author | Arne Schwabe | 2022-01-24 03:54:59 +0100 |
committer | Gert Doering | 2022-02-02 14:11:00 +0100 |
commit | 65a21eb14f4afd80864e88ff425f5d9ef8d8fdec (patch) | |
tree | 1d7d31db1464cbf3f7eacf082a2a5999315b1c05 /src/openvpn/ssl.c | |
parent | 5b3c8ca869766de2c94eb7dd4450b0d9ab1c75fc (diff) | |
Change buffer allocation calculation and checks to be more static
Currently we use half-dynamic buffer sizes where we have a fixed
overhead for crypto (crypto_max_overhead) but use a dynamic overhead
for the other small header sizes.
Patch v3: rebase
Patch v4: add size of ack array to control channel frame size
Patch v5: fix calculation of compression overhead calculated over 0 instead
of payload size
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220124025459.1042317-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23638.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/ssl.c')
-rw-r--r-- | src/openvpn/ssl.c | 38 |
1 files changed, 30 insertions, 8 deletions
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 00c7e3e..309fabf 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -332,6 +332,35 @@ tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame
     /* set dynamic link MTU to cap control channel packets at 1250 bytes */
     ASSERT(TUN_LINK_DELTA(frame) < min_int(frame->link_mtu, 1250));
     frame->link_mtu_dynamic = min_int(frame->link_mtu, 1250) - TUN_LINK_DELTA(frame);
+
+    /* calculate the maximum overhead that control channel frames may have */
+    int overhead = 0;
+
+    /* Socks */
+    overhead += 10;
+
+    /* tls-auth and tls-crypt */
+    overhead += max_int(tls_crypt_buf_overhead(),
+                        packet_id_size(true) + OPENVPN_MAX_HMAC_SIZE);
+
+    /* TCP length field and opcode */
+    overhead+= 3;
+
+    /* ACK array and remote SESSION ID (part of the ACK array) */
+    overhead += ACK_SIZE(RELIABLE_ACK_SIZE);
+
+    /* Previous OpenVPN version calculated the maximum size and buffer of a
+     * control frame depending on the overhead of the data channel frame
+     * overhead and limited its maximum size to 1250. We always allocate the
+     * 1250 buffer size since a lot of code blindly assumes a large buffer
+     * (e.g. PUSH_BUNDLE_SIZE) and set frame->mtu_mtu as suggestion for the
+     * size */
+    frame->buf.payload_size = 1250 + overhead;
+
+    frame->buf.headroom = overhead;
+    frame->buf.tailroom = overhead;
+
+    frame->tun_mtu = min_int(data_channel_frame->tun_mtu, 1250);
 }
 
 void
@@ -1875,13 +1904,6 @@ tls_session_update_crypto_params_do_work(struct tls_session *session,
             msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'",
                 options->ciphername);
         }
-        else
-        {
-            /* Very hacky workaround and quick fix for frame calculation
-             * different when adjusting frame size when the original and new cipher
-             * are identical to avoid a regression with client without NCP */
-            return tls_session_generate_data_channel_keys(session);
-        }
 
         init_key_type(&session->opt->key_type, options->ciphername,
                       options->authname, true, true);
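Review bot: The explanatory comment above `frame->buf.payload_size = 1250 + overhead;` refers to a field `frame->mtu_mtu` that does not exist in the code below it, which sets `frame->tun_mtu`; the comment should read `set frame->tun_mtu as suggestion for the size`. The `10` bytes for SOCKS and the `3` for the TCP length field and opcode are bare magic numbers sitting next to named sizes such as `ACK_SIZE(RELIABLE_ACK_SIZE)` and `OPENVPN_MAX_HMAC_SIZE`; giving them names (a local `enum` or `#define` for the SOCKS and TCP-length/opcode byte counts) would keep the overhead arithmetic self-describing, and `overhead+= 3;` should be spaced `overhead += 3;` like its neighbours. Because `headroom` and `tailroom` are each set to the full `overhead`, a reader cannot tell whether both sides genuinely need the whole amount or whether this is a deliberately conservative bound; a one-line comment stating that intent, e.g. `/* conservative: each side reserves the full overhead */`, would prevent a later "optimisation" from shaving one of them. The enclosing function tls_init_control_channel_frame_parameters starts before this hunk.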
@@ -2964,7 +2986,7 @@ tls_process(struct tls_multi *multi,
             buf = reliable_get_buf_output_sequenced(ks->send_reliable);
             if (buf)
             {
-                int status = key_state_read_ciphertext(&ks->ks_ssl, buf, PAYLOAD_SIZE_DYNAMIC(&multi->opt.frame));
+                int status = key_state_read_ciphertext(&ks->ks_ssl, buf, multi->opt.frame.tun_mtu);
                 if (status == -1)
                 {
                     msg(D_TLS_ERRORS, |
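Review bot: The new call bounds key_state_read_ciphertext by `multi->opt.frame.tun_mtu`, while the buffer it reads into is obtained from `reliable_get_buf_output_sequenced` and is sized elsewhere from `frame->buf.payload_size`; nothing at this call site states that `tun_mtu` can never exceed the capacity remaining in `buf`. The first hunk caps `tun_mtu` at 1250 and sets `payload_size` to `1250 + overhead`, so the read currently fits, but the two values are now coupled only by convention across two functions. A short comment here such as `/* tun_mtu is capped at 1250 by tls_init_control_channel_frame_parameters, below the reliable buffers' payload_size */` would record the invariant the read relies on, or, if the helper does not already check it, an assertion that `tun_mtu` does not exceed the buffer's forward capacity before the read. tls_process's body continues on both sides of this hunk.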