From patchwork Thu Feb 10 05:26:25 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2277
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 10 Feb 2022 17:26:25 +0100
Message-Id: <20220210162632.3309974-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v4 1/8] Replace TUN_MTU_SIZE with frame->tun_mtu

This always uses the configured MTU size instead of relying on the calculated MTU size.

Patch v4: Fix a few overlooked TUN_MTU_SIZE.
Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/forward.c | 2 +- src/openvpn/init.c | 20 ++++++++++---------- src/openvpn/mtu.c | 4 ++-- src/openvpn/mtu.h | 5 ----- 4 files changed, 13 insertions(+), 18 deletions(-) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index af041179..dcc430d4 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1381,7 +1381,7 @@ ipv6_send_icmp_unreachable(struct context *c, struct buffer *buf, bool client) * packet */ int max_payload_size = min_int(MAX_ICMPV6LEN, - TUN_MTU_SIZE(&c->c2.frame) - icmpheader_len); + c->c2.frame.tun_mtu - icmpheader_len); int payload_len = min_int(max_payload_size, BLEN(&inputipbuf)); pip6out.payload_len = htons(sizeof(struct openvpn_icmp6hdr) + payload_len); diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 8e1e43cb..4c799f19 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -1735,7 +1735,7 @@ do_open_tun(struct context *c) c->options.dev_type, c->options.dev_node, &gc); - do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es, + do_ifconfig(c->c1.tuntap, guess, c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx); } @@ -1766,7 +1766,7 @@ do_open_tun(struct context *c) && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN) { do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name, - TUN_MTU_SIZE(&c->c2.frame), c->c2.es, &c->net_ctx); + c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx); } /* run the up script */ @@ -1778,7 +1778,7 @@ do_open_tun(struct context *c) c->c1.tuntap->adapter_index, #endif dev_type_string(c->options.dev, c->options.dev_type), - TUN_MTU_SIZE(&c->c2.frame), + c->c2.frame.tun_mtu, print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init", 
@@ -1827,7 +1827,7 @@ else c->c1.tuntap->adapter_index, #endif dev_type_string(c->options.dev, c->options.dev_type), - TUN_MTU_SIZE(&c->c2.frame), + c->c2.frame.tun_mtu, print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "restart", @@ -1906,7 +1906,7 @@ do_close_tun(struct context *c, bool force) adapter_index, #endif NULL, - TUN_MTU_SIZE(&c->c2.frame), + c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init", @@ -1936,7 +1936,7 @@ do_close_tun(struct context *c, bool force) adapter_index, #endif NULL, - TUN_MTU_SIZE(&c->c2.frame), + c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init", @@ -1974,7 +1974,7 @@ do_close_tun(struct context *c, bool force) adapter_index, #endif NULL, - TUN_MTU_SIZE(&c->c2.frame), + c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "restart", @@ -2154,7 +2154,7 @@ void adjust_mtu_peerid(struct context *c) { msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu" " fixed by config - reducing tun-mtu to %d, expect" - " MTU problems", TUN_MTU_SIZE(&c->c2.frame)); + " MTU problems", c->c2.frame.tun_mtu); } } @@ -3185,11 +3185,11 @@ do_init_frame(struct context *c) #ifdef ENABLE_FRAGMENT if ((c->options.ce.mssfix || c->options.ce.fragment) - && TUN_MTU_SIZE(&c->c2.frame_fragment) != ETHERNET_MTU) + && c->c2.frame.tun_mtu != ETHERNET_MTU) { msg(M_WARN, "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)", - ETHERNET_MTU, TUN_MTU_SIZE(&c->c2.frame_fragment)); + ETHERNET_MTU, c->c2.frame.tun_mtu); } #endif } diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index d014d2b8..783fcc5f 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c 
@@ -229,9 +229,9 @@ frame_finalize(struct frame *frame, frame->link_mtu = link_mtu; } - if (TUN_MTU_SIZE(frame) < TUN_MTU_MIN) + if (frame->tun_mtu < TUN_MTU_MIN) { - msg(M_WARN, "TUN MTU value (%d) must be at least %d", TUN_MTU_SIZE(frame), TUN_MTU_MIN); + msg(M_WARN, "TUN MTU value (%d) must be at least %d", frame->tun_mtu, TUN_MTU_MIN); frame_print(frame, M_FATAL, "MTU is too small"); } diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index ef8ac4ab..7a6cdcb4 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h 
@@ -184,11 +184,6 @@ struct options; */ #define TUN_LINK_DELTA(f) ((f)->extra_frame + (f)->extra_tun) -/* - * This is the size to "ifconfig" the tun or tap device. - */ -#define TUN_MTU_SIZE(f) ((f)->link_mtu - TUN_LINK_DELTA(f)) - /* * This is the maximum packet size that we need to be able to * read from or write to a tun or tap device. For example,

From patchwork Thu Feb 10 05:26:26 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2276
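Review bot: the do_init_frame hunk in init.c is not a purely mechanical replacement: the comparison moves from `TUN_MTU_SIZE(&c->c2.frame_fragment)` to `c->c2.frame.tun_mtu`, i.e. from the fragment frame to the main frame, and the message's `%d` argument changes the same way. If both frames always carry the same configured tun_mtu this is harmless, but then the commit message should say so; otherwise use `c->c2.frame_fragment.tun_mtu` to keep the hunk behaviour-preserving.

Review bot: the frame_finalize hunk in mtu.c changes what the minimum check validates. `TUN_MTU_SIZE(frame)` derived its value as `link_mtu - TUN_LINK_DELTA(frame)` (see the macro removed in the mtu.h hunk), whereas `frame->tun_mtu` is the configured value, so a `--link-mtu` that is too small for the crypto and tun overhead no longer reaches the "MTU is too small" fatal error. Either keep an equivalent check on the link side or state in the commit message that this check is intentionally dropped.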
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 10 Feb 2022 17:26:26 +0100
Message-Id: <20220210162632.3309974-2-arne@rfc2549.org>
In-Reply-To: <20220210162632.3309974-1-arne@rfc2549.org>
References: <20220210162632.3309974-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v4 2/8] Change the default for mssfix to mssfix 1492 mtu

The current default is 1450, which translates to 1478 byte packets for udp4 and 1498 byte packets for udp6. This commit changes the mssfix default to take the outer IP overhead into account as well and changes the target to 1492. 1492 was picked in our community meeting for being a very common encapsulation upper bound.
The change also disables an mssfix default if tun-mtu is set to a value different than 1500. Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/mtu.h | 2 +- src/openvpn/options.c | 60 +++++++++++++++++++++++++++++-------------- src/openvpn/options.h | 2 +- 3 files changed, 43 insertions(+), 21 deletions(-) diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index 7a6cdcb4..3a8faec1 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -77,7 +77,7 @@ /* * Default MSSFIX value, used for reducing TCP MTU size */ -#define MSSFIX_DEFAULT 1450 +#define MSSFIX_DEFAULT 1492 /* * Alignment of payload data such as IP packet or diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 705f7e0c..491edbe5 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -803,7 +803,9 @@ init_options(struct options *o, const bool init_gc) o->ce.tun_mtu = TUN_MTU_DEFAULT; o->ce.link_mtu = LINK_MTU_DEFAULT; o->ce.mtu_discover_type = -1; - o->ce.mssfix = MSSFIX_DEFAULT; + o->ce.mssfix = 0; + o->ce.mssfix_default = true; + o->ce.mssfix_encap = true; o->route_delay_window = 30; o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; o->resolve_in_advance = false; @@ -1511,6 +1513,7 @@ show_connection_entry(const struct connection_entry *o) SHOW_INT(fragment); #endif SHOW_INT(mssfix); + SHOW_BOOL(mssfix_encap); SHOW_INT(explicit_exit_notification); @@ -2887,22 +2890,6 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) ce->flags |= CE_DISABLED; } - /* - * If --mssfix is supplied without a parameter, default - * it to --fragment value, if --fragment is specified. - */ - if (o->ce.mssfix_default) - { -#ifdef ENABLE_FRAGMENT - if (ce->fragment) - { - ce->mssfix = ce->fragment; - } -#else - msg(M_USAGE, "--mssfix must specify a parameter"); -#endif - } - /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not) * so fall back to IPv4-only (trac #1221) */ 
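Review bot: the mtu.h hunk changes the value of `MSSFIX_DEFAULT` to 1492 but leaves the comment "Default MSSFIX value, used for reducing TCP MTU size" untouched. Since the options.c hunk applies the default together with `ce->mssfix_encap = true`, the constant is now interpreted with the `mtu` semantics (IP and UDP encapsulation included); the comment should say that, otherwise a reader of mtu.h alone will take 1492 for a payload-only value as 1450 used to be.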
@@ -2936,6 +2923,36 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) } } + /* + * If --mssfix is supplied without a parameter or not specified at all, + * default it to --fragment value, if --fragment is specified and otherwise + * to the default if tun-mtu is 1500 + */ + if (o->ce.mssfix_default) + { +#ifdef ENABLE_FRAGMENT + if (ce->fragment) + { + ce->mssfix = ce->fragment; + } + else +#endif + if (ce->tun_mtu_defined && o->ce.tun_mtu == TUN_MTU_DEFAULT) + { + /* We want to only set mssfix default value if we use a default + * MTU Size, otherwise the different size of tun should either + * already solve the problem or mssfix might artifically make the + * payload packets smaller without mssfix 0 */ + ce->mssfix = MSSFIX_DEFAULT; + ce->mssfix_encap = true; + } + else + { + msg(D_MTU_INFO, "Note: not enabling mssfix for non-default value " + "of --tun-mtu"); + } + } + /* * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined. * @@ -6812,12 +6829,17 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); if (p[1]) { + /* value specified, assume encapsulation is not + * included unles "mtu" follows later */ options->ce.mssfix = positive_atoi(p[1]); + options->ce.mssfix_encap = false; + options->ce.mssfix_default = false; } - - if (!p[1]) + else { + /* Set MTU to default values */ options->ce.mssfix_default = true; + options->ce.mssfix_encap = true; } if (p[2] && streq(p[2], "mtu")) diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 13d6b0da..3d0f7fe7 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h 
@@ -126,7 +126,7 @@ struct connection_entry int fragment; /* internal fragmentation size */ int mssfix; /* Upper bound on TCP MSS */ - bool mssfix_default; /* true if --mssfix was supplied without a parameter */ + bool mssfix_default; /* true if --mssfix should use the default parameters */ bool mssfix_encap; /* true if --mssfix had the "mtu" parameter to include * overhead from IP and TCP/UDP encapsulation */

From patchwork Thu Feb 10 05:26:27 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2273
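Review bot: the new block in the options_postprocess_mutate_ce hunk mixes the per-entry `ce` with the global `o->ce` in a single condition: `if (ce->tun_mtu_defined && o->ce.tun_mtu == TUN_MTU_DEFAULT)` tests whether this entry defined a tun-mtu but then compares the global entry's value, so with several `<connection>` blocks the default can be enabled for an entry whose own tun_mtu is not 1500. Use `ce->tun_mtu` there (and consider `ce->mssfix_default` for the surrounding `if (o->ce.mssfix_default)`). Also, the else branch is reached whenever `tun_mtu_defined` is false, not only for a non-default value, so its "non-default value of --tun-mtu" note is misleading in the `--link-mtu` case.

Review bot: in the add_option hunk the comment `/* Set MTU to default values */` does not describe the branch, which sets `mssfix_default` and `mssfix_encap` and touches no MTU; reword it to "use the mssfix default". While here, fix the typos "unles" in the comment just above it and "artifically" in the options_postprocess_mutate_ce hunk.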
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 10 Feb 2022 17:26:27 +0100
Message-Id: <20220210162632.3309974-3-arne@rfc2549.org>
In-Reply-To: <20220210162632.3309974-1-arne@rfc2549.org>
References: <20220210162632.3309974-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v4 3/8] Add mtu parameter to --fragment and change fragment calculation

Instead of relying on the link_mtu_dynamic field and its calculation in the frame struct, add a new field max_fragment_size and add a calculation of it similar to mssfix.
Also whenever mssfix value is calculated, we also want to calculate the values for fragment as both options need to be calculated from the real overhead. Patch v2: Fix syntax in rst man page Signed-off-by: Arne Schwabe --- Changes.rst | 9 ++- doc/man-sections/link-options.rst | 20 ++++- src/openvpn/forward.c | 3 +- src/openvpn/fragment.c | 4 +- src/openvpn/init.c | 15 ++-- src/openvpn/mss.c | 100 +++++++++++++++++++++++-- src/openvpn/mss.h | 13 +++- src/openvpn/mtu.c | 48 +----------- src/openvpn/mtu.h | 21 ++++-- src/openvpn/options.c | 12 ++- src/openvpn/options.h | 2 + src/openvpn/socket.c | 11 --- src/openvpn/socket.h | 2 - src/openvpn/ssl.c | 20 +---- tests/unit_tests/openvpn/test_crypto.c | 8 +- 15 files changed, 178 insertions(+), 110 deletions(-) diff --git a/Changes.rst b/Changes.rst index 7d6fb7f7..ceb0b268 100644 --- a/Changes.rst +++ b/Changes.rst @@ -63,10 +63,11 @@ Optional ciphers in ``--data-ciphers`` those as optional and only use them if the SSL library supports them. -Improved ``--mssfix`` calculation - The ``--mssfix`` option now allows an optional :code:`mtu` parameter to specify - that different overhead for IPv4/IPv6 should taken into account and the resulting - size is specified as the total size of the VPN packets including IP and UDP headers. +Improved ``--mssfix`` and ``--fragment`` calculation + The ``--mssfix`` and ``--fragment`` options now allow an optional :code:`mtu` + parameter to specify that different overhead for IPv4/IPv6 should taken into + account and the resulting size is specified as the total size of the VPN packets + including IP and UDP headers. Deprecated features ------------------- diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index 1792aaec..1cf6dd84 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst 
@@ -24,13 +24,25 @@ the local and the remote host. from any address, not only the address which was specified in the ``--remote`` option. ---fragment max +--fragment args + + Valid syntax: + :: + + fragment max + fragment max mtu + Enable internal datagram fragmentation so that no UDP datagrams are sent which are larger than ``max`` bytes. - The ``max`` parameter is interpreted in the same way as the - ``--link-mtu`` parameter, i.e. the UDP packet size after encapsulation - overhead has been added in, but not including the UDP header itself. + If the :code:`mtu` parameter is present the ``max`` parameter is + interpreted to include IP and UDP encapsulation overhead. The + :code:`mtu` parameter is introduced in OpenVPN version 2.6.0. + + If the :code:`mtu` parameter is absent, the ``max`` parameter is + interpreted in the same way as the ``--link-mtu`` parameter, i.e. + the UDP packet size after encapsulation overhead has been added in, + but not including the UDP header itself. The ``--fragment`` option only makes sense when you are using the UDP protocol (``--proto udp``). diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index dcc430d4..37554fc9 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -482,8 +482,7 @@ check_fragment(struct context *c) /* OS MTU Hint? */ if (lsi->mtu_changed && lsi->lsa) { - frame_adjust_path_mtu(&c->c2.frame_fragment, c->c2.link_socket->mtu, - lsi->lsa->actual.dest.addr.sa.sa_family, lsi->proto); + frame_adjust_path_mtu(c); lsi->mtu_changed = false; } diff --git a/src/openvpn/fragment.c b/src/openvpn/fragment.c index 6ede4b95..f10fa9ac 100644 --- a/src/openvpn/fragment.c +++ b/src/openvpn/fragment.c 
@@ -335,12 +335,12 @@ fragment_outgoing(struct fragment_master *f, struct buffer *buf, msg(D_FRAG_ERRORS, "FRAG: outgoing buffer is not empty, len=[%d,%d]", buf->len, f->outgoing.len); } - if (buf->len > PAYLOAD_SIZE_DYNAMIC(frame)) /* should we fragment? */ + if (buf->len > frame->max_fragment_size) /* should we fragment? */ { /* * Send the datagram as a series of 2 or more fragments. */ - f->outgoing_frag_size = optimal_fragment_size(buf->len, PAYLOAD_SIZE_DYNAMIC(frame)); + f->outgoing_frag_size = optimal_fragment_size(buf->len, frame->max_fragment_size); if (buf->len > f->outgoing_frag_size * MAX_FRAGS) { FRAG_ERR("too many fragments would be required to send datagram"); diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 4c799f19..b9c3e166 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3361,8 +3361,8 @@ static void do_init_fragment(struct context *c) { ASSERT(c->options.ce.fragment); - frame_set_mtu_dynamic(&c->c2.frame_fragment, - c->options.ce.fragment, SET_MTU_UPPER_BOUND); + frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type, + &c->options, get_link_socket_info(c)); fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment); } #endif @@ -4230,9 +4230,9 @@ init_instance(struct context *c, const struct env_set *env, const unsigned int f } #endif - /* initialize dynamic MTU variable */ - frame_calculate_mssfix(&c->c2.frame, &c->c1.ks.key_type, &c->options, - get_link_socket_info(c)); + /* initialize dynamic MTU based options (fragment/mssfix) */ + frame_calculate_dynamic(&c->c2.frame, &c->c1.ks.key_type, &c->options, + get_link_socket_info(c)); /* bind the TCP/UDP socket */ if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) 
@@ -4284,6 +4284,11 @@ init_instance(struct context *c, const struct env_set *env, const unsigned int f link_socket_init_phase2(c); } + /* Update dynamic frame calculation as exact transport socket information + * (IP vs IPv6) may be only available after socket phase2 has finished */ + frame_calculate_dynamic(&c->c2.frame, &c->c1.ks.key_type, &c->options, + get_link_socket_info(c)); + /* * Actually do UID/GID downgrade, and chroot, if requested. * May be delayed by --client, --pull, or --up-delay. diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c index 03624741..09632ece 100644 --- a/src/openvpn/mss.c +++ b/src/openvpn/mss.c @@ -33,6 +33,7 @@ #include "crypto.h" #include "ssl_common.h" #include "memdbg.h" +#include "forward.h" /* * Lower MSS on TCP SYN packets to fix MTU 
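Review bot: the init_instance hunk at 4284 recomputes only `c->c2.frame` after `link_socket_init_phase2(c)`, but `do_init_fragment` filled `c->c2.frame_fragment` earlier, and `frame_calculate_fragment` also depends on the address family via `get_ip_encap_overhead(options, lsi)` when `fragment_encap` is set. By the hunk's own reasoning (IPv4 vs IPv6 only known after phase 2) the fragment frame needs the same second `frame_calculate_dynamic(&c->c2.frame_fragment, ...)` call, or the `mtu` form of `--fragment` will be sized with the wrong encapsulation overhead.

Review bot: the mss.c hunk adds `#include "forward.h"` so that `frame_adjust_path_mtu` can take a `struct context *`; that pulls the whole forwarding layer into what was a small helper module. Passing the frame, link socket info and options explicitly, as the other functions in this file already do, would avoid the new dependency.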
@@ -247,16 +248,42 @@ get_ip_encap_overhead(const struct options *options, return datagram_overhead(af, lsi->proto); } -void -frame_calculate_mssfix(struct frame *frame, struct key_type *kt, - const struct options *options, - struct link_socket_info *lsi) +static void +frame_calculate_fragment(struct frame *frame, struct key_type *kt, + const struct options *options, + struct link_socket_info *lsi) { - if (options->ce.mssfix == 0) +#if defined(ENABLE_FRAGMENT) + unsigned int overhead; + + overhead = frame_calculate_protocol_header_size(kt, options, false); + + if (options->ce.fragment_encap) { - return; + overhead += get_ip_encap_overhead(options, lsi); + } + + unsigned int target = options->ce.fragment - overhead; + /* The 4 bytes of header that fragment adds itself. The other extra payload + * bytes (Ethernet header/compression) are handled by the fragment code + * just as part of the payload and therefore automatically taken into + * account if the packet needs to fragmented */ + frame->max_fragment_size = adjust_payload_max_cbc(kt, target) - 4; + + if (cipher_kt_mode_cbc(kt->cipher)) + { + /* The packet id gets added to *each* fragment in CBC mode, so we need + * to account for it */ + frame->max_fragment_size -= calc_packet_id_size_dc(options, kt); } +#endif +} +static void +frame_calculate_mssfix(struct frame *frame, struct key_type *kt, + const struct options *options, + struct link_socket_info *lsi) +{ unsigned int overhead, payload_overhead; overhead = frame_calculate_protocol_header_size(kt, options, false); 
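Review bot: in frame_calculate_fragment, `unsigned int target = options->ce.fragment - overhead;` wraps to a very large value when the configured --fragment is smaller than the computed protocol (plus encapsulation) overhead, because overhead is unsigned; max_fragment_size then ends up meaningless. Suggest checking `options->ce.fragment <= overhead` first and failing with a clear message, and giving the bare `- 4` (the fragment header, per the comment above it) a named constant so the comment sits next to the value it explains.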
@@ -291,3 +318,64 @@ frame_calculate_mssfix(struct frame *frame, struct key_type *kt, } + +void +frame_calculate_dynamic(struct frame *frame, struct key_type *kt, + const struct options *options, + struct link_socket_info *lsi) +{ + if (options->ce.fragment > 0) + { + frame_calculate_fragment(frame, kt, options, lsi); + } + + if (options->ce.mssfix > 0) + { + frame_calculate_mssfix(frame, kt, options, lsi); + } +} + +/* + * Adjust frame structure based on a Path MTU value given + * to us by the OS. + */ +void +frame_adjust_path_mtu(struct context *c) +{ + struct link_socket_info *lsi = get_link_socket_info(c); + struct options *o = &c->options; + + int pmtu = c->c2.link_socket->mtu; + sa_family_t af = lsi->lsa->actual.dest.addr.sa.sa_family; + int proto = lsi->proto; + + int encap_overhead = datagram_overhead(af, proto); + + /* check if mssfix and fragment need to be adjusted */ + if (pmtu < o->ce.mssfix + || (o->ce.mssfix_encap && pmtu < o->ce.mssfix + encap_overhead)) + { + const char* mtustr = o->ce.mssfix_encap ? " mtu" : ""; + msg(D_MTU_INFO, "Note adjusting 'mssfix %d %s' to 'mssfix %d mtu' " + "according to path MTU discovery", o->ce.mssfix, + mtustr, pmtu); + o->ce.mssfix = pmtu; + o->ce.mssfix_encap = true; + frame_calculate_dynamic(&c->c2.frame, &c->c1.ks.key_type, o, lsi); + } + +#if defined(ENABLE_FRAGMENT) + if (pmtu < o->ce.fragment || + (o->ce.fragment_encap && pmtu < o->ce.fragment + encap_overhead)) + { + const char* mtustr = o->ce.fragment_encap ? " mtu" : ""; + msg(D_MTU_INFO, "Note adjusting 'fragment %d %s' to 'fragment %d mtu' " + "according to path MTU discovery", o->ce.mssfix, + mtustr, pmtu); + o->ce.fragment = pmtu; + o->ce.fragment_encap = true; + frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type, + o, lsi); + } +#endif +} diff --git a/src/openvpn/mss.h b/src/openvpn/mss.h index 298148f4..4b809b1c 100644 --- a/src/openvpn/mss.h +++ b/src/openvpn/mss.h 
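Review bot: the fragment branch of frame_adjust_path_mtu logs the wrong value: the message "Note adjusting 'fragment %d %s' to 'fragment %d mtu'" is passed o->ce.mssfix as its first argument, copied from the mssfix branch above it, and should be o->ce.fragment. Two smaller points in the same hunk: `const char* mtustr` does not follow the `const char *` spacing used elsewhere in the file, and with mtustr set to " mtu" the format `'mssfix %d %s'` prints two spaces before "mtu".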
@@ -36,8 +36,15 @@ void mss_fixup_ipv6(struct buffer *buf, int maxmss); void mss_fixup_dowork(struct buffer *buf, uint16_t maxmss); /** Set the --mssfix option. */ -void frame_calculate_mssfix(struct frame *frame, struct key_type *kt, - const struct options *options, - struct link_socket_info *lsi); +void frame_calculate_dynamic(struct frame *frame, struct key_type *kt, + const struct options *options, + struct link_socket_info *lsi); + +/** + * Checks and adjusts the fragment and mssfix value according to the + * discovered path mtu value + * @param c context to adjust + */ +void frame_adjust_path_mtu(struct context *c); #endif diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index 783fcc5f..6d349f7a 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c @@ -52,12 +52,7 @@ alloc_buf_sock_tun(struct buffer *buf, ASSERT(buf_safe(buf, 0)); } - -/** - * Return the size of the packet ID size that is currently in use by cipher and - * options for the data channel. - */ -static unsigned int +unsigned int calc_packet_id_size_dc(const struct options *options, const struct key_type *kt) { /* Unless no-replay is enabled, we have a packet id, no matter if 
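Review bot: the doc comment `/** Set the --mssfix option. */` in mss.h now sits above frame_calculate_dynamic, which also sizes the fragment frame; update it to describe the new function (it computes mss_fix and max_fragment_size from the key type, options and link socket info) so the header does not misdocument the entry point.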
@@ -234,44 +229,7 @@ frame_finalize(struct frame *frame, msg(M_WARN, "TUN MTU value (%d) must be at least %d", frame->tun_mtu, TUN_MTU_MIN); frame_print(frame, M_FATAL, "MTU is too small"); } - - frame->link_mtu_dynamic = frame->link_mtu; } - -/* - * Set the tun MTU dynamically. - */ -void -frame_set_mtu_dynamic(struct frame *frame, int mtu, unsigned int flags) -{ - -#ifdef ENABLE_DEBUG - const int orig_mtu = mtu; - const int orig_link_mtu_dynamic = frame->link_mtu_dynamic; -#endif - - ASSERT(mtu >= 0); - - if (flags & SET_MTU_TUN) - { - mtu += TUN_LINK_DELTA(frame); - } - - if (!(flags & SET_MTU_UPPER_BOUND) || mtu < frame->link_mtu_dynamic) - { - frame->link_mtu_dynamic = constrain_int( - mtu, - EXPANDED_SIZE_MIN(frame), - EXPANDED_SIZE(frame)); - } - - dmsg(D_MTU_DEBUG, "MTU DYNAMIC mtu=%d, flags=%u, %d -> %d", - orig_mtu, - flags, - orig_link_mtu_dynamic, - frame->link_mtu_dynamic); -} - /* * Move extra_frame octets into extra_tun. Used by fragmenting code * to adjust frame relative to its position in the buffer processing @@ -297,12 +255,14 @@ frame_print(const struct frame *frame, } buf_printf(&out, "["); buf_printf(&out, " mss_fix:%d", frame->mss_fix); +#ifdef ENABLE_FRAGMENT + buf_printf(&out, " max_frag:%d", frame->max_fragment_size); +#endif buf_printf(&out, " tun_mtu:%d", frame->tun_mtu); buf_printf(&out, " headroom:%d", frame->buf.headroom); buf_printf(&out, " payload:%d", frame->buf.payload_size); buf_printf(&out, " tailroom:%d", frame->buf.tailroom); buf_printf(&out, " L:%d", frame->link_mtu); - buf_printf(&out, " D:%d", frame->link_mtu_dynamic); buf_printf(&out, " EF:%d", frame->extra_frame); buf_printf(&out, " EB:%d", frame->extra_buffer); buf_printf(&out, " ET:%d", frame->extra_tun); diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index 3a8faec1..5f7205f4 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h 
@@ -113,14 +113,18 @@ struct frame { int link_mtu; /**< Maximum packet size to be sent over * the external network interface. */ - unsigned int mss_fix; /**< The actual MSS value that should be + unsigned int mss_fix; /**< The actual MSS value that should be * written to the payload packets. This * is the value for IPv4 TCP packets. For * IPv6 packets another 20 bytes must * be subtracted */ - int link_mtu_dynamic; /**< Dynamic MTU value for the external - * network interface. */ + int max_fragment_size; /**< The maximum size of a fragment. + * Fragmentation is done on the unencrypted + * payload after (potential) compression. So + * this value specifies the maximum payload + * size that can be send in a single fragment + */ int extra_frame; /**< Maximum number of bytes that all * processing steps together could add. @@ -190,7 +194,6 @@ struct options; * a tap device ifconfiged to an MTU of 1200 might actually want * to return a packet size of 1214 on a read(). */ -#define PAYLOAD_SIZE_DYNAMIC(f) ((f)->link_mtu_dynamic - (f)->extra_frame) #define PAYLOAD_SIZE(f) ((f)->buf.payload_size) /* @@ -198,7 +201,6 @@ struct options; * overhead is added. */ #define EXPANDED_SIZE(f) ((f)->link_mtu) -#define EXPANDED_SIZE_DYNAMIC(f) ((f)->link_mtu_dynamic) #define EXPANDED_SIZE_MIN(f) (TUN_MTU_MIN + TUN_LINK_DELTA(f)) /* @@ -309,6 +311,15 @@ size_t calc_options_string_link_mtu(const struct options *options, const struct frame *frame); +/** + * Return the size of the packet ID size that is currently in use by cipher and + * options for the data channel. + */ +unsigned int +calc_packet_id_size_dc(const struct options *options, + const struct key_type *kt); + + /* * frame_set_mtu_dynamic and flags */ diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 491edbe5..392d2896 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
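Review bot: mtu.h still carries the comment `/* frame_set_mtu_dynamic and flags */` although frame_set_mtu_dynamic is deleted from mtu.c in this patch and the flags it took (SET_MTU_TUN, SET_MTU_UPPER_BOUND, used only by the removed function and its replaced callers as far as this series shows) have no remaining user; drop the comment and the flag definitions, or say what still uses them. Also, in the new max_fragment_size field comment, "can be send in a single fragment" should read "can be sent in a single fragment".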
@@ -6159,11 +6159,19 @@ add_option(struct options *options, msg(msglevel, "--mtu-dynamic has been replaced by --fragment"); goto err; } - else if (streq(p[0], "fragment") && p[1] && !p[2]) + else if (streq(p[0], "fragment") && p[1] && !p[3]) { -/* VERIFY_PERMISSION (OPT_P_MTU); */ VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); options->ce.fragment = positive_atoi(p[1]); + + if (p[2] && streq(p[2], "mtu")) + { + options->ce.fragment_encap = true; + } + else if (p[2]) + { + msg(msglevel, "Unknown parameter to --fragment: %s", p[2]); + } } #endif else if (streq(p[0], "mtu-disc") && p[1] && !p[2]) diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 3d0f7fe7..9c25fbaf 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -125,6 +125,8 @@ struct connection_entry int mtu_discover_type; /* used if OS supports setting Path MTU discovery options on socket */ int fragment; /* internal fragmentation size */ + bool fragment_encap; /* true if --fragment had the "mtu" parameter to + * include overhead from IP and TCP/UDP encapsulation */ int mssfix; /* Upper bound on TCP MSS */ bool mssfix_default; /* true if --mssfix should use the default parameters */ bool mssfix_encap; /* true if --mssfix had the "mtu" parameter to include diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 45541c12..be66994f 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -1644,17 +1644,6 @@ socket_frame_init(const struct frame *frame, struct link_socket *sock) } } -/* - * Adjust frame structure based on a Path MTU value given - * to us by the OS. - */ -void -frame_adjust_path_mtu(struct frame *frame, int pmtu, sa_family_t af, int proto) -{ - frame_set_mtu_dynamic(frame, pmtu - datagram_overhead(af, proto), - SET_MTU_UPPER_BOUND); -} - static void resolve_bind_local(struct link_socket *sock, const sa_family_t af) { diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index 63a25485..51f28ba5 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h 
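Review bot: in the --fragment parser, an unknown second parameter is only logged (`msg(msglevel, "Unknown parameter to --fragment: %s", p[2]);`) and the option is accepted anyway, whereas the neighbouring --mtu-dynamic branch in the same function does `goto err;`. A mistyped "mtu" flag would then silently run without the encapsulation overhead being included; add `goto err;` after the message so a bad flag is rejected like other option errors.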
@@ -333,8 +333,6 @@ void do_preresolve(struct context *c); void socket_adjust_frame_parameters(struct frame *frame, int proto); -void frame_adjust_path_mtu(struct frame *frame, int pmtu, sa_family_t af, int proto); - void link_socket_close(struct link_socket *sock); void sd_close(socket_descriptor_t *sd); diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index ea6ae180..10f75d66 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -331,7 +331,6 @@ tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame /* set dynamic link MTU to cap control channel packets at 1250 bytes */ ASSERT(TUN_LINK_DELTA(frame) < min_int(frame->link_mtu, 1250)); - frame->link_mtu_dynamic = min_int(frame->link_mtu, 1250) - TUN_LINK_DELTA(frame); /* calculate the maximum overhead that control channel frames may have */ int overhead = 0; @@ -1920,9 +1919,8 @@ tls_session_update_crypto_params_do_work(struct tls_session *session, frame_remove_from_extra_frame(frame, crypto_max_overhead()); crypto_adjust_frame_parameters(frame, &session->opt->key_type, options->replay, packet_id_long_form); - frame_finalize(frame, options->ce.link_mtu_defined, options->ce.link_mtu, - options->ce.tun_mtu_defined, options->ce.tun_mtu); - frame_calculate_mssfix(frame, &session->opt->key_type, options, lsi); + frame_calculate_dynamic(frame, &session->opt->key_type, options, lsi); + frame_print(frame, D_MTU_INFO, "Data Channel MTU parms"); /* @@ -1937,7 +1935,7 @@ tls_session_update_crypto_params_do_work(struct tls_session *session, frame_remove_from_extra_frame(frame_fragment, crypto_max_overhead()); crypto_adjust_frame_parameters(frame_fragment, &session->opt->key_type, options->replay, packet_id_long_form); - frame_set_mtu_dynamic(frame_fragment, options->ce.fragment, SET_MTU_UPPER_BOUND); + frame_calculate_dynamic(frame_fragment, &session->opt->key_type, options, lsi); frame_print(frame_fragment, D_MTU_INFO, "Fragmentation MTU parms"); } 
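Review bot: in tls_init_control_channel_frame_parameters the comment `/* set dynamic link MTU to cap control channel packets at 1250 bytes */` and the ASSERT remain, but the assignment that applied the cap is removed, so the comment now describes nothing; either remove it together with the ASSERT or state where the 1250-byte control channel cap is enforced after this change. In the same file, tls_session_update_crypto_params_do_work no longer calls frame_finalize, which (per the mtu.c hunk) is where the TUN MTU lower bound is checked; the commit message should confirm that frame_finalize still runs on that frame elsewhere.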
@@ -2990,6 +2988,7 @@ tls_process(struct tls_multi *multi, if (buf) { int status = key_state_read_ciphertext(&ks->ks_ssl, buf, multi->opt.frame.tun_mtu); + if (status == -1) { msg(D_TLS_ERRORS, @@ -3835,17 +3834,6 @@ tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, goto error; } - if (buf->len > EXPANDED_SIZE_DYNAMIC(&tas->frame)) - { - dmsg(D_TLS_STATE_ERRORS, - "TLS State Error: Large packet (size %d) received from %s -- a packet no larger than %d bytes was expected", - buf->len, - print_link_socket_actual(from, &gc), - EXPANDED_SIZE_DYNAMIC(&tas->frame)); - goto error; - } - - struct buffer newbuf = clone_buf(buf); struct tls_wrap_ctx tls_wrap_tmp = tas->tls_wrap; diff --git a/tests/unit_tests/openvpn/test_crypto.c b/tests/unit_tests/openvpn/test_crypto.c index 5669948f..7fb9d624 100644 --- a/tests/unit_tests/openvpn/test_crypto.c +++ b/tests/unit_tests/openvpn/test_crypto.c @@ -388,7 +388,7 @@ test_mssfix_mtu_calculation(void **state) init_key_type(&kt, o.ciphername, o.authname, false, false); /* No encryption, just packet id (8) + TCP payload(20) + IP payload(20) */ - frame_calculate_mssfix(&f, &kt, &o, NULL); + frame_calculate_dynamic(&f, &kt, &o, NULL); assert_int_equal(f.mss_fix, 952); /* Static key OCC examples */ @@ -398,7 +398,7 @@ test_mssfix_mtu_calculation(void **state) o.ciphername = "none"; o.authname = "none"; init_key_type(&kt, o.ciphername, o.authname, false, false); - frame_calculate_mssfix(&f, &kt, &o, NULL); + frame_calculate_dynamic(&f, &kt, &o, NULL); assert_int_equal(f.mss_fix, 952); /* secret, cipher AES-128-CBC, auth none */ @@ -412,7 +412,7 @@ test_mssfix_mtu_calculation(void **state) * all result in the same CBC block size/padding and <= 991 and >=1008 * should be one block less and more respectively */ o.ce.mssfix = i; - frame_calculate_mssfix(&f, &kt, &o, NULL); + frame_calculate_dynamic(&f, &kt, &o, NULL); if (i <= 991) { assert_int_equal(f.mss_fix, 911); 
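Review bot: the block removed from tls_pre_decrypt_lite was the only length sanity check this patch shows on packets from peers that have not yet completed the handshake; with EXPANDED_SIZE_DYNAMIC gone, the commit message should say what now bounds buf->len on that path (the receive buffer capacity or link_mtu), since it handles unauthenticated input. The blank line added in tls_process is an unrelated whitespace change and should be dropped from this patch.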
@@ -440,7 +440,7 @@ test_mssfix_mtu_calculation(void **state) /* For stream ciphers, the value should not be influenced by block * sizes or similar but always have the same difference */ o.ce.mssfix = i; - frame_calculate_mssfix(&f, &kt, &o, NULL); + frame_calculate_dynamic(&f, &kt, &o, NULL); /* 4 byte opcode/peerid, 4 byte pkt ID, 16 byte tag, 40 TCP+IP */ assert_int_equal(f.mss_fix, i - 4 - 4 - 16 - 40);
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 10 Feb 2022 17:26:28 +0100
Message-Id: <20220210162632.3309974-4-arne@rfc2549.org>
In-Reply-To: <20220210162632.3309974-1-arne@rfc2549.org>
References: <20220210162632.3309974-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v4 4/8] Update fragment and mssfix related warnings

The warning that fragment/mssfix also needs tun-mtu set to 1500 makes little sense. Remove it completely. Instead warn if there are inconsistencies between --fragment and mssfix.

Patch v2: clarify the mssfix and fragment mtu warning message
Patch v4: Rebase
Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/init.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index b9c3e166..b1952f46 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -3184,12 +3184,17 @@ do_init_frame(struct context *c) #endif #ifdef ENABLE_FRAGMENT - if ((c->options.ce.mssfix || c->options.ce.fragment) - && c->c2.frame.tun_mtu != ETHERNET_MTU) + if (c->options.ce.fragment > 0 && c->options.ce.mssfix > c->options.ce.fragment) { - msg(M_WARN, - "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)", - ETHERNET_MTU, c->c2.frame.tun_mtu); + msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should " + "set --fragment (%d) larger or equal than --mssfix (%d)", + c->options.ce.fragment, c->options.ce.mssfix); + } + if (c->options.ce.fragment > 0 && c->options.ce.mssfix > 0 + && c->options.ce.fragment_encap != c->options.ce.mssfix_encap) + { + msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should " + "use the \"mtu\" flag for both or none of of them."); } #endif }
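Review bot: both new user-visible warnings need wording fixes: "larger or equal than" should read "larger than or equal to", and "both or none of of them" has a doubled "of". The first check also compares the raw mssfix and fragment values even when exactly one of them carries the "mtu" flag, so it can fire or stay silent on values that are not in the same units; gating it on `fragment_encap == mssfix_encap` (the condition the second warning tests) would avoid a misleading message.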
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 10 Feb 2022 17:26:29 +0100
Message-Id: <20220210162632.3309974-5-arne@rfc2549.org>
In-Reply-To: <20220210162632.3309974-1-arne@rfc2549.org>
References: <20220210162632.3309974-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v4 5/8] Use new frame header methods to calculate OCC_MTU_LOAD payload size

Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/occ.c | 31 +++++++++++++++++++++++-------- 1 file changed, 23 insertions(+), 8 deletions(-) diff --git a/src/openvpn/occ.c b/src/openvpn/occ.c index 6fc5e003..b7670356 100644 --- a/src/openvpn/occ.c +++ b/src/openvpn/occ.c
@@ -199,8 +199,11 @@ check_send_occ_load_test_dowork(struct context *c) if (entry->op >= 0) { c->c2.occ_op = entry->op; - c->c2.occ_mtu_load_size = - EXPANDED_SIZE(&c->c2.frame) + entry->delta; + size_t payload_size = frame_calculate_payload_size(&c->c2.frame, + &c->options, &c->c1.ks.key_type); + size_t header_size = frame_calculate_protocol_header_size(&c->c1.ks.key_type, &c->options, false); + + c->c2.occ_mtu_load_size = payload_size + header_size; } else {
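Review bot: the new occ_mtu_load_size drops `+ entry->delta`, so every entry of the load-test table now yields the same size (payload_size + header_size) regardless of its delta; if that is intended the commit message should say so, otherwise keep the delta in the sum. The `size_t header_size = ...` line is also far longer than the wrapped payload_size call right above it and should be wrapped the same way.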
@@ -298,10 +301,21 @@ check_send_occ_msg_dowork(struct context *c) { break; } - need_to_add = min_int(c->c2.occ_mtu_load_size, EXPANDED_SIZE(&c->c2.frame)) + size_t proto_hdr, payload_hdr; + const struct key_type *kt = &c->c1.ks.key_type; + + /* OCC message have comp/fragment headers but not ethernet headers */ + payload_hdr = frame_calculate_payload_overhead(&c->c2.frame, &c->options, + kt, false); + + /* Since we do not know the payload size we just pass 0 as size here */ + proto_hdr = frame_calculate_protocol_header_size(kt, &c->options, false); + + need_to_add = min_int(c->c2.occ_mtu_load_size, c->c2.frame.buf.payload_size) - OCC_STRING_SIZE - - sizeof(uint8_t) - - EXTRA_FRAME(&c->c2.frame); + - sizeof(uint8_t) /* occ opcode */ + - payload_hdr + - proto_hdr; while (need_to_add > 0) { 
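Review bot: the comment `/* Since we do not know the payload size we just pass 0 as size here */` does not match the call below it, which passes `false` as the third argument of frame_calculate_protocol_header_size (the same argument the load-test hunk passes); reword the comment to describe what that flag disables. Also "OCC message have" should read "OCC messages have".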
@@ -314,12 +328,13 @@ check_send_occ_msg_dowork(struct context *c) } --need_to_add; } - dmsg(D_PACKET_CONTENT, "SENT OCC_MTU_LOAD min_int(%d-%d-%d-%d,%d) size=%d", + dmsg(D_PACKET_CONTENT, "SENT OCC_MTU_LOAD min_int(%d,%d)-%d-%d-%d-%d) size=%d", c->c2.occ_mtu_load_size, + c->c2.frame.buf.payload_size, OCC_STRING_SIZE, (int) sizeof(uint8_t), - EXTRA_FRAME(&c->c2.frame), - c->c2.frame.buf.payload_size, + (int) payload_hdr, + (int) proto_hdr, BLEN(&c->c2.buf)); doit = true; }
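Review bot: the new dmsg format string `"SENT OCC_MTU_LOAD min_int(%d,%d)-%d-%d-%d-%d) size=%d"` has an unmatched closing parenthesis after the last subtraction; the seven %d conversions line up with the seven arguments, so only the string needs fixing, e.g. `"SENT OCC_MTU_LOAD min_int(%d,%d)-%d-%d-%d-%d size=%d"`.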
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 10 Feb 2022 17:26:30 +0100
Message-Id: <20220210162632.3309974-6-arne@rfc2549.org>
In-Reply-To: <20220210162632.3309974-1-arne@rfc2549.org>
References: <20220210162632.3309974-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v4 6/8] Remove extra_link from frame

The previous commits removed any reads from this variable. So we can now safely remove it.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
src/openvpn/init.c | 19 ------------------- src/openvpn/mtu.c | 1 - src/openvpn/mtu.h | 13 ------------- src/openvpn/socks.c | 11 +---------- src/openvpn/socks.h | 2 -- src/openvpn/ssl.c | 1 - 6 files changed, 1 insertion(+), 46 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index b1952f46..7e22d09b 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3110,14 +3110,6 @@ do_init_frame(struct context *c) } #endif /* USE_COMP */ - /* - * Adjust frame size for UDP Socks support. - */ - if (c->options.ce.socks_proxy_server) - { - socks_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto); - } - /* * Adjust frame size based on the --tun-mtu-extra parameter. */ 
@@ -3150,17 +3142,6 @@ do_init_frame(struct context *c) #endif #endif /* USE_COMP */ - /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client) - * and need link_mtu+3 bytes on socket reception (on server). - * - * accommodate receive path in f->extra_link, which has the side effect of - * also increasing send buffers (BUF_SIZE() macro), which need to be - * allocated big enough before receiving peer-id option from server. - * - * f->extra_frame is adjusted when peer-id option is push-received - */ - frame_add_to_extra_link(&c->c2.frame, 3); - #ifdef ENABLE_FRAGMENT /* * Set frame parameter for fragment code. This is necessary because diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index 6d349f7a..2c455c3e 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c @@ -266,7 +266,6 @@ frame_print(const struct frame *frame, buf_printf(&out, " EF:%d", frame->extra_frame); buf_printf(&out, " EB:%d", frame->extra_buffer); buf_printf(&out, " ET:%d", frame->extra_tun); - buf_printf(&out, " EL:%d", frame->extra_link); buf_printf(&out, " ]"); msg(level, "%s", out.data); diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index 5f7205f4..6188c0da 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -163,13 +163,6 @@ struct frame { * which defaults to 0 for tun and 32 * (\c TAP_MTU_EXTRA_DEFAULT) for tap. * */ - - int extra_link; /**< Maximum number of bytes in excess of - * external network interface's MTU that - * might be read from or written to it. - * - * Used by peer-id (3) and - * socks UDP (10) */ }; /* Forward declarations, to prevent includes */ @@ -378,12 +371,6 @@ frame_add_to_extra_tun(struct frame *frame, const int increment) frame->extra_tun += increment; } -static inline void -frame_add_to_extra_link(struct frame *frame, const int increment) -{ - frame->extra_link += increment; -} - static inline void frame_add_to_extra_buffer(struct frame *frame, const int increment) { 
diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c index f5108b03..768bb613 100644 --- a/src/openvpn/socks.c +++ b/src/openvpn/socks.c @@ -49,15 +49,6 @@ #define UP_TYPE_SOCKS "SOCKS Proxy" -void -socks_adjust_frame_parameters(struct frame *frame, int proto) -{ - if (proto == PROTO_UDP) - { - frame_add_to_extra_link(frame, 10); - } -} - struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, @@ -610,7 +601,7 @@ socks_process_outgoing_udp(struct buffer *buf, /* * Get a 10 byte subset buffer prepended to buf -- * we expect these bytes will be here because - * we allocated frame space in socks_adjust_frame_parameters. + * we always allocate space for these bytes */ struct buffer head = buf_sub(buf, 10, true); diff --git a/src/openvpn/socks.h b/src/openvpn/socks.h index 88cf9523..47cdac10 100644 --- a/src/openvpn/socks.h +++ b/src/openvpn/socks.h @@ -42,8 +42,6 @@ struct socks_proxy_info { char authfile[256]; }; -void socks_adjust_frame_parameters(struct frame *frame, int proto); - struct socks_proxy_info *socks_proxy_new(const char *server, const char *port, const char *authfile); diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 10f75d66..38085f77 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c 
@@ -322,7 +322,6 @@ tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame /* inherit link MTU and extra_link from data channel */ frame->link_mtu = data_channel_frame->link_mtu; - frame->extra_link = data_channel_frame->extra_link; /* set extra_frame */ tls_adjust_frame_parameters(frame);
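
Review bot: the commit message ("previous commits removed any reads from this variable") does not match the ssl.c hunk in tls_init_control_channel_frame_parameters, which removes a remaining read, `frame->extra_link = data_channel_frame->extra_link;`, and leaves the comment `/* inherit link MTU and extra_link from data channel */` stale. Reword the message to say this patch removes the last use of the value, and trim the comment to `/* inherit link MTU from data channel */` in this hunk rather than leaving it for a later patch.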
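
Review bot: the init.c hunk that removes `frame_add_to_extra_link(&c->c2.frame, 3);` also deletes the comment explaining why the allowance existed (P_DATA_V2 peer-id needs link_mtu+3 bytes on socket reception on the server, and send buffers sized through BUF_SIZE() must be large enough before the peer-id option arrives from the server). The commit message should name where that receive-side allowance is now accounted for; as written, a reader cannot tell whether the requirement went away or merely moved.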
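
Review bot: in socks_process_outgoing_udp the replacement comment `we always allocate space for these bytes` asserts an invariant the hunk does not show: `buf_sub(buf, 10, true)` still needs 10 bytes of headroom, while the 10-byte socks UDP allowance is removed from socks_adjust_frame_parameters and from the extra_link doc comment in mtu.h. Reference the place where the frame headroom now guarantees those 10 bytes so the claim is checkable.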
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 10 Feb 2022 17:26:31 +0100
Message-Id: <20220210162632.3309974-7-arne@rfc2549.org>
In-Reply-To: <20220210162632.3309974-1-arne@rfc2549.org>
References: <20220210162632.3309974-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v4 7/8] Remove frame->link_mtu

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
src/openvpn/comp.c | 8 -------- src/openvpn/comp.h | 2 -- src/openvpn/forward.c | 4 ++-- src/openvpn/init.c | 39 +++------------------------------------ src/openvpn/mtu.c | 26 -------------------------- src/openvpn/mtu.h | 22 ---------------------- src/openvpn/ssl.c | 9 --------- 7 files changed, 5 insertions(+), 105 deletions(-) diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index 757f503d..7fff869b 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c @@ -123,14 +123,6 @@ comp_add_to_extra_frame(struct frame *frame) frame_add_to_extra_frame(frame, COMP_PREFIX_LEN); } -void -comp_add_to_extra_buffer(struct frame *frame) -{ - /* Leave room for compression buffer to expand in worst case scenario - * where data is totally incompressible */ - frame_add_to_extra_buffer(frame, COMP_EXTRA_BUFFER(EXPANDED_SIZE(frame))); -} - void comp_print_stats(const struct compress_context *compctx, struct status_output *so) { 
diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h index f2c9ea8a..964fbce5 100644 --- a/src/openvpn/comp.h +++ b/src/openvpn/comp.h @@ -178,8 +178,6 @@ void comp_uninit(struct compress_context *compctx); void comp_add_to_extra_frame(struct frame *frame); -void comp_add_to_extra_buffer(struct frame *frame); - void comp_print_stats(const struct compress_context *compctx, struct status_output *so); void comp_generate_peer_info_string(const struct compress_options *opt, struct buffer *out); diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 37554fc9..f508d3b6 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1545,7 +1545,7 @@ process_outgoing_link(struct context *c) perf_push(PERF_PROC_OUT_LINK); - if (c->c2.to_link.len > 0 && c->c2.to_link.len <= EXPANDED_SIZE(&c->c2.frame)) + if (c->c2.to_link.len > 0 && c->c2.to_link.len <= c->c2.frame.buf.payload_size) { /* * Setup for call to send/sendto which will send @@ -1673,7 +1673,7 @@ process_outgoing_link(struct context *c) msg(D_LINK_ERRORS, "TCP/UDP packet too large on write to %s (tried=%d,max=%d)", print_link_socket_actual(c->c2.to_link_addr, &gc), c->c2.to_link.len, - EXPANDED_SIZE(&c->c2.frame)); + c->c2.frame.buf.payload_size); } } diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 7e22d09b..038fc504 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2140,24 +2140,6 @@ pull_permission_mask(const struct context *c) return flags; } -static -void adjust_mtu_peerid(struct context *c) -{ - frame_add_to_extra_frame(&c->c2.frame, 3); /* peer-id overhead */ - if (!c->options.ce.link_mtu_defined) - { - frame_add_to_link_mtu(&c->c2.frame, 3); - msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d", - EXPANDED_SIZE(&c->c2.frame)); - } - else - { - msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu" - " fixed by config - reducing tun-mtu to %d, expect" - " MTU problems", c->c2.frame.tun_mtu); - } -} - static bool do_deferred_p2p_ncp(struct context *c) { 
@@ -2166,11 +2148,6 @@ do_deferred_p2p_ncp(struct context *c) return true; } - if (c->c2.tls_multi->use_peer_id) - { - adjust_mtu_peerid(c); - } - struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; const char *ncp_cipher = get_p2p_ncp_cipher(session, c->c2.tls_multi->peer_info, @@ -2292,7 +2269,6 @@ do_deferred_options(struct context *c, const unsigned int found) msg(D_PUSH, "OPTIONS IMPORT: peer-id set"); c->c2.tls_multi->use_peer_id = true; c->c2.tls_multi->peer_id = c->options.peer_id; - adjust_mtu_peerid(c); } /* process (potentially pushed) crypto options */ @@ -2528,14 +2504,6 @@ frame_finalize_options(struct context *c, const struct options *o) frame->buf.payload_size = payload_size; frame->buf.headroom = headroom; frame->buf.tailroom = tailroom; - - /* Kept to still update/calculate the other fields for now */ - frame_finalize(frame, - o->ce.link_mtu_defined, - o->ce.link_mtu, - o->ce.tun_mtu_defined, - o->ce.tun_mtu); - } /* @@ -3043,8 +3011,8 @@ do_init_frame_tls(struct context *c) if (c->c2.tls_multi) { tls_multi_init_finalize(c->c2.tls_multi, &c->c2.frame); - ASSERT(EXPANDED_SIZE(&c->c2.tls_multi->opt.frame) <= - EXPANDED_SIZE(&c->c2.frame)); + ASSERT(c->c2.tls_multi->opt.frame.buf.payload_size <= + c->c2.frame.buf.payload_size); frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO, "Control Channel MTU parms"); } @@ -3136,9 +3104,8 @@ do_init_frame(struct context *c) * Modify frame parameters if compression is compiled in. * Should be called after frame_finalize_options. */ - comp_add_to_extra_buffer(&c->c2.frame); #ifdef ENABLE_FRAGMENT - comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */ + /*TODO:frame comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); omit compression frame delta from final frame_fragment */ #endif #endif /* USE_COMP */ diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index 2c455c3e..c9cd0e38 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c 
@@ -205,31 +205,6 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame) return payload + overhead; } -void -frame_finalize(struct frame *frame, - bool link_mtu_defined, - int link_mtu, - bool tun_mtu_defined, - int tun_mtu) -{ - /* Set link_mtu based on command line options */ - if (tun_mtu_defined) - { - ASSERT(!link_mtu_defined); - frame->link_mtu = tun_mtu + TUN_LINK_DELTA(frame); - } - else - { - ASSERT(link_mtu_defined); - frame->link_mtu = link_mtu; - } - - if (frame->tun_mtu < TUN_MTU_MIN) - { - msg(M_WARN, "TUN MTU value (%d) must be at least %d", frame->tun_mtu, TUN_MTU_MIN); - frame_print(frame, M_FATAL, "MTU is too small"); - } -} /* * Move extra_frame octets into extra_tun. Used by fragmenting code * to adjust frame relative to its position in the buffer processing @@ -262,7 +237,6 @@ frame_print(const struct frame *frame, buf_printf(&out, " headroom:%d", frame->buf.headroom); buf_printf(&out, " payload:%d", frame->buf.payload_size); buf_printf(&out, " tailroom:%d", frame->buf.tailroom); - buf_printf(&out, " L:%d", frame->link_mtu); buf_printf(&out, " EF:%d", frame->extra_frame); buf_printf(&out, " EB:%d", frame->extra_buffer); buf_printf(&out, " ET:%d", frame->extra_tun); diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index 6188c0da..86c0f2ac 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -110,9 +110,6 @@ struct frame { * decryption/encryption or compression. */ } buf; - int link_mtu; /**< Maximum packet size to be sent over - * the external network interface. */ - unsigned int mss_fix; /**< The actual MSS value that should be * written to the payload packets. This * is the value for IPv4 TCP packets. For 
@@ -189,13 +186,6 @@ struct options; */ #define PAYLOAD_SIZE(f) ((f)->buf.payload_size) -/* - * Max size of a payload packet after encryption, compression, etc. - * overhead is added. - */ -#define EXPANDED_SIZE(f) ((f)->link_mtu) -#define EXPANDED_SIZE_MIN(f) (TUN_MTU_MIN + TUN_LINK_DELTA(f)) - /* * Control buffer headroom allocations to allow for efficient prepending. */ @@ -218,12 +208,6 @@ struct options; * Function prototypes. */ -void frame_finalize(struct frame *frame, - bool link_mtu_defined, - int link_mtu, - bool tun_mtu_defined, - int tun_mtu); - void frame_subtract_extra(struct frame *frame, const struct frame *src); void frame_print(const struct frame *frame, @@ -347,12 +331,6 @@ const char *format_extended_socket_error(int fd, int *mtu, struct gc_arena *gc); * frame member adjustment functions */ -static inline void -frame_add_to_link_mtu(struct frame *frame, const int increment) -{ - frame->link_mtu += increment; -} - static inline void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment) { diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 38085f77..306c2efd 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -320,17 +320,11 @@ tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame * if --tls-auth is enabled. */ - /* inherit link MTU and extra_link from data channel */ - frame->link_mtu = data_channel_frame->link_mtu; - /* set extra_frame */ tls_adjust_frame_parameters(frame); reliable_ack_adjust_frame_parameters(frame, CONTROL_SEND_ACK_MAX); frame_add_to_extra_frame(frame, SID_SIZE + sizeof(packet_id_type)); - /* set dynamic link MTU to cap control channel packets at 1250 bytes */ - ASSERT(TUN_LINK_DELTA(frame) < min_int(frame->link_mtu, 1250)); - /* calculate the maximum overhead that control channel frames may have */ int overhead = 0; 
@@ -1931,9 +1925,6 @@ tls_session_update_crypto_params_do_work(struct tls_session *session, if (frame_fragment) { - frame_remove_from_extra_frame(frame_fragment, crypto_max_overhead()); - crypto_adjust_frame_parameters(frame_fragment, &session->opt->key_type, - options->replay, packet_id_long_form); frame_calculate_dynamic(frame_fragment, &session->opt->key_type, options, lsi); frame_print(frame_fragment, D_MTU_INFO, "Fragmentation MTU parms"); }
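
Review bot: the commit message is empty apart from the sign-off, yet the patch changes behaviour: process_outgoing_link now bounds outgoing packets by `c->c2.frame.buf.payload_size` instead of `EXPANDED_SIZE(&c->c2.frame)` (formerly `frame->link_mtu`), and the `ASSERT(EXPANDED_SIZE(&c->c2.tls_multi->opt.frame) <= EXPANDED_SIZE(&c->c2.frame))` in do_init_frame_tls is rewritten the same way. A sentence stating that buf.payload_size is the link-level maximum that link_mtu used to express would let a reviewer verify the substitution.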
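
Review bot: removing frame_finalize from mtu.c also removes its `if (frame->tun_mtu < TUN_MTU_MIN)` check, which ended in `frame_print(frame, M_FATAL, "MTU is too small");`, and the frame_finalize_options hunk that drops the call adds no replacement. Either keep that minimum check in frame_finalize_options or state in the commit message where it is now enforced.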
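
Review bot: three diagnostics disappear without comment: the adjust_mtu_peerid removal in init.c drops the user-visible `M_WARN` for "peer-id set, but link-mtu fixed by config"; the ssl.c hunk drops `ASSERT(TUN_LINK_DELTA(frame) < min_int(frame->link_mtu, 1250));`, a sanity check on control-channel packet size; and in do_init_frame the `comp_add_to_extra_buffer(&c->c2.frame_fragment_omit)` call is replaced by a `/*TODO:frame ...*/` comment. Each deserves a line in the commit message (or a reference to the follow-up that resolves it) so they are not lost silently.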
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 10 Feb 2022 17:26:32 +0100
Message-Id: <20220210162632.3309974-8-arne@rfc2549.org>
In-Reply-To: <20220210162632.3309974-1-arne@rfc2549.org>
References: <20220210162632.3309974-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v4 8/8] Remove frame.extra_frame and frame.extra_buffer

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
src/openvpn/comp.c | 7 ------ src/openvpn/comp.h | 2 -- src/openvpn/crypto.c | 37 --------------------------- src/openvpn/fragment.c | 3 --- src/openvpn/init.c | 56 ----------------------------------------- src/openvpn/mtu.c | 14 ----------- src/openvpn/mtu.h | 42 ++----------------------------- src/openvpn/reliable.c | 7 ------ src/openvpn/reliable.h | 3 --- src/openvpn/socket.c | 10 -------- src/openvpn/socket.h | 2 -- src/openvpn/ssl.c | 21 ---------------- src/openvpn/ssl.h | 5 ---- src/openvpn/tls_crypt.c | 10 -------- src/openvpn/tls_crypt.h | 5 ---- 15 files changed, 2 insertions(+), 222 deletions(-) diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index 7fff869b..099ac027 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c 
@@ -116,13 +116,6 @@ comp_uninit(struct compress_context *compctx) } } -void -comp_add_to_extra_frame(struct frame *frame) -{ - /* Leave room for our one-byte compressed/didn't-compress prefix byte. */ - frame_add_to_extra_frame(frame, COMP_PREFIX_LEN); -} - void comp_print_stats(const struct compress_context *compctx, struct status_output *so) { diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h index 964fbce5..874036dc 100644 --- a/src/openvpn/comp.h +++ b/src/openvpn/comp.h @@ -176,8 +176,6 @@ struct compress_context *comp_init(const struct compress_options *opt); void comp_uninit(struct compress_context *compctx); -void comp_add_to_extra_frame(struct frame *frame); - void comp_print_stats(const struct compress_context *compctx, struct status_output *so); void comp_generate_peer_info_string(const struct compress_options *opt, struct buffer *out); diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 461cfb8c..c8d2bcca 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -716,43 +716,6 @@ calculate_crypto_overhead(const struct key_type *kt, return crypto_overhead; } -void -crypto_adjust_frame_parameters(struct frame *frame, - const struct key_type *kt, - bool packet_id, - bool packet_id_long_form) -{ - unsigned int crypto_overhead = 0; - - if (packet_id) - { - crypto_overhead += packet_id_size(packet_id_long_form); - } - - if (cipher_defined(kt->cipher)) - { - crypto_overhead += cipher_kt_iv_size(kt->cipher); - - if (cipher_kt_mode_aead(kt->cipher)) - { - crypto_overhead += cipher_kt_tag_size(kt->cipher); - } - - /* extra block required by cipher_ctx_update() */ - crypto_overhead += cipher_kt_block_size(kt->cipher); - } - - if (md_defined(kt->digest)) - { - crypto_overhead += md_kt_size(kt->digest); - } - - frame_add_to_extra_frame(frame, crypto_overhead); - - msg(D_MTU_DEBUG, "%s: Adjusting frame parameters for crypto by %u bytes", - __func__, crypto_overhead); -} - unsigned int crypto_max_overhead(void) { 
diff --git a/src/openvpn/fragment.c b/src/openvpn/fragment.c index f10fa9ac..949db8f5 100644 --- a/src/openvpn/fragment.c +++ b/src/openvpn/fragment.c @@ -96,9 +96,6 @@ fragment_init(struct frame *frame) * fragment_master assume an initial CLEAR */ ALLOC_OBJ_CLEAR(ret, struct fragment_master); - /* add in the size of our contribution to the expanded frame size */ - frame_add_to_extra_frame(frame, sizeof(fragment_header_type)); - /* * Outgoing sequence ID is randomized to reduce * the probability of sequence number collisions diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 038fc504..f14ecf63 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2597,10 +2597,6 @@ do_init_crypto_static(struct context *c, const unsigned int flags) /* Get key schedule */ c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key; - /* Compute MTU parameters */ - crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type, - options->replay, true); - /* Sanity check on sequence number, and cipher mode options */ check_replay_consistency(&c->c1.ks.key_type, options->replay); } @@ -2792,19 +2788,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */ packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher); - /* Compute MTU parameters (postpone if we push/pull options) */ - if (c->options.pull || c->options.mode == MODE_SERVER) - { - /* Account for worst-case crypto overhead before allocating buffers */ - frame_add_to_extra_frame(&c->c2.frame, crypto_max_overhead()); - } - else - { - crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type, - options->replay, packet_id_long_form); - } - tls_adjust_frame_parameters(&c->c2.frame); - /* Set all command-line TLS-related options */ CLEAR(to); 
@@ -2957,8 +2940,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key; to.tls_wrap.opt.pid_persist = &c->c1.pid_persist; to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM; - crypto_adjust_frame_parameters(&to.frame, &c->c1.ks.tls_auth_key_type, - true, true); } /* TLS handshake encryption (--tls-crypt) */ @@ -2969,7 +2950,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key; to.tls_wrap.opt.pid_persist = &c->c1.pid_persist; to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM; - tls_crypt_adjust_frame_parameters(&to.frame); if (options->ce.tls_crypt_v2_file) { @@ -2987,10 +2967,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) } } - /* If we are running over TCP, allow for - * length prefix */ - socket_adjust_frame_parameters(&to.frame, options->ce.proto); - /* * Initialize OpenVPN's master TLS-mode object. */ @@ -3064,20 +3040,6 @@ do_init_crypto(struct context *c, const unsigned int flags) static void do_init_frame(struct context *c) { -#ifdef USE_COMP - /* - * modify frame parameters if compression is enabled - */ - if (comp_enabled(&c->options.comp)) - { - comp_add_to_extra_frame(&c->c2.frame); - -#ifdef ENABLE_FRAGMENT - comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */ -#endif - } -#endif /* USE_COMP */ - /* * Adjust frame size based on the --tun-mtu-extra parameter. */ 
@@ -3086,29 +3048,12 @@ do_init_frame(struct context *c) frame_add_to_extra_tun(&c->c2.frame, c->options.ce.tun_mtu_extra); } - /* - * Adjust frame size based on link socket parameters. - * (Since TCP is a stream protocol, we need to insert - * a packet length uint16_t in the buffer.) - */ - socket_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto); - /* * Fill in the blanks in the frame parameters structure, * make sure values are rational, etc. */ frame_finalize_options(c, NULL); -#ifdef USE_COMP - /* - * Modify frame parameters if compression is compiled in. - * Should be called after frame_finalize_options. - */ -#ifdef ENABLE_FRAGMENT - /*TODO:frame comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); omit compression frame delta from final frame_fragment */ -#endif -#endif /* USE_COMP */ - #ifdef ENABLE_FRAGMENT /* * Set frame parameter for fragment code. This is necessary because @@ -3116,7 +3061,6 @@ do_init_frame(struct context *c) * passed through the compression code. */ c->c2.frame_fragment = c->c2.frame; - frame_subtract_extra(&c->c2.frame_fragment, &c->c2.frame_fragment_omit); c->c2.frame_fragment_initial = c->c2.frame_fragment; #endif diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index c9cd0e38..3e48d275 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c @@ -205,18 +205,6 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame) return payload + overhead; } -/* - * Move extra_frame octets into extra_tun. Used by fragmenting code - * to adjust frame relative to its position in the buffer processing - * queue. - */ -void -frame_subtract_extra(struct frame *frame, const struct frame *src) -{ - frame->extra_frame -= src->extra_frame; - frame->extra_tun += src->extra_frame; -} - void frame_print(const struct frame *frame, int level, 
@@ -237,8 +225,6 @@ frame_print(const struct frame *frame, buf_printf(&out, " headroom:%d", frame->buf.headroom); buf_printf(&out, " payload:%d", frame->buf.payload_size); buf_printf(&out, " tailroom:%d", frame->buf.tailroom); - buf_printf(&out, " EF:%d", frame->extra_frame); - buf_printf(&out, " EB:%d", frame->extra_buffer); buf_printf(&out, " ET:%d", frame->extra_tun); buf_printf(&out, " ]"); diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index 86c0f2ac..dddbf4fc 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -123,13 +123,6 @@ struct frame { * size that can be send in a single fragment */ - int extra_frame; /**< Maximum number of bytes that all - * processing steps together could add. - * @code - * frame.link_mtu = "socket MTU" - extra_frame; - * @endcode - */ - int tun_mtu; /**< the (user) configured tun-mtu. This is used * in configuring the tun interface or * in calculations that use the desired size @@ -141,16 +134,6 @@ struct frame { * code ignores it) */ - int extra_buffer; /**< Maximum number of bytes that - * processing steps could expand the - * internal work buffer. - * - * This is used by the \link compression - * Data Channel Compression - * module\endlink to give enough working - * space for worst-case expansion of - * incompressible content. */ - int extra_tun; /**< Maximum number of bytes in excess of * the tun/tap MTU that might be read * from or written to the virtual @@ -196,9 +179,8 @@ struct options; * * Most of our code only prepends headers but compression needs the extra bytes * *after* the data as compressed data might end up larger than the original - * data (and max compression overhead is part of extra_buffer). Also crypto - * needs an extra block for encryption. Therefore tailroom is larger than the - * headroom. + * data. Also crypto needs an extra block for encryption. Therefore tailroom is + * larger than the headroom. */ #define BUF_SIZE(f) ((f)->buf.headroom + (f)->buf.payload_size + (f)->buf.tailroom) 
@@ -208,8 +190,6 @@ struct options; * Function prototypes. */ -void frame_subtract_extra(struct frame *frame, const struct frame *src); - void frame_print(const struct frame *frame, int level, const char *prefix); @@ -331,30 +311,12 @@ const char *format_extended_socket_error(int fd, int *mtu, struct gc_arena *gc); * frame member adjustment functions */ -static inline void -frame_add_to_extra_frame(struct frame *frame, const unsigned int increment) -{ - frame->extra_frame += increment; -} - -static inline void -frame_remove_from_extra_frame(struct frame *frame, const unsigned int decrement) -{ - frame->extra_frame -= decrement; -} - static inline void frame_add_to_extra_tun(struct frame *frame, const int increment) { frame->extra_tun += increment; } -static inline void -frame_add_to_extra_buffer(struct frame *frame, const int increment) -{ - frame->extra_buffer += increment; -} - static inline bool frame_defined(const struct frame *frame) { diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c index c2f0ca01..10a798a5 100644 --- a/src/openvpn/reliable.c +++ b/src/openvpn/reliable.c @@ -251,13 +251,6 @@ error: return false; } -/* add to extra_frame the maximum number of bytes we will need for reliable_ack_write */ -void -reliable_ack_adjust_frame_parameters(struct frame *frame, int max) -{ - frame_add_to_extra_frame(frame, ACK_SIZE(max)); -} - /* print a reliable ACK record coming off the wire */ const char * reliable_ack_print(struct buffer *buf, bool verbose, struct gc_arena *gc) diff --git a/src/openvpn/reliable.h b/src/openvpn/reliable.h index 99a4bc6d..cd80bbfb 100644 --- a/src/openvpn/reliable.h +++ b/src/openvpn/reliable.h 
@@ -210,9 +210,6 @@ void reliable_init(struct reliable *rel, int buf_size, int offset, int array_siz */ void reliable_free(struct reliable *rel); -/* add to extra_frame the maximum number of bytes we will need for reliable_ack_write */ -void reliable_ack_adjust_frame_parameters(struct frame *frame, int max); - /** @} name Functions for initialization and cleanup */ diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index be66994f..0f34a5de 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -2285,16 +2285,6 @@ link_socket_close(struct link_socket *sock) } } -/* for stream protocols, allow for packet length prefix */ -void -socket_adjust_frame_parameters(struct frame *frame, int proto) -{ - if (link_socket_proto_connection_oriented(proto)) - { - frame_add_to_extra_frame(frame, sizeof(packet_size_type)); - } -} - void setenv_trusted(struct env_set *es, const struct link_socket_info *info) { diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index 51f28ba5..e9f1524d 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h @@ -331,8 +331,6 @@ void link_socket_init_phase2(struct context *c); void do_preresolve(struct context *c); -void socket_adjust_frame_parameters(struct frame *frame, int proto); - void link_socket_close(struct link_socket *sock); void sd_close(socket_descriptor_t *sd); diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 306c2efd..ae6a9914 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -295,18 +295,6 @@ tls_limit_reneg_bytes(const char *ciphername, int *reneg_bytes) } } -/* - * Max number of bytes we will add - * for data structures common to both - * data and control channel packets. - * (opcode only). - */ -void -tls_adjust_frame_parameters(struct frame *frame) -{ - frame_add_to_extra_frame(frame, 1); /* space for opcode */ -} - /* * Max number of bytes we will add * to control channel packet. 
@@ -320,11 +308,6 @@ tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame * if --tls-auth is enabled. */ - /* set extra_frame */ - tls_adjust_frame_parameters(frame); - reliable_ack_adjust_frame_parameters(frame, CONTROL_SEND_ACK_MAX); - frame_add_to_extra_frame(frame, SID_SIZE + sizeof(packet_id_type)); - /* calculate the maximum overhead that control channel frames may have */ int overhead = 0; @@ -1908,10 +1891,6 @@ tls_session_update_crypto_params_do_work(struct tls_session *session, session->opt->crypto_flags |= CO_PACKET_ID_LONG_FORM; } - /* Update frame parameters: undo worst-case overhead, add actual overhead */ - frame_remove_from_extra_frame(frame, crypto_max_overhead()); - crypto_adjust_frame_parameters(frame, &session->opt->key_type, - options->replay, packet_id_long_form); frame_calculate_dynamic(frame, &session->opt->key_type, options, lsi); frame_print(frame, D_MTU_INFO, "Data Channel MTU parms"); diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index bc8842d3..cf754ad2 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -471,11 +471,6 @@ void ssl_put_auth_challenge(const char *cr_str); #endif -/* - * Reserve any extra space required on frames. - */ -void tls_adjust_frame_parameters(struct frame *frame); - /* * Send a payload over the TLS control channel */ diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index d940ec30..610168b0 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -89,16 +89,6 @@ tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, "Control Channel Encryption", "tls-crypt"); } -void -tls_crypt_adjust_frame_parameters(struct frame *frame) -{ - frame_add_to_extra_frame(frame, tls_crypt_buf_overhead()); - - msg(D_MTU_DEBUG, "%s: Adjusting frame parameters for tls-crypt by %i bytes", - __func__, tls_crypt_buf_overhead()); -} - - bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt) 
diff --git a/src/openvpn/tls_crypt.h b/src/openvpn/tls_crypt.h index 81d0a10e..928ff547 100644 --- a/src/openvpn/tls_crypt.h +++ b/src/openvpn/tls_crypt.h @@ -123,11 +123,6 @@ void tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, */ int tls_crypt_buf_overhead(void); -/** - * Adjust frame parameters for --tls-crypt overhead. - */ -void tls_crypt_adjust_frame_parameters(struct frame *frame); - /** * Wrap a control channel packet (both authenticates and encrypts the data). *
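Review bot: in the fragment.c hunk, fragment_init() no longer reserves sizeof(fragment_header_type) in the frame, and nothing else in this patch adds the fragment header back; the only replacement frame computation visible here is the frame_calculate_dynamic() call left in tls_session_update_crypto_params_do_work(). Please confirm that frame_calculate_dynamic() (or whatever now sizes c->c2.frame_fragment) includes the fragment header, otherwise a fragment that fits the data-channel frame can exceed the link MTU once the header is prepended.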
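Review bot: in the do_init_crypto_static() hunk the crypto_adjust_frame_parameters() call is dropped, but unlike the TLS path no replacement frame calculation is visible for static-key mode, and static-key mode has no TLS session to trigger the frame_calculate_dynamic() call in tls_session_update_crypto_params_do_work(). Please point to where the static-key data channel frame now gets its cipher, HMAC and replay-ID overhead, or add the corresponding frame calculation to this function.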
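Review bot: in the do_init_crypto_tls() hunk that removes the crypto_max_overhead() reservation, the deleted comment says this worst-case overhead was added before allocating buffers; the matching removal of "undo worst-case overhead, add actual overhead" in tls_session_update_crypto_params_do_work() keeps both sides consistent, but buffer allocation must now size headroom and tailroom without extra_frame. Please say in the commit message, or in a comment next to frame_finalize_options(), where the worst case for a not-yet-pushed cipher comes from, since a pushed cipher with more overhead than the allocated buffer would otherwise truncate packets.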
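Review bot: the removals in tls_init_control_channel_frame_parameters() (tls_adjust_frame_parameters(), reliable_ack_adjust_frame_parameters(frame, CONTROL_SEND_ACK_MAX) and frame_add_to_extra_frame(frame, SID_SIZE + sizeof(packet_id_type))), together with the tls-auth, tls-crypt and socket_adjust_frame_parameters(&to.frame, options->ce.proto) calls dropped in do_init_crypto_tls(), move every control-channel contribution onto the `int overhead = 0;` calculation that follows, which is outside the hunk. Please confirm that calculation covers the 1-byte opcode, the session ID, the packet ID, the ACK array, the tls-auth HMAC or tls-crypt wrap, and the uint16_t length prefix for TCP; the TCP prefix was previously added only by socket_adjust_frame_parameters(), which this patch deletes from socket.c without a visible replacement.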
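Review bot: in the do_init_frame() hunks both writers of c->c2.frame_fragment_omit (the comp_add_to_extra_frame() call under USE_COMP and the commented-out TODO) and its only reader (frame_subtract_extra()) are removed, so the field looks dead after this patch. If nothing else references it, please drop it from struct context in the same commit; otherwise the remaining copy `c->c2.frame_fragment = c->c2.frame;` silently ignores a field that still exists and later readers will assume it still matters.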
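Review bot: the tls_crypt.c hunk removes the D_MTU_DEBUG message that reported tls_crypt_buf_overhead() along with the adjustment function, and the mtu.c hunk drops the EF and EB fields from frame_print(), so after this patch the tls-crypt contribution to the frame is not logged anywhere. Consider emitting an equivalent D_MTU_DEBUG line where the control channel overhead is now summed, so that MTU problems with --tls-crypt remain diagnosable from the log.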