbuf = clone_buf(buf); struct tls_wrap_ctx tls_wrap_tmp = tas->tls_wrap; diff --git a/tests/unit_tests/openvpn/test_crypto.c b/tests/unit_tests/openvpn/test_crypto.c index 8a31174b..e4093d65 100644 --- a/tests/unit_tests/openvpn/test_crypto.c +++ b/tests/unit_tests/openvpn/test_crypto.c @@ -382,7 +382,7 @@ test_mssfix_mtu_calculation(void **state) init_key_type(&kt, o.ciphername, o.authname, false, false); /* No encryption, just packet id (8) + TCP payload(20) + IP payload(20) */ - frame_calculate_mssfix(&f, &kt, &o, NULL); + frame_calculate_dynamic(&f, &kt, &o, NULL); assert_int_equal(f.mss_fix, 952); /* Static key OCC examples */ @@ -392,7 +392,7 @@ test_mssfix_mtu_calculation(void **state) o.ciphername = "none"; o.authname = "none"; init_key_type(&kt, o.ciphername, o.authname, false, false); - frame_calculate_mssfix(&f, &kt, &o, NULL); + frame_calculate_dynamic(&f, &kt, &o, NULL); assert_int_equal(f.mss_fix, 952); /* secret, cipher AES-128-CBC, auth none */ @@ -406,7 +406,7 @@ test_mssfix_mtu_calculation(void **state) * all result in the same CBC block size/padding and <= 991 and >=1008 * should be one block less and more respectively */ o.ce.mssfix = i; - frame_calculate_mssfix(&f, &kt, &o, NULL); + frame_calculate_dynamic(&f, &kt, &o, NULL); if (i <= 991) { assert_int_equal(f.mss_fix, 911); 
@@ -434,7 +434,7 @@ test_mssfix_mtu_calculation(void **state) /* For stream ciphers, the value should not be influenced by block * sizes or similar but always have the same difference */ o.ce.mssfix = i; - frame_calculate_mssfix(&f, &kt, &o, NULL); + frame_calculate_dynamic(&f, &kt, &o, NULL); /* 4 byte opcode/peerid, 4 byte pkt ID, 16 byte tag, 40 TCP+IP */ assert_int_equal(f.mss_fix, i - 4 - 4 - 16 - 40);
From patchwork Sat Jan 1 05:25:28 2022 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2192
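Review bot: typo in the new doxygen text for max_fragment_size in the struct frame hunk of mtu.h: "maximum payload size that can be send in a single fragment" should read "can be sent". The same hunk also touches the mss_fix line without any visible change (whitespace only), which is noise in the diff and could be dropped.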
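Review bot: the doc comment on the new calc_packet_id_size_dc() declaration in mtu.h reads "Return the size of the packet ID size", which is redundant; "Return the size of the packet ID that is currently in use by cipher and options for the data channel" says it. The hunk also leaves two blank lines before the "frame_set_mtu_dynamic and flags" comment, and that section still names frame_set_mtu_dynamic even though its callers in ssl.c are replaced by frame_calculate_dynamic() in this patch; check whether the function and its flags are still used anywhere.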
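Review bot: missing error exit in the options.c --fragment hunk: an unrecognised second argument only logs "Unknown parameter to --fragment: %s" and parsing continues with fragment set and fragment_encap left false, whereas the --mtu-dynamic branch right above does goto err. A misspelled "mtu" would thus be accepted silently and fragments would be sized without the encapsulation overhead; add goto err after the msg() so the configuration is rejected like other option errors. The new "mtu" argument also has no man page or Changes.rst update in this patch.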
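Review bot: stale comment and assert in the tls_init_control_channel_frame_parameters hunk of ssl.c: the comment "set dynamic link MTU to cap control channel packets at 1250 bytes" and the ASSERT on min_int(frame->link_mtu, 1250) stay, but the assignment that applied the cap is removed. Either remove the comment and the assert together with the assignment, or say where the 1250 byte cap on control channel packets is enforced now, otherwise the next reader will look for a cap this function no longer sets.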
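Review bot: in the tls_session_update_crypto_params_do_work hunk of ssl.c the fragment frame is now sized by frame_calculate_dynamic() with exactly the same arguments as the data channel frame, where before it was set from options->ce.fragment via frame_set_mtu_dynamic(). Nothing in this patch shows where options->ce.fragment and the new fragment_encap flag feed into max_fragment_size; a sentence in the commit message, plus a test_crypto.c case for the --fragment path next to the renamed mssfix cases, would make this hunk reviewable.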
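Review bot: the tls_pre_decrypt_lite hunk of ssl.c removes the "buf->len > EXPANDED_SIZE_DYNAMIC(&tas->frame)" check, which was the only explicit upper bound on the size of an incoming packet before clone_buf() and the tls-auth/tls-crypt verification run on it. This path handles packets that are not yet authenticated, so the commit message should state what bounds the length now (for example the receive buffer capacity) so the removal is clearly not a regression, and a unit test with an oversized packet would pin that down.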
From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Sat, 1 Jan 2022 17:25:28 +0100 Message-Id: <20220101162532.2251835-11-arne@rfc2549.org> In-Reply-To: <20220101162532.2251835-1-arne@rfc2549.org> References: <20220101162532.2251835-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 10/14] Use new frame header methods to calculate OCC_MTU_LOAD payload size
Signed-off-by: Arne Schwabe --- src/openvpn/occ.c | 31 +++++++++++++++++++++++-------- 1 file changed, 23 insertions(+), 8 deletions(-) diff --git a/src/openvpn/occ.c b/src/openvpn/occ.c index c4e7c1be..73b875f3 100644 --- a/src/openvpn/occ.c +++ b/src/openvpn/occ.c @@ -199,8 +199,11 @@ check_send_occ_load_test_dowork(struct context *c) if (entry->op >= 0) { c->c2.occ_op = entry->op; - c->c2.occ_mtu_load_size = - EXPANDED_SIZE(&c->c2.frame) + entry->delta; + size_t payload_size = frame_calculate_payload_size(&c->c2.frame, + &c->options, &c->c1.ks.key_type); + size_t header_size = frame_calculate_protocol_header_size(&c->c1.ks.key_type, &c->options, false); + + c->c2.occ_mtu_load_size = payload_size + header_size; } else {
@@ -298,10 +301,21 @@ check_send_occ_msg_dowork(struct context *c) { break; } - need_to_add = min_int(c->c2.occ_mtu_load_size, EXPANDED_SIZE(&c->c2.frame)) + size_t proto_hdr, payload_hdr; + const struct key_type *kt = &c->c1.ks.key_type; + + /* OCC message have comp/fragment headers but not ethernet headers */ + payload_hdr = frame_calculate_payload_overhead(&c->c2.frame, &c->options, + kt, false); + + /* Since we do not know the payload size we just pass 0 as size here */ + proto_hdr = frame_calculate_protocol_header_size(kt, &c->options, false); + + need_to_add = min_int(c->c2.occ_mtu_load_size, c->c2.frame.buf.payload_size) - OCC_STRING_SIZE - - sizeof(uint8_t) - - EXTRA_FRAME(&c->c2.frame); + - sizeof(uint8_t) /* occ opcode */ + - payload_hdr + - proto_hdr; while (need_to_add > 0) { 
@@ -314,12 +328,13 @@ check_send_occ_msg_dowork(struct context *c) } --need_to_add; } - dmsg(D_PACKET_CONTENT, "SENT OCC_MTU_LOAD min_int(%d-%d-%d-%d,%d) size=%d", + dmsg(D_PACKET_CONTENT, "SENT OCC_MTU_LOAD min_int(%d,%d)-%d-%d-%d-%d) size=%d", c->c2.occ_mtu_load_size, + c->c2.frame.buf.payload_size, OCC_STRING_SIZE, (int) sizeof(uint8_t), - EXTRA_FRAME(&c->c2.frame), - c->c2.frame.buf.payload_size, + (int) payload_hdr, + (int) proto_hdr, BLEN(&c->c2.buf)); doit = true; }
From patchwork Sat Jan 1 05:25:29 2022 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2199
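Review bot: entry->delta is dropped in the check_send_occ_load_test_dowork hunk: the removed lines computed EXPANDED_SIZE(&c->c2.frame) + entry->delta, the added lines assign payload_size + header_size with no delta at all. The load test table depends on delta to probe sizes just below and above the MTU, so every entry would now send the same size; this should be payload_size + header_size + entry->delta. The sum is also a size_t assigned to occ_mtu_load_size, which the dmsg hunk prints with %d; cast it explicitly as that hunk does for the other size_t values.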
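Review bot: the comment "Since we do not know the payload size we just pass 0 as size here" in the need_to_add hunk does not match the call under it, frame_calculate_protocol_header_size(kt, &c->options, false), which takes no size argument; update or drop it. The sign of proto_hdr also needs checking: occ_mtu_load_size is computed in the previous hunk as payload_size + header_size, so if the intent is that the OCC packet comes out at occ_mtu_load_size bytes on the wire, proto_hdr should be subtracted like payload_hdr rather than added. Minor: "OCC message have" should be "OCC messages have".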
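Review bot: the new format string in the dmsg hunk, "SENT OCC_MTU_LOAD min_int(%d,%d)-%d-%d-%d-%d) size=%d", has an unbalanced closing parenthesis, and its last "-%d" prints proto_hdr as if it were subtracted while the expression above adds it. Make the format mirror the actual computation, e.g. "SENT OCC_MTU_LOAD min_int(%d,%d)-%d-%d-%d+%d size=%d", so the debug line can be checked against the code.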
From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Sat, 1 Jan 2022 17:25:29 +0100 Message-Id: <20220101162532.2251835-12-arne@rfc2549.org> In-Reply-To: <20220101162532.2251835-1-arne@rfc2549.org> References: <20220101162532.2251835-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 11/14] Remove extra_link from frame
The previous commits removed any reads from this variable. So we can now safely remove it. Signed-off-by: Arne Schwabe --- src/openvpn/init.c | 19 ------------------- src/openvpn/mtu.c | 1 - src/openvpn/mtu.h | 13 ------------- src/openvpn/socks.c | 11 +---------- src/openvpn/socks.h | 2 -- src/openvpn/ssl.c | 1 - 6 files changed, 1 insertion(+), 46 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index dfc44e9d..bf6369f8 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3171,14 +3171,6 @@ do_init_frame(struct context *c) } #endif /* USE_COMP */ - /* - * Adjust frame size for UDP Socks support. - */ - if (c->options.ce.socks_proxy_server) - { - socks_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto); - } - /* * Adjust frame size based on the --tun-mtu-extra parameter. */
@@ -3211,17 +3203,6 @@ do_init_frame(struct context *c) #endif #endif /* USE_COMP */ - /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client) - * and need link_mtu+3 bytes on socket reception (on server). - * - * accommodate receive path in f->extra_link, which has the side effect of - * also increasing send buffers (BUF_SIZE() macro), which need to be - * allocated big enough before receiving peer-id option from server. - * - * f->extra_frame is adjusted when peer-id option is push-received - */ - frame_add_to_extra_link(&c->c2.frame, 3); - #ifdef ENABLE_FRAGMENT /* * Set frame parameter for fragment code. This is necessary because diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index ab088466..0bcfbfd1 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c @@ -266,7 +266,6 @@ frame_print(const struct frame *frame, buf_printf(&out, " EF:%d", frame->extra_frame); buf_printf(&out, " EB:%d", frame->extra_buffer); buf_printf(&out, " ET:%d", frame->extra_tun); - buf_printf(&out, " EL:%d", frame->extra_link); buf_printf(&out, " ]"); msg(level, "%s", out.data); diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index 288cfad6..a87adbc4 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -163,13 +163,6 @@ struct frame { * which defaults to 0 for tun and 32 * (\c TAP_MTU_EXTRA_DEFAULT) for tap. * */ - - int extra_link; /**< Maximum number of bytes in excess of - * external network interface's MTU that - * might be read from or written to it. - * - * Used by peer-id (3) and - * socks UDP (10) */ }; /* Forward declarations, to prevent includes */ @@ -383,12 +376,6 @@ frame_add_to_extra_tun(struct frame *frame, const int increment) frame->extra_tun += increment; } -static inline void -frame_add_to_extra_link(struct frame *frame, const int increment) -{ - frame->extra_link += increment; -} - static inline void frame_add_to_extra_buffer(struct frame *frame, const int increment) { 
diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c index 27a58331..6935e761 100644 --- a/src/openvpn/socks.c +++ b/src/openvpn/socks.c @@ -49,15 +49,6 @@ #define UP_TYPE_SOCKS "SOCKS Proxy" -void -socks_adjust_frame_parameters(struct frame *frame, int proto) -{ - if (proto == PROTO_UDP) - { - frame_add_to_extra_link(frame, 10); - } -} - struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, @@ -610,7 +601,7 @@ socks_process_outgoing_udp(struct buffer *buf, /* * Get a 10 byte subset buffer prepended to buf -- * we expect these bytes will be here because - * we allocated frame space in socks_adjust_frame_parameters. + * we always allocate space for these bytes */ struct buffer head = buf_sub(buf, 10, true); diff --git a/src/openvpn/socks.h b/src/openvpn/socks.h index 9bda2e80..4ab30f55 100644 --- a/src/openvpn/socks.h +++ b/src/openvpn/socks.h @@ -42,8 +42,6 @@ struct socks_proxy_info { char authfile[256]; }; -void socks_adjust_frame_parameters(struct frame *frame, int proto); - struct socks_proxy_info *socks_proxy_new(const char *server, const char *port, const char *authfile); diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 78983545..091f40eb 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c 
@@ -322,7 +322,6 @@ tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame /* inherit link MTU and extra_link from data channel */ frame->link_mtu = data_channel_frame->link_mtu; - frame->extra_link = data_channel_frame->extra_link; /* set extra_frame */ tls_adjust_frame_parameters(frame);
From patchwork Sat Jan 1 05:25:30 2022 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2200
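Review bot: the comment removed in the second init.c hunk documented two requirements, that the server needs link_mtu+3 bytes of receive headroom for P_DATA_V2 peer-id packets and that the client send buffers (BUF_SIZE()) must already be large enough before the peer-id option is pushed. The commit message only says nothing reads extra_link any more; it should point at the earlier patch in the series that reserves this headroom another way, so a reviewer can confirm the receive path cannot truncate or drop peer-id packets once the 3 bytes are no longer added here.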
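Review bot: the replacement comment in the socks.c socks_process_outgoing_udp hunk, "we always allocate space for these bytes", is vaguer than the one it replaces. Name the allocation that guarantees 10 bytes of prepend space for buf_sub(buf, 10, true): if that headroom is ever missing, buf_sub() returns an empty buffer and the SOCKS UDP header is not prepended, so the reader needs to be able to verify the guarantee rather than take it on trust.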
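Review bot: stale comment in the ssl.c hunk: "inherit link MTU and extra_link from data channel" still mentions extra_link although the assignment is removed here; change it to "inherit link MTU from data channel".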
From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Sat, 1 Jan 2022 17:25:30 +0100 Message-Id: <20220101162532.2251835-13-arne@rfc2549.org> In-Reply-To: <20220101162532.2251835-1-arne@rfc2549.org> References: <20220101162532.2251835-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 12/14] Replace TUN_MTU_SIZE with frame->tun_mtu
This always uses the configured MTU size instead of relying on the calculated MTU size. Signed-off-by: Arne Schwabe --- src/openvpn/forward.c | 2 +- src/openvpn/init.c | 16 ++++++++-------- src/openvpn/mtu.h | 5 ----- 3 files changed, 9 insertions(+), 14 deletions(-) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 3f362e95..5f8361d3 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1379,7 +1379,7 @@ ipv6_send_icmp_unreachable(struct context *c, struct buffer *buf, bool client) * packet */ int max_payload_size = min_int(MAX_ICMPV6LEN, - TUN_MTU_SIZE(&c->c2.frame) - icmpheader_len); + c->c2.frame.tun_mtu - icmpheader_len); int payload_len = min_int(max_payload_size, BLEN(&inputipbuf)); pip6out.payload_len = htons(sizeof(struct openvpn_icmp6hdr) + payload_len); diff --git a/src/openvpn/init.c b/src/openvpn/init.c index bf6369f8..4e81016b 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c
@@ -1799,7 +1799,7 @@ do_open_tun(struct context *c) c->options.dev_type, c->options.dev_node, &gc); - do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es, + do_ifconfig(c->c1.tuntap, guess, c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx); } @@ -1830,7 +1830,7 @@ do_open_tun(struct context *c) && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN) { do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name, - TUN_MTU_SIZE(&c->c2.frame), c->c2.es, &c->net_ctx); + c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx); } /* run the up script */ @@ -1842,7 +1842,7 @@ do_open_tun(struct context *c) c->c1.tuntap->adapter_index, #endif dev_type_string(c->options.dev, c->options.dev_type), - TUN_MTU_SIZE(&c->c2.frame), + c->c2.frame.tun_mtu, print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init", @@ -1891,7 +1891,7 @@ else c->c1.tuntap->adapter_index, #endif dev_type_string(c->options.dev, c->options.dev_type), - TUN_MTU_SIZE(&c->c2.frame), + c->c2.frame.tun_mtu, print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "restart", @@ -1970,7 +1970,7 @@ do_close_tun(struct context *c, bool force) adapter_index, #endif NULL, - TUN_MTU_SIZE(&c->c2.frame), + c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init", @@ -2000,7 +2000,7 @@ do_close_tun(struct context *c, bool force) adapter_index, #endif NULL, - TUN_MTU_SIZE(&c->c2.frame), + c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init", @@ -2038,7 +2038,7 @@ do_close_tun(struct context *c, bool force) adapter_index, #endif NULL, - TUN_MTU_SIZE(&c->c2.frame), + c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "restart", 
@@ -2218,7 +2218,7 @@ void adjust_mtu_peerid(struct context *c) { msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu" " fixed by config - reducing tun-mtu to %d, expect" - " MTU problems", TUN_MTU_SIZE(&c->c2.frame)); + " MTU problems", c->c2.frame.tun_mtu); } } diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index a87adbc4..c6eca864 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h 
@@ -181,11 +181,6 @@ struct options; */ #define TUN_LINK_DELTA(f) ((f)->extra_frame + (f)->extra_tun) -/* - * This is the size to "ifconfig" the tun or tap device. - */ -#define TUN_MTU_SIZE(f) ((f)->link_mtu - TUN_LINK_DELTA(f)) - /* * This is the maximum packet size that we need to be able to * read from or write to a tun or tap device. For example,
From patchwork Sat Jan 1 05:25:31 2022 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2206
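Review bot: behaviour change to justify in the forward.c hunk: TUN_MTU_SIZE(f) was link_mtu - TUN_LINK_DELTA(f), a value derived from the link MTU and the frame overhead, while c->c2.frame.tun_mtu is the configured value. In ipv6_send_icmp_unreachable this bounds the ICMPv6 payload, so when --link-mtu is fixed by config and tun_mtu is not reduced to match, the generated ICMP packet could exceed what the tunnel carries. The commit message should say why the two values agree at this point (or the later mtu.h hunk should keep a derived bound for this caller).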
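Review bot: in the adjust_mtu_peerid hunk of init.c the warning still says "reducing tun-mtu to %d" but now prints c->c2.frame.tun_mtu, which per the commit message is the configured value; unless tun_mtu is actually decremented before the msg() call, the logged number no longer shows any reduction. Either print the value that is reduced or reword the message.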
4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 75/D4-22155-0C080D16; Sat, 01 Jan 2022 11:26:40 -0500 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1n3hCY-0000ff-Sg; Sat, 01 Jan 2022 16:25:52 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1n3hCT-0000eF-HB for openvpn-devel@lists.sourceforge.net; Sat, 01 Jan 2022 16:25:46 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=ZdsAb8qFiO4CaoHeLQ8bO2txX5APQT/wDHyWaDWv1P0=; b=b+0EAIQaMGKX7uordbSUpsw4Ak gKBBHPY/S2uG917YH9kGRjpCNNQv5hPhvVbCzT+hSi07QcG44Q6UcyI0Mmr7jVUXH9S9O+HQXPlJG UxzwV6l7qIUZmfiUA6f+eFSVefuT5+DVMXjl5ayWIEhAWq2Sj2EatxrPwn5KsrpHUlzY=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=ZdsAb8qFiO4CaoHeLQ8bO2txX5APQT/wDHyWaDWv1P0=; b=Uy02O/YzG6EjUW/ur0MeMvAVrz BhGNpV6/X0CBNS0Q2LdwcLMrBJ/BQ7wAtCR3ab0zjwcYGJp05kRZ4lly3710lbezNt92h2I4wTiSJ 1iCJmMyutKLBIAMm4bhPZyG3JpPlZ4o54BUFNqKXnYJwI3k2Xc9X6tUqUz9sGFS4Jbjw=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps 
(TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1n3hCT-00GV41-1t for openvpn-devel@lists.sourceforge.net; Sat, 01 Jan 2022 16:25:46 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from ) id 1n3hCH-000FgY-Ob for openvpn-devel@lists.sourceforge.net; Sat, 01 Jan 2022 17:25:33 +0100 Received: (nullmailer pid 2251915 invoked by uid 10006); Sat, 01 Jan 2022 16:25:33 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Sat, 1 Jan 2022 17:25:31 +0100 Message-Id: <20220101162532.2251835-14-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220101162532.2251835-1-arne@rfc2549.org> References: <20220101162532.2251835-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: 
Signed-off-by: Arne Schwabe --- src/openvpn/comp.c | 8 -------- src/openvpn/comp.h | 2 -- src/openvpn/forward.c | 4 ++-- src/openvpn/init.c | 39 +++ [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 SPF_NONE SPF: sender does not publish an SPF Record X-Headers-End: 1n3hCT-00GV41-1t Subject: [Openvpn-devel] [PATCH v3 13/14] Remove frame->link_mtu X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Signed-off-by: Arne Schwabe --- src/openvpn/comp.c | 8 -------- src/openvpn/comp.h | 2 -- src/openvpn/forward.c | 4 ++-- src/openvpn/init.c | 39 +++------------------------------------ src/openvpn/mtu.c | 26 -------------------------- src/openvpn/mtu.h | 22 ---------------------- src/openvpn/ssl.c | 9 --------- 7 files changed, 5 insertions(+), 105 deletions(-) diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index ad49b00b..2d89e944 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c @@ -123,14 +123,6 @@ comp_add_to_extra_frame(struct frame *frame) frame_add_to_extra_frame(frame, COMP_PREFIX_LEN); } -void -comp_add_to_extra_buffer(struct frame *frame) -{ - /* Leave room for compression buffer to expand in worst case scenario - * where data is totally incompressible */ - frame_add_to_extra_buffer(frame, COMP_EXTRA_BUFFER(EXPANDED_SIZE(frame))); -} - void comp_print_stats(const struct compress_context *compctx, struct status_output *so) { diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h index 0d284e27..e42fc144 100644 --- a/src/openvpn/comp.h +++ b/src/openvpn/comp.h 
@@ -178,8 +178,6 @@ void comp_uninit(struct compress_context *compctx); void comp_add_to_extra_frame(struct frame *frame); -void comp_add_to_extra_buffer(struct frame *frame); - void comp_print_stats(const struct compress_context *compctx, struct status_output *so); void comp_generate_peer_info_string(const struct compress_options *opt, struct buffer *out); diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 5f8361d3..b6e9eabb 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1544,7 +1544,7 @@ process_outgoing_link(struct context *c) perf_push(PERF_PROC_OUT_LINK); - if (c->c2.to_link.len > 0 && c->c2.to_link.len <= EXPANDED_SIZE(&c->c2.frame)) + if (c->c2.to_link.len > 0 && c->c2.to_link.len <= c->c2.frame.buf.payload_size) { /* * Setup for call to send/sendto which will send @@ -1672,7 +1672,7 @@ process_outgoing_link(struct context *c) msg(D_LINK_ERRORS, "TCP/UDP packet too large on write to %s (tried=%d,max=%d)", print_link_socket_actual(c->c2.to_link_addr, &gc), c->c2.to_link.len, - EXPANDED_SIZE(&c->c2.frame)); + c->c2.frame.buf.payload_size); } } diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 4e81016b..2baa3c4f 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2204,24 +2204,6 @@ pull_permission_mask(const struct context *c) return flags; } -static -void adjust_mtu_peerid(struct context *c) -{ - frame_add_to_extra_frame(&c->c2.frame, 3); /* peer-id overhead */ - if (!c->options.ce.link_mtu_defined) - { - frame_add_to_link_mtu(&c->c2.frame, 3); - msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d", - EXPANDED_SIZE(&c->c2.frame)); - } - else - { - msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu" - " fixed by config - reducing tun-mtu to %d, expect" - " MTU problems", c->c2.frame.tun_mtu); - } -} - static bool do_deferred_p2p_ncp(struct context *c) { 
@@ -2230,11 +2212,6 @@ do_deferred_p2p_ncp(struct context *c) return true; } - if (c->c2.tls_multi->use_peer_id) - { - adjust_mtu_peerid(c); - } - struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; const char *ncp_cipher = get_p2p_ncp_cipher(session, c->c2.tls_multi->peer_info, @@ -2356,7 +2333,6 @@ do_deferred_options(struct context *c, const unsigned int found) msg(D_PUSH, "OPTIONS IMPORT: peer-id set"); c->c2.tls_multi->use_peer_id = true; c->c2.tls_multi->peer_id = c->options.peer_id; - adjust_mtu_peerid(c); } /* process (potentially pushed) crypto options */ @@ -2589,14 +2565,6 @@ frame_finalize_options(struct context *c, const struct options *o) frame->buf.payload_size = payload_size; frame->buf.headroom = headroom; frame->buf.tailroom = tailroom; - - /* Kept to still update/calculate the other fields for now */ - frame_finalize(frame, - o->ce.link_mtu_defined, - o->ce.link_mtu, - o->ce.tun_mtu_defined, - o->ce.tun_mtu); - } /* @@ -3104,8 +3072,8 @@ do_init_frame_tls(struct context *c) if (c->c2.tls_multi) { tls_multi_init_finalize(c->c2.tls_multi, &c->c2.frame); - ASSERT(EXPANDED_SIZE(&c->c2.tls_multi->opt.frame) <= - EXPANDED_SIZE(&c->c2.frame)); + ASSERT(c->c2.tls_multi->opt.frame.buf.payload_size <= + c->c2.frame.buf.payload_size); frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO, "Control Channel MTU parms"); } @@ -3197,9 +3165,8 @@ do_init_frame(struct context *c) * Modify frame parameters if compression is compiled in. * Should be called after frame_finalize_options. */ - comp_add_to_extra_buffer(&c->c2.frame); #ifdef ENABLE_FRAGMENT - comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */ + /*TODO:frame comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); omit compression frame delta from final frame_fragment */ #endif #endif /* USE_COMP */ diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index 0bcfbfd1..986cae47 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c 
@@ -205,31 +205,6 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame) return payload + overhead; } -void -frame_finalize(struct frame *frame, - bool link_mtu_defined, - int link_mtu, - bool tun_mtu_defined, - int tun_mtu) -{ - /* Set link_mtu based on command line options */ - if (tun_mtu_defined) - { - ASSERT(!link_mtu_defined); - frame->link_mtu = tun_mtu + TUN_LINK_DELTA(frame); - } - else - { - ASSERT(link_mtu_defined); - frame->link_mtu = link_mtu; - } - - if (TUN_MTU_SIZE(frame) < TUN_MTU_MIN) - { - msg(M_WARN, "TUN MTU value (%d) must be at least %d", TUN_MTU_SIZE(frame), TUN_MTU_MIN); - frame_print(frame, M_FATAL, "MTU is too small"); - } -} /* * Move extra_frame octets into extra_tun. Used by fragmenting code * to adjust frame relative to its position in the buffer processing @@ -262,7 +237,6 @@ frame_print(const struct frame *frame, buf_printf(&out, " headroom:%d", frame->buf.headroom); buf_printf(&out, " payload:%d", frame->buf.payload_size); buf_printf(&out, " tailroom:%d", frame->buf.tailroom); - buf_printf(&out, " L:%d", frame->link_mtu); buf_printf(&out, " EF:%d", frame->extra_frame); buf_printf(&out, " EB:%d", frame->extra_buffer); buf_printf(&out, " ET:%d", frame->extra_tun); diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index c6eca864..3e4dfb6d 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -110,9 +110,6 @@ struct frame { * decryption/encryption or compression. */ } buf; - int link_mtu; /**< Maximum packet size to be sent over - * the external network interface. */ - unsigned int mss_fix; /**< The actual MSS value that should be * written to the payload packets. This * is the value for IPv4 TCP packets. For 
@@ -189,13 +186,6 @@ struct options; */ #define PAYLOAD_SIZE(f) ((f)->buf.payload_size) -/* - * Max size of a payload packet after encryption, compression, etc. - * overhead is added. - */ -#define EXPANDED_SIZE(f) ((f)->link_mtu) -#define EXPANDED_SIZE_MIN(f) (TUN_MTU_MIN + TUN_LINK_DELTA(f)) - /* * Control buffer headroom allocations to allow for efficient prepending. */ @@ -218,12 +208,6 @@ struct options; * Function prototypes. */ -void frame_finalize(struct frame *frame, - bool link_mtu_defined, - int link_mtu, - bool tun_mtu_defined, - int tun_mtu); - void frame_subtract_extra(struct frame *frame, const struct frame *src); void frame_print(const struct frame *frame, @@ -347,12 +331,6 @@ const char *format_extended_socket_error(int fd, int *mtu, struct gc_arena *gc); * frame member adjustment functions */ -static inline void -frame_add_to_link_mtu(struct frame *frame, const int increment) -{ - frame->link_mtu += increment; -} - static inline void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment) { diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 091f40eb..5b6db4e5 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -320,17 +320,11 @@ tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame * if --tls-auth is enabled. */ - /* inherit link MTU and extra_link from data channel */ - frame->link_mtu = data_channel_frame->link_mtu; - /* set extra_frame */ tls_adjust_frame_parameters(frame); reliable_ack_adjust_frame_parameters(frame, CONTROL_SEND_ACK_MAX); frame_add_to_extra_frame(frame, SID_SIZE + sizeof(packet_id_type)); - /* set dynamic link MTU to cap control channel packets at 1250 bytes */ - ASSERT(TUN_LINK_DELTA(frame) < min_int(frame->link_mtu, 1250)); - /* calculate the maximum overhead that control channel frames may have */ int overhead = 0; 
@@ -1923,9 +1917,6 @@ tls_session_update_crypto_params_do_work(struct tls_session *session, if (frame_fragment) { - frame_remove_from_extra_frame(frame_fragment, crypto_max_overhead()); - crypto_adjust_frame_parameters(frame_fragment, &session->opt->key_type, - options->replay, packet_id_long_form); frame_calculate_dynamic(frame_fragment, &session->opt->key_type, options, lsi); frame_print(frame_fragment, D_MTU_INFO, "Fragmentation MTU parms"); }

From patchwork Sat Jan 1 05:25:32 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2197
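Review bot: in the forward.c hunk of 13/14 (process_outgoing_link), EXPANDED_SIZE(&c->c2.frame), which read frame->link_mtu, is replaced by c->c2.frame.buf.payload_size both in the `to_link.len <= ...` bound and in the max=%d of the "TCP/UDP packet too large on write" message; since link_mtu was the on-the-wire maximum, the commit message (currently a bare Signed-off-by) should state that buf.payload_size is meant to be that same quantity, so the check and the logged maximum keep their previous meaning.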
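Review bot: the init.c hunk of 13/14 that deletes adjust_mtu_peerid() and its two call sites drops the 3-byte peer-id reservation (frame_add_to_extra_frame(&c->c2.frame, 3)) and the M_WARN for "peer-id set, but link-mtu fixed by config" with no replacement visible in this patch; if the peer-id header is now accounted for by frame_calculate_dynamic() (called from tls_session_update_crypto_params_do_work in the ssl.c hunk), say so in the commit message, and consider keeping the warning, since the fixed --link-mtu case it described still exists.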
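Review bot: the mtu.c hunk of 13/14 removing frame_finalize() (together with the init.c hunk that drops its call from frame_finalize_options) also removes the only TUN_MTU_MIN check visible here, the `TUN MTU value (%d) must be at least %d` warning followed by frame_print(frame, M_FATAL, "MTU is too small"); confirm that the minimum tun-mtu is still enforced at option parsing, otherwise an undersized --tun-mtu is no longer rejected at startup.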
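Review bot: in the do_init_frame hunk of 13/14 (init.c @@ -3197), the comp_add_to_extra_buffer(&c->c2.frame_fragment_omit) call is replaced by a `/*TODO:frame ... */` comment, so with ENABLE_FRAGMENT this commit stops subtracting the compression delta from frame_fragment; the following patch (14/14) deletes the whole block, so either move that deletion here or note the transient behaviour change in the commit message rather than committing a TODO.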
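Review bot: the ssl.c hunk of 13/14 in tls_init_control_channel_frame_parameters drops `ASSERT(TUN_LINK_DELTA(frame) < min_int(frame->link_mtu, 1250))` together with its comment about capping control channel packets at 1250 bytes; if that cap now lives elsewhere, reference it in the commit message, otherwise a sanity check on the control-channel frame is lost silently.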
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 1 Jan 2022 17:25:32 +0100
Message-Id: <20220101162532.2251835-15-arne@rfc2549.org>
In-Reply-To: <20220101162532.2251835-1-arne@rfc2549.org>
References: <20220101162532.2251835-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 14/14] Remove frame.extra_frame and frame.extra_buffer

Signed-off-by: Arne Schwabe --- src/openvpn/comp.c | 7 ------ src/openvpn/comp.h | 2 -- src/openvpn/crypto.c | 37 --------------------------- src/openvpn/fragment.c | 3 --- src/openvpn/init.c | 56 ----------------------------------------- src/openvpn/mtu.c | 14 ----------- src/openvpn/mtu.h | 42 ++----------------------------- src/openvpn/reliable.c | 7 ------ src/openvpn/reliable.h | 3 --- src/openvpn/socket.c | 10 -------- src/openvpn/socket.h | 2 -- src/openvpn/ssl.c | 21 ---------------- src/openvpn/ssl.h | 5 ---- src/openvpn/tls_crypt.c | 10 -------- src/openvpn/tls_crypt.h | 5 ---- 15 files changed, 2 insertions(+), 222 deletions(-) diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index 2d89e944..33bf21a7 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c
@@ -116,13 +116,6 @@ comp_uninit(struct compress_context *compctx) } } -void -comp_add_to_extra_frame(struct frame *frame) -{ - /* Leave room for our one-byte compressed/didn't-compress prefix byte. */ - frame_add_to_extra_frame(frame, COMP_PREFIX_LEN); -} - void comp_print_stats(const struct compress_context *compctx, struct status_output *so) { diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h index e42fc144..d059d6cd 100644 --- a/src/openvpn/comp.h +++ b/src/openvpn/comp.h @@ -176,8 +176,6 @@ struct compress_context *comp_init(const struct compress_options *opt); void comp_uninit(struct compress_context *compctx); -void comp_add_to_extra_frame(struct frame *frame); - void comp_print_stats(const struct compress_context *compctx, struct status_output *so); void comp_generate_peer_info_string(const struct compress_options *opt, struct buffer *out); diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 18a6c99c..e68665e8 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -716,43 +716,6 @@ calculate_crypto_overhead(const struct key_type *kt, return crypto_overhead; } -void -crypto_adjust_frame_parameters(struct frame *frame, - const struct key_type *kt, - bool packet_id, - bool packet_id_long_form) -{ - unsigned int crypto_overhead = 0; - - if (packet_id) - { - crypto_overhead += packet_id_size(packet_id_long_form); - } - - if (cipher_defined(kt->cipher)) - { - crypto_overhead += cipher_kt_iv_size(kt->cipher); - - if (cipher_kt_mode_aead(kt->cipher)) - { - crypto_overhead += cipher_kt_tag_size(kt->cipher); - } - - /* extra block required by cipher_ctx_update() */ - crypto_overhead += cipher_kt_block_size(kt->cipher); - } - - if (md_defined(kt->digest)) - { - crypto_overhead += md_kt_size(kt->digest); - } - - frame_add_to_extra_frame(frame, crypto_overhead); - - msg(D_MTU_DEBUG, "%s: Adjusting frame parameters for crypto by %u bytes", - __func__, crypto_overhead); -} - unsigned int crypto_max_overhead(void) { 
diff --git a/src/openvpn/fragment.c b/src/openvpn/fragment.c index ce8cd348..eb90dcac 100644 --- a/src/openvpn/fragment.c +++ b/src/openvpn/fragment.c @@ -96,9 +96,6 @@ fragment_init(struct frame *frame) * fragment_master assume an initial CLEAR */ ALLOC_OBJ_CLEAR(ret, struct fragment_master); - /* add in the size of our contribution to the expanded frame size */ - frame_add_to_extra_frame(frame, sizeof(fragment_header_type)); - /* * Outgoing sequence ID is randomized to reduce * the probability of sequence number collisions diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 2baa3c4f..0b6247f8 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2658,10 +2658,6 @@ do_init_crypto_static(struct context *c, const unsigned int flags) /* Get key schedule */ c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key; - /* Compute MTU parameters */ - crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type, - options->replay, true); - /* Sanity check on sequence number, and cipher mode options */ check_replay_consistency(&c->c1.ks.key_type, options->replay); } @@ -2853,19 +2849,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */ packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher); - /* Compute MTU parameters (postpone if we push/pull options) */ - if (c->options.pull || c->options.mode == MODE_SERVER) - { - /* Account for worst-case crypto overhead before allocating buffers */ - frame_add_to_extra_frame(&c->c2.frame, crypto_max_overhead()); - } - else - { - crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type, - options->replay, packet_id_long_form); - } - tls_adjust_frame_parameters(&c->c2.frame); - /* Set all command-line TLS-related options */ CLEAR(to); 
@@ -3018,8 +3001,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key; to.tls_wrap.opt.pid_persist = &c->c1.pid_persist; to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM; - crypto_adjust_frame_parameters(&to.frame, &c->c1.ks.tls_auth_key_type, - true, true); } /* TLS handshake encryption (--tls-crypt) */ @@ -3030,7 +3011,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key; to.tls_wrap.opt.pid_persist = &c->c1.pid_persist; to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM; - tls_crypt_adjust_frame_parameters(&to.frame); if (options->ce.tls_crypt_v2_file) { @@ -3048,10 +3028,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) } } - /* If we are running over TCP, allow for - * length prefix */ - socket_adjust_frame_parameters(&to.frame, options->ce.proto); - /* * Initialize OpenVPN's master TLS-mode object. */ @@ -3125,20 +3101,6 @@ do_init_crypto(struct context *c, const unsigned int flags) static void do_init_frame(struct context *c) { -#ifdef USE_COMP - /* - * modify frame parameters if compression is enabled - */ - if (comp_enabled(&c->options.comp)) - { - comp_add_to_extra_frame(&c->c2.frame); - -#ifdef ENABLE_FRAGMENT - comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */ -#endif - } -#endif /* USE_COMP */ - /* * Adjust frame size based on the --tun-mtu-extra parameter. */ 
@@ -3147,29 +3109,12 @@ do_init_frame(struct context *c) frame_add_to_extra_tun(&c->c2.frame, c->options.ce.tun_mtu_extra); } - /* - * Adjust frame size based on link socket parameters. - * (Since TCP is a stream protocol, we need to insert - * a packet length uint16_t in the buffer.) - */ - socket_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto); - /* * Fill in the blanks in the frame parameters structure, * make sure values are rational, etc. */ frame_finalize_options(c, NULL); -#ifdef USE_COMP - /* - * Modify frame parameters if compression is compiled in. - * Should be called after frame_finalize_options. - */ -#ifdef ENABLE_FRAGMENT - /*TODO:frame comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); omit compression frame delta from final frame_fragment */ -#endif -#endif /* USE_COMP */ - #ifdef ENABLE_FRAGMENT /* * Set frame parameter for fragment code. This is necessary because @@ -3177,7 +3122,6 @@ do_init_frame(struct context *c) * passed through the compression code. */ c->c2.frame_fragment = c->c2.frame; - frame_subtract_extra(&c->c2.frame_fragment, &c->c2.frame_fragment_omit); c->c2.frame_fragment_initial = c->c2.frame_fragment; #endif diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index 986cae47..aa2c425c 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c @@ -205,18 +205,6 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame) return payload + overhead; } -/* - * Move extra_frame octets into extra_tun. Used by fragmenting code - * to adjust frame relative to its position in the buffer processing - * queue. - */ -void -frame_subtract_extra(struct frame *frame, const struct frame *src) -{ - frame->extra_frame -= src->extra_frame; - frame->extra_tun += src->extra_frame; -} - void frame_print(const struct frame *frame, int level, 
@@ -237,8 +225,6 @@ frame_print(const struct frame *frame, buf_printf(&out, " headroom:%d", frame->buf.headroom); buf_printf(&out, " payload:%d", frame->buf.payload_size); buf_printf(&out, " tailroom:%d", frame->buf.tailroom); - buf_printf(&out, " EF:%d", frame->extra_frame); - buf_printf(&out, " EB:%d", frame->extra_buffer); buf_printf(&out, " ET:%d", frame->extra_tun); buf_printf(&out, " ]"); diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index 3e4dfb6d..a6d112eb 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -123,13 +123,6 @@ struct frame { * size that can be send in a single fragment */ - int extra_frame; /**< Maximum number of bytes that all - * processing steps together could add. - * @code - * frame.link_mtu = "socket MTU" - extra_frame; - * @endcode - */ - int tun_mtu; /**< the (user) configured tun-mtu. This is used * in configuring the tun interface or * in calculations that use the desired size @@ -141,16 +134,6 @@ struct frame { * code ignores it) */ - int extra_buffer; /**< Maximum number of bytes that - * processing steps could expand the - * internal work buffer. - * - * This is used by the \link compression - * Data Channel Compression - * module\endlink to give enough working - * space for worst-case expansion of - * incompressible content. */ - int extra_tun; /**< Maximum number of bytes in excess of * the tun/tap MTU that might be read * from or written to the virtual @@ -196,9 +179,8 @@ struct options; * * Most of our code only prepends headers but compression needs the extra bytes * *after* the data as compressed data might end up larger than the original - * data (and max compression overhead is part of extra_buffer). Also crypto - * needs an extra block for encryption. Therefore tailroom is larger than the - * headroom. + * data. Also crypto needs an extra block for encryption. Therefore tailroom is + * larger than the headroom. */ #define BUF_SIZE(f) ((f)->buf.headroom + (f)->buf.payload_size + (f)->buf.tailroom) 
@@ -208,8 +190,6 @@ struct options; * Function prototypes. */ -void frame_subtract_extra(struct frame *frame, const struct frame *src); - void frame_print(const struct frame *frame, int level, const char *prefix); @@ -331,30 +311,12 @@ const char *format_extended_socket_error(int fd, int *mtu, struct gc_arena *gc); * frame member adjustment functions */ -static inline void -frame_add_to_extra_frame(struct frame *frame, const unsigned int increment) -{ - frame->extra_frame += increment; -} - -static inline void -frame_remove_from_extra_frame(struct frame *frame, const unsigned int decrement) -{ - frame->extra_frame -= decrement; -} - static inline void frame_add_to_extra_tun(struct frame *frame, const int increment) { frame->extra_tun += increment; } -static inline void -frame_add_to_extra_buffer(struct frame *frame, const int increment) -{ - frame->extra_buffer += increment; -} - static inline bool frame_defined(const struct frame *frame) { diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c index 08c9ab19..6f997101 100644 --- a/src/openvpn/reliable.c +++ b/src/openvpn/reliable.c @@ -253,13 +253,6 @@ error: return false; } -/* add to extra_frame the maximum number of bytes we will need for reliable_ack_write */ -void -reliable_ack_adjust_frame_parameters(struct frame *frame, int max) -{ - frame_add_to_extra_frame(frame, ACK_SIZE(max)); -} - /* print a reliable ACK record coming off the wire */ const char * reliable_ack_print(struct buffer *buf, bool verbose, struct gc_arena *gc) diff --git a/src/openvpn/reliable.h b/src/openvpn/reliable.h index 693abb3c..cbd9cc8f 100644 --- a/src/openvpn/reliable.h +++ b/src/openvpn/reliable.h 
@@ -207,9 +207,6 @@ void reliable_init(struct reliable *rel, int buf_size, int offset, int array_siz */ void reliable_free(struct reliable *rel); -/* add to extra_frame the maximum number of bytes we will need for reliable_ack_write */ -void reliable_ack_adjust_frame_parameters(struct frame *frame, int max); - /** @} name Functions for initialization and cleanup */ diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index fe1dfb31..93b857f0 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -2285,16 +2285,6 @@ link_socket_close(struct link_socket *sock) } } -/* for stream protocols, allow for packet length prefix */ -void -socket_adjust_frame_parameters(struct frame *frame, int proto) -{ - if (link_socket_proto_connection_oriented(proto)) - { - frame_add_to_extra_frame(frame, sizeof(packet_size_type)); - } -} - void setenv_trusted(struct env_set *es, const struct link_socket_info *info) { diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index a43ed80b..2ad0e1b3 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h @@ -298,8 +298,6 @@ void link_socket_init_phase2(struct context *c); void do_preresolve(struct context *c); -void socket_adjust_frame_parameters(struct frame *frame, int proto); - void link_socket_close(struct link_socket *sock); void sd_close(socket_descriptor_t *sd); diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 5b6db4e5..4cdeb295 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -295,18 +295,6 @@ tls_limit_reneg_bytes(const char *ciphername, int *reneg_bytes) } } -/* - * Max number of bytes we will add - * for data structures common to both - * data and control channel packets. - * (opcode only). - */ -void -tls_adjust_frame_parameters(struct frame *frame) -{ - frame_add_to_extra_frame(frame, 1); /* space for opcode */ -} - /* * Max number of bytes we will add * to control channel packet. 
@@ -320,11 +308,6 @@ tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame * if --tls-auth is enabled. */ - /* set extra_frame */ - tls_adjust_frame_parameters(frame); - reliable_ack_adjust_frame_parameters(frame, CONTROL_SEND_ACK_MAX); - frame_add_to_extra_frame(frame, SID_SIZE + sizeof(packet_id_type)); - /* calculate the maximum overhead that control channel frames may have */ int overhead = 0; @@ -1900,10 +1883,6 @@ tls_session_update_crypto_params_do_work(struct tls_session *session, session->opt->crypto_flags |= CO_PACKET_ID_LONG_FORM; } - /* Update frame parameters: undo worst-case overhead, add actual overhead */ - frame_remove_from_extra_frame(frame, crypto_max_overhead()); - crypto_adjust_frame_parameters(frame, &session->opt->key_type, - options->replay, packet_id_long_form); frame_calculate_dynamic(frame, &session->opt->key_type, options, lsi); frame_print(frame, D_MTU_INFO, "Data Channel MTU parms"); diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index e566acd8..5e1c7a2a 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -471,11 +471,6 @@ void ssl_put_auth_challenge(const char *cr_str); #endif -/* - * Reserve any extra space required on frames. - */ -void tls_adjust_frame_parameters(struct frame *frame); - /* * Send a payload over the TLS control channel */ diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index d940ec30..610168b0 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -89,16 +89,6 @@ tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, "Control Channel Encryption", "tls-crypt"); } -void -tls_crypt_adjust_frame_parameters(struct frame *frame) -{ - frame_add_to_extra_frame(frame, tls_crypt_buf_overhead()); - - msg(D_MTU_DEBUG, "%s: Adjusting frame parameters for tls-crypt by %i bytes", - __func__, tls_crypt_buf_overhead()); -} - - bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt) 
diff --git a/src/openvpn/tls_crypt.h b/src/openvpn/tls_crypt.h index 81d0a10e..928ff547 100644 --- a/src/openvpn/tls_crypt.h +++ b/src/openvpn/tls_crypt.h @@ -123,11 +123,6 @@ void tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, */ int tls_crypt_buf_overhead(void); -/** - * Adjust frame parameters for --tls-crypt overhead. - */ -void tls_crypt_adjust_frame_parameters(struct frame *frame); - /** * Wrap a control channel packet (both authenticates and encrypts the data). *
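Review bot: on the frame.h hunk at @@ -331,30 +311,12 @@, removing frame_add_to_extra_frame, frame_remove_from_extra_frame and frame_add_to_extra_buffer (and, in the @@ -208,8 +190,6 @@ hunk, the frame_subtract_extra prototype) leaves frame_add_to_extra_tun as the only extra_* adjuster, but nothing in these hunks shows whether the extra_frame and extra_buffer members of struct frame go away as well. If the members stay, a field nothing writes any more is still visible to readers such as frame_print, and any remaining code that sums it into a buffer size silently gets 0; drop the members in the same patch, or say in the commit message which patch of the series does.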
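Review bot: on the reliable.c hunk at @@ -253,13 +253,6 @@, dropping reliable_ack_adjust_frame_parameters removes the only visible reservation of ACK_SIZE(max) bytes for reliable_ack_write, and its caller disappears in ssl.c without a replacement in view. Either the new control-channel overhead computation must add ACK_SIZE(CONTROL_SEND_ACK_MAX), or a control packet carrying the maximum number of ACKs can exceed the frame; the commit message should name where that term now lives. The matching reliable.h hunk only drops the prototype and its comment, which is consistent.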
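Review bot: on the socket.c hunk at @@ -2285,16 +2285,6 @@, socket_adjust_frame_parameters was the place that reserved sizeof(packet_size_type) for the length prefix of connection-oriented protocols, and this hunk removes it with no replacement shown. Unless frame_calculate_dynamic (the call that survives in the ssl.c hunk) now adds the prefix when link_socket_proto_connection_oriented(proto) is true, a maximal packet over a stream protocol is sizeof(packet_size_type) bytes larger than the frame allows; point at the replacement in the commit message or keep that conditional term in the new overhead computation.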
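Review bot: on the ssl.c hunk at @@ -295,18 +295,6 @@, the comment deleted with tls_adjust_frame_parameters is the only visible statement that the one-byte opcode is common to data and control channel packets ("space for opcode"). The comment block that survives right after it ("Max number of bytes we will add to control channel packet") should now mention the opcode byte explicitly, otherwise the 1-byte term is easy to lose whenever the control-channel overhead is recomputed by hand.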
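Review bot: on the ssl.c hunk at @@ -320,11 +308,6 @@, the removed block reserved three things at once: the opcode byte via tls_adjust_frame_parameters, ACK_SIZE(CONTROL_SEND_ACK_MAX) via reliable_ack_adjust_frame_parameters, and SID_SIZE + sizeof(packet_id_type); all that remains in view is the comment "calculate the maximum overhead that control channel frames may have" and "int overhead = 0;". Please verify, and state in the commit message, that each of those three terms plus tls_crypt_buf_overhead() (whose adjust function is removed in the tls_crypt.c hunk) is summed into overhead; leaving any one of them out makes the control-channel frame undersized for a packet that carries a session id, a packet id and the maximum number of ACKs.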
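Review bot: on the ssl.c hunk at @@ -1900,10 +1883,6 @@, removing the "undo worst-case overhead, add actual overhead" pair means the frame no longer carries crypto_max_overhead() before the cipher is negotiated, which is fine only if frame_calculate_dynamic(frame, &session->opt->key_type, options, lsi) recomputes the overhead from scratch on every call; since this function runs on each renegotiation, that call must be idempotent rather than accumulating. Also, crypto_adjust_frame_parameters loses this caller but the patch does not remove its definition; if no caller remains, drop it in the same series so it does not linger as dead code.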
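Review bot: on the tls_crypt.c hunk at @@ -89,16 +89,6 @@, deleting tls_crypt_adjust_frame_parameters also deletes the D_MTU_DEBUG message "Adjusting frame parameters for tls-crypt by %i bytes", the only visible log line that exposes the tls-crypt contribution when debugging MTU problems; add an equivalent msg(D_MTU_DEBUG, ...) wherever tls_crypt_buf_overhead() is now consumed so --verb output still shows it. The tls_crypt.h hunk correctly keeps tls_crypt_buf_overhead(), which is what that replacement needs.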
